We are all familiar with the story How the Grinch Stole Christmas! written by Dr. Seuss and published December 25th, 1956. A children’s story about a Grinch who attempts to end Christmas by stealing all the food, candies, decorations, and presents in Whoville, it captured the hearts of generations of children and adults alike. If you’re like me, you remember having the story read to you in elementary school and watching the animated movie every year on or around Christmas time.
At the end of this heartwarming story, the Grinch is surprised to hear the residents of Whoville singing a joyous Christmas song instead of cries of sorrow due to their stolen Christmas presents. Upon hearing the song, the Grinch ponders for a moment that “maybe Christmas, perhaps, means a little bit more” than just presents and feasting. The Grinch's heart suddenly grows three sizes larger, and he decides to return all the presents and trimmings he had stolen. The Grinch is then invited to the Whos’ feast where he has the honor of carving the Roast Beast, and everyone lives happily ever after.
A 21st Century Grinch
Fast forward 60 years and the Grinch who stole Christmas is not a bitter, cave-dwelling green monster. Instead, he is a cybercriminal composing emails and spamming tens of thousands of businesses and individuals with the goal of encrypting sensitive data and holding it for ransom. Christmas is a wonderful time for ransomware attacks because the main attack vector used by ransomware is your email.
In a typical attack, a cybercriminal sends out spam emails containing an invoice or past due bill. Once opened, the document runs a macro or script that downloads ransomware onto your workstation and that ransomware immediately starts encrypting data. Only after the attack has finished does the ransomware produce the actual ransom notes to demand payment.
According to Fortune magazine, e-commerce sites will hit a major milestone this holiday season as digital sales are expected to reach $94.74 billion this Christmas period. That means total online holiday season sales will surpass the 10% mark for the first time.
Putting it all Together
The fact that such a large number of purchases will occur between today and December 25th and so much of it will be purchased online means companies will be emailing receipts, invoices, statements and past due notices to millions of customers worldwide. Since the main attack vector in a ransomware attack is a spoofed email with a fake invoice, the holidays are an excellent time for a cybercriminal to run a ransomware campaign where their messages blend in with all the other legitimate emails customers are expecting to receive from online retailers.
Ded Crypto the Christmas Ransomware
Ded Crypto is a ransomware variant that targets both Russian and English-speaking victims. Once installed, the victim’s desktop will be changed to a ransom notice with a picture of an evil-looking Santa while it encrypts your files. The notice demands a payment of 2 Bitcoins, which as of today is almost $1,500! At that rate, I predict many Christmas funds will be depleted paying for file decryption since there is no known decryptor for Ded Crypto.
How to Protect Yourself from Christmas Ransomware
- Hover over links to identify spoofed links; make sure that an embedded link is taking you to the exact website it presents
- Inspect emails for obvious red flags: misspelled words, incorrect URL domains, unprofessional and suspicious visuals and unrecognized senders
- Visit the website of the company that allegedly sent the email to make sure the deal being advertised is also on the retailer’s homepage
- Do not click on any links in any email sent from unknown or suspicious senders
- Do not forward the suspicious email as you may just help spread the threat to others
- Do not download content that your browser or antivirus identifies as malicious
- Do not give away personal information like your credit card number, home address, or social security number to a site or e-mail address you think may be suspicious
The Best Protection Against Ransomware
There is a wide range of things you can do today to protect your network from ransomware attacks. In the article Best Ransomware Protection we outline a number of steps you can take to stop ransomware, but out of all the suggestions, only one doesn’t require constantly updating things like whitelists or software restriction policies and doesn’t rely on signatures the way antivirus does. CryptoStopper, which was developed by WatchPoint, uses Deception Technology in the form of watcher files placed in your important network shares. CryptoStopper continuously monitors the watcher files for the encryption process to start and will identify the ransomware attack in seconds. CryptoStopper will immediately isolate the infected workstation from the network, then shut down the workstation. Lastly, it will send you an email notification letting you know a ransomware attack has been discovered and contained.
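The watcher-file idea can be illustrated with a small baseline-and-compare monitor. This is an added example, not CryptoStopper's code or method; the decoy file names and the polling approach are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical decoy names for this example, chosen to sort early in a listing.
WATCHER_NAMES = ["!_accounts_2016.xlsx", "!_payroll_backup.docx"]

def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plant_watchers(share):
    """Write decoy files into `share` and return {path: sha256} as the baseline."""
    baseline = {}
    for name in WATCHER_NAMES:
        path = Path(share) / name
        path.write_bytes(b"watcher file, do not edit: " + name.encode())
        baseline[path] = _digest(path)
    return baseline

def check_watchers(baseline):
    """Return (file name, reason) for each watcher that was touched.

    No legitimate user has a reason to edit a decoy, so any hit is an alert.
    """
    alerts = []
    for path, digest in baseline.items():
        if not path.exists():
            alerts.append((path.name, "missing or renamed"))
        elif _digest(path) != digest:
            alerts.append((path.name, "content changed"))
    return alerts

def demo():
    """Plant watchers in a temporary directory, tamper with them, and re-check."""
    with tempfile.TemporaryDirectory() as share:
        baseline = plant_watchers(share)
        clean = check_watchers(baseline)
        # Stand-in for bulk file changes: overwrite one decoy, rename the other.
        first, second = list(baseline)
        first.write_bytes(os.urandom(64))
        second.rename(second.with_name(second.name + ".locked"))
        return clean, check_watchers(baseline)

if __name__ == "__main__":
    print(demo())
```

In a deployment, a non-empty result from `check_watchers` is the trigger for the response steps described above: isolating the workstation and notifying an administrator.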
Watch CryptoStopper Stop a Ransomware Attack