Cryptowall virus/malware

Been running my backup solution with a drive on my NAS with read and copy rights only and rotating offline USB backups mirroring the data for ages due to this one.

Could also go back to old school with CD-Rs.
 
So how does Cryptolocker traverse directories? Does it go depth first with network drives first? If so, could you hypothetically create a fake network drive with an infinitely recursive logical directory structure and have it just try to encrypt everything in that drive forever?

I noticed that it doesn't encrypt everything, some files were left unchanged.

Presumably an infection has a finite lifespan so it makes sense for it to encrypt all the .doc and .xls before it encrypts your porn research material.

If it were me I would also put a priority on cloud drives and network drives, because if you are connecting to those it means you need them.
I'd also prioritise everything with a recent modify date.

Some viruses have tried common admin passwords to spread themselves, and if possible you could use this to gain access to protected files.


It really is a fascinating area as you both have to hide your code and extract the most gain from your infiltration.

People have to assume they don't have the false protection of AV and to manage their data with that in mind.




 
So how do you stop your backups being infected?

How long a time is there from infection to it actually locking your files? Does it wait a set amount of time to hopefully catch as much as possible / as many devices connected to get backups, or does it just do it the second it arrives?


Like say you use an external HDD to back up once a week every Monday; if you get infected Sunday and it lays about for a day or two before encrypting stuff, when you plug your drive in on Monday all your backups are ****ed too?
 
This guy works for OMG, not GCHQ.
Great line :D
how long a time is there from infection to it actually locking your files
It starts right away, all the infections I saw had similar date stamps and it took an hour or so to encrypt everything.

A cleverer version would wait a while until it saw an external drive connected :cool:


like say you use an external HDD to back up once a week
It's just not safe to use an external drive, if you are not 100% sure of system integrity then assume you are infected.
You either have to transfer the files via some intermediary, make versions of files or have something change the permissions.


If I'm right you can move a folder onto a different volume and set it so the parent folder of that volume is 'Read Only' and 'Inherit Folders Permissions', this assumes you don't have admin rights to that parent. Folders copied there are then automatically set to Read Only by the Parent.
I'd be interested in corrections to this statement from current IT peeps.
 
You need to run incremental backups via a drive that is not accessible to a terminal that could be infected. Ours is a NAS running time backup twice daily that no one has access to; even if everything gets encrypted we can just choose to restore from the previous backup.
 
I'm worried my parents will pick this up one day, losing their data is unthinkable, they have decades worth of publication work and personal documents.

I have installed crypto prevent on their PCs and have robocopy backups going to a NAS, made out of spare parts, which snaps the backup volume once a day and is kept for a month.

Then (and this is where it gets over the top) it rsyncs with a NAS in my house and uploads to crashplan.
 
You need to run incremental backups via a drive that is not accessible to a terminal that could be infected. Ours is a NAS running time backup twice daily that no one has access to; even if everything gets encrypted we can just choose to restore from the previous backup.

Noob question, but say the PC gets infected and your NAS then does a backup: won't it just now encrypt your NAS, as you've "backed up" the virus?


Is there a simple, safe, idiot-proof system that can be set up to continually keep a pretty up-to-date backup that's not at risk of getting infected?

this is why my pc only has games and porn on it lol
 
It starts right away, all the infections I saw had similar date stamps and it took an hour or so to encrypt everything.

A cleverer version would wait a while until it saw an external drive connected

Seen a variant of it where on the first machine it was dormant(ish) while it tried to spread to other systems on the local network, and it was the other infected systems where it started encrypting files first. Not sure on the exact behaviour.

It's a nasty one. I'm still a little worried that someone else on the LAN here who is less aware of stuff like that will get it and it will spread like that; I've tried to minimise the exposure through shared folders and network broadcast services, etc. :S

Noob question, but say the PC gets infected and your NAS then does a backup: won't it just now encrypt your NAS, as you've "backed up" the virus?


Is there a simple, safe, idiot-proof system that can be set up to continually keep a pretty up-to-date backup that's not at risk of getting infected?

this is why my pc only has games and porn on it lol

If you have it set up correctly, it would need to be very advanced and capture your NAS login details and have carnal knowledge of management for mainstream NAS systems to then infect files there that weren't simply exposed via logged-in network shares with write permissions. I've folders on my NAS that only have read/copy permissions set, and the files are only ever writeable via the built-in file manager on the NAS.
 
Noob question, but say the PC gets infected and your NAS then does a backup: won't it just now encrypt your NAS, as you've "backed up" the virus?


Is there a simple, safe, idiot-proof system that can be set up to continually keep a pretty up-to-date backup that's not at risk of getting infected?

this is why my pc only has games and porn on it lol

Mapping the drive letter of your backup drive is a big no-no; as long as you don't do that you should be safe. Otherwise it can encrypt data it finds on the mapped drives.

Yes your NAS could backup the encrypted data but most models these days have the ability to take snapshots which it will have no way to wipe, unlike shadow copies. In the event the encrypted data is copied, you just roll-back to a point in time before it happened.
 
Mapping the drive letter of your backup drive is a big no-no; as long as you don't do that you should be safe. Otherwise it can encrypt data it finds on the mapped drives.

Yes your NAS could backup the encrypted data but most models these days have the ability to take snapshots which it will have no way to wipe, unlike shadow copies. In the event the encrypted data is copied, you just roll-back to a point in time before it happened.

cool.

When I have my house I shall be coming here for the "OMG I'm an adult now, please help me set up a fail-safe backup" thread lol
 
I believe the simplest option is offline backups only. However the tricky part is connecting this and trusting your system hasn't become infected putting this offline backup at risk. I've no idea how good the preventative tools people have listed earlier will be, but locking down the machine with limited accounts and not allowing executables to run is a good start.

As for those suggesting a brute-force method, aren't these files encrypted with a 2048 bit RSA key? That will take multiple millions of years, even with today's super computers.

Also looking at some of the monies people have paid, these look to be in the region of $300-500.
 
I guess there are a couple of things you could realistically do if you wanted to specifically fend off this kind of attack:

Don't give your computer write access to the NAS. Have the NAS read from directories you give it permission to and back up in rotation (make sure you have enough space to have more than one complete backup). If you want to do more specific backups, have some scripts on the NAS to do that.

Have your network backup solution check the files - if they appear 'random' (as a suitably encrypted piece of data should) or unreadable, they might have been encrypted. Warn the user before overwriting their backups with that kind of data.
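One way to implement the "check the files before overwriting" idea from this post, written here as an added example and not code from anyone in the thread. It runs on the pull side (the NAS), so the PC never needs write access to the backup. The magic-byte table, the 7.5 bits-per-byte entropy threshold, the 20% abort ratio, the `scan_tree`/`plan_backup` function names and the sample file contents are all my assumptions, constructed for the demo. The caveat it handles is the one that breaks a naive entropy check: .docx, .xlsx, .zip and .jpg are legitimately near-random because they are compressed, so for those the leading signature bytes decide, and entropy is only used for everything else.

```python
import hashlib
import math
import os
from collections import Counter
from typing import Dict, List, Tuple

# Expected leading bytes for file types the backup should recognise. A file that
# carries one of these extensions but no longer starts with its signature has
# almost certainly been rewritten. Assumed table for illustration, not exhaustive.
MAGIC: Dict[str, bytes] = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF", ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gz": b"\x1f\x8b",
}

# Shannon entropy (bits per byte) at or above which data is treated as "random".
# Ciphertext sits close to 8.0; text, logs and uncompressed documents sit well
# below it. Chosen heuristic, not a value from the thread.
ENTROPY_THRESHOLD = 7.5

# Keep the old backup (do not overwrite) if more than this fraction of the
# source looks encrypted. Also an assumed value.
MAX_SUSPECT_RATIO = 0.2

SAMPLE_BYTES = 64 * 1024  # only the first 64 KiB of each file is inspected


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty/constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """Flag a file whose type signature is gone or whose content is near-random.

    Compressed containers (.docx, .zip, .jpg, ...) are legitimately high entropy,
    so for those the magic bytes decide; for everything else entropy decides.
    """
    ext = os.path.splitext(name)[1].lower()
    head = data[:SAMPLE_BYTES]
    if ext in MAGIC:
        return not head.startswith(MAGIC[ext])
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def plan_backup(files: Dict[str, bytes],
                max_suspect_ratio: float = MAX_SUSPECT_RATIO) -> Tuple[bool, List[str]]:
    """Return (proceed, suspect_names); proceed is False when the source looks ransomed."""
    if not files:
        return True, []
    suspect = [name for name, data in files.items() if looks_encrypted(name, data)]
    return len(suspect) / len(files) <= max_suspect_ratio, suspect


def scan_tree(root: str) -> Dict[str, bytes]:
    """Read the first SAMPLE_BYTES of every regular file under root (pull side)."""
    out: Dict[str, bytes] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root)] = fh.read(SAMPLE_BYTES)
    return out


def _constructed_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for encrypted output (SHA-256 chain), for the demo only."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample "source tree": one text file, two legitimately high-entropy
# files with intact signatures, one empty log, and two files that look ransomed.
SAMPLE_FILES: Dict[str, bytes] = {
    "notes.txt": b"meeting notes: rotate the offline USB drive on Monday\n" * 200,
    "report.docx": b"PK\x03\x04" + _constructed_ciphertext(4096, b"docx"),
    "photo.jpg": b"\xff\xd8\xff" + _constructed_ciphertext(8192, b"jpg"),
    "empty.log": b"",
    "thesis.doc": _constructed_ciphertext(SAMPLE_BYTES, b"doc"),             # OLE header gone
    "budget.xlsx.encrypted": _constructed_ciphertext(SAMPLE_BYTES, b"xlsx"),  # renamed, random
}

if __name__ == "__main__":
    proceed, suspect = plan_backup(SAMPLE_FILES)
    print("suspect files:", suspect)
    print("overwrite previous backup:", proceed)
```

On a real NAS you would replace `SAMPLE_FILES` with `scan_tree("/mnt/source")` and only run the rotation/copy step when `proceed` is true, logging the suspect list either way; two of the six constructed files trip the check, so the run above refuses to overwrite. Per-file entropy is a heuristic, which is why the ratio is checked across the whole set rather than aborting on a single odd file, and why it complements rather than replaces the snapshots others in the thread recommend.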
 
Yeah, what I was wondering is: when it backs up the files, does it not copy an active version of the virus which could then encrypt the whole drive?

It could well back up an inactive copy of the virus if the inactive virus is in one of the folders that gets backed up.
 