Hit with RANSOMWARE

sanitarium16

Limp Gawd
Joined
Dec 5, 2007
Messages
328
My work computer has been hit with a form of ransomware. It's the Trojan/Ransom-U variant. When you turn the computer on it demands $120 to decrypt the files. It encrypted all .doc files and others. I tried CA's tool and Kaspersky's decryption tool but it doesn't seem to recognize this variant. Does anyone know of a tool to decrypt the encrypted files?
 
Sophos has an article about it here:

http://nakedsecurity.sophos.com/2010/11/26/drive-by-ransomware-attack-demands-120/

A few points from the article worth mentioning here:

"Users have reported to us that they have received the attack via a malicious PDF which downloads and installs the ransomware."

"Of course, we don't recommend paying money to ransomware extortionists. There's nothing to say that they won't simply raise their ransom demands even higher once they discover you are prepared to pay up."

"Once again, users who make regular backups of their important data have good reason to pat themselves on the back."

There is at present no way to decrypt the files. If you didn't back them up, you lost them.

Is it at all possible that you can use Windows 7's Previous Versions to get the files back?
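Before spending time on decryption tools it helps to know which files are actually ciphertext and which merely got renamed or mislabelled. The following is an added triage example, not code from the thread, from CA or from Kaspersky. It uses two cheap checks: the leading "magic" bytes expected for the extension (a legacy .doc is an OLE compound file, a .pdf starts with `%PDF-`) and the Shannon entropy of the first 4 KiB, which sits near 8 bits/byte for encrypted data and far lower for text and document headers. The magic table, the 7.5 bits/byte threshold and the sample files are all constructed assumptions.

```python
"""Triage of possibly encrypted documents (added example, not from the thread).

Labels each file under a directory as 'intact', 'likely-encrypted' or
'suspicious' from its expected magic bytes and the entropy of its first 4 KiB.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Constructed table of expected leading bytes. Legacy .doc/.xls are OLE
# compound files; .docx is a ZIP container; .pdf starts with "%PDF-".
MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".docx": b"PK\x03\x04",
    ".pdf": b"%PDF-",
}
SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5  # bits/byte; an assumed cut-off, tune it on known-good files


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str) -> str:
    """Label one file: 'intact', 'likely-encrypted' or 'suspicious'."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    expected = MAGIC.get(ext)
    magic_ok = expected is None or head.startswith(expected)
    high_entropy = shannon_entropy(head) >= ENTROPY_THRESHOLD
    if magic_ok and not high_entropy:
        return "intact"
    if not magic_ok and high_entropy:
        return "likely-encrypted"
    # Right magic but compressed payload (.docx), unknown extension with random
    # content, or wrong magic but low entropy: needs a human look.
    return "suspicious"


def scan_directory(root: str) -> dict:
    """Map each file under root (relative path) to its triage label."""
    labels = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            labels[os.path.relpath(full, root)] = classify(full)
    return labels


def build_sample_tree() -> str:
    """Write constructed sample files into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="triage-")
    # An intact legacy .doc: OLE header followed by repetitive, low-entropy content.
    with open(os.path.join(root, "report.doc"), "wb") as fh:
        fh.write(MAGIC[".doc"] + b"quarterly figures " * 300)
    # A ciphertext stand-in: deterministic pseudo-random bytes, no OLE header.
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    with open(os.path.join(root, "budget.doc"), "wb") as fh:
        fh.write(blob)
    # The same high-entropy bytes under an extension with no magic to compare.
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(blob)
    return root


if __name__ == "__main__":
    for rel, label in sorted(scan_directory(build_sample_tree()).items()):
        print(f"{label:17} {rel}")
```

The "suspicious" bucket is deliberate: compressed containers such as .docx have high entropy by nature, and a plain .txt has no magic to check, so entropy alone would misfire on both. Run it over a copy of the affected directory, not the original, and treat the labels as a starting point for the restore, not as proof.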
 
My work computer has been hit with a form of ransomware. It's the Trojan/Ransom-U variant. When you turn the computer on it demands $120 to decrypt the files. It encrypted all .doc files and others. I tried CA's tool and Kaspersky's decryption tool but it doesn't seem to recognize this variant. Does anyone know of a tool to decrypt the encrypted files?

Call the NSA. :D

Seriously, if you didn't back up your files, you would need what's called a "brute force attack" by trying every possible decrypt key for all the possible encryption algorithms. Not practical for ordinary mortals. :(
 
I don't get how a PDF, a static file with text/images embedded in it, can have exploits. How is it that Adobe can make a product (the reader) that sucks THIS bad? There should be no paths of execution in a viewer app. Worst part is, they update this multiple times a day, and they STILL screw up.

And yeah, why don't they actually go after THESE people instead of spending so much time on piracy? These virus writers and hackers are the ones doing the real damage. I guess if it's not affecting multi-billion-dollar corporations then the government does not really care.
 
I don't get how a PDF, a static file with text/images embedded in it, can have exploits. How is it that Adobe can make a product (the reader) that sucks THIS bad? There should be no paths of execution in a viewer app. Worst part is, they update this multiple times a day, and they STILL screw up.

And yeah, why don't they actually go after THESE people instead of spending so much time on piracy? These virus writers and hackers are the ones doing the real damage. I guess if it's not affecting multi-billion-dollar corporations then the government does not really care.

It's because JavaScript and the ability to launch external applications are part of the spec (which the ISO somehow adopted). Turn off JavaScript, external applications, and Flash; that will block nearly all PDF attacks. PDF is really a broken standard as far as I'm concerned since it does way more than a document needs to, but at this point it has become the standard so we need to secure it as best as possible.
 
Ah did not know it had that, not a smart move by Adobe then. Definitely not something a document should have.

Really I would love to see someone come up with a better document standard, and have it take off. Something that is open and does not have more than text/images, no need for anything else in a document.
 
It's because JavaScript and the ability to launch external applications are part of the spec (which the ISO somehow adopted). Turn off JavaScript, external applications, and Flash; that will block nearly all PDF attacks. PDF is really a broken standard as far as I'm concerned since it does way more than a document needs to, but at this point it has become the standard so we need to secure it as best as possible.

Another way to use a PDF as the "vector" is to somehow install a corrupted Acrobat reader on your system. Once that corrupted reader is in place, it will execute Trojan code in a corrupted PDF. Same approach works with mp3s, videos, etc.
 
This is the first time I've heard of ransomware, that's nuts. Nigerian hackers are getting ballsy.
 
After doing malware research/security testing for several years, there is one thing I can attest to: any parser, no matter whether text or binary, can be opened to exploits if the program didn't properly sanitize its inputs...

(Now, PDF is an atrocious format to parse for any program; it really needs to be completely redesigned so people can avoid making a lot of mistakes.)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Just ran into this. One of our local clinics got hit with it. What a mess. No fix anywhere from what I can find.
 
Not going to help the OP, but for the record I don't have any PDF readers or Java installed on my home PCs because of crap like this now. If I come across a PDF I need to read I'll install a reader, then uninstall it when I'm done.

Most folks don't even need Java anymore.

If I could go without Flash I would. I only have Flash installed for IE, and I use Firefox with NoScript when browsing the net from home.
 
Adobe has finally released Adobe Reader X which uses the sandbox programming model available in Vista and Windows 7 to limit what Adobe Reader has access to work with, much like how IE is now limited.

Only took them 2 years to finally use what has been there...
 
Putting the PDF discussion aside, the lesson that should be taken from this thread is this:

HAVE A BACKUP PLAN!

1TB external drives are way under $100 these days.
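A backup only counts if you can prove the copy is still the original. The following is an added example, not from the thread: it writes a SHA-256 manifest when the backup is taken and re-checks the tree against it later, so a backup job that quietly synced already-encrypted files shows up as "changed" rather than passing as good. The file names, directory layout and the simulated overwrite are constructed for the demo.

```python
"""Backup manifest and restore check (added example, not from the thread).

build_manifest() records a SHA-256 per file; verify() reports which files
still match, which were altered, which are gone and which appeared since.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def save_manifest(manifest: dict, path: str) -> None:
    """Store the manifest as JSON next to (not inside) the backed-up tree."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def verify(root: str, manifest: dict) -> dict:
    """Compare the tree under root against a previously saved manifest."""
    current = build_manifest(root)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "new": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: back up two documents, then simulate the incident."""
    root = tempfile.mkdtemp(prefix="backup-")
    docs = os.path.join(root, "docs")
    os.mkdir(docs)
    with open(os.path.join(docs, "thesis.doc"), "wb") as fh:
        fh.write(b"chapter one " * 100)
    with open(os.path.join(docs, "invoice.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample")
    manifest_path = os.path.join(root, "manifest.json")
    save_manifest(build_manifest(docs), manifest_path)
    # Simulated damage after the backup: one document overwritten with random
    # bytes, one unexpected file dropped into the folder.
    with open(os.path.join(docs, "thesis.doc"), "wb") as fh:
        fh.write(os.urandom(1200))
    with open(os.path.join(docs, "README_RESTORE.txt"), "w", encoding="utf-8") as fh:
        fh.write("constructed sample note\n")
    return verify(docs, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest with the offline copy, not on the machine being backed up; if the only copy of the hashes sits on the infected box, it can be overwritten along with everything else. Running verify() against the external drive before restoring is the "restore test" that turns a backup plan into a working one.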
 