Don't Get Outplayed by a Fake Ransom Attack

Tuesday, August 16, 2016

CIO.com
How to detect a fake ransomware letter
By: Ryan Francis, CSO

Pay up?

In the 2016 Executive Application & Network Security Survey, among those who have not experienced a ransom situation, the majority say they would not pay a ransom. But among the few who have experienced a ransom attack, more than half in the U.S. did not pay. One respondent indicated that paying did not guarantee that the attacker would do their part.

So how do you know whether a perpetrator actually has control of your network and is holding it hostage? Radware explains some tell-tale signs to watch for.

Assess the request

The Armada Collective normally requests 20 Bitcoin (approximately $6,000 at the peak of the attacks), while other campaigns have asked for amounts both above and below this figure. Fake hackers request different amounts of money. Low Bitcoin ransom letters are most likely from fake groups hoping their price is low enough that someone will pay rather than seek help from professionals.

Check your network

Real hackers prove their competence by running a small attack while delivering a ransom note. If you can see a change in your network activity, the letter and the threat are probably genuine.

Look for structure

Real hackers are well organized. Fake hackers, on the other hand, don’t link to a website. Nor do they have official social media accounts.

Consider other targets

Real hackers tend to attack many companies in a single sector. Fake hackers are less organized, targeting anyone and everyone in hopes of making a quick profit. Contact peers or information sharing organizations in your industry to see if there is a more widespread campaign underway.

Determine domain age

Determining the age of a domain name can assist in judging the validity of a threat. Receiving a ransom note from a relatively new domain name can be a telling sign that fake hackers may be at play.

Method of delivery

How was the ransom note delivered? Most serious threats come via anonymous or darknet email services, but some groups, like ezBTC Squad, have been known to use social media to deliver their message. Real extortionists have not been known to use Gmail or other mainstream services.

Determine where the email came from

Look up the source of the email by checking its headers. This will help determine if the email came from a reputable source or not. Furthermore, you can contact the service provider and notify them about the suspicious activity.

Determine the language

Fake ransom letters are often horrible imitations of the real notes and include several spelling and grammatical errors.

Check the BTC address

Google the BTC address and look it up on the blockchain. If the address is not unique, or already has money in the wallet, the letter is likely a fake: extortionists will not be able to tell whether you paid the ransom if the address is shared or has money actively flowing through it.
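The checks above that need no network access (the sender's domain from "Method of delivery", the originating hop from "Determine where the email came from", the demanded amount from "Assess the request", the presence of a website link from "Look for structure", and pulling out the Bitcoin address from "Check the BTC address") can be run as a single triage script over the raw message. The following is an added example, not code from the article or from Radware: it parses a constructed sample e-mail with Python's standard library, walks the Received chain to find the earliest external IP, and reports findings and next steps. The ransom threshold, the list of webmail providers, the sample hosts, IPs and the Bitcoin "address" are all assumptions or placeholders; the WHOIS domain-age and blockchain look-ups are reported as manual follow-ups rather than performed.

```python
"""Offline triage of a suspected ransom e-mail (added example).

Applies the heuristics from the article that can be checked without
network access. Domain age (WHOIS) and blockchain balance are reported
as next steps for a manual look-up.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Assumed threshold and provider list (not from the article). The article
# notes that Armada Collective asked for 20 BTC and that unusually low
# demands are a sign of a fake.
LOW_RANSOM_BTC = 5.0
MAINSTREAM_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Hops inside these ranges are our own infrastructure, not the sender.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:BTC|bitcoins?)\b", re.IGNORECASE)
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy base58 form
URL_RE = re.compile(r"https?://\S+")

# Constructed sample message: hosts, IPs (RFC 5737 documentation ranges),
# the mailbox and the Bitcoin "address" are invented placeholders.
SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.victim.example (Postfix) with ESMTP id ABC123
\tfor <security@victim.example>; Mon, 15 Aug 2016 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.example.net (Postfix) with ESMTPA id DEF456;
\tMon, 15 Aug 2016 09:59:58 +0000
From: "Armada Collective" <armada.collective.2016@gmail.com>
To: security@victim.example
Subject: DDoS Attack Warning
Date: Mon, 15 Aug 2016 09:59:58 +0000
Content-Type: text/plain; charset="utf-8"

We are Armada Collective. Your network will be attacked unless you pay
0.5 Bitcoin to 1ExampLeRansomAddressxxxxxxxxxx within 24 hours.
"""


def parse_message(raw):
    """Parse raw RFC 5322 text into an EmailMessage (modern policy)."""
    return message_from_string(raw, policy=policy.default)


def body_text(msg):
    """Return the plain-text body, or an empty string if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def originating_ip(msg):
    """Earliest non-internal IP in the Received chain.

    Received headers are prepended by each hop, so the last one describes
    the first hop; scan from the bottom and skip our own address space.
    """
    hops = [str(h) for h in msg.get_all("Received", [])]
    for hop in reversed(hops):
        for cand in IP_RE.findall(hop):
            try:
                ip = ip_address(cand)
            except ValueError:
                continue
            if not any(ip in net for net in INTERNAL_NETS):
                return str(ip)
    return None


def sender_domain(msg):
    """Domain of the From: address, lower-cased, or None."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower() if "@" in addr else None


def extract_ransom(body):
    """(amount in BTC or None, first Bitcoin-looking address or None)."""
    amount = AMOUNT_RE.search(body)
    address = BTC_ADDR_RE.search(body)
    return (float(amount.group(1)) if amount else None,
            address.group(0) if address else None)


def triage(raw):
    """Run the offline heuristics and list the manual look-ups still needed."""
    msg = parse_message(raw)
    body = body_text(msg)
    domain = sender_domain(msg)
    amount, address = extract_ransom(body)
    findings = []
    if domain in MAINSTREAM_WEBMAIL:
        findings.append("mainstream-webmail-sender")
    if amount is not None and amount < LOW_RANSOM_BTC:
        findings.append("low-ransom-amount")
    if not URL_RE.search(body):
        findings.append("no-website-link")
    next_steps = [f"WHOIS creation date of {domain}" if domain else "identify sender domain",
                  f"blockchain history of {address}" if address else "locate BTC address",
                  f"abuse report to provider of {originating_ip(msg)}"]
    return {"originating_ip": originating_ip(msg), "sender_domain": domain,
            "btc_amount": amount, "btc_address": address,
            "findings": findings, "next_steps": next_steps}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Each finding is one of the article's indicators, not a verdict; a note with all three findings set still warrants the network-activity check and a call to industry peers before it is dismissed.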
