Scam Alert: #Anonymous nOPes

By raincoaster on November 4, 2014 • ( 2 )

Guy can see you

Just FYI Anonymous isn’t really holding your PC for ransom.

A friend just got this email, CryptoWall virus, claiming to be from Anonymous. http://t.co/1BZIzASwcE #fail #Anonymous (Do not pay them)

— Gregg Housh (@GreggHoush) November 2, 2014

Gregg Housh has the unique honour of being the first person to get famous for being Anonymous. That’s not just “anonymous” but Anonymous; his involvement with the anti-Scientology operation Project Chanology led to his being outed, the first Anon ever publicly exposed.

On November 1, he tweeted that a friend had received an extortion demand from Anonymous, and put it up on Pastebin for all to see. It’s now had approximately 1,100 reads, presumably most of them from the disappointed extortionist.

From: Guy Fawkes <guy_fawkes@sigaint.org>
Date: October 31, 2014 at 3:15:06 PM EDT
Subject: Do Not Ignore This Message

Greetings from Anonymous.
If you don’t know who we are, I suggest you read this first:

https://en.wikipedia.org/wiki/Anonymous_%28group%29

All of you that have received this message have been chosen to be infected
with our very own version of the CryptoWall virus. If you don’t know what
it is, look it up. You are getting this message because you already have
the virus dormant in your systems, and reporting information back to us.
But we will give you a fighting chance. To avoid activation of the virus,
simply send 10 Bitcoins to the following address:

1BRQkZDNqycdhBunhPAcTVx2TQ3UuGtALH

If you do not know how to obtain BitCoins, there are various resources
online.

Due to the nature of Bitcoins, we have no way of knowing which of you have
sent the required 10 Bitcoins. So after you send them, you must respond
to this e-mail with the last 10 characters of the address you sent the
Bitcoins from and we will remove you from our list and provide you with
instructions on how to find and remove the virus residing on your
computer.

For those of you that do not want to pay in advance, you can find many
reasons online about why you really don’t want us to activate the virus.
You all have 5 days to make the payment. Once the virus is activated, all
of your files will be encrypted, and will require a decryption key, which
we will provide after receiving a much larger payment.

So your options are to pay 10 Bitcoins now and avoid any further
“complications” or ignore this message and pay at least 50 Bitcoins later
to receive the decryption key.

The choice is yours – choose wisely.

PS: Don’t waste time trying to find and remove the virus. Governments
can’t find it in their systems, so neither can you.
Guy Fawkes
ANONYMOUS

Well, as you might suspect, that’s not how Anonymous works. It’s not even how CryptoWall works, really. And the Wikipedia article the email cites actually mentions Housh by name. Seems as if someone is having a bit of a larf, but then they might also be seriously trawling, hoping to catch some sucker unawares an panicked.

After all, if spam didn’t work, half the GNP of Nigeria would simply vanish.

The CryptoWall virus is very real ransomware, and very dangerous, encrypting the contents of your hard drive and making them inacessable to you unless you comply with the ransomer’s demands. Its presence is not difficult to confirm or eliminate, however. At the root of each directory in your file system, you should look for three files: DECRYPT_INSTRUCTION.txt, DECRYPT_INSTRUCTION.html, and DECRYPT_INSTRUCTION.url. If they are there, click on one and it will take you to the ransom instructions. If they are there, in other words, you have been infected. PreciseSecurity has instructions on removing the virus. It has infected fewer than 50 computers, according to Symantec.

If those three files are not there, you have not been infected; you have been the victim of a bluff. Make no mistake; bluffs are still extortion. In this case, the repeated “Don’t even try to find it” warnings are a bit of a tipoff that there is, in fact, nothing to find. Except the perpetrator.

In this case, we know two things about the attempted extortioner: His Bitcoin wallet address is 1BRQkZDNqycdhBunhPAcTVx2TQ3UuGtALH, and his email is guy_fawkes@sigaint.org, neither of which occur on the open web in any context except Housh’s Pastebin. Sigaint is a free email service aimed at those who wish not to be traced. And the Bitcoin wallet has recorded no transactions, either out or in, according to the Blockchain.

We also know he thinks big, since the normal CryptoWall decrypting ransom is $1,000 and in this case he was asking for between three and fifty times as much, depending on when the transaction took place.

Well, the original Guy Fawkes was a big thinker, too, and look where that got him.