What’s at risk from nRansom? Your memories of Thomas the Tank Engine

Thanks to Dorka Palotay and Balázs Vágó of SophosLabs for the research this article is based on.

On the surface, nRansom sounds ominous – locking up your computer and demanding not just bitcoins but nude photos, in return for giving you back control of your computer. But in the end, its biggest threat is to your precious memories of Thomas the Tank Engine and his friends on the Island of Sodor.

Distracting and foul-mouthed it may be, the work of criminal masterminds it is not.

How it works

Unlike ransomware such as Locky or WannaCry, nRansom won’t encrypt your files. It’s a screen locker that tries to stop you from accessing the things on your computer by locking the screen until you do as it asks.

If you were somehow unlucky enough to actually get nRansom on your Windows machine (Sophos detects it as Troj/LockScr-U but there’s no evidence of it spreading in the wild), your screen would be filled with this bizarre message and multiple thumbnails of the lovable little engine; an expletive across the top of each frame:


A looped version of the Curb Your Enthusiasm theme song plays in the background.

The message reads:

Your computer has been locked. You can only unlock it with the special unlock code. go to protonmail.com and create an account. Send an entail to [redacted]. We will not respond immediatly. After we reply, you must send at least 10 nude pictures of you. After that we will have to verify that the nudes belong to you. Once you are verified, we will give you your unlock code and sell your nudes on the deep web

Got your unlock code and sent your nudes?
Submit our unlock code here

Once the nudes are “verified” by the attacker, you’ll allegedly receive a code to unlock the hijacked screen. And the code the attacker sends? That’ll be…


How to get away without paying the ransom

You’d only have to work your way down a list of the world’s worst passwords and you’ll have successfully guessed the code before you got to #6. Don’t be fooled by the giant ‘Unlock’ button that appears when you do though. It doesn’t do anything and nor will the x in the corner.

You can at least move the window out of the way and resize it, but you don’t actually have to work even that hard. Just CTRL+ALT+DEL to open the Task Manager, select nRansom and hit ‘End task’.

Did we mention it wasn’t the work of criminal masterminds?

SophosLabs researcher Dorka Palotay describes nRansom as supremely unsophisticated and easy to kill, perhaps “a test or a joke.”

A blast from the past

Tank engines aside, nRansom also caught our eye because it’s sort of full circle for ransomware, bringing us back to 2012 and the days of the Reveton screen locker, a strain of malware that locks you out of your PC under the guise of a police warning. Of course, you can bypass the promised prosecution if you pay a “fine” (in money rather than nudes) to the cybercriminals.

We doubt the authorities will be kicking in the doors and making arrests over nRansom, though seeing a sting like the Reveton ransomware gang arrests would really be something, if only for Thomas’ sake.

Defensive measures

If you’re worried about real ransomware threats, we recommend you arm your friends and family with free Sophos Home software for Windows and Mac, and check out our article about how to stay protected against ransomware.

Otherwise, the best defense here is to go back and watch some Thomas and Friends episodes to get those innocent memories back.