By Alina Simone • 1/02/15
MY mother received the ransom note on the Tuesday before Thanksgiving. It popped up on her computer screen soon after she’d discovered that all of her files had been locked. “Your files are encrypted,” it announced. “To get the key to decrypt files you have to pay 500 USD.” If my mother failed to pay within a week, the price would go up to $1,000. After that, her decryption key would be destroyed and any chance of accessing the 5,726 files on her PC — all of her data — would be lost forever.
CryptoWall 2.0 is the latest immunoresistant strain of a larger body of viruses known as ransomware. The virus is thought to infiltrate your computer when you click on a legitimate-looking attachment or through existing malware lurking on your hard drive, and once unleashed it instantly encrypts all your files, barring access to a single photo or tax receipt.
Everyone has the same questions when they first hear about CryptoWall:
Is there any other way to get rid of it besides paying the ransom? No — it appears to be technologically impossible for anyone to decrypt your files once CryptoWall 2.0 has locked them. (My mother had several I.T. professionals try.)
But should you really be handing money over to a bunch of criminals? According to the Internet Crime Complaint Center, a partnership between the F.B.I. and the National White Collar Crime Center, this answer is also no. “Ransomware messages are an attempt to extort money,” one public service announcement helpfully explains. “If you have received a ransomware message do not follow payment instructions and file a complaint.” Right. But that won’t get you your files back. Which is why the Sheriff’s Office of Dickson County, Tenn., recently paid a CryptoWall ransom to unlock 72,000 autopsy reports, witness statements, crime scene photographs and other documents.
Finally, can law enforcement at least do something to stop these attacks in the future? Probably not. Many ransomware viruses originate in Russia and other former Soviet bloc countries. The main difficulty in stopping cybercriminals isn’t finding them, but getting foreign governments to cooperate and extradite them.
By the time my mom called to ask for my help, it was already Day 6 and the clock was ticking. (Literally — the virus comes with a countdown clock, ratcheting up the pressure to pay.) My father had already spent all week trying to convince her that losing six months of files wasn’t the end of the world (she had last backed up her computer in May). It was pointless to argue with her. She had thought through all of her options; she wanted to pay.
Only, paying turned out not to be so easy; the CryptoWall hackers take only Bitcoins.
Picture the kind of early-adopting, hoodie-wearing member of the technocracy totally comfy with the idea of a cybercurrency neither backed nor issued by any central bank or government. Now picture the opposite of that. That is my mom. Having never so much as purchased an app in her life, my mom had no idea how to buy Bitcoins. Happily, her ransomers had anticipated this problem and included a link to a step-by-step guide, complete with pictures.
She’d managed to make a cash deposit via Bank of America to the unique Bitcoin “wallet” provided by her ransomers, but since Bitcoin’s price is extremely volatile, her payment had already fallen $25 short by the time it arrived. (Credit and debit payments can take up to six days to process.) The fastest way to send the extra $25 was to make a direct deposit at an A.T.M. that handled Bitcoin transactions. That’s where I came in. Coin Cafe, the Bitcoin provider my mother had chosen, had an A.T.M. in Greenpoint, Brooklyn, not too far from where I lived.
The Bitcoin A.T.M. was not easy to find. It was housed in the second-floor hallway of a cooperative work space, tucked inside an old Nynex phone booth. On one hand, I appreciated the winking irony of this sight gag. On the other hand, Fidelity Investments this was not.
Inside was a little white box with no buttons, just a screen, a camera eye and a money slot. I scanned in the QR code my mom had sent me. The machine whirred to life. “Balance query in progress,” it announced. This query remained in progress for the next 20 minutes, during which I left three messages on Coin Cafe’s voice mail before abandoning the booth to get some coffee and walk around in the rain.
The fourth time I called, a human being answered the phone and told me the problem had been fixed. I hurried back to the A.T.M., scanned in my QR code, sent some Voldemorts $25 in crisp bills and called my mom. The whole experience had not done much to allay my misgivings about Bitcoin; what did allay them was Mike Hoats, the nice bearded man Coin Cafe sent over to fix the A.T.M.
We got to talking after I made my payment, and he told me that, while no one at Coin Cafe believed people should fund criminal activity by paying the ransom, their job was to broker the purchase and sale of Bitcoins, which, like cash, could be used for any purpose. CryptoWall had thrust them into the unwitting role of ransomware advisers, coping with grandmothers crying on the phone at the thought of losing all their photos or small-business owners whose family income was on the line. Coin Cafe didn’t like profiting from the victims (according to the company, these transactions are in the low single digits as a percentage of its total business), but they were downright mortified to learn that CryptoWall had anointed them as one of their Bitcoin providers of choice, with praise for their “fast, simple service.” That’s how my mom found out about Coin Cafe — from her ransom note.
This referral is only one of the handy services CryptoWall provides to ensure a more seamless customer experience. Others include the ability to “decrypt one file for free” and a message interface one can use “in case of any problems with payment or having any other questions.” What next, I wondered. Twenty percent off when you refer this malware to a friend? Frequent virus cards? Black Friday ransom specials?
“I THINK they like the idea they don’t have to pretend they’re not criminals,” Chester Wisniewski, a senior security adviser at the computer security firm Sophos, told me when I reached him in Vancouver by phone. “By using the fact that they’re criminals to scare you, it’s just a lot easier on them.” They don’t have to hire a professional translator to get their English perfect, Mr. Wisniewski explained, or engage in any of the baroque subterfuge required of someone pretending to be a Nigerian gentleman farmer who just needs a little help claiming his inheritance.
In addition to being criminals, these peddlers of ransomware are clearly businesspeople, skillfully appropriating all the tools of e-commerce. From branding (CryptoWall is a variant of a fearsome earlier virus called CryptoLocker, which was shut down last year) to determining what they can extort (ransomware hackers have tested the market with prices as low as $100 and as high as $800,000, which the city of Detroit refused to pay in order to have its database decrypted), these operators are, as Mr. Wisniewski put it, part of “a very mature, well-oiled capitalist machine.” It’s also an incredibly lucrative machine: Some experts estimate that CryptoLocker hackers cleared around $30 million in 100 days in 2013. And more than a million PCs worldwide have been hit with the CryptoWall virus.
Even after reading through numerous descriptions of CryptoWall 2.0 as “the largest and most destructive ransomware threat on the Internet” and “an enormous danger for computer users,” I still couldn’t help thinking this was mainly a problem for moms who persist in using big, boxy PC computers and small-town police departments. Mr. Wisniewski quickly disabused me of that notion. Although CryptoWall has primarily affected Windows computers and Android cellphones so far, there is no technological barrier that prevents the virus from infiltrating Macs like mine. And when it does, Mr. Wisniewski chuckled, I should expect the ransom to be a lot higher.
So what can we all do to protect ourselves? Keep our computers backed up on an independent drive or by using a cloud backup service like Carbonite, take those software update and “patch” alerts seriously and, most of all, Beware the Attachment. (Remember: Brand-name businesses like J. Crew or Bank of America will rarely send you an attachment.)
Of course, this advice arrives too late for my mom. And it appeared her payment had arrived too late as well: By the time I got home from Greenpoint, her CryptoWall ransom had been raised to $1,000, and the $500 in Bitcoins she had deposited had vanished. In a panic, she wrote to Mike Hoats asking for advice. What he told her sounded crazy to me. Use the CryptoWall message interface to tell the criminals exactly what happened. Be honest, in other words.
So she did. She explained that the virus had struck the same week that a major snowstorm hit Massachusetts and the Thanksgiving holiday shut down the banks. She told them about the unexpected Bitcoin shortfall and about dispatching her daughter to the Coin Cafe A.T.M. at the 11th hour. She swore she had really, really tried not to miss their deadline. And then a weird thing happened: Her decryption key arrived.
When I shared the news with Mr. Hoats, he was jubilant. “That is great news, truly!” he wrote. “Whoever these yahoos are, they have some little shred of humanity.”
But Mr. Wisniewski had a more pragmatic take. “From what we can tell, they almost always honor what they say because they want word to get around that they’re trustworthy criminals who’ll give you your files back.”
Welcome to the new ransomware economy, where hackers have a reputation to consider.