Got hit by Ransomware :-(


Daffy D


Several posters on the Bleeping Computer forum report paying the ransom and getting their files decrypted.

........which is the whole idea.

And unfortunately encourages the criminals to try harder.


So ESET is better at finding it and cleaning it, but is it better at stopping it from getting onto a machine in the first place?

Better to switch to that instead of the other well-known freebies? Avast!, AVG etc.


DLang, I'm using Qihoo 360 Total Security. As well as its own engines, it uses Avira's and Bitdefender's engines if you select Security mode; the best thing about it is, it's free.

I can't see ESET being any better at detection than 360, using so many virus databases and cloud-based protection. In fact I was using ESET Smart Security, but I accidentally uninstalled it from my desktop PC, and of course I'd thrown away the disk and code that I got when I bought it.

So after a bit of research I downloaded Qihoo 360 and am more than pleased with it.

http://www.360totalsecurity.com/en/


Several posters on the Bleeping Computer forum report paying the ransom and getting their files decrypted.

........which is the whole idea.

er...yes I know it is. Not quite sure what your point is.

You wrote:

Most ransomware removes itself from the PC once the encryption process is complete, leaving behind mainly just the encrypted data files and the ransom information, but most notably NOT the encryption key that's going to be needed to decrypt your data files. This is why the only way to get your files back is going to be either by somehow obtaining the key, or by recovering them from copies that whichever which way managed to avoid the attack. Most AV and anti-malware tools aren't going to be able to do this. ... which is why this is so nasty.

...with no mention of actually paying the ransom to get the key.

I've seen people warn not to pay the ransom, that it's a bluff and you won't get the key once you've transferred the funds. But for this particular cryptolocker variant, it does seem that if you pay up the $40, the malware, which is still running on your computer, contacts the server, downloads the key and does decrypt the files within a few hours.

Of course whether you pay the ransom and therefore encourage further malware like this is a personal choice and depends on how much the encrypted files are worth to you.

Edited by katana

So ESET is better at finding it and cleaning it, but is it better at stopping it from getting onto a machine in the first place?

Better to switch to that instead of the other well-known freebies? Avast!, AVG etc.

Because variants are produced at an alarming rate, antivirus is next to useless against this.

Better to block the holes that they're using:

(1) Never download emails with executables, or click on email (or Web for that matter) links unless you are absolutely sure they are what they say they are.

(2) Patch EVERYTHING - the OS and Applications.

That's not to say that a decent AV can't help, but don't rely on it.


'Was not trying to be tricky or snarky, so sorry if it seemed that way. 'Guess I was just trying to say that paying the ransom is just essentially paying for access to the encryption key. In the past, there's sometimes been a time limit, and even a countdown clock, associated with having been successfully attacked, after which the ransom might go up or just expire, leaving the victim pretty much up the creek. Also, I wouldn't really put my faith in AV, even one that's updated frequently, to protect me from this particular threat - my opinion. This is a relatively agile threat, and one with many variants, and its authors have demonstrated an ability to evade most of the traditional defenses.


I use the Web of Trust and Adblock extensions on Chrome. Qihoo 360 also goes on Chrome; it checks websites and has warned me about certain sites that are malware sites, so I've been able to avoid them before opening them. I use Qihoo 360 on the Security option as opposed to the Performance or Balanced options; that configuration gives 9 layers of protection.

As an extra I'm following Chicog with the CryptoPrevent free version.

I'm also a CryptoPrevent believer, and also use the free version (but check back regularly for updates).

Just downloaded, I'm using it in the default setting.

Oh, one more thing: I have an iPhone and iPad, and 99.9% of my emails are checked on one of those devices, so I just trash anything from anyone I don't know before even opening it, so it never gets onto my PC in the first place.

I think I'm reasonably well protected with my set-up.

Says he, hopefully.....

Edited by Banzai99

DLang, I'm using Qihoo 360 Total Security. As well as its own engines, it uses Avira's and Bitdefender's engines if you select Security mode; the best thing about it is, it's free.

I can't see ESET being any better at detection than 360, using so many virus databases and cloud-based protection. In fact I was using ESET Smart Security, but I accidentally uninstalled it from my desktop PC, and of course I'd thrown away the disk and code that I got when I bought it.

So after a bit of research I downloaded Qihoo 360 and am more than pleased with it.

http://www.360totalsecurity.com/en/

That's what I've been using for just over a year.

Excellent for a free program.


So ESET is better at finding it and cleaning it, but is it better at stopping it from getting onto a machine in the first place?

Better to switch to that instead of the other well-known freebies? Avast!, AVG etc.

Once you've got it, you can't "clean" it, because it has your files encrypted. Destroy the package with ESET or anything else and there's no way to then get the decryption key and the files unlocked. The ransomware I dealt with gave you something like 2 days to comply or you were out of luck.

You are dealing with hard core criminal software thought to have originated in Russia.

360 just got disqualified and stripped of all previously awarded certificates by a leading consumer testing company, AV-Test, because they obviously provided them with tuned software in order to reach better test results. Well, it's China. I changed to Panda today.

Interesting. My 360 version still updates the database for the Bitdefender engine. Seems odd if it doesn't actually use it as well as the other two engines.

http://www.pcmag.com/article2/0,2817,2422024,00.asp

Maybe I'll have a look at Panda...

It does use the Bitdefender and Avira engines; they are just not turned on by default. You have to configure it to a higher setting: the default setting is Balanced, where Bitdefender and Avira are not enabled. Simply configure it to Security, and they are.

Edited by Banzai99

<snip>

It makes a few changes to Windows security policy, so back up your registry first.

A couple of changes noticed by Scotty:

Attachment: crypto 1.jpg

Attachment: crypto 2.jpg

It's intercepting file associations for two legacy filetypes that are essentially executable. Nothing unusual about that.

Edited by Chicog

An update that may help anyone still suffering from this.....

BleepingComputer posted the following yesterday...

Yesterday the supposed developer of the Locker ransomware released a database dump of all the private decryption keys.

Along with this database is a post on Pastebin where he describes the encryption format and then apologizes for releasing the ransomware.

The keys have been confirmed to be legitimate and a decrypter has been created by Nathan Scott, the developer of CryptoMonitor and one of our resident ransomware gurus. Information about the decrypter can be found below along with the message from Pastebin....

Full article http://www.bleepingcomputer.com/forums/t/577953/locker-developer-releases-private-key-database-and-3rd-party-decrypter-released/


"ThaiDown" Thanks for the info and link, sure many people will be grateful.

Unfortunately I have deleted the virus and the Bitcoin code that is needed to use the release program.

I was lucky that I did not lose very much because of regular backups.

As for the scumbag being sorry for accidentally releasing the Locker virus, yeah, right!


I can't speak from firsthand experience trying to do this (perhaps someone else can), but if you've deleted all elements of the actual ransomware, leaving you with your encrypted data files, you might try digging on the internet for some decryptor tool or utility (provided you have what you think are the keys). You're only basically wanting to convert "ciphertext" back into "cleartext" with the keys. Best if you can find a tool specific to the ransomware you were hit with, of course, and it will have to be specific to the actual type (& key length, etc.) of encryption used. 'Sounds unlikely, I know, but probably just a bit of busywork for a knowledgeable programmer.

Be careful. Don't expose yourself to further infection by poking & prodding (& downloading from) unsafe sites.


What's worse is that they are now offering this as a service, so someone with limited knowledge can create and circulate their own variant, then rely on the host to collect the money and pay them.

'Tox' Offers Ransomware As A Service
The ransomware is free to use but site retains 20 percent of any ransom that is collected, McAfee researcher says.

The ready availability of packaged easy-to-use malware kits in underground markets has significantly lowered the barrier to entry for aspiring cybercriminals, and now they have one more tool option.

A researcher at Intel's McAfee Labs has unearthed what amounts to a ransomware-as-a-service kit for building and deploying ransomware. Dubbed "Tox," the kit requires very little technical skills to use and appears designed to let almost anyone deploy ransomware in three easy steps.

http://www.darkreading.com/cloud/tox-offers-ransomware-as-a-service/d/d-id/1320616


10 months later...

Hi "dharsh", welcome to the forum.

Seems ransomware is alive and well.

This reinforces the need for regular backups on a drive only connected to your computer at the time of making a backup.

All the drives in my computer were affected not just the System drive "C".

Your link http://sureshotsoftw...teslacrypt-mp3/ seems useful, but they only talk about MP3 files. All my picture and document files were encrypted, so that would not have been much help to me, and from what I read the unlock key changes constantly, so there is no one answer to a ransomware attack.

Back up regularly on an external drive.

Edited by Daffy D

Antivirus is getting almost useless against 0-day malware.

Pay particular attention to links in emails, be careful of the sites you visit, and be watchful for unexpected Office docs or PDF files; I've noticed a recent upsurge in those, embedded with script malware.
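As an added example (not from any poster or product in this thread), a defender-side triage check for the point above about unexpected Office and PDF attachments carrying script malware: it flags the OOXML parts and PDF name objects that indicate active content. The sample documents are constructed inline; a clean result means "nothing obvious", not "safe".

```python
import io
import re
import zipfile
from typing import List

# Constructed samples (not real attachments): a minimal macro-enabled OOXML file and two tiny PDFs.
def make_sample_docm(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed VBA stub")
    return buf.getvalue()

SAMPLE_PDF_SCRIPT = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.alert('constructed')) >> endobj\n%%EOF\n"
)
SAMPLE_PDF_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

# PDF name objects that make a document do something when opened or clicked.
PDF_ACTIVE_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]


def office_active_content(data: bytes) -> List[str]:
    """Findings for a zip-based (OOXML) Office file: macros, ActiveX, macro content type."""
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy .doc/.xls are OLE2 compound files and need a different parser.
        return ["not an OOXML container; inspect as legacy OLE document"]
    names = [n.lower() for n in z.namelist()]
    findings = []
    if any(n.endswith("vbaproject.bin") for n in names):
        findings.append("VBA macro project present (vbaProject.bin)")
    if any("/activex" in n for n in names):
        findings.append("ActiveX control parts present")
    if "[content_types].xml" in names and b"macroEnabled" in z.read("[Content_Types].xml"):
        findings.append("content type declares a macro-enabled document")
    return findings


def pdf_active_content(data: bytes) -> List[str]:
    """Findings for a PDF: active-content names seen in the raw bytes."""
    if not data.startswith(b"%PDF"):
        return ["missing %PDF header; not a PDF"]
    # Byte-level match only: names inside compressed object streams or written with
    # #xx hex escapes are not seen here, so an empty result is not a clean bill of health.
    return [
        "PDF active-content name " + name.decode()
        for name in PDF_ACTIVE_NAMES
        if re.search(re.escape(name) + rb"(?![A-Za-z])", data)
    ]
```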


I read somewhere that Bitdefender has posted some ransomware recovery tools on their website. They also have a free anti-ransomware download (which sounds like it works along the same lines as FoolishIT's Cryptoprevent which has already been mentioned here in this thread).

Short article containing some discussion and anti-ransomware comparisons here.

The basic guidance hasn't changed. With ransomware, it's much more about prevention and safe backup (that is, a backup that's secure from any actual ransomware encounter) than it is successful recovery from an actual infection.
