Cryptowall virus/malware

jimjamuk · 20 Jun 2014 at 09:02

You can try to decrypt the file using brute force but these days that isnt going to happen quickly or easily - I doubt the person clever enough to write this is going to chuck in a weak encrytption algorhythm so chances are this isnt possible.

So bascially its one of two choices

1. Pay up - how much do they want??
2. Give them the 2 finger salute and write off the files and start again

At The Gates · 20 Jun 2014 at 09:08

How does it get access to infect cloud backups? Do people just sit there with cloud services permanently logged in and running 24/7?

Haggisman · 20 Jun 2014 at 09:09

jimjamuk said:
You can try to decrypt the file using brute force but these days that isnt going to happen quickly or easily - I doubt the person clever enough to write this is going to chuck in a weak encrytption algorhythm so chances are this isnt possible.

So bascially its one of two choices

1. Pay up - how much do they want??
2. Give them the 2 finger salute and write off the files and start again

It's always possible

It may take several decades using today's technology however

Duke · 20 Jun 2014 at 09:09

At The Gates said:
How does it get access to infect cloud backups? Do people just sit there with cloud services permanently logged in and running 24/7?

That is the idea of cloud services such as OneDrive and Dropbox. I expect you know this.

Myshra · 20 Jun 2014 at 09:12

Both Gdrive and Dropbox have file version control so nothing major should be lost, everything else is just a write off.

Haggisman · 20 Jun 2014 at 09:13

At The Gates said:
How does it get access to infect cloud backups? Do people just sit there with cloud services permanently logged in and running 24/7?

Cloud backup solutions with versioning should be safe, the latest versions of the files would obviously be lost, but previous versions should be fine.

Edit: beaten by a minute

The Funktopus · 20 Jun 2014 at 09:19

When we find out who creates these viruses, perhaps there should be a crowd sourcing website to fund having a hit put out on them.

Haggisman · 20 Jun 2014 at 09:20

The Funktopus said:
When we find out who creates these viruses, perhaps there should be a crowd sourcing website to fund having a hit put out on them.

I'm in. I reckon they'd get enough within minutes!

Herman Gelmet · 20 Jun 2014 at 09:28

Haggisman said:
I'm in. I reckon they'd get enough within minutes!

I think you might both be guilty of conspiring to murder :eek:

bitslice · 20 Jun 2014 at 09:43

What are people's suggestions for protecting their data?

I was thinking about having everything under a different login account and removing everything but read access for the main (Internet) account. There are very few files that I need write access to.

So if there was a new infection vector in the future, it's not going to be able to rewrite encrypted versions of any of my files.

As for stopping the virus in the first place, there is a program which purports to detect cryptowall.

Spursingham · 20 Jun 2014 at 09:49

Lightnix said:
Your only hope is to download the virus, use wireshark and make a visual basic gui to track the IP address and blackmail the people with the private key.

I'll get a screenshot...sfguilgvaslfgklasgklaflalkuglty *Enter*

Got it.

Haggisman · 20 Jun 2014 at 10:02

Herman Gelmet said:
I think you might both be guilty of conspiring to murder

Totally worth it. In fact, if we find who these guys are, I'll happily take donations to do the hit myself.

anything I don't mind · 20 Jun 2014 at 10:58

The virus is easy enough to remove but you won't be able to decrypt the files, no chance. If you don't have backups and you refuse to pay the ransom the files are gone forever.

If you remove the virus then you also will not be able to pay the ransom. If you pay the ransom there is no guarantee they will decrypt the files as well.

Sophos have a removal tools

http://www.sophos.com/en-us/product...tm_medium=Cross-link&utm_campaign=CL-CorpBlog

You can also use combofix to remove it.

One client we have lost 200k documents to the virus (not my site) and no backups due to rubbish IT.

The one site i support got infected through someones gmail account and bypass the nod32 and mimecast. encrypted all the mapped drives. Had to restore all from backup.

more info http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

The best protection is to set up software restrictions on the app data folders.

Zethor · 20 Jun 2014 at 11:13

Haggisman said:
I really don't get the mindset of these people, they're clearly quite talented programmers - surely they don't get that many "bites" that it wouldn't be more worthwhile for them to put their skills to constructive use, rather than making 90% of the developed world want a few hours alone with them in a room with several sharp implements, car batteries and bottles of acid...

The programmers, the "brains" behind these viruses are not the ones spreading them and taking the money from the victims. They just create the virus along with a "tutorial for dummies" and they sell the package to criminals (which often have only basic IT skills, if any). Most of the programmers probably have normal jobs and no criminal record whatsoever.

Energize · 20 Jun 2014 at 13:31

Herman Gelmet said:
I think it depends on whether the USB sticks were 'read only'. I have no idea if they still would be a little vulnerable even then, but it would be a sensible step. Problem is the devices lose their usefulness like this.

DVD backup with no rewriteability, is my choice here.

Dvd's are perhaps the least reliable backup medium in terms of failure rate. They are also a pain in the ****.

All you have to do is not put in your USB backup when your system has been infected and you can't access any of your desktop files... or use a write protector.

Quartz · 20 Jun 2014 at 13:58

bitslice said:
What are people's suggestions for protecting their data?

I recommend a layered defence. I have a real-time AV and periodically run Malware Bytes as a backup. I have nightly backups to my WSE box. I have occasional backups to external USB drives which are kept disconnected unless in use.

ETA: oh yes, I've read that Cryptolocker operates on all mapped drives but not by UNC, so the area with my backups on the WSE box isn't mapped by letter.

Gangster · 20 Jun 2014 at 15:22

How did she get the virus, software installed? email attachment?

Lighters · 20 Jun 2014 at 17:06

She has no idea, she did have a few dodgy toolbars installed / running but the rest seemed fairly normal tbh.

#Chri5# · 20 Jun 2014 at 18:42

It's quite possible her PC was already infected with a root kit and that delivered it. It's certainly how some instances of CryptoLocker "arrive"

LOAM · 20 Jun 2014 at 19:05

Our backup system is incremental and not accessible from terminal machines or mapable, its also running on a non Windows environment. Still worries me though even though I know its safe.