My father is being held for ransom

It’s the real-life fear of every experienced computer user – a family member calling up with the complaint: “I can’t use my computer anymore! All I see are strange messages and I can’t open ANYTHING!”

Yes, this situation really just happened to an Avira employee – and his father. Here is the story about what was done, not done, and why the FBI can be very, very wrong:

“All my father knew, as is typical in many cases, was that nothing worked,” said Andrei Petrus, Product Manager at Avira. “A lifetime of files, documents, and pictures were just not accessible – and that there were now strange characters added onto the file names.”


When Andrei was finally face-to-face with the problem, he saw an average desktop PC running on Windows Vista. Interestingly enough, the computer had an up-to-date antivirus program installed (not Avira though) but all shields had been turned off.

Viewing the ransom note

The bad news came immediately after Windows booted. The popup announcement made it clear that the computer was infected with a variant of the “Cryptolocker” ransomware, and that all files had been encrypted with a strong AES algorithm and were unusable. The strange characters added to the file names were a special ID that lets the cybercrooks identify which key should (probably) be sent to you after the ransom has been paid so you can get your files back.

The data recovery options were limited. Publicly available tools to brute-force the decryption did not work for this variant. “But, in the hope that a decryption tool would be someday available, I copied the files to a backup drive,” explained Andrei.

The only thing left to do was to start over: take the hard drive and reformat it, and once again install Windows. But this time, Avira AV was installed to prevent this event from reoccurring.

Playing the data ransom game

The FBI recommends paying the ransom. Avira does not. Here is why:
“Just for fun, I decided to contact the cybercrooks and play their game, finding out how much they are asking for a ransom and go through the whole process,” he explained. “And since I am representing my father – who is really not an IT geek – I tried to ask very basic questions about how to best transfer the bitcoins.”

“There was no reply back. I’m wondering whether this would’ve happened regardless of whether I had bought the bitcoins or not,” he said. “Still, shouldn’t they ask how I’d pay and guide me through the payment correctly, if I said I had done this and they didn’t receive the money?”


Ransoming files, at least for this variant of the ransomware, may not be a real option. “My belief is that they don’t help victims recover the files, regardless whether they pay or not,” stated Andrei. “I also think that the entire process – infection, mail communication – is automated. Maybe they’re enjoying a cocktail in Thailand.”

Four points to remember:

  1. Use Avira to protect against getting infected in the first place with this sort of nasty ransomware. If you use another AV, make sure it is fully operational.
  2. Be suspicious about emails, especially attachments to emails with catchy or sensational subject lines. Even with emails from friends, it is sometimes better to ask them personally “why did you send me that email?” instead of opening the attachment directly.
  3. Have a solid backup plan in place, ideally with a cloud service, as they offer file versioning and rollbacks. Using a spare HDD/SSD for a local backup is not enough, since the virus will encrypt the files in these locations too.
  4. Don’t count on a rescue or successfully ransoming your encrypted data.


As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.