
Ransomware and Encryption.


6 replies to this topic

#1 Viper_Security

  • Members
  • 826 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 28 June 2016 - 03:13 PM

Hello Bleeping, I've heard many many many versions of ransomware stories, and it's getting frustrating, not only to computer professionals but to the victim as well.

 

I would like to start a project that:

A: Removes the infection

B: Attempts to unencrypt/decrypt files that may have been lost.

 

Would anyone like to pitch in?

It could take some man hours, and it probably won't be easy, but something needs to be done to at least attempt to counter these infections.


    IT Auditor & Security Professional


#2 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,579 posts
  • Gender:Male
  • Location:USA

Posted 28 June 2016 - 03:41 PM

I certainly agree something like that would be very helpful for victims, but there are some complications with trying to make a "one-size fits all" for both aspects that just makes it implausible. For one, malware removal is an in-depth process that is different for each infection; anyone from the Malware Response Team can definitely comment on that.

 

This is also the same for ransomware and encryption in general. You cannot just throw different decryption methods at a file and hope one will work. There are millions of ways to encrypt a file (different algorithms, libraries, settings, key exchanges/protections, key lengths, etc.), and each ransomware does it (or fails at it) differently. Each decrypter works differently as well - some use an exploit in the ransomware's implementation to brute-force or guess a key, some grab a registry key or hidden file, some require a clean copy of a file, some require being run on the same computer that was infected, etc. If you run the wrong tool on files, it may even corrupt data and make things worse.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
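As an added illustration of the warning above (example code written for this thread, not code from the forum, from ID Ransomware, or from any decrypter mentioned here): the safe pattern a decryption tool follows is to attempt decryption into memory, verify that the result actually looks like a real file (known magic bytes, or a byte-for-byte match against a clean copy when the victim has one), and only then write a recovered copy to a separate location, never overwriting the encrypted original. The cipher below is a constructed SHA-256 keystream stand-in for whatever a given family really uses; the keys, file names and plaintext are all made up for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Iterable, Optional

# --- Constructed stand-in cipher (NOT any real ransomware's scheme) ---------
# A simple XOR keystream derived from SHA-256(key || counter). It only exists
# so the example has something to "decrypt"; the workflow is what matters.
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


toy_decrypt = toy_encrypt  # XOR with the same keystream is its own inverse

# --- Plaintext validation ----------------------------------------------------
# Real file formats start with fixed signatures; a wrong key or wrong tool
# produces random-looking bytes that will not match any of them.
KNOWN_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "jpeg": b"\xff\xd8\xff",
}


def looks_like_known_file(data: bytes) -> Optional[str]:
    """Return the format name whose signature the data starts with, else None."""
    for name, magic in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def matches_clean_copy(candidate: bytes, clean_copy: bytes) -> bool:
    """Strongest check: the victim still has an unencrypted copy to compare against."""
    return hmac.compare_digest(candidate, clean_copy)


def try_decrypt(ciphertext: bytes, candidate_key: bytes,
                clean_copy: Optional[bytes] = None) -> Optional[bytes]:
    """Decrypt in memory and return the plaintext only if it passes validation."""
    plain = toy_decrypt(ciphertext, candidate_key)
    if clean_copy is not None:
        return plain if matches_clean_copy(plain, clean_copy) else None
    return plain if looks_like_known_file(plain) is not None else None


def recover_file(src_path: str, candidate_keys: Iterable[bytes], dst_dir: str) -> Optional[str]:
    """Try each candidate key; write a *copy* on success and leave the original untouched."""
    with open(src_path, "rb") as f:
        ciphertext = f.read()
    for key in candidate_keys:
        plain = try_decrypt(ciphertext, key)
        if plain is not None:
            out_path = os.path.join(dst_dir, os.path.basename(src_path) + ".recovered")
            with open(out_path, "wb") as f:
                f.write(plain)
            return out_path
    return None  # nothing validated, so nothing was written


# --- Constructed sample data -------------------------------------------------
SAMPLE_PLAINTEXT = KNOWN_MAGIC["png"] + b"constructed sample image bytes " * 4
RIGHT_KEY = b"constructed-right-key"
WRONG_KEY = b"constructed-wrong-key"
SAMPLE_CIPHERTEXT = toy_encrypt(SAMPLE_PLAINTEXT, RIGHT_KEY)


def demo_recovery() -> bool:
    """Run the workflow end to end in a temp dir; True if the recovered copy is
    correct and the encrypted original was left exactly as it was."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "photo.png.locked")  # constructed file name
        with open(src, "wb") as f:
            f.write(SAMPLE_CIPHERTEXT)
        out = recover_file(src, [WRONG_KEY, RIGHT_KEY], d)
        if out is None:
            return False
        with open(out, "rb") as f:
            recovered = f.read()
        with open(src, "rb") as f:
            untouched = f.read()
        return recovered == SAMPLE_PLAINTEXT and untouched == SAMPLE_CIPHERTEXT


if __name__ == "__main__":
    print("wrong key validates:", try_decrypt(SAMPLE_CIPHERTEXT, WRONG_KEY) is not None)
    print("right key validates:", try_decrypt(SAMPLE_CIPHERTEXT, RIGHT_KEY) == SAMPLE_PLAINTEXT)
    print("end-to-end recovery ok:", demo_recovery())
```

The magic-byte check is a heuristic (a few bytes can collide by chance, and many file types have no fixed signature), which is exactly why real decrypters so often ask for a clean copy of one encrypted file: `matches_clean_copy` turns the guess into a definite answer. Writing a `.recovered` copy rather than rewriting the original is what keeps a wrong tool from making things worse.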


#3 cybercynic

  • Members
  • 560 posts
  • Gender:Male
  • Location:Edge Of Tomorrow

Posted 28 June 2016 - 03:47 PM

Something is already being done to counter these infections. Demonslay335 and Blooddolly here at the Bleep, Fabian Wosar and xXToffeeXx at Emsisoft, Hasherezade at Malwarebytes and many others have been analyzing and cracking some of the ransomwares for some time. The problem is the malware keeps on coming in new iterations and variations - too many to keep up with, and in several cases, seemingly impossible to solve (for now). 


Edited by cybercynic, 28 June 2016 - 03:52 PM.

We are drowning in information - and starving for wisdom.


#4 xXToffeeXx (Bleepin' Polar Bear)

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 28 June 2016 - 03:56 PM

You'll have more chance if you manage to block the ransomware, rather than trying to clean up the mess after. It would also be a lot better as not every ransomware is decryptable, nor is it possible to always revert the damage.
 
Do you already have programming experience?
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#5 Viper_Security

  • Topic Starter
  • Members
  • 826 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 28 June 2016 - 04:38 PM

Quoting xXToffeeXx:

You'll have more chance if you manage to block the ransomware, rather than trying to clean up the mess after. It would also be a lot better as not every ransomware is decryptable, nor is it possible to always revert the damage.

Do you already have programming experience?

xXToffeeXx~

Some, yes: in Python 2, some Ruby, some Rails, and very little HTML+CSS.

I'm not too interested in C/C++, but if I have to I could learn it.

 

And I know one size does not fit all, but I was thinking of ADDING a key or something similar (e.g. RC5 with a SHA1 checksum or something like that).

And yes, of course it is better to be protected before you browse the internet, but some still don't understand that even ads can run scripts and start a silent background install/execute.

 

Like a SOMEWHAT universal Decrypter.

 

Obviously one person can not do all of that, so I'd like to put all the heads we can possibly get together and brainstorm.

 

I understand not all malware is decryptable because of the different variations, as you had mentioned.

I'd just like to make it easier for everyone. haha.


    IT Auditor & Security Professional



#6 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,937 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 June 2016 - 06:54 AM

Crypto malware ransomware is typically programmed to automatically remove itself (the malicious files responsible for the infection) after the encrypting is done, since they are no longer needed. The encrypted files do not contain malicious code, so they are safe. Unfortunately, most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. As such, they don't know how long the malware was on the system before being alerted or if other malware was installed along with the ransomware. If other malware was involved it could still be present, so scans with security software like Malwarebytes Anti-Malware and Emsisoft Anti-Malware should be performed.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#7 BaronCardinal

  • Members
  • 22 posts
  • Gender:Male

Posted 29 June 2016 - 09:08 AM

It's almost too bad one can not pull a Jedi mind trick and trick the malware into removing itself. That would be cool.
