Time to Pay the Cryptolocker Ransom: All in a Day’s Work?
The day started out like any other, with coffee and a calendar full of the usual tasks. However, it soon became evident that the next 24 hours – which would culminate in a ransom payment – would be anything but routine. Yes, contrary to the stereotype of the computer geek staring at a screen all day, the life of a Senior Systems Engineer can sometimes be an adventure … especially in a world where cybercriminals are able to deploy malicious software designed to make a company pay up or lose all it holds dear. For this client, that meant months of data.

The adventure began when a client (we’ll call them Client X) called to report that no one on their team could open their billing system. We logged in to discover that the program wasn’t running properly on the server, so we reached out to the billing vendor. What we heard was something you never want to hear: “It looks like all these files have been corrupted.” When the tech tried to restore the files from the backup, it turned out that the backups didn’t exist. More unsettling news.

Meanwhile, a user at Client X’s office said he was getting strange pop-ups on his computer. So another tech set out to troubleshoot THAT issue, and found out that the machine was infected with a virus – which was soon determined to be Cryptolocker – a malicious program that runs on an infected computer and encrypts all the files it can get its hands on. The only way to get such files unencrypted is for the user to pay a ransom; the alternative is for the targeted business to live with the loss. We now knew what was corrupting Client X’s billing system; the only question was whether they could live with the loss. The answer was no, so together we determined that the only thing to do was to pay the ransom.

That sent me on a quest to obtain BitCoin, an anonymous online currency (read more here: http://www.network-support.com/bitcoin-and-paying-ransom-to-cyber-criminals/) that is available through online BitCoin exchanges. An added challenge was to obtain BitCoin quickly enough both to meet the criminal organization’s demands and to get the business operating again ASAP. Because our client is in New York, we actually had access to one of the few BitCoin ATMs around, in Brooklyn. After establishing an account – which involved my sending a photograph of myself holding a photo ID, like something out of a spy movie – I jumped in a car with only an address and the ransom money I was to exchange for BitCoin. Relying on Google Maps, I found the building in which the ATM was purportedly located, which turned out to be a workshare space. In the middle of the workshare space was an old-style phone booth, and in it was the ATM: a small Android-based device with a slot in which to feed cash, like a vending machine! Very odd, indeed. The strangest part was that there was no CoinCafe storefront or employees, just this random device into which to feed $100 bills. After figuring out how to interface with the machine, I made the payment, and a colleague was able to remote into the infected machine to pay the ransom with the BitCoin I had just deposited. And, within just a short time, all of Client X’s data was restored.

Posted in Blog Posts, Security