China Bitcoin ransomware report: 11.9% victim pay to recover their files
Qihu 360, the leading IT company in China, releases an annual report on the development of ransomware in China and predicts 10 times growth of potential victims or 50 million in 2017.
1. Individual and enterprise victims
Wenting released a weibo one week ago, warning the Bitcoin ransomware. Her tone was serious:
This is the second time our lab experienced extortion by Bitcoin ransomware. We paid around 10,000 RMB. Please spread the words to those who have lots of research data, especially those who are about to graduate.
The location of weibo indicates that she is earning her doctoral degree in the Institute of Hydrobiology of Chinese Academy of Sciences. Unfortunately the weibo was not reposted, not even once. Her voice was weak but she was not alone.
Last month, one of the top 10 threads in Peking University BBS was a call for help from a victim of Bitcoin ransomware. The victim said he received an email in his PKU emailbox with a PDF attachment. He doubled click the file out of curiosity, then all of his files were locked. 3 bitcoins were demanded to decrypt the files and he was given a detailed instruction as below:
Obviously, the victim was seeking a free solution but he soon realized that he was left with only two options: to pay or to format. The decryption without private key is almost impossible. Comment from CharAznable is cold but realistic:
That depends on how much you value your data.
In fact the breakout of ransomware is so rampant that a municipal government has to release an official warning on taking precautionary measures against Bitcoin ransomware, as first disclosed on 8btc forum.
Changzhou government released a warning against Bitcoin ransomware in November 2016
The notice on 4th Nov by Changzhou authority proposed 4 measures to prevent loss from bitcoin ransomware like web-surfing conduct, implementation of multi-level network security strategy, terminal protection and data backup and recovery.
It’s unusual for a regulatory authority to issue an official notice aiming for a specific virus, probably the first of its kind in China.
2. 2016 China Bitcoin ransomware report
Cryptolocker is believed to be the first ransomware in the market when it was detected in 2013. The localization of similar virus came 3 years later when the first ransomware with Chinese instructions, Locky, was intercepted by Antiy, a Chinese internet security company.
Ransomware is a denial-of-access attack that prevents computer users from accessing files since it is intractable to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file. -Wikipedia
On 15th December. 360 Internet Security Center released an annual report of 2016 China Ransomware. Some figures are listed below:
- From 1st Jan to 29th Nov, 2016, a total of 113 types of ransomware were intercepted from 167,000 samples and at least 4.97 million PCs have been infected nationwide.
- Cerber, Locky, XTBL are the top 3 ransomeware tree.
- Web page Trojans, email attachment and server breach are the most common attack vectors.
- Among the domestic ransomware victims, 18.9% were enterprise users and 81.1% were individuals.
- IT / Internet industry is the most vulnerable sector, accounting for 25.7%; followed by the manufacturing sector accounted for 18.8%, government or public institutions accounted for 14.4%.
- 42.6% of the victims do not know how they are infected with the virus, 21.8% were infected by browsing unfamiliar webpage, 11.9% were infected by downloading software, 8.9% were infected by clicking on the email attachment, 5.0% caught virus through the flashdisk exchange and 3.5% is remotely controlled via port 3389.
- Among those who did not want to pay ransom, 39.9% of the victims did not believe the money will actually work, 24.7% did not want to surrender to hackers, 10.7% chose to believe that there would be alternative tools to recover the encrypted files.
360 is the leading IT company in China, claiming to be the 1# internet security company in China with 600 million users, among which 1 million are enterprise accounts. The report soon became the source of many similar reports in China’s mainstream media.
3. Bitcoin payment is difficult for common users
The third chapter in the report is about bitcoin payment. A sample survey indicates that 11.9% victims choose to pay the ransom to recover files, among which 58.4% are paid via taobao, 33.3% by following ransomware instructions and the rest by resorting to friends.
However, not every payment attempt is successful. For those who seek payment via taboo, 92.9% of the victims eventually paid off successfully and recovered their files. Only 50% managed to pay via ransomware prompt instructions. The most unreliable means is through friends with zero success. In the end, 70.8% victims finally delivered the payment. That means bitcoin payment via self-education is not that easy.
As Bitcoin is a censored word on taobao, I searched “ransom “instead and found an individual shop that offers to decrypt files at the price of 3, 600 RMB. 77 user comments are mostly praising the shop-owner’s timely service even in mid-night.
Taobao shop that offers decryption service
The survey also reveals that the importance of data infected is the most important factor in choosing to pay or to format. The other three factors are monthly income, job position and related industry.
CEO, chairman, president and other core business leaders are most willing to pay a ransom, accounting for 25.0%. Because their computers often host core data that does not necessarily have backup files. On the other hand, none of the senior or secondary level of executives is willing to pay a ransom, mainly due to their files are usually backed up in their subordinates.
The financial sector victims are most willing to pay a ransom, accounting for 33.3%, followed by 20.0% from the energy sector, 14.3% for the foreign trade sector, 9.6% for the IT / Internet, 7.9% for the manufacturing sector and 4.8% for the school. Financial employees often host important data related to investment, risk analysis etc.
4. Alternative solution
At the end of the report, 360 offers to pay up to 200 bitcoin for enterprise users if they are infected.
To enter into the agreement, users must turn on the anti-ransom service as described below:
360 anti-ransomware service
As per service agreement, if users PC got infected under the protection of 360 service, 360 promises to pay up to 3 bitcoins for individual and 200 bitcoins for enterprise accounts.
Dr.Pei Zhiyong, the author of the annual report, points out that virus makers have to compete with technology advancements, finding loopholes to facilitate extensive propagation in the past. The more victims, the more profits they could make. But things have changed now with the combination of cryptography, Tor network and Bitcoin payment. These technologies are matures and easy to replicate. Bitcoin is the final link in the business model. Traditional virus must combat with anti-virus software to survive in the victim’s operation system. Now with one-time encryption, the victims have to delete the files or pay at least one Bitcoin, or 800 USD equivalent at today’s spot price. Such amount could only be achieved with thousands of infected terminals in the past.
5. 50 million PC targeted in 2017
In the first half of 2016, around 580,000 PCs were attacked and the number grew 8 times in the second half.
The ransomware attacks from April to May 2016.
Ransomware attack from August to November
The outbreak in the 2nd half of 2016 is said to be linked to a Trojan on a major financial website. In 2016, at least 4.97 million PCs were attacked and the number is expected to grow 10 times to 50 million in 2017.
Earlier today, the Supreme People’s Court of China publicized an official interpretation on the telecom fraud and other criminal cases. Criminals who have committed frauds with value of more than 3,000 RMB of public and private property can be sentenced to less than 3 years imprisonment, 3 to 10 years imprisonment for 30,000 RMB and lifetime imprisonment for amount above 500,000 RMB.
Frauds committed via phishing site, trojan and network penetration is listed among the 10 scenarios that will receive severe punishment.
Bitcoin has two sides, just like any other coins in the history of mankind.
Download the 21 page report full report(Chinese).