The Anatomy of a Ransomware Email

I’m sure we all have received these emails; I get them at least five times a week. The email claims that my computer has been breached and that the sender has gained full access to it. It goes on to claim that they have recorded me in compromising situations, and that the only way to make the problem go away is to pay them. Strictly speaking this is a sextortion scam rather than ransomware, since nothing on the victim’s machine is encrypted or held hostage, but the two are routinely lumped together.
This type of email can be alarming the first time you see one. I’m going to walk through this particular email and show you why I know it’s false.
Hi!
Sadly, there are some bad news that you are about to hear.
About few months ago I have gained a full access to all devices used by you for internet browsing.
Shortly after, I started recording all internet activities done by you.
Below is the sequence of events of how that happened:
Earlier I purchased from hackers a unique access to diversified email accounts (at the moment, it is really easy to do using internet).
As you can see, I managed to log in to your email account without breaking a sweat: (albert@cytruslogic.com).
Within one week afterwards, I installed a Trojan virus in your Operating Systems available on all devices that you utilize for logging in your email.
To be frank, it was somewhat a very easy task (since you were kind enough to open some of links provided in your inbox emails).
I know, you may be thinking now that I’m a genius…..^^)
With help of that useful software, I am now able to gain access to all the controllers located in your devices
(e.g., video camera, keyboard, microphone and others).
As result, managed to download all your photos, personal data, history of web browsing and other info to my servers without any problems.
Moreover, I now have access to all accounts in your messengers, social networks, emails, contacts list, chat history – you name it.
My Trojan virus continues refreshing its signatures in a non-stop manner (because it is operated by driver), hence it remains undetected by any antivirus software installed in your PC or device.
So, I guess now you finally understand the reason why I could never be caught until this very letter…
During the process of your personal info compilation, I could not help but notice that you are a huge admirer and regular guest of websites with adult content.
You endure a lot of pleasure while checking out porn websites, watching nasty porn movies and reaching breathtaking orgasms.
Let me be frank with you, it was really hard to resist from recording some of those naughty solo scenes with you in main role and compiling them in special videos that expose your masturbation sessions, which end with you cumming.
In case if you still have doubts, all I need is to click my mouse and all those nasty videos with you will be shared to friends, colleagues, and relatives of yours.
Moreover, nothing stops me from uploading all that hot content online, so all public can watch it too.
I sincerely hope, you would really not prefer that to happen, keeping in mind all the dirty things you like to watch, (you certainly know what I mean) it will completely ruin your reputation.
However, don’t worry, there is still a way to resolve this:
You need to carry out a $1350 USD transfer to my wallet (equivalent amount in bitcoins depending on exchange rate at the moment of funds transfer), hence upon receiving the transaction, I will proceed with deleting all the filthy videos with you in main role.
Afterwards, we can forget about this unpleasant accident. Furthermore, I guarantee that all the malicious software will also be erased from your devices and accounts. Mark my words, I never lie.
That is a great bargain with a low price, I assure you, because I have spent a lot of effort while recording and tracking down all your activities and dirty deeds during a long period of time. In case if you have no idea how to buy and transfer bitcoins – feel free to check the related info on the internet.
Here is my bitcoin wallet for your reference: 15L57f8 G22cPmD tq2devc Qw6J4Sb C8EX8b
Attention please! I have specified my Bitcoin wallet with spaces, please make sure that you key-in my bitcoin address without spaces to be sure that your coins successfully reach my wallet!
From now on, you have only 48 hours and countdown has started once you opened this very email (in other words, 2 days).
The following list contains things you should definitely abstain from doing or even attempting:
~>> Abstain from trying to reply this email (since the email is generated inside your inbox alongside with return address).
~>> Abstain from trying to call or report to police or any other security services.
In addition, it’s a bad idea if you want to share it with your friends, hoping they would help. If I happen to find out (knowing my awesome skills, it can be done effortlessly, because I have all your devices and accounts under my control and unceasing observation) – kinky videos of yours will be share to public the same day.
~>> Abstain from trying to look for me – that would not lead anywhere either. Cryptocurrency transactions are absolutely anonymous and cannot be tracked.
~>> Abstain from reinstalling your OS on devices or throwing them away.
That would not solve the problem as well, since all your personal videos are already uploaded and stored at remote servers.
Things you may be confused about:
~>> That your funds transfer won’t be delivered to me.
Chill, I can track down any transactions right away, so upon funds transfer I will receive a notification as well, since I still control your devices (my trojan virus has ability of controlling all processes remotely, just like TeamViewer).
~>> That I am going to share your dirty videos after receiving money transfer from you.
Here you need to trust me, because there is absolutely no point to still bother you after receiving money.
Moreover, if I really wanted all those videos would be available to public long time ago!
I believe we can still handle this situation on fair terms!
Here is my last advice to you… in future you better ensure you stay away from this kind of situations!
My advice – don’t forget to regularly update your passwords to feel completely secure.
This is one of my favorite ransomware (really sextortion) emails. Let’s break it down and show why I know it is 100% fake and grasping at straws. There are some obvious clues.
  1. I don’t engage in such behavior and so there is nothing to ransom.
  2. The email address that they are claiming they have access to does not exist in any form and has never existed on the domain.
  3. The email went to SPAM. SPF, DKIM, and DMARC are published by a domain, not by an individual mailbox, so the bogus From: address is a separate clue: it was guessed or bought as part of a list. What put the message in spam is that the receiving server could not verify that it really came from the domain named in the From: header, which is exactly what those records exist to check.

It’s easy to see from a technical point of view how this email is fake. This is why it is SO important to have SPF, DKIM, and DMARC records set up. SPF lists the servers allowed to send mail for your domain, DKIM lets your server cryptographically sign each message, and DMARC tells receivers to check that whichever of those passed actually aligns with the From: domain, and what to do (none, quarantine, or reject) when neither does. Scams like this one routinely forge the From: header to the victim’s own address, which is what the “generated inside your inbox” line is alluding to; with a DMARC reject policy in place, your own mail server will throw such messages away. If these records are not in place your outgoing email will often go to spam or be deleted outright even when it is legitimate.
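To make the alignment rule concrete, here is an added example (not code from the original post) that evaluates DMARC for a received message the way a mail server does once SPF and DKIM have already been checked. It reads the Authentication-Results header the receiving server wrote, looks at which domain each method actually authenticated, and applies the From: domain’s DMARC policy. The two sample messages and the DMARC record are constructed for illustration and are not the real record for the domain; the organizational-domain logic is simplified (real verifiers use the Public Suffix List) and the pct tag is ignored.

```python
"""Offline DMARC evaluation of a received message's Authentication-Results.

Added example, not from the original post. Assumes the receiving server has
already run SPF and DKIM and recorded the results in an Authentication-Results
header; we apply the DMARC alignment rules (RFC 7489) against the From: domain's
policy. Sample messages and the DMARC record below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")    # disposition on failure: none | quarantine | reject
    tags.setdefault("adkim", "r")   # DKIM alignment mode: r(elaxed) | s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment mode
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment.

    Simplification (assumption): keep the last two labels. Production verifiers
    consult the Public Suffix List so that e.g. 'example.co.uk' is handled right.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, authenticated_domain: Optional[str], mode: str) -> bool:
    """Does the domain that SPF/DKIM authenticated align with the From: domain?"""
    if not authenticated_domain:
        return False
    a, b = from_domain.lower(), authenticated_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def parse_auth_results(header: str) -> dict:
    """Pull spf/dkim results and the domain each one authenticated."""
    results = {"spf": ("none", None), "dkim": ("none", None)}
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        clause = clause.strip()
        m = re.match(r"(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        # SPF authenticates the envelope sender (smtp.mailfrom); DKIM the signing domain (header.d)
        dom = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^@\s]*@)?([\w.-]+)", clause)
        results[method] = (result.lower(), dom.group(1) if dom else None)
    return results


def dmarc_verdict(raw_message: str, dmarc_record: str) -> dict:
    """DMARC passes only if SPF or DKIM passed *and* that identifier aligns with From:."""
    msg = message_from_string(raw_message)
    policy = parse_dmarc(dmarc_record)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", "unknown;"))

    spf_result, spf_domain = auth["spf"]
    dkim_result, dkim_domain = auth["dkim"]
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "from_domain": from_domain,
        "spf": (spf_result, spf_domain, spf_ok),
        "dkim": (dkim_result, dkim_domain, dkim_ok),
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy["p"],
    }


# Constructed DMARC record for the From: domain (not the domain's real record).
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

# Constructed sextortion message: From: forged to the victim's own address,
# delivered from an unrelated host that fails SPF and signs nothing.
SPOOFED = """\
From: "Albert" <albert@cytruslogic.com>
To: albert@cytruslogic.com
Subject: Sadly, there are some bad news
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bounce@relay.bad-host.example; dkim=none

Hi!
"""

# Constructed legitimate message from the same domain, DKIM-signed by it.
LEGIT = """\
From: "Albert" <albert@cytruslogic.com>
To: customer@example.com
Subject: Invoice
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=albert@cytruslogic.com; dkim=pass header.d=cytruslogic.com

Attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        v = dmarc_verdict(raw, DMARC_RECORD)
        print(f"{name}: dmarc={v['result']} disposition={v['disposition']} "
              f"spf={v['spf']} dkim={v['dkim']}")
```

The forged message fails because the only identifier SPF could vouch for is the relay’s domain, which does not align with the From: domain, and there is no DKIM signature at all; with p=reject the owner of the From: domain has told receivers to discard it. The legitimate message passes on either identifier. Note that a p=none policy would still report a DMARC fail but tell the receiver to deliver anyway, which is why publishing the record is only half the job.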

From a linguistics perspective this email is also interesting. It plays on fear. Its intended purpose is to create a sense of fear and then to bring that fear back down with nurturing, supportive language.

The first part of the email is the author’s attempt to prop themselves up as a genius and very clever. This is not just boastful language; there is a purpose behind it. The purpose is not really to prop up the author but to subdue the receiver. It’s classic bully language. The author is trying to show how naive and dumb the reader is, using the following phrases:

  1. Earlier I purchased from hackers a unique access to diversified email accounts (at the moment, it is really easy to do using internet).
  2. As you can see, I managed to log in to your email account without breaking a sweat
  3. …I installed a Trojan virus in your Operating Systems available on all devices that you utilize for logging in your email. To be frank, it was somewhat a very easy task
  4. I know, you may be thinking now that I’m a genius

Once he has propped himself up as smarter than the receiver and attempted to dominate them by comparing intellects, he moves on to another form of control language: that the receiver is gross and unworthy in society. This language is as follows:
  1. You endure a lot of pleasure while checking out porn websites, watching nasty porn
  2. naughty solo scenes with you in main role
  3. nasty videos with you
  4. keeping in mind all the dirty things you like to watch (you certainly know what I mean)

Nasty, naughty, and dirty are all subjective terms that rest on a collective understanding. They are moral in nature, so the author is trying to create an image in the reader’s mind that they fall outside society’s norms and values. The author uses contrast to reinforce this by stating not only that the receiver is engaging in such activity but that the receiver is enjoying it. The words “like” and “pleasure” are set against the negative words nasty, naughty, and dirty.

After the author is done trying to subdue the receiver, they take another linguistic approach: the role of the helper.

  1. However, don’t worry, there is still a way to resolve this:
  2. I never lie.
  3. That is a great bargain with a low price
  4. In case if you have no idea how to buy and transfer bitcoins – feel free to check the related info on the internet.
  5. Here you need to trust me
  6. I believe we can still handle this situation on fair terms!
  7. Here is my last advice to you… in future you better ensure you stay away from this kind of situations!
  8. My advice – don’t forget to regularly update your passwords to feel completely secure.

So in the end, the email is designed to break the receiver down by making them feel unintelligent and gross, then to build them back up by offering advice, bargains, and comfort. All of it is designed to extract money on the strength of a bogus email that never contained any real information in the first place. Don’t fall for this. If you want to know how to protect your email and organization from these types of attacks, contact one of our Progress Coordinators.

You can also check whether your domain publishes SPF, DKIM, and DMARC records at MX ToolBox.

Jacob Billings
PhD Candidate - Complex Systems

I am a software engineer, linguist, and researcher of Complex Systems. I hold a bachelor's degree in Middle Eastern Studies from the University of Utah, a Master’s degree in linguistics from Francisco Marroquín University in Guatemala City, and I am a doctoral candidate in Complex Systems at the Polytechnic University in Madrid, Spain.

Software Development: I bring over 20 years of experience in developing software for multiple clients in various environments. I have a solid knowledge of PHP, Javascript, MySQL, NoSQL, Python, and Java.

Over my career, I have had the opportunity to work on projects for some of the most recognized brands on the planet. Brands like Marriott Hotels, Microsoft, Ashland Chemical, Capital One Credit Cards, Cadbury Schweppes, GE and more. This has given me an in-depth understanding of my clients’ challenges as they grow. I know how to get a company from startup to maturity with technology. My specialties are in E-commerce (specifically Magento), process automation, and security.