Group scored $79k a month with infect-o-tronic rent-a-bot
24 Aug 2016
An alliance of cops and anti-malware experts have doused the Wildfire ransomware that plagued users in Belgium and the Netherlands.
Wildfire is carried in spam messages and demands up to 1.5 Bitcoins of ransom for files to be decrypted.
Security researchers have uploaded 1,600 decryption keys, with more to come, to No More Ransom, the joint ransomware-busting effort between McAfee and parent company Intel, Kaspersky Lab, Europol's EC3 cybercrime division, and Dutch police.
The group earned US$79,481 (£60,240, A$104,399) over the last month by infecting 5,309 systems, Intel Security chief technology officer Raj Samani and advanced threat researcher Christiaan Beek found.
"The victims were misled with a notice of a missed delivery and instructions for scheduling a new delivery by filling in a special form attached with the mail," the pair say.
"This form was in fact an obfuscated dropper that infects the victims with the ransomware.
"The actors behind Wildfire have clearly put a lot of effort into making their spam mails look credible and very specific."
Countries including Russia, Moldova, Estonia, Latvia, Lithuania and Belarus are excluded from being targeted by the ransomware, a tactic typically designed to avoid drawing local law enforcement heat.
Samani and Beek say the actors are likely a Dutch-speaking group due to language and iconography used in the Wildfire spam, but did not suggest the attribution was certain.
It also appeared Wildfire was operated under a service model in which criminals can rent ransomware and the necessary infrastructure to launch attacks against users, with commissions typically in the range of 20 to 30 per cent going to the malware writers.
Facilitators link new buyers to ransomware writers and to other necessary services, such as traffic pushers and encrypting services.
Criminals can net a conservative US$84,000 a month in the ransomware game for an investment of $6000, a whopping 1,425 per cent profit margin, Trustwave found last year. ®