
Got hit by Ransomware :-(


Daffy D


Came down to the computer yesterday morning and found this on the screen:

[screenshot of the ransom screen, attached to the original post]

Normally I turn off the computer each night but as I was downloading a file left it on overnight. The night before the computer was fine so don't know how the "Ransomware" got on there, maybe a driveby infection overnight.

As I understand it you have to click on something, like an e-mail attachment, to activate a virus. I am careful about clicking on anything I don't recognize so don't know how it could have happened. I don't know how long a virus takes to show itself so maybe it was something I did many days ago.

I have M$ Security Essentials but that did not stop it from infecting my computer; neither SuperAntiSpyware nor Malwarebytes could remove it. In the end ESET Smart Security got rid of it: http://www.eset.com/int/. They give a 30 day free trial.

This virus does not affect normal use of the computer; what it does is encrypt certain files, like all picture files and Word Doc. files amongst others. Fortunately it does not encrypt video files or PDF docs.

To most of us our photos and documents are the most important so they do know where to target. A search through the internet will bring up lots of cases where this nasty virus has ruined people's lives because of the loss of irreplaceable family photos and documents.

This virus affects ALL the drives connected to your computer. I have 4 drives and on all of them all my photos and Word docs are encrypted, I have not yet had time to check if any other files are affected.

Some good news. I have my weekly back-up on one of the drives and though files on that disk are affected, it seems the files within the back-up folder are all right.

Seems some people have paid the "Ransom" and received the code to get their files back, but who knows if this is true, after all once they have the money why should they bother.

This Ransomware type of virus is VERY nasty and there is NO WAY of getting your locked files back, unless you take a chance and pay the ransom. I tried a couple of Data Recovery programs that obviously did not work. These files are not deleted or corrupt or fragmented, they are encrypted, and if they were recoverable with a Data Recovery program all encryption programs, like TrueCrypt, would be useless.

Fortunately I have 4Tb external removable drive where I keep monthly back-ups of all my drives so I can replace the locked ones, though I'll wait a few days before doing that just to reassure myself that my computer is clean now.

So a heads-up to all keep copies of your precious photos and documents on an external drive that is not connected to the computer - DO IT NOW.


Got to give some grudging admiration to these scumbags. Once their virus is launched out into the world all they have to do is sit back and count the money coming in.


I have read that doing a system restore to before that date will get it but I haven't had it.

If not I have heard that editing the registry will get it. If you don't know how, post back with which version of Windows you have and we'll start with a registry backup and then edit it from Safe Mode. It's possible that your registry is being automatically backed up but we need to know what version you have and have a look.

I have heard that this is the process for getting it out of the registry and therefore disabling it. Again, I'd want a registry backup first.

https://www.system-tips.net/remove-ransomware-that-modifies-shell-registry-entry/


This ransomware is normally spread using email attachments - so have a thorough review of all emails you've received within the last couple months for suspicious attachments, or else you might just find yourself infected all over again...

For Windows users there are a few things you can do to help mitigate the damage:

Perform regular backups as the OP did, but instead of placing them on removable drives, place them onto password secured network shares.

Backup your important docs and photos to the cloud (!) Between MS Azure, Amazon AWS's S3 and Google Drive, there's plenty of free cloud storage at your disposal, and there's also plenty of free & low cost apps you can install to automate the process. Some of them, like this http://www.cloudberrylab.com/cloudberry-box.aspx even have the ability for you to sync files between geographically separate machines via the cloud.

Of course, I also have to add that you can avoid all of this by using a Mac and Time Machine/iCloud ;)


This ransomware is normally spread using email attachments

Not any more... it can be installed just by opening an infected website.

OK, good to know. You do lose track a little after you ditch Windows on the desktop :)


Boot your hardware with some version of Linux on a USB and take a look at your Windows files. I don't know if the actual files are encrypted, or just the folders/dirs that they are in. Once you get the data off the machine you'll probably need a deep clean of the hard drive before trying to install an OS that doesn't give you these headaches :)



Bit late now, I keep an external HDD and have all my stuff backed up on it. Every month I update it with new photos, documents etc etc. Worst case scenario. I lose the last month of stuff.


This ransomware is normally spread using email attachments

Not any more... it can be installed just by opening an infected website.

OK, good to know. You do lose track a little after you ditch Windows on the desktop :)

I ran Linux Ubuntu for a couple years. Loved it. But need Office for work. Still run Linux on boxes at home.

The only problems I ever experience are with Windows OS machines - malware, virus, slow updates, difficult programs to deal with, not to mention licensing fees for the headaches....

Never have any problems with any of that on Ubuntu.


Just an aside -- I run Linux and a VM with Windows for those things that insist on running in Windows. As time goes by I use the Windows VM less and less, but things like the recent 90-day reporting online facility being only available on IE make it handy to have.

Like everything about personal computing -- people choose what they're comfortable with, but the basics of prevention of malware and similar problems are where we all come together. Unfortunately there are as many solutions as there are people talking ;)


This ransomware is normally spread using email attachments

Not any more... it can be installed just by opening an infected website.

It would be interesting to know what the infection vector was.

Just 'downloading' a file won't do it. Though, as Chicog pointed out, it's possible you unintentionally invited it in via your web browser.

Most likely the infection has been sitting on the OP's system waiting for a May 25 launch:

Locker ransomware hides until midnight on May 25th and then encrypts your data

Bleeping Computer - Started by Grinler, Yesterday, 01:42 PM

Quoted from the post:

A new ransomware called Locker has been discovered that once installed lay dormant until midnight local time on May 25th when it would activate and encrypt your data files.

Locker appears to be installed via a dropper that creates a daisy-chain installation of various Windows services that ultimately launches the Locker screen. The main dropper will be installed in C:\Windows\Syswow64 as a random name such as twitslabiasends.exe. This file will then create the Steg service that uses the C:\ProgramData\Steg\steg.exe executable. This executable will then install Tor into C:\ProgramData\Tor and create another service called LDR. The LDR service is associated with C:\ProgramData\rkcl\ldr.exe and will ultimately launch the rkcl.exe program which displays the Locker interface. Finally the installation will also delete all Shadow Volume Copies so that you are unable to use them to restore your files. The command used to delete the shadow volume copies is:

vssadmin.exe delete shadows /for=C: /all /quiet

The main screen for the Locker ransomware will include a version number. This version number appears to be random with titles such as Locker v1.7, Locker v3.5.3, Locker V2.16, and Locker V5.52. The Locker screen is broken up into 4 different sections labeled Information, Payment, Files, and Status. The Information screen will display the ransom note and information on what has happened to the victim's data. The Payment screen will display the victim's unique bitcoin address and information on how to make payment. The Files screen will load the list of files that have been encrypted and the Status screen will display payment status information.
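The Bleeping Computer write-up quoted above names concrete artifacts a defender can watch for: service binaries under C:\ProgramData\Steg, C:\ProgramData\rkcl and C:\ProgramData\Tor, a randomly named dropper in C:\Windows\Syswow64, and vssadmin being used to wipe the shadow copies. Below is an added example (my own code, not from the thread or from Bleeping Computer) that runs those checks over process-creation log lines. The `image="..." cmdline="..."` line layout, the sample lines and the small Syswow64 allowlist are constructed for the demonstration; map the parser to your own Sysmon event 1 or Security 4688 export before relying on it.

```python
import re
from dataclasses import dataclass

# Artifacts named in the quoted Bleeping Computer write-up on Locker: service
# executables under these ProgramData folders, a random-named dropper in
# C:\Windows\Syswow64, and vssadmin being used to wipe shadow copies.
SUSPICIOUS_IMAGE_DIRS = (
    "c:\\programdata\\steg\\",
    "c:\\programdata\\rkcl\\",
    "c:\\programdata\\tor\\",
)
# Any vssadmin call that deletes shadow copies, whatever the switch order.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# An executable launched directly from the Syswow64 folder; group 1 is its name.
SYSWOW64_IMAGE = re.compile(r"^c:\\windows\\syswow64\\([^\\]+\.exe)$", re.IGNORECASE)
# Constructed allowlist of 32-bit system binaries that legitimately live there;
# a real deployment would build this list from a known-good host.
SYSWOW64_ALLOWLIST = {"cmd.exe", "svchost.exe", "rundll32.exe", "vssadmin.exe"}

# Constructed log layout: one process creation per line, image path and command
# line quoted. Sysmon event 1 and Security 4688 carry the same two fields.
LINE_RE = re.compile(r'image="(?P<image>[^"]*)"\s+cmdline="(?P<cmd>[^"]*)"')


@dataclass(frozen=True)
class Alert:
    line_no: int
    rule: str
    image: str


def parse_line(line: str):
    """Return (image, command line) or None for lines that are not process events."""
    m = LINE_RE.search(line)
    return (m.group("image"), m.group("cmd")) if m else None


def scan_process_log(lines, allowlist=SYSWOW64_ALLOWLIST):
    """Apply the three Locker indicators to each process-creation line."""
    alerts = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        image, cmd = parsed
        low = image.lower()
        if SHADOW_DELETE.search(cmd):
            alerts.append(Alert(n, "shadow-copy-deletion", image))
        if low.startswith(SUSPICIOUS_IMAGE_DIRS):
            alerts.append(Alert(n, "programdata-service-binary", image))
        else:
            m = SYSWOW64_IMAGE.match(low)
            if m and m.group(1) not in allowlist:
                alerts.append(Alert(n, "unknown-syswow64-binary", image))
    return alerts


# Constructed sample export: one benign host process, then the chain from the
# write-up, then a harmless vssadmin listing and a legitimate 32-bit cmd.exe.
SAMPLE_LOG = [
    r'2015-05-25 00:00:01 image="C:\Windows\System32\svchost.exe" cmdline="svchost.exe -k netsvcs"',
    r'2015-05-25 00:00:02 image="C:\Windows\Syswow64\twitslabiasends.exe" cmdline="twitslabiasends.exe"',
    r'2015-05-25 00:00:03 image="C:\ProgramData\Steg\steg.exe" cmdline="steg.exe"',
    r'2015-05-25 00:00:04 image="C:\ProgramData\rkcl\ldr.exe" cmdline="ldr.exe"',
    r'2015-05-25 00:00:05 image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe delete shadows /for=C: /all /quiet"',
    r'2015-05-25 00:00:06 image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe list shadows"',
    r'2015-05-25 00:00:07 image="C:\Windows\Syswow64\cmd.exe" cmdline="cmd.exe /c dir"',
]

if __name__ == "__main__":
    for a in scan_process_log(SAMPLE_LOG):
        print("line %d  %-28s %s" % (a.line_no, a.rule, a.image))
```

The shadow-copy rule is the one worth keeping even after Locker is forgotten: legitimate software almost never deletes all shadow copies quietly, so a process-creation alert on it fires before most of the damage is done, whereas the path-based rules only catch this one family and its fixed folder names.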

This ransomware is normally spread using email attachments

Not any more... it can be installed just by opening an infected website.

Are you 100% sure about this? Seems like a huge weakness in a web browser which would be patched very quickly.

The only way I have heard of (without running a malicious file) is the remote-desktop bug which is basically trying every word in the dictionary with common account names to see if they can get in.


Bleeping Computer also has a support topic going for people hit by this time bomb:

Locker Ransomware Support Topic

Bleeping Computer -- Started by Grinler, May 24 2015 06:32 PM

"This is the support topic for the Locker Ransomware. As new information is discovered, this post will be updated."

"The Locker ransomware is a computer infection that silently runs on a victim's computer until May 25 Midnight local time at which point it became active. Once active, it will begin to encrypt the data files on the computer with what appears to be AES encryption. When encrypting the data files it will not change the extension of the file. Therefore, the only way to determine if the file is encrypted is by trying to open it and being told that the file is corrupt or not usable."

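Because Locker keeps file names and extensions unchanged, "try to open it" is the only test the support topic can offer. The following is an added example (my own code, not from the thread or from Bleeping Computer) that automates that check from the defender's side and goes a little beyond the quote: a file whose leading bytes no longer match the signature its extension implies is flagged, and for types with no known signature a high-entropy header is used instead, since ciphertext is close to 8 bits per byte while text and most office data are not. The signature table holds standard format magic numbers; the sample files, the 7.5 bits/byte threshold and the folder layout are constructed assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Leading-byte signatures for a few common formats (standard values, not taken
# from the thread). A file encrypted in place keeps its name but loses these.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; an assumption, tune on your own data


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: about 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: str) -> dict:
    """Report why, if at all, a file looks as though it was encrypted in place."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)
    reasons = []
    sigs = MAGIC.get(ext)
    if sigs is not None and not any(head.startswith(s) for s in sigs):
        reasons.append("header does not match %s signature" % ext)
    entropy = shannon_entropy(head)
    # JPEG, PNG and DOCX are already compressed, so high entropy is normal for
    # them; the entropy test is only meaningful where no signature is known.
    if sigs is None and entropy >= ENTROPY_THRESHOLD:
        reasons.append("high entropy (%.2f bits/byte) for %s" % (entropy, ext or "no extension"))
    return {"path": path, "entropy": round(entropy, 2), "reasons": reasons}


def scan_tree(root: str) -> dict:
    """Map relative path (with '/' separators) to reasons for every flagged file."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            info = inspect_file(full)
            if info["reasons"]:
                flagged[os.path.relpath(full, root).replace(os.sep, "/")] = info["reasons"]
    return flagged


def _pseudo_ciphertext(size: int) -> bytes:
    # Deterministic high-entropy bytes standing in for an encrypted file.
    out = b""
    while len(out) < size:
        out += hashlib.sha256(out[-32:] or b"seed").digest()
    return out[:size]


def build_demo_tree(root: str) -> None:
    """Constructed sample: two intact files and two 'encrypted' ones with names kept."""
    os.makedirs(os.path.join(root, "photos"))
    with open(os.path.join(root, "photos", "ok.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 200)
    with open(os.path.join(root, "photos", "hit.png"), "wb") as fh:
        fh.write(_pseudo_ciphertext(4096))
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Weekly backup ran fine, nothing unusual to report.\n" * 20)
    with open(os.path.join(root, "hit.txt"), "wb") as fh:
        fh.write(_pseudo_ciphertext(4096))


def run_demo() -> dict:
    root = tempfile.mkdtemp(prefix="locker-triage-")
    build_demo_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, why in run_demo().items():
        print(rel, "->", "; ".join(why))
```

Run against a drive after an incident this gives a quick inventory of what was hit without opening every file by hand, and run against a backup folder before you restore from it (the OP's weekly back-up, for instance) it tells you whether the copies there are still intact.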

Don't see how using a restore point or tinkering with the registry will be of any help as actual cryptolocker attacks encrypt your stuff at the file level... with the encryption key simply not being stored anywhere on your machine. Some months back there was a botnet takedown in which a bunch of these ransomware keys were recovered; Kaspersky has made them available via a tool available at their website (and the talk was that more of these keys were to be made available as well).

A good backup routine is an important preventative measure, but the backup device must not be accessible to the attack, and it can't be so "automated" that you end up overwriting good files with the encrypted versions before you realize what's happened.

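The second half of that advice, a backup that is so automated it overwrites good copies with encrypted ones before anyone notices, is something the backup script itself can be designed against. Here is an added example (my own code, not from anyone in the thread) of content-addressed versioning: every run only ever adds copies, keyed by the file's SHA-256, and never modifies or deletes an existing one, so the run that copies the freshly encrypted files sits beside the earlier good version rather than replacing it. The folder layout (one `<name>.versions` directory with a `manifest.log` per file) and the demo data are constructed for this example.

```python
import hashlib
import os
import shutil
import tempfile
import time


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(src_root: str, dest_root: str) -> list:
    """Copy each file whose content is new into dest_root/<rel>.versions/<sha256>.

    Existing copies are never touched, so a run that sees encrypted files adds
    versions instead of replacing the good ones. Returns (rel, digest) pairs copied."""
    copied = []
    for dirpath, _, files in os.walk(src_root):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root).replace(os.sep, "/")
            digest = sha256_file(src)
            vdir = os.path.join(dest_root, rel + ".versions")
            os.makedirs(vdir, exist_ok=True)
            target = os.path.join(vdir, digest)
            if os.path.exists(target):
                continue  # content unchanged since an earlier run
            shutil.copy2(src, target)
            with open(os.path.join(vdir, "manifest.log"), "a") as log:
                log.write("%d %s\n" % (int(time.time()), digest))
            copied.append((rel, digest))
    return copied


def versions(dest_root: str, rel: str) -> list:
    """Digests of the stored versions of rel, oldest first."""
    manifest = os.path.join(dest_root, rel + ".versions", "manifest.log")
    if not os.path.exists(manifest):
        return []
    with open(manifest) as fh:
        return [line.split()[1] for line in fh if line.strip()]


def restore(dest_root: str, rel: str, digest: str, out_path: str) -> None:
    """Write one chosen version back out; the choice of version is the operator's."""
    shutil.copy2(os.path.join(dest_root, rel + ".versions", digest), out_path)


def run_demo() -> dict:
    """Constructed scenario: back up a photo, have it encrypted in place, back up again."""
    src = tempfile.mkdtemp(prefix="src-")
    dest = tempfile.mkdtemp(prefix="bak-")
    photo = os.path.join(src, "photos", "holiday.jpg")
    os.makedirs(os.path.dirname(photo))
    good = b"\xff\xd8\xff" + b"holiday photo bytes" * 50
    with open(photo, "wb") as fh:
        fh.write(good)
    first = backup(src, dest)
    # Simulate the file being encrypted in place: same name, unrelated bytes.
    with open(photo, "wb") as fh:
        fh.write(hashlib.sha256(good).digest() * 40)
    second = backup(src, dest)
    third = backup(src, dest)  # nothing changed, so nothing is copied
    hist = versions(dest, "photos/holiday.jpg")
    restored = os.path.join(src, "restored.jpg")
    restore(dest, "photos/holiday.jpg", hist[0], restored)
    with open(restored, "rb") as fh:
        intact = fh.read() == good
    return {"copied": [len(first), len(second), len(third)], "versions": hist, "oldest_intact": intact}


if __name__ == "__main__":
    print(run_demo())
```

This only covers the overwrite problem. The first half of the advice still stands: if the ransomware can reach the destination folder it can encrypt the versioned copies too, so this layout belongs on a drive or share the infected account cannot write to, or one that is disconnected between runs.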

So if you actually paid money to the scumbags, they would also be potentially getting information on the account that paid it.

A lot of the infected websites are porn, not that I'm saying you've been naughty.


Unfortunately a backup to a direct-attached hard drive might be encrypted as well. There are cases where people have backed up to an external drive and the backup archive has been encrypted by ransomware.

And there is an even worse threat called Rombertik that Cisco recently found. That malware has several ways to detect if you are looking for it, and if it thinks you are trying to search for it, it encrypts your files, also on attached drives, and throws away the encryption keys. It overwrites your Master Boot Record and restarts your computer into an unrecoverable state.

If it's a server with VMs, none of the VMs start without an MBR.

And your files are encrypted in an unrecoverable state.

You need a proper non-direct-attached backup like CrashPlan to make sure your files are recoverable.

Some say that they use Dropbox or G-Drive for backup but that is NOT a backup, it's a sync service.


This happened to me about 2 years ago. One morning there was an e-mail telling me what had happened and I was to send so many dollars to get back what had been stolen from my PC. Mainly photos from my Kodak file. But someone (the perp) had chosen the pics that were not of me nor my wife but other certain ladies that she would be better off not seeing. Lots of the locally taken pics were still in the file, so someone had picked and chosen carefully. Did I pay up? No I bloody did not. If I knew who the perp or perps were I would pay someone to go and have a word with them with an iron bar. As far as I am concerned they broke into my house and took things that were mine and mine only, and if I did pay up next week they might have done the same thing. My anti-virus I have now seems to keep the bastards out of my domain.


When I was in Europe, I got the ransomware screen too. I immediately pushed down the power button, hard stop. Disconnected the internet connection, restarted and scanned with all my virus/malware scanners. No problem.

This new ransomware could be more dangerous.

My question Daffy:

Does it encrypt big TrueCrypt volumes? I mean, it's gonna take a long while to re-encrypt 200 to 300 GB TC volumes.

It doesn't encrypt movie files.... because they are big too?

It affects all drives, so it scans all partitions too, not just limiting itself to the typical Windows My Documents files on C:?


This ransomware is normally spread using email attachments

Not any more... it can be installed just by opening an infected website.

Are you 100% sure about this? Seems like a huge weakness in a web browser which would be patched very quickly.

The only way I have heard of (without running a malicious file) is the remote-desktop bug which is basically trying every word in the dictionary with common account names to see if they can get in.

Yes, I'm sure. I saw an Alphacrypt infection a couple of weeks ago and traced it back to the owner opening an innocuous website which had had links replaced and redirected to Eastern Europe.

The hackers use an exploit in Flash to execute their code quietly. So yes, had he patched he would not have been vulnerable.

I suspect it opened an encrypted tunnel to the PC and injected malware, which then attempted (unsuccessfully) to contact a C&C server for more malware; this didn't work because his firewall blocked it.

That's one big flaw with a lot of people, they do their Windows updates and think that's it. I recommend using something like Secunia PSI to keep tabs on everything else.

Apps need to be patched too!

Added: One option is to disable this kind of content running by default. In Chrome you use Settings, Advanced Settings, Content Settings and select "Let me choose when to run plugin content" - which I rarely do.

Edited by Chicog

When I was in Europe, I got the ransomware screen too. I immediately pushed down the power button, hard stop. Disconnected the internet connection, restarted and scanned with all my virus/malware scanners. No problem.

This new ransomware could be more dangerous.

My question Daffy:

Does it encrypt big TrueCrypt volumes? I mean, it's gonna take a long while to re-encrypt 200 to 300 GB TC volumes.

It doesn't encrypt movie files.... because they are big too?

It affects all drives, so it scans all partitions too, not just limiting itself to the typical Windows My Documents files on C:?

There are several types of Ransomware: one "only" locks your screen or only your current web browser, some encrypt your files with a 2048 bit encryption key. Some are destructive, some are not. New versions are developed all the time.

Some are on your computer for weeks, encrypting only a few files at a time on all your connected drives, in your Dropbox, a picture in your photo library, and when you discover something is wrong they hurry up with the encryption. Some only encrypt office documents, some target .pdf. Some only affect your C:, some only the home directory and some every single attached drive.

It mostly affects Windows but Linux and Macs can be affected. I've seen one Mac about 3 years ago, and since then I have tried to have a virtual Mac OS infected, but I have failed; I have tried probably hundreds of malware samples, but they simply don't work.


There are several types of Ransomware

Very true, the one I found was lucky for the user as it encrypted every document, picture, etc., and also DLLs on his C: Drive.

But fortunately it didn't hit his D: Drive, where he stored all his documents. So it was simple to wipe and repurpose without him losing anything.

But he now does backups religiously!



This happened to me about 2 years ago. One morning there was an e-mail telling me what had happened and I was to send so many dollars to get back what had been stolen from my PC. Mainly photos from my Kodak file. But someone (the perp) had chosen the pics that were not of me nor my wife but other certain ladies that she would be better off not seeing. Lots of the locally taken pics were still in the file, so someone had picked and chosen carefully. Did I pay up? No I bloody did not. If I knew who the perp or perps were I would pay someone to go and have a word with them with an iron bar. As far as I am concerned they broke into my house and took things that were mine and mine only, and if I did pay up next week they might have done the same thing. My anti-virus I have now seems to keep the bastards out of my domain.

and that anti-virus is ?


This ransomware is normally spread using email attachments

Not any more... it can be installed just by opening an infected website.

OK, good to know. You do lose track a little after you ditch Windows on the desktop :)

I ran Linux Ubuntu for a couple years. Loved it. But need Office for work. Still run Linux on boxes at home.

The only problems I ever experience are with Windows OS machines - malware, virus, slow updates, difficult programs to deal with, not to mention licensing fees for the headaches....

Never have any problems with any of that on Ubuntu.

Dual boot Windows and Linux. Keep your legacy apps on Windows (if you must), but do your surfing from Linux. Personally, there isn't a lot keeping me on Windows. Once MS stops support for Win7, my Windows OS will never again see the Internet. Hello Ubuntu (or any other flavor). Goodbye Billionaire Bill.


This ransomware is normally spread using email attachments - so have a thorough review of all emails you've received within the last couple months for suspicious attachments, or else you might just find yourself infected all over again...

For Windows users there are a few things you can do to help mitigate the damage:

Perform regular backups as the OP did, but instead of placing them on removable drives, place them onto password secured network shares.

Backup your important docs and photos to the cloud (!) Between MS Azure, Amazon AWS's S3 and Google Drive, there's plenty of free cloud storage at your disposal, and there's also plenty of free & low cost apps you can install to automate the process. Some of them, like this http://www.cloudberrylab.com/cloudberry-box.aspx even have the ability for you to sync files between geographically separate machines via the cloud.

Of course, I also have to add that you can avoid all of this by using a Mac and Time Machine/iCloud ;)

Great idea until your cloud provider is hacked.


It appears it was spread from Teamextreme minecraft 1.8.1 (hacked version). It appears to install on the same time and date, 25th or something, not when you installed the game.

For those who are desperate, paying does seem to release the encryption key.

You may get rid of the malware but unencrypting your files is looking doubtful.


Thanks every one for your links and comments.

Looks like this "Locker" is the latest in a long line of Ransomware flooding the Internet. Seems every version acts differently and not all affect their target the same way.

Some, after a long complicated effort seem to have had limited success in restoring a few files but in the main there seems no way to get back your files.

No one seems to know how a computer gets infected with this and as this one was set to lie dormant till midnight a couple of days ago it could have been lurking in the background for days or even weeks.

Getting rid of this "Locker" does not seem too difficult by using ESET Smart Security but I wonder if it is really gone or still lurking ready to have another go once I restore my files.

The big worry is how can it be stopped from infecting my computer again? Nobody knows how it arrived and as each version is slightly different how can any anti-virus program stop it?

"BuaBS" Don't know TrueCrypt files. I did notice that files inside a BackUp folder that was connected were not affected so it does seem the virus doesn't look too deeply.

I don't think size of movie files has anything to do with the encryption because even small DashCam clips were not affected. It just seems to affect certain file types, but this seems to change in different situations. My PDF files were not encrypted but seems others were.

Yes all drives, as I said I have 4 physical drives connected in the computer tower and they were all hit. Any connected drives including external drives seem to be vulnerable.

Keep your important stuff on drives not connected to the computer.

