
Breaking Bad-themed ransomware is ‘the one who knocks’

Walter White's good image is exploited by online crooks.


Hackers have built a piece of ransomware themed around the American television show Breaking Bad, according to the security vendor Symantec.

The malware, which encrypts images, videos and documents before demanding payment to unlock them, is said to include a ransom demand message featuring Los Pollos Hermanos, a fast food chain from the show.

In another reference to Breaking Bad, the email address given allegedly nods to protagonist Walter White’s phrase: "I am the one who knocks". The malware also opens a YouTube video playing a song from the video game Grand Theft Auto V, alleged to be a reference to the television show.

Writing in a blog on its website, Symantec said: "We believe that the crypto ransomware uses social engineering techniques as a means of infecting victims.

"The malware arrives through a malicious zip archive, which uses the name of a major courier firm in its file name."

Australian victims of the virus are initially asked to pay AU$450 (£230), according to Symantec, with a threat that the amount will be more than doubled to AU$1,000 (£512) if they do not pay within a given time.

Alongside a malicious executable, the zip archive includes a PDF, which is intended to convince the user that the email’s intent is not malign.
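
A mail gateway or triage script can flag the delivery pattern described above (a courier-themed zip holding an executable next to a PDF) without extracting anything to disk. The following Python sketch is an added example, not code from Symantec or the article; the extension list, the `examplecourier` keyword (the article does not name the firm) and all function names are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed list of directly runnable extensions; extend to match local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
DECOY_EXTS = {".pdf"}
# Placeholder brand keyword: the article does not name the courier firm.
COURIER_KEYWORDS = {"examplecourier"}


def triage_zip(archive_name: str, data: bytes) -> dict:
    """Inspect one zip attachment in memory and return the findings."""
    findings = {"executables": [], "decoys": [], "courier_lure": False, "verdict": "allow"}
    findings["courier_lure"] = any(k in archive_name.lower() for k in COURIER_KEYWORDS)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["verdict"] = "quarantine"  # unparseable archive: fail closed
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext in EXECUTABLE_EXTS:
                findings["executables"].append(info.filename)
            elif ext in DECOY_EXTS:
                findings["decoys"].append(info.filename)
    # Any executable inside a mailed archive is enough to hold the message;
    # the decoy and lure fields give the analyst context for the alert.
    if findings["executables"]:
        findings["verdict"] = "quarantine"
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Build a constructed in-memory zip with harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({"tracking_label.exe": b"MZ placeholder",
                               "invoice.pdf": b"%PDF-1.4 placeholder"})
    print(triage_zip("ExampleCourier_parcel_1234.zip", sample))
```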

"Based on our initial analysis, the threat appears to be using components or similar techniques to an open-source penetration-testing project, which uses [the automation framework] Microsoft PowerShell modules," Symantec said.

"This allows the attackers to run their own PowerShell script on the compromised computer to operate the crypto ransomware."

Hackers use a random Advanced Encryption Standard key as well as a public key from security vendor RSA to encrypt the files, meaning that the files can only be unlocked with a private key held by the attackers.

To obtain this key victims must pay the hackers using Bitcoin, a cryptocurrency that allows both parties to retain their anonymity throughout the transaction.
