goretsky Posted September 25, 2013 Hello, This is actually a loose family of malware that is grouped by behavior, so the exact encryption mechanisms and actions of each one can vary quite a bit. In some cases, the malware is created from a kit, which allows for further customization by whomever has purchased a copy. ESET has published a blog post, Filecoder: Holding your data to ransom, which goes over these in detail, including a screenshot of the builder application, with translation from the native Russian. Regards, Aryeh Goretsky
Alwaysonacoffebreak Posted September 25, 2013 How the heck do people even come across these kinds of malware? Are they looking for encryption software or something? :/
AStaUK Posted September 25, 2013 How the heck do people even come across these kinds of malware? Are they looking for encryption software or something? :/ A lot of malware can be picked up from legitimate sites through ad banners hosted on poorly protected servers, although there are many other vectors for this type of thing. One reason why at my company we use a web filtering service in addition to a good anti-virus as one level of defence.
Alwaysonacoffebreak Posted September 25, 2013 People still click on ads they don't know about? o.O And also it's not that much of a legit site if they offer their ads through services that are not trusted to offer secure ads in the first place.
AStaUK Posted September 25, 2013 People still click on ads they don't know about? o.O And also it's not that much of a legit site if they offer their ads through services that are not trusted to offer secure ads in the first place. You don't necessarily have to click on the ad if an attacker is using a known exploit that hasn't been patched on the client's PC; the article linked by +goretsky gives a good description of how these types of things work. I've had to work on more than a few colleagues' PCs where they are missing critical updates and don't have an up-to-date anti-virus. Education goes a long way to stopping this type of thing, but a large number of people will still click something simply because it says to. Or have young kids that don't know better. And there is still good old "social engineering": one security company I work with has a 100% hit rate using targeted attacks to gain access to large companies. Once you've gained legitimate access to a corporate network you have access to everything that user had access to, and more if you have the skill. Google HBGary; Ars Technica did a great article on how social engineering was used against them. http://arstechnica.com/tech-policy/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price/
Ci7 Posted September 25, 2013 The unfortunate result is that it would justify 'walled garden' systems more.....
HughJorgan Posted October 5, 2013 This ransomware infected our network a couple of weeks ago. It even locked the backup files, as the IT person had mapped those drives as well. He's gone now, BTW. Luckily it didn't lock up the QuickBooks files, as that would have essentially shut the whole show down. Guess they want to make sure you can pay them. Moral of the story here, beyond educated use of the internet, is OFFSITE BACKUP. I can also confirm that they followed through on sending up the decryption once we paid the $300. For us it was like meeting a goof in the alley with a gun demanding money. We just wanted to go home... so we paid. I look forward to the day I hear about the arrests.
Anibal P Posted October 6, 2013 See I don't need to jump through many hoops, I rarely keep anything important on my computers, and the few I do have are backed up automatically to Dropbox, Copy, and G Drive, I can just reformat and get the files off the cloud, and it's all done automatically
T9RKELL Posted October 7, 2013 Who processes their funds? - usually something like Ukash. As to backups, even offsite sometimes does not work - my friend does backups every day. One day he got robbed - the laptop is gone and several external hard drives standing nearby too.
goretsky Posted October 8, 2013 Hello, For anyone who has paid for the encryption key to this ransomware, would you mind sending me a private message? I have some questions for you. Thank you. Regards, Aryeh Goretsky
T9RKELL Posted October 28, 2013 Hey guys, So my dad's office was hit with this last week; it was actually transferred by an adjacent company's network. They share a space with my dad's office. None of the malware programs that they have installed picked this up. We were able to remove the malware after several attempts, but now his entire server is encrypted. Does anyone know if there has been a successful method to decrypt the files yet? He has backups, but unfortunately the IT guy that had set up his server somehow turned off backups last November! Hum has created a decryption tool, and posted about it on previous pages of this thread; maybe it will help
T9RKELL Posted October 28, 2013 As to ways of infection, there were several reports of receiving phishing emails with rogue attachments. Next, a lot of people got them at shady sites like porn and torrent sites. My brother-in-law runs an infosec blog; he has several interviews with infosec guys, and a section for deaf people with written transcriptions of interesting Black Hat and DEF CON talks. His latest articles are dedicated to ransomware: http://privacy-pc.com/how-to/remove-cryptolocker-virus.html
techbeck Posted October 28, 2013 PITA. Had this on someone's computer recently. Told him to turn off his computer, slaved his HD, and copied files off his system. Then redid the software.
+Warwagon Posted November 11, 2013 The problem with CryptoLocker is this. 90% of people have no daily backup. 9% have a daily backup that backs up to an always-connected external drive. 1% also have a cold (offsite) backup.
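HughJorgan's and Warwagon's posts above make the same point from two sides: a backup that sits on a mapped or always-connected drive is just another set of files a filecoder can overwrite, and most people have nothing else. The script below is an added example, not code from this thread or from any product mentioned in it. It shows one check a practitioner can run from a machine that does not mount the backup share: record a SHA-256 manifest while the backup is known good, keep that manifest somewhere the share cannot reach, and later verify the tree against it, reporting files that changed, vanished or appeared and, as a weaker secondary signal, files whose byte entropy now looks like ciphertext. All directory names, file names and contents are constructed for the demonstration, and the 7.5 bits-per-byte entropy threshold is an assumption: compressed or legitimately encrypted archives exceed it too, so that signal is a flag to review, while a manifest mismatch is the reliable one.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the input: about 4-5 for English text, near 8 for ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _relative(path: str, root: str) -> str:
    # Normalise separators so manifests compare the same on Windows and POSIX hosts.
    return os.path.relpath(path, root).replace(os.sep, "/")


def build_manifest(root: str) -> dict:
    """SHA-256 of every file under root, taken while the backup is known good.
    The returned manifest must be stored off the backup share; a copy that sits
    beside the backup can be encrypted along with it."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[_relative(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def verify_backup(root: str, manifest: dict, entropy_threshold: float = 7.5, min_size: int = 1024) -> dict:
    """Compare the backup tree against the manifest. Returns lists of relative paths:
    modified (content differs), missing (in manifest, gone from disk), unexpected (on disk,
    not in manifest, e.g. renamed to a ransom extension) and high_entropy (content looks
    like ciphertext; only checked above min_size, since tiny files cannot reach the threshold)."""
    findings = {"modified": [], "missing": [], "unexpected": [], "high_entropy": []}
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = _relative(path, root)
            seen.add(rel)
            with open(path, "rb") as fh:
                data = fh.read()
            if rel not in manifest:
                findings["unexpected"].append(rel)
            elif hashlib.sha256(data).hexdigest() != manifest[rel]:
                findings["modified"].append(rel)
            if len(data) >= min_size and shannon_entropy(data) >= entropy_threshold:
                findings["high_entropy"].append(rel)
    findings["missing"] = sorted(rel for rel in manifest if rel not in seen)
    return findings


def demo() -> dict:
    """Constructed scenario: a small backup tree, a manifest taken while it was clean, then two
    files overwritten with random bytes (one renamed to a ransom extension) to stand in for what a
    filecoder does to a backup it can reach over a mapped drive."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "accounts"))
        files = {  # constructed sample contents
            "accounts/ledger.csv": b"date,amount,memo\n" * 200,
            "accounts/notes.txt": b"quarterly review notes\n" * 100,
            "readme.txt": b"backup set created 2013-10-01\n",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        manifest = build_manifest(root)

        # Simulated damage: ledger.csv replaced in place, notes.txt renamed and replaced.
        with open(os.path.join(root, "accounts", "ledger.csv"), "wb") as fh:
            fh.write(os.urandom(4096))
        os.remove(os.path.join(root, "accounts", "notes.txt"))
        with open(os.path.join(root, "accounts", "notes.txt.encrypted"), "wb") as fh:
            fh.write(os.urandom(4096))

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Run from a host that only reads the share, the verification pass turns a silently overwritten backup into an alert before the next backup cycle replaces the last good copy; the manifest itself is what an always-connected drive cannot protect, which is why it has to live off that drive.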
#Michael Posted November 15, 2013 This is just how bad this malware is getting: Now here's a first: crooks who realize the importance of customer service. It's the latest twist in the global CryptoLocker ransomware attack. This diabolically nasty malware locks up all of the victim's personal files, and in some cases backup files too, with state-of-the-art encryption. The bad guys have the only decryption key and they demand $300 or two Bitcoins to get it. "It's been a disaster for many of the people hit with it," said Lawrence Abrams, who has been tracking the spread of this infection on BleepingComputer.com. Within the past few days, the criminal gang behind CryptoLocker created a site for victims who need help making their required extortion payments. "These guys have some big cojones," said security expert Brian Krebs, who writes the blog KrebsOnSecurity. The CryptoLocker Decryption Service allows victims to check the status of their "order" (the ransom payment) and complete the transaction. I am not making this up! Those who paid the ransom (with either Green Dot cards or Bitcoins) but did not get the decryption key, or got one that didn't work, can download it again. Those who missed the 72-hour deadline can also get their key, but the price jumps from two Bitcoins to 10. At today's market value, that's nearly $4,000. And Green Dot is not accepted with this extended-deadline service. Full article over at Today: http://www.today.com/money/cryptolocker-crooks-launch-new-customer-service-website-victims-2D11586019
AStaUK Posted November 16, 2013 I couldn't help but smile after reading the above, crooks with a sense of customer service.
Dark-Heart Posted November 16, 2013 The people that make viruses and malware have now realised that there's serious money to be made by infecting computers with this sort of stuff. So I think that we're going to see a lot more of this type of crapware popping up in the next few years.
riahc3 Posted November 16, 2013 Hello, Someone created a tool to decrypt right? That should be on the first page of the thread. Also, I think this is front page news worthy.
AStaUK Posted November 16, 2013 Hello, Someone created a tool to decrypt right? That should be on the first page of the thread. Also, I think this is front page news worthy. I don't think that tool works with the latest versions of CryptoLocker, which use much stronger encryption.