SMS-based micro-payments are clearly becoming the monetization channel of choice for the majority of cybercriminals engaging in ransomware campaigns. The logic behind this emerging trend is fairly simple, and like everything else in the cybercrime underground these days, it has to do with efficiency.
Compared to micro-payments, the monetization channel GPcode used in 2008, E-gold and Liberty Reserve accounts communicated over email (with cases where the gang wasn't even bothering to respond to infected victims looking for ways to pay the ransom), looks like a time-consuming and largely inefficient way to "interact" with the victims.
Another recently released SMS-based ransomware showing persistent ads within the browser sessions of infected victims, and demanding a premium-rate SMS for removal, is the very latest indication of the micro-payment monetization channel trend.
The DIY ransomware is offered for sale at $100, with the typical "value-added" services in the form of managed undetected binaries through crypting. Since the command and control interface is web-based (PHP + MySQL), the author is actively experimenting with new features such as scheduled display of the ads, an inventory of banners and affiliate program links, and the ability to use multiple SMS numbers alongside multiple unlocking codes.
Are the currently active ransomware "vendors" trendsetters or are they still in experimental mode?
The business model of SMS-based ransomware is clearly lucrative, especially in situations where cybercriminals are known to combine two or three different monetization tactics. However, compared to the high profit margins that cybercriminals earn through the scareware business model, SMS-based ransomware remains a developing market segment.
By Dancho Danchev, Independent Security Consultant. Visit the blog maintained by Dancho Danchev here.
Related topics: Cybercrime, Malware, Mobile, Security