Question

Posted

Today I heard reports of a new piece of malware that is going around. This one is particularly nasty: it encrypts all of the data on your drive and mapped network drives with an RSA 256-bit AES key. Once encrypted there is no way to decrypt it. The only way to get the files back is from an off-site backup (because if the backup drive is local it also gets encrypted) or to actually pay them the money, after which they apparently decrypt your data.

[image: crilock.png]

A video from Remove-malware.com

https://www.youtube.com/watch?feature=player_embedded&v=Uzl_h-Nc8Ps
Over the past few days Emsisoft


68 answers to this question


Posted

Yeah I have a client who got this on Monday. Had to restore from backup rather than deal with the encryption. Pretty nasty indeed.


Posted

Oh. How rude! Time to make all my network drives read-only! (technically all but 1 - RAID5 can deal with 1) I don't have any other practical way to deal with it =P


More on topic, I would imagine UAC wouldn't really protect against this at all, as it could run in user space and still do a lot of damage! (getting to run is a different story)


Posted

Yeah I have a client who got this on Monday. Had to restore from backup rather than deal with the encryption. Pretty nasty indeed.


That's the problem, it's amazing they even had backups. 99% of people have no backups. Of the 1% that actually have backups, they are local and not off-site.


Posted

That's the problem, it's amazing they even had backups. 99% of people have no backup.

You are right. The only reason this client had backups was because they called me to get their system straightened out after being neglected for years. Only just a few months ago did I set up a backup with retention.


Posted

No point in having a backup attached to the machine that you're backing up, in my opinion.


Posted

You are right. The only reason this client had backups was because they called me to get their system straightened out after being neglected for years. Only just a few months ago did I set up a backup with retention.


What kind of offsite did you configure for them?


Posted

Pretty hardcore malware.


Posted

No point in having a backup attached to the machine that you're backing up, in my opinion.

No, it's good to have both local and off-site. If it's not connected to the machine (not counting online) then it never gets done. It needs to be automatic. But in this case you also have to do off-site as well, one that is not connected.


Posted

What kind of offsite did you configure for them?

It was a local backup to an external drive on the server. They will also be getting off-site soon though after this close call.


Posted

It was a local backup to an external drive on the server. They will also be getting off-site soon though after this close call.

You're lucky the malware didn't crawl to the server drive and encrypt that too, because apparently this malware encrypts mapped drives as well.


Posted

You're lucky the malware didn't crawl to the server drive and encrypt that too, because apparently this malware encrypts mapped drives as well.

This malware starts on a client machine and encrypts any data that user has access to, which would include the mapped drive the user had but not the local disks on the server. There's another malware that super-hides all data in the same way.

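The posts above make the key defensive point: this malware runs as the logged-on user and can only encrypt what that user can write to, mapped drives included. The following script is an added example (not code from the thread or any product mentioned in it) that lists each mapped network drive and probes whether the current user's token can write to it; any backup share that shows up as writable is inside the blast radius described above. The probe file name is constructed and assumed not to collide with real data.

```powershell
# Added example: report which mapped network drives the current user can modify.
# Ransomware running under this user's token can encrypt exactly the shares that
# come back Writable = True, so a backup target should never appear there.
function Get-WritableMappedDrives {
    [CmdletBinding()]
    param(
        # Constructed probe file name; a GUID keeps it from colliding with real files.
        [string]$ProbeName = ".exposure-probe-$([guid]::NewGuid()).tmp"
    )

    # Mapped network drives are FileSystem PSDrives whose DisplayRoot is a UNC path;
    # local disks have no DisplayRoot and are filtered out here.
    $mapped = Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.DisplayRoot -like '\\*' }

    foreach ($drive in $mapped) {
        $root  = "$($drive.Name):\"
        $probe = Join-Path -Path $root -ChildPath $ProbeName
        $writable = $null   # $null means the probe could not be completed

        try {
            # Create and immediately delete a tiny file. Success proves the user
            # (and therefore malware running as the user) can change data on the share.
            [System.IO.File]::WriteAllText($probe, 'probe')
            Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
            $writable = $true
        }
        catch [System.UnauthorizedAccessException] {
            # Read-only share or NTFS ACL: this is what you want for a backup location.
            $writable = $false
        }
        catch {
            # Share offline, path problems, etc. Leave as unknown rather than guessing.
            Write-Verbose "Probe of $root failed: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            Drive    = $drive.Name
            Share    = $drive.DisplayRoot
            Writable = $writable
        }
    }
}

# Run from the user's own (non-elevated) session so the same drive mappings are seen.
Get-WritableMappedDrives -Verbose | Format-Table -AutoSize
```

Drive mappings are per logon session, so an elevated PowerShell window may not see the mappings the user's normal session has; run the check in the same context the user works in.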

Posted


More on topic, I would imagine UAC wouldn't really protect against this at all, as it could run in user space and still do a lot of damage! (getting to run is a different story)

It would to an extent. Basically anything in Program Files would be safe, as long as it is not elevated through UAC; however all documents, data, etc. would be vulnerable.


Posted

The malware is pretty funny, but clever. Shouldn't it be easy to bust these guys? Who processes their funds?


Posted

Generally speaking, your server shouldn't be getting infected, unless you're using the server? I would imagine this spreads by "client initiated methods" (email, websites, etc). We have Windows 2008 at work, and any backup it creates unmaps any drive letter from the backup drive, so I assume this would be sufficiently well preserved (including the fact it isn't visible over the network).


The fact that it checks network drives is what really bothers me. I have my home Windows backup set to back up to a network location, so in this case it would whack that backup too. I would guess VERY few people have disconnected/read-only backups.


Edit: money can be "easily" hidden through some random array of shell companies, or more easily nowadays, any cryptocurrency =/


Posted

The malware is pretty funny, but clever. Shouldn't it be easy to bust these guys? Who processes their funds?

Malware no longer uses credit cards, but untraced prepaid money packs.


Posted

The malware is pretty funny, but clever. Shouldn't it be easy to bust these guys? Who processes their funds?

I don't see how it's funny? Sure you could argue that everyone needs to have backups, but we live in a world where that is not the case, and people losing their data because of some criminals is not something that I would find funny in any way.


Posted

I knew there was a reason I back up ALL my drives to two 3TB hard drives I keep disconnected, both in my office and in a safety deposit box which gets rotated once a month :)


Yesterday I went to a customer's house and while I was there I opened up "Syncback" to check how her backups were doing that I set up for her last time I was there. All the backups said "Scan Failure". So I asked her, I said, uh, where is your backup drive? Well, long story short, last time I was there I configured it and told her "go to Walmart and buy a portable external hard drive". Apparently she never did.


Posted

I knew there was a reason I back up ALL my drives to two 3TB hard drives I keep disconnected, both in my office and in a safety deposit box which gets rotated once a month :)

You're a smart fella for doing that. The deposit box seems a bit excessive though, unless you're keeping digital copies of invoices and receipts.


Posted

You're a smart fella for doing that. Always good to have backups not connected.

Correct, for the really important stuff I also use Carbonite.


Posted

Malware no longer uses credit cards, but untraced prepaid money packs.

So something like Ukash? If so, then couldn't the people at Ukash do the transaction, then watch it on their end and see where their funds end up?


Posted

Remember: If you use something like Windows Home Server, you can configure local backups that are not accessible to the client, which should reduce the damage by this threat.


Posted

Also ... a good time to remind people Sandboxie FTW for browsing the web.


Posted

I simply call the NSA ... :ninja:


Posted

I don't know if this still applies, but it is encouraging ...


The encryption used by the malware is actually RC6 with a simple XOR obfuscation. Since the encryption key is static, decryption of the encrypted file is possible (at least for the variants that I was able to get my hands on). I wrote a small decryption tool that will help you with the decryption of your files. You can download it here:

If you only have a single hard disk, just download the tool to your Desktop and run it. It will automatically scan your hard disk and decrypt the files it found to be infected without deleting the encrypted originals. You can then check whether the decrypted files open properly. Once you have verified the files were decrypted properly you can delete the encrypted HTML files.

If you have more than one hard disk with encrypted files, things are slightly more complicated. To scan and decrypt files on those other hard disks you will have to pass the additional drives as a command line parameter:

  1. Press the R key while holding down your Windows key.
  2. Type in "cmd.exe" and press Enter.
  3. The Windows Command Line prompt should show up.
  4. You first need to switch into the directory where you downloaded the decryption tool to. This can be done using the cd command:
    cd /d "<path>"

    Just replace <path> with the path you downloaded the decryption tool to. If you downloaded it to C:\Users\Administrator\Downloads for example the exact command line to type in should look like this:

    cd /d "C:\Users\Administrator\Downloads"

    If you did everything right you will see that the command prompt changed slightly and now references the download directory.

  5. Run the decryption tool with a list of all your drives you want the tool to scan. If you have a C:, D: and E: drive for example, run the tool like this:

    decrypt_mblblock.exe C:\ D:\ E:\

    Please be patient while the tool is running.

The tool also features a few additional parameters, but unless you plan to automate the entire decryption process those are most likely not very interesting for you. If for some reason the tool fails to decrypt certain files on your system, please let me know and I will see if I can update the tool. If you have further questions or run into any unexpected problems, please let me know as well :)

http://www.bleepingcomputer.com/forums/t/494759/decrypt-protect-ransomware/page-3


Posted

This is some nasty stuff. Hope we don't get it.


Thanks for the info, Hum. :)
