Ransomware victims pay cybercriminals to save family photos

A couple in Winnipeg paid $800 to cybercriminals to get precious photos of their children back after they were attacked by malicious software called ransomware. They hope others can avoid the same fate by learning from their story.

Theresa and Billy Niedermayer felt they had no choice but to cave in to the demand

A photo of the Niedermayers' three boys, Ethan, 13, Memphis, 6, and Braxton, 4, was among the precious family photos held for ransom by cybercriminals. (Theresa Niedermayer)

Theresa and Billy Niedermayer paid an $800 ransom to get precious family photos of their three young boys back from cybercriminals.

Their home computer had been seized by one of the more malicious malware programs spreading fast around the world.

Billy Niedermayer says he felt 'violated' after cybercriminals locked his computer files and demanded a ransom to get them back. (CBC)

Ransomware takes computer files hostageCybercriminals target photos, videos, spreadsheets, documents, slide presentations — anything that someone will pay to recover. The initial infection takes seconds.

In some cases, the malicious software encrypts the files so their owners can no longer read them. The data isn't compromised or removed, just locked down and inaccessible.

Try to access them and a ransom demand appears. Typically, cybercriminals demand upward of $500 US, paid in the untraceable cybercurrency bitcoins.

Billy and Theresa Niedermayer run a home business programming and selling Android TV boxes, but their tech background didn't stop them from falling victim.

They had backed up their data on an external hard drive, but kept it plugged in to the computer, allowing it to become infected along with the rest of the computer.

'I felt violated'

Faced with the potential loss of their boys' childhood photos and their wedding and honeymoon photos, along with their business records, they paid the ransom and got the code to unlock their files.

"I felt violated," Billy Niedermayer said from his Winnipeg home. "It felt frustrating that they’re taking our hard-earned money and they’re pocketing it and funding who knows what."

Billy and Theresa Niedermayer snapped this photo on their honeymoon in Mexico in 2012. Faced with the thought of losing photos of their wedding, their honeymoon, and their boys' childhoods, they paid the $800 ransom to get them back. (Theresa Niedermayer)

It`s not clear how the Niedemayers got infected, but typically that involves opening an attachment or downloading software or an app, one which may appear legitimate. One ransomware source making the rounds appears as an email from Canada Post. It directs recipients to open an attachment to see the delivery information. But open it and the malware takes over. Virus protection programs, if outdated, even by just a couple of days, are no match.

Once a ransom is paid, a code is provided to begin the laborious decryption process — one that can take several days or weeks.

Infections with ransomware appear to be soaring. Last month, internet security firm McAfee Labs, now a subsidiary of Intel Security, announced that it had detected a 155 per cent increase in the final three months of 2014. Michelle Dennedy, chief privacy officer for Intel Security, estimates that cybercriminals are now taking in $10 million to $50 million a month using ransomware.

Just last month, the FBI issued a warning of a fairly new ransomware variant making the rounds called CryptoWall 2.0, which encrypts files on a computer’s hard drive and any external or shared drives to which the computer has access. Canadian authorities have echoed the warning.

Firms are sent this encryption notice after hackers use CryptoWall ransomware to take files hostage and demand a ransom payment. (

Those who peddle the criminal malware are clearly oriented to business, skilfully using the tools of e-commerce.

"Even though we got had," Billy Niedermayer admitted, "they’re brilliant.”

Targets include Android phones

In 2013, poorly protected personal computers were the primary victims, but criminals have expanded their targets to include business records, governments and Android phones. In the U.S. alone, Android phones are estimated to have been affected four million times. Apple computers and phones haven’t been hit much yet, but that’s not to say they won’t be. And when they are targeted, expect the ransoms to be even higher, several tech security experts told CBC News.

The City of Detroit got hit and refused to pay the $800,000 ransom to get its database decrypted.

Chester Wisniewski, senior security adviser at the internet security firm Sophos Canada, says if your files are backed up on an external hard drive, there's no need to pay the ransom. Just take your computer to a computer shop to remove the malware and restore the backup. (CBC)

In British Columbia, three unidentified law firms were hit — two of them refused to pay the ransom, but one did.

"The software provided a notice with links that they need to pay a ransom within 12 hours," explained Ryan-Sang Lee, the communications officer for the Law Society of British Columbia, "and if that wasn’t paid within 12 hours, that ransom would effectively double."

The two firms that refused to pay had all their data backed up on detached, external drives. But then began a lengthy and annoying process of wiping their entire system, rebuilding it and returning the data from the backup.

Chester Wisniewski, senior security adviser at the internet security firm Sophos Canada, has become an internationally recognized expert at combating ransomware.

He sympathizes with those who get infected with ransomware and feel forced to pay.

"Clearly if someone's holding the photos of your toddler's first steps hostage for $500, that's a judgment call you need to make as to whether it's worth spending that $500 to get that content back."

Lesson learned

Wisniewski said if you get infected with ransomware and have backups of all your files, there's no need to pay the ransom.

"We recommend simply going to the computer shop and having the malware removed from your computer. And then you can just copy your files from your backup."

Theresa Niedermayer learned that lesson the hard way.

"We tell everyone you need to back up your computer on an external hard drive and unplug it — disconnect it from your computer," she said.

She and her husband are quite aware that their failure to do that forced them to make a payment — one that will only prompt the profitable cycle of cybercrime to continue.

With files from Emily Chung


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversationCreate account

Already have an account?