Ransom Note Virus

Here is a public service announcement from my friend Gary Smith. He had a serious virus attack on the computer systems at his office this week. The virus is a new type called a “ransom virus”. If you have not heard of this new type of virus, you likely soon will (since it is probably coming to a computer near you).

The ransom virus is exactly what you might guess: A bad guy steals your valuable computer files (pictures, letters, …) and then demands a payment for their return. If you do not meet his demands, you will never see your loved files again. Here is a bit more detail on how they actually pull off this crime:


1.    The bad guy creates a computer virus that can be delivered to your computer via an email or a web site you might visit.

2.    Once the virus is inside your computer it encrypts every data file it can find (data files include your photo files, video files, Word documents, Excel documents, etc.). When a file is encrypted it is locked tighter than a drum unless you have the password to unlock it. The only person with the password is the bad guy.

3.    The password (sometimes called the key) is not your grandmother’s password. These passwords are very long and complex (think of a full page of random text and you will have an idea of what one of these passwords looks like).

4.    So if your plan is to guess the password, you might want to get comfortable because it will likely take you one to two million years to guess it correctly (assuming you have access to a supercomputer that can make about a million guesses a second).

5.    After your files are locked, the virus uses your computer to post a ransom note to you.

6.    The ransom note will explain that your files have been taken hostage. The note will go on to explain that you have so many hours to pay them via an online payment or the password will be destroyed (the typical time frames they give are in the 48 to 60 hour range to come up with the cash).

7.    Even if you break down and pay the ransom, you have to trust that the bad guy can supply you with the correct password and a valid decryption program to unlock your files (reverse the encryption process). There are many stories of people paying the ransom but receiving a decryption program that fails (in other words, this bad guy may have created a virus that was good enough to scramble your files, but their skills may not be good enough to write software that will unscramble your files).

The bad guys hide behind layers of Internet fog, so calling your local police station (or Bruce Willis or Liam Neeson) is not going to help. There will be no army of police officers hanging out in your home waiting for the phone to ring so they can listen in on the call with the hostage takers. Nor will there be the delivery of a suitcase of cash to a secret drop-off location. These bad guys request payment via Bitcoin (or something similar), which is a new non-traceable electronic form of payment (count your small blessings that at least you are not asked for your Visa card number). The extortion demands can be as small as one or two hundred dollars, but of course they go up from there. Like any good capitalists, they will learn over time what the market can handle in setting their price for unlocking your files. You will receive no hostage note created by pasting letters cut from an old newspaper. They will simply post an electronic message to you on your own computer with what they have done and what they want (see the bottom of this email for real examples of ransom virus extortion notes).


If you are thinking this virus only attacks corporate servers (like ours was attacked) you would be wrong! The exact virus that locked up our server files could lock up your home computer files (it is an equal opportunity program). Our virus started at the PC level and was able to find shared server folders that, from the PC’s perspective, looked like a thumb drive or external USB hard drive.

In the past most viruses were largely just a pain. Some were created by mischief-seeking teenagers or hackers who just wanted to create a mess for the sport of it (i.e. kind of like if Justin Bieber egged your home … a real mess, but it can be cleaned up). These nuisance viruses often caused your computer to slow down or certain programs to stop working. Other viruses were more serious, but often they could be removed with virus removal software or, worst case, you had to rebuild your computer.


This new ransom virus type is much nastier than the typical old virus because … 

1.    It can destroy something more valuable than your computer: your photos and data files.

2.    The financial incentive for the bad guys is so large they will be relentless.

3.    Because the financial rewards are high the bad guys will be able to fund development of new variants of the virus (that are more effective). 

At my office we were able to fully recover from this virus attack; however, we had invested a lot of money in dedicated advanced backup systems. No home setup would ever have this type of backup system. For more technical details on our ransom virus experience see the bottom of this email (bonus material) in a section labeled “OUR INSIDE STORY WITH THE RANSOM VIRUS … “.

By this point of this painfully long email, you should be getting the idea that I strongly recommend that you harden your home computers against this type of virus attack.



Two simple steps will protect your home PC … 

1.    Backup your Data Regularly

The best way to back up most systems is with an online cloud-based backup service (like Carbonite or Mozy). The advantage of this type of system is that the backups are automatic and continuous and the storage is outside your home. The disadvantage of this type of cloud backup solution is the monthly fee (fees are typically about $5 to $15 a month depending on how much data you have).

If you are cheap (like me) or have too much data to back up online (like me), then you should use something like an external USB hard drive for your backups. I recently bought one of these external hard drives for about $60 that had enough storage to back up anyone’s computer (and it was small enough to fit in my pocket). If you use an external device to back up your files you have to ensure the virus cannot find your backed-up files when (and if) it attacks. For this reason, I suggest turning off (or disconnecting) your external backup storage devices when they are not in the process of backing up your files.

2.    Confirm Your Antivirus Software is Working Correctly (or if you do not have this software, quickly install some)

Make sure your antivirus software is installed and running (and up-to-date). Here are some tips on how to check these items:

CONFIRM SOFTWARE IS INSTALLED -- To confirm your Windows computer has antivirus software installed on it, go to the Start → Program list and see if you can spot your antivirus program. There are dozens of makers of this software, but in case you do not know the name of your own antivirus software it may be one of these: McAfee, Norton, AVAST, AVG, Bitdefender, Kaspersky, Avira, Ad-Aware, Microsoft Security Essentials, Panda, and Webroot.

CONFIRM SOFTWARE IS RUNNING -- Just having software installed on your system is not enough to protect your computer. The antivirus software must always be running and fully up-to-date to be effective. Some antivirus software has an annual license fee required for it to keep working correctly, so it is easy to lose track of this, have your subscription lapse and thus lose the use of this software. The best way to see if your antivirus software is running (not just installed) is to look for its icon in the Windows System Tray (the System Tray can be found on the bottom right corner of your computer screen by the clock). You may have to click an up or down arrow in the tray by the clock to see the antivirus icons. If you can spot the icon, double click on it and it should open and tell you if it is up-to-date and running OK. If you cannot find it, or there seems to be a problem with it not being up-to-date, then determine how to get it working again.

HOW TO GET FREE ANTIVIRUS SOFTWARE -- If you have no antivirus software (or you want to move to free software), I suggest installing “AVAST Essentials” (there are other free packages that are also very good, but I have no experience with them). I have used the free AVAST antivirus software for many years and it has always worked well. The review site, CNET.com, gave AVAST Essentials 4.5 stars out of 5. Over 26,000 users gave it almost 5 out of 5 (per CNET.com). AVAST Essentials has been downloaded more than 290 million times from the CNET web site www.Download.com (so you will not be the first person to try it). AVAST makes their money by having people upgrade to their paid versions or paying for their add-on software products (examples: AVAST Internet Security; or AVAST Premier). You do not need these AVAST paid services to protect your computer, so if you are installing AVAST and you are asked for your credit card number, stop and start over again (because you have picked one of their paid services). See the section in the BONUS section below labeled HOW TO INSTALL FREE ANTIVIRUS SOFTWARE if you want further assistance with their antivirus software.

If you have read this far, you are likely one in a hundred, so congratulations. If you are a true masochist, you will read more on this topic below, including: “How to install free antivirus software on your home computer”; or “The details of how this virus got around our antivirus software”; or “How we recovered our files without paying the ransom”;  or “Some real examples of ransom notes”.  If after reading this “Bonus Material”, you still feel the need for more information on this topic, then … 

a.    I have provided some links below of articles on the ransom virus; and

b.    You may need some psychological counselling, so see me for recommendations.




HOW TO INSTALL FREE ANTIVIRUS SOFTWARE

The following steps will guide you through how to install the AVAST Essentials software:

1.    If you have old antivirus software on your computer, uninstall it. 

2.    Go to www.download.com and, using the search bar, search on “avast”. You should have a list of results from your search, so look for “Avast Free Antivirus 2014”. It should show over 294,000,000 Total Downloads and should look something like this:


3.    Follow their downloading and installation instructions.

4.    If you install or use AVAST and they ask you for your credit card, you have likely strayed into using one of their paid versions (with the free version there is never a need to give your credit card). If so, go to step 1 above and retry.

5.    Once you have fully installed the free AVAST software, you will be asked to register it with AVAST. This registration only consists of giving them your email address (and they do not even confirm that this email is “real”). If you do not register, the product will stop working after a while, so do not skip this step.

6.    After it is installed they will ask you if you want to try other programs they offer. This request may take place via a pop-up box (in which case just hit the X in the top right corner to close it).

7.    When the program finishes setting up, it will give you daily audio updates in a woman’s voice, including messages like “Your daily avast update is complete”. These can get a bit tiring after a while, so I suggest going into the avast settings and turning them off.


OUR INSIDE STORY WITH THE RANSOM VIRUS …

This section tells the inside story of how the virus infected our servers and some problems we had in the recovery of our files. This section is more technical than you need to know for your home PC protection, but is provided for the curious, or for readers who might have a similar office network or backup system and want to learn from our experience.


This ransom virus most likely came into our system via an email. The question we had was how the virus got around our Kaspersky server-based antivirus software. Our best guess was as follows:

1.    We had a new employee so a new PC was set up in our lab with all our standard software including our Kaspersky antivirus software.

2.    After this setup was done, but before we connected the new PC to our network, a “patch” was sent out by Kaspersky. Since the new PC was offline, it did not receive the patch.

3.    When the new PC was introduced into our network, we assumed that the server would push down all new updates and patches. However, these updates did not occur fast enough, because the PC was infected soon after we introduced it to the main network.

Our new procedure will be to force all updates of the antivirus software when a new PC is installed in the network (regardless of the full install done in the lab previously).


We purchased a new backup system from Dell at the end of 2012. This hardware and software system works by providing an instant (incremental) backup of any file that is edited or altered in our system. It then keeps multiple versions of the edited or altered file, giving you the ability to restore one version back, two versions back, etc. So even if you edited a file 5 minutes before the virus encrypted it, we could recover the version from after that last edit. All these backups take place silently in the background.

Though this is a powerful backup system, it did lead to an interesting dilemma when trying to do the restore after the ransom virus attack, for reasons such as these:

1.    As the virus encrypted and locked our files up, our backup system backed up the encrypted files.

2.    After a file was encrypted by the virus, the last-edited date of the file was not changed. Thus it was impossible to look at a folder of files and tell which files had been encrypted and which ones were untouched unless you manually tried to open each file.

3.    We stopped the virus when it was about halfway through locking up the hundreds of thousands of files on our servers.

These facts resulted in some complications in the restore of our system because, inside the backup system, some of the most recent backed-up file sets were of encrypted files (all files that were encrypted were backed up), while others that were not encrypted (because we killed the virus before it had finished encrypting all files) were not the most recent edit (and thus could be a year old).

To solve this dilemma we had to use a utility (that did not work well) that searched for the encrypted files so we could selectively restore the correct version (this part of the story was actually much more complicated and time consuming than my oversimplification implies).


Articles on the Topic of the family of Ransom Viruses:

1.    http://www.theguardian.com/money/2013/oct/19/cryptolocker-attacks-computer-ransomeware

2.    http://en.wikipedia.org/wiki/CryptoLocker

3.    http://www.bizjournals.com/washington/blog/techflash/2013/11/the-cryptolocker-virus-local-chamber.html

4.    http://www.pcadvisor.co.uk/features/security/3491195/how-protect-yourself-from-cryptolocker-attack/
