First spotted in Russia in 2005, ransomware attacks have since spread to other countries - mainly those of the Western world - by using geo-location to target users with fake notices seemingly coming from their local police.

"Multiple gangs produce their own variants; the social engineering is very good at getting users to pay up, and new versions are appearing all the time. Affiliate programs are also used to monetize this threat," Trend Micro researchers explained, pointing out that the ransomware threat is similar to the rogue AV one.

Until now, most ransomware attacks could be traced back to two groups that seemingly divided targets among themselves according to country. They use separate affiliate programs, different payment schemes, and different ransomware variants.

"One of these groups uses server-side scripts to serve the appropriate images and scripts, depending on the user’s country," the researchers shared. "A second group uses a different technique. Here, the images and scripts are embedded in base64-encoded PHP code. The images and scripts are never downloaded separately, as they might be in the first case."

Still, both prefer getting paid via untraceable Ukash and paysafecard vouchers, which they promptly sell to exchange sites for half the price, and the circle ends when the exchanges sell those vouchers on for up to nine tenths of the original price.

But, as the researchers point out, new cybercriminal groups arrive on the scene all the time, and previously well-established schemes will likely change little by little, or be abandoned for new business models - it just remains to be seen which.