UPDATED 01:32 EDT / DECEMBER 12 2013


Sophos warns of rising ransomware threat in 2014

Cybercriminals are attempting to create a so-called “ransomware creation kit” in order to mass produce new variants of malware designed to extort money from PC users, reports security firm Sophos.

The warning comes from Sophos’ annual Security Threat Report, which revealed that ransomware has become far more widespread over the last 12 months. The company said that ransomware is all set to become the “market leader” of malware, due to Microsoft’s efforts to protect Windows computers against other kinds of attacks.

Online extortion

Ransomware refers to a special kind of malware that’s designed to extort money from PC users. Once the software installs itself onto a PC, it systematically encrypts data on the machine so that users can’t access it. Other forms of ransomware throw up a warning, saying that the computer has been used to view illegal porn or for illegal downloads, before ‘locking’ the PC. In either case, users will then be prompted to transfer money – perhaps in the region of $300 – in order to decrypt their data or unlock the PC.

Sophos’ biggest worry is that if cybercriminals do come up with a ransomware creation kit, this would remove the need for any coding experience – and if that were to happen, ransomware would become much more widespread.

According to the BBC, cybercriminals are most keen to emulate a ransomware program called Cryptolocker, which is said to affect in the region of 12,000 new victims each week. In recent weeks, both the US Computer Emergency Response Team (US-Cert) and the UK’s National Computer Crime Unit (NCCU) have issued warnings about Cryptolocker, which infects computers via fake emails that appear to come from financial institutions. Cryptolocker is capable of encrypting files on both the computer it infects and any network it’s attached to, before demanding a ‘ransom’ of around $800 in Bitcoin, the anonymous digital currency. Even worse, even after the ransom is paid, Cryptolocker fails to decrypt users’ files.

Now, Sophos is warning of discussions on cybercrime forums about how to produce a so-called ‘creation kit’ to make it easier to build new variants of Cryptolocker.

“Cryptolocker is very much a deviation from the norm,” said James Lyne, global head of security research at Sophos. “I actually think it is a sign of things to come.”

Sophos says that it’s worried about ransomware because this type of malware is often particularly difficult to remove. Firstly, ransomware can often lie dormant for weeks after infecting a computer, allowing it to infiltrate networks and infect any backup files too. In addition, advanced types often use RSA 2048-bit encryption keys, the same kind of encryption that banks use to protect their customers’ data.

Such is the difficulty of removing ransomware that the UK’s NCCU states that prevention is better than the cure, and warns computer users to be on the look-out for suspect emails containing fake attachments.

