Beware, fake ransomware attacks are making the rounds again.

Don’t get me wrong, there are still tons of legitimate ransomware attacks circulating, but the fake ones seem to ebb and flow as well. Below is an email that we received this morning. The domain is one that’s legitimately ours, but a) it’s unused and b) there’s no database there. So it’s a complete farce, but it’s an excellent opportunity to highlight some key things to watch out for to protect yourself. If you get a similar email (these tend to be pretty boilerplate), know that it’s likely false. Another popular pretext is that some random attacker has caught you in ‘compromising positions’ or watching ‘illicit material’.

  • The email is regarding an unused domain.
  • Since the domain name is unused, there’s no database there for the attackers to have downloaded.
  • The email was sent to a honeypot address (it’s a good plan to have those).
  • The email suggests that a vulnerability was used to compromise the site. This is a good reminder of the importance of a comprehensive patch management program that includes not just your workstations and internal servers but webservers and applications as well.
  • The intent of the email is to spark a fear response to make the victim act instead of think. Think first and, in many cases, you’ll be fine.
  • Many organizations have policies in place to forward suspected phishing emails or malspam to their IT Department or Incident Response team. If you don’t have a team to help with this type of attack, definitely give us a call; we’d be happy to help.
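
The checks in the list above can be scripted for whoever triages reported mail. The following is an added example, not code from this post's author: it compares an extortion email's claims with a local asset inventory and a honeypot list. The domains, addresses, inventory layout and marker patterns are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed inventory: domains you own and whether a database runs there.
ASSETS = {
    "unused-example.test": {"has_database": False},
    "shop-example.test": {"has_database": True},
}
HONEYPOTS = {"trap@unused-example.test"}  # constructed honeypot mailbox

MARKERS = {
    "breach_claim": re.compile(r"\b(hacked|extracted|leak(ed)?)\b", re.I),
    "payment_demand": re.compile(r"\b(bitcoins?|btc)\b", re.I),
    "deadline": re.compile(r"\bwithin \d+ (days?|hours?)\b", re.I),
}

def triage(raw):
    """Compare an extortion email's claims with what the inventory says."""
    msg = message_from_string(raw)
    # Plain-text parts only; transfer-encoded bodies would need decoding first.
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}
    markers = [name for name, rx in MARKERS.items() if rx.search(body)]
    assets = [ASSETS.get(a.rpartition("@")[2]) for a in rcpts]
    # The claim cannot be ruled out if a recipient domain is missing from the
    # inventory or really does host a database (or the To header is empty).
    needs_check = not assets or any(x is None or x["has_database"] for x in assets)
    if not markers:
        verdict = "no extortion markers"
    elif needs_check:
        verdict = "escalate to incident response"
    else:
        verdict = "report as malspam"
    return {"markers": markers, "honeypot": bool(rcpts & HONEYPOTS),
            "needs_check": needs_check, "verdict": verdict}

# Constructed sample modelled on the message quoted in this post.
SAMPLE = """\
From: sender@mail-example.test
To: trap@unused-example.test
Subject: Your website

We have hacked your website and extracted your databases.
The current fee is $1500 in bitcoins (BTC). You have to make payment
within 5 days after receiving this e-mail.
"""

if __name__ == "__main__": print(triage(SAMPLE))
```

A message that names a domain with a real database, or a domain missing from the inventory, is escalated rather than dismissed, since the inventory alone cannot contradict its claim.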


We have hacked your website and extracted your databases.

How did this happen?

Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.

What does this mean?

We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.

How do I stop this?

We are willing to refrain from destroying your site’s reputation for a small fee. The current fee is $1500 in bitcoins (BTC). 

Please send the bitcoin to the following Bitcoin address (Copy and paste as it is case sensitive):

bitcoin address redacted

Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment within 5 days after receiving this e-mail or the database leak, e-mails dispatched, and de-index of your site WILL start!

How do I get Bitcoins?

You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM. We suggest you to start with, or do a google search.

What if I don’t pay?

If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers.

This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we will stop what we were doing and you will never hear from us again!

Please note that Bitcoin is anonymous and no one will find out that you have complied.