1/9/2019
"We've been watching your browsing and..." begins yet another ransomware email. The ones I receive allege that they have my password from a porn site (I've never visited one), they've compromised my router and seen the porn I watch (again, I don't), and that they know the password for my email server (I've never used the claimed one on my email server). If I don't pay they say, they'll share my porn or email history with my entire address book, or maybe they'll post it on the web. This is sometimes called "scareware". Fortunately, I've never had my computer data encrypted and had the screen display a message demanding payment for decryption. (Some of these screens claim the police or a government agency locked the PC for "security reasons" leading to the term police ransomware.)
As I was writing this, multiple sites across the US, Canada, and the UK were hit with ransomware threatening to detonate bombs at work sites unless a ransom was paid in Bitcoin (more on that later). At least three friends received these emails at their offices.
The porn and email server ransomware tend to include an old password of mine and the ID of a Bitcoin wallet to which I am supposed to make a payment. If I am not familiar with how to do so, they even include instructions.
It seems the scammers harvest the email and password combinations from one of many leaks and then send the emails with the "I know your password is [whatever]..." lines in them. They appear to rely on the fact that far too many people use one password for many sites. Thus, if I used 'myUnicorn' as a password on some site that was compromised, maybe it is the password I actually used for my mail server or some other site. This is a good reason to never use the same password on multiple sites. In at least one case, I know they are reaching far into history because the claimed password is one I haven't used in a decade.
Each of these emails also contains the id of a Bitcoin wallet to which I am supposed to send a payment. Interestingly, I've received dozens of these emails and no two have the same wallet ID. Of course, they like cryptocurrencies as the payments are untraceable.
Yesterday's scareware with bomb threats is dangerous and annoying. Businesses and busses were evacuated and people genuinely feared for their lives. This goes beyond the threats of the past and is a form of terrorism. My belief is that this was intended to be a way to increase the price of Bitcoin: if thousands of people bought it in order to prevent being injured or killed, the price would go up. I hope governments working together can capture and arrest those responsible, but I believe the likelihood. Is small.
Email is not the only vector for ransomware or extortion. I've had calls telling me that that the caller was Microsoft and that Windows had reported to them that my PC was infected with a virus, was sending out my passwords, or was attacking other computers. Clever, but far from realistic. Bob Cromwell relates some more ransomware attacks on his site.
Some lessons from these stories: use a different password on each site, change your passwords once in a while (or at least after a documented breach), don't believe ransomware if it says to remit cryptocurrency such as Bitcoin (but report it anyway, especially if you get it at work!), and if seems bogus, it likely is.
To your safe computing,
John McDermott
Related Training:
Cyber Security
