
China Bitcoin ransomware report: 11.9% of victims pay to recover their files

Qihu 360, the leading IT company in China, has released an annual report on the development of ransomware in China and predicts a tenfold growth in potential victims, to 50 million, in 2017.

1. Individual and enterprise victims
Wenting posted a weibo one week ago warning about Bitcoin ransomware. Her tone was serious:

This is the second time our lab has experienced extortion by Bitcoin ransomware. We paid around 10,000 RMB. Please spread the word to those who have lots of research data, especially those who are about to graduate.

The location tag of the weibo post indicates that she is earning her doctoral degree at the Institute of Hydrobiology of the Chinese Academy of Sciences. Unfortunately the post was not reposted, not even once. Her voice was weak, but she was not alone.
Last month, one of the top 10 threads on the Peking University BBS was a call for help from a victim of Bitcoin ransomware. The victim said he had received an email in his PKU mailbox with a PDF attachment. He double-clicked the file out of curiosity, and then all of his files were locked. 3 bitcoins were demanded to decrypt the files, and he was given detailed instructions as shown below:

[Screenshot: bitcoin ransomware payment instructions]

Obviously, the victim was seeking a free solution, but he soon realized that he was left with only two options: to pay or to format. Decryption without the private key is practically impossible. The comment from CharAznable is cold but realistic:

That depends on how much you value your data.

In fact, the outbreak of ransomware is so rampant that a municipal government had to release an official warning on taking precautionary measures against Bitcoin ransomware, as first disclosed on the 8btc forum.

[Image: gov-warning]

The Changzhou government released a warning against Bitcoin ransomware in November 2016.

The notice issued on 4th November by the Changzhou authority proposed four measures to prevent loss from Bitcoin ransomware: safe web-browsing conduct, implementation of a multi-level network security strategy, endpoint protection, and data backup and recovery.
It is unusual for a regulatory authority to issue an official notice aimed at a specific virus; this is probably the first of its kind in China.

2. 2016 China Bitcoin ransomware report
Cryptolocker is believed to be the first ransomware on the market, detected in 2013. Localization of similar viruses came 3 years later, when the first ransomware with Chinese-language instructions, Locky, was intercepted by Antiy, a Chinese internet security company.

Ransomware is a denial-of-access attack that prevents computer users from accessing files since it is intractable to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file. -Wikipedia

On 15th December, the 360 Internet Security Center released its annual report on ransomware in China for 2016. Some figures are listed below:

  • From 1st Jan to 29th Nov 2016, a total of 113 types of ransomware were intercepted from 167,000 samples, and at least 4.97 million PCs were infected nationwide.
  • Cerber, Locky and XTBL are the top 3 ransomware families.
  • Web page Trojans, email attachments and server breaches are the most common attack vectors.
  • Among the domestic ransomware victims, 18.9% were enterprise users and 81.1% were individuals.
  • The IT / Internet industry is the most affected sector, accounting for 25.7%; the manufacturing sector followed at 18.8%, and government or public institutions at 14.4%.
  • 42.6% of the victims do not know how they were infected with the virus; 21.8% were infected by browsing unfamiliar web pages, 11.9% by downloading software, 8.9% by clicking on an email attachment, 5.0% through exchanging flash drives, and 3.5% by being remotely controlled via port 3389 (RDP).
  • Among those who did not want to pay the ransom, 39.9% of the victims did not believe that paying would actually work, 24.7% did not want to surrender to the hackers, and 10.7% chose to believe that there would be alternative tools to recover the encrypted files.

360 is the leading IT company in China, claiming to be the No. 1 internet security company in China with 600 million users, among which 1 million are enterprise accounts. The report soon became the source for many similar reports in China's mainstream media.

3. Bitcoin payment is difficult for common users
The third chapter of the report is about bitcoin payment. A sample survey indicates that 11.9% of victims chose to pay the ransom to recover their files; of these, 58.4% paid via Taobao, 33.3% by following the ransomware's instructions, and the rest by resorting to friends.
However, not every payment attempt is successful. Of those who sought payment via Taobao, 92.9% eventually paid successfully and recovered their files. Only 50% managed to pay by following the ransomware's prompt instructions. The most unreliable means was through friends, with zero success. In the end, 70.8% of paying victims delivered the payment. That means bitcoin payment through self-education is not that easy.
As "Bitcoin" is a censored word on Taobao, I searched for "ransom" instead and found an individual shop that offers to decrypt files at the price of 3,600 RMB. The 77 user comments mostly praise the shop owner's timely service, even at midnight.

[Screenshot: taobao-77-deals]

Taobao shop that offers a decryption service

The survey also reveals that the importance of the encrypted data is the most important factor in choosing whether to pay or to format. The other three factors are monthly income, job position and industry.

CEOs, chairmen, presidents and other core business leaders are the most willing to pay a ransom, accounting for 25.0%, because their computers often host core data that does not necessarily have backup copies. On the other hand, none of the senior or secondary-level executives are willing to pay a ransom, mainly because their files are usually backed up by their subordinates.
Victims in the financial sector are the most willing to pay a ransom, accounting for 33.3%, followed by 20.0% in the energy sector, 14.3% in foreign trade, 9.6% in IT / Internet, 7.9% in manufacturing and 4.8% in schools. Financial employees often hold important data related to investment, risk analysis and so on.

4. Alternative solution
At the end of the report, 360 offers to pay up to 200 bitcoins to enterprise users if they are infected.
To enter into the agreement, users must turn on the anti-ransomware service as shown below:

[Screenshot: 360-service-on]

360 anti-ransomware service

As per the service agreement, if a user's PC is infected while under the protection of the 360 service, 360 promises to pay up to 3 bitcoins for individual accounts and 200 bitcoins for enterprise accounts.
Dr. Pei Zhiyong, the author of the annual report, points out that in the past virus makers had to keep up with technology advancements, finding loopholes to facilitate extensive propagation. The more victims, the more profit they could make. But things have changed with the combination of cryptography, the Tor network and Bitcoin payment. These technologies are mature and easy to replicate, and Bitcoin is the final link in the business model. A traditional virus must fight anti-virus software to survive in the victim's operating system. Now, with one-time encryption, the victims have to delete the files or pay at least one Bitcoin, or 800 USD equivalent at today's spot price. In the past such an amount could only be achieved with thousands of infected terminals.

5. 50 million PCs targeted in 2017
In the first half of 2016, around 580,000 PCs were attacked, and the number grew eightfold in the second half.

[Chart: ransomware-attack-april-may]

Ransomware attacks from April to May 2016.

[Chart: ransomware-attack-aug-nov]

Ransomware attacks from August to November 2016.

The outbreak in the second half of 2016 is said to be linked to a Trojan on a major financial website. In 2016, at least 4.97 million PCs were attacked, and the number is expected to grow tenfold to 50 million in 2017.

6. Regulation
Earlier today, the Supreme People's Court of China published an official interpretation on telecom fraud and other criminal cases. Criminals who have committed fraud involving more than 3,000 RMB of public or private property can be sentenced to less than 3 years' imprisonment, 3 to 10 years' imprisonment for 30,000 RMB, and life imprisonment for amounts above 500,000 RMB.

Fraud committed via phishing sites, Trojans and network penetration is listed among the 10 scenarios that will receive severe punishment.

Bitcoin has two sides, just like any other coins in the history of mankind.

Download the full 21-page report (Chinese).

COMMENTS(8)

  • BitcoinAllBot
    2 months ago

    Here is the link to the original comment thread. Or you can comment here to start a discussion. Author: 8btccom

  • Calm_down_stupid
    2 months ago

    11.9% hmmm….

    Warning, reading this message means your computer has been infected, send coins to me immediately before encryption starts. I am your only hope, don’t call the cops or we will double encrypt your shit.

    You have 15 mins from reading this message, if you are the other 88.1% then move on nothing to see here.

  • hl5460
    2 months ago

    Qihu 360, the leading IT company in China, releases an annual report on the development of ransomware in China and predicts 10 times growth of potential victims or 50 million in 2017. http://news.8btc.com/chinese-bitcoin-ransomware-report-11-9-victim-pay-to-recover-their-files

  • 1Referee
    2 months ago

    No surprise. Bitcoin has been the ultimate payment tool for "getting rid" of ransomware, as is being promised when payment is completed. Right now it's either Western Union or MoneyGram that is being used for such purposes, but Bitcoin is far more interesting since it can be sent over instantly without leaving any trails behind. But I have always said it, never reward these criminals as it only gives them more incentive to continue doing this. Just make sure you at all times have an active and recent backup that you can fall back on. Just secure erase the drive, and problem solved.

  • 8btccom
    2 months ago

    LOL. It sounds all right.

  • temotodochi
    2 months ago

    That's a pretty good turnover and it's based on trust. Keys have to be delivered after each payment or the next customers won't pay up. Weird.

  • hl5460
    2 months ago

    Quote from: 1Referee on December 21, 2016, 06:39:28 AM
    No surprise. Bitcoin has been the ultimate payment tool for "getting rid" of ransomware, as is being promised when payment is completed. Right now it's either Western Union or MoneyGram that is being used for such purposes, but Bitcoin is far more interesting since it can be sent over instantly without leaving any trails behind. But I have always said it, never reward these criminals as it only gives them more incentive to continue doing this. Just make sure you at all times have an active and recent backup that you can fall back on. Just secure erase the drive, and problem solved.

    Wondering when bitcoin will be used as ransomware in a movie.

  • just_Alice
    2 months ago

    Quote from: hl5460 on December 21, 2016, 05:57:07 AM
    Qihu 360, the leading IT company in China, releases an annual report on the development of ransomware in China and predicts 10 times growth of potential victims or 50 million in 2017. http://news.8btc.com/chinese-bitcoin-ransomware-report-11-9-victim-pay-to-recover-their-files

    At first I thought, no wonder Qihu 360 are trying to scare people so they start using their antivirus products. But on the other hand maybe they are right in a way. More and more ransomware has been developed lately and who knows, maybe the number of potential victims will really reach 50 million in 2017.
