Trouble Paying Your Malware Ransom? Crooks Launch 'Customer Service' Site

By Herb Weisbaum

Here's a first: Crooks who understand the importance of customer service.

It's the latest twist in the global CryptoLocker ransomware attack. This diabolically nasty malware locks up all of the victim's personal files -- and in some cases, backup files -- with state-of-the-art encryption. The bad guys have the only decryption key and demand $300 or two bitcoins to release the data.

"It's been a disaster for many of the people hit with it," said Lawrence Abrams, who has been tracking the spread of this infection on

Within the past few days, the criminal gang behind CryptoLocker created a site for people who need help making their required extortion payments.

"These guys have some big cojones," said security expert Brian Krebs, who writes the KrebsOnSecurity blog.

The CryptoLocker Decryption Service enables victims to check the status of their "order" (the ransom payment) and complete the transaction. Yes, you are reading this correctly!

Those who paid the ransom (with either Green Dot cards or bitcoins) but did not get the decryption key -- or got one that didn't work -- can download it again.

Those who missed the 72-hour deadline can also get their key, but the price jumps to 10 bitcoins from two. At today's market value, that's nearly $4,000. And Green Dot is not accepted with this extended-deadline service.

Why are the CryptoLocker crooks doing this?

"They were leaving money on the table," Abrams told me. "They created this site to capture all the money they were losing because people couldn't figure out how to make the ransom payment or missed the deadline."

The bad guys also ran into some technical problems after launching their attack. It turns out that when antivirus software removes CryptoLocker from an infected computer, the victim can no longer pay the ransom to unlock their files. To do that, they had to reinstall the CryptoLocker malware -- something that was not only weird but cumbersome.

Is This the New Reality?

Law enforcement and cybersecurity experts always advise victims of ransomware attacks not to pay, as that money funds a criminal operation and there's no guarantee the files will be released.

But when you're the victim, when all of your data has been encrypted and you don't have a suitable backup, you're faced with two choices: Pay up or have those files frozen forever. That's why so many people are paying and why security experts fear more of this nasty malware is on the way.

"Anytime you see an underground business that is doing well, you will always see more people copying it," Krebs said. "Unfortunately, I think these destructive attacks are here to stay, and they're only going to get worse and more intense."

Sean Sullivan, security advisor at F-Secure, agrees.

Until now, ransomware attacks were limited by the lack of a global payment method. It took a lot of work to get paid in different parts of the world. Bitcoin, the new digital currency, solves that problem.

"CryptoLocker, using bitcoin, might finally have reduced the overhead of not having a global form of payment," Sullivan said. "We're getting to the tipping point where ransomware will become epidemic because it's not that hard to get paid anymore."

CryptoLocker: A New Method of Attack

Security experts tell me CryptoLocker is delivered in a Zip file attachment. If you open that attachment, the malware is loaded onto your machine.

Because some antivirus software can now detect CryptoLocker hidden in a Zip file and prevent the infection, the bad guys modified their attack a few days ago.

According to Abrams at Bleeping Computer, the files are now password-protected -- a trick that gets them past security software.

It appears that the password "PaSdIaoQ" is the same for everyone, he said. Open that attachment and your files are toast.
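An added example, not part of the original article: one way a mail gateway could spot the password-protected Zip attachments described above without knowing the password, by reading the encryption flag that the Zip format stores unencrypted for each file. The function names, the sample archive, and the quarantine policy are assumptions made for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose flags: entry is encrypted


def encrypted_entries(data: bytes) -> list[str]:
    """Names of archive members whose encryption flag is set."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return [m.filename for m in archive.infolist() if m.flag_bits & ENCRYPTED_FLAG]


def triage_attachment(data: bytes) -> str:
    """Assumed gateway policy: hold what the scanner cannot open, scan the rest."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-zip"
    try:
        locked = encrypted_entries(data)
    except zipfile.BadZipFile:
        return "quarantine"  # malformed archive: contents cannot be inspected
    return "quarantine" if locked else "scan"


def build_sample(encrypted: bool) -> bytes:
    """Constructed test archive. zipfile cannot write encrypted members, so the
    flag is set by hand in the local and central headers (content stays plain)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        # A bare ZipInfo uses a fixed 1980 timestamp, so the bytes are deterministic.
        archive.writestr(zipfile.ZipInfo("invoice.txt"), b"constructed sample content")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flags sit 6 bytes into a local header and 8 bytes into a central one.
        for offset in (raw.find(b"PK\x03\x04") + 6, raw.find(b"PK\x01\x02") + 8):
            (flags,) = struct.unpack_from("<H", raw, offset)
            struct.pack_into("<H", raw, offset, flags | ENCRYPTED_FLAG)
    return bytes(raw)


if __name__ == "__main__":
    for label, sample in (("plain", build_sample(False)), ("locked", build_sample(True))):
        print(label, triage_attachment(sample), encrypted_entries(sample))
```
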

How do you protect yourself?

It's the same advice you've heard before: Don't open attachments from an unknown sender, have up-to-date security software and back up your files religiously. And because CryptoLocker can compromise files that have already been backed up, you need to reassess how you do your backups.

Network drives (whether physical or in the cloud) that are always connected to your computer are often vulnerable. Krebs suggested doing a manual backup and then disconnecting the drive when you're done. It's a lot more work, but much safer.

We are dealing with a new generation of malware, he said. Once it does its damage, you cannot undo it yourself.

"This is scary stuff," Krebs said. "People need to rethink how they protect their important files."

In a new article on his blog, Krebs recommends two tools that can block CryptoLocker infections: CryptoPrevent from Foolish IT for individual Windows users and the CryptoLocker Prevention Kit from Third Tier for small business administrators.

Follow CNBC contributor Herb Weisbaum on Facebook and Twitter @TheConsumerman
or visit The ConsumerMan website.


Losers that choose not to have real jobs like the rest of us but instead choose to blackmail us deserve to be executed as soon as they are found. And the public should have the right to execute on sight if they were to come across one of these a holes.

November 15 2013 at 4:09 PM

Consider passing a law to execute such criminals immediately without a trip to the courthouses?

November 15 2013 at 3:06 PM, +1

Baggers will defend these criminals as "entrepreneurial job creators". Or in Baggerspeak: "ontrapanurial jobb creaters".

November 15 2013 at 12:14 AM, -4
1 reply to teeessiii's comment
Robin Diaz

Crooks are crooks no matter what and some of the biggest crooks are currently in DC and particularly in the Oval Office.

November 15 2013 at 2:51 PM, +2

Frank The Great is obviously a very dangerous psychotic who should be confined to a mental hospital.

November 14 2013 at 11:36 PM, -1

The Government should have a special forces swat team to hunt these people down and snuff them.

November 14 2013 at 10:48 PM, +3

soon everything we own will be worthless. better off buying bags of salt to keep our food from going bad. oh. wait. we did that. the cycle continues.

November 14 2013 at 8:36 PM, -1
Petra Imports

Just restart your computer into safe mode and restore computer to an earlier point.
By shutting down holding the power button Then F8 when computer restarts.

November 14 2013 at 7:06 PM, +1

It happened to me. I took the tower to Best Buy..and they unlocked it. Took about an hour.

November 14 2013 at 3:47 PM
1 reply to ridge012's comment

What did they charge?

November 14 2013 at 5:06 PM