Beware Ransomware

Over the past week, I’ve been receiving emails from yahoo.jp email addresses offering me the choice between paying money into a Bitcoin address, or having my (alleged!) dirty secrets exposed to colleagues, friends and family.

One guy asked for $4000, another $5000. The highest figure quoted has been $6000, and one fellow asked for a Bitcoin, so who knows how much value he was expecting this hour, given that the coin could be worth just about anything next time you check.

I didn’t pay any of them, so apologies to any of you who might have been sent compromising material involving those lemmings.

But this does provide an opportunity for a quick PSA, seeing as these emails can appear convincing to some, and if you do engage, you’ll a) lose money and b) identify yourself as a sucker, ripe for further abuse.

The email is posted below, and is in fact a well-documented scam. Some things should clue you into this fact right away. First, if videos such as these existed, it would be easy to include a screenshot, which would demonstrate your credibility right away.

Second, if you’ve installed a keylogger on my system, you might – depending on how security-unaware your bank is – be able to simply pay yourself (whatever figure my account balances allow). The keylogger would have allowed you to harvest logins for banks, cellphone accounts, and whatever else you might need to pretend that you’re me.

The thing that can make these emails particularly convincing is that in many cases – including in mine – the email actually contains a legitimate password of mine. It’s not one that I use for any online logins, but one that I use for unlocking my laptop and desktop.

How did they get it? Easy: before I started using password managers (LastPass, Roboform, KeePass, etc.) that generate as secure a password as you choose, I needed to be able to remember my password. Like many of you, I used the same password in many places, back in the day when the Internet was young.

And, even though all the websites I currently visit now have secure passwords, that old password – still in use locally (well, it was until a week ago) – has been exposed in hacks of those old websites.

I’m aware of some of those hacks, thanks to having signed up for alerts via HaveIBeenPwned. Go there, register your email address(es), and you’ll then be informed of any occasions when your details might have been exposed.

Some password managers (like LastPass, which I use) also allow you to run a security check, which lets you know which passwords are insecure, whether you are using the same password across multiple sites, and so forth.
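As a rough sketch of what such a security check does (an added example, not LastPass's or any password manager's actual code), the script below flags passwords that are reused across sites or that appear in a breach corpus. The CSV column layout and the breach data are constructed for illustration; the lookup mimics the hash-prefix format of HaveIBeenPwned's Pwned Passwords range API, where only the first five characters of the SHA-1 hash are sent and the match is done locally.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; the url,username,password layout is an assumption.
SAMPLE_EXPORT = """url,username,password
https://oldforum.example,me@example.com,101lemmings
https://shop.example,me@example.com,101lemmings
https://bank.example,me@example.com,vT9#qLr2!xWz8mKp
"""

# Constructed stand-in for a breach corpus: password -> times seen.
BREACHED = {"101lemmings": 37, "password1": 1000}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def offline_range_lookup(prefix):
    """Mimic a range response: 'SUFFIX:COUNT' lines for hashes under this prefix."""
    digests = ((sha1_hex(pw), n) for pw, n in BREACHED.items())
    return "\n".join(f"{d[5:]}:{n}" for d, n in digests if d.startswith(prefix))

def breach_count(password, range_lookup):
    """Only the 5-character prefix is passed to the lookup; the suffix is matched locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0

def audit(export_text, range_lookup=offline_range_lookup):
    """Return one finding per password that is reused or known to be breached."""
    sites = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        sites[row["password"]].append(row["url"])
    findings = []
    for password, urls in sites.items():
        seen = breach_count(password, range_lookup)
        if len(urls) > 1 or seen:
            findings.append({"sites": sorted(urls),
                             "reused": len(urls) > 1,
                             "breach_count": seen})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

The findings deliberately omit the password itself, so the report can be kept or shared without exposing it.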

Emails containing your actual password can, of course, be alarming. But think before reacting, and certainly, if you have not yet secured your online accounts, do so today.

The email (insert [sic] liberally and as necessary):

I am well aware 101lemmings [not] is your pass. Lets get straight to the point. You do not know me and you’re most likely wondering why you’re getting this email? None has paid me to investigate about you.

Well, I placed a malware on the xxx vids (sex sites) web site and you know what, you visited this website to have fun (you know what I mean). When you were watching videos, your browser started functioning as a RDP having a key logger which provided me with access to your display and also cam. Right after that, my software obtained your complete contacts from your Messenger, Facebook, as well as e-mailaccount. And then I made a double-screen video. 1st part displays the video you were watching (you’ve got a nice taste lmao), and 2nd part displays the view of your cam, yea its you. 

You have not one but two possibilities. We will understand the solutions in particulars: 

Very first solution is to dismiss this message. In this case, I will send out your video recording to every single one of your personal contacts and also visualize about the disgrace you can get. Keep in mind if you are in a relationship, exactly how it would affect? 

Next alternative is to pay me $4000. I will regard it as a donation. In this scenario, I will promptly erase your videotape. You will keep on going everyday life like this never happened and you never will hear back again from me. 

You will make the payment through Bitcoin (if you don’t know this, search for “how to buy bitcoin” in Google). 

BTC Address: 17FywhvHqWL3P56rdgbZ9VzBYmsspD9Bu7 
[case-sensitive, copy and paste it] 

If you have been wondering about going to the cops, good, this email cannot be traced back to me. I have covered my steps. I am also not trying to charge a fee very much, I just like to be paid. 

You now have one day to make the payment. I’ve a unique pixel within this e-mail, and right now I know that you have read this message. If I do not get the BitCoins, I will definately send your video recording to all of your contacts including members of your family, colleagues, and many others. Nevertheless, if I do get paid, I will erase the video right away. If you need proof, reply Yea & I will certainly send your video to your 8 contacts. It is a nonnegotiable offer, that being said don’t waste my time and yours by responding to this e mail.


Also published on Medium.