Encryption Virus (Again!)

[ad name=”new”]
Note: To avoid the encryption virus, please don’t open attachments on emails that are generic or suspicious in anyway. Please back up all your files every week or so and then detach the backup drive. If you do get the virus, please turn off all your computers immediately and call us at Ducktoes. 403-219-3031.

Encryption Virus Strikes Again
Ducktoes has again helped a client (web design and SEO client, not IT client) recover their files encrypted by an encryption virus.  And again the client paid the ransom. They thought they could not successfully operate their business without de-crypting the files, since it would have been exorbitantly expensive or impossible to manually remake them all. They couldn’t even remember what all the files were, much less recall the content.

Try Not to Pay
If not absolutely necessary, I don’t recommend paying the ransom for decryption.  If no one ever paid the ransom, the cyber-criminals would stop creating and spreading the viruses. But in this case, I totally understand.

Employee upset after laptop gets the encryption virus.

It is a difficult decision whether or not to pay the ransom for the encryption virus.

How They Got the Virus

The clients got the virus through email. An employee opened an email attachment that purported to be an “invoice” but really contained one of the encryption viruses in the attachment.  Once opened, the encryption quickly virus spread to the client’s network and encrypted a hard drive containing all the scheduling and accounting information.

Emails floating through air as envelops. The encryption virus comes through email.

Encryption virus comes as an email attachment.

The Clients Call Ducktoes for Help
Not understanding what was going wrong with their computers, the clients called Ducktoes. They thought they were just missing a program and because of that the the files wouldn’t open.  Human dynamo and very personable manager Colin Forrest immediately went into action. He went into one of their computers remotely to check the situation out and saw the encrypted files. He recognized the encryption virus since we’ve dealt with it many times before.  The virus had changed all the Word and Excel files to the mp3 file format making them impossible to open. Colin told the clients to turn off their computers immediately.  His immediate remote call and quick thinking saved them many files.

At the time I was picking up parts at our wholesale parts supplier.  When Colin called me to tell me what was going on, I immediately drove to the clients’ office.

Emergency Onsite Call
Upon arrival, I turned off the router so the virus would not spread further and assessed the damage.  Two computers and the external hard drive were infected.  Two others had started to be infected but the files had not been encrypted yet.  I brought the computers to the shop and put them in quarantine and we were able to remove the infection.  Don’t remove the infection before you get the contact info of the cybercriminals so you can pay the ransom if you need to.  Whenever we remove viruses from an encrypted computer, we have to make sure the infected computers are in quarantine on their own separate network, because the virus spreads quickly.

Waves coffeehouse where there is a bitcoin exchange.

Where BitNational is located.

Paying the Ransom
To ransom the files I had to take cash to a bitcoin exchange office office called BitNATIONAL, located in a Waves Coffee House on 17th Ave SW and 9A St. SW.  I was a little nervous because it seemed I was dealing with the underworld.  I was.  Our long time onsite tech extraordinaire Raz Rydstrom, and one of the smartest people anywhere, met me there since he is familiar with the process. The ransom was $500 US plus the bitcoin office fee.  It totaled $770 Canadian. With labour costs, the clients had to pay around $1500 for decryption and virus removal.  It is a hefty price for opening an infected file.

A photo of Matt and bitcoin exchange office.

Here is the BitNational office.

BitNational Helps Us
BitNATIONAL has a specialized ATM called a BTM which put the digital currency on my smartphone. Two great and friendly guys Matthew Haddon owner and Jason Butler partner and employee were working that day. The other owner is Drew Glover. I found them very helpful and immediately felt less nervous.

About BitNational
There are many BTMs throughout Calgary and other Canadian cities. Find one near you.

 Jason and Matt standing by their BTM machine.

This is Jason and Matt standing by their BTM machine.

BitNational bought out another bitcoin exchange service called Bit Brains. Matt and Jason believe that bitcoin is a great investment and only starting to take off and will go up in value.

BitNATIONAL owner Jeff shows how bitcoin will take off but wearing an orange Nasa suit.

Here’s Jason in a NASA suit demonstrating how bitcoin is going to take off. They don’t have the helmet yet.

BitNational only does the currency exchange to and from bitcoin.  They are a legitimate business and not involved in any way with the cyber-criminals.  They are entrepreneurs in a pioneer sector.  BitNational-logo

A Nervous Moment
Back at the shop, we paid the ransom and then discovered that the websites to communicate with and pay the encryption virus creators had disappeared.  This caused a  panic moment for me. I had already paid the money and worried I might not be able to retrieve the decryption code since the cybercriminal’s websites had vanished. Yet one of my techs, Garett Belkie, was able to install a Tor browser and retrieve the code that way.  Then he decrypted all the encrypted files on the computers and hard drive. Our hero. (Another awesome senior tech, our data recovery and virus removal specialist.  He can get data off a stone and remove viruses in a twinkle of an eye.)

Here’s another blog post about how I personally saved a law office from a encryption virus in 2014 before most computer IT support companies even knew what encryption viruses were.  It is a very exciting story.  Lol. I was my own hero.


Returning the Computers
Once the files were decrypted, we removed the encryption virus and returned the computers and reinstalled everything to the network.  Tech Rey Berse and I did this together. He’s a brilliant soft spoken senior laptop tech (he specializes in hardware and circuitry, soldering and electronic circuits etc. and software, a total computer genius) and an incredible onsite tech with our onsite IT support too).

Photo of a laptop with chain and padlock symbolizing laptop virus.

Ducktoes can help your unlock your files.

Sometimes We Don’t Need the Ransom
Using guidance learned from Bleeping Computer, we have actually decrypted certain strains of the encryption virus ourselves without paying the ransom.

The Ducktoes Team is More than One Tech
You get more than the skills and knowledge of your one IT support tech at Ducktoes. You may only see one tech, but you are getting much more.  You are a getting an entire group of techs at your back that are constantly learning and upgrading our computer repair and virus removal skills.  We work together as a team to solve and prevent computer problems, so when you hire us, you are getting an entire team of problem solvers and computer experts all educated at SAIT. We are constantly researching computer issues and learning new skills, the encryption virus prevention and removal being one of them. The pool of our combined knowledge and skill makes us a formidable force against viruses and computer problems.  Among us we know hardware including difficult laptop hardware including soldering motherboards and capacitors, fixing laptop screens, jacks and video and wifi hardware, server issues, networking, virus removal, crisis prevention, backup, data recovery, and anything you throw at us.

Two techs work on computers at Ducktoes.

You get a team of computer experts at Ducktoes.

Smiles and Laughter
It was really rewarding and fun to return the computers and data all fixed and working well so our clients could return to business as usual.  Now that they are IT clients we have them backed up to the cloud with Dropbox so this will never happen again. There was a lot of smiles and laughter while we worked and finished up with them.

Encryption Virus Experts
Ducktoes Computer Services has become an expert on the encryption virus. We’re experts on removing it, de-crypting it, and preventing it. If you need help with the encryption viruses, or any virus, we’re the best choice in Calgary since we’ve specialized in virus removal and prevention for years.

If You Need Us
If you need Onsite IT support or virus removal or any computer repair or support at all, call our team at Ducktoes.  We’ll bring smiles and laughter back to your office or home.

FacebooktwitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmailby feather

Finally, a Cure for Cryptolocker

[ad name=”new”]

Some of our clients’ computers have been infected with the virus Cryptolocker which encrypts all the files on the computer, and often, unfortunately, the business data and photos. People lose all their baby photos, once in a lifetime travel photos, or photos of a deceased family member or friend. They lose important business data. Now two IT cyber security companies, FireEye and Fox IT have partnered to provide a free service that will decrypt the files.

The virus creators were stopped for awhile by the FBI and RCMP’s Operation Tovar which took down many of the cyber-criminals’ servers. After a couple of weeks, however, Cryptolocker was back, although not as rampant as before, it seems, from my experience. During Operation Tovar decryption keys were obtained and FireEye and Fox IT

These companies have a created website www.decryptcryptolocker.com that will help you get a free decryption key.


On the website, you have to upload a encrypted file and send an email address and they will send you a decryption key.

If anyone needs help with doing this or has been infected with Cryptolocker in the past, Ducktoe’s anti-virus lab would be glad to help you recover your encrypted files.

FacebooktwitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmailby feather

Be Careful: Cryptolocker Back after Two Week Hiatus

Cryptolocker is back after a two week break.  This ransomware encrypts all the files on your computer’s hard drive and will not decrypt them you pay the ransom.  Two weeks ago the FBI and Mounties took down Gameover Zeus servers which also contained the Cryptolocker virus and put both out of commission.  We at Ducktoes were so relieved because as a virus removal service dedicated to helping you and fixing your computers quickly and effectively we often have to deal with this horrible virus.  After a computer is infected there is very little we can do to bring the files back.  Cryptolocker is devastating to businesses that lose business files and individuals who lose all their files, especially photos.

Unfortunately, Cryptolocker is now being used as a stand-alone program without Gameover Zeus.  It is back in service.

Read more.



What we can do at Ducktoes is prevention and help you not get the virus in the first place.  Please be careful and do the following:

  1. Don’t open pdfs or any attachments unless you are ENTIRELY sure about them.
  2. Backup your computer right now and then disconnect the backup drive from your computer.  Backup often.
  3. Install Malwarebytes Premium.  It prevents the virus.  We have it on sale at the shop.


FacebooktwitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmailby feather

Cryptolocker is Back Already

According to a recent article, which I will cite later, Cryptolocker is already back in operation.  Thank you to friend. former classmate, and fellow tech Paul Maslak for that information.  I’ll write more about it later today if I can.

In the meantime please don’t download any pdfs from FedEx, UPS, Canada or US Post and other businesses. Just don’t.  Put Malwarebytes Premium on your computer.  It prevents Cryptolocker.  We can help you do that.  Just call our remote support.  I’ll do it for free even, the installation that is.  The program costs around $36.  403-219-3031.

FacebooktwitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmailby feather

Worst Virus Ever Cryptolocker Stopped for Now

[ad name=”new”]
Mastermind behind Cryptolocker and Gameover

The worst virus Ducktoes has ever seen, Cryptolocker, has been stopped, at least for now, and maybe for good. We’ve had a few clients infected with it. The worst affected was a woman who lost her family photos. She didn’t want to pay the cybercriminals for decryption so decided to lose the photos instead. Another was a lawyer’s office but I was able to disconnect all the computers from the network before it spread so they lost only one user’s files. Another was a business who called in the middle of the night and I happened to be up. I told the client to shut down all her computers until I could get there early in the morning. The data loss from those two clients was minimal. Another business client had the virus and lost his files but had them backed up so was able to recover them.

The main suspect behind this virus and its sister virus “Gameover Zeus” according to the FBI Wanted Poster is Evgeniy Mikhaylovich Bogachev.  Bogachec a thirty-year-old Russian man living in a Black Sea resort town, according to the Globe and Mail and other sources.

What made the virus so bad was that there was no way to unencrypt the files so the clients would have to pay for the decryption key or lose their files forever. Also it was highly contagious and would infect all other computers on the network.  At businesses this can be devastating.  In our computer repair lab, we had to put all infected computers in quarantine on a completely separate network.

The RCMP in cooperation with the FBI has shut down two servers in Montreal that were used to spread the two viruses Gameover Zeus and Cryptolocker. According to a Globe and Mail article, “As part of a major crackdown in a dozen countries against Russian cyber-criminals, the RCMP has shut down two computer servers in Montreal that were part of a network that extorted millions of dollars from businesses and consumers.

The operation disrupted malicious software called Gameover Zeus (GOZ), which has infected up to a million computers around the world and caused losses of more than $100-million (U.S.).”

Gameover would get computer users’s bank account information and withdraw or transfer money to the cybercriminal’s account. It also would infect the computer with Cryptolocker which encrypts the client’s files such as business data, personal records, photos, and videos. Some businesses lost a fortune without their files. Many clients lost all their family photos.

According to Grinler of Bleeping Computer, Cryptolocker was downloaded in infected pdfs purporting to be from Fedex, UPS, tax companies and other business related companies.

Other servers were in Ukraine and Kazakhstan, besides the ones in Montreal.

At Ducktoes we can remove viruses like this one and restore and fix your computer back to normal in a computer repair lab. We can also prevent viruses like this in the first place with our anti-virus cocktail.

FacebooktwitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmailby feather