The desktop background on the customer’s computer made me grimace: Scarlet letters on a grey-black screen read “Your files have been encrypted with RSA-2048 and AES-128 ciphers. Restoring your files is only possible with the private key and decrypt program, which is on our secret server.”
As the proprietor of a busy computer shop, I had seen messages like this several times before. I remembered the “FBI Virus,” which was so smart it accessed the computer’s web cam to display the customer’s picture in the middle of its “Wanted” banner. Then there was the infamous “Cryptolocker,” which had infiltrated a customer’s File Server and encrypted not only the data files on the machine, but also the backups that were stored on an attached external hard drive. Now, I was faced with the “Locky” variant of a “ransomware” virus, and I knew that there would be no recovering the information without paying for the key.
Although I already knew the answer, I asked the question anyway: “Do you have any sort of a backup?” After she answered in the negative, I conveyed the bad news: more than 22,000 files had been reduced to meaningless strings of random characters–years’ worth of family pictures, homework assignments, resumes, letters, recipes, even a Quicken data file. After we discussed the costs and the processes involved in recovering the information, my customer decided to pay the ransom and asked me to handle the matter for her.
A document on the infected computer gave instructions on how to pay the ransom, and said it would cost two bitcoins for the decryption program. “Bitcoin” is a crypto-currency: a digital payment system that runs without a bank and gives its users a degree of anonymity, which is why it is often used to purchase drugs and other illegal products. The instructions contained links to various sites where you can purchase bitcoins, as well as a “bitcoin address” where I could electronically deliver the bitcoins to the hackers.
The first step in purchasing the bitcoins was to set up an account with a bitcoin seller. I chose Coincafe.com, but there were plenty of others to choose from. At first, setting up the account seemed pretty straightforward: name, address, email address, phone number, etc. As I proceeded further, though, more was required: I had to scan and upload a clear picture of my driver’s license, and a copy of a utility bill that matched the address on the driver’s license. Then I had to upload a picture of me holding my driver’s license next to my face; it took several tries before I was able to capture an acceptable picture. Minutes later, I received an email that told me the utility bill I had sent them was too old, so I had to locate, scan and upload a more recent copy.
Finally, about eight hours after I started this process, I received an email that said my account was set up, and that I could now purchase bitcoins and add them to it.
Coin Café offered several ways to purchase the bitcoins, but a check or a credit card was not an option for me; the only viable choices were to mail cash or to send a wire transfer. The web site said that the cost of each bitcoin was $481.45, plus a $35.00 transaction fee. I cashed a check for $1,000, and following Coin Café’s instructions I uploaded a picture of the ten $100 bills next to the order form, stuffed the cash into the envelope, and drove up to the UPS Store to mail the payment.
The UPS next-day delivery did not make it to Coin Café by the requested morning delivery time, nor was it delivered in the afternoon. At that point I was certain that someone had surmised that there was cash in the envelope and had stolen it. Because FedEx won’t insure a cash delivery, that money would be lost forever.
Fortunately, before lunch time on the following day, I received an email that my payment had been received. Unfortunately, by this time the cost of a bitcoin had risen to almost $525.00, and instead of the two bitcoins I needed there were only 1.9280 bitcoins in my account. Frustrated, but a little more confident about the process, I cashed another check and overnighted the payment via Federal Express this time.
The morning after the cash was received I checked my account; I now owned 2.1270 bitcoins. I returned to the infected computer, ready to pay the ransom and begin decrypting the files. This was the step I dreaded most of all—I knew I had no guarantee that once my bitcoins were delivered the files would be decrypted, nor would there be any way to get my bitcoins back. I was also uncomfortable signing into the website of an obvious criminal, and running a program designed and delivered by the same people who had encrypted the files in the first place.
There were three links in the hackers’ instructions to the decryption website to choose from, but none of them would work! After more research I learned that I’d need to open the links in the Tor Browser, a web browser that routes its traffic through the Tor anonymity network, the same network that hosts that unsavory netherworld known as “The Dark Web.” Once I had downloaded and installed it, one of the links worked, and presented me with a message that read “We deliver to you a special software – Locky Decryptor ™” – complete with a trademark symbol at the end.
I signed into my Coin Café account, pasted the bitcoin address from the decryption site into the “Send Payment to” field, and waited. Fifteen minutes later, an email from Coin Café told me my payment had been delivered. Five minutes later, I refreshed my browser on the infected computer, and there was a link to the “Locky Decryptor” program. I downloaded and ran the program, and watched the screen as, one by one, the “Locky Decryptor” software restored almost 23,000 files to their original condition. After three days, almost $2,000 and considerable distress, my client had her files back.
There is no security software that can guarantee protection against Locky or other types of crimeware. This particular customer had become infected by opening a Word document that was attached to an email. When she allowed the document to run its “macro,” the macro downloaded and ran the actual ransomware, which then encrypted the data files on this computer and on any network shares it could reach from it. The macro itself is harmless-looking and easy to change, which is why a fresh copy can slip past antivirus scanners; the damage is done by the program it fetches. Not all ransomware is spread via email, however; compromised websites and malicious advertisements can also deliver viruses and crimeware without any attachment being opened.
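The infection chain above starts with an Office attachment that carries a VBA macro, so the first thing a mail gateway or a cautious user can check is whether an attachment contains a macro at all, regardless of what its file name claims. The following Python is an added example written for this page, not a tool from the original article: it looks inside the two Office container formats (the zip-based .docx/.docm family and the legacy OLE .doc format) for the parts that hold VBA code. The sample attachments are constructed in the script itself; the OLE check is a heuristic on the UTF-16 storage names Word uses, good enough for triage but not a substitute for a real parser such as oletools.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Compound File header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm ...) is a zip

# Directory-entry names inside a Compound File are stored as UTF-16LE. These two
# are the storage/stream names Word and Excel use for a VBA project; matching them
# in the raw bytes is a heuristic (a body text containing "Macros" in UTF-16 would
# also match), which is acceptable for a first-pass quarantine decision.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]


def ooxml_macro_parts(data: bytes) -> list:
    """Return the names of VBA project parts inside a zip-based Office file."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def classify_attachment(filename: str, data: bytes) -> tuple:
    """Return (has_macros, reason) for an attachment's raw bytes.

    The decision is made on content, not on the extension, so a .docm renamed
    to .docx, or a macro-bearing legacy .doc, is still caught. `filename` is
    only used for the report text."""
    if data.startswith(ZIP_MAGIC):
        parts = ooxml_macro_parts(data)
        if parts:
            return True, "%s: OOXML container carries VBA project (%s)" % (filename, ", ".join(parts))
        return False, "%s: OOXML container without VBA project" % filename
    if data.startswith(OLE_MAGIC):
        hits = [m.decode("utf-16-le") for m in OLE_VBA_MARKERS if m in data]
        if hits:
            return True, "%s: legacy OLE file with VBA storage names (%s)" % (filename, ", ".join(hits))
        return False, "%s: legacy OLE file without VBA storage names" % filename
    return False, "%s: not an Office container" % filename


# --- constructed sample attachments (not real malware; stand-ins for the example) ---

def build_ooxml(with_vba: bool) -> bytes:
    """Minimal zip that mimics the layout of a Word document, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00placeholder")  # constructed bytes
    return buf.getvalue()


def build_ole(with_vba: bool) -> bytes:
    """Bytes that start like a legacy .doc and optionally contain the VBA storage name."""
    body = OLE_MAGIC + b"\x00" * 504            # header sector padded to 512 bytes
    if with_vba:
        body += "Macros".encode("utf-16-le")    # what a VBA storage entry name looks like
    return body + b"\x00" * 64


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_ooxml(True),
        "invoice.docx": build_ooxml(True),      # macro file renamed to look harmless
        "letter.docx": build_ooxml(False),
        "report.doc": build_ole(True),
        "old_memo.doc": build_ole(False),
        "notes.txt": b"plain text, nothing to see here\n",
    }
    for name, data in samples.items():
        flagged, reason = classify_attachment(name, data)
        print("QUARANTINE" if flagged else "pass      ", reason)
```

In a gateway you would run `classify_attachment` over every attachment and quarantine anything flagged, rather than trusting the sender or the extension; the renamed `invoice.docx` in the sample is the case that extension-based filters miss.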
Your best protection against ransomware is to keep your firewall and security software turned on and up-to-date, realizing that this step will not provide total immunity. Keep Office macros disabled, and never click “Enable Content” on a document that arrived by email; that click is what started this customer’s infection. Be judicious about opening any email attachments, no matter what sort of file they appear to be. If you don’t know the sender, don’t open the attachment; if you do know the sender but the attachment appears suspicious, delete the email and let the sender know. Most important, if your files are valuable to you, back them up. An external hard drive works best, but disconnect it when the backup is done: as the Cryptolocker case above showed, a drive that stays attached is just another volume for the ransomware to encrypt. Google Drive, iCloud and other web-based storage options also help ensure that, if your computer is infected, all is not lost, but keep in mind that a sync client will faithfully upload the encrypted versions of your files, so you will be depending on the service’s version history to get the originals back. Whatever you use, restore a few files from it now and then to confirm the backup actually works.
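The backup advice above has a failure mode the Cryptolocker story illustrates: a backup job that runs on schedule will happily overwrite the last good copy with freshly encrypted files. The Python below is an added example for this page, not code from the original article or from any backup product; it shows a pre-backup check that compares the current files against the manifest of the previous run and refuses to proceed when too many changed files have turned into apparent ciphertext. Because photos and zip files are high-entropy too, the check first asks whether the bytes still match the signature the file name promises, and only falls back to an entropy test for unknown types. The file contents and the hash-based stand-in for ciphertext are constructed inline.

```python
import hashlib
import math
import os

# Byte signatures for a few common home-directory file types (constructed table; extend as needed).
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}
TEXT_EXTENSIONS = {".txt", ".csv", ".md", ".ini"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits near 8.0, English prose around 4 to 5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(name: str, data: bytes) -> bool:
    """True when the bytes no longer look like the type the file name promises.

    A JPEG or a .docx (a zip) is high-entropy by nature, so entropy alone would
    flag every family photo; the signature check keeps those out. Text files are
    judged by whether they still decode as UTF-8, and unknown extensions fall
    back to the entropy threshold."""
    ext = os.path.splitext(name)[1].lower()
    if ext in MAGIC:
        return not data.startswith(MAGIC[ext])
    if ext in TEXT_EXTENSIONS:
        try:
            data.decode("utf-8")
            return False
        except UnicodeDecodeError:
            return True
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def manifest(files: dict) -> dict:
    """Map file name -> SHA-256 of content; this is what the previous backup run stored."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def audit_backup(previous: dict, current: dict, max_suspect_fraction: float = 0.02) -> tuple:
    """Decide whether it is safe to overwrite the last backup with `current`.

    Returns (safe, suspects). A file is a suspect when it changed since the
    previous run (or is new) and now looks encrypted. If more than
    max_suspect_fraction of the tree is suspect, the job should stop and alert
    instead of copying ciphertext over the only good copy."""
    suspects = []
    for name, data in current.items():
        changed = previous.get(name) != hashlib.sha256(data).hexdigest()
        if changed and looks_encrypted(name, data):
            suspects.append(name)
    safe = len(suspects) <= max_suspect_fraction * max(len(current), 1)
    return safe, sorted(suspects)


# --- constructed sample data ---

def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext or a compressed payload (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


CLEAN_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + pseudo_random(4096, b"jpeg body"),   # high entropy but legitimate
    "resume.docx": b"PK\x03\x04" + pseudo_random(2048, b"zip body"),
    "recipe.txt": b"Preheat the oven to 180 C. Mix flour, butter and sugar.\n" * 20,
    "notes.txt": b"Call the shop about the backup drive.\n",
}
AFTER_ATTACK = {
    "photo.jpg": pseudo_random(4100, b"ciphertext 1"),      # overwritten in place with ciphertext
    "resume.docx": pseudo_random(2052, b"ciphertext 2"),
    "recipe.txt": pseudo_random(1160, b"ciphertext 3"),
    "notes.txt": CLEAN_FILES["notes.txt"] + b"Done.\n",     # an ordinary edit, not an attack
}

if __name__ == "__main__":
    previous = manifest(CLEAN_FILES)
    print("normal run:", audit_backup(previous, CLEAN_FILES))
    print("after attack:", audit_backup(previous, AFTER_ATTACK))
```

The check is deliberately conservative: one legitimately renamed or re-encoded file should not block a backup, which is what the fraction threshold is for, while a sudden wave of files that no longer match their own signatures is exactly the pattern a ransomware run produces and is worth a pause and a phone call.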