 Post subject: Cryptolocker
PostPosted: December 14th, 2015, 5:39 

Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
Not sure which forum this issue fits in, so I post it here. Please move the thread if it's in the wrong place.

A customer of mine just called and said she was about to open a link in a mail from Postnord (the postal service in Sweden), but apparently it was a scam-mail and now her computer (unfortunately the one she runs her business with) is locked down with Cryptolocker.

I have zero knowledge of this ransomware. The only thing I know about it is that it encrypts, obviously, all your files and requires a ransom sum to be paid.

Does anyone here have experience with CL who can point me in some directions?


 Post subject: Re: Cryptolocker
PostPosted: December 14th, 2015, 6:33 

Joined: March 19th, 2015, 15:01
Posts: 1387
Location: isreal
viewtopic.php?f=1&t=32507


 Post subject: Re: Cryptolocker
PostPosted: December 14th, 2015, 6:52 

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
If it is Cryptolocker 3 or 4, IMHO she is S.O.L. Most of the newer variants are not solved. At a recent conference, law enforcement, I think the FBI, said it was a valid solution to pay these lowlife rock-spiders.

Have a look at the ransom files and do a search on the web to find out exactly which variant it is. This is important to know for any possible chance at decryption. Some older ones have flaws allowing them to be decrypted.

I would advise imaging all affected disks ASAP so things are not tainted in case a solution presents itself. TeslaCrypt, Cryptolocker, Cryptowall... all slightly different, but I think all have no solution.

A bit of shutting the gate after the horse has bolted... but here are some tips to protect yourself.

1. Have a well thought out backup strategy of, at the VERY LEAST, your important files.

2. DON'T leave backup drives always connected, or accessible, or drives mapped etc... if YOU can access the backups now on your PC, so can the MALWARE!

3. Have a read of some sites like http://support.kaspersky.com/10953

4. If you don't know how to back up or think it is a challenge... GET SOME HELP - it can be done and is probably not too bad once you get a few pointers.

5. Spend some time thinking about your IT footprint - this means "what computer stuff have I really got?" You might be surprised. If you would be upset/hurt/devastated or business impacted if your computers or disks were to be stolen or destroyed, then you must also get moving on a backup plan against this virus. I have a portable hard disk here full of encrypted files and ransom demands. This drive is essentially useless, and the files may as well have been destroyed in a fire.

6. Get malware protection - this malware has gotten past many good malware security products, but it does also get stopped by some. Be extremely wary opening attachments. If you have malware protection, ALWAYS save the attachment to disk before opening it. Malware security should catch it at this stage.

7. RED FLAGS:
- files that end in double extensions: file.zip.exe, file.pdf.exe etc.
- weird "account" emails from banks, post, tax office, other services asking you for some action like overdue accounts, resumes, vague stuff like "here are the pics you asked for", and from senders you can't match to the email. IF you have any doubts it is legit, and it has an attachment, then it is probably dodgy.
- vague emails asking you to click on a link.
- out of the ordinary stuff, strange looking or generic sounding names etc.

8. Use VirusTotal: https://www.virustotal.com/ This is a free site. It can scan your file / attachment and URLs against many virus scanners and see if it has been detected as malware. Obviously a brand new file that's never been detected won't show up, but this site can also analyse what a file does when run.


 Post subject: Re: Cryptolocker
PostPosted: December 14th, 2015, 10:54 
Offline

Joined: February 13th, 2010, 9:44
Posts: 208
Location: san diego, ca.
Great advice, HaQue! On item 7: Microsoft ships all their products with "view known extensions" off. Turn "view file name extensions" on now so you are not tricked by the double extensions. I can think of no reason to ever turn them off!


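To put item 7 of HaQue's list and the reply above about hidden extensions in one place, here is an added example (written for this thread, not code from any poster) that shows how Explorer's "hide extensions for known file types" makes a double-extension name look like a document, and flags such attachment names before anyone double-clicks them. The extension lists and the sample file names are constructed for the example and are not exhaustive.

```python
import os

# Constructed lists for this example (not exhaustive): extensions Windows runs
# directly, and document/archive extensions typically used as the decoy half
# of a double extension such as file.pdf.exe or file.zip.exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".wsf"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip", ".jpg", ".png", ".txt"}


def split_exts(name):
    """All extensions of a file name, lower-cased: 'Invoice.PDF.exe' -> ['.pdf', '.exe']."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def as_explorer_shows(name):
    """Name as Explorer displays it with 'Hide extensions for known file types' on:
    only the final extension is hidden, so 'Invoice.pdf.exe' is shown as 'Invoice.pdf'."""
    base = os.path.basename(name)
    root, ext = os.path.splitext(base)
    return root if ext else base


def flag_attachment(name):
    """Return a reason string if the name is a red flag, else None."""
    exts = split_exts(name)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return ("double extension: displayed as '%s' but runs as %s"
                % (as_explorer_shows(name), exts[-1]))
    return "executable attachment (%s)" % exts[-1]


def triage(names):
    """Map each flagged attachment name to its reason; clean names are omitted."""
    return {n: flag_attachment(n) for n in names if flag_attachment(n)}


if __name__ == "__main__":
    # Constructed sample attachment names, as they might arrive in a mailbox.
    sample = ["Invoice.PDF.exe", "pics.zip", "holiday_pics.jpg.scr",
              "setup.exe", "report.docx"]
    for name, reason in triage(sample).items():
        print("%-24s %s" % (name, reason))
```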
 Post subject: Re: Cryptolocker
PostPosted: December 15th, 2015, 3:39 
Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
Thank you HaQue for the excellent pointers. This issue has luckily come to a good end.

Story time: the customer in question paid me a visit earlier this year (March / April) with a crashed hard drive. I was able to reconstruct all of its data, and this accident made her aware of the importance of backups. Since then, she had made weekly backups of everything, meaning she had a 3-day-old fresh backup of the contents of the computer that got infected with this Cryptolocker-wannabe.

I advised her to factory reset the infected computer (Google said it can spread to other machines in her network), so what she did was wipe everything out and restore the backups. Only minor changes during 1-2 days were lost, but this was no biggie.

So this malware was a win-win: she had backups, and I am now more aware of the malware. I had only heard about it earlier, but now I have first-person experience of it.


 Post subject: Re: Cryptolocker
PostPosted: December 15th, 2015, 6:09 
Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
Nice, great to have it in black and white about the value of good backups. Thanks for the post!!

I have just heard a little more about these. Now targeting mobile devices, Macs and Linux servers. While encrypting a web server dir should be no issue (everyone has a backup of this, right?), just think of the complexities of some websites that you might not have thought of.

Malware targeting shopping cart systems can bring your site down for a few days while you unravel the mess. I have seen many e-stores that are so hodge-podge it is a miracle they keep running. Imagine losing 2 - 7 days over Xmas when your revenue relies on it.

The malware can target vulnerabilities in many things: forums, databases, web forms, etc. SQL injection and cross site scripting, bugs in software and OSs, misconfigurations and users falling for social engineering. There are millions of servers out there. Millions of mobile devices and still millions of PCs and laptops.

Don't think that this stuff just comes in an email with terrible grammar and a dodgy looking attachment. In some instances you don't even need to open anything, just be visiting the wrong page at the wrong time. And not even dodgy torrent sites or porn or whatever - legitimate sites hacked by criminals. The criminals are constantly changing their tactics to infect more, always really thinking about how they go about it, putting in as much effort as any university student doing an honours degree. Now think... are YOU putting that much effort into protecting yourself (or any at all?)?? NO? Then already the odds are never in your favour.

Sure, many criminals will be taken down by law enforcement because personal OpSec is EXTREMELY hard... but the trail of destruction because of automated scripts and the ability to do a lot with a small budget makes this type of crime more heinous than ever.

Personally, I think this kind of crime needs some high level action. Some smart people that have some ideas on how to combat this at large scale need to get together.


 Post subject: Re: Cryptolocker
PostPosted: January 10th, 2016, 3:47 
Joined: February 13th, 2014, 12:13
Posts: 166
Location: Isfahan
Good article:
The current state of ransomware: TeslaCrypt
https://blogs.sophos.com/2016/01/06/the ... eslacrypt/

_________________
Phoenix Computer Forensic Laboratory
http://www.databack.ir


 Post subject: Re: Cryptolocker
PostPosted: January 10th, 2016, 5:48 
Joined: August 15th, 2006, 3:01
Posts: 3464
Location: CDRLabs @ Chandigarh [ India ]
databack wrote:
Good article:
The current state of ransomware: TeslaCrypt
https://blogs.sophos.com/2016/01/06/the ... eslacrypt/


Hi,
A very advanced form of virus this is, sir. The article was an excellent read. Thanks for this article.

_________________
Regards
Amarbir S Dhillon , Chandigarh Data Recovery Labs [India]
Logical,Semi Physical And Physical Data Recovery
Website-> http://www.chandigarhdatarecovery.com


 Post subject: Re: Cryptolocker
PostPosted: January 11th, 2016, 6:01 
Joined: January 28th, 2009, 10:54
Posts: 3452
Location: Greece
Actually there is a solution for TeslaCrypt. And a very good one, I might say.

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners


 Post subject: Re: Cryptolocker
PostPosted: January 11th, 2016, 6:15 
Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
So, for how long do you plan to pull our legs? :)


 Post subject: Re: Cryptolocker
PostPosted: January 11th, 2016, 9:23 
Joined: December 8th, 2010, 11:37
Posts: 738
Location: Ottawa, Canada
northwind wrote:
Actually there is a solution for TeslaCrypt. And a very good one, I might say.

The article, posted just a week ago, says "Sadly, there’s not much you can do to get your files back except to pay the ransom – the encryption is too strong to crack." so we would all be interested in a solution, I'm sure.

_________________
Sabo Computer Repairs & Data Recovery


 Post subject: Re: Cryptolocker
PostPosted: January 11th, 2016, 11:35 
Joined: January 28th, 2009, 10:54
Posts: 3452
Location: Greece
LarrySabo wrote:
northwind wrote:
Actually there is a solution for TeslaCrypt. And a very good one, I might say.

The article, posted just a week ago, says "Sadly, there’s not much you can do to get your files back except to pay the ransom – the encryption is too strong to crack." so we would all be interested in a solution, I'm sure.


Well, not THAT strong :mrgreen:

_________________
http://www.northwind.gr
SandForce SSD Recovery
Ransomware Reverse Engineering - NoMoreRansom! partners


 Post subject: Re: Cryptolocker
PostPosted: January 11th, 2016, 11:58 
Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
Even the FBI says it's too strong and recommends paying.


 Post subject: Re: Cryptolocker
PostPosted: January 11th, 2016, 14:19 
Joined: November 29th, 2006, 10:08
Posts: 7843
Location: UK
northwind wrote:
Actually there is a solution for TeslaCrypt. And a very good one, I might say.


It's true :-)

_________________
PC Image Data Recovery
http://www.pcimage.co.uk

New!! HDD-PCB.COM for all your PCB and donor HDD requirements!


 Post subject: Re: Cryptolocker
PostPosted: January 11th, 2016, 17:50 
Joined: July 12th, 2010, 4:38
Posts: 1418
Location: Portugal
No chance for any hints on this? By PM, for instance?

_________________
http://www.pclab.com.pt facebook.com/PCLAB.A.T
ACELab partner


 Post subject: Re: Cryptolocker
PostPosted: January 11th, 2016, 18:12 
Joined: January 8th, 2008, 5:21
Posts: 925
Location: uk
LarrySabo wrote:
northwind wrote:
Actually there is a solution for TeslaCrypt. And a very good one, I might say.

The article, posted just a week ago, says "Sadly, there’s not much you can do to get your files back except to pay the ransom – the encryption is too strong to crack." so we would all be interested in a solution, I'm sure.
Regarding TeslaCrypt, a new version appeared in early December 2015. So are people saying there is an available tool/method to decrypt it out there? Are we talking about the same versions?


 Post subject: Re: Cryptolocker
PostPosted: January 11th, 2016, 19:12 
Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
Is this the Cisco solution? If so there are still quite a few caveats.


 Post subject: Re: Cryptolocker
PostPosted: February 5th, 2016, 9:53 
Joined: December 5th, 2011, 5:38
Posts: 1626
Location: Italy
Do some of you know what happened to the decryptcryptolocker website?
http://www.decryptcryptolocker.com

It seems to be offline now :(

_________________
My firmware database:
https://mega.nz/folder/O01DkBRI#MxP2J6ZNqXDcrX40I8MoQQ


 Post subject: Re: Cryptolocker
PostPosted: February 5th, 2016, 12:02 
Joined: February 9th, 2009, 16:13
Posts: 2520
Location: Ontario, Canada
michael chiklis wrote:
Do some of you know what happened to the decryptcryptolocker website?
http://www.decryptcryptolocker.com

It seems to be offline now :(

Funny, I was looking for them a couple of weeks ago... just for resources. Apparently they pulled the site as they felt enough time had passed that it was no longer relevant.

_________________
Luke
Recovery Force Data Recovery


 Post subject: Re: Cryptolocker
PostPosted: February 5th, 2016, 14:39 
Joined: December 5th, 2011, 5:38
Posts: 1626
Location: Italy
This means that now if someone gets infected even by an old Cryptolocker version, he wouldn't be able to get his data back.
This is sad!

_________________
My firmware database:
https://mega.nz/folder/O01DkBRI#MxP2J6ZNqXDcrX40I8MoQQ

