Russian Worm Fleeces Porn Site Users
YNOT – An apparent Russian crime syndicate has extorted more than $29,000 from about 2,500 people in the past five weeks by disseminating a file-locking worm via infected porn websites, instant messaging and USB drives, according to a report from antivirus vendor Trend Micro.
After invading a PC, Worm_Rixobot.A terminates Windows and security processes and blocks access to the web, then demands that users pay a fee equivalent to $12 in Russian rubles via premium-rate SMS to regain control. Trend hackers breached the syndicate’s servers and discovered the original “payload” file was downloaded 137,000 times during December alone, mostly by users with Russian IP addresses, but 3,000 downloads went to the UK. The total amount extorted from users worldwide may be even higher than initial estimates, a Trend representative said.
Trend attributed the success of the extortion plot to a combination of the way Worm_Rixobot.A piggybacks on other malware, a relatively low ransom fee and an easy payment method. The worm itself is not particularly sophisticated, researchers said, but because the fee demanded is so low, most victims evidently prefer to pay for an unlock key instead of digging into their operating systems to remove the worm’s components.