A UK man has been given a non-custodial sentence this week, after a ransomware infection on his computer led him to report himself to police. The man’s computer held several hundred animal porn images, described in court as “extreme” and “revolting”.
According to local news reports, 61-year-old Victor Anthony Noble, now a resident of Scotland, was living in the Cumbrian village of Warwick Bridge in 2013, when his PC was hit with what sounds like a fairly typical ransomware attack of the low-grade screen-locking variety.
Unlike the more destructive cryptoware of recent years such as CryptoLocker or CryptoWall, this type of attack leaves your files intact, instead attempting to simply lock you out of your system and demanding a ransom to unlock it.
Typical techniques used to encourage payment include suggestions that illegal software, media or browsing has been detected, and that failure to pay up will result in your behaviour being reported to law enforcement.
In many examples, the malware pretends to be a message from police or FBI monitoring systems, to give a little extra weight to its scare tactics. Some variants, such as Reveton, even try to work out which police force to masquerade as, depending on your location.
In Mr Noble’s case, although he paid the £100 demanded, the promised unlocking was not provided, a fairly likely circumstance considering the moral background of those operating the scam.
So, Noble decided the game was up and handed himself in to local police, reporting to them the extensive stash of unsavoury images, which apparently mostly featured people “engaging in sex acts with animals” including horses, dogs and pigs.
Although he admitted downloading almost 600 images, Noble claimed to have no memory of ever actually viewing them.
The incident took place in May 2013, with Noble appearing before Carlisle magistrates in December 2014 and then at Carlisle Crown Court in March this year. He pleaded guilty to five counts of possessing extreme pornography, and was returned for sentencing this week.
He has been ordered to submit to a 12-month supervision order.
This is not the first case where a ransomware infection has tricked its victim into giving themselves up to the cops; also in 2013, a similar set of circumstances led a Virginia man to confess to the police, although in his case his guilty conscience was down to a collection of child abuse images.
For the most part, lockscreen ransomware can be recovered from fairly successfully with the right know-how, usually by booting from independent media such as a live Linux distribution (e.g. Sophos Bootable Anti-Virus) or in some cases just using Windows Safe Mode to bypass and disable the threat.
Quality anti-malware software and a regular patching regime should offer up-front protection from most variants too, but it’s important to keep backups of your important files just in case something slips past your defences, especially if it ends up being a file-encrypting attack – even those which make a mess of their cryptography can be a real pain.
Social engineering techniques, whether arriving via email or appearing in popups displayed by malware or dodgy web pages, regularly leverage fear and guilt to hustle us into rash actions, such as paying ransoms.
If you do get infected with ransomware, try to keep calm and apply some logic to the situation – no law enforcement agency really tries to impose spot fines via the internet.
Of course, if you have something real to feel guilty about, it’s usually a good thing to get it off your chest, and if you end up ‘fessing up to the police, at least you’ll get the benefit of proper justice, rehabilitation and, if necessary, psychiatric help.
One has to feel sorry for the poor police techs who have to wade through all this nasty stuff to gather evidence.
Image of keyboard locked in chains courtesy of Shutterstock.com
Laurence Marks
John Hawes wrote “For the most part, lockscreen ransomware can be recovered from fairly successfully with the right know-how, usually by booting from independent media such as a live Linux distribution or in some cases just using Windows Safe Mode to bypass and disable the threat.”
Another simple scheme is to:
1) Install the excellent and free Sophos Virus Removal Tool on a clean computer.
2) Remove the infected drive from the other computer and put it in a USB enclosure.
3) Attach the infected drive to the clean computer and let Sophos have at it.
I’ve done this a few times to help folks out (most recently last week). It especially is useful if the virus and anti-virus are consuming 100% CPU fighting one another and you are unable to execute any programs.
Paul Ducklin
Nice thinking :-) Sometimes, though, it’s tricky to remove the hard disk (e.g. many laptops). That’s when a clean-boot tool like Sophos Bootable Anti-Virus comes in handy:
https://www.sophos.com/en-us/support/knowledgebase/52053.aspx
GreyBeard
I heard of a case where a man brought his computer to a repair shop because it “kept crashing”. Turned out that simply the disk was full. The technician couldn’t help viewing part of the content, the less than scantily-clad persons looked underage and he reported the man to police.
The man was sentenced to a few months in custody (and some more on probation) for possession of child-porn. The investigation indicated that he was “just” a consumer, not member of a network, apparently collecting only what was freely available.
Less than two years later the man brought his PC to the same shop as it again “kept crashing” … this time he was in for a longer sentence. ‘Though you could almost take pity on him’ the officer who told me the story concluded.
Wonder if this one would have turned himself in.