Original Cryptolocker Ransomware Support and Help Topic


3452 replies to this topic

#406 Leurgy

    Voted most likely

  • Members
  • 3,831 posts
  • Gender:Male
  • Location:Collingwood, Ontario, Canada

Posted 26 September 2013 - 10:03 AM

I would have to say the damages appear to be in the tens of thousands, if not hundreds of thousands. Perhaps the lack of news coverage is keeping it from being considered a "major threat".
I'm sure this is much more widespread than anyone realizes. Many organizations (especially banks, airlines, hospitals etc.) do not make intrusions like this public as it would be bad for business and destroy the illusion of safe and secure data that they present to the public.


When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool



#407 pcrx9000

  • Members
  • 23 posts

Posted 26 September 2013 - 10:14 AM

Good idea. I think I will go to the media. Nothing they like better than over-hyping a story about a "BIG VIRUS COMING". Oh God... in this case though - it might not be possible to over-hype the necessity of offsite back up with file revision.

#408 Beyfenn

  • Members
  • 2 posts

Posted 26 September 2013 - 04:29 PM

Hit our company today. Appears to have been delivered via an infected website. Began encrypting files within 8 mins of initial infection. We were able to stop the encryption by shutting down the infected machine before it hit everything on our shares.



#409 proapp

  • Members
  • 35 posts

Posted 26 September 2013 - 06:21 PM

Hit our company today. Appears to have been delivered via an infected website. Began encrypting files within 8 mins of initial infection. We were able to stop the encryption by shutting down the infected machine before it hit everything on our shares.


Any clue as to what website? What browser & version were you using?

#410 proapp

  • Members
  • 35 posts

Posted 26 September 2013 - 06:22 PM

No one has any thoughts on my suggestion to fight back?

#411 Netghost56

  • Members
  • 973 posts
  • Gender:Male
  • Location:Texas

Posted 26 September 2013 - 06:41 PM

Have you not read the posts in this thread???

#412 proapp

  • Members
  • 35 posts

Posted 26 September 2013 - 07:40 PM

Have you not read the posts in this thread???


I certainly hope that your response wasn't intended for me....

#413 pcrx9000

  • Members
  • 23 posts

Posted 26 September 2013 - 08:37 PM

Hit our company today. Appears to have been delivered via an infected website. Began encrypting files within 8 mins of initial infection. We were able to stop the encryption by shutting down the infected machine before it hit everything on our shares.

Please - any idea on the site - or source? I'm reaching out to the media tomorrow.

Taking down Green Dot is the answer to the fight. If they can't profit they will not pursue.



#414 EagleComputerRepair

  • Members
  • 41 posts
  • Gender:Male
  • Location:Gaffney, South Carolina

Posted 26 September 2013 - 08:38 PM

No one has any thoughts on my suggestion to fight back?

The good: It could very probably back them up to the point that they cannot function, for a while.

The bad:

1. They have enough money to survive being backed up. While I have no idea of where in particular this outfit is running from, odds are labor is cheap... he's already most likely gotten away with hundreds of thousands of dollars in cash... and is most likely running out of a country like Nigeria etc.... in which a full-time worker could be hired for, say, 5,000 a year.

2. Green Dot/MoneyPak clearly is run in a way that avoids prosecution. The fact that it's survived FBI MoneyPak shows that it is a company that is very resistant to prosecution, is set up in a way to avoid prosecution, and doesn't give a darn what sort of crime uses their service.

3. The people who will be hurt the worst by this are the ones who have gotten a big infection that has eaten up major parts of their life's work. The guy running this operation isn't going to calmly go "bah, I can't handle this, release the keys". He's either going to not be able to handle the processing time, and his victims have to wait days/weeks to be approved, or, absolute best case scenario, he shuts down altogether and his victims are screwed.


Edited by EagleComputerRepair, 26 September 2013 - 08:40 PM.


#415 proapp

  • Members
  • 35 posts

Posted 26 September 2013 - 08:54 PM


No one has any thoughts on my suggestion to fight back?

The good: It could very probably back them up to the point that they cannot function, for a while.

The bad:

1. They have enough money to survive being backed up. While I have no idea of where in particular this outfit is running from, odds are labor is cheap... he's already most likely gotten away with hundreds of thousands of dollars in cash... and is most likely running out of a country like Nigeria etc.... in which a full-time worker could be hired for, say, 5,000 a year.

2. Green Dot/MoneyPak clearly is run in a way that avoids prosecution. The fact that it's survived FBI MoneyPak shows that it is a company that is very resistant to prosecution, is set up in a way to avoid prosecution, and doesn't give a darn what sort of crime uses their service.

3. The people who will be hurt the worst by this are the ones who have gotten a big infection that has eaten up major parts of their life's work. The guy running this operation isn't going to calmly go "bah, I can't handle this, release the keys". He's either going to not be able to handle the processing time, and his victims have to wait days/weeks to be approved, or, absolute best case scenario, he shuts down altogether and his victims are screwed.

If the server experiences a DoS it won't be able to issue private keys.... no private key being generated and issued, no encryption.?..?


Just a thought...

#416 proapp

  • Members
  • 35 posts

Posted 26 September 2013 - 09:01 PM

Also, this guy hasn't bluffed on anything thus far; I don't think there are ANY keys to be released, except maybe those generated in the past 71 hours, 59 minutes and 59 seconds.

#417 Netghost56

  • Members
  • 973 posts
  • Gender:Male
  • Location:Texas

Posted 26 September 2013 - 09:13 PM

Pcrx9000, I wish someone would investigate Green Dot MoneyPak. I've never heard of it outside of ransomware viruses. I strongly doubt their legitimacy.

#418 EagleComputerRepair

  • Members
  • 41 posts
  • Gender:Male
  • Location:Gaffney, South Carolina

Posted 26 September 2013 - 09:50 PM

If the server experiences a DoS it won't be able to issue private keys.... no private key being generated and issued, no encryption.?..?

Just a thought...

DDoSing the server is going to be near impossible. The virus itself seems to be too complicated to do that with until we have a far better understanding of its workings and communications. Plus, I believe the client creates the private key, sends it to the server, then trashes it. I do suppose someone with a copy of the virus for testing could see what would happen if the virus were launched on a disconnected system, to determine whether it encrypts anyway, or if it requires confirmation from the server before it begins.



#419 pcrx9000

  • Members
  • 23 posts

Posted 26 September 2013 - 10:22 PM

Pcrx9000, I wish someone would investigate Green Dot moneypak. I've never heard of it outside of ransomware viruses. I strongly doubt their legitimacy.

They are a publicly traded US company. Here is where we can do battle - shareholders hate NEGATIVE press. How about their product gets associated with every trojan and ransomware infection coming out of eastern Europe and the entire continent of Africa. CNN - breaking news - hackers exploit Green Dot / MoneyPak's no-chargeback policies to perpetrate extortion and fraud.

These cards have been around since early 2000. The real target customer was originally illegal aliens and migrant workers sending money to Mexico. They marketed it as a credit card for teens, and those wishing to securely buy stuff on the internet (Sicko porn addicts). All drug stores and 7-11s have them. They have super high fees - but nearly guarantee personal anonymity, privacy, and no way anyone is ever going to reverse a charge on you.

But breaking news about ransomware kingpins exploiting this - might actually hit them where it hurts - the wallet.



#420 Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum

Posted 27 September 2013 - 06:07 AM

If the server experiences a DoS it won't be able to issue private keys.... no private key being generated and issued, no encryption.?..?

If that fails the malware will start generating seemingly random domain names using a domain generation algorithm. This is done by creating a seemingly random string of characters based on the current system time and appending it to one of the following seven possible top level domains. If you know the algorithm, you are able to predict which domain name the malware is going to contact on any given day, thus allowing the attacker to set up new domains in case old domains or the aforementioned fixed IP is taken down.

Using RSA based encryption for the communication not only allows the attacker to obfuscate the actual conversation between the malware and its server, but also makes sure the malware is talking to the attacker's server and not a blackhole controlled by malware researchers.

http://blog.emsisoft.com/2013/09/10/cryptolocker-a-new-ransomware-variant/

Trojan.Ransomcrypt.F. http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99&tabid=2

Random domain = RD
Command and control = CC
Command and control server = CCS

(1) Cryptolocker victim to CCS is https, no Man-in-the-Middle attack.
(2) CCS is a proxy that reroutes to attackers true CC, possibly using TOR hidden service?
(3) RD are generated by 'time', so you need to target those domains for a Denial-of-Service attack.

Edited by Crazy Cat, 27 September 2013 - 06:09 AM.

 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.
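The Emsisoft excerpt quoted in the post above makes one point a defender can use directly: a DGA seeded from the current system time lets anyone who knows the algorithm precompute the day's candidate domains and watch for them in DNS logs. The example below is added here and is not code from this thread, from Emsisoft or from CryptoLocker: the generator is a constructed stand-in seeded from the date, the TLDs are RFC 2606 reserved placeholder names rather than the seven real ones (which the excerpt does not list), the daily count is made up, and the DNS log lines are constructed.

```python
import datetime as dt
import hashlib
import string

# Constructed stand-ins (RFC 2606 reserved names), NOT the seven real TLDs
# the Emsisoft excerpt alludes to; those are not reproduced here.
TLDS = ("example", "test", "invalid")
DOMAINS_PER_DAY = 50  # constructed; the real daily count is not given


def dga_domains(day):
    """Hypothetical time-seeded generator: each name depends only on the date
    and a counter, so whoever knows the algorithm computes the same set."""
    names = set()
    for i in range(DOMAINS_PER_DAY):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(string.ascii_lowercase[b % 26] for b in digest[:12])
        names.add(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def watchlist_for(day, skew_days=1):
    """Predicted names for `day` plus neighbouring days: an infected host's
    clock and time zone rarely match the analyst's, so widen the window."""
    names = set()
    for delta in range(-skew_days, skew_days + 1):
        names |= dga_domains(day + dt.timedelta(days=delta))
    return names


def flag_dns_log(lines, day):
    """Return (client_ip, qname) for each query that hits the predicted set.
    Constructed line format: '<timestamp> <client-ip> <qname>'."""
    watch = watchlist_for(day)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed or truncated line: skip, do not crash
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in watch:
            hits.append((client, qname))
    return hits


# Constructed sample log: one query to a predicted name (with a trailing dot,
# as some resolvers log it) and one benign lookup.
DAY = dt.date(2013, 9, 26)
SAMPLE_LOG = [
    f"2013-09-26T10:03:00Z 10.0.0.5 {sorted(dga_domains(DAY))[0]}.",
    "2013-09-26T10:03:01Z 10.0.0.6 www.bleepingcomputer.com",
]
```

Running `flag_dns_log(SAMPLE_LOG, DAY)` returns a single hit for 10.0.0.5; the one-day skew window is the part most often forgotten when such watchlists are built from the analyst's own clock.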
