Ransomware warning

This is a warning to all those who read my website.

Ransomware is on the prowl again.

Make sure your backups are in good working order.

I have personally encountered ransomware and, thankfully, my client, a sizable company that was a victim, followed my backup procedures and things were back to normal after about 4 hours.

Ransomware is malware which encrypts certain targeted files on your hard disk or network drives, e.g. MS Word and MS Excel documents, Adobe PDFs, JPEG images, etc.
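As an added example that is not part of the original post, the following Python script implements the backup check the post recommends: it records a SHA-256 manifest of a backup set and later verifies it, reporting files that are missing, files whose content changed, and new files that show the two signs described above (content that looks encrypted, i.e. high entropy, or a document extension with an extra suffix tacked on). The file names, the 7.5 bits-per-byte entropy threshold and the constructed sample files are assumptions made for the demonstration.

```python
"""Backup integrity check: SHA-256 manifest plus an entropy heuristic.

Added example, not code from the original post. The threshold, the file
names and the constructed sample data are assumptions for the demo.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# File types the post names as typical ransomware targets.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Office files and text sit well below 7.5; encrypted
    output is close to the 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under root, keyed by relative path.
    Run this when the backup is taken and store the manifest off the host."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the backup tree against its manifest.

    ok         -> unchanged files
    missing    -> manifest entries that no longer exist
    changed    -> files whose hash differs from the manifest
    suspicious -> (path, reason) for files absent from the manifest that
                  look encrypted or carry an appended suffix
    """
    result = {"ok": [], "missing": [], "changed": [], "suspicious": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        if rel in manifest:
            continue
        suffixes = p.suffixes
        if shannon_entropy(p.read_bytes()) >= entropy_threshold:
            result["suspicious"].append((rel, "high-entropy content"))
        elif len(suffixes) > 1 and suffixes[-2].lower() in TARGET_EXTENSIONS:
            result["suspicious"].append((rel, "extra suffix after document extension"))
    return result


def backup_is_healthy(result: dict) -> bool:
    return not (result["missing"] or result["changed"] or result["suspicious"])


def demo() -> dict:
    """Constructed scenario: a small backup set, its manifest, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.docx").write_bytes(b"Quarterly report. " * 200)
        (root / "budget.xlsx").write_bytes(b"Q1,1000\nQ2,1200\n" * 100)
        (root / "photo.jpg").write_bytes(b"\xff\xd8JFIF" + b"\x00\x10" * 500)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Constructed damage of the kind the post describes: one document is
        # replaced by random bytes under a new name, one is overwritten.
        (root / "report.docx").unlink()
        (root / "report.docx.locked").write_bytes(os.urandom(4096))
        (root / "budget.xlsx").write_bytes(b"altered")
        after = verify_backup(root, manifest)
        return {"clean": clean, "after": after}


if __name__ == "__main__":
    outcome = demo()
    print("clean backup healthy:", backup_is_healthy(outcome["clean"]))
    print("after tampering:", outcome["after"])
```

Run the verification from a machine that mounts the backup media read-only, and keep the manifest somewhere the backed-up host cannot write to, otherwise the same infection that encrypts the files can also rewrite the manifest. The entropy heuristic flags legitimately compressed or encrypted archives (zip, 7z, encrypted PDFs), so exclude those paths or raise the threshold for them rather than ignoring the alert wholesale.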

Typically, a victim is tricked into clicking on a link in an email.

The link may look very similar to something the victim is familiar with, e.g. a postal service like Australia Post, a courier service like UPS, or an energy utility like Sydney Water or Energy Australia. All the logos are taken from the official websites and even the domain names may appear to be very similar.

There will be instructions on the webpage to click on other links or to do something, and then the trouble starts 🙁

The speed at which the victim’s files are encrypted is quite amazing – it can take just a minute or so to render valuable files unusable.

Sometimes a taunting message appears, by which time it is all too late for the victim to do anything.

[Image] Example of a ransomware screen, in this case from CryptoLocker.

The message will usually tell the victim that his/her files have been hijacked and that the only way to retrieve those files is to pay a “ransom”, hence the name ransomware.

The ransom is usually paid to a bank account outside the reach of most jurisdictions.

Consider yourself warned.



Crypto e-mail service pays $6,000 ransom, gets taken out by DDoS anyway

Follow-on attacks show capabilities “commonly possessed by state-sponsored actors.”

A provider of end-to-end encrypted e-mail said it paid a ransom of almost $6,000 to stop highly advanced denial-of-service attacks that knocked its networks, and the networks of some of its upstream providers, offline.

In a blog post published Thursday, officials of Switzerland-based ProtonMail said they “grudgingly agreed” to pay 15 bitcoins, which at current valuations came to about $5,850, to the attackers in exchange for them halting the assault. Even after paying the sum, however, crippling attacks continued, although at the time the blog post was being written, they had subsided. The ransom payment is generating protest from critics who say it will only encourage more attacks. ProtonMail officials wrote:

We hoped that by paying, we could spare the other companies impacted by the attack against us, but the attacks continued nevertheless. Attacks against infrastructure continued throughout the evening and in order to keep other customers online, our ISP was forced to stop announcing our IP range, effectively taking us offline. The attack disrupted traffic across the ISP’s entire network and got so serious that the criminals who extorted us previously even found it necessary to write us to deny responsibility for the second attack.

The campaign began shortly after midnight on Tuesday, when ProtonMail received an extortion e-mail from a group of criminals said to be responsible for a string of DDoS attacks across Switzerland over the past few weeks. The message was soon followed by a distributed denial-of-service attack that lasted for about 15 minutes. The attack resumed at 11am the same day and was already showing “an unprecedented level of sophistication.” By 2pm, the flood of junk traffic reached volumes of 100 gigabits per second and began targeting ProtonMail’s datacenter and upstream providers, including routers in Zurich, Frankfurt, and other locations where the ISP has nodes.

“This coordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just ProtonMail.”

The blog post went on to say:

Through MELANI (a division of the Swiss federal government), we exchanged information with other companies who have also been attacked and made a few discoveries. First, the attack against ProtonMail can be divided into two stages. The first stage is the volumetric attack which was targeting just our IP addresses. The second stage is the more complex attack which targeted weak points in the infrastructure of our ISPs. This second phase has not been observed in any other recent attacks on Swiss companies and was technically much more sophisticated. This means that ProtonMail is likely under attack by two separate groups, with the second attackers exhibiting capabilities more commonly possessed by state-sponsored actors. It also shows that the second attackers were not afraid of causing massive collateral damage in order to get at us.

At present, ProtonMail’s infrastructure is still vulnerable to attacks of this magnitude, but we have a comprehensive long term solution which is already being implemented. Protecting against a highly sophisticated attack like the second one which was launched against us requires sophisticated solutions as we also need to protect our datacenter and upstream providers. Cost estimates for these solutions are around $100,000 per year since there are few service providers able to fight off an attack of this size and sophistication. These solutions are expensive and take time to implement, but they will be necessary because it is clear that online privacy has powerful opponents. In order to cover these costs, we are collecting donations for a ProtonMail defense fund.

Attributing online attacks to a particular group, or even to a nation state, is a difficult endeavor that’s frequently prone to error. Still, the prospect that a nation state is behind the second wave of attacks could make an already problematic development—a service that paid a ransom to stop crippling DDoS attacks—much more complicated. It’s likely this story will have more developments before it’s done.


6 comments for “Ransomware warning”

  1. FUNG
    November 8, 2015 at 9:27 pm

    Any information about whether the ransomware attacks Drive C, D or E? Can we just back up to Drive D or E to reduce the danger of losing the files?

    • moses
      November 8, 2015 at 10:37 pm

      Ransomware attacks any and every drive connected to your computer.

      Backups are usually done on removable drives or tape media.

      Whether the backup gets attacked depends on the nature of your backup, e.g. is the backup file named differently?

  2. Mercy
    November 8, 2015 at 9:32 pm

    Attributing online attacks to a particular group, or even to a nation state, actually slows down the development of the particular group or nation. This is a serious IT criminal case.

    • moses
      November 8, 2015 at 10:57 pm

      How would attributing online attacks to a particular group or nation state slow down the development of that particular group or nation state?

  3. Mercy
    November 14, 2015 at 2:00 pm

    Aggressively attributing online attacks to a particular group, or even to a nation state, affects the data and causes the program to dysfunction. Usually people will go for alternatives to solve the problems or even start from the beginning.

    • moses
      November 14, 2015 at 5:20 pm

      How would attributing online attacks to a particular group or nation state affect the data and cause the program to dysfunction?

      What problems do you mean?

      What do you mean by “start from the beginning”?