Ramblings of an old Doc


This is a bad one. Really bad.

Once on your computer, it will encrypt all your files and supposedly send you a key to release them only after paying $380 US in Bitcoins or $300 in cash (there are other payment arrangements as well).

The encryption is super strong – 2048 bit RSA, the key supposedly stored on a remote server accessible only after payment. If you don’t pay within 72 hrs, the key evaporates and you’re cooked…no access to your files forever.

How does it get on your system? Phishing/spear phishing, mainly…clicking on a link in an email.

If you weren’t expecting (or even if you were) such an email, call the person who supposedly sent it and ask if he or she did, in fact, send it. If not, delete it and suggest that person get IT help immediately.

Make backups online or on an external drive NOW, before you get infected (or some other mishap occurs). Having frequent backups NEVER hurt anyone.

There is also a free tool that changes the group policies on any Windows computer. Other tools exist, but they only do that on the Premium Windows editions.

Here’s the link: http://www.foolishit.com/vb6-projects/cryptoprevent/

It’s at the bottom of the page, and the page also has excellent explanations of the tool, how it works, and how to test it after installation. Before testing, bookmark the page (or use the link here) and then reboot.

Hope this helps, and hope none of you get hit.

the_Monk: Please feel free to add explanations of group policies or whatever you see fit…and thanks ahead of time.


Comments
on Oct 30, 2013

I hope they find the creators and "Spear" (ph)fish them, on the end of big hook being dragged over a bed of hot coals!

on Oct 30, 2013

Good idea but let them be dragged by the short hairs, it'll hurt more.

on Oct 30, 2013

Then drag them through a large river full of piranha in a feeding frenzy.

harpo

on Oct 31, 2013

Backup the data that is precious to you ... you're more likely to get a HDD crash than such a fishing attack I would think and that also destroys everything you've got.

on Oct 31, 2013

Only if the drive sheds its rust. Usually it is somewhat possible to get data from a drive even if it smokes (yes, I did have this happen to a customer, and yes, we (myself AND the data recovery company) DID get ALL the drive contents BACK onto a NEW drive and built a new comp, as the rest of the comp had also smoked (as in let the SMOKE out of the parts due to a power supply failing to overvoltage (rare, but possible; the usual power supply failure is undervolts/amps not letting the comp start))); it just will take data recovery specialists for the nastier fails. And if it is getting to the point where it is locking up the computer while the drive re-tries the data, it is DEFINITELY time to replace the drive and transfer the contents from the dying drive to a new one.

Personally I use the free CrystalDiskInfo to check the drive state at least weekly, so that I get plenty of warning of drives starting to lose reliability.

harpo


on Oct 31, 2013

What... CrystalDiskInfo? Sounds useful. Is it reliable (I mean, no viruses, requests to install browser add-ons and such)?


on Oct 31, 2013

The exe installer does offer to install a single browser addon, but only if you are installing while online; if you install while offline it does NOT offer any extra shit. There is even a zip file version that you can just extract all the files from and run the discinfo.exe to get the current state of all the HDDs/SSDs in the computer without installing.

here is the source website that I get the latest from (http://crystalmark.info/software/CrystalDiskInfo/index-e.html).

harpo

on Nov 01, 2013

Now here is something actually worthy of the uber NSA's (and associates) attention. Put down the crypto servers.

on Nov 01, 2013

The shared drives at my work got hit by this due to an employee clicking the link in an email. The email was even designed to say something relevant to the person's job function in order to prompt the click. NASTY.

on Nov 02, 2013

GeomanNL
as in let the SMOKE out

Rule #1: don't let the magic smoke out.

on Nov 02, 2013

that IS what I explained in my reply,

harpo99999
(as in let the SMOKE out of the parts due to a power supply failing to overvoltage(rare, but possible, the usual power supply failure is undervolts/amps not letting the comp start)

harpo

on Nov 02, 2013

My very first 'puter was a home build out of spare parts destined for the dumpster. It was a hodge-podge of sorts. The CPU was an AMD clocked at 500 MHz... I made a timing circuit and, with my instructor giving me the pin layout for the CPU, was able to boost it up to 550 MHz. Ran it for a couple of hours and POOF! I let the smoke out. LMAO! It was unreal. A pin hole in the center of the CPU and this very thin wisp of smoke came rising up.

on Nov 06, 2013

More news, information and what have you about CryptoLocker today.


http://www.today.com/money/nasty-new-malware-locks-your-files-forever-unless-you-pay-8C11511655?gt1=43001

on Nov 07, 2013

It MIGHT be possible to retrieve most files unless they have been physically overwritten.

https://en.wikipedia.org/wiki/Data_recovery


"In a third scenario, files have been "deleted" from a storage medium. Typically, the contents of deleted files are not removed immediately from the drive; instead, references to them in the directory structure are removed, and the space they occupy is made available for later overwriting. In the meantime, the original file contents remain, often in a number of disconnected fragments, and may be recoverable."


I would GUESS that the malware does the following in this order:


  1. Read original file
  2. Copy file content to RAM (piece by piece)
  3. Encrypt in RAM
  4. Delete original file from the file system
  5. Write back encrypted file from RAM


So in THEORY, the majority of your files is still unencrypted on your disk - but deleted (meaning, removed from the index and not physically overwritten). With special software or professional help (which you should seek if the data was important) you may recover the majority of the files. However, in such a case it is imperative to shut down the system ASAP, because Windows and most other OSes are permanently writing stuff to the disk.


And that most likely is not going to work forever... sooner or later those criminals will make sure that the files are really overwritten.


*backups data*
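The recovery theory in the comment above (delete = drop the index entry, contents stay until the freed space is reused) can be shown with a toy block device. This is an added illustration, not code from the post or any commenter; ToyDisk, recover_after_delete and the sample file content are all constructed here, and a real file system only differs in scale.

```python
"""Toy block device: why a deleted file is often still carvable from the
raw blocks, and why every further write (the OS "permanently writing stuff")
eats into that chance. Constructed illustration; not the thread's own code."""

BLOCK = 16  # bytes per block (toy value; real file systems use 4 KiB clusters)

class ToyDisk:
    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.free = list(range(nblocks))   # simplified allocation list
        self.index = {}                    # directory: name -> block numbers

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        used = []
        for chunk in chunks:
            b = self.free.pop(0)           # reuse freed blocks first, like a real FS
            self.blocks[b] = chunk.ljust(BLOCK, b"\0")
            used.append(b)
        self.index[name] = used

    def delete(self, name):
        # Typical FS behaviour: forget the directory entry and mark the
        # blocks free, but do NOT wipe their contents.
        self.free.extend(self.index.pop(name))

    def carve(self, magic):
        """Forensic carving: ignore the index, scan raw blocks for a signature."""
        raw = b"".join(self.blocks)
        start = raw.find(magic)
        if start < 0:
            return None
        end = raw.find(b"\0", start)
        return raw[start:end if end >= 0 else None]

def recover_after_delete(extra_writes):
    """Delete a file, let the OS keep writing, then try to carve it back.
    Returns True only if the whole original file is still recoverable."""
    disk = ToyDisk(8)
    original = b"PDF-1.4 precious family photos metadata"   # constructed sample
    disk.write("photos.pdf", original)
    disk.delete("photos.pdf")                # contents still on the platter
    for i in range(extra_writes):            # system keeps logging, swapping...
        disk.write(f"log{i}", b"X" * BLOCK)  # ...and reclaims freed blocks
    return disk.carve(b"PDF-1.4") == original
```

With no further writes the carve succeeds; once enough writes land (here the sixth), the first block is reused and the file is gone, which is the comment's reason for shutting the machine down immediately.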