Undoubtedly, one of the most pernicious of the current crop of cybercrimes is ransomware.  Unlike many stealth-based approaches to profiting off system intrusion, ransomware is infuriatingly in-your-face.  In a ransomware attack, part or all of your system data is encrypted and locked off from access until you pay the attacker a fee, usually via Bitcoin due to its untraceability.  Ransomware has been spotted in the wild both on desktops and on mobile devices, and it is only growing in frequency.

Now, however, a new variation has begun to appear:  Copycat fake ransomware.  These attacks simulate typical warning messages seen with ransomware, warning that your files have been encrypted and starting a countdown to destruction … but nothing is actually happening.  It’s just a minimum-effort trick to try to con you out of a little money.  So be on the lookout! 

How to Spot a Fake Ransomware Demand

Reboot and see if it goes away. 

Don’t groan.  Yes, this IS a situation where rebooting is a valid option, particularly if the fake ransomware is so lazy it’s just being spawned in a browser pop-up. Legitimate ransomware will immediately re-appear with its demands upon rebooting.

Check your network activity. 

Here’s where those fancy network trackers and profiles can come in handy.  Real ransomware is almost always accompanied by noticeable attack vectors or unusual or fishy-looking domains accessing your network.  If you can’t find anything strange in the network logs at the time the warning popped up, there’s a good chance it’s fake.

Is there a brand name and/or support address? 

One of the most surreal aspects of ransomware is that the criminals behind it act like businesses to the point of having websites, branding, and “customer” support. Really!  This isn’t true of every ransomware operator out there, but the biggest and most prolific generally advertise their group names and have an address you can email for help setting up Bitcoin, making payments, etc.  Some will even haggle! The lack of ANY contact information besides a Bitcoin wallet number is often a tip-off that it’s not real ransomware.

Lowball demands. 

The amount of money demanded by ransomware can vary by quite a bit, but the average (according to a few sources) is generally in the $500-$1,000 range.  One of the reasons ransomware works is that the amount demanded is almost always far less than repairing the damage manually would cost. However, if the amount asked for is very low, like $100 or less, it’s almost certainly a fake.  They’re hoping you’ll pay such a low fee without thinking.

Look for modified files. 

Most common crypto-attack programs will change the filenames of the files they attack, often giving them new extensions like .lock or .crypt.  At the very least, there will be a lot of disk activity and a lot of files suddenly changed at once.  Depending on how locked-out you are, look through your own file system or use a Linux LiveCD/USB to get into the file directories.  A lack of noticeable changes is another red flag.

Stupid mistakes.  

Finally, it’s worth mentioning that most ransomware groups are semi-professional and put some time into proofreading. Likewise, they’re almost always using well-shielded darknet email addresses or social contacts.  If your ransomware letter is full of typos or is coming from a common email provider like Gmail, it’s probably fake.


Now, should you be hit with ransomware, don’t get your hopes up.  Fake ransomware letters are currently relatively rare. But by looking for a few telltale clues, we can help ensure they remain rare by not rewarding these tedious wannabe scammers.


About the Author: John Ciarlone is the VP of marketing and sales at Hummingbird Networks, a leading provider of business IT Solutions and Services.