Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Encrypto Cryptowall Encryption Ransomware

  • 04-11-2015 10:26am
    #1
    Registered Users, Registered Users 2 Posts: 368 ✭✭


    I've been working for nearly 15 years or so coming through all sorts of viruses and scams through the years. Two years ago we came upon the encryption virus/ransomware which completely ravaged a clients server. Luckily he was anal regarding backups (one of the few) and lost nothing.
    Since then about ten clients in total have been hit with this. Typical behaviour being pc gets silently infected and then server drives get encrypted then pc displays message demanding money with details attached. Somewhere during this process users will not be able to access files they were working on previously when the attack is in progress.
    The main reason I'm writing about this is there is nothing of note on the Internet regarding this apart from the Greek infection two weeks ago when this all kicked off again.I know that clients in Portugal,France and Spain have been hit with this but again there is this silence about this. I've seen pretty much all articles regarding this topic but there is what I would consider a shame in admitting that it has happened to you.
    Anyone willing to discuss their experience with this?


Comments

  • Registered Users, Registered Users 2 Posts: 2,752 ✭✭✭yankinlk


    I have had two calls in two days about this. Im not sure what advice to give - as both were running their entire small business on a personal laptop. They are screwed.

    Any idea what the costs are? I should know in the next few days as i really think one of these two people will have to attempt to decrypt and pay.

    In both cases, they received an email after they had just bought something off the internet, saying invoice attached, please pay... thinking the email was legit, it was opened (sounds like i love u) and then they were held ransom.

    They were both also attached to dropbox - and as a result all shared files i had with them (one folder only) are now accessible, but it doesnt affect me.


  • Registered Users, Registered Users 2 Posts: 2,752 ✭✭✭yankinlk


    In terms of protection, we were thinking at work today - its a good time to invest in encryption companies... the new AV industry!

    You cant encrypt a file thats already encrypted...


  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    yankinlk wrote: »
    You cant encrypt a file thats already encrypted...

    WRONG!

    Once its open to the OS/User for access its open to be re-encrypted. Re-comression doesnt work well, re-encryption works just the same.

    Theres one version of this recently that uses the same key, so its decryptable. The rest, just pay. Its usually 200-500€.


  • Registered Users, Registered Users 2 Posts: 9,605 ✭✭✭gctest50


    yankinlk wrote: »
    In terms of protection, we were thinking at work today - its a good time to invest in encryption companies... the new AV industry!

    You cant encrypt a file thats already encrypted...

    nope , time to invest in backup companies
    The malware calls WinExec(“vssadmin.exe Delete Shadows /All /Quiet”), which deletes “shadow copies” (automatic filesystem snapshots that Windows routinely takes for you with the Volume Snapshot Service).

    It calls WinExec(“bcdedit /set {default} recoveryenabled No”), which disables Startup Repair from automatically booting when there is a problem.

    It calls WinExec(“bcdedit /set {default} bootstatuspolicy ignoreallfailures”), which disables windows error recovery on startup.

    The malware stops the following services, and changes them so they do not begin on startup:

    Wscsvc | WinDefend | Wuauserv | BITS | ERSvc | WerSvc

    Deletes the registry key

    HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run.Windows Defender – to prevent Windows Defender from starting automatically on system boot.

    Deletes the registry key HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/ShellServiceObjects/{FD6905CE-952F-41F1-9A6F-135D9C6622CC} – used to disable the security center notifications And finally, writes HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/SystemRestore.DisableSR = “1” – to disable System Restore.


  • Registered Users, Registered Users 2 Posts: 368 ✭✭numbnutz


    yankinlk wrote: »
    I have had two calls in two days about this. Im not sure what advice to give - as both were running their entire small business on a personal laptop. They are screwed.

    Any idea what the costs are? I should know in the next few days as i really think one of these two people will have to attempt to decrypt and pay.

    In both cases, they received an email after they had just bought something off the internet, saying invoice attached, please pay... thinking the email was legit, it was opened (sounds like i love u) and then they were held ransom.

    They were both also attached to dropbox - and as a result all shared files i had with them (one folder only) are now accessible, but it doesnt affect me.
    Online backup companies are most certainly the way go as they analyse the data as its being backed up and phone you next day when a backup doesnt run.No I don't work for one its just our experience from working with them.
    Using group policy to stop .exe files from executing in the temp folders on your OS is also a way to go but not 100%.
    As for dropbox one clients store was encrypted but Dropbox's internal backup restored everything.
    Something over the last two weeks is an email quota alert from your so called administrator with links and also a bagtogo.com link that seems to catch the ladies out in offices that have a free internet access policy.
    Constant checking of backups and an online backup solution seem to be the only way to beat this.The human element can never be relied on unfortunately.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 368 ✭✭numbnutz


    ED E wrote: »
    WRONG!

    Once its open to the OS/User for access its open to be re-encrypted. Re-comression doesnt work well, re-encryption works just the same.

    Theres one version of this recently that uses the same key, so its decryptable. The rest, just pay. Its usually 200-500€.
    We had one client who got away with his life and only had to pay €300 and got everything back.A very lucky boy indeed..paid the bitcoin got the decrypter and everything was back to normal.


  • Registered Users, Registered Users 2 Posts: 42 Dvraiz


    I hate that the only real solution to this unless you have a backup is to pay the people who do this. It's just gonna get more and more popular considering how many people will pay.


  • Registered Users, Registered Users 2 Posts: 2,752 ✭✭✭yankinlk


    ED E wrote: »
    WRONG!

    Once its open to the OS/User for access its open to be re-encrypted.

    So dramatic. So you're saying once it's unencrypted it's unencrypted. Rolls eyes. Reread my post. Files are safe at rest. Obv need layers of protection.

    Btw Dropbox restore waste of time. The infected users just resynched the infected files.


  • Registered Users, Registered Users 2 Posts: 3,930 ✭✭✭PeterTheEighth


    Just gonna throw in my two cents here. So far I've had three sites that got so form of the cryptolocker type viruses in the last six months.

    Two were small businesses, so we were able to fully restore from backup. This was time consuming but it worked. Third person has just a laptop with no backups and we were not able to retrieve the information. She was asked for 500 euro initially, then it went up to 1000 euro after a few days.

    Initial version of this cryptolocker used to write the encryption key to the local hard drive, so some people were able to write programs to find the key and then decrypt the files. However the most recent versions (which all of my clients got infected with) do NOT write the encryption key to the local hard drive. The key is sent across the Internet to the "mothership", and unless you manage to catch it at this stage (with a packet sniffer), then you get no second chance.


Advertisement