Ransomware

A

Azuresnow

n00b
Joined
May 21, 2013
Messages
49
Has anyone run into Cryptolocker?
If so, what was your reaction?
Were you able to beat it or did you pay the ransom fee?
or just scrap the computer altogether?
 
PAY or SCRAP?????? The day I let scareware or ransomware win, is the day I walk away from tech and never come back! :mad: I remember the first time I dealt with this type of BS, the wife got that xp antivirus bug, I worked on her computer for 4 hrs. before cleaning it up. Next time I ran into it it took 30 min. Moral of story is, always back up your data.
 
Last edited:
People on HardOCP paying a ransom? LMFAO .... nah, not here.

I've serviced several computers, maybe 12 - 15 machines that were locked down with this ransomware bullshit.

I just smoked the drive, replaced the mbr and installed a fresh copy of Windows
 
Well, This is what happened:
I work at a company and one of my colleagues opened an "official" looking email. The virus came on the email and started encrypting our files, even on our servers, but luckily we pulled the ethernet on the computer before it got too bad. So what ended up happening, none of my colleague's files (pdfs,excel spreadsheets, word documents) were accessible. The some of the files that run on our server got encrypted as well, but luckily our IT guy has our servers backed up on a remote drive which he just replaced, but everyone on my colleague's computer was just unaccessible.
 
You have two routes: pay the ransom (and hope they give you the key), or reformat the affected drives and start fresh. Good thing your IT guy had backups! But no, there's no beating these things, it uses very strong encryption, whatever data was on your coworker's computer that wasn't backed up is toast.
 
I've ran into one person who did pay the ransomware company and their data was not unlocked. On top of that, the company now has their CC number.
 
bigdogchris said:
I've ran into one person who did pay the ransomware company and their data was not unlocked. On top of that, the company now has their CC number.
Click to expand...

The ransom folk don't typically take CC numbers for payments because of how traceable they are; it's usually a money order or bitcoin...
 
I have twice beaten the ransomware by actually just spamming ctrl+alt+del to get enough processes stacked up that I could close the process that was running the ransomware then try to kill it with anti-virus. The third one did win and the drive was just wiped.
 
teh_chem said:
The ransom folk don't typically take CC numbers for payments because of how traceable they are; it's usually a money order or bitcoin...
Click to expand...
I don't know the details, I only know the person said they paid them.
 
EspoNation said:
I have twice beaten the ransomware by actually just spamming ctrl+alt+del to get enough processes stacked up that I could close the process that was running the ransomware then try to kill it with anti-virus. The third one did win and the drive was just wiped.
Click to expand...

But that doesn't unecrypt the files, right? So you never really "won".
 
I've had some experience with CryptoLocker. Long story short, you either need backups or you need to pay. In my experience, anyone who has paid has had their files decrypted. The decryption keys are never stored on the client computer so there is zero chance to decrypt the files without paying.
 
PCunicorn said:
But that doesn't unecrypt the files, right? So you never really "won".
Click to expand...

It didnt come back after two of them, which come to think of it now was odd. It might have just been more a hassle. The third one was the one I could not beat, which meant it was probably more like the one you were describing with the encryption, that was the one we just nuked.
 
Never negotiate with terrorists. If you work as a Windows admin, look in to using Group Policy to prevent execution from %appdata%
 
NobleX13 said:
Never negotiate with terrorists. If you work as a Windows admin, look in to using Group Policy to prevent execution from %appdata%
Click to expand...

Obviously it would be ideal to not pay these scumbags, but if you've got sensitive data that you can't get back, what do you do? One company I know of was a software development firm. They were nearing release of a new piece of software they had been developing for over two years. Cryptolocker encrypted all of their network drives which included their git directories. They did have a tape backup system but it wasn't working properly. Do you pay $100 to decrypt the files or stick it to the terrorists and fold your business, writing off a million dollars in work?
 
JoBUSH said:
Obviously it would be ideal to not pay these scumbags, but if you've got sensitive data that you can't get back, what do you do? One company I know of was a software development firm. They were nearing release of a new piece of software they had been developing for over two years. Cryptolocker encrypted all of their network drives which included their git directories. They did have a tape backup system but it wasn't working properly. Do you pay $100 to decrypt the files or stick it to the terrorists and fold your business, writing off a million dollars in work?
Click to expand...
That sounds like the most incompetent software development firm in history.
NobleX13 said:
Never negotiate with terrorists. If you work as a Windows admin, look in to using Group Policy to prevent execution from %appdata%
Click to expand...
^^^This. There's even a clear and concise tutorial on bleeping computer. Literally anyone could follow that simple tutorial and secure their system(s).
 
crusty_juggler said:
That sounds like the most incompetent software development firm in history.^^^This. There's even a clear and concise tutorial on bleeping computer. Literally anyone could follow that simple tutorial and secure their system(s).
Click to expand...

Yea, they're not well regarded in the industry. None the less, lots of people have found themselves in the same situation. Kind of tough to tell these people to make a stand on principle when their future is the cost.

I'm not really sure what benefit preventative measures like the tutorial would provide. If these people had any sense they wouldn't be in this problem in the first place. An up-to-date anti-virus also protects you from cryptolocker... It's kind of unreasonable to expect people who can't protect themselves using the normal methods will go out of there way to pre-emptively protect themselves using a more complex and manual procedure.
 
crusty_juggler said:
Preventing CryptoLocker from running would be one benefit.
Click to expand...

Right... but anyone who was vigilant enough to seek out and follow such tutorials would likely already be protected by their anti-virus and/or common sense. CryptoLocker infects the stupid and incompetent. So again, I'm not sure what benefit such a tutorial really has in the grand scheme of things.
 
Our IT guy expects the users to keep their Virus protection up to date. I'm much more tech savvy than the majority of the people here. /sigh.
 
Some of our clients have been hit with both Cryptolocker and Cryptowall. For the most part, the ones with backups were fine. Two have paid, and had their data decrypted.
 
My place of employment has gotten hit and their response to it has been laughable.

Some of my personal clients have been hit. Some we recovered through recent backups while 2 had to pay. A few I'm finding have AVs that are successfully stopping it.
 
I've had to deal with it twice at work here...removed the infection, restore from backup's and move on. Never pay, that's how they win.
 
We had this last fall...McAfee SaaS did absolutely nothing, let it walk right in.

One of the web people got an email from Wells Fargo and opened it. One of the other IT guys (who is no longer here and was lazy as shit) told her he didn't see anything wrong and left her computer like it was, didn't unplug it from the network or anything under suspicion. (More than likely blew her off.)

During those couple of hours (before the ransom popup finally appeared), it encrypted over 400K files on the shared drives.

Had to pay the ransom because Mozy Pro eats shit and the cloud backup takes precedence over local backup, so we had no full backup available to restore from (we have over 12TB of backup, which never finished).

Needless to say we no longer use Mozy Pro and have switched to CrashPlan Pro (probably soon to be CrashPlan Enterprise) on my recommendation, which backs up locally first.
 
Why do so many people have such important data that they must have it back but do not have it properly backed up?
 
I've had to deal with it about 8 times (not my machines). I don't know anyone who paid the ransom. We typically restore from shadow copies or from backup. Data loss is typically minimal if anything.
 
Useful tool for any interested:

http://www.foolishit.com/vb6-projects/cryptoprevent/

It's been improved over the months so that it doesn't just rely on group policy anymore. Useful for protecting against other malware and trojans, as well. Includes ability to self-update.


Another idea I came across -- setting up "honey pot" files to get encrypted first, should you get hit. It was postulated that CL searches shares by alphabetical order.

Anyway, just an idea. Any little bit can help.
 
EspoNation said:
I have twice beaten the ransomware by actually just spamming ctrl+alt+del to get enough processes stacked up that I could close the process that was running the ransomware then try to kill it with anti-virus.
Click to expand...

Sounds like a tall tale, but apparently it's happened before:

dTTv4lb.png

from: http://www.mrlovenstein.com/comic/364#comic
 
Hadn't really read about this virus before. That's some pretty heavy duty bullshit right there. I could see how that could cause havoc. Especially in a work environment where you inherently need people to have access to network drives.
 
You must log in or register to reply here.
Back
Top