68 replies to this topic

#16 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 12 September 2013 - 14:33

The malware is pretty funny, but clever. Shouldn't it be easy to bust these guys? Who processes their funds?

 

Malware no longer uses credit cards, but untraced prepaid money packs.




#17 XerXis

XerXis

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 13-February 06
  • Location: Belgium

Posted 12 September 2013 - 14:35

The malware is pretty funny, but clever. Shouldn't it be easy to bust these guys? Who processes their funds?

I don't see how it's funny? Sure you could argue that everyone needs to have backups, but we live in a world where that is not the case, and people losing their data because of some criminals is not something that I would find funny in any way.



#18 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 12 September 2013 - 14:37

I knew there was a reason I back up ALL my drives to two 3TB hard drives that I keep disconnected, both in my office and in a safety deposit box, which gets rotated once a month :)

 

Yesterday I went to a customer's house and, while I was there, opened up "SyncBack" to check how the backups I set up for her last time were doing. All the backups said "Scan Failure". So I asked her, "uh, where is your backup drive?" Well, long story short, last time I was there I configured it and told her, "go to Walmart and buy a portable external hard drive" ... Apparently she never did.
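The failure in that story (a backup job reporting "Scan Failure" for months because its target drive was never attached) is exactly what a small scheduled check catches. The script below is an added example, not SyncBack or any other product: it assumes a backup layout of one timestamped folder per run holding a MANIFEST of sha256 digests (a constructed convention, not anything from this thread) and reports a missing target, a stale latest run, or a backed-up file that no longer matches its digest.

```python
# Backup health check for the "Scan Failure nobody noticed" case.
# Added example, not SyncBack or any product. The layout it expects
# (one timestamped run folder + a MANIFEST of "sha256  relative/path"
# lines) is a constructed assumption for the demo.
import hashlib
import os
import tempfile
import time

MAX_AGE_SECONDS = 7 * 24 * 3600   # assumption: a run older than a week is stale


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup(target, now=None):
    """Return (ok, reasons); reasons is empty only when every check passed."""
    now = time.time() if now is None else now
    reasons = []
    if not os.path.isdir(target):
        # The customer's case: the drive was never plugged in, so the job
        # had nothing to write to and reported failure run after run.
        return False, ["backup target %r is not present (drive missing or not mounted)" % target]
    runs = sorted(d for d in os.listdir(target) if os.path.isdir(os.path.join(target, d)))
    if not runs:
        return False, ["target exists but holds no backup runs"]
    latest = os.path.join(target, runs[-1])
    age = now - os.path.getmtime(latest)
    if age > MAX_AGE_SECONDS:
        reasons.append("latest run %s is %.1f days old" % (runs[-1], age / 86400))
    manifest = os.path.join(latest, "MANIFEST")
    if not os.path.isfile(manifest):
        reasons.append("latest run has no MANIFEST; cannot verify integrity")
        return False, reasons
    # A present, recently written drive is not the same as a restorable
    # backup: re-hash what is there against what was recorded at backup time.
    with open(manifest) as fh:
        for line in fh:
            digest, rel = line.rstrip("\n").split("  ", 1)
            path = os.path.join(latest, rel)
            if not os.path.isfile(path):
                reasons.append("missing from backup: " + rel)
            elif sha256_of(path) != digest:
                reasons.append("checksum mismatch (bit rot or tampering): " + rel)
    return not reasons, reasons


def build_demo_target(age_seconds=0):
    """Constructed sample target: one run with two files and a manifest."""
    target = tempfile.mkdtemp()
    run = os.path.join(target, "2013-09-12T1433")
    os.makedirs(run)
    files = {"invoice.pdf": b"%PDF-1.4 constructed", "notes.txt": b"constructed notes"}
    with open(os.path.join(run, "MANIFEST"), "w") as mf:
        for rel, data in files.items():
            with open(os.path.join(run, rel), "wb") as fh:
                fh.write(data)
            mf.write("%s  %s\n" % (sha256_of(os.path.join(run, rel)), rel))
    stamp = time.time() - age_seconds
    os.utime(run, (stamp, stamp))
    return target


if __name__ == "__main__":
    for label, target in (("fresh", build_demo_target()),
                          ("stale", build_demo_target(age_seconds=30 * 86400)),
                          ("missing", "/nonexistent/backup/target")):
        ok, why = check_backup(target)
        print(label, "OK" if ok else "FAIL", *why, sep="\n  ")
```

Point check_backup at the real target and run it from a scheduled task; with no arguments the script builds sample targets in a temp directory. The manifest step is the one most people skip, and it is the one that distinguishes "the drive was written to" from "I can restore from this".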



#19 +timster

timster

    Neowinian Senior

  • Joined: 29-March 08
  • Location: Canada
  • OS: 7.1.2 JB
  • Phone: iPhone 4

Posted 12 September 2013 - 14:39

I knew there was a reason I back up ALL my drives to two 3TB hard drives that I keep disconnected, both in my office and in a safety deposit box, which gets rotated once a month :)

You're a smart fella for doing that. The deposit box seems a bit excessive though, unless you're keeping digital copies of invoices and receipts.



#20 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 12 September 2013 - 14:42

You're a smart fella for doing that. Always good to have backups not connected.

 

Correct, for the really important stuff I also use Carbonite.



#21 vcfan

vcfan

    Doing the Humpty Dance

  • Tech Issues Solved: 3
  • Joined: 12-June 11

Posted 12 September 2013 - 14:46

Malware no longer uses credit cards, but untraced prepaid money packs.

 

So something like Ukash? If so, then couldn't the people at Ukash do the transaction, then watch it on their end and see where their funds end up?



#22 Joe User

Joe User

    Lazy Joe's

  • Tech Issues Solved: 1
  • Joined: 29-May 07
  • Location: Somewhere in the US
  • OS: Windows 8.1 Update 1
  • Phone: Nexus 5

Posted 12 September 2013 - 15:03

Remember: if you use something like Windows Home Server, you can configure local backups that are not accessible to the client, which should reduce the damage from this threat.



#23 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 12 September 2013 - 15:29

Also ... a good time to remind people: Sandboxie FTW for browsing the web.



#24 Hum

Hum

    totally wAcKed

  • Tech Issues Solved: 10
  • Joined: 05-October 03
  • Location: Odder Space
  • OS: Windows XP, 7

Posted 12 September 2013 - 15:33

I simply call the NSA ... :ninja:



#25 Hum

Hum

    totally wAcKed

  • Tech Issues Solved: 10
  • Joined: 05-October 03
  • Location: Odder Space
  • OS: Windows XP, 7

Posted 12 September 2013 - 16:11

I don't know if this still applies, but it is encouraging ...

 

The encryption used by the malware is actually RC6 with a simple XOR obfuscation. Since the encryption key is static, decryption of the encrypted file is possible (at least for the variants that I was able to get my hands on). I wrote a small decryption tool that will help you with the decryption of your files. You can download it here:

 

 

If you only have a single hard disk, just download the tool to your Desktop and run it. It will automatically scan your hard disk and decrypt the files it found to be infected without deleting the encrypted originals. You can then check the decrypted files if they open properly. Once you verified the files were decrypted properly you can delete the encrypted HTML files.

 

If you have more than one hard disk with encrypted files, things are slightly more complicated. To scan and decrypt files on those other hard disks you will have to pass the additional drives as command-line parameters:

  1. Press the R key while holding down your Windows key.
  2. Type in "cmd.exe" and press Enter.
  3. The Windows Command Line prompt should show up.
  4. You first need to switch into the directory where you downloaded the decryption tool to. This can be done using the cd command:
    cd /d "<path>"

    Just replace <path> with the path you downloaded the decryption tool to. If you downloaded it to C:\Users\Administrator\Downloads for example the exact command line to type in should look like this:

    cd /d "C:\Users\Administrator\Downloads"

    If you did everything right you will see that the command prompt changed slightly and now references the download directory.

  5. Run the decryption tool with a list of all your drives you want the tool to scan. If you have a C:, D: and E: drive for example, run the tool like this:

    decrypt_mblblock.exe C:\ D:\ E:\

    Please be patient while the tool is running.

The tool also features a few additional parameters, but unless you plan to automate the entire decryption process those are most likely not very interesting for you. If for some reason the tool fails to decrypt certain files on your system, please let me know and I will see if I can update the tool. If you have further questions or run into any unexpected problems, please let me know as well.

 

http://www.bleepingc...nsomware/page-3
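What "the encryption key is static" means in practice, as an added example that is not the decrypter from the quoted post: the post only says the malware uses RC6 with a simple XOR layer and the same key in every sample, so the key, the XOR constant, the ECB block mode and the padding below are constructed assumptions. The RC6 block cipher itself follows the published RC6-32/20 specification. Once the key is lifted out of the binary, unlock() reverses every step for every victim, which is why a decrypter was possible at all; a locker that generated a fresh key per victim and protected it with a public key would not be reversible this way.

```python
# RC6-32/20 with a hard-coded key plus a byte-wise XOR layer, as an added
# example of why a static key makes a locker reversible. Not the Emsisoft
# decrypter and not the malware's real key, XOR constant, padding or block
# mode: those four are constructed assumptions for the demo.
import struct

W, MASK, ROUNDS = 32, 0xFFFFFFFF, 20
P32, Q32 = 0xB7E15163, 0x9E3779B9
STATIC_KEY = b"constructed-key!"   # assumption: the key baked into the binary
XOR_BYTE = 0x5A                    # assumption: the "simple XOR obfuscation"


def _rotl(x, n):
    n &= W - 1
    return ((x << n) | (x >> (W - n))) & MASK if n else x


def _rotr(x, n):
    n &= W - 1
    return ((x >> n) | (x << (W - n))) & MASK if n else x


def rc6_key_schedule(key):
    """Expand the key bytes into the 2r+4 round subkeys (RC6 spec key schedule)."""
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(4 * c, b"\0")))
    S = [P32]
    for _ in range(2 * ROUNDS + 3):
        S.append((S[-1] + Q32) & MASK)
    A = B = i = j = 0
    for _ in range(3 * max(c, len(S))):
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % len(S), (j + 1) % c
    return S


def rc6_encrypt_block(S, block):
    A, B, C, D = struct.unpack("<4I", block)
    B, D = (B + S[0]) & MASK, (D + S[1]) & MASK
    for i in range(1, ROUNDS + 1):
        t = _rotl((B * (2 * B + 1)) & MASK, 5)
        u = _rotl((D * (2 * D + 1)) & MASK, 5)
        A = (_rotl(A ^ t, u) + S[2 * i]) & MASK
        C = (_rotl(C ^ u, t) + S[2 * i + 1]) & MASK
        A, B, C, D = B, C, D, A
    return struct.pack("<4I", (A + S[2 * ROUNDS + 2]) & MASK, B,
                       (C + S[2 * ROUNDS + 3]) & MASK, D)


def rc6_decrypt_block(S, block):
    A, B, C, D = struct.unpack("<4I", block)
    A, C = (A - S[2 * ROUNDS + 2]) & MASK, (C - S[2 * ROUNDS + 3]) & MASK
    for i in range(ROUNDS, 0, -1):
        A, B, C, D = D, A, B, C
        u = _rotl((D * (2 * D + 1)) & MASK, 5)
        t = _rotl((B * (2 * B + 1)) & MASK, 5)
        C = _rotr((C - S[2 * i + 1]) & MASK, t) ^ u
        A = _rotr((A - S[2 * i]) & MASK, u) ^ t
    return struct.pack("<4I", A, (B - S[0]) & MASK, C, (D - S[1]) & MASK)


def _pad(data):                       # PKCS#7-style; an assumption for the demo
    n = 16 - len(data) % 16
    return data + bytes([n]) * n


def _unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: wrong key or corrupted file")
    return data[:-n]


def lock(plaintext, key=STATIC_KEY):
    """What the locker does: pad, RC6 in ECB mode, then XOR every byte."""
    S = rc6_key_schedule(key)
    p = _pad(plaintext)
    ct = b"".join(rc6_encrypt_block(S, p[i:i + 16]) for i in range(0, len(p), 16))
    return bytes(b ^ XOR_BYTE for b in ct)


def unlock(blob, key=STATIC_KEY):
    """The decrypter: anyone holding the extracted key reverses all three steps."""
    ct = bytes(b ^ XOR_BYTE for b in blob)
    if not ct or len(ct) % 16:
        raise ValueError("length is not a multiple of the RC6 block size")
    S = rc6_key_schedule(key)
    p = b"".join(rc6_decrypt_block(S, ct[i:i + 16]) for i in range(0, len(ct), 16))
    return _unpad(p)


if __name__ == "__main__":
    sample = b"constructed victim document\n" * 3
    assert unlock(lock(sample)) == sample
    print("recovered %d bytes with the static key" % len(sample))
```

Before trusting a hand-written RC6 on real files, check rc6_encrypt_block against the test vectors in the RC6 specification; the round trip shown here proves only that encrypt and decrypt agree with each other. The padding check in _unpad is also the cheapest "wrong key or wrong variant" signal a decrypter gets, which is why the quoted post asks for samples it fails on.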



#26 Growled

Growled

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 17-December 08
  • Location: USA

Posted 12 September 2013 - 16:17

This is some nasty stuff. Hope we don't get it.

 

Thanks for the info, Hum. :)



#27 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 12 September 2013 - 16:17

I don't know if this still applies, but it is encouraging ... [Hum's post #25, quoted in full above]

 

Sweet. Great to know, just downloaded the tool.

 

On the downside, this will save the asses of people who have no backups. I say "downside" because people have to truly lose data before they get a clue and back up. (Though in this case backups might have got hit too, it would have taught them about good offsite backups.)



#28 +Chicane-UK

Chicane-UK

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 02-November 01
  • Location: The UK!
  • OS: MacOS 10.9 Mavericks
  • Phone: Google Nexus 4

Posted 12 September 2013 - 16:20

Wow - that's really devilish! Nasty piece of malware! 



#29 Hum

Hum

    totally wAcKed

  • Tech Issues Solved: 10
  • Joined: 05-October 03
  • Location: Odder Space
  • OS: Windows XP, 7

Posted 12 September 2013 - 16:43

There is a version 2 of the tool:

 

You can also use a newer version of the tool that is a lot easier to use for most people:

 

http://tmp.emsisoft....decmblblock.exe

 

Under options you find the option to delete encrypted files after decryption. Please test whether or not files are decrypted properly first though. Easiest way is to just copy a few encrypted files into a dedicated folder and use the tool on that folder only and go through the decrypted files one by one. If the files were recovered properly, it should be safe to enable the delete option and run the tool on your entire hard drive.

 

http://www.bleepingc...nsomware/page-4

 

And a version 3:

 

The new version, that handles both the new variant as well as all older variants of the malware, is available here:

http://tmp.emsisoft....ypt_harasom.exe

I verified that all sample files that people sent me are decrypted correctly. I still suggest that everyone test the decrypter on a small subset of files first to see if it works on your system as well. As always, if you come across any files that can't be decrypted properly, either post here or drop me an email (fw@emsisoft.com).

 

http://www.bleepingc...nsomware/page-6
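The two rules in the quoted Emsisoft posts (version 1 decrypts "without deleting the encrypted originals"; versions 2 and 3 say to test on a few files in a dedicated folder before enabling delete) are a workflow worth having in code rather than in a checklist. The script below is an added example, not the Emsisoft tool: the .locked suffix, the toy XOR cipher standing in for the real scheme, and the magic-byte verification are constructed assumptions. Output that cannot be verified is never written over anything and its encrypted original is never deleted; it is listed for manual inspection instead.

```python
# Safe-decrypter workflow: decrypt next to the original, verify, and delete
# the encrypted copy only after verification. Added example, not the
# Emsisoft tool. The ".locked" suffix, the toy XOR cipher and the magic-byte
# check are constructed stand-ins for the real file format.
import os
import sys
import tempfile

LOCKED_SUFFIX = ".locked"         # assumption: how encrypted files are named
TOY_KEY = b"\x5a\xa5\x0f\xf0"     # assumption: toy repeating-XOR cipher (symmetric)
KNOWN_MAGIC = (b"%PDF", b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG",
               b"\xd0\xcf\x11\xe0", b"<!DOCTYPE", b"<html")


def toy_cipher(data):
    """Repeating-key XOR: the same call encrypts and decrypts."""
    return bytes(b ^ TOY_KEY[i % len(TOY_KEY)] for i, b in enumerate(data))


def looks_decrypted(data):
    """Conservative check: accept only output that starts with a known file signature."""
    return data.startswith(KNOWN_MAGIC)


def decrypt_tree(roots, delete_originals=False):
    """Walk each root and decrypt *.locked files beside their originals.

    Returns (recovered, unverified): plaintext paths written, and encrypted
    files left untouched because their output failed the check. An encrypted
    original is removed only when delete_originals is set AND it was verified.
    """
    recovered, unverified = [], []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.endswith(LOCKED_SUFFIX):
                    continue
                src = os.path.join(dirpath, name)
                with open(src, "rb") as fh:
                    plain = toy_cipher(fh.read())
                if not looks_decrypted(plain):
                    unverified.append(src)       # leave it for manual inspection
                    continue
                dst = src[:-len(LOCKED_SUFFIX)]
                if os.path.exists(dst):
                    dst += ".recovered"          # never clobber a surviving file
                with open(dst, "wb") as fh:
                    fh.write(plain)
                recovered.append(dst)
                if delete_originals:
                    os.remove(src)
    return recovered, unverified


def build_demo_tree():
    """Constructed sample: a PDF (verifiable by its signature) and a text file (not)."""
    base = tempfile.mkdtemp()
    docs = os.path.join(base, "Documents")
    os.makedirs(docs)
    samples = {"invoice.pdf": b"%PDF-1.4\n% constructed sample\n",
               "notes.txt": b"plain notes, no file signature\n"}
    for name, data in samples.items():
        with open(os.path.join(docs, name + LOCKED_SUFFIX), "wb") as fh:
            fh.write(toy_cipher(data))
    return base


if __name__ == "__main__":
    args = sys.argv[1:]
    delete = "--delete" in args
    roots = [a for a in args if a != "--delete"] or [build_demo_tree()]
    ok, pending = decrypt_tree(roots, delete_originals=delete)
    print("recovered:", *ok, sep="\n  ")
    print("left for manual check:", *pending, sep="\n  ")
```

Saved as, say, decrypt_tree.py (a hypothetical name), `python decrypt_tree.py C:\ D:\ --delete` mirrors the multi-drive invocation in the earlier post; with no arguments it builds and processes a sample tree in a temp directory. The text file in the sample shows the limit of automatic verification: it decrypts correctly but has no file signature, so it stays on the manual-check list rather than being silently accepted, which is the same reason the quoted post tells people to open a few recovered files themselves before enabling delete.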



#30 Draconian Guppy

Draconian Guppy

    LippyZillaD Council

  • Tech Issues Solved: 3
  • Joined: 22-August 04
  • Location: Neowin

Posted 12 September 2013 - 16:50

Wonder what happens after you pay? They can easily ask for more and more.