How Ransomware Turned into a Billion Dollar Business

Photo credits: Pixabay / WerbeFabrik

Although in their early days ransomware scams were mostly popular in Russia, they have rapidly expanded internationally. After thousands of users have so far been victims of ransomware attacks, this malware category is on the rise internationally. With Windows, Mac, Linux, and Android users at stake, ransomware has turned into the hottest security industry topic, and, why not, an extremely profitable business.

A recent study conducted by Bitdefender on internet users discovered that in 2015 alone ransomware caused $350 million worth of damage, with 50% of these users not being able to even tell what ransomware was.

Warning signs of ransomware scams

Ransomware usually gets installed via e-mail, through a vulnerability or a drive-by download. It’s common for this type of malware to deceive them that their personal photos, files, and documents have restricted access and in order to regain the keycard for ownership, immediate payment is required.

The scammers involved in ransomware attacks can also claim that they are representatives of a security company who will clean up the network, as soon as payment has been registered. To reach their goal, they will even go as far as impersonating FBI or Homeland Security officials.

You can’t put a clear price on a user’s most prized possessions. Even though the fees vary, they’re never outrageous, as hackers do expect their victims to pay up as soon as possible. This is exactly why ransomware has turned into a very profitable business for digital criminals. The latter are usually remote groups operating from emerging economies which lack a proper law enforcement system.

The scammers have taken their attacks to a new level and everyone is at risk. They don’t target the average user alone, but have also attacked public institutions in the US, such as healthcare organizations, educational institutions, police departments, religious organizations, and financial institutions. As law enforcement representatives don’t negotiate, and don’t encourage negotiation in such circumstances, valuable data was lost and never reclaimed.

Once the machines are infected, the only information displayed on the screen is the amount required for payment and the deadline. Any attempts to reset the system or other actions will most likely fail.

Types of ransomware attacks

The types of ransomware attacks known to be going around are lock screen malware (non-encrypting), file lockers (encrypting), and disk lockers

Non-encrypting ransomware wasn’t very effective for monetization and was overshadowed by crypto-ransomware. An early example of encrypting ransomware is the 1989 AIDS Trojan (aka PC Cyborg) which tricked users into paying a fee to the PC Cyborg Corporation in order to renew their software license. To make it seem legit, the AIDS author, Dr. Joseph Popp, made sure users read an end-user license which reassured them of the software and PC Cyborg Corporation validity. Popp was apprehended by the New Scotland Yard and charged with 11 counts of blackmail.

However the earliest documented version of modern-day ransomware is CryptoLocker which came out in late 2013. It is part of the same infection family as CryptoWall and TeslaCrypt and its release led to a notable comeback of encrypted ransomware attacks. This Trojan was more sophisticated and was written to satisfy hacker needs of growing their revenue through scams at a higher level than the common fraud.

According to the FBI, CryptoWall was the most considerable ransomware targeting the US. As a result, “between April 2014 and June 2015, the IC3 (Internet Crime Complaint Center) received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million.”

Aside from encrypting ransomware, some cases of non-encrypting ransomware were also detected in 2010 in Russia.  WinLock was such a Trojan and a massive scam worth $16 million. It convinced users from Russia and neighboring countries to pay for a code through a text message. This code would get rid of the pornographic display on the computer and allow users to regain access into their machines.

Petya crypto-ransomware is the most recent discovery in terms of malware and was thoroughly looked into by Bitdefender. Unlike other malware, it works much faster and it encrypts the entire hard disk. It usually takes the form of an email containing a Dropbox URL or an attachment. As reported by Bitdefender, the malicious code is inserted manually by the developer, in order to avoid being detected by security software scans.

Malware-as-a-service spikes Android

After targeting Windows computers for years, the cybercrime world has shifted its attention towards a new victim: Android, Google’s operating system. As Android-running hardware is predominant in the mobile market, ransomware attacks are breaking out not only in Eastern European countries, but have spread to the USA and Japan. Although not as advanced as its Windows counterpart, Android ransomware could be more threatening, as mobile devices are packed with both personal and corporate data which is rarely backed up offline.

Early Android malware attacks date back to 2013 when they were mostly based on scareware. They pretended to be legitimate applications meant to scare the user that the mobile device was infected with malware. The criminal group responsible for the Reveton / IcePol ransomware for PC developed Dubbed Android.Trojan.Koler.A. This ransomware for Android tricked users it was a video player which granted premium access to porn.

The next level of ransomware is the PIN Locker. It pretends to be a system update notification which changes the phone’s PIN code once installed and granted access. The user either paid the ransom or reset the device to factory settings.

Since then, hackers have improved their skills and moved on to developing a new category: encryption-based ransomware. The new and improved crypto-ransomware for Android encrypts data stored on external SD memory cards. It is highly developed, it mirrors the PC version, and has made a large number of victims, corporates included. The media named it Simplelocker.

If you’re in Russia and you’ve recently received a text inviting you to visit an adult website to download a porn app, then you’ve just witnessed the most recent type of ransomware for Android mobile phones. This ransomware not only exploits the porn industry, but once activated it threatens to alert authorities that you are part of a child pornography network.

Because it can tell the language of the device and will translate the message into any available language, Android.Lockdroid ransomware has spread throughout Europe, the US, and Japan. To protect your mobile phone, smartwatch or internet-connected TV against the escalation of Android malware, avoid accessing shady links and downloading apps or files from unauthorized sources.

In 2005, Bitdefender named the top Android Malware families in terms of distribution:  Android.Trojan.FakeInst, Android.Trojan.SMSSend, Android.Trojan.Agent, Android.Trojan.HiddenApp, and Android.Trojan.Slocker.


In late 2015, the Russian anti-malware company, Dr. Web, caught the first Trojan tailored for Linux – Linux.Enconder.1. For Linux, this malware family uses a mixed-encryption algorithm to exploit the vulnerabilities on the servers. Security experts from Bitdefender have investigated Linux vulnerabilities, establishing that “attackers leverage a flaw in the popular Magento content management system app. Once executed, the Trojan looks for the /home, /root and /var/lib/mysql folders and starts encrypting their contents.” Linux.Encoder is similar in behavior with CryptoLocker and other malware families for Windows. More technical information about Linux.Encoder.1 can be read in this paper put together cryptography experts at Bitdefender.

Nonetheless, Linux.Encoder can be easily fixed. A decryption tool has now been made available by Bitdefener for Linux users. The tool analyzes the files and restores them to their original state.

Apple no longer exempt from ransomware attacks

Simply because Windows and Android devices are more susceptible to ransomware attacks, it’s no longer accurate that OS X users are safe. Macs are now just as exposed as Windows computers. The most recent malicious code detected to attack OS X is KeRanger. This ransomware is no different from others: it locks the data on the Mac and requires payment in Bitcoins to release the decryption key.

The first known large-scale malware outbreak for iOS was detected at the end of 2015. XcodeGhost was present in applications available in the Apple App Store. The scammers intended to use this malware to steal private user data to authorize access to Apple ID and iCloud.

Following the money trail

The purpose of ransomware scams is to always encourage users to proceed with payment towards suspicious, untraceable prepaid cards. Payment can take the form of a wire transfer, text message, online payment or even Bitcoin. It’s not very clear what types of criminal activities or covert operations are financed as a result of this quick money.

The rage around ransomware is a result of the untraceable nature of Bitcoin payments. Due to its anonymity, this virtual currency has grown in popularity on the black market, and in use when it comes to money laundering, Ponzi schemes, and malware. In the early days of scamming, Bitcoin was not an option because it was only released in 2009. Those were the days when authorities had it easier in detecting scammers, as payments we made via PayPal, prepaid cards and vouchers like iTunes and Amazon gift cards. These were easier to recognize and expose, unlike Bitcoin which is anonymous. As a result of its pervasiveness, Bitcoin value skyrocketed, with 1 Bitcoin’s estimated worth of $447.21.

Best practices to minimize the risk of infection

Ransomware attacks are difficult to defeat, but not impossible. Although authorities have joined forces internationally to come up with the best strategies to prevent these scams, there are some steps which can be easily implemented by users to protect their infrastructure.

For too long now, the average user has neglected to install security updates for their operating system or failed to update or uninstall corrupt plugins. The most common vulnerabilities are in Java and Adobe applications, and are constantly exploited by attackers.

It’s better to be safe than sorry. The installation of a robust software security solution together with a strong backup system are the first actions to be taken against ransomware attacks. Regular backups in an offline password-protected system will protect the user from losing valuable data in case of a malware attack. In case of infection with the recently detected Petya, security company Bitdefender produced a vaccine which needs to be installed before the attack. It’s critical to follow these guidelines prior to infection, otherwise no existing software will be able to save the encrypted data.

About the author


From a young age, Luana knew she wanted to become a writer. After having addressed topics such as NFC, startups, and tech innovation, she has now shifted focus to internet security, with a keen interest in smart homes and IoT threats. Luana is a supporter of women in tech and has a passion for entrepreneurship, technology, and startup culture.