July 8, 2013 By Dancho Danchev

Novel ransomware tactic locks users’ PCs, demands that they participate in a survey to get the unlock code

From managed ransomware-as-a-service ‘solutions’ to DIY ransomware-generating tools, this malicious market segment is as hot as ever, with cybercriminals continuing to push new variants and, sometimes, introducing truly novel approaches to monetizing locked PCs.

In this case, they do so by forcing victims to complete a survey before they receive the unlock code.

More details:

Sample screenshot of the actual advertisement at a cybercrime-friendly international underground marketplace:


Its customers are able to add up to two survey links allowing them to earn more revenue from the ransomware victims who would be unwillingly participating in the surveys. The ransomware blocks the Task Manager, CMD, Regedit and the Start Menu. Its author accepts Bitcoin.

Although the ransomware doesn’t offer any sophisticated features (bypassing signature-based antivirus scanning is not a feature, it is an everyday reality), it provides an example of an efficient business model aiming to utilize cost-per-action (CPA) affiliate networks in an attempt to generate revenue for the market participants.

We’ll continue monitoring the development of this ransomware, and most importantly, whether or not this monetization model will scale across the international underground marketplace.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


  1. […] Packaged scams to get victims (referred to as “slaves”) to complete online surveys using ransomware have begun appearing in underground cybercrime forums. Webroot has a write-up on one such scam, together with screenshots, in a blog post here. […]

  2. […] in an attempt to generate revenue for the market participants,” Dancho Danchev wrote in a blog post where he also included a screenshot of the malware’s description that was posted on an […]