It might surprise you to know that ransomware uses geolocation technology to customize payloads and target individuals. You probably already know that geolocation is the approximate place where an Internet-connected device resides. Geolocation obtains an approximate location of a connection by referencing a machine’s IP address against various databases. As a reminder, an IP address is the numeric label a device is assigned under the Internet Protocol, the protocol by which data is sent from one computer to another on the Internet.
Those databases are maintained by Internet Service Providers (ISPs) and Traffic Detection Services (TDS), which record the places where an IP address has been used. Geolocation data does not reveal the street address of an Internet-connected device, but it can get within 10 to 20 miles of the device’s location.
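The lookup just described, an IP address matched against a table of address blocks and the region each block was registered in, is the same mechanism defenders use to enrich their own logs. The example below is added here and is not code from the original post; the prefix table, the log format and the log lines are constructed for illustration, and the region codes are placeholders rather than real geolocation data. It shows the longest-prefix match a geolocation database performs, then tags constructed sign-in records with a region and flags the ones that fall outside the regions an organisation expects to see.

```python
"""IP-to-region lookup of the kind geolocation databases perform, applied to
log enrichment. Constructed example: the prefix table and log lines are made
up for illustration and are not real geolocation data."""
import ipaddress
import re

# Constructed prefix table of (CIDR block, region). Real databases hold many
# millions of entries keyed by the prefixes registered to ISPs.
PREFIX_TABLE = [
    ("203.0.113.0/24", "US"),
    ("198.51.100.0/24", "JP"),
    ("198.51.100.128/25", "DE"),   # more specific prefix wins over the /24
    ("192.0.2.0/24", "BR"),
]

_NETWORKS = [(ipaddress.ip_network(cidr), region) for cidr, region in PREFIX_TABLE]


def lookup_region(ip: str) -> str:
    """Return the region of the longest (most specific) matching prefix,
    or 'unknown' when no block covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, region in _NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, region)
    return best[1] if best else "unknown"


# Constructed log format: timestamp, user, source address, action.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$")


def enrich_and_flag(log_lines, expected_regions):
    """Parse constructed sign-in log lines, tag each with a region, and flag
    those whose region is not in the set the organisation expects."""
    results = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        region = lookup_region(m["src"])
        results.append({
            "user": m["user"],
            "src": m["src"],
            "region": region,
            "flagged": region not in expected_regions,
        })
    return results


# Constructed sample log lines (documentation-range addresses, not real hosts).
SAMPLE_LOGS = [
    "2024-01-01T09:00:00Z user=alice src=203.0.113.45 action=login",
    "2024-01-01T09:01:00Z user=bob src=198.51.100.200 action=login",
    "2024-01-01T09:02:00Z user=carol src=192.0.2.9 action=login",
    "2024-01-01T09:03:00Z user=dave src=10.0.0.5 action=login",
]

if __name__ == "__main__":
    for row in enrich_and_flag(SAMPLE_LOGS, expected_regions={"US", "JP"}):
        print(row)
```

The flagged rows are only a starting point for triage: geolocation is approximate, VPN and mobile carrier addresses move around, and a block's registration can lag behind its actual use, so a region mismatch is a reason to look closer rather than proof of compromise.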
Extortionists use this geolocation information to direct ransomware to specific regions where they believe they can get a big return. They might also use geolocation to customize ransom messages for each target region, so that you are fooled into thinking a fraudulent email or link actually leads to information you want or need, for example about changes at your regional bank or utility provider.
Ransomware distributors can also target regions or countries with a higher average income, such as the United States, Japan, and Europe, where users are more capable of paying more than $500 for the keys to decrypt their data. Recently I wrote about how ransomware distributors are using graphic designers and online chat tools to make it simpler, and more likely, for victims to pay; geolocation is just another way that ransomware is becoming more sophisticated.
Ransomware uses geolocation to customize the language and content of the ransom message it displays to a user. Cybercriminals know that it is much easier to get paid if their victims do not need to translate the message first, so they write ransom messages in the language of the victim’s region. Some ransomware also checks the computer’s language settings in addition to the geolocation information to make sure it uses the correct language.
A variety of ransomware threats have included false claims from law enforcement agencies that the user has conducted illegal activities such as downloading copyrighted movies, games, or music. Those that falsely claim to be from a law enforcement agency have the greatest chance of success when the agency they claim to represent is one that has jurisdiction over the intended victim. These schemes lock the computer until a “fine” is paid to the extortionists, and they use geolocation to choose which law enforcement agency appears in the ransom message.
As you can see, geolocation is an essential part of ransomware. No matter where you live, though, the basic rules of data protection apply. Avoid phishing emails that lead you to bogus sites. Back up your data with a reliable provider. Take the time to check any reminder or invitation to click on a link, or to upgrade an application or browser, simply by hovering over the link to see the full URL. Often you will find suspicious words in the URL you are being encouraged to use. Ransomware of any type feeds on fear and on the urge to move fast to avoid danger. Instead, take the time to look for any hints of trouble.
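The "hover over the link" check above can be written down as code, which makes the individual tells explicit. The example below is added here and is not code from the original post; the email body, the hostnames and the list of bait words are constructed for illustration, and the domain-extraction helper is a deliberate approximation (it takes the last two labels rather than consulting a public-suffix list). It pulls each link out of an HTML message, compares the domain the link text shows with the host the href actually points to, and reports the warning signs a careful reader would notice: a plain-HTTP or non-web scheme, a raw IP address as the host, a punycode hostname, a displayed domain that differs from the real destination, and bait words such as "login" or "secure" stuffed into the subdomain.

```python
"""Inspect the links in an email body the way a reader does by hovering: find
the real destination and compare it with what the link appears to say.
Constructed example; the message, hostnames and word list are made up."""
import ipaddress
import re
from urllib.parse import urlparse

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
# Constructed list of words phishers like to put in hostnames to look official.
SUSPICIOUS_WORDS = {"login", "verify", "secure", "update", "account", "invoice"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list, so 'co.uk'-style suffixes are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(href: str, text: str) -> list:
    """Return a list of human-readable warning signs for one link (empty if none)."""
    findings = []
    try:
        url = urlparse(href)
    except ValueError:
        return ["unparseable href"]
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https"):
        findings.append(f"non-web scheme: {url.scheme or 'none'}")
    elif url.scheme == "http":
        findings.append("not HTTPS")
    if is_ip_literal(host):
        findings.append("host is a raw IP address")
        return findings  # the domain-based checks below do not apply
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode hostname")
    # Does the visible text name a domain that differs from the real destination?
    shown = DOMAIN_IN_TEXT_RE.search(text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"displayed domain {shown.group(1)} differs from actual host {host}")
    # Bait words in the subdomain part, e.g. secure-login.<registrable domain>
    sub = host[: -len(registrable_domain(host))].rstrip(".") if host else ""
    hits = sorted(w for w in SUSPICIOUS_WORDS if w in sub)
    if hits:
        findings.append("suspicious words in hostname: " + ", ".join(hits))
    return findings


def inspect_email(html: str) -> list:
    """Return (href, link text, findings) for every anchor in the message."""
    return [(href, text.strip(), inspect_link(href, text)) for href, text in ANCHOR_RE.findall(html)]


# Constructed sample message; the hostnames use reserved example/test names.
SAMPLE_EMAIL = """
<p>Your account needs attention.
<a href="https://secure-login.mybank-verify.test/reset">www.mybank.example</a></p>
<p>Or <a href="http://203.0.113.7/update">update your browser</a>.</p>
<p>Read our <a href="https://www.mybank.example/policy">privacy policy</a>.</p>
"""

if __name__ == "__main__":
    for href, text, findings in inspect_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for f in findings:
            print("   !", f)
```

A link with an empty findings list is not automatically safe, and a flagged one is not automatically malicious; the point of the checks is the same as hovering: to slow down and look at the real destination before clicking.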