
Ransomware victims pay cybercriminals to save family photos

A couple in Winnipeg paid $800 to cybercriminals to get precious photos of their children back after they were attacked by malicious software called ransomware. They hope others can avoid the same fate by learning from their story.

Theresa and Billy Niedermayer felt they had no choice but to cave in to the demand

A photo of the Niedermayers' three boys, Ethan, 13, Memphis, 6, and Braxton, 4, was among the precious family photos held for ransom by cybercriminals. (Theresa Niedermayer)

Theresa and Billy Niedermayer paid an $800 ransom to get precious family photos of their three young boys back from cybercriminals.

Their home computer had been seized by one of the more malicious malware programs spreading fast around the world.

Billy Niedermayer says he felt 'violated' after cybercriminals locked his computer files and demanded a ransom to get them back. (CBC)

Ransomware takes computer files hostage

Cybercriminals target photos, videos, spreadsheets, documents, slide presentations — anything that someone will pay to recover. The initial infection takes seconds.

In some cases, the malicious software encrypts the files so their owners can no longer read them. The data isn't compromised or removed, just locked down and inaccessible.

Try to access them and a ransom demand appears. Typically, cybercriminals demand upward of $500 US, paid in the untraceable cybercurrency bitcoins.

Billy and Theresa Niedermayer run a home business programming and selling Android TV boxes, but their tech background didn't stop them from falling victim.

They had backed up their data on an external hard drive, but kept it plugged in to the computer, allowing it to become infected along with the rest of the computer.

'I felt violated'

Faced with the potential loss of their boys' childhood photos and their wedding and honeymoon photos, along with their business records, they paid the ransom and got the code to unlock their files.

"I felt violated," Billy Niedermayer said from his Winnipeg home. "It felt frustrating that they’re taking our hard-earned money and they’re pocketing it and funding who knows what."

Billy and Theresa Niedermayer snapped this photo on their honeymoon in Mexico in 2012. Faced with the thought of losing photos of their wedding, their honeymoon, and their boys' childhoods, they paid the $800 ransom to get them back. (Theresa Niedermayer)

It's not clear how the Niedermayers got infected, but typically that involves opening an attachment or downloading software or an app, one which may appear legitimate. One ransomware source making the rounds appears as an email from Canada Post. It directs recipients to open an attachment to see the delivery information. But open it and the malware takes over. Virus protection programs, if outdated, even by just a couple of days, are no match.

Once a ransom is paid, a code is provided to begin the laborious decryption process — one that can take several days or weeks.

Infections with ransomware appear to be soaring. Last month, internet security firm McAfee Labs, now a subsidiary of Intel Security, announced that it had detected a 155 per cent increase in the final three months of 2014. Michelle Dennedy, chief privacy officer for Intel Security, estimates that cybercriminals are now taking in $10 million to $50 million a month using ransomware.

Just last month, the FBI issued a warning of a fairly new ransomware variant making the rounds called CryptoWall 2.0, which encrypts files on a computer’s hard drive and any external or shared drives to which the computer has access. Canadian authorities have echoed the warning.

Firms are sent this encryption notice after hackers use CryptoWall ransomware to take files hostage and demand a ransom payment. (phishme.com)

Those who peddle the criminal malware are clearly oriented to business, skilfully using the tools of e-commerce.

"Even though we got had," Billy Niedermayer admitted, "they’re brilliant."

Targets include Android phones

In 2013, poorly protected personal computers were the primary victims, but criminals have expanded their targets to include business records, governments and Android phones. In the U.S. alone, Android phones are estimated to have been affected four million times. Apple computers and phones haven’t been hit much yet, but that’s not to say they won’t be. And when they are targeted, expect the ransoms to be even higher, several tech security experts told CBC News.

The City of Detroit got hit and refused to pay the $800,000 ransom to get its database decrypted.

Chester Wisniewski, senior security adviser at the internet security firm Sophos Canada, says if your files are backed up on an external hard drive, there's no need to pay the ransom. Just take your computer to a computer shop to remove the malware and restore the backup. (CBC)

In British Columbia, three unidentified law firms were hit — two of them refused to pay the ransom, but one did.

"The software provided a notice with links that they need to pay a ransom within 12 hours," explained Ryan-Sang Lee, the communications officer for the Law Society of British Columbia, "and if that wasn’t paid within 12 hours, that ransom would effectively double."

The two firms that refused to pay had all their data backed up on detached, external drives. But then began a lengthy and annoying process of wiping their entire system, rebuilding it and returning the data from the backup.

Chester Wisniewski, senior security adviser at the internet security firm Sophos Canada, has become an internationally recognized expert at combating ransomware.

He sympathizes with those who get infected with ransomware and feel forced to pay.

"Clearly if someone's holding the photos of your toddler's first steps hostage for $500, that's a judgment call you need to make as to whether it's worth spending that $500 to get that content back."

Lesson learned

Wisniewski said if you get infected with ransomware and have backups of all your files, there's no need to pay the ransom.

"We recommend simply going to the computer shop and having the malware removed from your computer. And then you can just copy your files from your backup."

Theresa Niedermayer learned that lesson the hard way.

"We tell everyone you need to back up your computer on an external hard drive and unplug it — disconnect it from your computer," she said.

She and her husband are quite aware that their failure to do that forced them to make a payment — one that will only prompt the profitable cycle of cybercrime to continue.

With files from Emily Chung