You’re infected—if you want to see your data again, pay us $300 in Bitcoins

  • 18 October 2013
  • 10 replies
  • 18 views

Userlevel 7
Badge +56

Ransomware comes of age with unbreakable crypto, anonymous payments.

 
Dan Goodin - Oct 17 2013, 1:06pm EDT Ars Technica

 



 
Malware that takes computers hostage until users pay a ransom is getting meaner, and thanks to the growing prevalence of Bitcoin and other digital payment systems, it's easier than ever for online crooks to capitalize on these "ransomware" schemes. If this wasn't already abundantly clear, consider the experience of Nic, an Ars reader who fixes PCs for a living and recently helped a client repair the damage inflicted by a particularly nasty title known as CryptoLocker.
It started when an end user in the client's accounting department received an e-mail purporting to come from Intuit. Yes, the attached archived zip file with an executable inside should have been a dead giveaway that this message was malicious and was in no way affiliated with Intuit. But accounting employees are used to receiving e-mails from financial companies. When the receiver clicked on it, he saw a white box flash briefly on his screen but didn't notice anything else out of the ordinary. He then locked his computer and attended several meetings.
Within a few hours, the company's IT department received word of a corrupt file stored on a network drive that was available to multiple employees, including the one who received the malicious e-mail. A quick investigation soon uncovered other corrupted files, most or all of which had been accessed by the accounting employee. By the time CryptoLocker had run its course, hundreds of gigabytes worth of company data was no longer available.
 
Full Story
 
TH

10 replies

Userlevel 2
Thanks for the post TH,
 
This and the well known virus are becoming more and more common in our line of work. As being a part of the consumer team at Webroot I hear about this and other viruses similar to it daily.

Thankfully if you do get this or any virus like this, you can call 800-612-4227 and have our great team of tech support take care of it for you.
And this is the main reason for my question that I've asked about the NON DETECTED but MONITORED mode.
So what happens if this file is not detected by Webroot however its monitored since it's untrusted.  THe files goes ahead and encrypts maybe not all but some data, the data it has access too while being monitored.  
How can webroot undo the damage once the files has been IDed?
Userlevel 7
Badge +4
Hey tempnexus,
 
I'll add a little bit more color to this. 🙂 After chatting with @ from our Threat Research team, here's some additional insight:
 
Assuming we monitored the actual encryption process, anything that was encrypted should be reversed during the removal process. Sometimes though, we need to apply additional tools  - especially with the new variants that add pretty complex logarithms to encrypt the data files. Once we've identified the malicious file and removed it, if there are still encrypted data files left over, we use additional tools to decrypt them. 
 
Webroot also puts a lot more emphasis on proactive protection, rather than reactive protection. So the best thing to do is have Webroot installed before you're infected!
Thanks Triple Helix for keeping the members informed.
The story continues...look at this article "Nasty new malware locks your files forever, unless you pay ransom"
Isn't that terrible? :(Mean people...so the solution is to back up the files...!!!
 
"CryptoLocker, a new and nasty piece of malicious software is infecting computers around the world – encrypting important files and demanding a ransom to unlock them.
According to Sophos, the worldwide digital security company, it’s been hitting pretty hard for the past six weeks or so.
“It systematically hunts down every one of your personal files – documents, databases, spreadsheets, photos, videos and music collections – and encrypts them with military-grade encryption and only the crooks can open it,” said Chester Wisniewski, a senior security advisor at Sophos.
Even though it’s infected, your https://# keeps working normally; you just can’t access any of your personal files. It’s scary, especially if you haven’t backed-up your data.
“https://# is evolving, as the bad guys get smarter and use newer technologies,” noted Michael Kaiser, executive director of the National Cyber Security Alliance. “They’re always looking for new ways to steal your money.”
CyrptoLocker is different from other types of “ransomware” that have been around for many years now that freeze your computer and demand payment. They can usually be removed which restores access to your files and documents.
Not CryptoLocker – it encrypts your files. There’s only one decryption key and the bad guys have that on their server. Unless you pay the ransom – within three days, that key will be destroyed. And as the message from the extorters says” “After that, nobody and never will be able to restore files…”
The typical extortion payment is $300 USD or 300 EUR paid by Green Dot MoneyPak, or for the more tech savvy, two Bitcoins, currently worth about $400.
To instill a sense of urgency, a digital clock on the screen counts down from 72 hours to show much time is left before that unique decryption key is destroyed. 
http://media3.s-nbcnews.com/j/streams/2013/November/131101/8C9557242-ransome-demand.blocks_desktop_small.pngSophosThe criminals behind CryptoLocker deliver their digital ransom note on the victim's computer screen. The typical demand is for $300 or two Bitcoins. Note the yellow countdown clock at the bottom left. It gives the time remaining until the unique decryption key is destroyed and the encrypted files are inaccessible forever.One victim described his anguish in an online post: “The virus cleverly targeted …all of our https://# photos, including all photos of my children growing up over the last 8 years. I have a distraught wife who blames me!”
This sophisticated malware is delivered the old-fashioned way – an executable https://# hidden inside an attachment that looks like an ordinary ZIP file or PDF. One small business reports being compromised after clicking on an email attachment that was designed to look like a shipping invoice from the U.S. Postal Service.
Open that file and bad things start to happen, although it may take several days for the ransom demand to pop up on your screen after the machine is infected.
“The author or this (malware) is a genius. Evil genius, but genius none the less,” an IT professional commented in an online tech forum. Another wrote, “This thing is nasty and has the potential to do enormous amounts of damage worldwide.”
Good anti-virus https://# can remove the CryptoLocker malware from your computer, but it cannot undo the damage – the encryption is that good.
“It’s the same type of encryption used in the commercial sector that’s approved by the federal government,” Wisniewski told me. “If the crooks delete that encryption key, your files are gone forever – even the NSA can’t bring them back.”
Victims large and small
The cyber-crooks are targeting both businesses and individual computer users – anyone who will pay to regain access to their files.
                                    The CryptoLocker forum on BleepingComputer.com is filled with page after page of horror stories. Here is a small sample: 
“When we discovered the infection from a user’s workstation on the network, this program had encrypted over 180,000 files through the network shares in a period of 6 days. I pretty much shut down the business for 2 days after we realized what was happening.”
“Our company was infected this morning. The virus hit a machine 4 days ago and today we got the pop up about the ransom. All files on the network drive the user had access to are now encrypted.”
“We had a workstation get infected yesterday that encrypted everything on our network share drive. We had backups, although they weren’t recent enough, so despite all feelings against it, we paid the ransom and everything started to decrypt overnight.”
Of course, there’s no guarantee there will be a happy ending if you pay the ransom. And then there’s the bigger issue – by doing this, you’re helping https://# a criminal operation.
“It encourages them to continue this bad behavior,” said Howard Schmidt, former White House https://# Advisor and a co-founder of Ridge-Schmidt Cyber. “As people pay the ransom, the bad guys have the money to reinvest in create research that are more virulent and hide better from detection.”
How to protect yourself
Go on the Internet and there’s no way to guarantee malware won’t make it onto your computer – even if you follow all the rules of safe computing. So you need to act defensively, and that means regular backups.
“Backup, back, up, back up,” said Schmidt. “That’s the only way to reduce the risk of losing your files forever.”
If you have a recent backup, you can recover from CryptoLocker and other malware with no serious consequences. That backup should be a snapshot of everything on the system and not a simple synchronization, as happens with most automated external hard drives and many cloud-based services.
With these synchronized backups, stored files that have changed on the master drive are overwritten with the https://# ones. If a malicious program encrypts your master files, those backups would also be encrypted – and useless. Your backup should be disconnected from your computer until the next time you need to access it."
Userlevel 7
Badge +56
@ Please read here from one of Webroot's Threat Researchers on a updated thread! https://community.webroot.com/t5/Security-Industry-News/How-To-Avoid-CryptoLocker-Ransomware/m-p/65059#M2423
 
Cheers,
 
Daniel 😉
This information is very important. Thanks...I will pay more attention to e-mails and attachments!
Thank to all of you that have share information about this ugly problem!
Userlevel 7
Badge +35
There's also an informative thread on Cryptolocker over on the business side:
 
https://community.webroot.com/t5/Ask-the-Experts/Cryptolocker-infection/td-p/57881#.UnrSY5JJOt8
 
 
-Dan
 
 
Userlevel 7
Badge +56
Thanks Dan!
 
Daniel 😉
@ wrote:
There's also an informative thread on Cryptolocker over on the business side:
 
https://community.webroot.com/t5/Ask-the-Experts/Cryptolocker-infection/td-p/57881#.UnrSY5JJOt8
 
 
-Dan
 
 
Thank you!
I am not Poo Pooing the product, I am just asking for some case study...and frankly...honestly if Webroot could devise a case study showing an infected system protected by webroot get reverted back to normal then Webroot would basically own the market!
 
I mean from the Marketing point of view that would be gold.
Here you have a crypto virus, that holds your data hostage, everyone knows that AV's are not 100% secure so the other guys have to play catch-up and if they miss a detection then the system is hosed.  So it's up to the whole 3rd party OffLine backup scheme to hopefully revert your system back to "past".  That is assuming that a user made a backup.
 
Lo an behold here comes Webroot, admitebly Webroot also failed to catch the detection, hell no one is perfect...but wait, unlike the other AV, webroot can revert the files back to normal, back to a version that existed before the encryption, without the need for a backup and without the requirement to make one.
 
Of course, then webroot paints a massive red target on their back from the Crypto Guys...but well that's life.
 
The only way to release this is not as an advertisement...hell no...just release it as a case study and let the internet do the rest.
 
 
P.S.
I take my thank you's as a free keycode. :D
The last well- known and popular virus affecting millions of computers, destroyed my 4 months old system. Its name is Windows 8.1. After installation, the virus disabled all USB ports, making computer unusable. I had to srart over. Geting used to it. Will probably have to pay Microsoft for the next update to fix it.

Reply