respond to ransom Email Virus

Oscar
How to respond to a ransom email effectively?
A client received a ransom email (the client has a shared email address that a few employees log in to via webmail to respond to customer inquiries). The email shows their email password, claims they visited a porn site, and says the hacker installed a key logger on their computer and stole their password; now the hacker demands money in the form of bitcoin or otherwise...
They do have a SonicWALL firewall. After changing the email password, I need a suggestion on whether they have to clean every device in the office (10 computers and a server) and install good antivirus on the workstations.
 
Regards.
Oscar
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
You can scan with a top-notch antivirus application (Windows Defender for Windows 10), followed by a scan using Malwarebytes.

There is never any guarantee that the above will work, but if you appear to have removed the malware, try it for a couple of days.

Do not pay ransom demands as that is criminal and blackmail.
Andrew Ceohan, Sys & Net Admin

Commented:
There's a good chunk of these types of emails lately.

https://blog.barkly.com/new-sextortion-scam-real-passwords-fake-threat

If it was me, I'd still be suspicious and want to dig deeper. It almost sounds like they don't have AV, per your post. The first thing I would do is look at a good AV vendor; I prefer ESET and recently found out it's used at Google. The second thing I would do is make sure the SonicWALL is up to date, firmware-wise and security-subscription-wise. If you're not using CATP, buy it; if you're not using DPI SSL, look into it. Once you've verified the environment is indeed good and clean, then change passwords on PCs, emails, etc. It does not hurt to do this anyway; you should have a password policy in place. After that, I would look into getting a shared email account set up, as everyone should have their own and only access a shared account for that purpose.
David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
How to respond to a ransom email effectively?

You don't respond. Ever.

If the password reported is in use, change the password.

And, to be safest, generate a 16-32 byte unique string for every account's password, so the same password is never used twice.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
This is a common scam. Some website was hacked where they used that user name and password, and now the hacker is using that information as "proof" he's hacked your computer, when he has no idea who you are, where you are, or what you've done, hoping you'll fall for it.

Look, there is a non-zero chance they really have done this... but in my OPINION, 99.99% this is part of a scam as I describe above.

What should be done is:

1. Stop sharing the account
2. Use different passwords for every site visited (because now that hacker, if they want, can potentially get into any site where you used that password)
3. Put in appropriate security measures to prevent future issues.  (Antivirus, firewalls, web filters, training, IPS/IDS systems, etc).
Yes, scam. I had a client that opened a communication line with them, and they got more info (not sure how, but it may be a trick). I say ignore it.
J Spoor, TME / Network Security Evangelist

Commented:
This so-called ransom mail is a result of sites like LinkedIn being breached.

They are totally bogus. And can be safely ignored.

There are third party sites to see if certain accounts / email addresses have been breached, e.g. https://haveibeenpwned.com/

Run the email address through there and make sure to change the password on any breached site, and possibly any other location that uses the same password.
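The account lookup J Spoor describes is done on the haveibeenpwned.com website, but the leaked password itself can also be checked against the same service's Pwned Passwords data without ever sending it anywhere: only the first five hex characters of its SHA-1 hash leave the machine (k-anonymity). The code below is an added example, not from this thread; it assumes the range endpoint https://api.pwnedpasswords.com/range/<prefix> answering with `SUFFIX:COUNT` lines, and the sample response it runs against offline is constructed.

```python
import hashlib
import urllib.request

# Assumed k-anonymity endpoint of the Pwned Passwords API (not from the thread).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase SHA-1 hex of a password into the 5-char prefix sent
    to the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_text: str) -> int:
    """Return the breach count for `suffix` in a 'SUFFIX:COUNT' range response,
    or 0 when the suffix is absent (i.e. the password was not in the dumps)."""
    for line in range_text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def password_breach_count(password: str, fetch=None) -> int:
    """Look the password up by hash prefix only. `fetch(prefix)` returns the
    range text; when omitted, a live HTTPS request is made."""
    prefix, suffix = sha1_prefix_suffix(password)
    if fetch is None:
        def fetch(p):
            req = urllib.request.Request(PWNED_RANGE_URL + p,
                                         headers={"User-Agent": "breach-check-example"})
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return count_in_range(suffix, fetch(prefix))


# Constructed offline sample: pretend the API answered the prefix of
# "password123" with these three suffixes (counts are made up).
_PREFIX, _SUFFIX = sha1_prefix_suffix("password123")
SAMPLE_RANGE = "\n".join([
    "00000000000000000000000000000000001:3",
    f"{_SUFFIX}:123456",
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
])


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call so the example runs without internet."""
    return SAMPLE_RANGE if prefix == _PREFIX else ""


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        n = password_breach_count(pw, fetch=offline_fetch)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample data")
```

Any password that comes back with a non-zero count is one the scammers' lists already contain and must be replaced everywhere it was reused.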
J Spoor, TME / Network Security Evangelist

Commented:
PS: it happened to me with a very old password on LinkedIn.

PPS: it's wisest to never use the same password on business apps as on social media sites. Instruct your users well.

Commented:
Please note, a clear, sensible mind would've told you already that this email is total bollocks.

If you actually read the email, you'd know it DOESN'T make any sense. Use your head. Really.
While there's a pressure mechanism at work, a clear head always prevails. Some people are quite willing to pay the ransom even though:

The email claims the webcam has been hacked, and footage has been recorded. Most people WHO DO NOT HAVE A WEBCAM on their PC, STILL FREAK OUT!!!
The email claims you have to pay, and then your data is deleted. THERE'S NO WAY THAT IF YOU PAY, the other side even knows it's you who paid. There's no way for you to let "the ransom holder" know that you paid from this bitcoin address etc etc, and he should delete this specific personal data. This is a one way communication!!! (They use your own email address as reply address as "proof")

Despite these holes (there are many many more), people are just willing to pay up, it's really just unbelievable. It doesn't matter how many other untruths there are, people keep falling for it.
Distinguished Expert 2018
Commented:
Ignore the email. Change the password to something both unique and complex. Consider putting into place something like LastPass. Sounds like there might be some other systems where that same password was getting used. Change the password on those systems also. Make sure those passwords are also complex and unique.
Top Expert 2016

Commented:
When sites get breached, their username/email and password lists are dumped and made available on the darkweb or via pastebin, and then everyone is sent the email. Given the cost of email these days (almost nothing), anyone that pays is pure profit for next to no effort. Report the bitcoin address to the authorities, i.e. the FBI. They may take action or just tell you to delete the email and continue on with your life.
Oscar, IT support

Author

Commented:
Thank you all. I ignored the email.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
You're welcome!

Ignoring ransomware email == Good choice!
