Mail & Guardian

Datajacking files is big business

The easy solution is to pay the ransom, but there is no guarantee that your computer files will be decrypted

- Lisa Steyn

“If you really value your data then we suggest you do not waste valuable time searching for other solutions because they do not exist,” the hackers told Baden Moir as he desperately but unsuccessfully tried to access his encrypted computer files.

The ransom was one bitcoin (about R8 450). The deadline was 72 hours. When the clock ran out, the price would double. If the ransom was not paid when the next deadline lapsed, those files would be destroyed.

The affliction Moir and his personal computer suffered is aptly named ransomware. And it is the most lucrative malware in history.

Once in, the virus courses through the system, taking data hostage by encrypting all the files so that they cannot be accessed. In most cases, the only hope of retrieving the information is to pay for it.

The first case of ransomware dates back to 1989 when 20 000 infected floppy disks were distributed to the World Health Organisation’s international Aids conference attendees, distributing malware that would encrypt files. But the emergence of CryptoLocker in 2013 was a gamechanger — the malware could be distributed through downloads, weblinks and email attachments.

The malware has even affected United States police departments, which have sometimes paid the ransom to retrieve important files.

The FBI has also offered a $3-million reward for information leading to the arrest of the suspected mastermind behind CryptoLocker, Evgeniy Bogachev, who is known to enjoy sailing on the Black Sea coastline of his home country, Russia. It’s the highest reward ever offered for an alleged cybercriminal.

He is also suspected to be behind other cyberattacks that have taken $100-million out of US bank accounts.

Copycat versions of CryptoLocker have proliferated.

Moir is not sure how the ransomware gained access to his computer, but he was confronted with it whenever he restarted his system or tried to open any of the encrypted files. He was presented with a set of frequently asked questions to guide him through the process of recovering his files.

“What happened to my files?” was the first question posed.

Moir was told all his files were protected by a strong encryption using CryptoWall 3.0. (A handy link to a Wikipedia page for further reading was included.) Next, he was told that a decryption of his files was possible with the help of a private key and decryption program, which was kept only on the hijackers’ secret server.

Personalised links and codes were provided to begin the payment process. He was advised to install a Tor Browser, which is necessary to access the dark web.

Ransomware typically requires payment to be made in bitcoins because they can be difficult to trace.

“I never paid the ransom because bitcoins aren’t cheap,” Moir said.

Research by the technology giant Cisco estimates that 9 515 users in the US are paying ransoms every month, amounting to an annual revenue of $34-million for some cybercrime gangs.

Terry Greer-King, the head of security for Cisco, said there has been a huge surge in ransomware attacks on businesses. “This, however, is not unique to South Africa. Organisations worldwide are experiencing an uptick in attacks over the past several months.”

For years, viruses, trojans and other malware have been sent over the internet to contaminate an end user’s computer, with demands for a ransom in exchange for the data, he said.

“Currently, at Cisco, we have found that JavaScript and Facebook scams are the most common attack methods. In addition, the number of WordPress domains used by criminals globally has risen by 221% between February and October 2015 alone.”

A printing company in Johannesburg, which did not want to be named, is one of many South African businesses that have fallen victim to ransomware.

An assistant manager of the company said the attack came in an email attachment and, once opened, it spread through the company’s entire information technology system. It also affected the emailing system and sent out infected attachments to all recipients. More than 200 000 files were affected, he said.

A ransom equivalent to $5 000 was demanded to retrieve them. “It just wasn’t worth it for us.”

Instead the business has invested in hard drives to back up all data twice a week. “We learnt our lesson the hard way,” he said.

Although bitcoinzar.co.za suggests that paying the ransom is the quickest and easiest way to retrieve your files (See “What to do if your data is held hostage by ransomware”), there is no guarantee that the files will be decrypted once the ransom is paid.

The original CryptoLocker is known to unlock the files once payment is received, said Moir, “but from what I have heard most of the emulated versions don’t at all. They just corrupt your files and hope you pay them.”

The assistant manager was also doubtful about getting the data back. “We decided to lose everything,” he said.

The prevalence of these attacks in South Africa is hard to measure, as it is thought that many victims do not report them. Neither Moir nor the printing company did.

Victims are being urged to report attacks not only to the police but also to the National Cybersecurity Hub.

An Internet Service Providers Association advisory on reporting cybercrimes said: “Over the past few years, there have been an increasing number of convictions in South African courts for cybercrimes and there are some extremely competent SAPS [South African Police Service] personnel involved in detecting and prosecuting cybercrimes. There is also a process under way to increase the penalties which may be imposed.”

Two years have passed since the attack on Moir’s computer but the ransomware still lingers there. “I can stop it from corrupting new files but I can’t get my old ones back or get rid of it.

“It looked like one guy was working on a code to reverse it, or had been making a few for the emulated viruses but then he stopped posting on the message board I was following and I never got an update,” he said.

“I still keep some of the files I want restored on my computer ... now and then I go look to see if there has been any progress, but it seems forgotten in the wave of new viruses.”

Graphic: John McCann. Data source: FBI website.
