skipdogg
Nov 29, 2004
Resident SRT-4 Expert

I've been reading everything I can about this genius piece of ransomware since I heard about it in the other thread.

If you don't pay the ransom, or have COLD backups, you are hosed. You're not getting your files back. I've read this software goes out and will encrypt anything it can get its hands on including anything that is presented as a drive to the computer. Network Shares/Mapped Drives, Dropbox, Carbonite, whatever. A Versioning backup system, or cold disconnected backups are the only way back from this thing.

abominable fricke posted:

So I am wondering if I set the clock on the computer to a time shortly after the machine was brought in, can the ransom be paid and the machine restored to back up the data and then flatten it?

I don't think so. The ransomware reaches out to a Command and Control server where the private key is, and once the timer runs out, some folks online are postulating the private key is deleted from the C&C system forever. Although I did read a post where a guy removed the software (which is easy to do) and then purposely reinfected himself and the software realized the files were already encrypted and let him pay the ransom to decrypt.

Really though, this thing is genius. There's no way around it for most folks other than to pay the ransom, they're not asking for much (100 to 300 dollars) which is a pittance compared to losing all your data/pictures/files, and they actually decrypt your files and stick to their word when they're done encouraging folks in the future to just pay the ransom. It's 21st century data kidnapping and with how well this is working I expect to see a lot of organized crime cyber groups get in on this deal.

I'm pretty careful online, but I'm making offline copies of all my important stuff just in case.
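The point of the post above (a sync-style "backup" that is presented as a drive gets encrypted right along with the originals, while a versioned or disconnected copy survives) is easy to see in code. The following is an added example, not code from the thread or from CryptoLocker itself: `fake_encrypt` is a stand-in that merely overwrites every file the current user can write to (XOR with a fixed key is not a cipher; it only models "contents gone"), the sample documents are constructed, and the mirror/snapshot layouts are this example's own, not any product's format.

```python
"""Mirror-style vs. versioned backup against a simulated file-wrecking trojan."""
import hashlib
import os
import shutil
import tempfile

# Constructed sample data standing in for a user's documents.
ORIGINALS = {
    "payroll/2013-10.csv": b"employee,hours,rate\nalice,160,42.00\nbob,152,38.50\n",
    "photos/kids.jpg": bytes(range(256)) * 4,
}


def _files(root):
    """Yield (relative POSIX path, absolute path) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def write_tree(root, files):
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def read_tree(root):
    out = {}
    for rel, path in _files(root):
        with open(path, "rb") as f:
            out[rel] = f.read()
    return out


def mirror_sync(src, dst):
    """Dropbox/Carbonite-style mirror: dst is replaced by whatever src holds now."""
    if os.path.isdir(dst):
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def snapshot(src, store):
    """Versioning backup: each file version is kept as a content-addressed blob.
    The returned manifest (path -> sha256) is what a later restore is driven from."""
    blobs = os.path.join(store, "blobs")
    os.makedirs(blobs, exist_ok=True)
    manifest = {}
    for rel, path in _files(src):
        with open(path, "rb") as f:
            data = f.read()
        digest = hashlib.sha256(data).hexdigest()
        blob = os.path.join(blobs, digest)
        if not os.path.exists(blob):  # older versions are never overwritten
            with open(blob, "wb") as f:
                f.write(data)
        manifest[rel] = digest
    return manifest


def restore(store, manifest, dst):
    """Rebuild dst from a manifest, verifying every blob against its digest.
    Returns False if any blob was tampered with (i.e. the store was reachable)."""
    for rel, digest in manifest.items():
        with open(os.path.join(store, "blobs", digest), "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != digest:
            return False
        path = os.path.join(dst, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return True


def fake_encrypt(root, key=b"\x5a" * 16):
    """Stand-in for the trojan: needs no admin rights, just overwrites whatever the
    current user can write to. XOR is NOT a cipher; it only models 'contents gone'."""
    for _, path in _files(root):
        if not os.access(path, os.W_OK):
            continue
        with open(path, "rb") as f:
            data = f.read()
        junk = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
        with open(path, "wb") as f:
            f.write(junk)


def demo():
    base = tempfile.mkdtemp(prefix="cryptolocker-demo-")
    src, mirror, store = (os.path.join(base, d) for d in ("docs", "mirror", "store"))
    write_tree(src, ORIGINALS)
    mirror_sync(src, mirror)            # "backup" that is really a live mirror
    manifest = snapshot(src, store)     # versioned copy, taken before infection

    fake_encrypt(src)                   # user opens the attachment
    mirror_sync(src, mirror)            # the sync client faithfully replicates the damage

    restored = os.path.join(base, "restored")
    result = {
        "mirror_intact": read_tree(mirror) == ORIGINALS,
        "snapshot_restores": restore(store, manifest, restored) and read_tree(restored) == ORIGINALS,
    }
    fake_encrypt(store)                 # what if the backup store was a mapped drive?
    result["reachable_store_restores"] = restore(store, manifest, os.path.join(base, "restored2"))
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `mirror_intact` False (the mirror is now junk too), `snapshot_restores` True (older versions were never overwritten), and `reachable_store_restores` False: a versioning store only helps while the infected session cannot write to it, which is why the cold, disconnected copy is the one that counts.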

Khablam
Mar 29, 2012

skipdogg posted:

I don't think so. The ransomware reaches out to a Command and Control server where the private key is, and once the timer runs out, some folks online are postulating the private key is deleted from the C&C system forever. Although I did read a post where a guy removed the software (which is easy to do) and then purposely reinfected himself and the software realized the files were already encrypted and let him pay the ransom to decrypt.
This is unlikely; properly removing the software deletes the local key, and even if it wants to, the software can't recreate one to decrypt the data with. As reported, people trying this suggest the software just encrypts the encrypted files a second time, and decrypting those just leaves you with differently ordered random junk.

DrAlexanderTobacco
Jun 11, 2012

Help me find my true dharma
I work for a small MSP supporting around 160 companies. No instances of it so far but it sounds loving brutal.

Gweenz
Jan 27, 2011
Had a client get it (only 10ish users at the location). Came in through an attachment. It infected the local files, which are unrecoverable. It also infected users share folders, which I was able to restore from a backup. The virus itself is easy to remove. I saved a copy of the encrypted files just in case they could be decrypted at some point in the future, but I am not holding out hope.

sfwarlock
Aug 11, 2007

Gweenz posted:

Had a client get it (only 10ish users at the location). Came in through an attachment. It infected the local files, which are unrecoverable. It also infected users share folders, which I was able to restore from a backup. The virus itself is easy to remove. I saved a copy of the encrypted files just in case they could be decrypted at some point in the future, but I am not holding out hope.

If you didn't save the public key too, you're probably SOL.

Also, a client of mine got it yesterday and fired me this morning after I told them "You didn't back up like I showed you, you didn't listen to the spam notification, and you ran it on three different computers because you fell for the "IMPORTANT AUDIT NOTIFICATION!!!" subject line? You're screwed, buddy."

Of course, I put it in slightly nicer language, but what I got back was "If you are unable to repair a virus infection, then we will be seeking other IT services."

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD

sfwarlock posted:

If you didn't save the public key too, you're probably SOL.

Also, a client of mine got it yesterday and fired me this morning after I told them "You didn't back up like I showed you, you didn't listen to the spam notification, and you ran it on three different computers because you fell for the "IMPORTANT AUDIT NOTIFICATION!!!" subject line? You're screwed, buddy."

Of course, I put it in slightly nicer language, but what I got back was "If you are unable to repair a virus infection, then we will be seeking other IT services."

Congrats on no longer having a lovely client!

Orcs and Ostriches
Aug 26, 2010


The Great Twist
I'm curious how it'll turn out on their end. Will they realize how stupid their request is and come crawling back? Will they find someone new and start fresh? Or will they find some fly-by-night company full of promises and waste a ton of money on them?

Gweenz
Jan 27, 2011

Orcs and Ostriches posted:

I'm curious how it'll turn out on their end. Will they realize how stupid their request is and come crawling back? Will they find someone new and start fresh? Or will they find some fly-by-night company full of promises and waste a ton of money on them?

All of the above, and couldn't happen to a nicer guy from the sound of it.

sfwarlock posted:

If you didn't save the public key too, you're probably SOL.

*shrug*
He's the guy who opened the attachment, wasn't saving his files to his share which was backed up, and they're his own files, which he also wasn't backing up. I won't lose any sleep over it. :smuggo:

Zogo
Jul 29, 2003

What kind of attachment is this coming through?

Dice Dice Baby
Aug 30, 2004
I like "faggots"

sfwarlock posted:

you fell for the "IMPORTANT AUDIT NOTIFICATION!!!" subject line?

It's 20goddam13, why are people still falling for this poo poo?

tjl
Aug 6, 2005

Zogo posted:

What kind of attachment is this coming through?
.zip seems to be the most common from what I've been reading. I have not seen one in the wild yet (and hope I never do, tbh)

Standard phishing email, attached .zip file with trojan dropper/exe. I just outright banned small .zip files on my server for the meantime. I might even leave the rule if no one complains.

Dexo
Aug 15, 2009

A city that was to live by night after the wilderness had passed. A city that was to forge out of steel and blood-red neon its own peculiar wilderness.
Does that virus work without local admin?

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD

Dexo posted:

Does that virus work without local admin?

Yes. It just uses the user's privileges to encrypt what it has access to.

sfwarlock
Aug 11, 2007

Orcs and Ostriches posted:

Or will they find some fly-by-night company full of promises and waste a ton of money on them?

The small business IT consulting world is full of those, so by probability alone I'm expecting this.

Khablam
Mar 29, 2012

tjl posted:

.zip seems to be the most common from what I've been reading. I have not seen one in the wild yet (and hope I never do, tbh)

Standard phishing email, attached .zip file with trojan dropper/exe. I just outright banned small .zip files on my server for the meantime. I might even leave the rule if no one complains.
Block ZIP files; they're more common than .exe files since rules don't block them, and people just open them and try to open whatever is inside.

Dropbox/box.com/proper FTP should replace making email attachments commonplace, if at all possible.
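Both tjl's "ban small .zip files" rule and Khablam's "block ZIP files" advice above describe a mail-gateway policy. The following is an added example (not code from either poster, and not any real gateway's filter) of what a slightly smarter version of that check looks like: open the archive, look at what is inside, and refuse executables, double extensions such as `something.pdf.exe`, MZ headers under innocent names, nested zips, and anything it cannot inspect. The executable extension list, the 512 KiB "small zip" threshold and the sample attachments are this example's own assumptions.

```python
"""Mail-gateway style check for the CryptoLocker delivery pattern:
a small .zip carrying an executable, often named to look like a document."""
import io
import zipfile

# Assumption: extensions a Windows desktop will happily execute on double-click.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".wsf", ".jar"}
SMALL_ZIP_LIMIT = 512 * 1024  # assumption: droppers are tiny; tune to your own mail flow


def member_findings(name, head):
    """Reasons one archive member looks like a dropper; empty list means nothing seen."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) > 1 and "." + parts[-1] in EXEC_EXTENSIONS:
        reasons.append("executable extension ." + parts[-1])
        if len(parts) > 2:  # invoice.pdf.exe: Explorer hides the real extension
            reasons.append("double extension ." + ".".join(parts[-2:]))
    if head.startswith(b"MZ"):  # PE image, whatever it is called
        reasons.append("PE header (MZ) regardless of name")
    return reasons


def inspect_zip_attachment(data, block_all_small=False, depth=0):
    """Return (verdict, findings) for a zip attachment; verdict is 'block' or 'allow'."""
    findings = []
    if block_all_small and len(data) <= SMALL_ZIP_LIMIT:
        findings.append(f"blanket rule: small zip ({len(data)} bytes)")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block", ["not a valid zip; refuse what cannot be inspected"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # password-protected member
                findings.append(f"{info.filename}: encrypted member, cannot inspect")
                continue
            with zf.open(info) as member:
                head = member.read(2)
            findings.extend(f"{info.filename}: {r}" for r in member_findings(info.filename, head))
            if info.filename.lower().endswith(".zip") and depth < 2:  # zip-in-a-zip
                with zf.open(info) as member:
                    inner = member.read()
                _, inner_findings = inspect_zip_attachment(inner, depth=depth + 1)
                findings.extend(f"{info.filename} -> {r}" for r in inner_findings)
    return ("block" if findings else "allow"), findings


def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples. FAKE_PE is only an MZ stub, not a real executable.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
SAMPLES = {
    "audit_notification.zip": build_zip({"IMPORTANT_AUDIT_NOTIFICATION.pdf.exe": FAKE_PE}),
    "renamed_binary.zip": build_zip({"report.pdf": FAKE_PE}),
    "nested.zip": build_zip({"inner.zip": build_zip({"setup.scr": FAKE_PE})}),
    "quarterly.zip": build_zip({"q3.csv": b"region,total\nnorth,1200\n"}),
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, findings = inspect_zip_attachment(data)
        print(f"{name}: {verdict}")
        for finding in findings:
            print("   ", finding)
```

The first three samples are blocked on content alone (the "audit notification" trips all three member checks at once); `quarterly.zip` passes unless you enable `block_all_small`, which reproduces tjl's blunt rule at the cost of blocking every harmless small archive too.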

Farmer Crack-Ass
Jan 2, 2001

this is me posting irl
Would it be feasible to use a credit card to pay off the ransom, and then call the bank to demand a chargeback?

Gothmog1065
May 14, 2009

Farmer Crack-Ass posted:

Would it be feasible to use a credit card to pay off the ransom, and then call the bank to demand a chargeback?

You would give your CC info to someone who put a virus on your computer and demanded money?

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!

Farmer Crack-Ass posted:

Would it be feasible to use a credit card to pay off the ransom, and then call the bank to demand a chargeback?

Ransom is kind of illegal, and no legitimate card network is going to give them money. If you mean chargeback PayPal or whoever, they probably aren't going to appreciate you doing that, seeing as how it's illegal to do that as well.

Khablam
Mar 29, 2012

Farmer Crack-Ass posted:

Would it be feasible to use a credit card to pay off the ransom, and then call the bank to demand a chargeback?
You might want to consult with the CC company first, because they are likely to say you knew full well what you were paying for when you paid for it.
This kind of situation isn't really covered by chargebacks, but a company might work with you to help secure your data.

hackedaccount
Sep 28, 2009
http://www.pcpro.co.uk/news/security/384394/microsoft-security-essentials-is-designed-to-be-bottom-of-the-antivirus-rankings

What should we use now?

Orcs and Ostriches
Aug 26, 2010


The Great Twist

quote:

Now, Microsoft has said it sees Security Essentials as merely the first layer of protection, advising customers to use additional, third-party antivirus - although the company stressed that wasn't because the product wasn't good enough to stand on its own.

Keep using MSE?

pixaal
Jan 8, 2004

All ice cream is now for all beings, no matter how many legs.



Pretty much what I got from that was MS didn't try too hard with MSE its just the best because no one else tries too hard. If something is better use it because Microsoft doesn't care about being the best AV.

Dice Dice Baby
Aug 30, 2004
I like "faggots"
AV software is only half of the effort of staying virus-free.

Your first line of defense should be avoiding risk-prone behavior (link possibly NWS).

Khablam
Mar 29, 2012


MSE is (and always has been) most appropriate as "install for mom to use" than necessarily being the best at its job. In terms of detection rates, configurability and performance, all options perform better nearly all the time, including free products.
A lot of those will confuse the user, however, especially when false positives crop up. If you know that homecompiledexethatdoesweirdthingstoDLLfiles.exe is legit then you're not going to be fazed when A/Vs throw it up as an issue, whereas your mom doesn't need a screen full of scary alerts every time something tries to install the ask toolbar.
On the other hand, pretty much every rootkit drives right through MSE, and given the prevalence of drive-by sites, I'd rather get a call asking what an "ask bar" is than know she's a Google-search for "clipart" away from malware MSE won't block. YMMV.

Dice Dice Baby posted:

AV software is only half of the effort of staying virus-free.

Your first line of defense should be avoiding risk-prone behavior (link possibly NWS).
A few months ago I found ~5 infected sites on the front page of Google whilst searching for a wholesale supplier of party balloons. 2 were setups, but 3 were legit sites that had been compromised and exploits stuck on them.
The notion of "well I don't torrent / look at porn so I am safe" is sadly a fallacy.

Sulla Faex
May 14, 2010

No man ever did me so much good, or enemy so much harm, but I repaid him with ENDLESS SHITPOSTING
I just had a quick look at some AV comparisons and prices and as a not-rich person, for the amount you pay vs how much protection they offer, depending on income you could be better off just using MSE and spending $50 worth of time backing your stuff up properly.

Khablam
Mar 29, 2012

Sulla-Marius 88 posted:

I just had a quick look at some AV comparisons and prices and as a not-rich person, for the amount you pay vs how much protection they offer, depending on income you could be better off just using MSE and spending $50 worth of time backing your stuff up properly.
I don't know what you're reading, but one of the free A/Vs sits in the top category for effectiveness on nearly every test, and the other two popular free A/Vs score very handsomely, on-par with a lot of solutions you would pay for.
All of them are markedly better than MSE, which has now very much slipped to a baseline (as in, the bottom) position. Also, whereas MSE will detect many threats sitting in your filesystem or blocks viruses running from your inbox just fine, it's often far too late by that point so any A/V that can block threats before they're downloaded offers many, many times more 'real world' protection. MSE literally has no method of stopping a threat that comes in via browser/java exploit, which is ever more the majority of threats.

Other than edge cases where you would see some compatibility issues, I struggle to see why you would not replace one free solution with another free solution that is better.

Detection rate != protection rate and most A/V reviews are now fully aware of this and try to reflect that.

If you want to play around, go grab the EICAR test files and see in what scenarios you can get it to open. In the better A/V programs you need to disable several parts to even start the HTTP download, let alone file creation and execution. The poorer ones throw their first red flag when you try to run it.
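Khablam's suggestion above (stage the EICAR test file in different ways and see where your A/V stops it) can be scripted so the same scenarios are run on every machine. The following is an added example, not code from the thread or from any A/V vendor: it writes the EICAR string as a plain file, inside a zip, and inside a zip-in-a-zip, waits a few seconds, and reports which copies the resident scanner removed or blocked. The three delivery forms and the settle time are this example's assumptions; the HTTP-download and execution scenarios Khablam also mentions are not covered here.

```python
"""Probe an on-access scanner with the EICAR test file in several delivery forms."""
import io
import os
import tempfile
import time
import zipfile


def eicar_string():
    """The 68-character EICAR test string, assembled from pieces so that this
    source file is not itself a byte-for-byte copy of the signature."""
    parts = ["X5O!P%@AP[4", "\\PZX54(P^)7CC)7}$", "EICAR-STANDARD-ANTIVIRUS-TEST-FILE", "!$H+H*"]
    return "".join(parts)


def zipped(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def delivery_forms():
    """Assumed scenarios: plain file, single zip, zip-in-a-zip (as in the phishing mails)."""
    raw = eicar_string().encode("ascii")
    return {
        "eicar.com": raw,
        "eicar.zip": zipped("eicar.com", raw),
        "eicar_nested.zip": zipped("inner.zip", zipped("eicar.com", raw)),
    }


def run_scanner_probe(directory=None, settle_seconds=3):
    """Drop each form to disk, wait, and report per form whether the resident scanner
    blocked the write, removed the file afterwards, or left it untouched."""
    directory = directory or tempfile.mkdtemp(prefix="eicar-probe-")
    outcome = {}
    forms = delivery_forms()
    for name, data in forms.items():
        path = os.path.join(directory, name)
        try:
            with open(path, "wb") as f:
                f.write(data)
        except OSError as exc:  # some scanners refuse the write itself
            outcome[name] = f"blocked on write ({exc.strerror})"
    time.sleep(settle_seconds)  # give on-access scanning a moment to react
    for name in forms:
        if name in outcome:
            continue
        path = os.path.join(directory, name)
        if not os.path.exists(path) or os.path.getsize(path) == 0:
            outcome[name] = "removed by scanner"
        else:
            outcome[name] = "untouched"
    return outcome


if __name__ == "__main__":
    for name, result in run_scanner_probe().items():
        print(f"{name}: {result}")
```

A scanner that only reports "untouched" for the archive forms is one that will also wave through the zipped dropper in a phishing mail until somebody extracts and runs it; a scanner that blocks the write of `eicar.com` outright is doing the on-access job. Run it from an ordinary user account, since that is the account the attachment will be opened under.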

Sulla Faex
May 14, 2010

No man ever did me so much good, or enemy so much harm, but I repaid him with ENDLESS SHITPOSTING

Ah. I guess this is what happens when you don't have proper internet at home or at the office. I went to a couple sites and the only graphs that loaded showed Trend Micro etc up top and the rest of them I remembered as being either paid or bloatware. What is the best free AV out there, then? I have noscript and other things installed on my browser, and I don't run java, so I don't need the best of the best, but if I can upgrade from MSE easily then I'll do it.

Khablam
Mar 29, 2012

Sulla-Marius 88 posted:

Ah. I guess this is what happens when you don't have proper internet at home or at the office. I went to a couple sites and the only graphs that loaded showed Trend Micro etc up top and the rest of them I remembered as being either paid or bloatware. What is the best free AV out there, then? I have noscript and other things installed on my browser, and I don't run java, so I don't need the best of the best, but if I can upgrade from MSE easily then I'll do it.

It's usually between Avast and AVG, with both having their own fanbase.

- For raw detection rates, Avast/AVG swap for 1st position pretty often, Avast wins most frequently, but you'd honestly see it as a tie. Bitdefender free is worth mentioning here as it does very well at this, but is otherwise incredibly stripped-down and not as functional.

- For system impact, Avast is lighter on your system. In particular, AVG has awful performance for copying files.

- Avast has fewer false positives.

- If your target is to scan a very infected machine, AVG has slightly better removal capabilities.

- Avast will scan network traffic / web traffic before it hits the file system / browser process, meaning it is much harder for malware to take advantage of unpatched vulnerabilities. In fact, other than ESET/Bitdefender/Kaspersky, none of the paid solutions do this as well. Information on how each A/V works is a guarded secret, and despite AVG having a webshield it doesn't seem to offer the same level of protection.
If you want to test a general drive-by download there's a test site for it:
http://www.amtso.org/feature-settings-check-drive-by-download.html If you don't get warnings, it's not being blocked.

Misc:
AVG only lets you update daily for free, meaning Avast will a) respond quicker to threats and b) remove any problem definitions more quickly.

AVG loses points by (near daily) yapping at you to buy the paid version.

Avast is very intuitive and easy to use.

For a lot of uses they're pretty similar, and as an upgrade to MSE you can't go wrong in most areas, but if you pick it apart a little Avast is more comprehensive, especially so with 'prevention is better than the cure' in mind - I would rather flatten a very infected system than rely on anything to fully clean it, so my personal way of seeing it is to only view A/V based on prevention.

If you want to nerd out a bit and read some indepth reviews - http://www.av-comparatives.org

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

It's not primarily intended as A/V but I do find the Web of Trust plugin helpful sometimes as well. It's more about domain-linked problems and browser behaviour, but it still often gives you an idea of shadiness if the content/site is out of your normal wheelhouse.

Oddhair
Mar 21, 2004

I set up the naïve with Adblock Plus, and sometimes I'll mention NoScript to them, but it's just too much hassle to use NoScript for the majority of people.

z06ck
Dec 22, 2010

I run my browser sandboxed and never use anti virus/malware crap.

Sulla Faex
May 14, 2010

No man ever did me so much good, or enemy so much harm, but I repaid him with ENDLESS SHITPOSTING

z06ck posted:

I run my browser sandboxed and never use anti virus/malware crap.

What sandboxer do you use? I tried sandboxie for about an hour just then and it ran like poo poo and eventually crashed my browser so I uninstalled it.

I've switched to Avast but I think the sandboxing capabilities have been moved to the premium version because I can't find them in the free.

Khablam
Mar 29, 2012

z06ck posted:

I run my browser sandboxed and never use anti virus/malware crap.

Blocking just one (albeit one of the largest) avenue of attack, then huffing and proclaiming you're done, is apt to end rather poorly. What's the 'harm' of resident A/V that's more intrusive than

- Never letting anyone near your machine with a USB key. For that matter, best just not use removable media.
- Never using a network you're not the sole machine on.
- Running every program you might want to actually use in a sandbox and analysing the traces for any undesirable effects.
- er ... like needing to be paranoid about everything, ever.

Sure this is possible, but you either need to a) be super paranoid or b) be blasé and run the (quite real) risk of being infected and not knowing about it, like my ex-roommate who has "never had a virus" but it eventually turned out his computer was part of not one, but three botnets.

Ouroborus
Mar 31, 2010

I really only come here for the Paradise Lost: Clash of the Heavens CYOA these days.
SA was one of the first websites I ever frequented, waaaaay back in the day. I only got off my ass and got an account about 8 years ago. I bought the platinum upgrade recently.
Holy gently caress Cryptolocker! I had one system at work infected with that. Luckily it was a random receptionist with no shared folders so it only broke her files. She had been shutting the system down at night so the last backup I have is from 2012. Meh. However the fact that these things are getting so nasty and spreading faster and faster convinced my boss that adding common archive extensions to our attachment block list was the lesser of two evils. I told him "Look, Cryptolocker will encrypt every file the user has access to, even network shares. If the wrong computer got infected we could be in a world of hurt restoring everything from backup. Hell, I'll explain to people what is going on."

Looking at the capabilities of the virus it seems like a bit of a step up in terms of nastiness and resistance to being taken down. I wonder what the middle future holds. The near future will likely be more and more cryptolocker style BS, but I wonder what comes after that.

Laserface
Dec 24, 2004

Yay, a day after reading about this Cryptolocker thing, a client gets it.

Payroll machine with the user in charge of manual backups (take a guess at how often this occurs), and machine has write access to a whole bunch of network shares :downs:

Proud Christian Mom
Dec 20, 2006
READING COMPREHENSION IS HARD
Cryptolocker is the bat I used to beat ~$100k worth of long overdue upgrades out of a client

Ceros_X
Aug 6, 2006

U.S. Marine

Laserface posted:

Yay, a day after reading about this Cryptolocker thing, a client gets it.

Payroll machine with the user in charge of manual backups (take a guess at how often this occurs), and machine has write access to a whole bunch of network shares :downs:

So you told him to pay up?

Laserface
Dec 24, 2004

Restored all the data from shadow copies thank Christ.

Looks like it attempted to encrypt some files while they were open and royally hosed those up, but we got it all back.

I wonder though, if it encrypts the data and it's then committed to shadow, are you super boned?

chia
Dec 23, 2005

Ouroborus posted:

Holy gently caress Cryptolocker! I had one system at work infected with that. Luckily it was a random receptionist with no shared folders so it only broke her files. She had been shutting the system down at night so the last backup I have is from 2012. Meh. However the fact that these things are getting so nasty and spreading faster and faster convinced my boss that adding common archive extensions to our attachment block list was the lesser of two evils. I told him "Look, Cryptolocker will encrypt every file the user has access to, even network shares. If the wrong computer got infected we could be in a world of hurt restoring everything from backup. Hell, I'll explain to people what is going on."

Looking at the capabilities of the virus it seems like a bit of a step up in terms of nastiness and resistance to being taken down. I wonder what the middle future holds. The near future will likely be more and more cryptolocker style BS, but I wonder what comes after that.

So how did she get it? Was it the fake fax/Xerox-attachment?


Khablam
Mar 29, 2012

Cryptolocker has taught me the sheer amount of corporate mail servers that can't/don't scan attachments is simply amazing. You're literally safer using free webmail than a managed solution you'd pay 5-figures a year for.
