
Crime pays very well: Cryptolocker grosses up to $30 million in ransom

No wonder street crime is down. If you want to make a dishonest living, cybercrime is the place to be. According to a Dell SecureWorks report by Keith Jarvis, the creators of the notorious CryptoLocker ransomware virus may have made as much as $30 million in a mere 100 days.

That’s a lot more than you’d earn stealing people’s iPhones -- and you’re far less likely to get caught. (It’s also a lot more than you’d get doing honest work.)

The $30 million estimate comes from a Geek.com article by Lee Mathews, and is based on the SecureWorks report’s numbers. The original report includes a speculation that at least 0.4% of CryptoLocker victims end up paying the ransom, “and very likely many times that.” The report also admits that “These figures represent a conservative estimate of the number of ransoms collected by the CryptoLocker gang.”

CryptoLocker first appeared in the wild in early September. Like most ransomware, it attempts to scare people into sending money by closing off access to their data or threatening to do so. But unlike previous such programs, CryptoLocker makes good on its threats. Whereas previous ransomware viruses might trick you into paying their blood money by hiding your documents and other data files where any competent techy could find them, CryptoLocker really encrypts the files. And it does a good job of it. Jarvis’ report states that “CryptoLocker uses strong third-party certified cryptography offered by Microsoft's CryptoAPI. By using a sound implementation and following best practices, the malware authors have created a robust program that is difficult to circumvent.”

In other words, if CryptoLocker infects your computer, and you don’t have a recent and reliable backup, your choices are between paying the $300 ransom and kissing your documents, spreadsheets, and photographs goodbye. Surprisingly, if you do pay the ransom, you get your files back.

Keeping promises -- not a behavior usually associated with thieves -- suggests that whoever is behind CryptoLocker is treating it like a real business. When people balked at using credit cards to send money to criminals, these particular criminals started accepting Bitcoins. They’ve even responded to the insane Bitcoin deflation of recent months. When they first started accepting the virtual currency, they priced your files at 2 BTC. But as the price of a Bitcoin skyrocketed against real currencies, that price dropped three times, and as of Wednesday was down to 0.3 BTC.

That’s an awfully polite gesture for extortionists.

Of course, the rising cost of Bitcoins may have helped the criminals considerably. Jarvis estimates that they received nearly $380,000 in Bitcoins (it appears that most people still pay with credit cards). “If they elected to hold these ransoms, they would be worth nearly $980,000 as of this publication.”

I don’t want to make the people running this racket sound like gentlemen thieves. They’re crooks who steal your vital information, then make you buy back what is rightfully yours. They deserve jail time, not $30 million.
