Original Cryptolocker Ransomware Support and Help Topic


3449 replies to this topic

#151 EagleComputerRepair
  • Members
  • 41 posts
  • Gender:Male
  • Location:Gaffney, South Carolina

Posted 12 September 2013 - 08:53 AM

And if enough people pay the ransom, it makes it very much worth their time to invest in improving this malware. We've seen it with ACCDFISA, which started with 200 or 300 dollars and ended at 4000 or 5000.

 

 

 

100% agreed on the system as a whole. Unfortunately the world doesn't run on ideals. Most businesses that are surviving do so by making the choice of what is best for them, and occasionally what is best for their customers. A company is most likely not able to survive by basing its decisions on what is best for the internet as a whole. Expecting people to think like this is roughly like trying to sell a business on buying their parts from company X, which sells the exact same product as company Y for twice the price, but is American-based and doesn't use a sweatshop. Yes, if everyone took the ideals route, all companies would have the same price, more money would be in the country and thus more people would be able to buy the end product, and everyone wins. But businesses are pretty much under the assumption that at least one, if not all, competitors will do it the cheap way and undercut everyone else, making them pre-emptively match.

 

In order to get people to stop funding criminal groups like this, you need a reason why it is worse for them personally. Why is accepting what is quite possibly $1,000-10,000 worth of loss (the numbers would only be this low under the assumption of just one day's worth of data) a better idea for them personally than losing $100-$300? The possibility that maybe they will be hit again? If so, is the possibility that they will be hit again eliminated if they don't pay?

 

I agree that if we could stop everyone from paying, the developers would be forced to stop... but can we plausibly get everyone at the same time to agree not to?




#152 compman25
  • Members
  • 6 posts

Posted 12 September 2013 - 10:39 AM

 

It is random. So far the created run value name is not random though, so if your AV has an option to create a block rule, you could do that. 

I want to add that this is really not foolproof, malware is often updated, I would never rely on this method only to avoid getting infected.

 

So what is that name so we can at least start to try and block it?


Edited by compman25, 12 September 2013 - 10:40 AM.


#153 Chuck Sp
  • Members
  • 36 posts

Posted 12 September 2013 - 10:41 AM

And if enough people pay the ransom, it makes it very much worth their time to invest in improving this malware. We've seen it with ACCDFISA, which started with 200 or 300 dollars and ended at 4000 or 5000.

 

Wow, I was not aware of that malware. Hadn't seen it or heard of it.

 

Another good reason to change your admin accounts away from the defaults and change the default port numbers for your services where you can.

 

I have found that to avoid a LOT of even attempted hacks. I hope everyone doesn't start doing it though, as then the bad guys would begin to get smarter and target non-standard stuff.



#154 Chuck Sp
  • Members
  • 36 posts

Posted 12 September 2013 - 10:49 AM

 

 

It is random. So far the created run value name is not random though, so if your AV has an option to create a block rule, you could do that. 

I want to add that this is really not foolproof, malware is often updated, I would never rely on this method only to avoid getting infected.

 

So what is that name so we can at least start to try and block it?

 

You would need to use some sort of regex filtering rule... it looks generally like this, with the things between curly brackets being random:

 

{34285B07-372F-121D-311F-030FAAD0CEF3}.exe



#155 Grinler (Lawrence Abrams)
  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 12 September 2013 - 10:50 AM

Hi all, I have been following this thread and this new virus and I have been trying to think of possible ways of preventing it from running until AV apps can detect it.


Unfortunately, you can lock down your system with the latest and greatest AV software and stuff will slip in if the person behind the keyboard does not use best security practices. I usually recommend this guide I wrote to my family and friends: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

One type of software that can really help with all threats, known or unknown, is HIPS (Host Intrusion Protection Software). These programs are typically lightweight, run in the background, and block programs from running unless they are on a whitelist. Programs are not added to a whitelist unless you add them. So essentially any executable would be blocked regardless of whether an AV knows about it or not.

The only issue with these types of software is the learning process, as you will need to create your whitelist by allowing the programs to run once. This can take up to a week.

Something like this used in conjunction with an AV software is very tight security.

#156 Grinler (Lawrence Abrams)
  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 12 September 2013 - 10:54 AM

Here is some info on ACCDFISA:

http://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-servers/
http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program
http://www.bleepingcomputer.com/forums/t/446111/new-accdfisa-protection-center-ransomware-called-malware-protection/

With ACCDFISA the developer would hack terminal servers and start the encryption process from there. Little bugger used to come to the site and post in the above topic.

#157 Elise (Bleepin' Blonde)
  • Malware Study Hall Admin
  • 60,306 posts
  • Gender:Female
  • Location:Romania

Posted 12 September 2013 - 10:59 AM

It is random. So far the created run value name is not random though, so if your AV has an option to create a block rule, you could do that. 
I want to add that this is really not foolproof, malware is often updated, I would never rely on this method only to avoid getting infected.

So what is that name so we can at least start to try and block it?

In the windows registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ->> Value name: CryptoLocker

I am not sure whether or not it is worth a shot to deny access to HKEY_LOCAL_MACHINE\Software\CryptoLocker. It depends on whether the malware writes data to that key before it encrypts a file or the other way around.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#158 Grinler (Lawrence Abrams)
  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 12 September 2013 - 11:13 AM

You can also use Software Restriction policies to block executables from running when they are located in the %AppData% folder, which this thing launches from. See these articles from MS:

http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx

This can also be set up in Group Policy :)

File paths of the infection are:

C:\Users\User\AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe (Vista/7/8)
C:\Documents and Settings\User\Application Data\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe

So the path rule you want to set up is:

Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData.

You can see an alert and event log showing the executable being blocked:

[Image: 133-software-restriction-log.jpg]

[Image: software-restriction-alert.jpg]

If you need help configuring this, let me know.
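A defender-side check that ties together the three indicators posted in this part of the thread: the GUID-style executable name from #154, the Run value name from #157, and the %AppData% launch location from #158. This is an added example written for this page, not code from any of the posters; it runs against a constructed dictionary standing in for the values of the Run key, so every value name and path other than the ones quoted in the thread is an assumption.

```python
import re

# GUID-style executable name from #154: {8-4-4-4-12 hex digits}.exe
GUID_EXE_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
# Executable directly in roaming %AppData% (Vista/7/8 and XP layouts), matching the
# scope of the %AppData%\*.exe path rule from #158 (subfolders are not covered).
APPDATA_EXE_RE = re.compile(r"\\(?:AppData\\Roaming|Application Data)\\[^\\]+\.exe$", re.I)
# Run value name reported in #157 under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SUSPECT_RUN_VALUE = "cryptolocker"

# Constructed stand-in for the Run key's values (value name -> command). Only the first
# entry reproduces indicators quoted in the thread; the other two are invented benign entries.
SAMPLE_RUN_ENTRIES = {
    "CryptoLocker": r"C:\Users\User\AppData\Roaming\{34285B07-372F-121D-311F-030FAAD0CEF3}.exe",
    "ExampleTray": r"C:\Program Files\Example\tray.exe",
    "VendorUpdater": r"C:\Users\User\AppData\Roaming\Vendor\updater.exe",
}


def is_guid_named_exe(path: str) -> bool:
    """True if the file name component is a bare {GUID}.exe."""
    return bool(GUID_EXE_RE.match(path.rsplit("\\", 1)[-1]))


def launches_from_appdata(path: str) -> bool:
    """True if the executable sits directly in the roaming AppData folder."""
    return bool(APPDATA_EXE_RE.search(path))


def check_run_entries(entries: dict) -> list:
    """Return (value_name, command, reasons) for every Run entry that trips an indicator."""
    findings = []
    for name, cmd in entries.items():
        reasons = []
        if name.lower() == SUSPECT_RUN_VALUE:
            reasons.append("Run value name matches the reported CryptoLocker entry")
        if is_guid_named_exe(cmd):
            reasons.append("GUID-style executable name")
        if launches_from_appdata(cmd):
            reasons.append("executable launched from %AppData%")
        if reasons:
            findings.append((name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for name, cmd, reasons in check_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{name}: {cmd}")
        for reason in reasons:
            print("  -", reason)
```

On a live machine the dictionary would be filled from the Run key itself; as Elise notes above, a value-name match is a weak indicator on its own, so the path and naming checks are reported alongside it.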

#159 matt138
  • Members
  • 2 posts

Posted 12 September 2013 - 11:18 AM

Do we know how this thing is spread?

We just had a second client infected with this.



#160 secc123
  • Members
  • 13 posts

Posted 12 September 2013 - 11:23 AM

Hi Grinler, thanks so much for this, it was exactly my thinking when I posted the question. Admittedly short-term, but if it prevents the encryption happening then that at least is something.

 We all know users who we sit down with time after time after time and say 'don't do this' and 'do this' but a lot of the time it is in one ear and out the other, as the old saying goes 'the problem often is between the chair and the keyboard'!

 

 Secc



#161 Grinler (Lawrence Abrams)
  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 12 September 2013 - 11:24 AM

Do we know how this thing is spread?
We just had a second client infected with this.


Appears to be social engineering via emails with attachments.

#162 Arlothia
  • Members
  • 144 posts
  • Gender:Female

Posted 12 September 2013 - 02:09 PM

Hello, I got this thing on my computer last night and at the time I didn't know it encrypted my files. I learned that this morning only after I thought I had removed the virus from my computer. I did a Microsoft Security Essentials sweep as well as one on Malwarebytes. I am in the process of running a full scan on Malwarebytes and so far it has detected 2 things.

Now, I haven't looked through this entire thread but it looks like some people have decrypted their files, am I correct?

I've tried following what is being said but I really don't speak this language and could really use some help. Is there any way that anyone knows how to decrypt the files? Will going back to a system restore point work? I keep hearing things about Site Keys and what not and from what I understand it's a sort of password that the creator of the virus has that will unlock decrypted files and getting that is really, really hard, if not impossible. Am I correct in thinking that?

Would bringing my computer to a computer shop work? Would they have the technology to decrypt my files? I'm planning on buying a new computer anyway so all I need are my files back so I can back them up (which I stupidly have not been doing) and put them on my nice, new, clean, safe computer.

So in short: can someone put this all in layman's terms for me please? 

Thank you very much!



#163 Elise (Bleepin' Blonde)
  • Malware Study Hall Admin
  • 60,306 posts
  • Gender:Female
  • Location:Romania

Posted 12 September 2013 - 02:19 PM

Now, I haven't looked through this entire thread but it looks like some people have decrypted their files, am I correct?

No, unfortunately this is not true. You can try to right-click the files affected and select "Restore previous version"; that might help, but decryption is not possible.

 

A repair shop can do nothing more either, there is no way to break RSA/AES encryption without decryption keys.

 

EDIT and I deleted your duplicate. :)


regards, Elise




#164 secc123
  • Members
  • 13 posts

Posted 12 September 2013 - 02:21 PM

Hi Arlothia, sorry to hear you have been hit by this virus. To answer your question about your files, the only way to decrypt them is to pay the ransom to the virus writer ($100-$300 by all accounts). From what I have read you have a couple of problems: firstly, you have cleaned the virus, and you need the virus active to pay them; secondly, even if you re-infect your machine, it seems the payment server is down so you won't be able to pay them anyway.

 

As for your question about getting a computer shop to decrypt the files, the simple answer is NO WAY. Sorry to be the bearer of bad news; maybe the virus writer will get a new server so you can at least get your files back, failing that you're out of luck.

 

 Secc



#165 adrian26
  • Members
  • 8 posts

Posted 12 September 2013 - 02:21 PM

Even paying the ransom doesn't look like it is working for people any more. If you have not backed up, you are in trouble. For personal computers, I highly recommend using an online backup service like Carbonite or Mozy. I use Carbonite; for $60/year they back up over 350GB of my personal files including thousands of pictures.





