Ottawa-area consultant pays ransomware with bitcoin – and actually gets his files back

This is a guest contribution by Bill Dunnion, director of the Cyber Resilience Office at Calian Group.

Sometimes, your work gets personal. I found myself in that situation recently when I received an urgent message from a friend whose small business had come under a ransomware attack. As the director of Calian’s Cyber Resilience Office, I had the opportunity to offer some friendly advice.

This friend – let’s call him Dave to allow for his privacy – runs a consulting business in the Ottawa area. He logged on to his machine one morning in November and realized he couldn’t open any of his files. Naturally, he tried rebooting his system. That prompted a text box informing him his files had been encrypted. His entire Windows-based network of four computers and two laptops now contained unreadable .fat32 files. Even his external drives, which were connected for regular backups, were encrypted.

The text box on his screen asked for 0.1 bitcoins (at the time about $700 USD) to decrypt everything. It provided an encrypted email address for communications, and offered him a test – email the attackers any two encrypted files – so they could demonstrate their capability to decrypt them. The pop-up warned Dave that trying to use a false encryption key could cause the permanent loss of all data. And, he didn’t have a lot of time to ponder his next course of action. “You must pay within 72 hours,” the message said, “or the price will be more.”

Not having many options, he rightly reached out to myself for advice and some local IT firms for help. Knowing that it would likely cost $5,000 to $10,000 for services to try to decrypt the files, he opted to take a chance and pay the ransom. After testing the hackers with two files, which they returned decrypted, he enlisted some help to purchase 0.1 bitcoins and send them through an online exchange by the deadline. The payment worked. He received an executable file and instructions to run a decryption program that took about five hours to fix all the files on his system.

Dave was lucky. An industry rule of thumb says that one in five ransomware victims never get their data back. Sometimes the payment doesn’t result in decryption. Sometimes it triggers a request for even more money. These are criminals and the results are unpredictable.

While Dave’s experience was once an anomaly, today it’s buried in the statistics. The number of ransomware attacks are rising by the month and evolving in sophistication. Many of these attackers are criminal entrepreneurs, who on the dark web can purchase ransomware products and kits. The ransomware marketplace had more than 45,000 ransomware product listings at the end of 2017, with the product black market growing by 2,500 per cent from 2016, according to a recent report by Carbon Black.  The data show these attackers are successfully hitting businesses and extracting money. Total ransom payments amounted to about $1 billion USD in 2016, up from $24 million USD a year earlier.

The danger of these attacks is not just that they are more prevalent – they are becoming more sophisticated. Cyber security professionals like myself are preparing for more file-less attacks, which run script from memory as opposed to files. These stealth predators leave no tracks as they silently steal intellectual property, private information or corporate intelligence from right under your nose.

For Dave, the hard work was attempting to learn how the breach happened. He believes the malware spread from a client of his who had been the victim of the same ransomware. After decrypting his files and disconnecting his servers in the event the attackers returned, he ran tests that didn’t reveal any gaps. That said, Dave suggests there were three possible entry points for the malware, and none of them involved email because, as he’s told me, he’s very cautious about spam and attachments.

One possibility, he believes, is through the Windows remote desktop connection, which he had used with the affected client. Another possible avenue is Bomgar, a remote support system he had been running. A third possibility was that his ISP-supplied wireless router was breached. While those are his theories, he acknowledges he may never know the attackers’ specific path in.

All told, Dave spent close to $10,000 on new equipment, devices, software and expertise. Upgrades since the attack included a networking switch and dual radio access point for more secure wireless. He connected a cloud key remote control device for secure access to any of his network deployments. He also installed a mini PC as a firewall gateway and an extra layer of network security. And, he hasn’t forgotten about vulnerabilities through memory sticks. Dave has switched to Corsair’s more secure devices.

When I asked him to review the experience, Dave offered one word: “Brutal.” And he’s one person with six computers. Imagine running an organization the size of Equifax or Uber. Costs can run into the hundreds of millions – and that’s putting aside any longer-term setbacks like organizational performance or reputation harm. What I tell Dave is what I tell our clients: You’re not going to be measured by whether you’re the victim of an attack; you’re going to be measured by how well you’re protected.


Bill Dunnion is director of the Cyber Resilience Office at Calian Group, a diversified professional services company headquartered in Ottawa.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

IT World Canada in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Latest Blogs

Senior Contributor Spotlight