‘This morning, my whole business came to a screeching stop’

Rockport business owner’s computers held hostage for Bitcoin ransom

Beware the emails touting undelivered packages, unpaid invoices...
Wed, 06/22/2016 - 7:00pm

Story Location:
271 Commercial Street
Rockport, ME 04856
United States

    ROCKPORT — As she does nearly every morning, Jan Campbell, president and owner of Rockport Automotive on Route 1, finished the previous day's deposit and logged on to check emails.

    "I clicked that one email from FedEx and within a second, eight computers were frozen and locked down," said Campbell. "Before I could even call down to Justin [Holmes] the service manager, he was calling up to me to say everything was frozen. It all happened so fast."

    Campbell said the email she opened did not look suspicious and used the right language, and that she gets a lot of deliveries from FedEx, UPS and other carriers, so she didn't think twice about this one.

    But the email Campbell clicked and opened was not from FedEx; it was from a digital criminal, and she had just become a victim of Internet extortion, according to the Federal Bureau of Investigation's Internet Crime Complaint Center.

    And as she said, "My whole business came to a screeching stop."

    And what happened next was just as shocking.

    "On the screen, a notepad message popped up and it said 'Attention, we now have control of your computers. Everything is encrypted. We want .3985 in Bitcoin in exchange for the encryption key to unlock your computers.'"

    Campbell said she was directed to obtain the Bitcoin payment, which amounted to $260 in cash, and go to a specific website to make the transaction.

    Instead of negotiating or responding to the threatening message, Campbell called Fred Gildred of EES Consulting in Rockland, her "IT guy," who would later become her "guardian angel."

    Gildred told Campbell to immediately turn off all the shop's computers, and that he would be there in 10 minutes. And he was there in 10 minutes, she said, as promised.

    After learning that she had fallen victim to a scam that installs malicious software called "ransomware" as soon as the recipient opens a .zip or other attachment containing it, she and Gildred discussed the options.

    If she made the payment to the criminal on the receiving end of the message, she had a 50-50 chance that she would get an encryption key to access her files again. And even then, it was possible that what happened now could happen again.

    In addition to locking down her computers today, the malware could have planted another, albeit dormant, form of malware in her now-encrypted files, which could reinfect her system in the future without her opening anything, as she did this time. And then she would be right back where she was today.

    Campbell said that Gildred told her that kind of thing happened to law enforcement computers in Lincoln County, after they were originally infected and then paid the ransom to get their files back.

    Gildred also told her that a Rockland art gallery was hit with ransomware recently, but was able to avoid paying because it had adequate backups of its systems and files.

    "It took him 52 hours to bring them [the art gallery] back up, but he did it," said Campbell.

    Not wanting to give in and pay the ransom either, and because she too had backups, both to the cloud via Carbonite and to an external disk drive, Campbell and Gildred decided he would attempt to restore her system.

    "We have a disk backup that we do every day, but unfortunately I found that it had not been plugged into the back of my computer since Nov. 15, 2015," said Campbell. "So we weren't able to use that backup and we thought I was going to have to pay the ransom after all."

    But she said that the Carbonite backup went back two years, and that because some of her backed-up files were stored under 'Miscellaneous', the encryption missed them and those were accessible too.

    "That was the only saving grace for my shop software files," said Campbell. "Otherwise, I would have been at the mercy of paying the money to God knows who and take a 50-50 chance of getting my files back."

    As of 3:30 p.m. Wednesday, the restore from the cloud backup was still running on her computer, with 59 percent still to go. She said that when the restore is complete, they will have lost only the online appointments customers made Tuesday.

    "If anyone made an appointment yesterday, and they come in during the next few days and we have a blank look on our faces about it, this is why," said Campbell.

    If there is a silver lining in all this, it's that she found out the daily disk backup was not connected to her computer – but it is now. That disconnection also kept the ransomware from reaching that external drive, if such access was written into its code.

    And her advice to fellow business owners is to make sure they have a solid backup plan, that it's working, and that it is in use every day.

    "Then check it, double check it, and check two more times to make sure it works," said Campbell. "And don't under any circumstance open one of those emails from FedEx about a problem delivering your package."

    Gildred is also officially a guardian angel, if not Campbell’s “knight in shining armor.”
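The failure that nearly cost Campbell her files was a daily backup nobody noticed had stopped seven months earlier. The check below, an added example that is not part of the original story or any product named in it, is the kind of "check it, double check it" test a small shop can run each morning: it reports whether the backup destination is even reachable and how old the newest file there is. The directory names, the two-day staleness threshold and the backdated sample files are constructed for the demonstration.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Optional
STALE_AFTER_DAYS = 2.0  # a daily backup older than this is treated as broken

@dataclass
class BackupStatus:
    reachable: bool             # destination present (drive plugged in, share mounted)
    newest_file: Optional[str]  # most recently written file, if any
    age_days: Optional[float]   # age of that file relative to the check time

    @property
    def healthy(self) -> bool:
        return (self.reachable and self.age_days is not None
                and self.age_days <= STALE_AFTER_DAYS)

def check_backup(dest: str, now: Optional[float] = None) -> BackupStatus:
    """Report whether the backup destination is reachable and how stale it is."""
    now = time.time() if now is None else now
    if not os.path.isdir(dest):
        return BackupStatus(False, None, None)  # unplugged drive or unmounted share
    newest_path, newest_mtime = None, None
    for root, _dirs, files in os.walk(dest):
        for name in files:
            path = os.path.join(root, name)
            mtime = os.path.getmtime(path)
            if newest_mtime is None or mtime > newest_mtime:
                newest_path, newest_mtime = path, mtime
    if newest_path is None:
        return BackupStatus(True, None, None)  # reachable but never written to
    return BackupStatus(True, newest_path, (now - newest_mtime) / 86400.0)

def _write_backup(path: str, when: float) -> None:
    with open(path, "wb") as fh:
        fh.write(b"constructed backup payload")
    os.utime(path, (when, when))  # backdate the constructed file to `when`

def demo() -> dict:
    """Constructed scenario: last backup written 2015-11-15, checked 2016-06-22."""
    last_run = time.mktime((2015, 11, 15, 8, 0, 0, 0, 0, -1))
    check_day = time.mktime((2016, 6, 22, 9, 0, 0, 0, 0, -1))
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        _write_backup(os.path.join(dest, "shop-2015-11-15.bak"), last_run)
        results["stale"] = check_backup(dest, now=check_day)       # ~220 days old
        _write_backup(os.path.join(dest, "shop-2016-06-21.bak"), check_day - 86400)
        results["current"] = check_backup(dest, now=check_day)     # yesterday's run
    results["unplugged"] = check_backup(dest, now=check_day)  # directory is gone now
    return results
```

A drive that passes this check every morning is also reachable by whatever runs on that workstation, which is the flip side of the disconnection that protected Campbell's external disk; rotating drives or detaching the destination between runs keeps a copy out of reach.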