Many Australians Forced To Pay For "Unbreakable" Cryptolocker Ransomware

An anonymous reader writes: Australians are paying thousands of dollars to overseas hackers to rid their computers of an unbreakable virus [Cryptolocker]. The deputy chairwoman of the Australian Competition and Consumer Commission, Delia Rickard, said over the past two months there had been a spike in the number of people falling victim to the scam. The commission has received 2,500 complaints this year and estimates about $400,000 has been paid to the hackers. Bad news for Australians: this is just one of many targetting the country.

Every customer of mine

[dwywit]

Gets Cryptolocker installed. Via Group Policy, it prevents, among other things, anything being executed from the user's temp directory/ies - which is where email attachments are placed for whatever operation they require - picture preview, etc. It's not a guarantee, but it presents a big obstacle to any attacker attempting to fool a user into executing their code simply by opening an email.

Not affiliated, just a happy user.

Re:Every customer of mine

[Billly Gates]

It can still get on via angler malware kit. The type from yahoo.

It is run only from ram making it impossible to block or detect.

Re:

[Dutch Gun]

Every customer of yours gets Cryptolocker installed? You must not have a lot of repeat customers!

I'm guessing you meant to type something other than "Cryptolocker" there?

I'm sort of curious how this ransomware is being executed by clicking on a single link in an e-mail, as is implied in the stories. Surely this can't be done without an exploit in a modern browser and OS, right?

Re:

[Z00L00K]

I assume that it's Bitlocker, not Cryptolocker.

Re:Every customer of mine

[dwywit]

Oh, bloody hell.

Cryptoprevent from FoolishIT

Re:Every customer of mine

[dbIII]

I'm sort of curious how this ransomware is being executed by clicking on a single link in an e-mail

How?
"Outlook not so good."
Actually it's the combination of MS Outlook and IE that have such a "feature" for convenience. All it takes is for IE to be directed to the site and it helpfully runs the malware - no questions asked.

Some of the emails have been from the tax office (equivalent to IRS), some have been about package deliveries with a tracking link and others have been about speeding fines. They are aimed squarely to catch people who are not idiots, just not as paranoid about computers as is required these days.

There have been a few articles about it over the last year apart from the article linked above.

Downmod by a fanboy?

[dbIII]

Now that's just pathetic - modded down for pointing out the vector of infection by some fanboy that wants to pretend even MS products being discontinued are perfect.
There is nothing inaccurate in the above post. Not liking reality is no reason to mod down a post describing reality.

Re:

[dbIII]

It's at the top of the post - the portion quoted.

Re:

[Dutch Gun]

I suspect you got downmodded because you're making a very extraordinary claim. You're telling me that Outlook or IE actually runs an executable with no additional warnings? I'm sorry, but unless you show me some proof of that, I find it incredibly hard to believe.

Take a look at this simulation video showing the infection process [box.com]. How many steps did the user have to take to extract and then execute the Cryptolocker installer? They had to click on the attachment and save it to disk, unzip the contents, an

Re:

[dbIII]

You're telling me that Outlook or IE actually runs an executable with no additional warnings? I'm sorry, but unless you show me some proof of that, I find it incredibly hard to believe.

Wow!
I'm not sure why you are commenting on this thread since you don't know of the most complained about problem with MS Outlook. I suggest you google it and whatever article on an antivirus site that turns up looks as if it's the most interesting. It's big business building a third party wrapper around MS Outlook to provid

Re:

[dbIII]

or we'd all be swimming in malware by now

Yes
It's a malware swamp beyond the dreams of bad SF out there. Hundreds of new "owned" systems are trying to break into my network daily before being blacklisted, not to mention thousands of spam messages from spambots, and that's just one IP address on the net that the script kiddies don't know from any other. Systems that are actually being targeted have to deal with far more.

Re:

[dbIII]

I saved you the trouble of googling - move down to the heading "Be Careful of Links" to see where the problem still lies:
http://www.howtogeek.com/13554... [howtogeek.com]

Clicking on the wrong link will helpfully open IE which will then helpfully run the script that installs and runs cryptolocker - hence the problem discussed here!
In news reports it has been links that are supposed to be about speeding fines, parcel tracking and tax refunds. I've seen a couple where the link said "here is your invoice", and the sort of

Re:

[dbIII]

I mean ... how many millions of bad examples does someone need before they start taking this more seriously?

Millions of bad examples to people like us that pay attention to computers, but the first one to secretarial staff who do not. Better spam filtering has just led to people who don't understand that there is a deluge of shit flooding the internet, so they trust the bits that float through. I had one today that opened up a very suspicious email in MS Outlook just so that they could send me a screensho

Re:

[Lumpy]

Which blows my mind that windows allows to begin with.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[dwywit]

Try this:

http://serverfault.com/questio... [serverfault.com]

Go Mel Gibson on this.

[Z00L00K]

Like the movie Ransom [imdb.com] with Mel Gibson.

But having backup of your files is always a good idea.

Re:

[jez9999]

DUMB.

Re:

[moeinvt]

So, make a public announcement offering double the number of bitcoins the extortionist is demanding as a reward for the person's capture?

Re:

[Jeremi]

So, make a public announcement offering double the number of bitcoins the extortionist is demanding as a reward for the person's capture?

"The extortionist" is usually an entire gang of people, not just one person. I don't know how many bitcoins you'd have to offer to get someone to capture the Russian Mafia, and I can't imagine that gambit ending well in any case.

How come?

[ruir]

Quick, you should pass a law for all that non taxable revenue....

Re:

[Z00L00K]

How do you know that it's not taxable? The problem is to figure out where the taxes should have been paid.

Re:

[Rei]

One can be pretty confident that the answer is "Russia".

And they've probably already IDed some if not all of the people involved, but there's no way they'd serve Russia with a warrant for their arrest (Russia would never hand them over) rather than keeping sealed charges on them and waiting for them to slip up and travel internationally.

Re:

[ruir]

Id love you to explain how they have IDed them with virus-like propagation and bitcoin payments...

Re:

[ruir]

I am just being ironic about australia being a hole where everything technology based and made being restricted and ridiculous expensive due to taxes.

maybe they learn something

[hvulin]

Maybe they learn something from this... If not, there is allways the next time!

Re:

[Z00L00K]

You mean that the successor to Cryptolocker will be worse?

Hello I am from Telstra Internet Services

[trabby]

Private Number: "Hello I am from Telstra Internet Services and you have a problem with your computer"
Me: F**k o** you scamming c***
*End Call*

Been getting those at least once a month now.

Re:

[MrNaz]

Do a reverse fish. Tell them that you'll give them anything they want, but you've run out of prepaid broadband credit. They need to send you $30 so you can buy another voucher.

Industrial scamming

[dbIII]

They do hundreds a day and have a script - your reverse pfish is not in the script to deal with so even if they are gullible enough it's not going to happen.
The best I've done is ask one Indian lady on the line why she's working for such criminals despite having perfect English - that got a bit of an offscript response. I no longer have a phone on my landline so no longer have to put up with those scammers.

Re:

[dwywit]

Oh, surely you can do better than that?

"which computer? I have seven"
"all of them sir"
"even the ones not connected to the internet? which one do you want me to turn on?"
"any computer, sir"
"so, what are the error messages?"

and so on. Had one of them on the line for almost 20 minutes. In the end he screamed obscenities at me and HE hung up. I told one girl her mother would be ashamed of her, I told another one I couldn't get to the computer because I had a broken leg. Even told another that the call would be

Re:

[U2xhc2hkb3QgU3Vja3M]

You could try the classic "Your mother was a hamster and your father smelt of elderberries!"

Re:

[donak]

I told one woman "I use Linux on my computers".
She apologised for wasting my time and hung up ... leaving me flabbergasted.

Education, education, education...

[jandersen]

1) Make sure users, especially Windows users, are well educated enough to not run things or accept things that pop up in the browser or is sent in an email.

2) Make sure that all users have Adblockers, No-Script etc installed by default. It is more trouble initially, but it gives you a chance to stop and think, and after a while you will have trained yourself and your browser to allow you to do your work with a minimum of pain.

3) Always run Windows in a VM under Linux - and make regular, dated backups of the

This is slashdot...

[TapeCutter]

...we start lists at zero around here.

0 - Prevention is preferable to cure, avoid giving your PC the power to crash your life in the first place.

Re:

[U2xhc2hkb3QgU3Vja3M]

So... get them an iPad instead of a fuckin' Windows PC?

Re:

[Mashiki]

The same type of ransomware has been hitting mac's for at least two years now.

Re:

[sims 2]

I haven't seen any malware that affects ios yet.

Well aside from cydia, cydia has infected about 14 million devices. It allows users to run apps not approved by apple its Awful.

To think some people could use their phone as a flashlight without apples approval. The horror!

Re:

[U2xhc2hkb3QgU3Vja3M]

Apple has a "flashlight" mode/icon right on the... bottom-up-swipe-thingy page. Not sure what to call it.

Re:

[sims 2]

Just fyi there was a time when apple did not allow apps to use the camera flash as a flashlight. They said it was a inappropriate use of hardware. Years ago now but some of us still remember. http://www.engadget.com/2010/0... [engadget.com]

http://www.macrumors.com/2010/... [macrumors.com]

Re:

[dbIII]

1) Make sure users, especially Windows users, are well educated enough to not run things or accept things that pop up in the browser or is sent in an email.

"I know I'm not supposed to do it, but I was expecting a ..."
We can't really blame the users for this one and education hasn't fixed the problem. The malware swamp we are sinking into would not be happening if the software environment was not such a mess.

3) Always run Windows in a VM under Linux

One thing that is getting victims is encryption of files o

Re:

[U2xhc2hkb3QgU3Vja3M]

Real offline backups are of course the only way to be really sure.

But only if they're nuked from orbit.

Re:

[donaldm]

1) Make sure users, especially Windows users, are well educated enough to not run things or accept things that pop up in the browser or is sent in an email.

You do realise that trying to educate most MS Windows users is like trying to drain a lake with a colander.

2) Make sure that all users have Adblockers, No-Script etc installed by default. It is more trouble initially, but it gives you a chance to stop and think, and after a while you will have trained yourself and your browser to allow you to do your work with a minimum of pain.

Well I suppose if you are the System Admin but that would be a really thankless job.

3) Always run Windows in a VM under Linux - and make regular, dated backups of the Windows disk images (the VM disk images!). If shit happens, you can quickly go back to a version that works.

Honestly lets be real here. How many MS Windows users would even know how to install a Linux distribution much less run a virtual machine with MS Windows running in it and as for making backups of the virtual images - err lets not go down that path. In fact how many people actually know how to install MS Widows from scr

Re:

[david_thornley]

1) The attacker gets numerous attempts to fool the user, and only has to win once. By chance the attackers are likely to hit on something that will fool some users sometime.

2) NoScript is a pain to use properly. I have it, but I couldn't recommend it to unsophisticated users. They're going to get into a reflex of "allow all on page", and eventually will switch to allowing everything, because "temporarily allow on on page" does not always work.

3) Does all software run satisfactorily in a VM? Is it

Solution

[sociocapitalist]

Backup in depth:
'real time' (ie Apple's time machine)
+ Daily
+ Weekly (put aside)
+ Monthly (stored offsite)
+ Yearly (stored off-offsite)

Re:

[sociocapitalist]

More important than having a backup is having a backup that isn't also encrypted. Cryptolocker takes some time before it reveals itself, so if you do things normally (backup to external drive of sorts), you have to go back to an old backup and lose everything you created since then. Backups on drives which are in reach of Cryptolocker are useless because they're also encrypted, so you might even have lost backups from before your computer got infected. A proper backup routine requires a secondary machine which reads from the host and writes to a drive which is at most read-only accessible to the host. At the moment, that would give you a working recent backup, but obviously Cryptolocker could detect this and not decrypt the data for the backup agent. Then you'd also need to check the validity of the data on the backup system.

Which is why I said 'put aside' and 'offsite' and off-offsite' and 'over time' - all of which are unreachable by Cryptolocker as they're not connected to the system after the backup is taken.

With the schema I described you have a minimum of 25 full backups of various times from one day to however many years you feel like backing up. Nothing that was backed up before the cryptolocker got in would be lost.

Scam?

[Kjella]

Scam would imply this is some kind of fraud or swindle, like a con artist trying to trick you. This is plain extortion, they've kidnapped your data and is holding it ransom. If bad things really do happen if you don't pay, it's not a scam any more than being robbed at gunpoint is.

Re:

[Black Parrot]

Scam would be if they didn't unlock it when you pay.

Re:

[Ihlosi]

Scam would imply this is some kind of fraud or swindle, like a con artist trying to trick you.

Yes. They're tricking you into going to their landing page. Otherwise, you would voluntarily access a page that solely exists to unleash an exploit kit on whoever accesses it.

Correction

[Ihlosi]

you would... ... not ...

GST?

[nighty5]

I hope that the ATO is getting their fair of the GST on these ransomware demands.... The lack of tax on overseas purchases are taking our jeeerbs!

Re:

[dwywit]

We just found Gerry Harvey's /. handle.

Seriously, they want to drop the threshold to AUD$20? I thought it was uneconomic to collect the tax below purchases of AUD$100?

I'll just buy books one at a time. Makes no difference to me, the book depository has free shipping.

Re:

[petermgreen]

Seriously, they want to drop the threshold to AUD$20? I thought it was uneconomic to collect the tax below purchases of AUD$100?

mmm, thats the situation we have in the UK (and I belive the EU in general) and it sucks. Order a £16 (inc delivery) item from outside the EU, pay £3.20 VAT and pay ~£10 handling charge for collecting the VAT.

One client has fallen for it four times

[Gumbercules!!]

I know someone who personally accounts for 4 of those installations. On the same computer. Because she's fallen for the same frikkin scam four times. Every time I ask her "why did you open an email claiming to be from the IRS, when we don't have an IRS in Australia", she tells me "because it sounded real". You should see the grammar in these scam emails, too: they're written like "please effective the transactionments with the rapid or we can has your cheeseburgers". Yet she's still fallen for it. Four. Times.

Fortunately, I back that site up effectively.

Re:One client has fallen for it four times

[MrNaz]

Have you considered replacing her computer with one of those Fisher Price toy computers that just makes beeping noises when you press the keys? From what you say, it doesn't seem like she'd notice.

Re:

[Gumbercules!!]

Yeah it's not a stupid idea, either. From what I can tell, her job description is mostly to make up work to do to keep herself busy.

Re:

[Gumbercules!!]

Ha! She was probably very pretty about 30 years ago - and her boss is also a later-middle aged woman, so I think that's... improbable. So far as I can tell, her job description is 100% to shield her boss from having to deal with anyone (she's a P.A.). And she's very good at it - if you even meander slightly near her boss's door, she'll just about spear tackle you to stop you going in there and she's no different when it comes to phones or other forms of shielding her boss from annoyances. But when it comes

Re:

[dbIII]

Have you considered replacing her computer with one of those Fisher Price toy computers that just makes beeping noises when you press the keys? From what you say, it doesn't seem like she'd notice.

That's the problem - after 2000 we replaced the real computers with Fisher Price toys with some insecure shit from Microsoft on it.
Outlook not so good.

Re:

[operagost]

Obligatory Dilbert:

http://dilbert.com/strip/1995-... [dilbert.com]

Re:

[ebvwfbw]

I remember when this came out. http://dilbert.com/search_resu... [dilbert.com]

Re:

[dwywit]

I hope your service fee increases by the square of the number of incidents?

On a related note, I have to thank Microsoft for Windows 10. I think it'll make me rich. I've bumped my hourly rate by 10% for Win 10 service calls.

Re:

[account_deleted]

Comment removed based on user account deletion

Sue Microsoft for making shitty software

[AndyKron]

Sue Microsoft for making shitty software.

Re:

[CastrTroy]

It's not Microsoft's fault. Pretty much any operating system can have this problem. There's a version of Cryptolocker that attacks Mac OSX machines as well. Unless you want to be stuck inside something like iOS, where you can only run an approved list of programs, then you're going to end up with people who run anything and everything causing security problems for themselves.

You can typically get *some* data back...

[iMouse]

CryptoWall/CTB-Locker/Cryptolocker (or whatever the variant's name is this month) seems to have difficulty with or is rather slow at getting to data stored in the container for the Volume Snapshot Service. For businesses that do not allow their users to run as administrators (or have them elevate from a privileged account), they can typically restore a reasonably recent snapshot of data folder by folder using the Previous Versions option.

If the user is an admin, I've found that the window for recovery using VSS is smaller, but certainly better than nothing. Network shares should be restored from backups or VSS from the server (if Windows). I haven't figured out what to do with flash drives quite yet....even most data recovery software doesn't find much since the files are never really erased, just overwritten with encrypted copies.

Question

[sociocapitalist]

It seems like it shouldn't be too hard to MD5 / SHA / whatever hash every file of the types that are targeted - a la tripwire.

Do such solutions exist for the various targeted OSs?

Just makes you wonder...

[JustNiz]

Kinda like suddenly running into the middle of a busy road and getting hit by a car. Even though pedestrians have the right of way, any court of law would blame the pedestrian.

So there is a much better, more secure, more useable and more professional product out there than Microsoft Windows, and its even free (Gnu/Linux), yet many dumbasses still choose to buy and use Windows instead and also not even back up their files, even though Windows has a decades long history of being easily hacked and Microsoft ha

Re:

[techno-vampire]

Even though pedestrians have the right of way, any court of law would blame the pedestrian.

Wrong. The pedestrian has the right of way, therefor the driver by law is automatically at fault.

Re:

[JustNiz]

so if someome just steps off the pavement right infront of a car, close enough that the driver had no possibility of avoiding him, then its still the drivers fault?

Re:

[techno-vampire]

IANAL, but my guess is that that would be considered extenuating circumstances as far as legal action is concerned, but it would still go on the driver's insurance.

Re:

[techno-vampire]

That may be true where you live, but where I live the pedestrian's right of way is absolute and can't be waived. If a pedestrian is in the street and waves a car past, the car's driver can (but probably won't) get a ticket if a cop sees it.

Scam == one more type of drive corruption

[Jeremi]

Sociological issues aside, getting bit by one of these scams is functionally equivalent to having your hard drive become corrupted, and the obvious solution is the same -- restore your data from backup.

The thing that motivates people to pay $$$ to the scammers (and thus motivates the scammers to keep causing trouble) is that too many people don't back up their data, and thus it costs them less to pay off the scammers than it would to reconstruct whatever was on their hard drive.

Given the low cost of hard dr

look they're just not paying attention

[DrKarlEvanHallowell]

Australians are known for that.

Re:

[greenfruitsalad]

but shouldn't they be used to this? i mean EVERYTHING in that country evolved to kill them. what's a bit of ransomware compared to magpies attacking their eyes when they go shopping? ever touched gympie gympie? just look at children armed with dingo sticks on their way to school... WTF is ransomware compared to that? on a scale of 1 to 10, this sofrware must be -5.

Re:Silly bogans...

[mjwx]

The real risk are the Drop Bears. Suicidal little buggers. Gotten worse since they figured out how to make explosives.

Seriously, a lot of Australians are just idiots. Computer technology has proliferated in the last 20 odd years but brains haven't. Almost everyone now has some kind of computer and has to use one for work but cant seem to grasp the basics of security. I have to wonder if these people would open a package some random stranger gave them on the street.

Combine this with the fact there is a large subculture glorifying idiocy and backwards thinking in this country (that's about to become a serious problem, but that is for another thread) and it's little wonder that people are getting Cryptolockers.

I have no sympathy for them, its the sysadmins that have to restore backups that I feel sorry for. Inevitably Braindead Bruce will get angry at the sysadmin when they find out that Bruce didn't keep backups of his important files (read: porn and car pictures).

Re:

[Lumpy]

Sounds exactly like the United States.

Re:

[U2xhc2hkb3QgU3Vja3M]

Sounds exactly like the south of the United States.

FTFY.

Re:

[bev_tech_rob]

Sounds exactly like the south of the United States.

FTFY.

To be more precise, Texas..

Re:

[kilfarsnar]

Sounds exactly like the south of the United States.

FTFY.

Don't kid yourself.

Re:

[Curunir_wolf]

Sounds exactly like the south of the United States.

FTFY.

Didn't you get the memo? It's not the South that's standing in the way of the Progressive New World Order any more, it's "Rurl 'Merica" [cnsnews.com].

Re:

[Chrisq]

The real risk are the Drop Bears. Suicidal little buggers. Gotten worse since they figured out how to make explosives.

The drop bears have become Muslims?

Re:

[Anonymous Coward]

Of course Australians are a massive target. Unlike the Americans and Europeans they have jobs and money.
No point targeting the Euros as they have enough problems with their banks running out of cash and them having to live on $100/week. The USA ??....lol....they're either all on food stamps or they can't pay the electric bill, let alone have enough left over to send as bitcoin for a ransom.

Nah....it's a canny move by the ransomware authors. Hit the affluent, ignore the destitute.

Re:Silly bogans...

[Ihlosi]

WTF is ransomware compared to that?

Current ransomware will just destroy your data. But wait until the crimeware authors switch to "pay us X btc, or we'll make make your online activitiy look like that of a terrorist."

Re:

[Christian Smith]

WTF is ransomware compared to that?

Current ransomware will just destroy your data. But wait until the crimeware authors switch to "pay us X btc, or we'll make make your online activitiy look like that of a terrorist."

And you'll have the crimeware alibi as well to provide reasonable doubt. Wouldn't get a cent out of me.

Re:Silly bogans...

[Ihlosi]

And you'll have the crimeware alibi as well to provide reasonable doubt

If you survive the raid on your house.

Think "swatting", just done for profit and on a larger scale. And these criminals usually don't get caught, unlike the usual revenge swatter.

Re:

[dbIII]

ever touched gympie gympie

It's only ever killed one person from memory - a twenty metre tall tree does that to you if it falls on you, stinging leaves or not. However there's plenty of immature trees with leaves at heights that can sting anyone walking past.

http://anpsa.org.au/APOL2007/sep07-s2.html

It hurts like stinging ant bites, a bit of pain to start with and then it fades a bit but is still there. Adding water later makes it hurt again, as much or more than the initial sting. There's not a lot you

Re:

[KGIII]

I have (had, really) a lady friend who was fairly young and lived in a tiny place called Cann River. We met online and I, being a pervert, went to Australia to meet them in person. I stayed for a couple of weeks the first time and then for about a month the second time and all was well and good. Anyhow, not long after I left, she was on her way to work at a coffee shop/cafe type of deal and was walking there when she was attacked and suffered some real damage from a magpie.

I do not really have a point, I se

Re:

[Billly Gates]

That is a very misinformed post

Re:

[ttucker]

That is a very misinformed post

Is that full disclosure or something?

Re:

[Anonymous Coward]

Not necessarily. Synology NAS users fell victim of this. Synology took way too long to alert their users, instead, pretending nothing was happening, or silently ignoring the issue of their failure to update their software (which is OSS and already fixed). Eventually they addressed it, but the time they took was disgraceful, and even then, they failed to alert their registered users what was affecting their products.

So how about you not blaming the victims until you have facts to hand? Email is merely one v

Re:Silly bogans...

[dbIII]

Do you actually check server longs?

In Australia we call them waiters, and no, I like the girls too much to be interested.

Re:

[alex67500]

Not necessarily. Stupid Synology NAS users fell victim of this.

FTFY. You don't leave it open for Internet access.

Re:

[Curunir_wolf]

Not necessarily. Stupid Synology NAS users fell victim of this.

FTFY. You don't leave it open for Internet access.

This. File system sharing protocols are inherently insecure. Doesn't matter if it's Samba, CIFS, NFS, and whatever Microsoft is calling the Windows version of SMB these days - they all have serious vulnerabilities that can be exploited from a public interface. Don't expose them to the world.

If you want to share files on the public Internet, there are better ways. Lots of ways to do it on a web-based platform. And share copies of stuff, and keep your system isolated. If you are using these Internet-b

Re:

[viperidaenz]

The ones who took stuff and held it to ransom?
I'm assuming not the ones to sell a product to make a profit.
$5000 per user per year, That's $2.50 per hour for a full time employee.
If your clients paid those people $2.50 more per hour (or hired someone else), would they be as productive with a free CAD tool?

Re:

[cheater512]

Or would the employees be more productive with a $2.50 pay rise?

Re:

[Rei]

And how exactly do you plan to convince Russia to hand over its citizens?

Re:

[U2xhc2hkb3QgU3Vja3M]

Because America, Fuck Yeah!, that's how.

Re:

[Rei]

The ringleader of the cryptolocker gang is Evgeniy Bogachev, aka "lucky12345" and "slavik". He's praised as a hero back home [telegraph.co.uk].

The simple facts are that most of these programs trace back to organized crime in Russia, which takes advantage of the fact that Russia shelters them from extradition.

Now, do I even need to go into any of the absurdity that you posted? Meh, let's do it for fun.

1. Malware != advertising spam

2. Advertizing spam is spread by botnets with service purchased from the operators of the botne

Re:

[Viol8]

I think I've found the flaw in your idea:

"Restore from backup "

What backup? The sort of people that get stung by this are the sort too stupid to make backups. Assuming they even know how.