Anything related to computer forensics (new section!)

Cryptolocker

December 14th, 2015, 5:39

Not sure which forum this issue fits in, so I'm posting it here. Please move the thread if it's in the wrong place.

A customer of mine just called and said she was about to open a link in a mail from Postnord (the postal service in Sweden), but apparently it was a scam-mail and now her computer (unfortunately the one she runs her business with) is locked down with Cryptolocker.

I have zero knowledge of this ransomware. The only thing I know about it is that it encrypts, obviously, all your files and requires a ransom sum to be paid.

Does anyone in here have experience with CL and can point me in some directions?

Re: Cryptolocker

December 14th, 2015, 6:33

viewtopic.php?f=1&t=32507

Re: Cryptolocker

December 14th, 2015, 6:52

If it is Cryptolocker 3 or 4, IMHO she is S.O.L. Most of the newer variants are not solved. At a recent conference, law enforcement, I think the FBI, said it was a valid solution to pay these lowlife rock-spiders.

Have a look at the ransom files and do a search on the web to find out exactly which variant it is. This is important to know for any possible chance at decryption. Some older ones have flaws allowing them to be decrypted.

I would advise imaging all affected disks ASAP so things are not tainted in case a solution presents itself. TeslaCrypt, Cryptolocker, Cryptowall... all slightly different, but I think all have no solution.

A bit of shutting the gate after the horse has bolted... but here are some tips to protect yourself.

1. Have a well thought out backup strategy of, at the VERY LEAST, your important files.

2. DON'T leave backup drives always connected, or accessible, or drives mapped, etc... if YOU can access the backups now on your PC, so can the MALWARE!

3. Have a read of some sites like http://support.kaspersky.com/10953

4. If you don't know how to back up or think it is a challenge... GET SOME HELP. It can be done and is probably not too bad once you get a few pointers.

5. Spend some time thinking about your IT footprint. This means "what computer stuff have I really got?" You might be surprised. If you would be upset/hurt/devastated, or your business impacted, if your computers or disks were to be stolen or destroyed, then you must also get moving on a backup plan against this virus. I have a portable hard disk here full of encrypted files and ransom demands. This drive is essentially useless, and the files may as well have been destroyed in a fire.

6. Get malware protection. This malware has gotten past many good malware security products, but it does also stop some. Be extremely wary opening attachments. If you have malware protection, ALWAYS save the attachment to disk before opening it. Malware security should catch it at this stage.

7. RED FLAGS:
- files that end in double extensions: file.zip.exe, file.pdf.exe, etc.
- weird "account" emails from banks, the post, the tax office or other services asking you for some action like overdue accounts, resumes, vague stuff like "here are the pics you asked for", and from senders you can match to the email. IF you have any doubts it is legit, and it has an attachment, then it is probably dodgy.
- vague emails asking you to click on a link.
- out of the ordinary stuff, strange looking or generic sounding names, etc.

8. Use VirusTotal: https://www.virustotal.com/ This is a free site. It can scan your file/attachment and URLs, test them against many virus scanners, and see if it has been detected as malware. Obviously a brand new file that's never been detected won't show up, but this site can also analyse what a file does when run.
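HaQue's point about imaging the affected disks before anything else, as an added example that is not code from this thread. On a real case the source would be the raw block device (for instance /dev/sdb on Linux) behind a hardware write blocker, and most people would reach for dd or dcfldd; the script below shows the same essential steps in Python: copy every byte, hash the source as it is read, write the digest beside the image in sha256sum's format, and re-hash the image afterwards to prove it matches. The "device" here is a constructed temporary file of random bytes, deliberately not chunk-aligned, and the tamper option flips one byte to show the verification actually fails when the image is touched.

```python
"""Raw-image a disk and record a hash, so the copy can be proven untouched later.

Added example for this thread, not code posted by anyone in it. The sample
"device" is a constructed temp file; on a real case pass a block device path.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB; a multiple of any sector size


def image_device(source_path, image_path, chunk=CHUNK):
    """Copy source_path to image_path byte for byte.

    Returns (bytes_copied, sha256_of_source). The digest is written next to the
    image as image_path + '.sha256' so `sha256sum -c` can check it later.
    """
    h = hashlib.sha256()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            h.update(block)
            dst.write(block)
            total += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # do not trust the page cache with evidence
    digest = h.hexdigest()
    with open(image_path + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(image_path)}\n")
    return total, digest


def sha256_file(path, chunk=CHUNK):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path):
    """Re-hash the image and compare with the digest recorded at acquisition."""
    with open(image_path + ".sha256") as f:
        recorded = f.read().split()[0]
    return sha256_file(image_path) == recorded


def demo(tamper=False):
    """Image a constructed 'device'; optionally flip one byte of the image afterwards.

    Returns (bytes_copied, verify_ok).
    """
    tmp = tempfile.mkdtemp()
    device = os.path.join(tmp, "sdb")  # constructed stand-in for /dev/sdb
    image = os.path.join(tmp, "sdb.dd")
    with open(device, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))  # not chunk-aligned on purpose
    size, digest = image_device(device, image)
    if tamper:
        with open(image, "r+b") as f:
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0xFF]))
    ok = verify_image(image) and digest == sha256_file(device)
    return size, ok


if __name__ == "__main__":
    print(demo(), demo(tamper=True))
```

Keep the .sha256 file with the image and work only on copies of the image from then on; if a decryptor does turn up months later, the recorded digest is what lets you show the data it ran on is the data that was on the disk.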

Re: Cryptolocker

December 14th, 2015, 10:54

Great advice, HaQue! On item 7: Microsoft ships all their products with "view known extensions" off. Turn "view file name extensions" on now so you are not tricked by the double extensions. I can think of no reason to ever turn them off!
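A first-look triage script, added here as an example and not code from anyone in the thread. It automates three of the checks raised above: HaQue's advice to look at the ransom files and the renamed files to work out which variant you have, the double-extension red flag (file.pdf.exe), and the point in the reply above that a Windows box with "Hide extensions for known file types" left at its default shows invoice.pdf.exe as invoice.pdf. The keyword and extension lists are heuristics chosen for this example, not an authoritative indicator database; the sample folder is constructed, and the ".xxxx" suffix in it is a placeholder for whatever a given family appends.

```python
"""First-look triage of a folder after a suspected ransomware hit.

Added example for this thread, not code posted in it. Tally extensions and pick
out the suffix the malware appended (report.docx.xxxx style), list files whose
names look like ransom notes, and flag double-extension lures. The word and
extension lists below are this example's own heuristics.
"""
import os
import re
import tempfile
from collections import Counter

NOTE_WORDS = re.compile(r"decrypt|restore|recover|ransom|how_?to|help|readme|instruction", re.I)
NOTE_EXTS = {".txt", ".html", ".htm", ".url", ".png", ".bmp"}
RUNNABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".wsf", ".hta", ".lnk", ".ps1"}
DOC_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
            ".jpg", ".jpeg", ".png", ".zip", ".txt"}


def split_two(name):
    """'report.docx.xxxx' -> ('.docx', '.xxxx'); 'a.txt' -> ('', '.txt')."""
    root, last = os.path.splitext(name.lower())
    _, inner = os.path.splitext(root)
    return inner, last


def is_double_extension_lure(name):
    """Document-looking extension immediately followed by a runnable one."""
    inner, last = split_two(name)
    return inner in DOC_LIKE and last in RUNNABLE


def looks_like_ransom_note(name):
    stem, last = os.path.splitext(name)
    return last.lower() in NOTE_EXTS and bool(NOTE_WORDS.search(stem))


def appended_marker(names):
    """Most common suffix tacked onto a document extension, with its count.

    Families that rename victim files tend to append one fixed suffix to all of
    them; that suffix is the quickest web search term for identifying the
    variant. Returns None if nothing fits the pattern.
    """
    c = Counter()
    for n in names:
        inner, last = split_two(n)
        if inner in DOC_LIKE and last and last not in DOC_LIKE | RUNNABLE:
            c[last] += 1
    return c.most_common(1)[0] if c else None


def triage(root):
    names = [f for _, _, files in os.walk(root) for f in files]
    return {
        "file_count": len(names),
        "extensions": Counter(os.path.splitext(n.lower())[1] for n in names),
        "marker": appended_marker(names),
        "notes": sorted(n for n in names if looks_like_ransom_note(n)),
        "lures": sorted(n for n in names if is_double_extension_lure(n)),
    }


def demo():
    """Build a constructed sample folder and triage it."""
    root = tempfile.mkdtemp()
    sample = [  # constructed; '.xxxx' stands in for whatever the family appends
        "report.docx.xxxx", "photo.jpg.xxxx", "budget.xlsx.xxxx",
        "invoice.pdf.exe",          # the lure that started it
        "HELP_RESTORE_FILES.txt",   # ransom-note style names
        "how_to_recover.html",
        "normal.txt", "notes.docx",
    ]
    for n in sample:
        with open(os.path.join(root, n), "wb") as f:
            f.write(b"x")
    return triage(root)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it against a copy of the user's profile, not the live disk, and take the "marker" suffix plus the note file names to a web search or VirusTotal; that combination is usually enough to name the family and find out whether a decryptor exists for it.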

Re: Cryptolocker

December 15th, 2015, 3:39

Thank you HaQue for the excellent pointers. This issue has luckily come to a good end.

Story time: the customer in question paid me a visit earlier this year (March/April) with a crashed hard drive. I was able to reconstruct all of its data, and this accident made her aware of the importance of backups. Since then, she had made weekly backups of everything, meaning she had a 3-day-old fresh backup of the contents of the computer that got infected with this Cryptolocker-wannabe.

I advised her to factory reset the infected computer (Google said it can spread to other machines in her network), so what she did was wipe everything out and restore the backups. Only minor changes during 1-2 days were lost, but this was no biggie.

So this malware was a win-win: she had backups, and I am now more aware of the malware. I had only heard about it earlier, but now I have a first person experience of it.

Re: Cryptolocker

December 15th, 2015, 6:09

Nice, great to have it in black and white about the value of good backups. Thanks for the post!!

I have just heard a little more about these. Now targeting mobile devices, Macs and Linux servers. While encrypting a web server dir should be no issue (everyone has a backup of this, right?), just think of the complexities of some websites that you might not have thought of.

Malware targeting shopping cart systems can bring your site down for a few days while you unravel the mess. I have seen many e-stores that are so hodge-podge it is a miracle they keep running. Imagine losing 2-7 days over Xmas when your revenue relies on it.

The malware can target vulnerabilities in many things: forums, databases, web forms, etc. SQL injection and cross site scripting, bugs in software and OSes, misconfigurations and users falling for social engineering. There are millions of servers out there. Millions of mobile devices and still millions of PCs and laptops.

Don't think that this stuff just comes in an email with terrible grammar and a dodgy looking attachment. In some instances you don't even need to open anything, just be visiting the wrong page at the wrong time. And not even dodgy torrent sites or porn or whatever: legitimate sites hacked by criminals. The criminals are constantly changing their tactics to infect more, always really thinking about how they go about it, putting in as much effort as any university student doing an honours degree. Now think... are YOU putting that much effort into protecting yourself (or any at all)? NO? Then already the odds are never in your favour.

Sure, many criminals will be taken down by law enforcement because personal OpSec is EXTREMELY hard... but the trail of destruction because of automated scripts and the ability to do a lot with a small budget makes this type of crime more heinous than ever.

Personally, I think this kind of crime needs some high level action. Some smart people that have some ideas on how to combat this at large scale need to get together.

Re: Cryptolocker

January 10th, 2016, 3:47

Good article:
The current state of ransomware: TeslaCrypt
https://blogs.sophos.com/2016/01/06/the ... eslacrypt/

Re: Cryptolocker

January 10th, 2016, 5:48

databack wrote:
Good article:
The current state of ransomware: TeslaCrypt
https://blogs.sophos.com/2016/01/06/the ... eslacrypt/


Hi,
Very advanced form of virus this is, sir. The article was an excellent read. Thanks for this article.

Re: Cryptolocker

January 11th, 2016, 6:01

Actually there is solution for TeslaCrypt. And a very good one I might say.

Re: Cryptolocker

January 11th, 2016, 6:15

So, for how long do you plan to pull our legs? :)

Re: Cryptolocker

January 11th, 2016, 9:23

northwind wrote:
Actually there is solution for TeslaCrypt. And a very good one I might say.

The article, posted just a week ago, says "Sadly, there’s not much you can do to get your files back except to pay the ransom – the encryption is too strong to crack." so we would all be interested in a solution, I'm sure.

Re: Cryptolocker

January 11th, 2016, 11:35

LarrySabo wrote:
northwind wrote:
Actually there is solution for TeslaCrypt. And a very good one I might say.

The article, posted just a week ago, says "Sadly, there’s not much you can do to get your files back except to pay the ransom – the encryption is too strong to crack." so we would all be interested in a solution, I'm sure.


Well, not THAT strong :mrgreen:

Re: Cryptolocker

January 11th, 2016, 11:58

Even FBI says it's too strong and recommends to pay.

Re: Cryptolocker

January 11th, 2016, 14:19

northwind wrote:
Actually there is solution for TeslaCrypt. And a very good one I might say.


It's true :-)

Re: Cryptolocker

January 11th, 2016, 17:50

No chance for any hints on this? By PM for instance?

Re: Cryptolocker

January 11th, 2016, 18:12

LarrySabo wrote:
northwind wrote:
Actually there is solution for TeslaCrypt. And a very good one I might say.

The article, posted just a week ago, says "Sadly, there’s not much you can do to get your files back except to pay the ransom – the encryption is too strong to crack." so we would all be interested in a solution, I'm sure.

Regarding TeslaCrypt, a new version appeared in early December 2015. So are people saying there is an available tool/method to decrypt it out there? Are we talking about the same versions?

Re: Cryptolocker

January 11th, 2016, 19:12

Is this the Cisco solution? If so there are still quite a few caveats.

Re: Cryptolocker

February 5th, 2016, 9:53

Do some of you know what happened to the decryptcryptolocker website?
http://www.decryptcryptolocker.com

Seems to be offline now :(

Re: Cryptolocker

February 5th, 2016, 12:02

michael chiklis wrote:
Do some of you know what happened to the decryptcryptolocker website?
http://www.decryptcryptolocker.com

Seems to be offline now :(

Funny, I was looking for them a couple of weeks ago... just for resources. Apparently they pulled the site as they felt enough time had passed that it was no longer relevant.

Re: Cryptolocker

February 5th, 2016, 14:39

This means that now if someone gets infected even by an old Cryptolocker version then he wouldn't be able to get his data back.
This is sad!