10-18-2013 11:17 AM
Dan Goodin - Oct 17 2013, 1:06pm EDT Ars Technica
Malware that takes computers hostage until users pay a ransom is getting meaner, and thanks to the growing prevalence of Bitcoin and other digital payment systems, it's easier than ever for online crooks to capitalize on these "ransomware" schemes. If this wasn't already abundantly clear, consider the experience of Nic, an Ars reader who fixes PCs for a living and recently helped a client repair the damage inflicted by a particularly nasty title known as CryptoLocker.
It started when an end user in the client's accounting department received an e-mail purporting to come from Intuit. Yes, the attached archived zip file with an executable inside should have been a dead giveaway that this message was malicious and was in no way affiliated with Intuit. But accounting employees are used to receiving e-mails from financial companies. When the receiver clicked on it, he saw a white box flash briefly on his screen but didn't notice anything else out of the ordinary. He then locked his computer and attended several meetings.
Within a few hours, the company's IT department received word of a corrupt file stored on a network drive that was available to multiple employees, including the one who received the malicious e-mail. A quick investigation soon uncovered other corrupted files, most or all of which had been accessed by the accounting employee. By the time CryptoLocker had run its course, hundreds of gigabytes worth of company data was no longer available.
10-18-2013 12:37 PM - edited 10-18-2013 01:44 PM
Thanks for the post TH,
This and the well-known virus are becoming more and more common in our line of work. Being a part of the consumer team at Webroot, I hear about this and other viruses similar to it daily.
Thankfully if you do get this or any virus like this, you can call 800-612-4227 and have our great team of tech support take care of it for you.
10-20-2013 02:11 PM
And this is the main reason for my question that I've asked about the NON DETECTED but MONITORED mode.
So what happens if this file is not detected by Webroot, but it's monitored since it's untrusted? The file goes ahead and encrypts, maybe not all, but some data: the data it has access to while being monitored.
How can Webroot undo the damage once the file has been IDed?
10-21-2013 12:10 PM
I'll add a little bit more color to this. After chatting with @MMoreno from our Threat Research team, here's some additional insight:
Assuming we monitored the actual encryption process, anything that was encrypted should be reversed during the removal process. Sometimes though, we need to apply additional tools - especially with the new variants that add pretty complex logarithms to encrypt the data files. Once we've identified the malicious file and removed it, if there are still encrypted data files left over, we use additional tools to decrypt them.
Webroot also puts a lot more emphasis on proactive protection, rather than reactive protection. So the best thing to do is have Webroot installed before you're infected!
11-06-2013 01:47 PM
Thanks Triple Helix for keeping the members informed.
The story continues...look at this article "Nasty new malware locks your files forever, unless you pay ransom"
Isn't that terrible? Mean people...so the solution is to back up the files...!!!
"CryptoLocker, a new and nasty piece of malicious software is infecting computers around the world – encrypting important files and demanding a ransom to unlock them.
According to Sophos, the worldwide digital security company, it’s been hitting pretty hard for the past six weeks or so.
“It systematically hunts down every one of your personal files – documents, databases, spreadsheets, photos, videos and music collections – and encrypts them with military-grade encryption and only the crooks can open it,” said Chester Wisniewski, a senior security advisor at Sophos.
“ is evolving, as the bad guys get smarter and use newer technologies,” noted Michael Kaiser, executive director of the National Cyber Security Alliance. “They’re always looking for new ways to steal your money.”
CryptoLocker is different from other types of “ransomware” that have been around for many years now, which freeze your computer and demand payment. They can usually be removed, which restores access to your files and documents.
Not CryptoLocker – it encrypts your files. There’s only one decryption key, and the bad guys have that on their server. Unless you pay the ransom within three days, that key will be destroyed. And as the message from the extorters says: “After that, nobody and never will be able to restore files…”
The typical extortion payment is $300 USD or 300 EUR paid by Green Dot MoneyPak, or for the more tech savvy, two Bitcoins, currently worth about $400.
To instill a sense of urgency, a digital clock on the screen counts down from 72 hours to show how much time is left before that unique decryption key is destroyed.
One victim described his anguish in an online post: “The virus cleverly targeted …all of our photos, including all photos of my children growing up over the last 8 years. I have a distraught wife who blames me!”
This sophisticated malware is delivered the old-fashioned way – an executable hidden inside an attachment that looks like an ordinary ZIP file or PDF. One small business reports being compromised after clicking on an email attachment that was designed to look like a shipping invoice from the U.S. Postal Service.
Open that file and bad things start to happen, although it may take several days for the ransom demand to pop up on your screen after the machine is infected.
“The author or this (malware) is a genius. Evil genius, but genius none the less,” an IT professional commented in an online tech forum. Another wrote, “This thing is nasty and has the potential to do enormous amounts of damage worldwide.”
“It’s the same type of encryption used in the commercial sector that’s approved by the federal government,” Wisniewski told me. “If the crooks delete that encryption key, your files are gone forever – even the NSA can’t bring them back.”
Victims large and small
The cyber-crooks are targeting both businesses and individual computer users – anyone who will pay to regain access to their files.
The CryptoLocker forum on BleepingComputer.com is filled with page after page of horror stories. Here is a small sample:
“When we discovered the infection from a user’s workstation on the network, this program had encrypted over 180,000 files through the network shares in a period of 6 days. I pretty much shut down the business for 2 days after we realized what was happening.”
“Our company was infected this morning. The virus hit a machine 4 days ago and today we got the pop up about the ransom. All files on the network drive the user had access to are now encrypted.”
“We had a workstation get infected yesterday that encrypted everything on our network share drive. We had backups, although they weren’t recent enough, so despite all feelings against it, we paid the ransom and everything started to decrypt overnight.”
“It encourages them to continue this bad behavior,” said Howard Schmidt, former White House Advisor and a co-founder of Ridge-Schmidt Cyber. “As people pay the ransom, the bad guys have the money to reinvest in create research that are more virulent and hide better from detection.”
How to protect yourself
Go on the Internet and there’s no way to guarantee malware won’t make it onto your computer – even if you follow all the rules of safe computing. So you need to act defensively, and that means regular backups.
“Backup, back, up, back up,” said Schmidt. “That’s the only way to reduce the risk of losing your files forever.”
If you have a recent backup, you can recover from CryptoLocker and other malware with no serious consequences. That backup should be a snapshot of everything on the system and not a simple synchronization, as happens with most automated external hard drives and many cloud-based services.
With these synchronized backups, stored files that have changed on the master drive are overwritten with the ones. If a malicious program encrypts your master files, those backups would also be encrypted – and useless. Your backup should be disconnected from your computer until the next time you need to access it."
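The snapshot-versus-synchronisation point in the quoted article, as an added example that is not part of the article or of this thread: a constructed in-memory simulation in Python (file names and contents are made up, and the "infection" step is a deterministic stand-in, not CryptoLocker's actual cipher) showing that a mirror synced after infection holds only scrambled copies, while a versioned snapshot store still yields the pre-infection files.

```python
"""Why a synced mirror is not a backup against file-encrypting malware.

Constructed simulation: 'master' is a dict of path -> bytes. A sync backup
mirrors the current master state; a snapshot backup keeps every version
under a sequence number, so a pre-infection version survives.
"""
import hashlib

def sync_backup(master: dict, mirror: dict) -> None:
    """Synchronisation: the mirror always matches master; old copies are lost."""
    mirror.clear()
    mirror.update(master)

def snapshot_backup(master: dict, store: dict, seq: int) -> None:
    """Versioned snapshot: append (seq, digest) per file, never overwrite.
    Content is stored under its SHA-256 digest, so unchanged files cost nothing."""
    blobs = store.setdefault("blobs", {})
    history = store.setdefault("history", {})
    for path, data in master.items():
        digest = hashlib.sha256(data).hexdigest()
        blobs.setdefault(digest, data)
        history.setdefault(path, []).append((seq, digest))

def restore_before(store: dict, seq_limit: int) -> dict:
    """Rebuild every file from its latest snapshot strictly before seq_limit."""
    out = {}
    for path, versions in store["history"].items():
        older = [d for s, d in versions if s < seq_limit]
        if older:
            out[path] = store["blobs"][older[-1]]
    return out

def simulate_infection(master: dict) -> None:
    """Stand-in for the malware step: replace each file with a scrambled copy.
    A fixed XOR keeps the demo deterministic; it says nothing about the real cipher."""
    for path in master:
        master[path] = bytes(b ^ 0x5A for b in master[path])

def run_demo() -> dict:
    # Constructed sample files; the snapshot store is assumed unreachable by the malware.
    master = {"photos/kids.jpg": b"JFIF original photo", "ledger.xlsx": b"Q3 accounts"}
    mirror, store = {}, {}
    sync_backup(master, mirror); snapshot_backup(master, store, seq=1)  # clean state
    simulate_infection(master)
    sync_backup(master, mirror); snapshot_backup(master, store, seq=2)  # automated run
    return {"mirror_usable": mirror["ledger.xlsx"] == b"Q3 accounts",
            "recovered": restore_before(store, seq_limit=2)}

if __name__ == "__main__":
    print(run_demo())
```

The mirror fails because the scheduled sync after infection faithfully copied the scrambled files; the snapshot store recovers only because it kept the earlier version and the malware could not reach it.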
11-06-2013 02:15 PM
@salutealltoday Please read here from one of Webroot's Threat Researchers on an updated thread! https://community.webroot.com/t5/Security-Industry
11-06-2013 02:24 PM
This information is very important. Thanks...I will pay more attention to e-mails and attachments!
Thanks to all of you that have shared information about this ugly problem!
11-06-2013 04:50 PM
There's also an informative thread on Cryptolocker over on the business side:
11-06-2013 08:35 PM
11-07-2013 04:48 PM - edited 11-07-2013 04:50 PM
There's also an informative thread on Cryptolocker over on the business side:
I am not poo-pooing the product, I am just asking for some case study... and frankly... honestly, if Webroot could devise a case study showing an infected system protected by Webroot getting reverted back to normal, then Webroot would basically own the market!
I mean from the Marketing point of view that would be gold.
Here you have a crypto virus that holds your data hostage. Everyone knows that AVs are not 100% secure, so the other guys have to play catch-up, and if they miss a detection then the system is hosed. So it's up to the whole 3rd-party offline backup scheme to hopefully revert your system back to "past". That is assuming that a user made a backup.
Lo and behold, here comes Webroot; admittedly Webroot also failed to catch the detection, hell, no one is perfect... but wait, unlike the other AVs, Webroot can revert the files back to normal, back to a version that existed before the encryption, without the need for a backup and without the requirement to make one.
Of course, then Webroot paints a massive red target on their back from the crypto guys... but well, that's life.
The only way to release this is not as an advertisement...hell no...just release it as a case study and let the internet do the rest.
I take my thank you's as a free keycode.