Encryption Virus Help!

Geico266

Are you ****ing kidding me?

I have McAfee virus and firewall protection. It is updated and run several times.

This AM our files are locked and "encrypted" and the bastards are asking for money so we can get our "encryption code".

Any ideas on how to defeat it?
 
I know several who have been hit and ended up paying the ransom.
 
Ignore the threats, drill holes in your hard drive and throw it in the trash. Then, start over. Change all your passwords, create new backups. And read "Future Crimes" by Marc Goodman ( or any number of other books out there on the true state of computer security).

There are so many new "zero-day" security holes being found and exploited every day that there's no way that McAfee or anyone else can keep up. Learn how to limit your exposure.

The old maxim about believing nothing you read and only half of what you see is more true today than when it was written.
 
I'm a little out of that loop, but when I was still doing that sort of work, the only faint hope of recovering the files (other than paying the ransom) was to try to recover them from the shadow copy. According to the FBI:

FBI said:
Unfortunately, once the encryption of the files is complete, decryption is not feasible. To obtain the file specific Advanced Encryption Standard (AES) key to decrypt a file, you need the private RSA key (an algorithm for public key cryptography) corresponding to the RSA public key generated for the victim’s system by the command and control server. However, this key never leaves the command and control server, putting it out of reach of everyone except the attacker. The recommended solution is to scrub your hard drive and restore encrypted files from a backup.

I used to know a guy who could sometimes recover some files from the shadow copies on some machines, but as every minute ticked by the number of files that could be recovered decreased. After a few hours, he didn't even bother trying.

So long story short, I suspect that your files are hosed. :(

Worse yet, if your backups were accessible to the machine when it got infected, they may be hosed as well. :(

In the future, I suggest you consider periodically creating a clone or image backup on an external drive that is disconnected or powered down between backups, in addition to whatever other backups you do.

Rich
 
We deal with this a lot, and oftentimes end up just paying the damn money; we've never had a case yet where we haven't got the files decrypted after paying.

Backups are important.
 
To drift this thread a bit.... Any preferences on which Anti-Virus programs?
 
To drift this thread a bit.... Any preferences on which Anti-Virus programs?

I've been using AVG for a couple of years now on my desktop Windows PC. I don't swear by it, or any other AV or "Windows cleaner" type stuff. But, it's at least some kind of protection. And, it doesn't seem to bog down the OS as bad as some. I hate McAfee products on principle.

I don't run any aftermarket AV on my Macbook. I just keep it turned off when I'm not using it. And, I'm very careful about downloading anything or clicking on "links". That way, the OS works the way it was designed to (supposedly).
 
Are you ****ing kidding me?

I have McAfee virus and firewall protection. It is updated and run several times.

This AM our files are locked and "encrypted" and the bastards are asking for money so we can get our "encryption code".

Any ideas on how to defeat it?
Got any ideas how this happened? Did you **** anyone off lately?

Oh wait, maybe paying the ransom will be easier than creating THAT list.

edit: By the way, I am sorry to hear that this happened to you. I know what a ***** this can be.
 
My partner's husband clicked on the wrong thing, had this happen; his boot sector was hosed, but a qualified computer dude recovered the contents themselves, no problem. This was a week or so ago...
 
If your hard drive is already encrypted, can they still encrypt the files?

Honest question here.
 
I've been using AVG for a couple of years now on my desktop Windows PC. I don't swear by it, or any other AV or "Windows cleaner" type stuff. But, it's at least some kind of protection. And, it doesn't seem to bog down the OS as bad as some. I hate McAfee products on principle.

I don't run any aftermarket AV on my Macbook. I just keep it turned off when I'm not using it. And, I'm very careful about downloading anything or clicking on "links". That way, the OS works the way it was designed to (supposedly).

I do the same, and also have Malwarebytes stuff. Adobe tried to sneak McAfee on the other day in an update; usually it gets a check box, this time I had to get rid of it.
 

Interesting. It's over a year old, which is roughly two eternities in malware terms; but I'd give it a shot if I had the occasion.

Most AVs if kept up to date should be able to protect against the crypto viruses.

Meh. A lot of it is luck of the draw, in my opinion. You can come across one fresh out of the oven before your AV has updated to recognize it. If it doesn't raise the heuristics' eyebrows, you're infected.

To drift this thread a bit.... Any preferences on which Anti-Virus programs?

I've had excellent luck with ESET NOD32. I've been using it for four or five years now, which is a record for me on any one AV. They all seem to have their golden ages, but ESET's has lasted longer than most.

I also know that it's working because it's stopped me dead in my tracks a few times when I carelessly clicked a bad link or visited a site that had been compromised. So I'm happy with it. YMMV.

I've also heard great things about the current versions of BitDefender and WebRoot, but haven't tried either one.

If your hard drive is already encrypted, can they still encrypt the files?

Honest question here.

Yes.

Rich
 
So, for the security gurus, my approach to security relies on deleting emails and never going for unknown, and typically obviously fraudulent, clickbait. Between that, AVG Free, and Malwarebytes stuff that has alerted, protected, and cleaned on half a dozen occasions, if that, over the years, that's all I do, and I seem to be free of attack and malware when I run scans. Am I deluding myself in thinking that this method of security is pretty damned secure?
 
So, for the security gurus, my approach to security relies on deleting emails and never going for unknown, and typically obviously fraudulent, clickbait. Between that, AVG Free, and Malwarebytes stuff that has alerted, protected, and cleaned on half a dozen occasions, if that, over the years, that's all I do, and I seem to be free of attack and malware when I run scans. Am I deluding myself in thinking that this method of security is pretty damned secure?

It just depends. The internet is a pretty unsafe place and there is a certain degree of luck. Adobe's Flash product has been getting hit really hard lately with zero days (it's junk)...

I've never heard of someone getting a cryptolocker style virus on a Mac. Could it happen? Sure...but it's a hell of a lot less likely.

I don't bother with anti-virus on any platform (unless required by some compliance requirement). The nature of vulnerabilities and how systems get attacked is barely covered by anti-virus, which tends to just suck resources.
 
So, for the security gurus, my approach to security relies on deleting emails and never going for unknown, and typically obviously fraudulent, clickbait. Between that, AVG Free, and Malwarebytes stuff that has alerted, protected, and cleaned on half a dozen occasions, if that, over the years, that's all I do, and I seem to be free of attack and malware when I run scans. Am I deluding myself in thinking that this method of security is pretty damned secure?

From what I have found out, that isn't good enough. A contaminated link can be found anywhere, even here. All they need is a virus that is not recognized by your anti-virus software and you're screwed. :rolleyes2:

I just took my external hard drive into a computer shop and it is encrypted also. :mad2:

No worries, if Hillary and the IRS can use the excuse of losing data so can I. :D
 
It just depends. The internet is a pretty unsafe place and there is a certain degree of luck. Adobe's Flash product has been getting hit really hard lately with zero days (it's junk)...

I've never heard of someone getting a cryptolocker style virus on a Mac. Could it happen? Sure...but it's a hell of a lot less likely.

I don't bother with anti-virus on any platform (unless required by some compliance requirement). The nature of vulnerabilities and how systems get attacked is barely covered by anti-virus, which tends to just suck resources.

Aside from my one Windows machine (a Microsoft Surface Tablet), I don't run any AV at all either. I have a 6 month policy where I blow away everything and start anew with the latest and greatest build of whatever OS I run on that machine.

Cloud storage FTW. If it has version control, you can generally be assured that these cryptoviruses won't screw you (for now).

edit: Also - my work laptop is a Windows Machine also, but I have no idea what AV we run. Something that was decided for me that I can't disable or control, so whatever.
 
So, for the security gurus, my approach to security relies on deleting emails and never going for unknown, and typically obviously fraudulent, clickbait. Between that, AVG Free, and Malwarebytes stuff that has alerted, protected, and cleaned on half a dozen occasions, if that, over the years, that's all I do, and I seem to be free of attack and malware when I run scans. Am I deluding myself in thinking that this method of security is pretty damned secure?

You're doing more than most. Caution and decent AV software help, but it's still the luck of the draw to some extent.

One additional thing I do is only download email headers, select the ones that are actually important enough to download, and delete the rest on the server. I use an old version of Mail Washer that's not supposed to work on 8.1, but it works fine in compatibility mode. Most email clients also have an option to only download the headers.

I really do it more for convenience than anything else, but I've also avoided downloading quite a few obviously malicious messages that way.

Rich

EDIT: Disabling automatic image download in HTML emails is also a good idea, as is disabling Flash in your browser (or selecting the "Ask Each Time" option). Flash is pretty much a viral wasteland these days.
 
I hit a bad link about a year or so back and got the same thing. Followed one of the online cryptolocker threads and was able to undo it, no cost other than about 2 hours of frustration working backwards.

If they haven't advanced a lot (iffy, I know), try one of the fix procedures you can find online. I did it myself and it was not really hard. Backups and some kind of anti-virus/anti-malware, and keep 'em updated; that is how mine got infected: I had missed an update and it included the ransomware/cryptolocker definitions.

Good luck.

'Gimp
 
I've also heard great things about the current versions of BitDefender and WebRoot, but haven't tried either one.

I've been using BitDefender for past 10 days, currently the free trial. I saw it was getting top reviews from various sources. So far so good.
 
This is the single most troublesome virus/malware out there and it is happening every day. Three options:
1- Pay the Ransom - you may or may not be able to, but from a $$$ perspective, it might be the most cost effective way to get your stuff back.
2- Pretend you had a hard drive failure and recover from backups.
3- You may be able to use one of the publicly available "Crypto-decrypt" services. They provide decryption keys to SOME (few) of the infections. Google "decrypt crypto".

The Crypto-this-or-that Ransomware is a very well known commodity, and isn't hard to remove or recognize. In fact, they plaster your screen and every directory with text and html messages broadcasting the fact that you are infected and screwed. They aren't trying to hide.

Getting your data back is much harder, possibly impossible. The infection not only affects the computer that is infected, but it also encrypts all data (docs, spreadsheets, pics, music, pdfs, etc) on every mapped drive and network share. Depending on how you backup, it can potentially wipe out all of your backups too! We've even had lawyers discover their dictation machines were affected.

I hate it when someone gets infected, and hate it when people start talking about what antivirus they are using and what one is best. Just talking about it assumes you are somehow being protected. PEOPLE... ANTIVIRUS PROGRAMS DO NOT PROTECT YOU... from most of the things that are going around. We regularly see infections (including Crypto infections) on computers that have ESET, Microsoft Security, Webroot, Norton, McAfee, Trend... you name it. Antivirus programs mostly protect you from attack methods that haven't been used for years. Today, it's all about social engineering, and you infecting yourself. Very, very few infections happen automatically.
There are a few programs that specifically protect against Crypto-infections. CryptoPrevent is one, although they have a hard time keeping up with all the variations coming out.
Your best protection lives between your ears. And, just like flying, there is a component of Darwin's theory of natural selection for computing, too. Yesterday, a client somehow got their email hacked, and it resulted in infected emails being sent to their entire contact list (hundreds). Even though it was one of those "hey, check this out" type things, hundreds of people clicked on it. EVEN THOUGH IT HAD A LINK POINTING TO SOME WEIRD RUSSIAN WEBSITE.

'Just another form of CFIT.
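As a defender-side illustration of the two indicators this post describes (notes plastered into every directory, data files encrypted across a mapped share), here is an added example script; it is not from the thread or from any product named in it, and the note file names, the ".encrypted" suffix and the file listings are constructed placeholders, not real indicators.

```python
"""Heuristic check of a file listing for the ransomware indicators
described above: ransom notes dropped into most directories, and
document-type files renamed with a foreign extension. Note names,
the '.encrypted' suffix and the listings are constructed, not IoCs."""
from pathlib import PurePosixPath

# Document/media types the post says get encrypted.
DATA_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf",
                   ".jpg", ".png", ".mp3"}
# Constructed note file names (real families use their own).
NOTE_NAMES = {"HOW_TO_DECRYPT.txt", "HOW_TO_DECRYPT.html"}

def analyse(paths, note_threshold=0.5, renamed_threshold=0.3):
    """Return counts plus a 'suspicious' verdict for an iterable of paths."""
    dirs, dirs_with_note = set(), set()
    data_files = renamed = 0
    for p in map(PurePosixPath, paths):
        dirs.add(p.parent)
        if p.name in NOTE_NAMES:
            dirs_with_note.add(p.parent)
            continue
        sfx = [s.lower() for s in p.suffixes]
        # "budget.xlsx.encrypted": a data extension followed by a foreign one
        if len(sfx) >= 2 and sfx[-2] in DATA_EXTENSIONS and sfx[-1] not in DATA_EXTENSIONS:
            data_files += 1
            renamed += 1
        elif sfx and sfx[-1] in DATA_EXTENSIONS:
            data_files += 1
    note_ratio = len(dirs_with_note) / len(dirs) if dirs else 0.0
    renamed_ratio = renamed / data_files if data_files else 0.0
    return {
        "dirs": len(dirs), "dirs_with_note": len(dirs_with_note),
        "data_files": data_files, "renamed_data_files": renamed,
        "suspicious": note_ratio >= note_threshold or renamed_ratio >= renamed_threshold,
    }

# Constructed listings of one mapped share, before and after infection.
CLEAN = ["share/finance/budget.xlsx", "share/finance/q1.pdf",
         "share/photos/trip.jpg", "share/photos/notes.txt",
         "share/music/song.mp3"]
INFECTED = ["share/finance/budget.xlsx.encrypted", "share/finance/q1.pdf.encrypted",
            "share/finance/HOW_TO_DECRYPT.txt", "share/finance/HOW_TO_DECRYPT.html",
            "share/photos/trip.jpg.encrypted", "share/photos/HOW_TO_DECRYPT.txt",
            "share/music/song.mp3.encrypted", "share/music/HOW_TO_DECRYPT.html",
            "share/readme.txt"]

if __name__ == "__main__":
    for name, listing in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, analyse(listing))
```

Run it against a recursive listing of a share (e.g. the output of `find`) to get a quick verdict; the thresholds are starting points, not tuned values.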
 
How effective is this?

It's rudimentary at best, and was a fix suggested when the Crypto-thing was just getting started. You are better off using something like CryptoPrevent, because it implements this and many other protections. Plus, changing these settings can screw with the normal operations of some programs. With CryptoPrevent, at least you can click one button to undo the protection long enough to, say, install a program that needs access to those folders.
http://www.surfright.nl/en/cryptoguard
https://www.fooli****.com/cryptoprevent-malware-prevention/
 
I have a question that I did not see answered anywhere in this thread: is this virus encrypting/locking only files or the whole partition (MBR or whatever)?
An MBR can be very easily recovered. Files hopefully have backups. Though how would the virus decide which files to encrypt for ransom? It would have to be a very smart virus.
 
It's rudimentary at best, and was a fix suggested when the Crypto-thing was just getting started. You are better off using something like CryptoPrevent, because it implements this and many other protections. Plus, changing these settings can screw with the normal operations of some programs. With CryptoPrevent, at least you can click one button to undo the protection long enough to, say, install a program that needs access to those folders.
http://www.surfright.nl/en/cryptoguard
https://www.fooli****.com/cryptoprevent-malware-prevention/

Your second link got sabotaged by the bad words filter.
 
My partner's husband clicked on the wrong thing, had this happen; his boot sector was hosed, but a qualified computer dude recovered the contents, themselves, no problem. This was a week or so ago...

A boot sector virus is NOT the same thing.
 
I have a question that I did not see answered anywhere in this thread: is this virus encrypting/locking only files or the whole partition (MBR or whatever)?
An MBR can be very easily recovered. Files hopefully have backups. Though how would the virus decide which files to encrypt for ransom? It would have to be a very smart virus.

It encrypts certain types of files on your hard drive, external drive, and any network share you have access to.

More often than not people don't have backups, or their backups were on an external hard drive which was connected, or a network share.

They've made a lot of money with their scheme.
 
I just had a great idea to make some quick money!!

Do this, but focus on porn history in browsers. Offer to wipe it for money, otherwise it goes to all of your email contacts with full details on when it happened and how long you were looking at it.

Boom - bitcoin blackmail.
 
Can you pay them with a cashiers check and ask for them to send you back the overage?

Also, how are people paying these ransoms?
 