The Case Of The Doctor’s Ransom

Dr Keith was a pillar of the community: three days a week at the local medical centre, formerly an alderman before everything got amalgamated in the 1980s. He seemed a little sheepish on the phone, and when I popped round to his rather nice house in Dover, I quickly saw why. His computer screen was showing one of those ransomware messages, all flashing text and spelling errors. He was sure it must have been a website he was looking at, but it all happened so fast that he wasn’t sure. A popup message, a foolish click, and everything went away.

(Image: Cryptolocker ransomware)

Ransomware is in the news at the moment, with the latest example, WannaCry, causing panic from Patagonia to Portsmouth. It relies on encryption, the same technology that makes your internet banking secure and allowed the Germans to think their radio messages were secret in World War II. The Germans were defeated by Alan Turing and Colossus, but the mathematics has gotten a lot tougher to crack since then. Nowadays, if you encrypt a file and lose the key, you’d better hope you have backups.

Dr Keith’s scary message made the usual claims. Your files, it assured him, have all been encrypted. You can’t get at them unless you have the encryption key. You can’t get that unless you pay the S00par Wizzardz K0llektiv umpteen hundred dollars in Bitcoins. Dr Keith didn’t even know what a Bitcoin was, so he called me in.

This was a while ago, so it was the first case of ransomware I’d seen with my own eyes. Immediately, something made me suspicious. Understand that these things are never very well written. For a start, the text in them is most often composed by someone with a limited grasp of English — WannaCry is probably Chinese, for example, based on some clever linguistic analysis. Writing any kind of computer program is usually a group effort, but these nasties tend to be assembled by smaller groups of people, maybe even just a single “script kiddie” working alone. As a result, they look pretty flaky, even the successful ones. But this one… even by the very low standards of malware, this looked like it was stuck together with chewing gum and string.

A little detective work revealed that the popup message appeared in the Task Manager, a system program that can be used to monitor how a computer is running. That was unsurprising: it could hardly be popping up otherwise! But something else was not appearing in the same system program: the Desktop, the part of Windows that displays your icons and buttons and lets you launch other programs. That suggested an intriguing possibility: maybe the popup message was blocking Desktop from starting somehow. But if so, why?

Task Manager gives you all sorts of capabilities. One of them is the ability to stop a program starting up automatically. There are a lot of automatic programs in a typical computer: they handle everything from the mouse cursor to the printer, and without them your computer would be little more than a large electric paperweight. But the auto-starting program called C:\Users\Keith\Local Settings\jdlkalkschheijscnkjw.exe seemed a little outside the norm. I killed it — another of Task Manager’s helpful tricks — and the popup message disappeared. Progress!
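The same check done from a script rather than by eye, as an added example that is not part of the original post: it lists the common auto-start registry entries (assumed here to be the kind of place such a program registers itself; the post does not say which mechanism was used) and flags any command whose executable sits under a user profile folder with a random-looking name, as the one above did, or a Winlogon Shell value that is anything other than explorer.exe.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# prompt on the machine being inspected. Lists auto-start entries and flags
# the ones that look out of place.

$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # The Winlogon 'Shell' value normally reads explorer.exe (the Desktop);
    # a different value here runs something else in its place at logon.
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-SuspiciousPath {
    param([string]$Command)
    if (-not $Command) { return $false }
    # Pull the first .exe path out of the command line, quoted or not.
    if ($Command -match '(?i)"?([^"]+?\.exe)') { $path = $Matches[1] } else { return $false }
    $name = [System.IO.Path]::GetFileNameWithoutExtension($path)
    # Heuristic (an assumption of this example): lives in a user-writable
    # profile folder AND is a long lowercase name with very few vowels.
    $inProfile  = $path -match '(?i)\\Users\\[^\\]+\\'
    $vowelRatio = if ($name.Length) { ([regex]::Matches($name, '[aeiou]')).Count / $name.Length } else { 1 }
    $randomName = ($name -cmatch '^[a-z]{12,}$') -and ($vowelRatio -lt 0.25)
    return ($inProfile -and $randomName)
}

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        if ($key -like '*Winlogon') {
            if ($p.Name -ne 'Shell') { continue }   # only the Shell value matters here
            $flag = ($p.Value -ne 'explorer.exe') -or (Test-SuspiciousPath $p.Value)
        } else {
            $flag = Test-SuspiciousPath $p.Value
        }
        [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value; Suspicious = $flag }
    }
}

# The path from the story, run through the heuristic on its own (no registry needed):
Test-SuspiciousPath 'C:\Users\Keith\Local Settings\jdlkalkschheijscnkjw.exe'
```

The heuristic is deliberately narrow, so treat a flag as a prompt to look closer rather than proof; the Startup folders under each profile are worth the same once-over by hand.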

Veeeeery carefully, I now started up Desktop and took a look at the damage. The mysterious jdlkalkschheijscnkjw.exe was sitting there, inert now, so I deleted it, and did a quick search for any lurking copies. There were none. I also checked his browser history, half expecting something rude, but it turned out to be almost boring: a website selling hats that just happened to play host to a dodgy advertisement. The site was now down with just a “please wait” message, meaning the owners must have found the problem, so that was good. I checked his downloads folder and removed the supposed advertisement that had borne the fatal payload. That was easy to kill. But as for encrypted files, there were none, anywhere on his computer. Everything was safe and sound. The ransomware had lied!

I know. Shocking, right? Criminals telling untruths! What is the world coming to?

The chain of events seemed to be this: Dr Keith had felt a need for a new hat, so followed a chain of googles and recommendations to an online shop that was playing host to a dodgy advertisement. The advertisement was clever enough to get through the good Doctor’s defences, both mental and technical. It downloaded a file to his computer. That file created the jdlkalkschheijscnkjw.exe program, and installed it in such a way that it ran before Desktop. It then rebooted his computer. When the computer started again, jdlkalkschheijscnkjw.exe started up, prevented Desktop from running, and popped up the scary message. What it did not do, as far as I could tell, was encrypt any files or do any other damage.

It’s like: what if the mafia tells you they’ve burnt your house down, but all they did was put red paint over your glasses? It’s the ultimate in criminal laziness. I’m almost impressed.

Dr Keith’s files, meanwhile, were safe. I made sure he had a responsible backup procedure in place, and that his anti-virus and Windows Updates were all working. He promised he wouldn’t go shopping online any more, and wondered if I knew where he could pick up a nice hat. I told him I couldn’t help there. I’m not the IT mad hatter. I’m just an IT blacksmith.

By Paul Sleigh | Tales From The Forge