
Ransomware just pay them is the FBI's current advice


28 replies to this topic

#1 dannyboy950

dannyboy950

  • Members
  • 1,338 posts
  • OFFLINE
  • Gender:Male
  • Location:port arthur tx
  • Local time:02:38 AM

Posted 26 October 2015 - 07:00 PM

I just read a news article, and that is basically what the FBI is saying in that news article.

They admit they have no current guaranteed solution. Just pay up.


HP 15-f009wm notebook AMD-E1-2100 APV 1Ghz Processor 8 GB memory 500 GB Hdd

Linux Mint 17.3 Rosa Cinnamon




#2 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  • Gender:Male
  • Location:::1
  • Local time:04:38 AM

Posted 27 October 2015 - 01:45 AM

I just read a news article, and that is basically what the FBI is saying in that news article.

They admit they have no current guaranteed solution. Just pay up.

 

Of course there's no guaranteed solution.  The threat landscape grows in sophistication at an exponential rate; it is virtually impossible for us "good guys" to keep up with the enemies.  Attackers, specifically those that author and distribute crypto-ransomware, utilize very secure crypto algorithms when developing their ransomware to minimize the chance of an "easy way out" being discovered; thus, increasing the likelihood that their victims will be inclined to pay their ransom.

 

The issue is that most organizations are not addressing the underlying issues in their environments; simply saying "pay the ransom" is basically throwing a white flag out and telling the attackers that they win.  InfoSec is a huge lacking point in several (dare I say most) large orgs, hence why many do simply choose to go the easy route and pay the ransom...  What needs to be done, to effectively thwart the efforts of these attackers, is addressing each area of information security, rather than placing all of the weight on technical security controls.

 

Yes -- technical security controls are wonderful; fine-tuned IPS', for example, are wonderful.  But we need to start looking at the operational/administrative side of things.  We need to start implementing policies and procedures that will greatly increase our orgs' security posture.  More importantly, rather than simply implementing a policy and/or procedure, where most orgs fail, we must ENFORCE these policies and procedures.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:38 AM

Posted 27 October 2015 - 01:20 PM

Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. The more people pay the ransom, the more the attackers are encouraged to keep creating ransomware for financial gain.

As White Hat Mike notes...there is no guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

With that said...We understand some folks may feel they have no other alternative but to take a chance and pay the ransom in hopes of recovering irreplaceable photos and other personal or important data. That is a choice and a decision each affected victim will have to make for themselves. We will not make any judgments for doing so.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#4 dannyboy950

dannyboy950
  • Topic Starter

  • Members
  • 1,338 posts
  • OFFLINE
  • Gender:Male
  • Location:port arthur tx
  • Local time:02:38 AM

Posted 27 October 2015 - 05:11 PM

Oh I mostly agree but I am waiting for the other shoe to drop.

Namely those who will take advantage of this growing fear, pretending in some way to have encrypted the files, or simply having moved and hidden them, without having to spend the time and effort to actually encrypt already-encrypted files to a different encryption key.

 

That's the next scenario I see on the horizon.




#5 CodeSmasha

CodeSmasha

  • Banned
  • 524 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:38 PM

Posted 27 October 2015 - 05:45 PM

That is why I'm dissecting CryptoWall 3.0



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:38 AM

Posted 27 October 2015 - 06:16 PM

...I am waiting for the other shoe to drop.
Namely those who will take advantage of this growing fear, pretending in some way to have encrypted the files, or simply having moved and hidden them, without having to spend the time and effort to actually encrypt already-encrypted files to a different encryption key.

That's the next scenario I see on the horizon.

We have already seen something like that a few years ago. A side effect of the HDDDefragmenter family of rogue software was to hide all the files on a fixed disk by adding the hidden attribute (attrib +H) to the files. This made the files appear invisible, so the user thought that all of their files had been deleted. Grinler, the site owner of BC, created Unhide.exe to restore the hidden files.

#7 dannyboy950

dannyboy950
  • Topic Starter

  • Members
  • 1,338 posts
  • OFFLINE
  • Gender:Male
  • Location:port arthur tx
  • Local time:02:38 AM

Posted 27 October 2015 - 08:40 PM

Unhide.exe was his puppy??  I had heard of it but did not realize he made it.




#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:38 AM

Posted 27 October 2015 - 08:46 PM

Complete set of tools written/published by Bleeping Computer (Grinler)

#9 CodeSmasha

CodeSmasha

  • Banned
  • 524 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:38 PM

Posted 27 October 2015 - 08:48 PM

A very nice gentleman he is.



#10 JIMMYNEMESIS

JIMMYNEMESIS

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:Pincourt,Montreal,QC,CANADA
  • Local time:04:38 AM

Posted 29 October 2015 - 11:12 AM

OK, so I paid the ransomware! I got the public key, the private key and the decrypter, but once I started the decrypt program this came up! Anyone have any clue? Please help

[attached screenshot: whatisthatmean.png]

Also, if I have to turn off all antivirus and all of Defender, how can we be sure that this app does not infect, because all virus/malware programs detect that it has a threat...

Does anyone know if this decrypt.exe, once it works and finishes decrypting, leaves any seed behind??

> OK, so now basically I had to browse manually each HDD that was encrypted > >> working now, decrypting; 'verified' indeed files are decrypted
I'm currently decrypting over 17TB of files, over 500 000 data > will give back an update if successfully 100% all decrypted

.... it is sad to say, but if you got no backup, no shadow, no restore, no nothing ... and your data is worth paying for,

then pay asap and get your files back ... make a backup, wipe clean your HDD ...

"legit pirate taking your files hostage, but they kept their word on negotiation to release once you pay"


Edited by JIMMYNEMESIS, 29 October 2015 - 11:31 AM.


#11 Minette

Minette

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:38 AM

Posted 29 October 2015 - 11:31 AM

Hi all, I hope someone can help me.

My situation is as follows: A few days ago, I noticed that I couldn't open most of my jpeg files. I also started to notice that my emails were all "gobbledygook". I use Windows Mail, so all emails are stored on my computer.

I started investigating, and found the 4 cryptowall files in 1206 folders on my computer. Searching the internet, I found that this was caused by ransomware called cryptowall. 

I do not have money to pay the ransom, but I desperately need my files back. The first thing I did, was to run a scan using AVG and the virus was found and apparently secured. I also installed spyhunter as advised on some forums. 

Then, I installed and ran listcwall, but it found no encrypted files. I know they are there, as I can see my jpeg, word and email files are encrypted. I haven't been able to check other file types. So I don't know how many files or which ones are affected - but I know it's in 1206 folders, as that's how many folders contain the 4 cryptowall files. 

Looking at all the forums, I cannot figure out if anyone has yet managed to find a way of decrypting cryptowall files. 

So, if possible, I have 2 questions. One, how can I find out how many and which files are affected? Two, does anyone know if there's any way of decrypting and recovering these files? 

 


#12 JIMMYNEMESIS

JIMMYNEMESIS

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Location:Pincourt,Montreal,QC,CANADA
  • Local time:04:38 AM

Posted 29 October 2015 - 12:05 PM

 

Hi all, I hope someone can help me.

My situation is as follows: A few days ago, I noticed that I couldn't open most of my jpeg files. I also started to notice that my emails were all "gobbledygook". I use Windows Mail, so all emails are stored on my computer.

I started investigating, and found the 4 cryptowall files in 1206 folders on my computer. Searching the internet, I found that this was caused by ransomware called cryptowall. 

I do not have money to pay the ransom, but I desperately need my files back. The first thing I did, was to run a scan using AVG and the virus was found and apparently secured. I also installed spyhunter as advised on some forums. 

Then, I installed and ran listcwall, but it found no encrypted files. I know they are there, as I can see my jpeg, word and email files are encrypted. I haven't been able to check other file types. So I don't know how many files or which ones are affected - but I know it's in 1206 folders, as that's how many folders contain the 4 cryptowall files. 

Looking at all the forums, I cannot figure out if anyone has yet managed to find a way of decrypting cryptowall files. 

So, if possible, I have 2 questions. One, how can I find out how many and which files are affected? Two, does anyone know if there's any way of decrypting and recovering these files?


Sorry to hear ... you can find encrypted files manually by opening each folder and checking inside whether the file can be opened...

1. Impossible to decrypt without the private key or public key (don't waste your time on it, trust me, I went through it all)
2. Try to delete all virus threats and wipe the drive clean and replace with a backup (if you have one), or do a system restore to a date before the infection for all drives
( important: keep your personal link code page from the infection on how to decrypt by paying; the timer doesn't start if you didn't go onto your code page )

3. None of the recovery programs recover what was encrypted ( you can give it a try )
4. READ THIS POST to learn more on CryptoWall 3 and how to recover http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
5. It is sad to say, but if you got no backup, no shadow, no restore, no nothing can be done, and your data is worth everything,

then pay asap and get your files back ... find a way to get the money and buy bitcoin asap !



#13 RolandJS

RolandJS

  • Members
  • 4,521 posts
  • OFFLINE
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:03:38 AM

Posted 29 October 2015 - 12:05 PM

Minette, it's better and faster if you start a separate thread in the Am I infected? forum.  And, I hope you find the solutions!


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#14 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:09:38 AM

Posted 29 October 2015 - 12:19 PM

Just to add, Grinler created a utility called ListCWall that can list the files encrypted by CryptoWall 3.0 by extracting information from its registry key. Be aware that it will fail if you did a System Restore to before the infection occurred, or if your AV/AM removed the key.


There is no way to recover the files without paying the ransom, unfortunately. You can try looking for shadow copies or use data recovery tools, but these are not 100% guaranteed.
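Minette asked how to find out how many and which files are affected, and Sintharius notes above that ListCWall depends on the ransomware's registry key, which a System Restore or an AV clean-up may already have removed. The following is an added triage example, not ListCWall and not BleepingComputer's code: it answers the question from file contents alone, flagging files whose leading bytes no longer match their extension and, for extensions without a known signature, files whose content is near-random (high entropy). It also counts the folders that carry a ransom note. The ransom-note name prefix `HELP_DECRYPT.` is an assumption for CryptoWall 3.0 and should be adjusted to the variant at hand; the sample directory tree is constructed inside the script so it runs offline.

```python
"""Content-based triage of a folder tree after a crypto-ransomware infection.

Added example (not ListCWall, not BleepingComputer code). It does not need
the ransomware's registry key: it looks at the files themselves.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes ("magic numbers") that intact files of these types begin with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),   # Office Open XML files are ZIP containers
    ".zip": (b"PK\x03\x04",),
}

# Ransom-note name prefix treated as the marker of a touched folder.
# ASSUMPTION: CryptoWall 3.0 drops HELP_DECRYPT.*; adjust for other variants.
NOTE_PREFIX = "HELP_DECRYPT."

# Files without a known signature are flagged when a content sample of at
# least MIN_SAMPLE bytes has entropy above ENTROPY_LIMIT bits per byte.
MIN_SAMPLE = 256
ENTROPY_LIMIT = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for perfectly uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """'intact' (signature matches), 'mismatch' (known type, wrong header),
    or 'unknown' (no signature known for this extension)."""
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is None:
        return "unknown"
    with path.open("rb") as fh:
        head = fh.read(16)
    return "intact" if any(head.startswith(s) for s in sigs) else "mismatch"


def scan(root: Path) -> dict:
    """Walk root and report note folders, header mismatches and suspect unknowns."""
    result = {"note_folders": [], "mismatch": [], "suspect_unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        if any(f.upper().startswith(NOTE_PREFIX) for f in files):
            result["note_folders"].append(folder)
        for name in files:
            if name.upper().startswith(NOTE_PREFIX):
                continue  # the note itself is not a victim file
            path = folder / name
            verdict = classify(path)
            if verdict == "mismatch":
                result["mismatch"].append(path)
            elif verdict == "unknown":
                sample = path.read_bytes()[:4096]
                if len(sample) >= MIN_SAMPLE and shannon_entropy(sample) > ENTROPY_LIMIT:
                    result["suspect_unknown"].append(path)
    return result


def build_sample_tree() -> Path:
    """Constructed sample data: an intact JPEG, a JPEG whose content was
    replaced by random bytes, a .dat file of random bytes, a plain text file,
    and one ransom note. Not real victim data."""
    root = Path(tempfile.mkdtemp(prefix="cw_triage_"))
    pictures = root / "Pictures"
    pictures.mkdir()
    (pictures / "intact.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 100)
    (pictures / "holiday.jpg").write_bytes(os.urandom(2048))
    (pictures / "HELP_DECRYPT.TXT").write_text("constructed ransom note\n")
    (root / "ledger.dat").write_bytes(os.urandom(4096))
    (root / "notes.txt").write_text("plain text, no known signature\n")
    return root


if __name__ == "__main__":
    report = scan(build_sample_tree())
    print(f"folders with a ransom note : {len(report['note_folders'])}")
    print(f"files with a wrong header   : {len(report['mismatch'])}")
    print(f"high-entropy unknown files  : {len(report['suspect_unknown'])}")
    for p in report["mismatch"] + report["suspect_unknown"]:
        print("  affected:", p)
```

Run it against a real tree by replacing `build_sample_tree()` with the drive root and redirecting the output to a file; that list is what a recovery or backup-restore effort has to cover. The header check is the reliable signal (an intact JPEG always starts with `FF D8 FF`), while the entropy check is a heuristic and will also flag legitimately compressed or already-encrypted files, so treat its hits as candidates to verify rather than a final count.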

#15 Minette

Minette

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:38 AM

Posted 29 October 2015 - 12:40 PM

Sorry, will start a new topic now, although I know that I am definitely infected. Thanks