This post is part 2 of our three-part series on what happens when you pay the ransom after ransomware has taken over your computer. You can find out how it all began in Part 1. Here's the current state of where we are at:
- Ransomware has infected the machine (TeslaCrypt 4.0, to be exact)
- A majority of the files have been encrypted
- The business has stopped and must resort to manual processes
- Bitcoin is the payment currency
- Backups are not recent, and what is available is a last-resort option at best
- There are time deadlines that will not move
Visiting The Secret Hacker Web Site
The ransom note said we needed to get a key to decrypt the files, and it was filled with various "threats" about the cost going up the longer we waited. Three web sites were listed that we could contact, and each URL carried the same "personal" ID. This ID was very important: it is what distinguished our client's computer (and its decryption key) from all the other infected ones. Visiting the web site brought up a page that showed how much was required to pay, a timer counting down the minutes until the price went up, a place to put the Bitcoin transaction ID and, interestingly enough, a tab for Support. Support for what, you might ask? More on that shortly. You could also upload one of the encrypted files to verify that the decryption would work. We did just that, sending a PDF file of no significance (anything you upload goes straight to the attackers, so pick something that contains nothing sensitive), and the file came back decrypted. There were only 5 days remaining before the price went up to $1000. We discussed our findings with the client and, given the fact that the backups were months old, it made sense to pay the ransom.
Setting Up The Bitcoin
The ransom note was kind enough to include "recommended" Bitcoin providers. None of them were in the USA, so we were very reluctant to recommend any of those sites. We directed the client towards Coinbase, which appeared to be a reputable US company. Now here's where it gets interesting. Coinbase requires a bank account from which to transfer funds. Our client had an old account that wasn't in use and started the process of linking the accounts.
Remember that Bitcoin is traded like a stock: the actual price rises and falls throughout the day. There are also fees on top of the ransom amount, an exchange fee when you buy the Bitcoin and a network fee when you send it, so you have to fund the account with more than what the hacker required. If you don't have enough money transferred, another transfer from the bank account would be needed and would cause delays. The process started that Friday and would take up to 3 business days to complete.
The Clock Is Ticking
Unfortunately, the client didn't realize it was 3 business days and thought the Bitcoin account would be ready sometime Monday. The following Tuesday was the cutoff before the ransom rose to $1000. So we had a dilemma. The earliest the funds would be available was Wednesday, the day after the Tuesday cutoff. The client had already transferred the funds needed for the $500 ransom, and any delay would raise the price, not to mention delay the decryption. What would you do in this situation?
Extortion Customer Service
Is there such a thing? We were facing a challenge that we couldn't control. The TeslaCrypt authors wanted us to pay the ransom, but they had no idea we were trying to pay. Their financial success depends on people paying, and who would pay if the malware creators weren't "understanding"? Remember, they had a Support page, so why not leave a message explaining our real issue? That's exactly what we did. We explained that the bank account setup was taking longer than the deadline and that we didn't know what else to do. They were quick to respond and said they would keep the price the same ($500) and to ignore the deadline. This was great news, although nothing but their word guaranteed they would honor it.
The Delays Continue
Keeping the ransom price the same saved our client $500 just through simple communication. However, it didn't move the critical deadline the client faced. Time was still short. Tuesday came and went with no Bitcoin. Same with Wednesday and Thursday. The fact was that the "simple" transfer wasn't really that simple between the bank and Coinbase. The first transfer will always take longer than expected because of the nature of banking transactions and the verification a new account goes through. It was probably due to how new the Bitcoin process was at the time, but it is something to keep in mind if you have to go through it.
Payment Web Sites Are Disappearing
The three payment web sites mentioned in the ransom note were slowly being taken offline as the companies hosting them discovered their web servers had been hacked to serve the payment pages. This concerned us, since we needed the Personal Home Page. We noticed a backup option at the bottom of the ransom note to use the Tor Browser. Back to TeslaCrypt Customer Support. They confirmed the backup plan. Tor Browser is a web browser (a modified Firefox) that routes its traffic through the Tor anonymity network, which is what lets it reach the hidden-service (.onion) address in the note that Chrome, Firefox and Internet Explorer cannot. You can read more about the Tor Project here. We installed it and verified that everything worked.
Success
Friday morning arrived and the Bitcoin wallet was now funded. The Personal Home Page created by the bad guys listed the Bitcoin address the coins needed to be sent to. We double-checked it (a single wrong character means the money goes somewhere else and cannot be recalled) and the client sent off the transaction. We entered the transaction ID on the Personal Home Page so the TeslaCrypt team could track it as well. Interestingly enough, Bitcoin transactions are public: they are recorded on the blockchain, so anyone with the transaction ID can watch the payment and confirm it reached the destination address. In this case, the destination wasn't a geographical place or a particular computer but a wallet address controlled by the attackers. We went to the Support page and let the hackers know that the transaction was complete. The Bitcoins arrived at their destination. Everyone was excited because there were three days to spare before the client's unmovable deadline arrived. Soon this nightmare would be over. Or would it?
Can It Get Worse?
More grey hairs to come in Part 3. Check back or sign up for our blog updates. Or if you can’t wait, reach us here.