Encrypto Cryptowall Encryption Ransomware

numbnutz · 04-11-2015 11:26am #1

I've been working for nearly 15 years or so coming through all sorts of viruses and scams through the years. Two years ago we came upon the encryption virus/ransomware which completely ravaged a clients server. Luckily he was anal regarding backups (one of the few) and lost nothing.
Since then about ten clients in total have been hit with this. Typical behaviour being pc gets silently infected and then server drives get encrypted then pc displays message demanding money with details attached. Somewhere during this process users will not be able to access files they were working on previously when the attack is in progress.
The main reason I'm writing about this is there is nothing of note on the Internet regarding this apart from the Greek infection two weeks ago when this all kicked off again.I know that clients in Portugal,France and Spain have been hit with this but again there is this silence about this. I've seen pretty much all articles regarding this topic but there is what I would consider a shame in admitting that it has happened to you.
Anyone willing to discuss their experience with this?

yankinlk · 09-12-2015 8:57pm

I have had two calls in two days about this. Im not sure what advice to give - as both were running their entire small business on a personal laptop. They are screwed.

Any idea what the costs are? I should know in the next few days as i really think one of these two people will have to attempt to decrypt and pay.

In both cases, they received an email after they had just bought something off the internet, saying invoice attached, please pay... thinking the email was legit, it was opened (sounds like i love u) and then they were held ransom.

They were both also attached to dropbox - and as a result all shared files i had with them (one folder only) are now accessible, but it doesnt affect me.

yankinlk · 09-12-2015 8:59pm

In terms of protection, we were thinking at work today - its a good time to invest in encryption companies... the new AV industry!

You cant encrypt a file thats already encrypted...

ED E · 13-12-2015 12:53pm

yankinlk wrote: »

You cant encrypt a file thats already encrypted...

WRONG!

Once its open to the OS/User for access its open to be re-encrypted. Re-comression doesnt work well, re-encryption works just the same.

Theres one version of this recently that uses the same key, so its decryptable. The rest, just pay. Its usually 200-500€.

gctest50 · 13-12-2015 1:04pm

yankinlk wrote: »

In terms of protection, we were thinking at work today - its a good time to invest in encryption companies... the new AV industry!

You cant encrypt a file thats already encrypted...

nope , time to invest in backup companies

The malware calls WinExec(“vssadmin.exe Delete Shadows /All /Quiet”), which deletes “shadow copies” (automatic filesystem snapshots that Windows routinely takes for you with the Volume Snapshot Service).

It calls WinExec(“bcdedit /set {default} recoveryenabled No”), which disables Startup Repair from automatically booting when there is a problem.

It calls WinExec(“bcdedit /set {default} bootstatuspolicy ignoreallfailures”), which disables windows error recovery on startup.

The malware stops the following services, and changes them so they do not begin on startup:

Wscsvc | WinDefend | Wuauserv | BITS | ERSvc | WerSvc

Deletes the registry key

HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run.Windows Defender – to prevent Windows Defender from starting automatically on system boot.

Deletes the registry key HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/ShellServiceObjects/{FD6905CE-952F-41F1-9A6F-135D9C6622CC} – used to disable the security center notifications And finally, writes HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/SystemRestore.DisableSR = “1” – to disable System Restore.

numbnutz · 13-12-2015 1:25pm

yankinlk wrote: »

I have had two calls in two days about this. Im not sure what advice to give - as both were running their entire small business on a personal laptop. They are screwed.

Any idea what the costs are? I should know in the next few days as i really think one of these two people will have to attempt to decrypt and pay.

In both cases, they received an email after they had just bought something off the internet, saying invoice attached, please pay... thinking the email was legit, it was opened (sounds like i love u) and then they were held ransom.

They were both also attached to dropbox - and as a result all shared files i had with them (one folder only) are now accessible, but it doesnt affect me.

Online backup companies are most certainly the way go as they analyse the data as its being backed up and phone you next day when a backup doesnt run.No I don't work for one its just our experience from working with them.
Using group policy to stop .exe files from executing in the temp folders on your OS is also a way to go but not 100%.
As for dropbox one clients store was encrypted but Dropbox's internal backup restored everything.
Something over the last two weeks is an email quota alert from your so called administrator with links and also a bagtogo.com link that seems to catch the ladies out in offices that have a free internet access policy.
Constant checking of backups and an online backup solution seem to be the only way to beat this.The human element can never be relied on unfortunately.

numbnutz · 13-12-2015 1:31pm

ED E wrote: »

WRONG!

Once its open to the OS/User for access its open to be re-encrypted. Re-comression doesnt work well, re-encryption works just the same.

Theres one version of this recently that uses the same key, so its decryptable. The rest, just pay. Its usually 200-500€.

We had one client who got away with his life and only had to pay €300 and got everything back.A very lucky boy indeed..paid the bitcoin got the decrypter and everything was back to normal.

Dvraiz · 18-12-2015 4:05am

I hate that the only real solution to this unless you have a backup is to pay the people who do this. It's just gonna get more and more popular considering how many people will pay.

yankinlk · 18-12-2015 7:48am

ED E wrote: »

WRONG!

Once its open to the OS/User for access its open to be re-encrypted.

So dramatic. So you're saying once it's unencrypted it's unencrypted. Rolls eyes. Reread my post. Files are safe at rest. Obv need layers of protection.

Btw Dropbox restore waste of time. The infected users just resynched the infected files.

PeterTheEighth · 18-12-2015 11:49am

Just gonna throw in my two cents here. So far I've had three sites that got so form of the cryptolocker type viruses in the last six months.

Two were small businesses, so we were able to fully restore from backup. This was time consuming but it worked. Third person has just a laptop with no backups and we were not able to retrieve the information. She was asked for 500 euro initially, then it went up to 1000 euro after a few days.

Initial version of this cryptolocker used to write the encryption key to the local hard drive, so some people were able to write programs to find the key and then decrypt the files. However the most recent versions (which all of my clients got infected with) do NOT write the encryption key to the local hard drive. The key is sent across the Internet to the "mothership", and unless you manage to catch it at this stage (with a packet sniffer), then you get no second chance.

Encrypto Cryptowall Encryption Ransomware

Comments