
Feb 28

Ransomware strikes…

This ain’t the movies, kid…

There’s a lot of things Hollywood gets very wrong about computers, viruses and hacking. User interfaces of the most popular hacking tools tend to look like very old versions of Windows, and nothing like The Matrix at all. And nine times out of ten, your reflexes have little, if anything, to do with it.

So this attack was quite unusual, in a number of ways.

It started in the morning, very quietly and without anyone suspecting that anything had happened. A link slipped through to someone in an email, and they clicked on it. Internet Explorer 8 popped up, they got an error message, shut it, and got on with their day.

A couple of hours later, I got a call. Finance was having a problem – they couldn’t open their files.

I set a couple of remote scans running, but the server that their files sat on was looking clean. Worryingly, though, the file extensions had changed in the Finance folder. They were all now reading

- ENCRYPTED

Ransomware. Someone, soon, would be getting a message

We set our little box of tools in motion, and isolated the files and the server.

We zipped the folder, scrubbed the files, and planned a restore from the backup tapes once we had made a thorough search.

The server was clean but the attack was coming … from inside the house!

I mean office. Sorry.

We traced the traffic, got the IP address.

Act two

I started to walk towards the infected machine just as that person rose from their desk.

“Hey, as you’re here, can you just quickly look and see why I can’t print this document?”

In front of my eyes, one by one, the file icons on the desktop were changing to encrypted. Just like a movie.

IT involves spending a lot of time on your knees, for one reason or another. This time it was to rip out the Ethernet cable.

There was nothing we could do for the PC now. If it had eyes I would have knelt by its side and gently closed them.

The desktop wallpaper changed, quoting the same text as the pop-up image that had appeared.

“Hello,

I am an IT specialist, I research system vulnerabilities and make profit by selling them. I have found one vulnerability in your system and hacked it. I have encrypted the files and if you are willing to decrypt them you need to buy a decryption key from me. Here is my contact …”

And so on. He left an email address, boasted of frankly impossible levels of encryption, and told us how much it would cost to undo.

But it wouldn’t have worked, even if we paid. This was scrambleware, and a particularly nasty version of it.

We rebooted the machine using a virtual copy of Windows XP, ran a complete array of anti-virus and anti-malware suites. All of them came back with absolutely zilch. Incredible.

We would have to reformat the hard drive. Nothing else to it.

But first, we had to go and do a little more snooping.

And there it was, the domain controller for another branch, in another country.

The encryption had started there as well, and had been working through the folders alphabetically. If that Ethernet cable had been in for another five minutes, the whole server would have been scrambled. As it happens, it had been halted on the second folder starting with ‘A’.

Kind of like Alien…

A nasty, nasty little piece of work. It had sat on this PC for almost three hours, working out where the Finance folder was, and then quietly set about scrambling it. Then it systematically destroyed its host, while using it to reveal networked drives to go about its work, regardless of access permissions set up for the account holder.

We took as many fingerprints as we could, got a forum going to investigate it, but so far, a week in – nada.

So what did we learn …

  • It might be a good idea to rename your finance folder as something else entirely. Maybe Z Beeblebrox. Create another folder called Finance and just fill it with copies of files from other folders. If something like this hits you, malware that hunts for the Finance folder by name will find a pile of junk and begin encrypting that instead.
  • Get a tattoo on your forehead that says “do not open unsolicited documents or click on unsolicited links in general and in emails specifically”. If your forehead isn’t big enough, find another way to ram the message home to your staff.
  • Stop using Windows XP. Now.
  • Stop using Internet Explorer.
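A decoy Finance folder is only useful if somebody notices when it gets touched. The following is an added example, not code from the original post: it turns the decoy into a tripwire by recording a hash baseline of its files and then reporting anything missing, modified, or carrying the ransom suffix. It assumes the malware appends an “.ENCRYPTED” suffix to file names, as seen on the Finance share above; the decoy files and the simulated encryption run are constructed here for the demonstration and are not the real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Suffix seen on the encrypted Finance files in this incident (assumed to be appended).
RANSOM_SUFFIX = ".ENCRYPTED"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large decoys do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def seed_canary(folder: Path, count: int = 5) -> dict:
    """Create decoy files and return a {name: sha256} baseline for them (constructed data)."""
    folder.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for i in range(count):
        p = folder / f"invoice_{i:03d}.xlsx"
        p.write_bytes(b"decoy invoice %d\n" % i)
        baseline[p.name] = sha256_file(p)
    return baseline


def check_canary(folder: Path, baseline: dict) -> dict:
    """Compare the decoy folder against its baseline and flag tampering indicators."""
    findings = {"missing": [], "modified": [], "ransom_suffix": [], "new": []}
    present = {}
    for p in folder.rglob("*"):
        if p.is_file():
            present[p.name] = p
            if p.name.upper().endswith(RANSOM_SUFFIX):
                findings["ransom_suffix"].append(p.name)
    for name, digest in baseline.items():
        if name not in present:
            findings["missing"].append(name)
        elif sha256_file(present[name]) != digest:
            findings["modified"].append(name)
    for name in present:
        if name not in baseline:
            findings["new"].append(name)
    # Any of these on a folder nobody legitimately uses means something is rewriting it.
    findings["alert"] = any(findings[k] for k in ("missing", "modified", "ransom_suffix"))
    return findings


def simulate_encryption(folder: Path, victims: int = 2) -> None:
    """Constructed stand-in for the ransomware: overwrite and rename the first files alphabetically."""
    for p in sorted(folder.iterdir())[:victims]:
        p.write_bytes(os.urandom(64))
        p.rename(p.with_name(p.name + RANSOM_SUFFIX))


def demo() -> dict:
    """Seed a decoy, confirm it is quiet, hit it with the simulation, and check again."""
    with tempfile.TemporaryDirectory() as tmp:
        canary = Path(tmp) / "Finance"
        baseline = seed_canary(canary)
        clean = check_canary(canary, baseline)
        simulate_encryption(canary)
        hit = check_canary(canary, baseline)
    return {"clean_alert": clean["alert"], "hit_alert": hit["alert"], "hit": hit}


if __name__ == "__main__":
    print(demo())
```

Run the check on a schedule (or from a file-change watcher) against the real decoy share and page someone on `alert`; the baseline only has to be rebuilt when you deliberately change the decoy contents.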

I’m going to tell you a little (and very badly kept) secret. Reboot your XP machine, and look for access to the safe mode, usually the F8 or Esc key.

Select “Safe Mode with Networking”.

You are now two steps away from removing all password protection on the PC, while still having access to all the files and folders that are normally associated with it.

That’s how secure XP is. Makes you worry when you see it on a crashed ATM.

And as you probably know, from April Microsoft will no longer release security updates or software updates for XP, or offer support documents relating to it.

We had made the business case for updating their software, but as with many charities, it was a low priority in cash-strapped times. So we just went ahead and updated them anyway. We’ll worry about it another day. And it’s too early to say whether it really was an XP or IE8 vulnerability.

We have a pretty good international team investigating it, get in touch if you want to see the white paper that comes out at the end.

So, scary stuff. You have to wonder what’s next …

 

INT. SELF-DRIVING CAR. NIGHT

The car silently winds its way through the streets of Santa Monica

CALVIN leans back, speaking to his wife, KIRSTY via holo-cam. The car suddenly takes a detour.

KIRSTY

 (holograph)

 You look concerned. Something wrong?

 

CALVIN

Nothing. Just seem to be taking a different route.

 

KIRSTY

 It happens.

 The car accelerates, heading back to a busy highway.

 CALVIN

 Hang on, hun.

Tapping the screen – no response.

 CALVIN

 Ok, Car. Status update please …

 

His wife’s hologram crackles – disappears. An evil-looking, masked, avatar takes its place …

AVATAR

 Good evening Calvin.

 

CALVIN

 What the …

 

Another burst of acceleration. An old Gary Numan song starts up. The doors double-lock.

 

AVATAR

We have control of your car, Calvin.

 

CALVIN

 Who the hell are you? What do you want?

 

AVATAR

 Your car has been hacked. You have 3 minutes to give us your bank account details …

 

BACKGROUND MUSIC

Here in my car

I feel safest of all

I can lock all my doors …