Note: To avoid the encryption virus, please don’t open attachments on emails that are generic or suspicious in anyway. Please back up all your files every week or so and then detach the backup drive. If you do get the virus, please turn off all your computers immediately and call us at Ducktoes. 403-219-3031.
Encryption Virus Strikes Again
Ducktoes has again helped a client (web design and SEO client, not IT client) recover their files encrypted by an encryption virus. And again the client paid the ransom. They thought they could not successfully operate their business without de-crypting the files, since it would have been exorbitantly expensive or impossible to manually remake them all. They couldn’t even remember what all the files were, much less recall the content.
Try Not to Pay
If not absolutely necessary, I don’t recommend paying the ransom for decryption. If no one ever paid the ransom, the cyber-criminals would stop creating and spreading the viruses. But in this case, I totally understand.
How They Got the Virus
The clients got the virus through email. An employee opened an email attachment that purported to be an “invoice” but really contained one of the encryption viruses in the attachment. Once opened, the encryption quickly virus spread to the client’s network and encrypted a hard drive containing all the scheduling and accounting information.
The Clients Call Ducktoes for Help
Not understanding what was going wrong with their computers, the clients called Ducktoes. They thought they were just missing a program and because of that the the files wouldn’t open. Human dynamo and very personable manager Colin Forrest immediately went into action. He went into one of their computers remotely to check the situation out and saw the encrypted files. He recognized the encryption virus since we’ve dealt with it many times before. The virus had changed all the Word and Excel files to the mp3 file format making them impossible to open. Colin told the clients to turn off their computers immediately. His immediate remote call and quick thinking saved them many files.
At the time I was picking up parts at our wholesale parts supplier. When Colin called me to tell me what was going on, I immediately drove to the clients’ office.
Emergency Onsite Call
Upon arrival, I turned off the router so the virus would not spread further and assessed the damage. Two computers and the external hard drive were infected. Two others had started to be infected but the files had not been encrypted yet. I brought the computers to the shop and put them in quarantine and we were able to remove the infection. Don’t remove the infection before you get the contact info of the cybercriminals so you can pay the ransom if you need to. Whenever we remove viruses from an encrypted computer, we have to make sure the infected computers are in quarantine on their own separate network, because the virus spreads quickly.
Paying the Ransom
To ransom the files I had to take cash to a bitcoin exchange office office called BitNATIONAL, located in a Waves Coffee House on 17th Ave SW and 9A St. SW. I was a little nervous because it seemed I was dealing with the underworld. I was. Our long time onsite tech extraordinaire Raz Rydstrom, and one of the smartest people anywhere, met me there since he is familiar with the process. The ransom was $500 US plus the bitcoin office fee. It totaled $770 Canadian. With labour costs, the clients had to pay around $1500 for decryption and virus removal. It is a hefty price for opening an infected file.
BitNational Helps Us
BitNATIONAL has a specialized ATM called a BTM which put the digital currency on my smartphone. Two great and friendly guys Matthew Haddon owner and Jason Butler partner and employee were working that day. The other owner is Drew Glover. I found them very helpful and immediately felt less nervous.
About BitNational
There are many BTMs throughout Calgary and other Canadian cities. Find one near you.
BitNational bought out another bitcoin exchange service called Bit Brains. Matt and Jason believe that bitcoin is a great investment and only starting to take off and will go up in value.
BitNational only does the currency exchange to and from bitcoin. They are a legitimate business and not involved in any way with the cyber-criminals. They are entrepreneurs in a pioneer sector.
A Nervous Moment
Back at the shop, we paid the ransom and then discovered that the websites to communicate with and pay the encryption virus creators had disappeared. This caused a panic moment for me. I had already paid the money and worried I might not be able to retrieve the decryption code since the cybercriminal’s websites had vanished. Yet one of my techs, Garett Belkie, was able to install a Tor browser and retrieve the code that way. Then he decrypted all the encrypted files on the computers and hard drive. Our hero. (Another awesome senior tech, our data recovery and virus removal specialist. He can get data off a stone and remove viruses in a twinkle of an eye.)
Here’s another blog post about how I personally saved a law office from a encryption virus in 2014 before most computer IT support companies even knew what encryption viruses were. It is a very exciting story. Lol. I was my own hero. |
Returning the Computers
Once the files were decrypted, we removed the encryption virus and returned the computers and reinstalled everything to the network. Tech Rey Berse and I did this together. He’s a brilliant soft spoken senior laptop tech (he specializes in hardware and circuitry, soldering and electronic circuits etc. and software, a total computer genius) and an incredible onsite tech with our onsite IT support too).
Sometimes We Don’t Need the Ransom
Using guidance learned from Bleeping Computer, we have actually decrypted certain strains of the encryption virus ourselves without paying the ransom.
The Ducktoes Team is More than One Tech
You get more than the skills and knowledge of your one IT support tech at Ducktoes. You may only see one tech, but you are getting much more. You are a getting an entire group of techs at your back that are constantly learning and upgrading our computer repair and virus removal skills. We work together as a team to solve and prevent computer problems, so when you hire us, you are getting an entire team of problem solvers and computer experts all educated at SAIT. We are constantly researching computer issues and learning new skills, the encryption virus prevention and removal being one of them. The pool of our combined knowledge and skill makes us a formidable force against viruses and computer problems. Among us we know hardware including difficult laptop hardware including soldering motherboards and capacitors, fixing laptop screens, jacks and video and wifi hardware, server issues, networking, virus removal, crisis prevention, backup, data recovery, and anything you throw at us.
Smiles and Laughter
It was really rewarding and fun to return the computers and data all fixed and working well so our clients could return to business as usual. Now that they are IT clients we have them backed up to the cloud with Dropbox so this will never happen again. There was a lot of smiles and laughter while we worked and finished up with them.
Encryption Virus Experts
Ducktoes Computer Services has become an expert on the encryption virus. We’re experts on removing it, de-crypting it, and preventing it. If you need help with the encryption viruses, or any virus, we’re the best choice in Calgary since we’ve specialized in virus removal and prevention for years.
If You Need Us
If you need Onsite IT support or virus removal or any computer repair or support at all, call our team at Ducktoes. We’ll bring smiles and laughter back to your office or home.
2 Responses
Hello Ducktoes,
We have a laptop repair company in Greece and ramsonware is the worst kind on virus. We would like to add that paying isn’t really a solution. There many situations that many customers rushed to pay the ramson but they didn’t get all their files back. Sometime the even get less than 70% of their files. This happened due to the kind of encryption, that damaged completely some of the files.
It’s good to have this kind of post from professionals like you. Have a great weekend guys!
I agree. We’ve always gotten the files back but there may be a time when we don’t. Hope you have a good weekend too! Hope your computer company is doing well.