CryptoLocker–really, really nasty ransomware.

By DrJBHL on October 30, 2013 12:35:58 PM from JoeUser Forums

DrJBHL
Join Date 04/2002
+2155

This is a bad one. Really bad.

Once on your computer, it will encrypt all your files and supposedly send you a key to release them only after paying $380 US in Bitcoins or $300 in cash (there are other payment arrangements as well).

The encryption is super strong – 2048 bit RSA, the key supposedly stored on a remote server accessible only after payment. If you don’t pay within 72 hrs, the key evaporates and you’re cooked…no access to your files forever.

How does it get on your system? Phishing/spear phishing, mainly…clicking on a link in an email.

If you weren’t expecting (or even if you were) such an email, call the person who supposedly sent it and ask if he or she did, in fact, send it. If not, delete it and suggest that person get IT help immediately.

Make backups online or on an external drive NOW, before you get infected (or some other mishap occurs). Having frequent backups NEVER hurt anyone.

There is also a tool (free) to change the group policies in all Windows computers. Other tools exist, but only do that in the Premium Windows editions.

Here’s the link: http://www.foolishit.com/vb6-projects/cryptoprevent/

It’s at the bottom of the page, and there are excellent explanations of the tool and how it works on the page…as well as testing the tool after installation. Before testing, bookmark the page (or use the link here) and then reboot.

Hope this helps, and hope none of you get hit.

the_Monk: Please feel free to add explanations of group policies or whatever you see fit…and thanks ahead of time.

October 30, 2013 1:25:15 PM from WinCustomize Forums

I hope they find the creators and "Spear" (ph)fish them, on the end of big hook being dragged over a bed of hot coals!

October 30, 2013 2:30:22 PM from WinCustomize Forums

Good idea but let them be dragged by the short hairs, it'll hurt more.

October 30, 2013 5:53:53 PM from Sins of a Solar Empire Forums

then drag them through a large river full of piranha in a feeding frenzy

harpo

October 31, 2013 4:55:55 AM from Sins of a Solar Empire Forums

Back up the data that is precious to you ... you're more likely to get a HDD crash than such a phishing attack, I would think, and that also destroys everything you've got.

October 31, 2013 5:21:34 AM from Sins of a Solar Empire Forums

only if the drive sheds its rust; usually it is somewhat possible to get data from a drive even if it smokes (yes, I did have this happen to a customer, and yes, we (myself AND the data recovery company) DID get ALL the drive contents BACK onto a NEW drive and built a new comp, as the rest of the comp had also smoked (as in let the SMOKE out of the parts due to a power supply failing to overvoltage (rare, but possible; the usual power supply failure is undervolts/amps not letting the comp start))). It just will take data recovery specialists for the nastier fails. And if it is getting to the point where it is locking up the computer while the drive re-tries the data, it is DEFINITELY time to replace the drive and transfer the contents from the dying drive to a new one.

personally I use the free CrystalDiskInfo to check the drive state at least weekly so that I get plenty of warning for drives starting to lose reliability

harpo

October 31, 2013 5:26:37 AM from Sins of a Solar Empire Forums

What... CrystalDiskInfo? Sounds useful. Is it reliable (I mean, no viruses, requests to install browser add-ons and such)?

October 31, 2013 5:34:29 AM from Sins of a Solar Empire Forums

the exe installer does offer to install a single browser addon, but only if you are installing while online; if you install while offline it does NOT offer any extra shit, and there is even a zip file version that you can just extract all the files from and run discinfo.exe to get the current state for all the hdds/ssds in the computer without installing.

here is the source website that I get the latest from (http://crystalmark.info/software/CrystalDiskInfo/index-e.html).

harpo

November 1, 2013 8:12:57 PM from Elemental Forums

Now here is something actually worthy of the uber NSA's (and associates) attention. Put down the crypto servers.

November 1, 2013 11:04:31 PM from Elemental Forums

The shared drives at my work got hit by this due to an employee clicking the link in an email. The email was even designed to say something relevant to the person's job function in order to prompt the click. NASTY.

November 2, 2013 12:26:07 AM from WinCustomize Forums

Quoting GeomanNL: "as in let the SMOKE out"

Rule #1: don't let the magic smoke out.

November 2, 2013 3:49:52 AM from Sins of a Solar Empire Forums

that IS what I explained in my reply,

Quoting harpo99999: "(as in let the SMOKE out of the parts due to a power supply failing to overvoltage(rare, but possible, the usual power supply failure is undervolts/amps not letting the comp start)"

harpo

November 2, 2013 9:30:08 AM from WinCustomize Forums

My very first 'puter was a home build out of spare parts destined for the dumpster. It was a hodge-podge of sorts. CPU was an AMD clocked at 500 MHz... I made a timing circuit and, with my instructor giving me the pin layout for the CPU, was able to boost it up to 550 MHz. Ran it for a couple of hours and POOF! I let the smoke out. LMAO! It was unreal. A pin hole in the center of the CPU and this very thin wisp of smoke came rising up.

November 6, 2013 2:10:14 PM from WinCustomize Forums

More news, information and what have you about CryptoLocker today.

http://www.today.com/money/nasty-new-malware-locks-your-files-forever-unless-you-pay-8C11511655?gt1=43001

November 7, 2013 2:43:44 PM from Sins of a Solar Empire Forums

It MIGHT be possible to retrieve most files unless they have been physically overwritten.

https://en.wikipedia.org/wiki/Data_recovery

 

"In a third scenario, files have been "deleted" from a storage medium. Typically, the contents of deleted files are not removed immediately from the drive; instead, references to them in the directory structure are removed, and the space they occupy is made available for later overwriting. In the meantime, the original file contents remain, often in a number of disconnected fragments, and may be recoverable."

 

I would GUESS that the malware does the following in this order:

 

  1. Read original file
  2. Copy file content to RAM (piece by piece)
  3. Encrypt in RAM
  4. Delete original file from the file system
  5. Write back encrypted file from RAM

 

So in THEORY, the majority of your files are still unencrypted on your disk, but deleted (meaning removed from the index and not physically overwritten). With special software or professional help (which you should seek if the data was important) you may recover the majority of the files. However, in such a case it is imperative to shut down the system ASAP, because Windows and most other OSes are permanently writing stuff to the disk.

 

And that most likely is not going to work forever.... sooner or later those criminals will make sure that the files are really overwritten.

 

*backups data*
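As an added illustration of the recovery point made in the reply above (this is not code from the thread or from any of its posters), here is a toy disk model in Python. It shows why an unlinked file can still be carved back from the medium by its signature, and why it stops being recoverable as soon as something else is written into the freed space. The on-disk record format, the `TOYF` signature, the first-fit allocator and all sample file contents are constructed for the demo; real filesystems allocate and fragment differently, so this is the principle, not a recovery tool.

```python
"""Toy model of why an unlinked file can often still be carved from disk.

Added example for the thread above, not code from any poster. A disk is a flat
byte array plus a directory (name -> extent). Unlinking removes the directory
entry and frees the extent but never wipes the bytes, so a signature scan that
ignores the directory still finds the content until a later write reuses the
space. Record format and signature are constructed for this demo.
"""
from dataclasses import dataclass, field
import struct

MAGIC = b"TOYF"                 # constructed 4-byte record signature used for carving
HEADER = struct.Struct(">4sI")  # signature + big-endian payload length


@dataclass
class ToyDisk:
    size: int
    blob: bytearray = field(init=False)
    directory: dict = field(default_factory=dict)  # name -> (offset, record_len)
    free: list = field(init=False)                  # sorted list of (offset, length)

    def __post_init__(self):
        self.blob = bytearray(self.size)
        self.free = [(0, self.size)]

    def _allocate(self, length):
        # First-fit allocation: the lowest free extent that fits wins.
        for i, (off, ln) in enumerate(self.free):
            if ln >= length:
                rest = (off + length, ln - length)
                self.free[i:i + 1] = [rest] if rest[1] else []
                return off
        raise OSError("disk full")

    def write(self, name, payload):
        record = HEADER.pack(MAGIC, len(payload)) + payload
        off = self._allocate(len(record))
        self.blob[off:off + len(record)] = record
        self.directory[name] = (off, len(record))
        return off

    def read(self, name):
        off, ln = self.directory[name]
        return bytes(self.blob[off + HEADER.size:off + ln])

    def unlink(self, name):
        # Only the index entry goes away; the bytes stay on the medium.
        off, ln = self.directory.pop(name)
        self.free.append((off, ln))
        self.free.sort()
        merged = []  # coalesce adjacent free extents so later writes reuse them
        for ext in self.free:
            if merged and merged[-1][0] + merged[-1][1] == ext[0]:
                merged[-1] = (merged[-1][0], merged[-1][1] + ext[1])
            else:
                merged.append(ext)
        self.free = merged


def carve(disk):
    """Recover every intact record by scanning for the signature, ignoring the directory."""
    found = []
    pos = disk.blob.find(MAGIC)
    while pos != -1:
        if pos + HEADER.size > len(disk.blob):
            break
        _magic, length = HEADER.unpack_from(disk.blob, pos)
        start = pos + HEADER.size
        payload = bytes(disk.blob[start:start + length])
        if len(payload) == length:   # skip records whose body is truncated or overwritten
            found.append(payload)
        pos = disk.blob.find(MAGIC, pos + 1)
    return found


def demo():
    """Unlink a file, carve it back, then lose it to one small later write."""
    disk = ToyDisk(size=256)
    disk.write("notes.txt", b"quarterly figures, do not lose")
    disk.unlink("notes.txt")
    after_unlink = carve(disk)          # directory is empty, content still carvable
    disk.write("tmp.dat", b"temp cache")  # any later write lands on the freed extent
    after_overwrite = carve(disk)       # the old record's header is gone, body is orphaned
    return after_unlink, after_overwrite


if __name__ == "__main__":
    recovered, lost = demo()
    print("carved after unlink:   ", recovered)
    print("carved after new write:", lost)
```

The second `carve` call only finds the new record, because even a 10-byte write destroyed the signature and length field of the unlinked file; its remaining body bytes are still on the disk but no longer identifiable without a header, which is the fragmentary, partial state the Wikipedia passage describes. That is the whole argument for powering the machine off as early as possible and imaging the drive before any recovery attempt.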
