How To Tell If a Ransomware Message Is Real or Fake

Imagine that you are working at your computer and, thanks to a bad internet search result, you end up clicking on a link that opens a sketchy website. You immediately click away, but a couple of minutes later you are presented with the dreaded ransomware message and a demand for payment. What do you do next?

Before you start restoring backups or shelling out Bitcoin payments, take a few moments to determine whether you have actually been infected with ransomware. Believe it or not, there is no shortage of fake ransomware attacks.

Why Would Anyone Create a Fake Ransomware Attack?

There is obviously no shortage of real ransomware attacks, so why would anyone bother creating a fake one? This question seems especially odd given that do-it-yourself ransomware kits are readily available.

Any number of reasons could explain why someone might create fake ransomware. One possible reason is that a cybercriminal may believe that they can escape prosecution (or receive a lighter sentence) if they can prove that the ransomware is harmless.

Another possibility is that the fake ransomware author simply lacks the skills to create real ransomware. Even though they could purchase a plug-and-play, DIY ransomware kit, these kits almost always require sharing ransom payments with the kit’s creator. A cybercriminal who creates fake ransomware may simply want to avoid having to share the profits with anyone.

Related:8 Tips for Creating a Ransomware Response Plan

One more possibility is that the criminal is acting opportunistically. There is no need to create real ransomware if there is a good chance that victims will see the fake ransomware message, assume that it is real, and pay the ransom.

How Can I Tell if a Ransomware Message Is Fake?

It can be a little bit harder to distinguish between a real ransomware infection and a fake one than you might think. To show you what I mean, see Figure 1. Do you think that this is a real ransomware infection or a fake one?

Fake Ransomware 1

Figure 1. Is this ransomware message real or fake?

Believe it or not, this is a fake ransomware message, although it looks real. It includes many of the same elements that you would expect to see, such as a threatening message complete with bad grammar and typos. It even has a menacing countdown timer.

In this case, what you see in Figure 1 was created by a tool called Crypto Prank. Despite its name, this tool is sometimes used as a cybersecurity teaching aid.

But let’s suppose that you walked up to a computer and saw the screen displayed in the figure above. How could you figure out that the machine is not actually infected?

The first thing that I would recommend doing is launch the Task Manager. Figure 2 shows what happened when doing so.

Fake Ransomware 2

Figure 2. This is what happens when I open Task Manager.

Task Manager revealed that the only application running is the Microsoft Edge browser. So, where did the ransomware go? The ransomware attack was in fact being displayed in a browser window. Pressing the F11 key causes the browser to go to full-screen mode (hiding the address bar and the toolbar). If you look closely at the screen capture shown in Figure 1, you will notice the close button in the upper-right corner of the screen. A real ransomware module probably isn’t going to feature a close button.

Incidentally, the authors of Crypto Prank added a little bit of extra realism by triggering a fake blue screen of death (BSOD) when you click the close button, like the one shown in Figure 3. Again, though, a quick check using the Task Manager reveals that the BSOD is just a page displayed in a browser. In fact, pressing F11 to take the browser out of full-screen mode confirms that it is a browser page and fake ransomware screen.

Fake Ransomware 3

Figure 3. Attempting to close the ransomware triggers the blue screen of death.

Fake Ransomware 4

Figure 4. Even the blue screen error is just a webpage.

Checking the Task Manager and pressing F11 are good preliminary steps for determining if a ransomware message is real or fake.

However, a fake ransomware message can sometimes take things a little bit further to convince you to pay a ransom. I once saw a “fake” ransomware infection that renamed files but did not actually encrypt them. The files were given an extension of .Encrypted, which, of course, broke the file associations. Simply renaming the files returned them to their original state.

Conclusion: Can Fake Ransomware Point to a Real Problem?

Unfortunately, even a fake ransomware attack can signal a real security vulnerability (assuming the attack used something more elaborate than Crypto Prank). After all, it means that a wannabe ransomware author managed to run code on your system.

Even though the code eventually proved to be relatively benign, the simple fact that the code ran at all shows that your system is vulnerable.

Recommended: Check out our new 2022 Ransomware Security Report