CryptoLocker developers charge 10 bitcoins to use new Decryption Service


64 replies to this topic

#46 TsVk!

    penguin farmer

  • Members
  • 6,230 posts
  • Gender:Male
  • Location:The Antipodes

Posted 07 November 2013 - 11:58 PM

 

 

Does anyone know of backup software that stores files on external drives without copying and making the original file, including its regular extension, available?

I run my CrashPlan on my home "server" (a passively cooled Atom PC running Windows 7). The free version will back up to a USB HD: CrashPlan FAQ

I was wondering if this bugger can encrypt an encrypted and/or a password-protected back-up drive/partition etc.?

I'll have to try when I get it all set up... lol

Not if it is encrypted with TrueCrypt, as the archive has no extension or visible format; it just appears as a random string of characters.




#47 bludgard

  • Members
  • 934 posts
  • Gender:Male
  • Location:No Clue Whatsoever, Western Hemisphere

Posted 08 November 2013 - 12:09 AM

 

 

 

Does anyone know of backup software that stores files on external drives without copying and making the original file, including its regular extension, available?

I run my CrashPlan on my home "server" (a passively cooled Atom PC running Windows 7). The free version will back up to a USB HD: CrashPlan FAQ

I was wondering if this bugger can encrypt an encrypted and/or a password-protected back-up drive/partition etc.?

I'll have to try when I get it all set up... lol

Not if it is encrypted with TrueCrypt, as the archive has no extension or visible format; it just appears as a random string of characters.

 

 

I was just picking through some testing options and TrueCrypt is one of them.


Edited by bludgard, 08 November 2013 - 12:10 AM.


#48 TsVk!

    penguin farmer

  • Members
  • 6,230 posts
  • Gender:Male
  • Location:The Antipodes

Posted 08 November 2013 - 12:39 AM

We have implemented a group policy suggested on here: files can only execute from C:\Program Files (and Program Files (x86), of course). Our company malware infection rate has dropped to 0 overnight. It has been a bit of a pain with some applications (AutoDesk products, and not the first time), but generally a smooth transition. This is solid defense against CryptoLocker. This is in addition to archived backups and a mirror rack in another building.



#49 The_Major

  • Members
  • 5 posts

Posted 08 November 2013 - 04:36 AM

 

 

 

Does anyone know of backup software that stores files on external drives without copying and making the original file, including its regular extension, available?

I run my CrashPlan on my home "server" (a passively cooled Atom PC running Windows 7). The free version will back up to a USB HD: CrashPlan FAQ

I was wondering if this bugger can encrypt an encrypted and/or a password-protected back-up drive/partition etc.?

I'll have to try when I get it all set up... lol

Not if it is encrypted with TrueCrypt, as the archive has no extension or visible format; it just appears as a random string of characters.

 

 

Good point. This could be a good reason for selecting "encrypt drive" in TrueCrypt over creating an "encrypted container". The container is just a file and can be re-encrypted by malware. The drive can still be re-encrypted by malware if it had this functionality built in. AFAIK, neither the TrueCrypt container nor the TrueCrypt drive is currently being targeted by this malware. IIRC, in this case the malware is targeting specific files. So, in this case at least, both TrueCrypt options are relatively safe, but the "encrypted drive" is probably safer than an "encrypted container". It would be dead easy for the malware to expand its selection to other sorts of files, like TrueCrypt containers. It would be more difficult for it to encrypt an entire drive/partition, e.g. because TrueCrypt-formatted drives appear to be random data, the malware wouldn't know whether the drive has been formatted or whether it contains any real data; there is no point in the malware targeting stuff like this, it is much more efficient and effective for it to attack files it can actually identify, e.g. Word docs, Excel files, etc.

 

Of course, once you have mounted the TrueCrypt file or container, if the malware is on your machine, then it will start attacking whatever targets it can find inside it.  So the "relative safety" point I mentioned earlier may be moot.
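The posts above turn on one observation: the malware picks its targets by recognisable file type, and a file it has rewritten no longer carries that type's header. That gives a cheap check to run over a backup before it ages out of retention. The script below is an added example, not code from the thread or from any backup product: it walks a backup tree, reads the first bytes of each file, and compares them with the signature its extension implies; a .pdf that no longer starts with `%PDF`, or a .docx that is no longer a ZIP container, is flagged. The signature table, directory layout and sample files are constructed here and are the example's own assumptions.

```python
"""Audit a backup tree for documents whose header no longer matches their extension.

Added example, not code from the thread or from any backup product. Ransomware of
the kind discussed here rewrites recognisable document types with ciphertext, so a
.pdf that does not start with '%PDF' (or a .docx that is no longer a ZIP container)
has been tampered with. Signature table and sample files are constructed here.
"""
import tempfile
from pathlib import Path

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP = b"PK\x03\x04"                           # Office 2007+ files are ZIP archives

# Expected leading bytes ("magic") per extension. Assumption: extend for your own data.
SIGNATURES = {
    ".pdf": (b"%PDF",),
    ".docx": (ZIP,), ".xlsx": (ZIP,), ".pptx": (ZIP,), ".zip": (ZIP,),
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def check_file(path):
    """'ok' if the header matches the extension, 'suspicious' if it does not,
    'unknown' if the extension is not in the table (e.g. an extensionless
    TrueCrypt container, which looks like random data by design)."""
    expected = SIGNATURES.get(path.suffix.lower())
    if expected is None:
        return "unknown"
    with open(path, "rb") as fh:
        head = fh.read(16)
    return "ok" if any(head.startswith(sig) for sig in expected) else "suspicious"


def audit_backup(root):
    """Walk the tree; return (sorted findings that are not 'ok', verdict counts)."""
    root = Path(root)
    findings, counts = [], {"ok": 0, "suspicious": 0, "unknown": 0}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        verdict = check_file(path)
        counts[verdict] += 1
        if verdict != "ok":
            findings.append((path.relative_to(root).as_posix(), verdict))
    return findings, counts


def build_sample_backup(root):
    """Constructed sample tree: two intact documents, one 'encrypted' PDF, one container."""
    patients = Path(root) / "patients"
    patients.mkdir(parents=True)
    (patients / "scan-0001.pdf").write_bytes(b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n")
    (patients / "intake.docx").write_bytes(ZIP + b"\x14\x00\x00\x00" + b"word/document.xml")
    # Stand-in for a file the malware rewrote: no format header, just ciphertext-like bytes.
    (patients / "scan-0002.pdf").write_bytes(bytes.fromhex("9f3c7be1044ad2c8" * 8))
    # Extensionless random-looking blob, e.g. a TrueCrypt container: unknown, not suspicious.
    (Path(root) / "vault").write_bytes(bytes.fromhex("d41e5a07b3c9f26e" * 8))


def run_demo():
    """Build the sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(tmp)
        return audit_backup(tmp)


if __name__ == "__main__":
    findings, counts = run_demo()
    for rel, verdict in findings:
        print(f"{verdict:10s} {rel}")
    print(counts)
```

Note the limit this check shares with the malware: an extensionless random-looking blob such as a TrueCrypt container is reported as "unknown", not "suspicious", because it never had a header to lose. If the container itself were rewritten the scanner could not tell, so for containers keep a hash of the file from the day it was written and compare against that instead.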



#50 itbwcki

  • Members
  • 2 posts

Posted 09 November 2013 - 10:02 AM

My question is: has this new "service website" been proven to work and get the files back? How many people have dished out the 10 bitcoins and got what they needed back?

 

I'm sitting on 2 network drives that were infected randomly over a 404GB volume. 

 

OK. So the company that I work for was hit with this virus about a month ago. Total fiasco as the client refused to pull a backup and roll 4 days back to when we were infected. Now we are outside of our backup retention and we finally realized the damage done. It only infected older data. Modified this year, but pushed back into historical patient files. Our backup image that was finally put in place was 10 months old.

 

We have 8,293 historical scanned documents, medical, that have been encrypted. Docs that were scanned into older patient files manually over the last 10 months and then shredded afterwards. Not good. They are still on the e-mail server as they were scanned to e-mail, but we are talking thousands in labor costs to get these back into our system. 

 

So, we are willing to put the $2,100 in to get these files back. I'm not pulling the trigger unless I see this as a viable and tested option. 

To these people and others who feel either damaged or FUBR: I saw this quote in the Sophos YouTube video on Crilock; it's worth a shot.

 

http://www.youtube.com/all_comments?v=Gz2kmmsMpMI

 
"Do you know if it's just RSA that encrypts the files or is it RSA+padding? If it were plain RSA, and you had an identical copy of just one file that was encrypted, say on a USB stick, another computer, cloud storage, etc - Then you could determine the private key simply by encrypting that one file. Then use that key to decrypt the rest of the files."

Edited by itbwcki, 09 November 2013 - 10:03 AM.
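The quoted YouTube comment above asks whether the files are encrypted with plain RSA or RSA plus padding. The following is an added example, not code from the thread or from any analysis of the malware: it generates a toy (512-bit, insecure) RSA key pair, encrypts the same plaintext twice with unpadded ("textbook") RSA and twice with a simplified randomised pad, and shows what an intact copy of one encrypted file actually buys an attacker. With deterministic RSA, re-encrypting the known file under the public key lets you confirm that a given ciphertext is that file; with a randomised pad it does not even do that. In neither variant does the plaintext/ciphertext pair produce the private exponent; the only place `d` is computed here is from the factors `p` and `q` inside key generation. Key size, the padding layout and the sample plaintext are the example's own assumptions; it needs Python 3.8+ for `pow(e, -1, phi)`.

```python
"""Textbook RSA versus randomly padded RSA, given a known plaintext.

Added example (not code from the thread or from CryptoLocker). Toy 512-bit
keys: fast to generate, NOT secure. Requires Python 3.8+ for pow(e, -1, phi).
"""
import random
import secrets

PUBLIC_EXPONENT = 65537
PAD_BYTES = 16  # assumption: length of the random prefix in the toy padding


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square root of 1 found: n is composite
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so p*q has the expected size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)). d is derived only from the factors p and q."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % PUBLIC_EXPONENT != 0:
            break
    return (p * q, PUBLIC_EXPONENT), (p * q, pow(PUBLIC_EXPONENT, -1, phi))


def encrypt_textbook(pub, m):
    """Unpadded RSA: c = m^e mod n. The same m always gives the same c."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message out of range for this modulus")
    return pow(m, e, n)


def decrypt_textbook(priv, c):
    n, d = priv
    return pow(c, d, n)


def encrypt_padded(pub, message):
    """Simplified randomised padding (the idea behind PKCS#1 v1.5, not its exact
    layout): non-zero random bytes, a 0x00 separator, then the message."""
    prefix = bytes(secrets.randbelow(255) + 1 for _ in range(PAD_BYTES))
    return encrypt_textbook(pub, int.from_bytes(prefix + b"\x00" + message, "big"))


def decrypt_padded(priv, c):
    n, _ = priv
    padded = decrypt_textbook(priv, c).to_bytes((n.bit_length() + 7) // 8, "big")
    _, _, message = padded.lstrip(b"\x00").partition(b"\x00")
    return message


def matches_known_plaintext(pub, ciphertext, candidate):
    """What a known copy of a file gives you: re-encrypt it with the public key
    and compare. This recognises a ciphertext; it does not recover d."""
    return encrypt_textbook(pub, int.from_bytes(candidate, "big")) == ciphertext


def demo():
    """Run both variants on one constructed plaintext and report what held."""
    pub, priv = generate_keypair()
    doc = b"PATIENT 0001 scan 2013-01-15"  # constructed sample plaintext
    m = int.from_bytes(doc, "big")
    c1, c2 = encrypt_textbook(pub, m), encrypt_textbook(pub, m)
    p1, p2 = encrypt_padded(pub, doc), encrypt_padded(pub, doc)
    return {
        "textbook_deterministic": c1 == c2,
        "textbook_recognised": matches_known_plaintext(pub, c1, doc),
        "padded_differs": p1 != p2,
        "padded_recognised": matches_known_plaintext(pub, p1, doc),
        "textbook_roundtrip": decrypt_textbook(priv, c1) == m,
        "padded_roundtrip": decrypt_padded(priv, p1) == doc,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value}")
```

Running `demo()` gives `textbook_deterministic` and `textbook_recognised` as True and `padded_recognised` as False, while both variants still decrypt correctly with the private key. Determinism is the real weakness of unpadded RSA (an attacker can test guesses against ciphertexts), which is why every deployed scheme randomises the input; it is not a shortcut to the private key.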


#51 bludgard

  • Members
  • 934 posts
  • Gender:Male
  • Location:No Clue Whatsoever, Western Hemisphere

Posted 12 November 2013 - 07:09 PM

I am also wondering if disabling write access to external (back-up) devices in GPE (certain OSs) might be an option to prevent contamination...? Although one would have to go through GPE to create new or enhance existing back-ups.

 

BLEEP, why can I only post images sometimes? Grrrrrrrrrrrrrrrrrrrrr...............


Edited by bludgard, 12 November 2013 - 07:21 PM.


#52 neumannu47

  • Members
  • 27 posts
  • Gender:Male
  • Location:USA

Posted 13 November 2013 - 10:15 AM

If I were to install a Linux server for my home network shares, would those files be vulnerable to this virus since the shares would be accessible through Windows? 



#53 TriggerJinxed

  • Members
  • 42 posts
  • Gender:Male
  • Location:Longk Islandt, Noo Yawk

Posted 13 November 2013 - 10:37 AM

If I were to install a Linux server for my home network shares, would those files be vulnerable to this virus since the shares would be accessible through Windows? 

 

Yes. The encryption occurs from the Windows workstation. I know this because we have Linux servers here at work and some of our workstations got hit. All the files visible via drive letters were encrypted, leaving alone those files the user did not have access to. The virus stopped there though; like a fish out of water, it did not spread through the network via the Linux drives. We use TSM tape backups here, so our files were easily restored. The local ones were gone though.



#54 cpichler

  • Members
  • 1 post

Posted 20 November 2013 - 09:39 AM

I just don't understand.  If they now have a website to use to get the decryption key - why can't anyone catch these crooks and put them in jail? 



#55 ddeerrff

    Retired

  • Malware Response Team
  • 2,725 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 20 November 2013 - 05:17 PM

Perhaps because they are doing it from a country where the authorities don't care or even support those activities?



#56 TsVk!

    penguin farmer

  • Members
  • 6,230 posts
  • Gender:Male
  • Location:The Antipodes

Posted 20 November 2013 - 05:30 PM

more likely they are paying for the server with bitcoins or stolen credit card details....



#57 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,768 posts
  • Gender:Female
  • Location:At home

Posted 22 November 2013 - 05:45 AM

It seems that CryptoLocker is also aware of the dramatic increase in bitcoin prices and has reacted:
http://www.f-secure.com/weblog/archives/00002642.html

The rate for payment within 48 hours is now 0.5 bitcoins instead of 2. They make no comment on whether the decryption service they offer has decreased in price as well.

@ why is nobody taking down the page

It is not as easy as that. The page is only available via Tor, which is an anonymiser; it may not be so obvious how and where the server offering this decryption service is located. They might very well be operating the server themselves and not renting it from anyone.

regards
myrti



#58 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,054 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 22 November 2013 - 12:24 PM

It seems that CryptoLocker is also aware of the dramatic increase in bitcoin prices and has reacted:
http://www.f-secure.com/weblog/archives/00002642.html

The rate for payment within 48 hours is now 0.5 bitcoins instead of 2. They make no comment on whether the decryption service they offer has decreased in price as well.

myrti,

 

The price for the decryption service has also decreased, see Grinler's post here. Perhaps an update to the title or first post would be appropriate?

 

Also, I believe you can connect to the C&C servers using an ordinary browser to access the decryption service as well, as I see Grinler using Chrome in the snapshots and the address is not a Tor one, I believe. Still doesn't change the rest of the statement.

 

xXToffeeXx~




#59 diaz209

  • Members
  • 28 posts
  • Gender:Male
  • Location:Jamaica

Posted 24 November 2013 - 01:07 AM

Hopefully all this money goes into their lawyer fees when the feds catch up with them.

This is the only ransomware I fear (just the loss of data).



#60 Scoop8

  • Members
  • 326 posts
  • Gender:Male
  • Location:Dallas TX

Posted 24 November 2013 - 11:14 AM



A cautionary tale: many, many years ago we faithfully backed up a server using Backup Exec, used many tapes over months, then one day we needed to restore. Unfortunately no one had ever tested the backups; Backup Exec had been misconfigured and there was no way to restore, all the tapes were useless.

 

So in addition to implementing a good backup plan, be sure to test your backup plan; if you can't restore, it's not much of a backup plan.

 

Good point. I test my backup cloned HDD after I complete the cloning process by installing it in my desktop PC (via SATA hot-swap racks) to ensure that it's a complete spare bootable HDD.

 

After reading about this ransomware stuff, I stepped up my backup plan by imaging (full-disk mode) and testing the images with the recovery process from bootable "Rescue" CD's.

 

I've been using Acronis 2011 for a couple of years, cloning every 4 weeks with the cloned HDD on the shelf, always disconnected from my PC. 

 

I also use the overnight incremental scheduler with Acronis to back up those handful of frequently edited/changed items, such as my Outlook *.PST data file, Quicken data file, and a few Excel files. Those items are also copied to a flash stick and another external HDD that's disconnected from the PC except when I run my "copy file" script.

 

I recently began using Macrium Reflect Free to image (full-disk) occasionally and test the images with the Recovery CD.

 

I have 2 spare HDD's on the shelf with one as my 4-week cloned HDD and the other for testing recovered images.

 

I'm running Norton AV alongside MBAM Pro (MalwareBytes) on both PC's, Desktop & Laptop.

 

I'm probably overdoing the backup scene but I'm lazy :), having once, years ago, had to do a disk wipe and re-install the OS and recover.  I did have my must-have items backed up though.

 

However, I don't like spending time reloading a HDD, OS. 

 



Hopefully all this money goes into their lawyer fees when the feds catch up with them.

This is the only ransomware I fear (just the loss of data).

 

If I could, I'd throw away the key.





