We originally reported on this back in #AxisOfEasy 58, it’s the phenomenon of getting an email spam wherein the mailer claims to have hacked or compromised your computer, and will (pick one).
- encrypt or corrupt your computers, files or data
- spread embarrassing or compromising information about you to your contacts
- release an unflattering video ostensibly taken via your computer camera
Since about a week ago there has been a noticeably large spike in the volume of these spams. I’m personally getting around a half-dozen per day, and clients are getting them and emailing us asking what to do about it.
Most of these emails send you one of your passwords that you may have really used previously (or God forbid, are still using somewhere) as “proof” of their claim to have utterly owned your computer.
How They Do It
So how do these guys know your password, or one of your old passwords, if the claim that they’ve hacked your computer is just a bluff?
Some vendors store passwords in clear text. It’s a major security #fail to do so, but a lot of companies do it anyway. Alternatively, there’s a lot of old, decrepit sites that used to do it, but are still online and vulnerable.
Those vendors and old websites get hacked, and then those login creds get distributed, aggregated and otherwise passed around. There is a thriving market for these on the darkweb. (The chatter within a security list I’m on posits that most of these are being culled from a LinkedIn breach, also noting that many of the recipients are unaware that there even was a LinkedIn breach…although I’m getting lots to addresses that don’t even have LinkedIn accounts.)
easyDNS maintains our own database of around a couple billion credentials as do other security types, and we periodically check our member accounts against it and force password resets on anything that hits. You can also sign up at a place like HaveIBeenPwned and they will email you when your email comes up in a new breach (it’s free).
How To Tell If It’s a Real Ransomware Attack
If it’s just an email in your mail and providing an old password, it’s spam and almost certainly a bluff. Don’t fall for it. Some people are. I randomly picked a Bitcoin address from these emails and can see that it’s had 25 transactions totally over 1.6 BTC, currently over $13,000 CAD.
In a real ransomware attack you typically don’t learn about it via a message in your email. You realize something is up when you can’t access anything on your computer and you’re locked out with a ransomware demand screen:
Protecting Yourself from Both Fake and Real Attacks
In the case of the fake email spam bluff, if they show you a password you still use anywhere, obviously, go change it, everywhere.
You should be using password managers or some other system that enables you to use complex, unique passwords across every website.
By using email canaries: the practice of setting up either a dedicated domain name with a unique email address for every vendor (i.e. email@example.com), or else unix “+” notation (i.e. firstname.lastname@example.org) – then you can tell which vendor was compromised from the email used to send you the spam, and now you also know that they’ve been storing their customer passwords in cleartext. (The problem with the latter method is not all online forms allow “+” notation in email addresses, and not all mail servers handle it properly. easyDNS mail servers and email forwarders handle them as expected.)
In the case of a real ransomware file-locked situation it all comes down to whether or not you have backups, and have those backups been locked as well?
If you have no viable backups, you’re pretty well stuck paying the ransom. Once you decrypt your files, chalk it up to the cost of learning your lesson and then right away go get some backups happening.
easyBackup specifically screens for all major malware and ransomware variants and syncs with all major malware detection. It’s an incremental backup system so if you get infected you can rewind back to your most recent clean backup, which can itself be encrypted (with your keys, not the attackers), and restore your files.