“WannaCrypt” ransomware scam demands payment in advance!

What’s worse than ransomware that scrambles all your files and demands money for the key to unlock them and get them back?

Well, WannaCry certainly added a new dimension to the ransomware danger, because it combined the data-scrambling process with self-spreading computer virus code.

As a result, WannaCry could worm its way through your network automatically, potentially leaving you with hundreds or even thousands of scrambled computers in a single attack, even if only one user opened a booby-trapped attachment or downloaded a file from a poisoned website.

The crooks behind the SamSam ransomware have also latched onto a rather different approach: instead of trying to reach thousands or tens of thousands of victims around the world with a hard-hitting spam campaign, and squeezing each of them for hundreds or thousands of dollars each, the SamSammers seem to attack one organisation at a time.

Indeed, the SamSammers generally keep their hand hidden until they have broken into the network and figured out, using similar techniques to penetration testers, a list of computers they know they can encrypt all at the same time.

Then they let fly on all of those identified devices at once, giving them a much higher chance of scrambling at least some computers that are critical to the workflow of your company,

Finally, they make a payment demand, typically charging a few thousand dollars for each individual computer you want to unlock, but also offering an all-you-can-eat deal of $50,000 to decrypt everything.

But now there’s a back-to-front approach – a bunch of scammers who aren’t saying, “If you don’t pay we won’t fix your files,” but instead saying, “If you do pay we won’t scramble them in the first place.”

Simply put, it’s a protection racket, where you’re being stood over to prevent bad things happening, rather than a ransom-based racket, where you are being squeezed to recover from bad things that already happened:

From: WannaCry-Hack-team
To: **************
Subject: !!!Warning Wannacrypt!!!

Hello! WannaCry is back! All your devices were cracked with our program installed on them. We have improved operation of our program, so you will not be able to regain the data after the attack.

All the information will be encrypted and then erased. Antivirus software will not be able to detect our program, while firewalls will be strengthless against our unique code.

Should your files be encrypted, you will lose them forever.

Our program also covers the local network, erasing data on all computers connected to the network and remote servers, all cloud-stored data, and freezing website operation. We have already deployed our program on your devices.

Deletion of your data is scheduled for June **, 2018, at **:** – **:** PM. All data stored on your computers, servers, and mobile devices will be destroyed. Devices working on any version of Windows, iOS, macOS, Android, and Linux are subject to data erasion.

With an eye to ensure against data demolition, you can pay 0.1 BTC (~$650) to the bitcoin wallet: ****************

The bad news is that this WannaCrypt “demanding money with menaces” threat email is very widespread – we’ve had people worried about it from all over, which is why we decided to write up this warning.

The good news is that these particular crooks don’t actually have any malware to back up their threat.

Indeed, their claim that “antivirus software will not be able to detect [the] program” is one of the few truths in this scam, for the simple and fortunate reason that, in this case, there is no program to detect.

Just to be clear here: disk wiping malware – think of it as ransomware with no decryption key, so you can’t buy your files back from the crooks even if you want to – most certainly exists.

So, these WannaCrypt scammers could, in theory, have been telling the truth, giving you just a few hours to hunt down and turn off their attack code before your data was destroyed.

In this particular case, however, the whole thing is a fraud, right down to the existence of the malware in the first place.

What to do?

  • Don’t pay up. As far as we can see from the Bitcoin blockchain, no one has yet sent any funds [2018-06-22T12:00Z], at least to the Bitcoin address in the spam samples we’ve seen so far.
  • Don’t contact the scammers “just in case”. Letting them know you’re there and worried is giving away information about yourself that you dont need to.
  • Make sure you’re patched and protected. To pull off an attack like this would mean infecting you first but then giving you a fighting chance to track down the malware before it went off (ransomware, in contrast, only alerts you after it has triggered), so be prepared.

Remember that ransomware, disk wiperware, protection racketware and other malware that destroys your data is only one of many ways to lose your precious digital stuff – software bugs, fire, flood, loss, theft, and plain old hardware age can all result in abrupt and catastrophic data loss, too…

…so get those backups sorted, and do it today!