As we predicted toward the end of last year, we are once again seeing an upswing in ransomware activity in 2013. The ransomware extortion scam has existed for a number of years, but its popularity among cybercriminals has grown over the last two years, and it continues to indiscriminately plague computer users in greater numbers. Symantec has tracked this growing menace in various blogs, a whitepaper, and a video.
In the last week, Symantec has observed a new worldwide spike in ransomware activity. While several variants of the ransomware threat are responsible for the overall spike, the main variant being observed is Trojan.Ransomlock.Y. This variant is being distributed through pornographic websites that lead to the Impact Exploit kit. Symantec has the following Intrusion Prevention Signatures (IPS) in place for the Impact Exploit kit and is observing a similar telemetry spike in detections of this exploit kit:
- Web Attack: Impact Exploit Kit Website
- Web Attack: Impact Exploit Kit Website 2
- Web Attack: Impact Exploit Kit Website 3
Figure 1. Screenshot of Trojan.Ransomlock.Y
If you are a victim of a ransomware extortion scam, the golden rule is not to pay the ransom to the cybercriminals. Payment in no way guarantees that your computer will be unlocked and can be a costly mistake. Paying any such ransom also fuels further cybercrime. Symantec provides a set of removal instructions that can help remove these threats.