European fraudsters say pay up or your computer and files are goners!

Ransomware spreads from Europe to U.S. and beyond

By Robert E. Holtfreter, Ph.D., CFE, CICA; Tiffany McLeod
Ransomware hijacks computers and files and demands cash when end-users visit compromised websites or download a malicious attachment. Here’s how to combat this nefarious malware that’s traveling from Europe to the U.S. and around the world.

One evening, Suzie Duke logged onto her home computer to work on a project for an important business meeting the next day. When she went to a website to search for information, her computer locked up and a message appeared on the screen, purportedly from the FBI, stating she was in violation of federal law and that she would have to pay a fine of $300 with a MoneyPak card and, in return, would receive an unlock code to restore access to her computer. The website she accessed was compromised with a virus, which she activated when she visited it. 

Suzie called a work friend in the IT department, but he couldn’t offer a quick fix. So she panicked and purchased the MoneyPak card. Even though she couldn’t access other programs, she, of course, was able to click on the MoneyPak icon on the ransomware screen to insert the payment code, which was transferred to the fraudster who collected the money. However, the fraudster didn’t send her an unlock code so her computer remained locked, and she couldn’t access her programs. She contacted a computer technician who removed the ransomware. 

Suzie was the victim of a fast-growing and highly lucrative scam. The fraudsters, in effect, kidnapped her computer, held her programs hostage and demanded a ransom to unlock her computer. 

We recently learned of this actual case (we’ve changed the victim’s name), which is representative of others’ tales. The burgeoning ransomware scam on Windows-based computers has emptied the wallets and purses of scores of victims in 2012, especially in Eastern European countries. This year, the fraud is moving into other countries, including the U.S. 


Ransomware is closely related to the “scareware” fraud that we reported on in two Fraud Magazine articles in 2011 ("Scareware Fraud: All Trick and No Treat? Part One" and "Scareware Fraud, Part Two"). In both ransomware and scareware schemes, fraudsters follow the same script by using extortion tactics to panic victims and trick them into unloading their cash and personally identifiable information (PII). 

Traditionally, scareware fraudsters will confront users with notices claiming that their computers are infected with dangerous viruses. The notice will direct the victim to download a “free” program to remove the virus, which then “finds” the supposed virus and promises to remove it and protect the computer from future viruses for a small fee — generally $40 to $50. The user pays, and the notices disappear, but the program surreptitiously collects PII such as passwords, credit card numbers and bank records. Instant identity theft!

Ransomware follows the traditional pattern of scareware but with more vigor. The user isn’t asked to download a program. Instead, depending upon the form of ransomware, the program automatically downloads and installs when a user visits an infected website or opens a malicious attachment in an email message. Some ransomware programs don’t even bother with scare tactics; they simply lock or encrypt computer files and demand a ransom to restore access. 

Traditional scareware threatens damage, but some forms of ransomware actually carry out the threats by deleting files even if the victim does pay up. And, as with traditional scareware, ransomware also collects and transmits PII from the moment of installation.


According to Microsoft’s Malware Protection Center, ransomware comes in two forms: lockscreen and encryption.

Lockscreen ransomware (also known as winlocker ransomware) is the predominant form of the scam. This type displays a full-screen image or web page that prevents the user from accessing anything on the affected computer. To increase the user’s panic level, fraudsters use social engineering techniques such as displaying “images and logos of legal institutions to give their scam an air of legitimacy,” according to Microsoft’s Malware Protection Center. (See Screen shot No. 1 below.)

Screen shot No. 1: Image courtesy of "Malware don't need coffee." 


Encryption ransomware, a less common form, uses a direct ransom demand approach instead of social engineering. After the fraudsters hook a victim, their ransomware, according to Microsoft’s Malware Protection Center, “encrypts your files [with complex algorithms] with a password, preventing you from opening them.” The fraudsters then demand payment in exchange for a password to access the encrypted files. (See Screen shot No. 2 below.) 

Screen shot No. 2: Image courtesy of "FBI and ICSPA - 'Computer locked, data encrypted' MoneyPak virus."


In our first article on scareware, "Scareware Fraud: All Trick and No Treat? Part One," we wrote that ransomware uses fear to extort money from victims. Instead of pretending to be security software, these programs might not only accuse the user of committing a crime but also threaten to remove the user’s access to a program or file if a fee isn’t paid. 

For example, one ransomware program targets those who use “bittorrent,” or peer-to-peer programs. Once the program infects the computer, it pretends to scan for copyright violations and then displays a professional-looking pop-up screen, informing the victim that stolen material was found on the computer. The victim is given the choice of challenging the finding in court or of settling the matter instantly by paying a $400 fine. If the victim refuses to pay up, the program continues to pop up every time the computer is restarted; it then locks the victim’s desktop until he or she gives in and pays the alleged fine.  
