
The Ransomware Nightmare.

  • 02-08-2016 9:46am
    #1
    Closed Accounts Posts: 6,869 ✭✭✭PeterTheNinth


    Hi everybody,

    Just wondering what experiences other people have had with Ransomware of late. I had one last week on a site where all files were encrypted, had to restore both of their servers to get rid.

    Have a home user PC now, encrypted everything on the hard drive AND on the USB backup. The page that they bring you to, with your own personal ID, doesn't work so there is no way of even paying them and decrypting the files. How exactly do you tell someone "I think all of your kids' photos for ten years are gone."

    Anybody else have any experiences with this?


Comments

  • Registered Users Posts: 1,456 ✭✭✭FSL


    I haven't had experience of this and I know it's a bit like bolting the stable door but when taking regular backups it's good practice to restore to a different database name periodically to check that the backup is readable.

    Edit: Just re-read; I see that their backup drive was encrypted so it must have been attached. Even if you are running a mirrored RAID system you should keep off-line copies, preferably in a separate location.
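
The restore test FSL recommends, generalised from a database to any file backup, as an added example (not code from the thread): it records a SHA-256 manifest at backup time, restores the archive into a scratch directory rather than over the live data, and reports every file that is missing or differs. The same check flags a backup drive whose contents were overwritten by encrypted copies, which is what happened to the home user in the opening post. The directory layout, file contents and the truncated-archive failure case are all constructed for the demo.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    """Map every file under root (relative, forward-slash path) to its SHA-256."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src as a .tar.gz and return the manifest taken at backup time."""
    manifest = make_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def verify_backup(archive: Path, manifest: dict) -> list:
    """Restore into a throwaway directory (never over the live data) and return
    the relative paths that are missing or whose contents differ.
    An archive that cannot be read at all counts as every file missing."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                if hasattr(tarfile, "data_filter"):   # Python 3.12+ and backports
                    tar.extractall(dest, filter="data")
                else:
                    tar.extractall(dest)
        except (tarfile.TarError, OSError, EOFError, zlib.error):
            return sorted(manifest)
        restored = make_manifest(dest)
    return sorted(rel for rel, digest in manifest.items()
                  if restored.get(rel) != digest)


def run_demo() -> tuple:
    """Constructed demo: a tiny photo tree, a good backup, then a damaged one."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "photos" / "2015").mkdir(parents=True)
        (src / "notes.txt").write_text("constructed sample file\n")
        (src / "photos" / "a.jpg").write_bytes(b"\xff\xd8constructed\xff\xd9")
        (src / "photos" / "2015" / "b.jpg").write_bytes(b"\xff\xd8more\xff\xd9")
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        clean = verify_backup(archive, manifest)        # expect [] for a good archive
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])     # simulate a damaged archive
        damaged = verify_backup(archive, manifest)      # expect files reported
    return clean, damaged


if __name__ == "__main__":
    good, bad = run_demo()
    print("problems in good backup:", good)
    print("problems in damaged backup:", bad)
```

Run the verification on a schedule from a machine that is not the one being backed up, and keep the manifest with the offline copy: a restore that succeeds but yields files with the wrong hashes is exactly the symptom of a backup target that was encrypted along with the source.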


  • Registered Users Posts: 8,748 ✭✭✭degsie


    Help may be at hand.

    https://www.nomoreransom.org


  • Registered Users Posts: 24,387 ✭✭✭✭lawred2


    what leads you to this situation in the first place?

    what were you doing?


  • Registered Users Posts: 170 ✭✭Halfbaker


    What is the specific type of ransomware? Some that uses weak encryption has been cracked, you might get lucky.


  • Closed Accounts Posts: 6,869 ✭✭✭PeterTheNinth


    degsie wrote: »
    Help may be at hand.

    https://www.nomoreransom.org

    I put the files in and the HTML file, and got an upload error.


  • Closed Accounts Posts: 6,869 ✭✭✭PeterTheNinth


    lawred2 wrote: »
    what leads you to this situation in the first place?

    what were you doing?

    Neither of them are my PC. I worked in the area, and they end up on my desk. In one case we're pretty certain that the Remote Desktop Services was hacked. In the home case, it may have been an email, but rarely are people prepared to admit it. They usually say "I'm always careful, I never clicked on anything".


  • Registered Users Posts: 24,387 ✭✭✭✭lawred2


    PeterTheNinth wrote: »
    degsie wrote: »
    Help may be at hand.

    https://www.nomoreransom.org

    I put the files in and the HTML file, and got an upload error.

    it says one or the other - not to upload both

    maybe it was a simple form upload error


  • Registered Users Posts: 24,387 ✭✭✭✭lawred2


    PeterTheNinth wrote: »
    lawred2 wrote: »
    what leads you to this situation in the first place?

    what were you doing?

    Neither of them are my PC. I worked in the area, and they end up on my desk. In one case we're pretty certain that the Remote Desktop Services was hacked. In the home case, it may have been an email, but rarely are people prepared to admit it. They usually say "I'm always careful, I never clicked on anything".

    In general though - what are the things to watch out for?


  • Closed Accounts Posts: 6,869 ✭✭✭PeterTheNinth


    This is the one that I am dealing with at the moment. But we've had quite a few over the last few months, so this is just the latest one.

    http://www.broadanalysis.com/2016/07/26/neutrino-exploit-kit-via-pseudodarkleech-delivers-cryptxxx-ransomware-new-c2/

    There are free decryption keys available for some of the ones that were out earlier in the year, but not yet for this current one.


  • Registered Users Posts: 2,025 ✭✭✭ItHurtsWhenIP


    PeterTheNinth wrote: »
    Neither of them are my PC. I worked in the area, and they end up on my desk. In one case we're pretty certain that the Remote Desktop Services was hacked. In the home case, it may have been an email, but rarely are people prepared to admit it. They usually say "I'm always careful, I never clicked on anything".

    It doesn't have to come from an e-mail attachment/link.

    Clicking on a poisoned advert could have the same outcome.


  • Closed Accounts Posts: 6,869 ✭✭✭PeterTheNinth


    lawred2 wrote: »
    In general though - what are the things to watch out for?

    The only one that has admitted to it, in fairness to her, was one woman with a work PC in a small office. She said that she got an email that said "Invoice", and when she opened it, it was a word document. At the top there was a message saying "Enable Plugin", like you would sometimes get with file converters and the like. She clicked on that plugin and it was game over. They were just blessed that it was their second PC and not their main PC, cos they would have had to shut the doors. Similar to this:

    [Image: locky-macros-640.png]

    Now that I think about it, we had one other guy that admitted to clicking another email as well, but I'm not sure what the actual email was. But it was certainly an email.


  • Registered Users Posts: 24,387 ✭✭✭✭lawred2


    PeterTheNinth wrote: »
    lawred2 wrote: »
    In general though - what are the things to watch out for?

    The only one that has admitted to it, in fairness to her, was one woman with a work PC in a small office. She said that she got an email that said "Invoice", and when she opened it, it was a word document. At the top there was a message saying "Enable Plugin", like you would sometimes get with file converters and the like. She clicked on that plugin and it was game over. They were just blessed that it was their second PC and not their main PC, cos they would have had to shut the doors. Similar to this:

    [Image: locky-macros-640.png]

    Now that I think about it, we had one other guy that admitted to clicking another email as well, but I'm not sure what the actual email was. But it was certainly an email.

    and these emails don't fall victim to spam filters?


  • Closed Accounts Posts: 6,869 ✭✭✭PeterTheNinth


    lawred2 wrote: »
    and these emails don't fall victim to spam filters?

    It depends on your filtering. This latest victim was on an Eircom account which lets everything in. But some of our Office 365 users get a LOT less and as such are much less susceptible.


  • Registered Users Posts: 24,387 ✭✭✭✭lawred2


    PeterTheNinth wrote: »
    lawred2 wrote: »
    and these emails don't fall victim to spam filters?

    It depends on your filtering. This latest victim was on an Eircom account which lets everything in. But some of our Office 365 users get a LOT less and as such are much less susceptible.

    eircom - pffft

    quelle surprise


  • Posts: 0 [Deleted User]


    Some commercial anti-spam services have implemented a blanket ban on Office documents containing macros as this is the most common entry point for ransomware.
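
How a mail gateway can implement the blanket macro ban mentioned above, as an added example rather than any vendor's code: Office Open XML attachments (.docx, .docm, .xlsm and friends) are zip packages, and a VBA project is stored inside as a part named vbaProject.bin whatever the file extension says, so the check opens the container instead of trusting the name. The block/hold/allow policy, the in-memory sample documents and the placeholder project bytes are constructed for the demo; legacy binary .doc/.xls files are a separate container format that this snippet only recognises, not parses.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container (.doc/.xls/.ppt). Finding macros in
# these needs a dedicated parser, so a cheap gateway check can only treat them
# as a class and hand them to a deeper scanner.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_office_attachment(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-binary' or 'not-office'.

    OOXML packages are zip archives containing [Content_Types].xml; a macro
    project is the part vbaProject.bin (under word/, xl/ or ppt/)."""
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "not-office"
    if "[Content_Types].xml" not in names:
        return "not-office"          # a zip, but not an Office package
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "macro"
    return "no-macro"


def gateway_decision(filename: str, data: bytes) -> tuple:
    """Constructed policy: block macro-bearing OOXML outright, hold legacy
    binary Office files for a macro scan, let everything else through."""
    kind = classify_office_attachment(data)
    if kind == "macro":
        return "block", f"{filename}: embedded VBA project"
    if kind == "legacy-binary":
        return "hold", f"{filename}: legacy binary Office format, needs macro scan"
    return "allow", f"{filename}: {kind}"


def build_sample_docx(with_macro: bool) -> bytes:
    """Build a minimal, constructed OOXML package in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # placeholder bytes; a real vbaProject.bin is an OLE stream
            zf.writestr("word/vbaProject.bin", b"\x00placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("Invoice.docm", build_sample_docx(True)),
               ("report.docx", build_sample_docx(False)),
               ("old.doc", OLE_MAGIC + b"\x00" * 16),
               ("readme.txt", b"plain text")]
    for name, blob in samples:
        print(gateway_decision(name, blob))
```

Because the test looks at the package contents, renaming Invoice.docm to Invoice.docx does not get it past the check; the gap that remains is the legacy binary format, which is why several gateways simply hold or strip those as a class.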


  • Closed Accounts Posts: 6,869 ✭✭✭PeterTheNinth


    The one thing that I still don't understand is how the operating system allows all of your files to be edited at a rate of thousands every minute. I mean Windows normally prompts you every time you want to take a p1ss.

    You would think that Microsoft would be more involved in helping sort out some countermeasure to ransomware rather than forcing Windows 10 down the throats of people who don't want it.


  • Posts: 0 [Deleted User]


    PeterTheNinth wrote: »
    The one thing that I still don't understand is how the operating system allows all of your files to be edited at a rate of thousands every minute. I mean Windows normally prompts you every time you want to take a p1ss.

    You would think that Microsoft would be more involved in helping sort out some countermeasure to ransomware rather than forcing Windows 10 down the throats of people who don't want it.

    I don't think that other operating systems would block such an attempt either.
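
PeterTheNinth's question above (why the OS lets one process rewrite thousands of files a minute) and the reply that other operating systems would not block it either point at the same thing: a process that owns the files is allowed to write them, and bulk writes are legitimate for backup jobs, compilers and sync clients. What endpoint anti-ransomware products do instead is watch the rate per process. This added example, not from the thread or any product, runs that heuristic over a constructed file-activity log: the event format, process names, paths, 60-second window and 50-file threshold are all assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumption: sliding window length
THRESHOLD = 50                   # assumption: distinct files per process per window


def parse_event(line: str) -> tuple:
    """Constructed event format: ISO time|pid|process|operation|path."""
    ts, pid, proc, op, path = line.rstrip("\n").split("|", 4)
    return datetime.fromisoformat(ts), int(pid), proc, op, path


def detect_mass_modification(lines, window=WINDOW, threshold=THRESHOLD) -> list:
    """Return one alert (time, pid, process, distinct_files) per process that
    writes or renames at least `threshold` distinct files inside `window`.
    Events are expected in time order, as a file-system monitor emits them."""
    recent = defaultdict(deque)   # pid -> (timestamp, path) events still in window
    alerted = set()
    alerts = []
    for line in lines:
        ts, pid, proc, op, path = parse_event(line)
        if op not in ("write", "rename"):
            continue              # reads and deletes are not counted here
        q = recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop events that fell out of the window
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and pid not in alerted:
            alerted.add(pid)      # one alert per offending process
            alerts.append((ts, pid, proc, len(distinct)))
    return alerts


def build_sample_log() -> list:
    """Constructed events: a word processor saving a few documents, and a
    hypothetical 'invoice.exe' renaming sixty photos in thirty seconds."""
    base = datetime(2016, 8, 2, 9, 46, 0)
    lines = []
    for i in range(3):
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()}|1200|winword.exe|write|"
                     f"C:\\Users\\anne\\Documents\\report{i}.docx")
    for i in range(60):
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t.isoformat()}|4412|invoice.exe|rename|"
                     f"C:\\Users\\anne\\Pictures\\img{i:03d}.jpg.locked")
    lines.sort()                  # ISO timestamps, so string order is time order
    return lines


if __name__ == "__main__":
    for alert in detect_mass_modification(build_sample_log()):
        print("ALERT: %s pid=%d %s touched %d files within %ds"
              % (alert[0].isoformat(), alert[1], alert[2], alert[3], WINDOW.seconds))
```

Treat it as one layer: a slow encryptor stays under any rate threshold, and busy legitimate processes will trip it, so products pair the rate check with allow-lists and canary files, and none of it replaces the offline backups FSL mentioned earlier in the thread.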


  • Registered Users Posts: 602 ✭✭✭one man clappin


    I had the same situation a couple of weeks ago with a client. They opened an attachment on an email which encrypted all documents on their PC and also the external hard drive which was plugged into the PC.
    The ransomware was looking for 2 bitcoins for the decrypt key.
    They had McAfee Internet Security on their PC which did not pick up the ransomware, but both ESET and Microsoft Security Essentials picked it up and deleted it.


  • Registered Users Posts: 3,318 ✭✭✭davo2001


    one man clappin wrote: »
    I had the same situation a couple of weeks ago with a client. They opened an attachment on an email which encrypted all documents on their PC and also the external hard drive which was plugged into the PC.
    The ransomware was looking for 2 bitcoins for the decrypt key.
    They had McAfee Internet Security on their PC which did not pick up the ransomware, but both ESET and Microsoft Security Essentials picked it up and deleted it.

    So the client was running 3 anti virus applications on the same PC?


  • Registered Users Posts: 602 ✭✭✭one man clappin


    davo2001 wrote: »
    So the client was running 3 anti virus applications on the same PC?

    No sorry davo2001, the client only had McAfee; here in my office I have a couple of PCs, one with ESET and one with MSE (very rarely used).


  • Closed Accounts Posts: 6,869 ✭✭✭PeterTheNinth


    one man clappin wrote: »
    They opened an attachment on an email which encrypted all documents on their PC and also the external hard drive which was plugged into the PC.

    Just wondering, did the person admit to clicking on the attachment or are you assuming that is what happened?


  • Registered Users Posts: 602 ✭✭✭one man clappin


    They told me originally that they did not do anything, but after asking a couple of questions they admitted that "yes, I did click on the link".


  • Registered Users Posts: 3,318 ✭✭✭davo2001


    "OK, so what did you do before you did nothing" :pac:


  • Registered Users Posts: 2,754 ✭✭✭flyingsnail


    I had to deal with this for somebody recently, fortunately because they had good backups they only lost about one days worth of work. It came as an email attachment that Avast initially blocked, but because they were expecting something from the source email address they disabled Avast to allow the download.
    The virus itself was called Locky.


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    They may have the photos sent to others, on Facebook or on CDs from when they got any printed.


  • Registered Users Posts: 13,016 ✭✭✭✭vibe666


    good news on the ransomware 'vaccination' front. :)

    http://betanews.com/2016/03/29/bitdefender-anti-ransomware/

    I only found it after a customer gave me their cryptolocker encrypted laptop asking for help.

    I was really lucky, it was my first one, but after a bit of research and getting disheartened the more I was reading, I had a look at the drive with Shadow Explorer and through what I imagine was blind luck, ALL her unencrypted files were still present in VSS (apparently the ransomware is designed specifically to delete them and disable VSS to prevent exactly this), so I just did an export from Shadow Explorer to USB and installed BitDefender and the additional anti-ransomware component above for good measure, and did the usual raft of cleanups with mbam, spybot, adaware, adwcleaner, hijackthis!, hitman pro, webroot etc. and then deleted all the encrypted files and she was good to go.

    I actually ended up doing an in-place upgrade to Win10 too, as she was hating Windows 8 anyway and it was free, so all good, and I figured a lot of system files would be replaced during the upgrade process too, for a bit of added belt/braces action. :)

    Then I got another one in the door with the obligatory "I think I might have *a* virus on my laptop" statement as it had gotten 'slow'.

    I removed the chocolate teapot that is Norton 360 and installed BitDefender (which I'm really starting to like from a "set and forget" perspective for users) and the first scan reveals 1306 infected virus components. I was half tempted to throw another 31 on there just so I could tell her she had 1337 viruses! :D


  • Registered Users Posts: 2,025 ✭✭✭ItHurtsWhenIP


    vibe666 wrote: »
    good news on the ransomware 'vaccination' front. :)

    http://betanews.com/2016/03/29/bitdefender-anti-ransomware/

    I only found it after a customer gave me their cryptolocker encrypted laptop asking for help.
    ...

    As far as I remember within days of Bitdefender coming out with that, the evil doers were already circumventing it. :( It is useful, but it is not a panacea.

