
Examples of ransomware incidents

Read through the following case studies. Learn from other Australians how ransomware has affected them.

Meet the Croft family

Tania, Daniel, and their two children share a family desktop computer. It runs Microsoft Windows 10. They use it for homework, storing family photos, and playing video games. They also use an iPad for social media. All the devices are connected over the home Wi-Fi.

The incident

One of the Croft children wanted Tania to read a school assignment. Tania sent the document from the home computer to her work email account. She edited it from her work laptop and sent it back.

When Tania reopened the assignment on the home computer, she noticed that all of the documents looked different. They did not have the usual “.docx” file extension. When she tried to open the file, it asked her for a password. Tania did not password protect the file, so she thought this was odd.

A few minutes later, instructions to pay a ransom of 1 bitcoin were displayed on the screen.

Recognising this as ransomware, Tania performed the following steps:

  1. She did NOT pay the ransom.
  2. She immediately disconnected all the family’s devices from the home Wi-Fi.
  3. Tania took a photo of the ransom note on her screen. She also wrote down the details of the malicious file extensions.
  4. She then opened Task Manager. Tania noticed that a program she did not recognise was responsible for most of her computer’s disk usage. Using Task Manager, she force-quit the application to stop it.
  5. Tania then ran a full scan with Microsoft Defender Antivirus.
  6. Tania spoke to her children and found out one of them turned off automatic updates months ago.
  7. Tania then sought help from an IT professional. She searched “Computer virus experts near me” and contacted a supplier that offered help with ransomware attacks. They backed up her encrypted files to a blank external storage device and removed all ransomware from the computer.
  8. Once Tania had confirmation her device no longer contained ransomware, she reconnected her laptop to the Internet. She then updated to the most recent version of Microsoft Windows 10.
  9. Tania and her family then enabled multi-factor authentication and changed their passwords to more complex passphrases for all their social media and email accounts.
  10. The IT professional restored a backup of Tania’s files using an existing backup drive Tania provided. Unfortunately, the backup was a few months old, so some data was lost.
  11. Tania and Daniel checked their iPad, work phones, and work laptops, and found no other changes. They reported the incident to the ACSC using the ReportCyber tool.
  12. Tania went through each of the family’s devices and followed the ACSC’s Prevention and Protection Guide to help protect against future ransomware attacks.
  13. The Croft family held onto the external storage device with the encrypted files. Tania is hopeful that one day a decryption key will be available.

After the incident

The family decided to never turn off automatic updates or Microsoft Windows Defender.

They agreed to back up files to an external storage device every fortnight.

One year later, Daniel told Tania that No More Ransom had released decryption tools. The tools could decrypt files locked by the same ransomware that had encrypted her files. Daniel followed the user guide on No More Ransom to decrypt the hard drive and recovered the locked data.



Always backup

The story

Jamil’s Car Hire is having trouble connecting to their servers. They can’t access any of their systems.

After checking the servers, Jamil sees a ransom demand on the console desktop. The demand claims that the attackers are distributing explicit material from the system.

The note says that upon payment, the business will receive a decryption key. Jamil doesn’t want to pay the ransom, but their team can’t get past the encryption.

The outcome

Jamil’s Car Hire has recent backups that are not encrypted. This means the business can restore their systems to working order.

Jamil also reports the ransomware incident to ReportCyber.


Losing everything

The story

One day, the team at Daisy’s Spa finds their system encrypted. Using No More Ransom as a guide, they believe the infection is a Dharma ransomware variant.

They find that all files on the system now have a .wallet extension. Unfortunately, these files include the system backup files.

The staff find a ransom note on their servers. The note tells them how to contact the cybercriminal to request the decryption key.

The outcome

Daisy’s Spa works with their IT team to find a decryption key, but is unsuccessful.

All system backups are also encrypted. This means Daisy’s Spa can’t restore their systems. The business suffers a significant financial loss while rebuilding their systems. They also lose large amounts of client data.

Daisy’s Spa reports the ransomware incident to ReportCyber. They also notify their clients and contacts about the breach.
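Two of the warning signs in these case studies can be checked with a script: documents that no longer carry their usual extension or no longer open as their file type (the Croft family), and backup files that were encrypted along with everything else (Daisy’s Spa, where even the backups gained a .wallet extension). The following triage check is an added example written for this page; it is not a tool from the ACSC, No More Ransom, or any of the businesses described. It assumes a small table of file signatures (magic bytes), a constructed list of words typical of ransom notes, and a constructed sample directory built in a temporary folder; the function and file names are the example’s own. Run it against a backup drive before relying on that drive for a restore.

```python
import os
import tempfile
import zipfile

# Constructed assumptions: signatures (magic bytes) for a few common file
# types and the extension each should carry when the file is intact.
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "docx",   # OOXML documents are ZIP containers
}
EXPECTED_KIND = {".pdf": "pdf", ".png": "png", ".jpg": "jpg",
                 ".jpeg": "jpg", ".docx": "docx"}

# Extension seen in the Daisy's Spa case; extend with others you observe.
RANSOM_EXTENSIONS = {".wallet"}
# Words that tend to appear together in ransom notes (constructed list).
NOTE_HINTS = ("encrypted", "decrypt", "bitcoin")


def detect_kind(head):
    """Return the file type implied by the first bytes, or None if unknown."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return None


def looks_like_ransom_note(path):
    """Small text file mentioning at least two of the hint words."""
    if os.path.getsize(path) > 65536:
        return False
    with open(path, "rb") as fh:
        text = fh.read(4096).decode("utf-8", errors="ignore").lower()
    return sum(word in text for word in NOTE_HINTS) >= 2


def scan_tree(root):
    """Walk a directory and return (finding_kind, path) tuples."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in RANSOM_EXTENSIONS:
                findings.append(("ransom_extension", path))
                continue
            if ext in EXPECTED_KIND:
                with open(path, "rb") as fh:
                    head = fh.read(8)
                # An intact .docx/.pdf/... starts with its signature; an
                # encrypted one does not, even when the name was kept.
                if detect_kind(head) != EXPECTED_KIND[ext]:
                    findings.append(("content_mismatch", path))
            elif ext == ".txt" and looks_like_ransom_note(path):
                findings.append(("ransom_note", path))
    return findings


def summarise(findings):
    """Count findings per kind; a non-empty result means isolate the machine."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def build_sample_tree(root):
    """Constructed sample: two intact backup files, two encrypted files, a note."""
    os.makedirs(os.path.join(root, "backup"), exist_ok=True)
    # Intact backup copies: a minimal OOXML-style ZIP and a PDF header.
    with zipfile.ZipFile(os.path.join(root, "backup", "assignment.docx"), "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    with open(os.path.join(root, "backup", "invoice.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n%constructed sample\n")
    # Encrypted files: one kept its name, one gained a ransomware extension.
    with open(os.path.join(root, "assignment.docx"), "wb") as fh:
        fh.write(bytes(range(200, 256)) * 4)
    with open(os.path.join(root, "photo.jpg.wallet"), "wb") as fh:
        fh.write(bytes(range(100, 160)) * 4)
    with open(os.path.join(root, "HOW_TO_RECOVER.txt"), "w") as fh:
        fh.write("Your files are encrypted. Pay 1 bitcoin to decrypt them.\n")


def demo():
    """Build the constructed tree in a temp dir and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return summarise(scan_tree(root))


if __name__ == "__main__":
    # prints [('content_mismatch', 1), ('ransom_extension', 1), ('ransom_note', 1)]
    print(sorted(demo().items()))
```

Point `scan_tree` at a mounted backup drive rather than the sample tree to check whether the backups are still usable: the two files under backup/ come back clean because their contents still match their extensions, while the encrypted copies in the root are flagged even where the attacker left the original name in place. A file-signature check of this kind is cheap to run each time a backup is taken, which is what lets a business end up in Jamil’s position (restorable backups) rather than Daisy’s Spa’s.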