How ransomware creeps cash out their payments

Brian Krebs offers an in-depth look at a "cashout" service used by ransomware crooks to get money from their victims. Ransomware is malicious software that encrypts your personal files and demands that you pay a ransom for the key to decrypt them; the crooks who run the attacks demand that their victims buy prepaid MoneyPak cards and send the numbers for them by way of payment. But converting MoneyPaks to cash is tricky -- one laundry, which pipes the money through a horse/dog-track betting service, charges a 60% premium.

* The ransomware victims who agree to purchase MoneyPak vouchers to regain control over their PCs.

* The guys operating the botnets that are pushing ransomware, locking up victim PCs, and extracting MoneyPak voucher codes from victims.

* The guy(s) running this cashout service.

* The “cashiers” or “cashers” on the back end who are taking the MoneyPak codes submitted to the cashing service, linking those codes to fraudulently-obtained prepaid debit cards, and then withdrawing the funds via ATMs and wiring the proceeds back to the cashing service, minus their commission. The cashing service then credits a percentage of the MoneyPak voucher code values to the ransomware peddler’s account.

How much does the cashout service charge for all this work? More than half of the value of the MoneyPaks, it would seem. When a user logs in to the criminal service, he is greeted with the following message:

“Dear clients, due to decrease of infection rate on exploits we are forced to lift the price. The price is now 0.6. And also, I explained the rules for returns many times, we return only cheques which return on my side if you cash them out after then we lock the account! There are many clients who don’t return anything, and I will work only with these people now. I warn you.”

Cashout Service for Ransomware Scammers


  1. Daily backups of your documents and photos are the best last-ditch defense against these sorts of attacks. I say last ditch because you can do a number of things to prevent it happening in the first place, but if you have a daily backup of your documents and photos and this happens, you can just wipe the hard drive and start over, no fuss, no muss.

    The daily backup thing is important for more than just these sorts of scams of course because anything could take out your hard drive and if you get any sort of virus infection the best course of action is to reformat and reinstall your OS.

    I hear good things about “mozy” online backup. An online backup has the added advantage of being off site as well. I personally use external USB drives (2) and a program called SyncBack (free version) and keep them locked in a fireproof safe. Realistically I run the backup to the drives about once a week.

    Before-it-is-too-late defense consists of an antivirus program (MS Security Essentials is OK defense-wise, but the best by far in terms of not being intrusive or slowing your machine down, and it is free), an adblock plugin in your browser, a JavaScript blocking plugin for your browser, a Flash blocking plugin for your browser and good internet habits in general.

    Never open anything that comes to you via email unless you asked someone to send it to you. Never means never. If they ask you if you got whatever they sent you, just explain to them you do not open anything sent to you via email. Even if they tell you ahead of time they are sending it or follow up to see if you saw the picture or got the ecard or whatever, just say no, sorry, (because you can’t trust they know what they are really sending).

    Really the same goes for links you get in email, basically never ever click a link in an email. If you for any reason think you need to follow a link sent in an email, close the email and then type the URL into your browser by hand or find the site via Google, or even better just pick up the phone and call the organization (especially bank related emails).

      1. When reading an email (you shouldn’t be reading an email), only use your peripheral vision. DO NOT stare at the email. Keep one eye closed while reading the email (you shouldn’t be reading an email) to avoid bilateral oculo-emailitis. DO NOT taunt the email.

      2. And which one of my suggestions is not considered to be best practices (aside from the MSE suggestion as best AV is open to debate)?

        But really, I am glad there are folks like you out there, they keep me employed.

          1. Not sure what you mean. The original post is certainly not a joke and people who treat sensible recommendations for online security as a joke do keep me employed. The down side is they also cost us all money and keep the bad guys employed as well.

          2. People should exercise caution. If you’re at the point where you don’t open ANY attachment unless it has been explicitly solicited (in writing, with a witness, I assume), or simply verify a link by actually looking at it, then quite frankly you should probably just stop using email, as you’re not cut out for the perils it brings.

            If I ever encounter anyone that refuses to open my attachments, I’ll come looking for you.

          3. Nested replies ran out so this is in reply to your last message:

            You would be surprised at the ways it has been possible and is still possible to fool the hover-over method of URL “verification” (especially if it is a long URL). If you followed my suggestion to disable JavaScript when you hover over a link then I no longer know a way to spoof the URL effectively, but with in-browser email clients JS usually has to be enabled.

            Here is a decent list of ways URLs can or used to be able to lie:

            And those are just the ones we know about, browser and email client bugs exist that we do not know about.

            It only takes one errant click and you are owned.

            Really it isn’t that hard to type in a url if you want to follow one.

            And again, while well intentioned, I am not trusting my security to people who send me things (or things that were supposedly sent by them; do you check the full email headers every time or are you sure their machine wasn’t owned?).

            If you want to come find me, no problem, I’ll send you a map to my house as an email attachment ;)

          4. Oh don’t get me wrong, I know the ways (I work with the web) – it’s just there is such a thing as being too worried :) As I say, exercise caution – once you’re at the point where you categorically refuse to open any attachment then you’re just crippling your own workflow, and you might as well not bother using email – and anyone else you work with is going to hate you.

            I think the most important thing is for people to be more aware of what they’re doing, and to exercise caution at all times – assuming you’re paying attention that should negate 99% of the threats.

            And let’s be honest, if you’re that paranoid you should be running all your traffic and email through software anyway – something most of us can’t avoid even if we tried. Postbox/gmail flags malicious content, as does Chrome. I’m sure neither is perfect, but I like to live on the wild side.
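The hover-over weakness argued over in the replies above can be checked mechanically on the receiving side. What follows is an added example, not code from the post or from any commenter: it parses a constructed HTML e-mail body and flags anchors whose visible text names a different host than the real `href`, or whose `href` hides the real host behind user-info or a punycode label. The `bank.example` / `example.net` names, the `203.0.113.7` address and the functions `host_of` and `suspicious_links` are all assumptions made for the illustration.

```python
# Added, illustrative code (not from the page): flags e-mail links whose visible text disagrees
# with the real target, the "hover-over" weakness discussed above. Sample data is constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname a browser would connect to; a bare 'www.x' is treated as http://www.x."""
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def suspicious_links(html):
    """Return (href, text, reason) triples for links a hover-over check would misjudge."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if urlsplit(href).username is not None:  # user-info trick: http://bank.example@<real host>/
            findings.append((href, text, "user-info before the real host"))
        elif any(label.startswith("xn--") for label in host_of(href).split(".")):
            findings.append((href, text, "punycode (look-alike) host"))
        elif "." in text and " " not in text and host_of(text) != host_of(href):
            findings.append((href, text, "visible text names a different host"))
    return findings

# Constructed sample body: two deceptive links and one honest one (reserved example names only).
SAMPLE_EMAIL = """
<p>Verify your account at <a href="http://login.example.net/verify">https://www.bank.example/</a></p>
<p>Or here: <a href="http://www.bank.example@203.0.113.7/">www.bank.example</a></p>
<p>Questions? See the <a href="https://help.bank.example/faq">FAQ page</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: text={text!r} href={href!r}")
```

Run against the constructed body it reports the first two links and stays silent on the honest "FAQ page" link, whose text is not a host name at all.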

  2. There has to be a way to get the Zetas to hate people who distribute malware. A few of them turning up dismembered would have some deterrent value if they feel that no government can touch them.

    1. I have a feeling Maynard G. might object to the use of his name in re a criminal activity.
      Like, you laundered, man?

  3. When it comes to scareware, I always worked on the assumption that if a major law enforcement agency knew you were dealing in child porn, they’d prefer to drop in unannounced over sending a threatening e-mail.

  4. So, the takeaway here is as long as I undercut the current cashiers, say, by only charging 55%, I’m going to corner the market?

      1. I’m not a security expert, but I’m pretty sure I should not admit to something like this on the internet.

  5. Linux has been the best way to prevent virus infection. I use a bootable USB stick to browse piratebay or other questionable sites.
