CryptoLocker's crimewave: A trail of millions in laundered Bitcoin

  • 22 December 2013
  • 16 replies
  • 79 views

Userlevel 7
Badge +54
Summary: CryptoLocker has infected an estimated 250,000 victims, demands an average $300 payout, and is trailing millions in laundered Bitcoin. Dell SecureWorks' new paper sheds light on the unstoppable ransomware.

Dell SecureWorks estimates that CryptoLocker has infected 250,000 victims. The average payout is $300 each, and millions in laundered Bitcoin have been tracked and traced to the ransomware's money runners.

Spreading like wildfire from offices to homes, it arrives in email attachments (or over infected networks) to aggressively encrypt all files on a system (including mapped drives, Dropbox files, and all locally connected, network-attached, or cloud-based storage) - while an ominous onscreen timer demands payment within 72 hours.

Mess with the files or decline to pay and forget about ever opening your files again.

To date, no one has successfully defeated CryptoLocker. The Windows-only ransomware has held rapt the attention of malware fetishists since its formal appearance in September.

The Swansea, Massachusetts police department was hit in November.
The officers paid CryptoLocker's ransom. Police Lt. Gregory Ryan told press that his department shelled out around $750 for two Bitcoin on November 10 - even then admitting his department had no idea what Bitcoin is, or how the malware functioned.
 
Full Topic
 
A lengthy but very interesting article.

16 replies

Userlevel 7
Hi Jasper
 
I find it interesting that the author makes the statement that "To date, no one has successfully defeated CryptoLocker."  Obviously not heard of WSA? :S
 
Thanks for posting...an interesting article (even if slightly in accurate). ;)
 
Regards
 
 
Baldrick
Userlevel 2
People that fall for these types of scams are really foolish. Or any other ransomeware like the FBI thing. Nobody ahs defeated Cryptoplocker. Not even WSA. Defeating it means blocking it even before it enters your system. Sure WSA has the rollback feature but that is not the same. Malware writers make different variations of ransomware daily. So stay on top of it is next to nearly impossible,. Best thing anyone can do is to backup data and never click or open suspicious email . NO antivirus is 100% effective. Therefore NO antivirus can guarantee protection against the ever changing CryptoLocker. 
 
You can have the best security in the world and eventually it will fail. Having a backup plan is a must now a days. Unfortunately 75% of pc users do not backup there pc till its too late. 
 
http://www.geek.com/news/cryptolocker-malware-masterminds-make-around-30-million-in-ransom-in-100-days-1580168/
Userlevel 3
WSA doesn't let it get to your system, it doesn't even have to pull out the rollback feature, as it looks for everything to encrypt in a specific order and still has not been changed, webroot sees that and imediatley blocks it, you have to actually disable the firewall and basically everything short of uninstall for you to get it with webroot.
 
  But there is one thing i have found cryptolocker to not touch that i still don't understand but i guess it makes it that much smarter to go for, andthat one thing is Libre Office docs in original format, it doesn't encrypt them. Don't know why they would skip those but it does, and cryptolocker is starting to become tame since everyone has been doing so much research into it, but it wont be a minimal threat till the variants become alot more different than what they are right now. Until they drastically change the traits of it then it still is a big danger, but once they change it it will then be a little easier to see the flaws in the design and have everyone further protected.
 
I just hate that there are so many people that don't have backups and don't have a good/up to date anti-virus, 
Why can't they do the same thing they do for the press conference's for the elections but instead talk about cryptolocker and let everyone know why it is so dangerous, thats the last thing someone who does this wants, and thats something that will help people understand why its a small price to pay to get a good a/v compared to loosing their memories and even jobs. 
 
Anyways: Libre Office docs don't get encrypted from the variants I have seen, and Webroot to date is the best defense I have seen against cryptolocker, and spread the word anyway possible about it, publicity is not what they want as it puts more people into finding ways to defend against it,
now lets all be happy we have webroot!
Userlevel 2
JHLittleDogTech........................I have been in the IT field for a long time. Before that i was a GM Master Mechanic. People buy new cars all day long and never maintain them. Then when the engine blows the blame the car. Same goes for a computer. Buying a computer is like buying a car. You have to maintain your car as well as your pc. But do most? Nope. Then the first time they get a virus they blame whatever protection they are using. I have seen computers infected using every product out there. Kaspersky, Norton, Avast, Avira, McAfee, Eset, AVG, Comodo,etc. Nothing is 100% effective. But keeping your pc up to date and patched is a huge step in staying malware free. I have a famous quote. It goes like this:
 
"90% of computer problems are caused by the space bewteen the chair and the keybaord" 
Userlevel 2
Things to think about:

1. Cryptolocker does not automatically download and execute itself, it requires you to manually download and execute.
2. Cryptolocker can be easily removed but your files will still be encrypted.
3. Cryptolocker is only available for download on suspicious websites, executable email attachments and fake alert sites. If you only download files from trusted sites like Softpedia, MajorGeeks, SnapFiles, FileHippo, DownloadCrew, etc., you will never be exposed to Cryptolocker.
4. Cryptolocker is commonly in zip format and disguised as a document file like .doc or .pdf with the extension of ".exe" at the end.
Example: "important.pdf.exe"
5. If you have accidentally downloaded the file, you can simply delete it to avoid infection as long as you did not execute it. 

If you just educate yourself, don't download the infected file and always keep your files backed up then you shouldn't require any extra security products to protect you.

If Cryptolocker continues to evolve, no security products will be able to keep you protected especially if you are a reckless user. 
Userlevel 3
@ wrote:
Things to think about:

1. Cryptolocker does not automatically download and execute itself, it requires you to manually download and execute.
2. Cryptolocker can be easily removed but your files will still be encrypted.
3. Cryptolocker is only available for download on suspicious websites, executable email attachments and fake alert sites. If you only download files from trusted sites like Softpedia, MajorGeeks, SnapFiles, FileHippo, DownloadCrew, etc., you will never be exposed to Cryptolocker.
4. Cryptolocker is commonly in zip format and disguised as a document file like .doc or .pdf with the extension of ".exe" at the end.
Example: "important.pdf.exe"
5. If you have accidentally downloaded the file, you can simply delete it to avoid infection as long as you did not execute it. 

If you just educate yourself, don't download the infected file and always keep your files backed up then you shouldn't require any extra security products to protect you.

If Cryptolocker continues to evolve, no security products will be able to keep you protected especially if you are a reckless user. 
For the most part yes you are right, but webroot doesn't just get rid of the exe, it kills the entire process before it can even send out for the keys, and i haven't found it to be a zipped file, the only way i have found it zipped is if it was for testing purposes to ensure you didn't get infected till you wanted to, normally it just disappears after download and the user goes and tries to click it multiple times and keep re-downloading it, they did it that way on purpose because there is a good probably 40% chance it won't get you on the first try due to the randomized servers and it having slight communication issues.
 
Either way Cryptolocker is genius but horrible at the same time, I'd rather not ever see it as if i see it chances are i am telling people that there is a good chance everything is gone but maybe a couple things will remain after VSS but there is a chance that nothing will, and if anything does it will be minuscule.
 
And thats why i use the 25GB of backup webroot provides and then the free 50GB that anyone can get from Bitcasa (I use the paid though)..... It provides me with as much prevention from it as i feel needed as i have other preventions in place and with all them together i haven't came across issues with any kind of threat.
Userlevel 1
@ wrote:
People that fall for these types of scams are really foolish. Or any other ransomeware like the FBI thing. Nobody ahs defeated Cryptoplocker. Not even WSA. Defeating it means blocking it even before it enters your system. Sure WSA has the rollback feature but that is not the same. Malware writers make different variations of ransomware daily. So stay on top of it is next to nearly impossible,. Best thing anyone can do is to backup data and never click or open suspicious email . NO antivirus is 100% effective. Therefore NO antivirus can guarantee protection against the ever changing CryptoLocker. 
 
You can have the best security in the world and eventually it will fail. Having a backup plan is a must now a days. Unfortunately 75% of pc users do not backup there pc till its too late. 
 
http://www.geek.com/news/cryptolocker-malware-masterminds-make-around-30-million-in-ransom-in-100-days-1580168/
Hi all,  new here.  I met CommanderShran at another forum and he mentioned this forum.
 
Agree about backups.  I routinely backup my "C" HDD on a periodic basis (cloning and full-disk Imaging) as well as use a daily unattended specific-item backup tool for those "must-protect" items.
 
I've been affected by a couple of malicious intrusions over the years and recovered the PC with a spare cloned HDD.  One such incidence was when I was visiting one of my daily reputable 'net sites.  In this case, no e-mail attachments, downloads from questionable sites, etc, was in play regarding this particular incident so I know the value of maintaining a verifiable repeatable backup routine.
 
It's a personal preference but I prefer to restore my PC using my backup/restore method vs downloading cleanup tools, or seeking assistance from online experts.  That's not to impune that approach at all; I just prefer to use my HDD backup methods to recover my PC.
 
It's an interesting subject.  I've recently been researching a related topic regarding the best method to sanitize an infected HDD.  That's another topic but I've learned some things about it that don't appear to be generally well-known about it.
 
I've been reading about this threat recently.  I read the article linked in the OP's post.  I commented in the article discussion when the author posted this in one of her replies to another commentor:
 
"Plugging in your backup drive to 'beat' CryptoLocker will just get all those files encrypted too."
 
I was asking the author to clarify the sentence but didn't receive a reply.  No problem there as I was just curious as to the meaning of her reply to another poster in that article.
 
I'm running Windows 7 x64 Home Premium.
 
I have some questions about a couple of things that have been mentioned about the Cryptolocker's process and where the dropper or *.exe  exists.
 
I was curious if anyone here may know the answers to these questions.
 
- What's the usual Process name when Crytolocker is running on one's PC?  Is it "ransom*" or something similar?
 
- Where does the dropper or *.exe, etc,  reside when a PC has Cryotolocker present?  For example, does it reside in the MBR?
 
- I'm assuming that Cryotolocker will create folders or files in, for example,  %temp% , %appdata% , %localappdata% .  If so, what are the typical names of such items?
 
- If Cryptolocker is present on one's PC, does it copy/install any droppers or other launchers in the non-OS Drives that were connected to the PC at the time Cryptolocker initially entered the PC's OS HDD?
 
I realize that all files/items on any attached Drives, will be potentially encrypted by the launcher/dropper, etc. What I'm curious about is, does the "root/parent" dropper or launcher *.exe get inserted into any other Drives on the PC other than the OS/boot Drive?
 
It would appear to me that the window of vulnerability with this particular threat would be limited to the time period where Cryptolocker launched and began the encryption activities, and when the PC user sees the "ransom" dialog window appear on their PC.
 
For network users, ie, small business or those that have multiple PC's connected on a network, this issue can be complicated.
 
Regarding the typical residential PC user with 1 or 2 PC's, recovery should be simpler with a restoration plan in place.
 
If one knows that the threat launcher has begun and is running/executing, then recovery should be easy if they have been maintaining a robust backup routine.
 
I mention these points since I've read in other forums where the backup topic, in the context of this specific threat, appears to be somewhat diminished or dismissed by some posters at various forums.  That attitude is puzzling to me since, excepting a rare BIOS issue (infection), recovery from malicious intrusions should be a fairly quick activity, assuming one has a proven HDD backup scheme in place.
Userlevel 7
Badge +56
Hello Scoop and Welcome to the Webroot Community Forums!


 
So the Commander sent you over are you a user of WSA? You can have a look at the web cast from Webroot from Jan 21, 2014 it's great info on Cryptolocker. https://www.brighttalk.com/webcast/8241/95617
 
Cheers,
 
TH
Userlevel 7
Hi Scoop
 
Welcome to the Community Forums.
 
What you write is very interesting and to cut to the chase I believe personally that the premise that "recovery from malicious intrusions should be a fairly quick activity, assuming one has a proven HDD backup scheme in place." is great and I would agree with you on that in the case of a tech savvy/security switched on user...but for one thing...from my experience the large majority of normal users are not that fastidious or meticulous.
 
In fact I was having a discussion with someone I know how believed that they were able to recover from CryptoLocker because they backed up their documents to the cloud automatically, not realising that this is not the same as period full imaging or base imaging and then regular incremental or differential backups, etc...and they considered themselves very tech savvy.
 
So, having said that prevention (where possible as WSA has recently introduced) or 'cure' (the monitoring of unknown .exes, etc. & journalling of their activities for eventual roll back if found to be malicious) provides the aforementioned users with a defense/remedy to the likes of CryptoLocker.
 
But having said that...I would never disagree with yo when you talk about having a robust backup routine...I run WSA and have a base imaging and regular incremental backups schedule as a final line of defense.
 
Regards
 
 
Baldrick
Userlevel 7
Hi Scoop and welcome to the Community!
 
It is good to have you here, and we won't hold it against you that the Commander referred you :)
 
 
 
Joking: he is a great fellow and we think a lot of him around here 😉
Userlevel 7
Badge +54
Hi Scoop and welcome, there is a really good team here and the Commander is just one of them, I hope you enjoy yourself here.
 
Userlevel 1
@ wrote:
Hello Scoop and Welcome to the Webroot Community Forums!
 
So the Commander sent you over are you a user of WSA? You can have a look at the web cast from Webroot from Jan 21, 2014 it's great info on Cryptolocker. https://www.brighttalk.com/webcast/8241/95617
 
Cheers,
 
TH

TripleHelix
 
Thanks for the link :D  I listened to the entire presentation and the presentor answered one of my previous questions:
 
At present, the "dropper" (*.exe/launcher) doesn't install itself in the non-OS connected Drives on one's PC.  That's what I had guessed but it was nice to hear it verified. 
 
That's not to say it wouldn't happen with future variants but it appears that hasn't been reported as yet.
 
The Presentor also mentioned the folder locations that I had mentioned earlier (appdata, etc).  As expected, the dropper creates items in those locations but the names weren't discussed in the presentation.  If I recall from reading posts elsewhere, the names would probably not be too difficult to identify, ie, "ransom", etc, but that's only my guess about it.
 
@ wrote:
Hi Scoop
 
Welcome to the Community Forums.
 
What you write is very interesting and to cut to the chase I believe personally that the premise that "recovery from malicious intrusions should be a fairly quick activity, assuming one has a proven HDD backup scheme in place." is great and I would agree with you on that in the case of a tech savvy/security switched on user...but for one thing...from my experience the large majority of normal users are not that fastidious or meticulous.
 
In fact I was having a discussion with someone I know how believed that they were able to recover from CryptoLocker because they backed up their documents to the cloud automatically, not realising that this is not the same as period full imaging or base imaging and then regular incremental or differential backups, etc...and they considered themselves very tech savvy.
 
So, having said that prevention (where possible as WSA has recently introduced) or 'cure' (the monitoring of unknown .exes, etc. & journalling of their activities for eventual roll back if found to be malicious) provides the aforementioned users with a defense/remedy to the likes of CryptoLocker.
 
But having said that...I would never disagree with yo when you talk about having a robust backup routine...I run WSA and have a base imaging and regular incremental backups schedule as a final line of defense.
 
Regards
 
Baldrick
Baldrick
  
Thanks for the "welcome" and reply :D
 
Believe me, I'm no backup expert 😃.  It's just that the topic interests me as I like to be able to recover from malicious intrusions without outside assistance required.
 
It's also coming from someone that's "been there", ie, having to wipe the HDD and re-install the OS.  That happened years ago and I told myself "never again" :D   When I read many daily posts about other PC users that have been hit by this ransomeware and malicious objects, I feel for them as I've been there in the past.
 
I probably overdo the "backup" scheme as I always process and test-restore images from "rescue" bootable media.  I clone the same way, always with a CD, booting to RAM outside of Windows as I prefer to test the methodology in a "worse-case" scenario, simulating a wiped HDD, no OS to boot, etc.
 
That's a bummer about your friend and the cloud backups.  All of my full-HDD backups are air-gap protected and only connected during cloning or imaging.  That's a "must" to insure protection from a "delayed-action" infection such as Cryptolocker.
 
Hopefully, as this ransomware threat is discussed more at various locations around the 'net and between contacts, more will become aware of the importance of backup plans within the PC world.
 
I haven't entered the cloud-storage world yet as I prefer to manage backups locally.
 
@DavidP1970 wrote:
Hi Scoop and welcome to the Community!
 
It is good to have you here, and we won't hold it against you that the Commander referred you :)
 
 Joking: he is a great fellow and we think a lot of him around here ;)
 DavidP1970
 
Thanks :D   That's no surprise as I knew that when we met at another forum :D
 
@ wrote:
Hi Scoop and welcome, there is a really good team here and the Commander is just one of them, I hope you enjoy yourself here.
 
 Jasper_The_Rasper
 
? That's a unique name :D   Thanks for the 'welcome' 😃
Userlevel 7
Hi Scoop
 
Thanks for the reply.  Cool to have you here and looking forward to some interesting discussions.
 
Backups are a great topic to air in the Forums, and as you say they have their place in a layered defense...and if I may say so I do not think that you "overdo the "backup" scheme" as one can never tale too much care...and as we agree a lot do not take as much care as they should...through lack of knowledge & patience with software that can be complex for the average user.
 
I was interested by what you said about your full HDD backups being "...air-gap protected and only connected during cloning or imaging" as it was my understanding that CryptoLocker, and the like, currently only look for set file types and as yet I was not aware that they are targeting files with imaging extensions.  I can see that there is no reason as to why they should not...and so will have to look into that some more.
 
I also share your hope that the message spreads more widely re. the importance of propoer backups, etc.

 
In the meantime I believe that we use the most effective AV/IS application against this pestilence and I am sure that the Webroot development team will continue to make it so.

 
Have a great rest of weekend...and see you around...;)

 
Regards

 
 
Baldrick
Userlevel 1
--------------------------------------------------------------------------------
Baldrick wrote:
 
Hi Scoop
 
Thanks for the reply.  Cool to have you here and looking forward to some interesting
discussions.
 
Backups are a great topic to air in the Forums, and as you say they have their place in a
layered defense...and if I may say so I do not think that you "overdo the "backup"
scheme" as one can never tale too much care...and as we agree a lot do not take as much
care as they should...through lack of knowledge & patience with software that can be
complex for the average user.
 
I was interested by what you said about your full HDD backups being "...air-gap protected
and only connected during cloning or imaging" as it was my understanding that
CryptoLocker, and the like, currently only look for set file types and as yet I was not
aware that they are targeting files with imaging extensions.  I can see that there is no
reason as to why they should not...and so will have to look into that some more.
 
I also share your hope that the message spreads more widely re. the importance of propoer
backups, etc.
In the meantime I believe that we use the most effective AV/IS application against this
pestilence and I am sure that the Webroot development team will continue to make it so.
 
Have a great rest of weekend...and see you around...;)
Regards 
 
Baldrick
 
--------------------------------------------------------------------------------
Baldrick
 
You're welcome and Thank You for the warm 'welcome' here :D
 
Regarding Cryptolocker and the "air gap" mention earlier:
 
That had been an early question of mine as well, Image file extenstions being excluded
from the encryption engine.
 
I use 2 programs for my images, "Acronis" (2011 paid ver) and "Macrium Reflect" (free
ver).
 
Acronis image extensions are *.tib files and that extension has been added to a recent
Cryptolocker extension / inclusion report that I read at another forum.  The member that
posted the report is a malware-removal expert and is a member at "Bleepingcomputer.com"
as well as another forum where I've interacted with him in discussions about malware
threats.
 
I don't recall seeing the Macrium image extension *.mrimg   included in the list that I
saw recently but it may have been on the list.
 
Regarding my "air gap" practice, that is actually due to me being too careful perhaps
😃 but I have kept my cloned HDD and my external storage HDD disconnected from
my PC'S except during image processing to keep malicious-transport at a minimum risk to
those items as they are my verified-HDD restore methods.
 
I was doing that before the Cryptolocker threat became widely-known.  I do this to reduce
the remote chances of a more rare "delayed-launch" malicious code, where the PC user
doesn't become aware of the existance of an intrusion into their HDD until additional
damage has been done by the intrusion.
 
The backup approach is widely diverse in opinions about the best approach to pursue for
one's PC.  It depends on the user's specific requirements, their data storage plans,
and their 'net user habits.
 
The way I see this backup scene, is it's a fast way to multi-protect one's PC as periodic
cloning or full-HDD Imaging will do the following:
 
- Protect the user from virtually any malicious intrusion
- Protect from HDD failure
- Protect from user error, bad downloads, Registry errors, mstakes. We've all made
mistakes, me for certain :D
 
Restore Points and volume shadowing can also achieve the same results, ie, "rolling back
the PC clock" but there are occasions where Restore Points won't result in completely
sucessful results.
 
What I'm doing at present is,
 
- Cloning every 2 weeks with one of my spare HDD's.   I've used 3 programs to compare the
required cloning time and reliability.  I usually use "Acronis" since it takes the least
amount of time to clone my 1 Tb Seagate HDD.  I'm not sure as to the reason that it takes
the least time (about 35 minutes) to clone the HDD but it's consistant with that time
frame.
 
If one has expansion bays available in their Desktop Tower, this item makes cloning and imaging fast and easy.  I have 2 Sata Hot-Swap racks installed.  Amazon link:
 
Kingwin KF-1000
 
- Imaging on a less-frequent basis.  I usually Image (always full-HDD) occasionally but I
don't have a set routine for it as it takes a lot longer on my PC to image and I'm also
only imaging full-HDD images and not "chaining" with Incremental or Differential imaging.
 
- Automated daily item-specific backup, using Acronis.  This backs up my few "must-have"
items to another Drive.  That Drive is continuously connected so it's vulnerable in the
event of a "Cryotolocker" intrusion but I also run a manual "file copy" script daily that
copies the same items to a flash drive and another external HDD,  Those drives are
connected only during the script's copying action.
 
Image-chaining concepts are great and it's not a matter of me rejecting fhe methodology
with that approach.  It's more for me, a matter of having adequate storage space for
keeping a few full-HDD Images on a 4 Tb HDD.  That's where I store my Desktop, Laptop,
and my Mom's Desktop PC's full-HDD images.
 
The other reason I'm not currently chain-Imaging, and this is admittedly a very small
reason for me, is that, from what I've read about Incremental and/or Differential
Imaging, if there's one backup in the parent chain that's corrupt or for some reason
didn't Image correctly, then that Image chain isn't recoverable in the event that it's
needed later for restoring the HDD.
 
That scenario is probably very remote but I prefer to test a full-HDD Image after it's
completed so that I know I have a verified bootable full-HDD recovery method in place.
 
I have a 2nd spare HDD for testing Images so that my other spare shelf cloned HDD is
always ready in case of emergencies.
 
The 2nd spare HDD is also useful for testing HDD-wipe/erase tools for possible sanitizing
requirements in the event of a malicious infection presence on my Source HDD.
 
That topic is another semi-hot-button topic 😃 , as there are some PC users
that have removed their infected HDD, formatted, and re-installed the OS only to have the
same malicious object remaining on the HDD and so requires another approach to achieving
a sucessful HDD-wipe and OS re-install.
 
What I'll usually do, and have in the past when one of those "FBI" ransomware variants penetrated my previous AV's defenses* , I'll delete the partitions on the infected HDD with a bootable CD tool. such as "Gparted", a HDD-utility Linux boot, then I'll clone back to the previously-infected unallocated HDD. I've done that twice with sucessful results.  It's best to delete the partitions vs formatting as you'll have a better chance in removing previous malicious items with the first method.
 
There was a incident recently where a member over at another forum had Cryptolocker so he formatted the HDD, re-installed the OS (Windows 7 if I recall) and loaded all of his apps, etc, back onto his HDD.
 
The next morning, he found a Cryptolocker "ransom" screen was still present on his HDD. 
I can only imagine the annoyance the user was going through at that moment.
 
He then deleted the partitions on the affected HDD, re-insalled Windows again and all was
well.
 
In the majority of cases with malicious infections, partition-deletes will remove the
issues.  If one has a spare cloned HDD available or a full-HDD Image, then the can
restore the original HDD back into service as a completely cleaned bootable HDD.
 
That's the advantage of cloning or full-HDD Imaging as, even if the malicious items were
dropped into the MBR (Master Boot Record) on the HDD, the MBR is over-written and
restored during the cloning (and full-HDD Imaging) restoration process.
 
Regarding the MBR, some aren't aware that this sector resides outside of the default
partitions on a Windows HDD.  In other words, if one installs WIndows 7 (I'm not positive
about XP) using the "automatic" installation method, WIndows creates a "System Reserved"
partion and the main partition.
 
The System Reserved Partition contains the Boot Manager but not the actual MBR since the
MBR (512 bytes) begins at Sector 0 whereas the System Reserved Partition begins at
Absolute Sector 2048.
 
* This occured at one of my daily 'net site visits, a reputable site.  I was running an
updated mainline AV product, no e-mail attachments were opened, no questionable downloads
were clicked, etc.  This, to me, illustrates the importance of maintaing a tested full-
HDD backup routine as we can be careful 'net users but still get hit with the multitide
of malicious variants that are out there in the wild.
Userlevel 7
Hi Scoop
 
What can I say but...WOW...that is some backup plan you have there.  In fact I suspect that it would shame a large number of small business.
 
You certainly seem to have all the angles covered...very well covered...and I suspect that for most users this would be too onerous an approach (but better too onerous an approach than NO approach at all, eh?
 
I used to use ATI for image & Rollback Rx for...short term rollback, but have dropped those in favour of AX Time Machine (thread over at WIlders if you are interested) which is a great compromise between both of them.  Hopefully, not being mainstream...yet...its image extension has not and will not come to the attention of the bad guys...but I will check periodically given what you said about "...*.tib files and that extension has been added to a recent Cryptolocker extension / inclusion report".
 
Having said all of that the v8.0.4.46 release version of WSA has improved protection against CryptoLocker (see this post) so hopefully it will be stopped before it can do damage that requires the use of the backup.
 
Anyway, thank you for the detailed post...very informative...I will be re-reading it a number of times to make sure I have all the nuances worked out (will probably also bookmark it for future reference).
 
A pleasure to discuss with you. :D
 
Have a great week.
 
Regards, Baldrick
Userlevel 1
?  Baldrick
 
Thanks :D  but believe me, I'm an amateur compared to the many backup guru's out there.
 
I know what you mean about the onerous aspect of backups.  I think that's one reason it's not more widely done among residential PC users.  I also tend to believe that some, perhaps, most of the reason is due to a lack of experience and/or the "intimidation" factor with the terminology.
 
I know for me, that was partly the reason I hesitated getting into this backup scene.  Until I learned some of the fundamentals about this stuff, I thought that a "clone" was referring to the "Star Wars" movies :D
 
I have a friend that helped reduce the learning curve with the basics.  Afterward, it became an interest to me so I tried to dig deeper into the topic.
 
I can say this, and it's true for just about anything:  Once someone gets familiar with this backup stuff, they find that it's really easy and, with cloning, it's fast.  I can clone my 1 Tb HDD, boot it up to verify a working spare, and return to normal PC activity on my Source HDD within an hour. 
 
I have offloaded my video and most picture files onto another HDD.  That speeds up full-HDD Imaging as those files don't compress as efficiently as other files when Imaging using standard compression rates.
 
Another benefit that I didn't mention earlier, of maintaining full-HDD backups is the "peace of mind" aspect.  One can take some chances when learning how to use some PC tools, such as the many utilities available in "cmd" mode.
 
If something goes "south" when learning a utilitiy command, you can always install the cloned HDD to recover from a mistake or mishap.
 
This is somewhat unrelated but I had the following sites bookmarked.  They may come in handy for anyone that may be required to re-install Windows due to malicious infections or corrupted Windows System files, Registry issues.
 
This guide walks through a procedure on re-installing a Windows 7 "no-reformat, nondestructive reinstall".  This procedure will supposedly (I haven't tested this myself yet) allow the user to re-install their Windows 7 OS without damaging your user accounts, data, installed programs, or system drivers.  I plan on testing this out with my "lab" HDD when I get some spare time as it sounds intersting to prove on my PC.
 
Windows 7 Reinstall
 
There is a link for Win 8 users as well.  I haven't read this article since I'm not running Win 8 but here's the link:
 
Windows 8 Reinstall
 
Both offer an alternative to reloading all programs, etc, in the event of a necessary Windows clean install required.
 
Thanks for the "AX Time Machine" info.  I'll check that out.  Sounds interesting.
 
I tried to locate the updated list of file extensions for Cryptolocker, where I saw the *.tib extension included but I can't locate it now.  It was posted at another forum.  If I locate the link, I'll post it here.
 
I did post the question over at the Acronis Forum under my account.  I haven't read that forum in a while so I'm not sure when or if I'll receive a reply.
 
Regarding cloning in general, one often reads some confusing things about cloning HDD's.  For example, when I was researching the topic a few years ago, I read in forums where, when cloning a Laptop HDD, it's necessary to install the "Target" HDD in the Laptop and the "Source" HDD in an external Enclosure.
 
That proved for me to be inaccurate, at least when I clone my Toshiba Laptop.  I've cloned both ways with the Source HDD in either position and in each case, all of my cloned Target HDD's booted into Windows and ran ok.
 
I achieved the same results when cloning my Desktop PC's HDD's.  I've cloned with the Source in my "A" Sata slot with the Target HDD in the "B" slot, and vice versa, all with sucessful results.
 
I'd recommend, for novice cloners, to do a "pre-format" or delete the partitions on the Target HDD before booting up the Cloning tool and starting the cloning process.
 
The reason is, assuming that the Target HDD was cloned previously, it can be confusing during the cloning tool's setup dialog since the Source and Target HDD's will appear identical when the user is in the selection process.
 
If the Target is prepared as above, the user will be able to easily identify the Target HDD as it wil display the HDD as "unallocated".
 
I use the DIsk Management utility within Windows to delete the partitions before I exit Windows to boot up on my Acronis CD.
 
Disk Management should allow the user to delete any partition on the Target HDD since that HDD isn't the "boot" device at the time Windows is running.
 
However, some PC's, like my Toshiba Laptop, include a "recovery" partition which Disk Management won't allow that partition to be deleted from within Disk Management.
 
If that happens, I'll go to "cmd" and use the "diskpart" utility to do a "delete partition override" command for that partition.
 
Thanks for the post link about the v8.0.4.46 release version of WSA.  I read the thread.  Fortunately, the mainline AV's have implemented the known variants of Cryptolocker but you know how that one goes... new variants are being released in the wild all the time so it's always a race against the bad guys out there.
 
Personally, I rely on an AV (plus an antimalware tool) to block nearly all intrusion attempts but I don't count on 100% protection with any AV or antimalware tool.  As long as the tool notify me that something's amiss, the backups will restore my PC's fairly quickly, except for a very rare BIOS dropper.  I've only read about 2 such malicious codes and there's debate whether or not they really reached "the wild" in any number.
 
I did look at my Mother Board a while back and my BIOS IC is an 8-pin DIP package that is socketed (easy removal and replacement if needed).  BIOS IC's can be purchased online, pre-flashed to their Mother Board's factory condition so that was good to know just in case.
 
Early Mother Board models included a BIOS "write protect" jumper but most manufacturers moved away from that design due to the improvements in "easy flash" utilities that are included with many Mother Boards CD's.  As BIOS flashing became more convenient, they removed the write-protect jumpers on the boards.  I'd have preferred they keep that jumper in the designs since it offers a failsafe protection against malicious flashing and also most PC users never flash the BIOS anyway.
 
Fortuantely, with most malicious intrusions, the symptoms become noticable fairly quick, with popup's, browser hijack's, unusual CPU usage, etc.
 
Here's a link that a member provided in a reply to my post about Cryptolocker's file names, Registry locations, etc. Link is to the "Bleepingcomputer.com" site:
 
CryptoLocker Ransomware Information Guide and FAQ
 
 
"A pleasure to discuss with you"   Thanks :D  "Ditto"  :D

Reply