My Files Were Encrypted, And They Want A Ransom To Decrypt Them.
I knew something was dreadfully wrong when a window popped up asking me for permission to install a program. The problem was that I was not online yet. Something had accessed the internet and had attempted to download a program, but had failed. Then a second window popped up. And a third. I immediately pulled the internet cable. Then I pressed and held the power button until the computer shut off cold. I needed to run a virus scan. I started the PC up again, running the Task Manager to shut off any suspicious programs. Perhaps I should have thought of going to Safe Mode, but I had Malwarebytes, and Malwarebytes no longer functioned properly in Safe Mode. A design flaw in the latest version. When run in Windows XP, it increased the resolution of the dashboard during Safe Mode to the point where it was bigger than the screen. The button to scan for rootkits was off screen and could not be accessed. And I wanted to scan for rootkits.
Nothing unusual showed up in the Task Manager. I started up Malwarebytes. I decided I needed to reconnect the internet cable so I could update the virus scan database. If this was a new virus, I did not want the scan to miss it. A pop-up window informed me there was a newer version of Malwarebytes and prompted me to install it. I did. Then I ran the scan. About 30 seconds into the scan everything slowed down. A minute later Internet Explorer activated, and went directly to a website. Simultaneously a WordPad program activated, a text document program activated, and the Windows Picture and Fax Viewer activated. The picture, WordPad, text document, and website all had the same thing: a message explaining to me that my text, picture and video files were now all encrypted, that the key to decrypt them was on a secret server, and that if I wanted my files decrypted then I had to send them a ransom via bitcoin. Eventually Malwarebytes found and isolated the virus, CryptoWall. But by this time the damage was already done.
I don't need the computer geeks among you to explain how many mistakes I made. Not immediately backing up the files. Not running the virus scan first in Safe Mode. Not attempting to use System Restore. Reconnecting the computer to the internet. And the biggest mistake, clicking the button for the Malwarebytes update (more on that one later). These mistakes I figured out in the minutes following the final attack. The only thing I could do at that moment was back up the encrypted files and hope there was a way to decrypt them at a future time.
The earliest encryption ransomware, PC Cyborg, was launched in 1989. The virus encrypted the names of all the files on drive C, making the operating system unusable. The lone usable file was planted by the virus; it printed a message on the screen saying that the licensing on the software had expired, and that if the user wanted to extend the license then he would need to send a payment of $189 to the PC Cyborg Corporation in Panama. Unsuspecting victims assumed their operating system had expired, and mailed PC Cyborg payments for an extension. But there were some victims who knew operating systems did not expire, and contacted the authorities. It did not take long to trace the PC Cyborg Corporation to the single hacker pulling the scam, Dr. Joseph Popp. Popp claimed that he was using the money he collected for AIDS research, which is why the virus is best known as the AIDS Trojan. Perhaps the most interesting thing about the virus is how it was spread. The victims installed it from a disc they received in the mail. Popp got his hands on a medical mailing list and mailed everyone on the list a disc called "AIDS Information Introductory Diskette". Unknown to those who ran the disc, it installed a program that counted the number of times the victim started his computer, activating the virus on the 90th start-up after it was installed, which made it harder to identify where the infection had come from.
Once the AIDS Trojan was identified, security experts began to theorize on how much worse crypto viruses could get. They soon realized not only that it was possible to send a trojan via the internet, but in 1996 experts Adam L. Young and Moti Yung were able to create a proof-of-concept virus that used public key cryptography, encrypting a file in a way where only the attacker held the decryption key. The fear of encryption viruses being used for extortion came to pass in 2005 when the first of these viruses was identified, soon to be followed by a rash of encryption viruses in 2006.
Encryption goes back to the beginning of written language. The letters in messages were scrambled, and a "key" was needed to unscramble them. A typical example of this would be the key 123, meaning the first letter in the message would be offset by one, the second letter by two, the third letter by three, and then the fourth letter by one again, the fifth letter by two, and so on. For example, the emperor sending the general of his army the encoded scroll "Bvwben Hthfeh" could only be read if the general knew the key was 123. If the enemy intercepted the courier, the message could not be read. Encrypting data on a computer works the same way. The contents of any file can be encrypted the same as words on paper, and require a key for decryption. However, encryption can be broken. A key of 123 could be broken in a split second. A decryption program would simply try every possible key until the output could be read, and with a three-digit key this would take seconds. But the longer the key, the harder the decryption. The earlier encryption ransomware could be broken within a few hours. A simple program could be downloaded that took a sample of an encrypted file and discovered the key by the end of the day, making it possible to instantly decrypt all the other affected files.
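The repeating-key shift cipher described above, with the brute-force key search the paragraph mentions, as an added example that is not part of the original article. The key 123 is represented as the tuple (1, 2, 3); the crib word "Attack" is my assumption for how a program decides that the output "could be read".

```python
# Added example, not from the original article: the repeating-key shift cipher
# the article describes (key 123 shifts letters by 1, 2, 3, 1, 2, 3, ...) and
# the brute-force search it mentions. Only letters are shifted; spaces and
# punctuation pass through unchanged.
from itertools import product


def shift_letter(ch, n):
    """Shift one ASCII letter by n places, wrapping around and keeping its
    case; anything that is not a letter is returned unchanged."""
    if ch.isupper():
        return chr((ord(ch) - ord("A") + n) % 26 + ord("A"))
    if ch.islower():
        return chr((ord(ch) - ord("a") + n) % 26 + ord("a"))
    return ch


def transform(text, key, direction):
    """Apply the repeating key to each letter in turn (direction +1 encrypts,
    -1 decrypts). The key position advances only on letters, so (1, 2, 3)
    gives shifts 1,2,3,1,2,3 for "Attack" and starts again at 1 for "Greece",
    which is what makes the article's scroll "Bvwben Hthfeh" decode cleanly."""
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            out.append(shift_letter(ch, direction * key[i % len(key)]))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key):
    return transform(plaintext, key, +1)


def decrypt(ciphertext, key):
    return transform(ciphertext, key, -1)


def key_space(key_len):
    """Candidate keys a brute-force search must cover when each position can
    be any of 26 shifts: 26 ** key_len. Every extra position multiplies the
    work by 26, which is the article's point that longer keys are harder."""
    return 26 ** key_len


def brute_force(ciphertext, key_len, crib):
    """Try every key of key_len shifts (0..25 each) and return the first one
    whose decryption contains the crib, plus how many keys were tried.
    The crib (a word assumed to be in the plaintext) is how the program
    decides the output "could be read"; without one it would have to score
    candidates by letter frequency instead."""
    tried = 0
    for key in product(range(26), repeat=key_len):
        tried += 1
        if crib.lower() in decrypt(ciphertext, key).lower():
            return key, tried
    return None, tried


if __name__ == "__main__":
    scroll = "Bvwben Hthfeh"  # the article's example ciphertext
    print(decrypt(scroll, (1, 2, 3)))        # Attack Greece
    print(brute_force(scroll, 3, "Attack"))  # ((1, 2, 3), 732)
    print(key_space(3), key_space(16))       # 17576 keys versus 26**16
```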
New variants of encryption ransomware continued to pop up. However, the preferred ransomware virus did not encrypt the computer but locked it, then displayed a message claiming the computer had been locked by the FBI or some other agency. The owner was told that either pirated media or child pornography had been detected on their computer, and the owner was expected to pay a fine via online payment. If the fine was paid then the computer would be unlocked, but if the fine was not paid then further legal action would be taken, including the owner being arrested and his entire house searched. This ransomware played on the fears of the owner. Even if he had never downloaded pirated media or child pornography, there was always the fear that something he thought he had legally downloaded did fall into those categories. Could those downloaded pictures of that 20-something model have actually been a 16-year-old girl? Was that free sample song from a fan site actually pirated? And is it possible another family member or a friend who borrowed the computer had used it to download child porn or pirated music? And, of course, there were plenty of computer owners who did download pirated media or child porn, and did not want to get arrested for it. One computer owner who did have child porn on his computer was so convinced the ransomware was real that he turned himself in to the FBI. It seemed that the FBI scam was more profitable.
That changed when Cryptolocker showed up in 2013, encrypting victims' movie, picture and document files, and demanding payment in return for the key. Cryptolocker used encryption so strong that even the most advanced supercomputer could spend months trying to break it. Cryptolocker was first detected September 5, 2013, and in the next 8 months it is estimated that over $27 million in payments were made by victims. Cryptolocker had done so much damage that an international collaboration between law enforcement agencies and almost all the computer security companies was initiated. Called Operation Tovar, it included Europol, the FBI, the U.K.'s National Crime Agency, the Australian Federal Police, as well as police agencies from South Africa, the Netherlands, Japan, Luxembourg, France, Italy, New Zealand, Canada, Ukraine and Germany. Supporting the operation were Trend Micro, Microsoft, McAfee, Dell, Level 3 Communications, Shadowserver, and at least twenty other security companies. In May of 2014 Operation Tovar isolated the source of the virus, shutting down the Gameover ZeuS botnet by June that year. Russian hacker Evgeniy Bogachev was arrested and charged with being the leader of the Gameover ZeuS gang. Other gang members were rounded up. The server where the ransom keys were stored was recovered, and the keys were distributed to many of the victims.
Cryptolocker may have resulted in the Gameover ZeuS gang being locked up, which should have been a deterrent to other hackers attempting the same thing, but it made nearly $30 million in ransoms in less than a year. Greed outweighed the risk of imprisonment. Hackers worldwide began launching their own encryption ransomware. Many did little damage before being caught, or had encryptions that could easily be broken. A few viruses, such as Cryptolocker.F and Torrentlocker did a lot of damage. But the worst encryption ransomware was yet to come.
The first known appearance of Cryptowall was in September of 2014, when e-mails were sent to all residents of Australia purporting to be from various government agencies. A typical e-mail would claim to be from the post office, and claim that they were holding a package, enticing the victim to click what was supposed to be a link to confirm their address if they wanted the package to be delivered. Cryptowall did not stop there. In the months to follow it spread across the globe. And unlike ransomware of the past, where the hacker simply sent out a single variation and allowed it to spread on its own, the hackers behind Cryptowall used strategy to spread their virus, and regularly updated it to prevent security companies from either finding a way to decrypt files or blocking the virus from infecting computers. The variant that attacked my computer was Cryptowall 3.0.
It was discovered the hackers behind Cryptowall would target companies by sending infected e-mails at specific times of day, usually in the morning when everyone had just got to work. This would be the time of day when most workers would be using their computers to catch up on their e-mails, giving time for at least one to be careless and click the attached virus before someone reported a suspicious e-mail and an alert was sent out to everyone to delete it. Once someone clicked the attachment, Cryptowall was activated, and was able to infect the entire computer network, encrypting every file in the company, including documents vital to the operation of the company, forcing an immediate payment of the ransom. As of November 1, 2015 it has been estimated that Cryptowall has earned at least $325 million.
So how did I get Cryptowall? I have been increasingly cautious, to the point of paranoid, over the past few years, thanks to being attacked by many devastating viruses. I do not read e-mails unless it is something I was expecting, like a link for a refund. The account my friends and family sent me e-mails to is long dead, and I have told them I was not giving out my new e-mail address, and if they wanted to contact me then it would be by regular mail, text (to my mobile phone only, which is in no way connected to my computer), or by phone call if very important. Whenever I am alerted that a program needs to be updated, I ignore it. I still have the same version of Ashampoo I downloaded five years ago even though every few months it tells me a newer, more improved version exists. Adobe updates have been ignored for the past two years. When I am told Windows wants to install an update, I visit the Microsoft update site and get it from there. I am very wary about visiting new websites, especially ones from foreign countries. When I have no choice but to do this, I always end the day with a five hour minimum virus scan with all the works.
Two days before the Cryptowall attack, I had done a virus scan and had a clean bill of health. Malwarebytes already had Cryptowall 3.0 in their database, so if I was infected then it would have been caught. I did not have any reason to visit my e-mail account at all. I had visited very few websites, and all were trusted sites like Wikipedia. I had no need to upload any files, programs, or updates, or to use any torrents, and had not visited any torrent site. And I certainly did not play any strange discs I got in the mail. So how did I get Cryptowall? In the past few weeks security experts were trying to answer the same question, as thousands claimed they were just as careful as I was and were still infected.
It was discovered that some sites were compromised. Hackers had gained administrative access to the sites and embedded a redirect to a web page on their own site that looked exactly the same as the page from the hacked site. But these were only the sites that were detected. It was discovered the hackers would only keep the redirect up for a short period, then remove all evidence of the hack, then put the redirect back for a few more hours on another day, making it hard for security experts to identify which websites were hit. Worse, most websites refuse to admit when they have been hacked. It is bad for business. Even if the vulnerability the hackers used to gain access has been fixed, the stigma is still there, and traffic drops off. Who wants to visit a website that had once dispensed viruses? To date, only one Chinese website has admitted being hacked with Cryptowall 3.0.
But even worse, it was discovered that at least one company that distributed banners had been compromised. Banners are those skinny animated advertisements you see at the top, bottom and sides of webpages. They can advertise anything from the latest Bond film to a dating site that notifies you that a hot Russian girl is living in your neighborhood. Hackers were able to embed the virus into these banners, which in turn put their virus on any website that displayed them. I could have gotten this virus from IMDb, Yahoo or any other site that has banners. This is why, beginning in August, there has been a 25% rise in Cryptowall infections.
A security expert I talked to wondered if the virus had found a new way to spread. He thinks the windows popping up on my computer asking me to download a strange program were a Cryptowall link. If I had clicked anything on the window, Yes, No or even the X, then I would be infected. He even suspects that the window announcing the Malwarebytes update was in reality a window generated by Cryptowall. Had I not tried to update Malwarebytes before the scan, I might have caught Cryptowall before it did any damage.
The next question, of course, is how to get my files back. I am not going to pay any ransom. While it is bothersome that I lost my files, there is nothing I have lost which is worth $100 in ransom to retrieve. All the lost picture files and video files can be redownloaded from the sites I got them from, that is, if I really do want them back. The text files are the major concern. Articles I had been working on, some for months. Mind you, I can look at the title of an encrypted Word document and rewrite most of the article. It is not entirely lost. The backup is in my brain. But that still means a lot of back checking and typing for a second time around. Others have had it worse. The only copies of financial records, articles or work that needed to be handed in by the end of the day, videos and pictures of family that for some reason were stored on the PC with no backup anywhere. Companies that specialize in wedding videos having a month's worth of work encrypted. The list goes on and on. Files many find too important to lose. For them, there is no choice but to pay the ransom.
But is it possible to decrypt my files without paying the ransom? Just in case, I backed up all my encrypted files. Next I asked the experts. Any encryption can be broken. But the stronger the encryption, the harder it is to break. The experts tell me that indeed my files could be decrypted without paying for the key. The problem is that first I need a supercomputer. Something like the FBI uses to decrypt files recovered from suspects' computers. And then, expect that decryption program to run anywhere from a week to two years before the files are decrypted. This is why the experts say decryption is unfeasible. Even if I was to buy an off the shelf, top of the line home PC, load it with just the latest decryption program, and let it run, it could take decades before it finds the key.
But not to worry. All is not hopeless. Another Operation Tovar could bring down the gang behind Cryptowall. Odds are that the crime ring behind the virus could all be in jail by this time next year. The smart thing should be for them to take the money and run while they are ahead. But since they continue to spread and update Cryptowall, they have a hubris that they can never be caught, or at least assume they live in a jurisdiction where they cannot be extradited. Experts say this hubris is what gets most hackers caught. And once they are, the servers with the keys still intact become a negotiating chip for a reduced sentence. With any luck, all the Cryptolocker keys will be made public within one or two years. And even though they could range in the hundreds of thousands, it would still allow for decryption within a few hours' time. The site that would really make a fortune would be the one that offers to decrypt the files.
Can't wait that long. There are dozens of programs on the market claiming to be able to decrypt your files. Experts warn these are all scams, or only have the Cryptolocker keys in their database. Still, some programmers are working on promising programs that could get your files decrypted without having to go through years of decryption. One program being designed allows you to take one encrypted file and the same unencrypted file you have stored in backup, and compare them. An analysis then comes up with a few hundred possible keys and tries them all until the encrypted file is decrypted. Once this happens, the program is then ready to decrypt all the rest of your files. Other decryption programs are in the works as I write this. The programmer who is able to come up with a decryption program could end up very rich.
But it seems that the hackers behind Cryptowall are way ahead of them. This past week Cryptowall 4.0 was detected. This time it also encrypts the name of your file, making comparison almost impossible. It is also able to disable just about any protection your computer has, shreds any security program, and spreads out into all your accounts to find and delete files you may have stored online.
Experts say the only defense at the moment is to back up files on an hourly basis, or at the least, back up whatever you find important. The backup needs to be isolated from your computer. That means if it is on a flash drive then the drive needs to be immediately removed after the backup. If on a disc, then the disc needs to be removed from the tray. They suggest rotating the backup storage, so that you have more than one flash drive as backup. That way if Cryptowall hits while you are copying files to the flash drive, then there is still a second one untouched. They say this was supposed to be the reality even before Cryptolocker showed up. Outside of ransomware there were a multitude of viruses that simply crashed your PC, destroying files in the process. "Backup often" has always been one of the security companies' mottos. The problem is, we have become too lazy to do this. Perhaps this is why so many people have complained that Cryptowall had encrypted their irreplaceable family photos. Why were they being stored on your PC in the first place, and not transferred to a disc or printed out onto photo paper? I am also guilty of not backing up files. Earlier this year I lost files from another virus, and then vowed to from that point on back up every article. But I never got around to doing that. As I write this, I have a few days' worth of articles since Cryptowall destroyed my last batch that I have not bothered to back up. This hub took a couple of days to write, and has never been backed up, not even on Hub Pages. It is this laziness that has made Cryptowall and other ransomware so profitable. Ransoms would not be paid if the files were safe elsewhere.