Trouble Paying Your Malware Ransom? Crooks Launch 'Customer Service' Site


By Herb Weisbaum

Here's a first: Crooks who understand the importance of customer service.

It's the latest twist in the global CryptoLocker ransomware attack. This diabolically nasty malware locks up all of the victim's personal files -- and in some cases, backup files -- with state-of-the-art encryption. The bad guys have the only decryption key and demand $300 or two bitcoins to release the data.

"It's been a disaster for many of the people hit with it," said Lawrence Abrams, who has been tracking the spread of this infection on

Within the past few days, the criminal gang behind CryptoLocker created a site for people who need help making their required extortion payments.

"These guys have some big cojones," said security expert Brian Krebs, who writes the KrebsOnSecurity blog.

The CryptoLocker Decryption Service enables victims to check the status of their "order" (the ransom payment) and complete the transaction. Yes, you are reading this correctly!

Those who paid the ransom (with either Green Dot cards or bitcoins) but did not get the decryption key -- or got one that didn't work -- can download it again.

Those who missed the 72-hour deadline can also get their key, but the price jumps to 10 bitcoins from two. At today's market value, that's nearly $4,000. And Green Dot is not accepted with this extended-deadline service.

Why are the CryptoLocker crooks doing this?

"They were leaving money on the table," Abrams told me. "They created this site to capture all the money they were losing because people couldn't figure out how to make the ransom payment or missed the deadline."

The bad guys also ran into some technical problems after launching their attack. It turns out that when antivirus software removes CryptoLocker from an infected computer, the victim can no longer pay the ransom to unlock their files. To do that, they had to reinstall the CryptoLocker malware -- something that was not only weird but cumbersome.

Is This the New Reality?

Law enforcement and cybersecurity experts always advise victims of ransomware attacks not to pay, as that money funds a criminal operation and there's no guarantee the files will be released.

But when you're the victim, when all of your data has been encrypted and you don't have a suitable backup, you're faced with two choices: Pay up or have those files frozen forever. That's why so many people are paying and why security experts fear more of this nasty malware is on the way.

"Anytime you see an underground business that is doing well, you will always see more people copying it," Krebs said. "Unfortunately, I think these destructive attacks are here to stay, and they're only going to get worse and more intense."

Sean Sullivan, security advisor at F-Secure, agrees.

Until now, ransomware attacks were limited by the lack of a global payment method. It took a lot of work to get paid in different parts of the world. Bitcoin, the new digital currency, solves that problem.

"CryptoLocker, using bitcoin, might finally have reduced the overhead of not having a global form of payment," Sullivan said. "We're getting to the tipping point where ransomware will become epidemic because it's not that hard to get paid anymore."

CryptoLocker: A New Method of Attack

Security experts tell me CryptoLocker is delivered in a Zip file attachment. If you open that attachment, the malware is loaded onto your machine.

Because some antivirus software can now detect CryptoLocker hidden in a Zip file and prevent the infection, the bad guys modified their attack a few days ago.

According to Abrams at Bleeping Computer, the files are now password-protected -- a trick that gets them past security software.

It appears that the password "PaSdIaoQ" is the same for everyone, he said. Open that attachment and your files are toast.

How do you protect yourself?

It's the same advice you're heard before: Don't open attachments from an unknown sender, have up-to-date security software and back up your files religiously. And because CryptoLocker can compromise files that have already been backed up, you need to reassess how you do your backups.

Network drives (whether physical or in the cloud) that are always connected to your computer are often vulnerable. Krebs suggested doing a manual backup and then disconnecting the drive when you're done. It's a lot more work, but much safer.

We are dealing with a new generation of malware, he said. Once it does its damage, you cannot undo it yourself.

"This is scary stuff," Krebs said. "People need to rethink how they protect their important files."
In a new article on his blog, Krebs recommends two tools that can block CryptoLocker infections: CryptoPrevent from Foolish IT for individual Windows users and the CryptoLocker Prevention Kit from Third Tier for small business administrators.

More from CNBC:

Follow CNBC contributor Herb Weisbaum on Facebook and Twitter @TheConsumerman
or visit The ConsumerMan website.

Originally published