How to detect a fake ransomware letter

As the number of ransomware demands increases, users should be aware of hollow threats.

[Image: fake ransomware letter 1. Credit: Flickr/Nick O’Neil]
Pay up?

In the 2016 Executive Application & Network Security Survey, among those who have not experienced a ransom situation, the majority say they would not pay a ransom. But among the few who have experienced a ransom attack, more than half in the U.S. did not pay. One respondent indicated that paying did not guarantee that the attacker would do their part.

So how do you know if a perpetrator actually has control of your network and is holding it hostage? Radware explains some tell-tale signs to watch out for.

[Image: fake ransomware letter 2. Credit: Flickr/Antana]
Assess the request

The Armada Collective normally requests 20 Bitcoin (approximately $6,000 at the peak of the attacks), while other campaigns have been asking for amounts above and below this figure. Fake hackers request different amounts of money. Low Bitcoin ransom letters are most likely from fake groups who are hoping their price is low enough that someone will pay rather than seek help from professionals.

[Image: fake ransomware letter 3. Credit: Thinkstock]
Check your network

Real hackers prove their competence by running a small attack while delivering a ransom note. If you can see a change in your network activity, the letter and the threat are probably genuine.

[Image: fake ransomware letter 4. Credit: Flickr/Clay Junell]
Look for structure

Real hackers are well organized. Fake hackers, on the other hand, don’t link to a website. Nor do they have official social media accounts.

[Image: fake ransomware letter 5. Credit: Flickr/Cyril Béle]
Consider other targets

Real hackers tend to attack many companies in a single sector. Fake hackers are less organized, targeting anyone and everyone in hopes of making a quick profit. Contact peers or information sharing organizations in your industry to see if there is a more widespread campaign underway.

[Image: fake ransomware letter 6. Credit: Flickr/Bill Abbott]
Determine domain age

Determining the age of a domain name can assist in judging the validity of a threat. Receiving a ransom note from a relatively new domain name can be a telling sign that fake hackers may be at play.

[Image: fake ransomware letter 7. Credit: Flickr/Emilien ETIENNE]
Method of delivery

How was the ransom note delivered? Most of the serious threats come via anonymous or darknet email services, but some groups like ezBTC Squad have been known to use social media to deliver their message. Real extortionists have not been known to use Gmail or other mainstream services.

[Image: fake ransomware letter 8. Credit: Flickr/Quinn Dombrowski]
Determine where the email came from

Look up the source of the email by checking its headers. This will help determine if the email came from a reputable source or not. Furthermore, you can contact the service provider and notify them about the suspicious activity.

[Image: fake ransomware letter 9. Credit: Flickr/Sammy0716]
Determine the language

Fake ransom letters are often horrible imitations of the real notes and include several spelling and grammatical errors.

[Image: fake ransomware letter 10. Credit: Flickr/Zach Copley]
Check the BTC address

Google the BTC address and look it up on the blockchain. If this address is not unique or already has money in the wallet, it’s likely that the letter is a fake. Extortionists will not be able to tell whether you paid the ransom if the address is not unique or has money actively flowing through it.
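Several of the checks above (ransom amount, delivery via a mainstream mail provider, email headers, and the Bitcoin address) can be scripted as a first-pass triage of an extortion email. The following is an added example, not code from the article or from Radware; the sample message, the relay IP, the Bitcoin address and the "known reused addresses" set are constructed stand-ins, and the quarter-of-typical-demand threshold for a "low" ransom is an assumption.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample extortion e-mail, not a real capture; sender, IP and address are invented.
SAMPLE_EMAIL = """\
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10]) by mx.example-corp.test
From: Armada Collective <armada.collective.team@gmail.com>
To: soc@example-corp.test
Subject: DDoS warning
Date: Tue, 05 Jul 2016 10:00:00 +0000

We are Armada Colective. Your network will be attaked unless you pay 1 BTC to
1FakeRansomAddrForDemoPurposeXYZab within 24 hours.
"""

MAINSTREAM_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Stand-in for a blockchain lookup: addresses seen in earlier letters or already holding funds.
KNOWN_REUSED_ADDRESSES = {"1FakeRansomAddrForDemoPurposeXYZab"}
TYPICAL_RANSOM_BTC = 20.0      # Armada Collective's usual demand, per the article
LOW_RANSOM_FRACTION = 0.25     # assumption: under a quarter of the typical demand counts as "low"

BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")   # legacy base58 addresses
AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:BTC|bitcoins?)\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")              # IPs inside Received headers

def triage_ransom_email(raw):
    """Return sender, relay IPs, payment details and the fake-letter indicators that fire."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    sender = parseaddr(str(msg["From"]))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    relay_ips = [ip for hdr in msg.get_all("Received", []) for ip in IPV4_RE.findall(str(hdr))]
    addresses = BTC_ADDR_RE.findall(body)
    amount_match = AMOUNT_RE.search(body)
    amount = float(amount_match.group(1)) if amount_match else None

    indicators = []
    if sender_domain in MAINSTREAM_WEBMAIL:
        indicators.append("sender uses a mainstream webmail provider")
    if amount is not None and amount < TYPICAL_RANSOM_BTC * LOW_RANSOM_FRACTION:
        indicators.append("ransom amount far below the typical demand")
    if not addresses:
        indicators.append("no Bitcoin address to pay to")
    if any(a in KNOWN_REUSED_ADDRESSES for a in addresses):
        indicators.append("Bitcoin address reused or already funded")
    return {"sender": sender, "relay_ips": relay_ips, "btc_addresses": addresses,
            "amount_btc": amount, "indicators": indicators}

if __name__ == "__main__":
    for key, value in triage_ransom_email(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The relay IPs and sender are returned for the analyst to follow up with the provider, as the article suggests; the indicators are hints for triage, not a verdict.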
