Ransomware isn’t a laughing matter, especially if you’re the victim.
Even if you don’t lose any data in the attack, it’s a bit like getting mugged by crooks who end up running off without your wallet.
But we couldn’t help cracking a bit of a smile at this one, blocked by Sophos products as Troj/Ransom-DJC:
If you click [Submit] without paying, the window at the bottom left of the “pay page” changes like this:
We have no idea what happens if you do pay up, as we didn’t try.
Our important document files certainly disappeared from view when the ransomware triggered:
The crooks, we can only assume, are hoping that the threat of deleting your scrambled-and-hidden files one by one is enough to persuade you to pay up.
There’s also the attractive fact that this ransomware is cheaper than usual, a snip at BTC 0.2 (about $130) instead of the usual $300-$600 price point.
There’s a good reason for the heavy discount, however.
This is a new sort of cryptoransomware that we’re dubbing “boneidleware.”
Your files aren’t encrypted at all; they’re simply hidden with extreme prejudice: deleted, erased, gone for good, removed, zapped, trashed, nuked, fried, /dev/nulled, placed in File 13…
…so there’s no point in paying up at all.
We can’t imagine that the rest of the ransomware underground is very happy about this one.
Since CryptoLocker burst on the scene in late 2012, ransomware crooks have built up something of a reputation for “honour amongst thieves,” because paying up usually does get your data back.
The developers of this boneidleware are undermining all of that.
And that’s why we made an exception, and cracked a bit of a smile at this one.
What to do?
We regularly offer advice on preventing (and recovering from) attacks by ransomware and other nasties.
Here are some links we think you’ll find useful:
- To defend against ransomware in general, see our article How to stay protected against ransomware.
- To protect against misleading filenames, tell Explorer to show file extensions.
- To protect against VBA malware, tell Office not to allow macros in documents from the internet.
- To learn more about ransomware, listen to our Techknow podcast.
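The two Windows hardening steps in the list above (show file extensions, block internet-sourced macros) can be applied and audited from a PowerShell prompt. The script below is an added example for this page, not code from Sophos or from the linked articles; it assumes Office 2016 or later (registry version key 16.0) and writes only to the current user's hive, so no elevation is needed.

```powershell
# Added example (not from the Sophos article): apply the two hardening
# settings from the list above via the registry, then read them back.
# Assumption: Office 2016/2019/365 uses version key 16.0; adjust for others.

$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
# HideFileExt = 0 makes Explorer show "invoice.pdf.exe" rather than "invoice.pdf"
Set-ItemProperty -Path $explorerKey -Name 'HideFileExt' -Value 0 -Type DWord

$officeVersion = '16.0'   # assumption: Office 2016 or later
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $secKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $secKey)) { New-Item -Path $secKey -Force | Out-Null }
    # Policy "Block macros from running in Office files from the Internet":
    # files carrying the Mark-of-the-Web zone identifier cannot run VBA.
    Set-ItemProperty -Path $secKey -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# Verification: report the effective values so the change can be audited.
$wordKey = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Word\Security"
[pscustomobject]@{
    ShowFileExtensions = ((Get-ItemProperty $explorerKey).HideFileExt -eq 0)
    WordMacrosBlocked  = ((Get-ItemProperty $wordKey).blockcontentexecutionfrominternet -eq 1)
}
# Explorer reads HideFileExt when it starts, so sign out and back in
# (or restart explorer.exe) before expecting extensions to appear.
```

The same keys under HKLM (with the Policies path) turn these into machine-wide settings that a standard user cannot undo; in a domain, the equivalent Group Policy objects are the usual way to push them to every workstation.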
13 comments on “Ransomware that demands money and gives you back… nothing!”
I just dealt with a ransomed computer last week. I was surprised that when I tried to reinstall the OS (Win7) I discovered they had encrypted parts of the recovery partition. I’d not heard of that before.
I hate hate HATE not having recovery media. Depending on a hard drive for restoring your OS is the stupidest idea ever conjured in Redmond. What WERE they thinking!?!
Dang good thing Win10 is still free. At least this computer didn’t become a complete door stop, though it sure resembles one. (micro-desktop form factor)
BTW the user was smart enough to make backups, she didn’t lose anything other than her preferred OS and the desktop wallpaper image of her dog.
I will say one thing good about Win10: I had no non-functioning hardware after the install. First time ever doing a Windows install without having to install drivers afterwards. Indeed, it handled the network adapter without a hitch, just like Linux. 😀
I recommend making at least one backup using disk imaging software. Most Linux live cds contain everything you need. Restore the image of the entire drive and run windows update.
late reply (sorry)…
“What WERE they thinking?”
Thank you for calling PC support, are you going to express your defiance by wiping that small partition and adding 2% to your usable storage? Hah, go ahead; we don’t mind.
Convenience is now largely prioritized for the manufacturer, not the consumer. They (not necessarily Microsoft) save revenue not printing millions of recovery discs–the small percentage of drive failures which don’t result in the ignorant “dang, I guess I need a whole new computer” will use far fewer resources in comparatively cheap bandwidth.
I’ve lamented before that unless the recovery partition is completely hidden from the OS, malware will find it. It would help if solely the BIOS/UEFI could find it. Maybe encryption at the outset is the answer, with a key pair unique to each PC–and the BIOS can decrypt while OSes can’t. Of course that would cost money and time to implement–and still might be circumvented–so it’d be weighed against how much tech support they expect to otherwise pay…ergo it’s unlikely.
Car manufacturers have done the same thing. Prioritizing assembly-line speed consequently means that some models of truck need the entire cab pulled off the frame to change a battery, or replacing a fuel pump requires dropping the engine. You pay a tow and a massive repair bill for something that was once a 10 minute DIY job.
Of course the Amazon product page rarely mentions the immutable disc is a dodo bird, and the car salesman rarely shows you that bullet point on the sticker.
Hah, you’re right… this is funny in the long run. However I feel for the short-term victims, with no chance (yes yes…we all know *some* chance, but you know what I mean) to recover their stuff.
This ALMOST makes the real ransomware look reputable, at least you could get your files back. But as always the moral is, just do backups, at the very least of your important files. The government agency I work for is being audited by the state. So far they have interviewed me twice, backups featured prominently. I do a hybrid NAS/cloud backup nightly and a weekly detachable backup once a week, and I still don’t feel that’s enough.
Much as I dislike the idea of even considering giving over money, if I were a silly person who doesn’t have backups and lost everything, looking to see if there’s one of those “we’ll unencrypt one file for you to prove we can” options around to see if it’s slightly legit might be handy.
In other news, I’ll just be off figuring out how to make a file look encrypted but have a duplicate somewhere for no reason at all…
The images after the [Submit] mimic a movie-like hostage situation…
That would be a straight-to-video movie, methinks 🙂
I suppose the silver lining is that if this type of ransomware gets popular, and does a sufficiently good job of undermining the trust in all ransomware, eventually the people will stop paying up altogether, and the industry will collapse.
Which can’t be bad.
Shouldn’t the bytes free go up if they were deleted, not down? Could this be just hiding the files from the system?
I’d expect the crooks hope panic to recover files will override powers of observation.
Also, since having a 1TB hard drive is fairly common, there’s not a huge apparent difference between
921G free of 951G
932G free of 951G
Oh wait! There are 2894 new files in the recycle bin! Never mind…
I blame Java and its derivatives.
Does anybody know if this ransomware deletes the files in a shared directory?