Your Computer And Smartphone, Held Hostage

HardOCP News

We've all heard of ransomware but have any of you actually had it happen to you or someone you know?

It's called ransomware, a type of malicious code that leaves its victims feeling personally violated. Some versions destroy your data if you don't pay, while others merely threaten. And some versions will encrypt your device, scrambling everything it contains until you pay a ransom. And if your device is encrypted and locked, you're toast -- with no way to remove the malware.
 
One guy I work with got hit by it, he was very upset until I pointed out that since he only uses the PC for Eve Online, all he lost were any screenshots he had taken.
 
It happened at my work last year. The file server that we use to keep all of our customers data on got encrypted and demanded a bitcoin payment for the key to decrypt them.

Luckily our IT department does weekly tape backups so we were able to get back up and running in short order, but we did lose around 3-4 days' worth of work because of it.
 
Dozens of people, but I work in IT support. Anyone who pays the ransom gets no respect from me. 2 wrongs don't make a right, back up your data.
 
I know of 2 companies... One, a small CPA firm, paid the ~$500.00 ransom and actually recovered the files that were encrypted. The other, a medium-sized manufacturing company, didn't catch the virus until it was already too late. They lost ~10 years of old documents and records because management didn't think it was necessary to invest in a long-term backup solution.

Where I work, we have an offline/secure backup system that keeps 3+ years of archival backups.
 
Had one person at the office get hit, and it encrypted some files on one of the servers.

Just cleaned the person's computer, and then restored the files from backup.

That's why you make regular backups.
 
My father-in-law got hit with ransomware on his PC. They had encrypted his document folder. He is still freelancing as an accountant for some business clients, so his data was quite valuable.

Phishing "Update software" message got him...

I was able to simply use Windows recovery and restore a previous version of his documents folder to save everything. It didn't take long once I sorted it out, but it was quite nerve-wracking and stressful until then. Lots of finger crossing. He lost 2 days of work, but that is nothing compared to losing everything.

We have since revised his storage and information management.

Most importantly he is actually listening to me on browsing habit advice... :rolleyes:
 
Same thing happened where I work. We caught the encryption early and severed the affected file server from the network. We lost 4 hours of work and another couple of hours to restore the server.
 
Cleaned a coworker's one a few years back; luckily it wasn't the harmful type and only locked the machine and posted a fake law enforcement message.
 
The only one I know of was a co-worker's family member. He paid the $500 and they didn't un-encrypt it. Hope he learned a couple of lessons there.
 
Did he let the time window run out? Mostly all of these scammers honor it as it would be bad business and discourage people from paying.
 
We got hit here last year. Most employees are really good about asking IT here if they should open something or follow a link, if it's not an email they were expecting. I'm actually quite impressed with our staff. However, two people did get fooled, and it spread out to our main file server via their mapped drives. It encrypted about half the file server. I spent about two days restoring from shadow copies and backups, but we got everything back in the end. Since then, even though most of our people are great about this, I send out periodic reminder emails telling everyone to only open attachments and links from people they're expecting them from, and only business-related ones.
 
Fixed this for people more times than I can count honestly; most of it isn't terribly difficult to get rid of. As with anything, backups can save you when you least expect it, especially if you aren't particularly tech savvy. That said, thus far I've yet to come across any ransomware I couldn't remove and restore. The upshot for me is it isn't a normal virus by any stretch and thus I don't charge normal virus removal prices.
 
It is true that you have a limited time to pay the ransom, because the ransom server gets shut down pretty quickly. Another reason to NOT PAY THE RANSOM. Do not do it, bite the goddamn bullet and don't be selfish.
 
I see these at least once or twice a month, but the number is increasing. Basically, there are several versions of this out. Some just lock the computer (and are usually easy to fix). Some encrypt files, and even run in safe mode (actual Cryptowall).
Please back up important files, and have them separate from the computer.
Make sure your PC is set to allow restore/recovery, so you can go back to a previous known good date.
There is free software from Bitdefender which prevents the install and/or running of this software:
http://labs.bitdefender.com/projects/cryptowall-vaccine-2/bitdefender-offers-cryptowall-vaccine/

If you get hit, disconnect from the internet, as the encryption requires an active connection to continue the encryption. Turn the PC off, and then you can take the disk out, and slave it to a known clean system. Use its AV to protect as you pull off the files not yet encrypted. Put the disk back into the infected system, and format the drive, and reinstall your OS.

Interesting tidbits I have heard about this type of virus:
Generally, it is sent to the victim via e-mail. Usually as an attachment to some sort of USPS, UPS, FedEx, or other shipping company fake e-mail.
Supposedly, one can get it as a download behind corrupted advertising: supposedly, when the video ad runs in the sidebar, it is downloaded and activated on the unknowing victim's PC. So, I suggest ad blocking add-ons for your browsers.
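The post above describes pulling the disk, slaving it to a clean machine and copying off whatever is not yet encrypted. Here is an added example of how to triage such a slaved disk without trusting file extensions alone; it is not code from the thread or from any product it mentions. It assumes a small table of expected leading bytes per extension (the MAGIC dict) and an entropy threshold of 7.2 bits per byte, both of which you would tune for your own environment. The important caveat it handles: Office .docx/.xlsx files are zip containers and already look random, so an entropy test alone would wrongly flag them; the header check decides those, and entropy is only used where no header is known. The sample "disk" it builds in a temp directory is constructed for the demo.

```python
import math
import os
import shutil
import tempfile
from pathlib import Path

# Expected leading bytes per extension. Assumption: a small table covering the
# common office/document formats; extend it for the file types you care about.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04", ".pdf": b"%PDF", ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
}
PLAIN_TEXT = {".txt", ".csv", ".log", ".md", ".ini"}
ENTROPY_THRESHOLD = 7.2  # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one file, from its first 4 KiB."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if not head:
        return "unknown"          # zero-length file: nothing to judge either way
    ext = path.suffix.lower()
    if ext in MAGIC:
        # Office files are zip containers and already look random, so entropy
        # alone would misjudge them; the header check is what matters here.
        return "intact" if head.startswith(MAGIC[ext]) else "encrypted"
    if ext in PLAIN_TEXT:
        return "intact" if shannon_entropy(head) < ENTROPY_THRESHOLD else "encrypted"
    # Unrecognised extension (e.g. 'q1.docx.wx7q', a renamed victim file):
    # only the entropy of the content is left to go on.
    return "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "unknown"


def triage(src: Path, dest: Path) -> dict:
    """Walk `src` read-only, copy every file not judged encrypted into `dest`,
    and return {relative path: verdict}. Nothing under `src` is modified."""
    verdicts = {}
    for p in sorted(src.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(src)
        verdicts[rel.as_posix()] = classify(p)
        if verdicts[rel.as_posix()] != "encrypted":
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
    return verdicts


def run_demo():
    """Build a constructed 'slaved disk' in a temp dir and triage it."""
    root = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    src, dest = root / "slaved", root / "rescued"
    (src / "invoices").mkdir(parents=True)
    # Constructed samples: a genuine-looking .docx, its encrypted sibling with a
    # random extension, a plain text file, and a .jpg whose header was destroyed.
    (src / "invoices" / "q1.docx").write_bytes(
        b"PK\x03\x04\x14\x00word/document.xml" + bytes(range(256)) * 4)
    (src / "invoices" / "q1.docx.wx7q").write_bytes(os.urandom(4096))
    (src / "notes.txt").write_bytes(b"meeting notes: backups verified weekly\n" * 100)
    (src / "photo.jpg").write_bytes(os.urandom(4096))
    return triage(src, dest), dest


if __name__ == "__main__":
    verdicts, rescued = run_demo()
    for name, verdict in verdicts.items():
        print(f"{verdict:9s} {name}")
    print("intact files copied to", rescued)
```

Run it against the mount point of the slaved disk as `src` and an empty folder on the clean machine as `dest`; it never writes under `src`, so the original disk stays untouched for a later re-image. Files it marks "unknown" are worth a manual look rather than being thrown away.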
 
Very very few of them require format/reinstall. Actually in the hundreds of flavors I've seen, not a single one required that. More often than not, formatting is just a lazy way of dealing with it.
 
While formatting the hard drive isn't always the best option, it is a definitive way of removing the virus from most desktop systems. Having tools and off-line backups at my disposal, it's much easier for me to blast the HDD, re-image, and restore my content than trying to remove the virus manually. Sure, most viruses can be manually removed from an operating system with a little know-how, but who wants to spend the time doing it when you can achieve the same results in a fraction of the time and effort?
 
Yup, we got tagged a couple of times and it hit up the mapped drives to the servers. Same department both times... We keep backups, so we restored the files and all was well. People like to click on e-mail links quite a bit. They learned the hard way to stop doing it when I told them "sorry, anything you kept stored locally on your computer is gone."
 
Let me guess... Sales or Finance departments? :D
 
I've had about 6 users hit with it. Some had their online backups infected too. Nasty stuff.
 
I should have said the backups got encrypted, not infected.
 
I worry about my parents getting stuff like this.
I always tell them not to click ANYTHING. But inevitably, my dad clicks something.
 
Had 1 computer infect 5 servers because of a mapped drive. Only took a few days. Luckily we have backups every hour, but had another company get this on their server that has all their financial data, except they use tapes. Tapes aren't always successful; in fact they are a pain in the ass. Had to fork over $600 for the decryption key and spend too much time restoring the decrypted files.

Who cares about a laptop or phone.
 
Removing these infections manually is very, very easy. However, restoring the encrypted files with no backup is more challenging. Sometimes system restore works great and other times it is no help at all to recover the files.
 
I've been seeing this pop up at my repair shop in one form or another since early last year...a truly devious thing. I've seen fake encrypting viruses for a while (not really encrypted, just hidden behind an impassable logon screen), but this is the first variant I've seen that actually does it. First I saw Cryptolocker, then imitation variants have occasionally surfaced over time. Most recent flavor is called CTBLocker (seen that three times in the past two weeks).

These viruses are especially evil, as they try to encrypt anything that is attached to the system: shared/mapped drives, external hard drives, online cloud storage folders like Dropbox/Google Drive, etc. I've seen people lose all their colleagues' work via an encrypted Dropbox folder. I've seen entire businesses brought down, because it can spread over a network. It usually manifests in the form of a suddenly slow system as the encryption is performed while hidden in the background. Then it changes the background to the ransom demand and it's all downhill from there. CTBLocker even changes the file extensions to a random name: changing it back does nothing (I never thought I'd actually miss the FBI virus... but this is worse on every level).

Every single one I've seen was due to an infected email attachment, usually a fake FedEx attachment saying a delivery was missed. The most recent one I encountered masqueraded as a fake Comcast bill. The only luck anyone has had is one guy took his system offline when he went on vacation (but left the system running), and his Carbonite wasn't able to record the most recently corrupted file changes. Some of them seem to only target known file types. I'll occasionally see some random files that were skipped by the encryption process, like when someone had a bunch of Word documents, some of which were .wbk files. Those were skipped, but the .doc and .docx were affected. Also, very large files seem to be unaffected (like one guy's 29 GB .pst file was untouched, and another person's Ghost image as well) but everything else was gone. I think Dropbox has a 'restore old version of file' option, but I think it's only one file at a time. Recent viruses even delete the shadow copies, which had been one way to previously rescue files.
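The two posts above name the behaviours a defender can actually watch for: a burst of documents on mapped drives being renamed to a random extension while the box gets slow, and the shadow copies being deleted so the usual rescue route is gone. Here is an added example of detection logic for exactly those two signals, written for this thread and not taken from any product or from the posters; it runs over a constructed event feed (format ts|pid|process|event|path|detail, invented for the demo) rather than real telemetry, and the set of "known" extensions and the ten-renames-per-minute threshold are assumptions to tune for your fleet.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions this environment considers normal. Assumption: tune to your fleet;
# a rename *from* one of these *to* something unrecognised is the signal.
KNOWN_EXT = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "csv",
             "jpg", "png", "pst", "wbk", "bak", "tmp"}
RENAME_THRESHOLD = 10            # suspicious renames per process ...
WINDOW = timedelta(seconds=60)   # ... inside this sliding window


def extension(name: str) -> str:
    """Lower-cased text after the last dot, or '' when there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse(line: str) -> dict:
    """Parse one constructed event line: ts|pid|process|event|path|detail."""
    ts, pid, proc, event, path, detail = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "proc": proc,
            "event": event, "path": path, "detail": detail}


def detect(lines) -> list:
    """Return human-readable alerts for the two behaviours described in the
    thread: mass extension-changing renames and shadow copy deletion."""
    alerts = []
    recent = defaultdict(deque)   # pid -> timestamps of suspicious renames
    fired = set()                 # pids already alerted on, to avoid repeats
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        if ev["event"] == "PROCESS" and "vssadmin" in ev["proc"].lower() \
                and "delete shadows" in ev["detail"].lower():
            alerts.append(f"{ev['ts']} pid {ev['pid']}: shadow copy deletion "
                          f"({ev['detail']})")
        elif ev["event"] == "RENAME":
            old = extension(ev["path"].rsplit("/", 1)[-1])
            new = extension(ev["detail"])
            # Renaming draft.docx to draft_final.docx is normal; renaming it to
            # draft.docx.wx7q is what the thread describes CTBLocker doing.
            if old in KNOWN_EXT and new not in KNOWN_EXT:
                q = recent[ev["pid"]]
                q.append(ev["ts"])
                while q and ev["ts"] - q[0] > WINDOW:
                    q.popleft()
                if len(q) >= RENAME_THRESHOLD and ev["pid"] not in fired:
                    fired.add(ev["pid"])
                    alerts.append(f"{ev['ts']} pid {ev['pid']} ({ev['proc']}): "
                                  f"{len(q)} extension-changing renames within "
                                  f"{WINDOW.seconds}s")
    return alerts


def build_sample() -> list:
    """Constructed event lines (not real telemetry): one benign rename, twelve
    renames of mapped-drive documents to a random extension, then a shadow
    copy deletion by the same process id."""
    lines = ["2015-02-10T09:00:00|1200|explorer.exe|RENAME|"
             "Z:/shared/draft.docx|draft_final.docx"]
    for i in range(12):
        lines.append(f"2015-02-10T09:00:{i * 4:02d}|4242|svchost.exe|RENAME|"
                     f"Z:/shared/invoices/file{i}.docx|file{i}.docx.wx7q")
    lines.append("2015-02-10T09:01:30|4242|vssadmin.exe|PROCESS|"
                 "C:/Windows/System32/vssadmin.exe|vssadmin delete shadows /all /quiet")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```

The rename rule fires once per process when the tenth unrecognised-extension rename lands inside a minute, which is early enough to pull the file server's cable (as one poster did) while most of the share is still intact; the shadow-copy rule is independent, so it still fires for a variant that renames nothing. Feed it whatever your file-server auditing or endpoint agent emits after mapping those fields onto the same six columns.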
 
I actually dealt with this before Christmas. I had a faculty member's (professor's) laptop that was somehow "compromised" with an encryption block when she was on sabbatical out of state. She brought it to the help desk that I help manage and after a few hours of trying to clean up her botched computer, I did some further research and found she had somehow managed to activate the nastiest virus I have ever encountered, named Cryptowall 2.0.

It essentially encrypted and locked down every single piece of personal data on her laptop and even jumped across to her USB jump drive when she tried to do an "emergency backup" when her laptop was acting weird. Every single folder had a text file that basically said "We are holding your data hostage because we can, follow these hyperlinks to bitcoin us money and we will send you an encryption key to unlock your data. You have 72 hours to respond, otherwise we will lock you out of your data forever." She didn't bring in the laptop until over a week later....

I spoke with 3 data retrieval places and they basically told me "Nope, she's SOL, hope she has a backup." Well... no, she had NO backup of her data whatsoever. At all. They said that she could send it to a forensic data retrieval place with a .000001% chance they could retrieve the data. Needless to say, I was freaking out a bit at this time.

I had to contact the chief information security officer for the university I work for and ask for help. Essentially, because of our government contracts, we would NOT pay any funds for illegal activities or reimburse personal payment for data retrieval, because we are essentially dealing with criminals in a different nation, as the IP addresses of the bitcoin payments for Cryptowall 2.0 were shown to be located in Russia.

I had to have a phone conference call with the associate dean of the college and IT security support and basically tell the faculty member that her year's worth of sabbatical data was completely gone forever and there was nothing we could do.

It was a really rotten week to be in IT.......
 
Cryptowall 2.0 is a nasty beast. And yes, I ran into one of those last week. Runs in safe mode, runs continuously in the background encrypting everything. I do believe it has to have active access to the internet to continue encrypting. Thus, the "turn off internet and shut down" suggestion.

Other thing about this version is: It seems to impact the network. My repair network would go offline the moment the pc was connected to it. And would come back online the moment it was removed. I presume 2 reasons for this: 1) I believe it was attempting to jump to other computers via the network, and 2) I believe it was hogging bandwidth. A big spike in net usage is an indicator one can look for.

I have reason to believe this person was hit via the fake shipping email, as he had shipped a FedEx package. And he mentioned the email to me giving wrong info on the shipment, when I asked if he had gotten any bad email.

Again: watch for these types of email: FedEx, USPS, UPS, or any other shipping email should be suspect.
Any Banking email should also be suspect.
Any "Court" or "Legal" email should also be suspect.

Fair warning, I have also read these types of programs can be injected into compromised advertising, such as the little videos that run in the sidebar. I have also heard legit websites can spread such viruses via the advertising. Due to this, I suggest an ad blocking add-on for your web browsers. I am still trying to confirm if this type of infection has occurred, or not. But, I would not be surprised.

As for the format and reinstall the os and programs as being unnecessary... Well. I am one who errs on the side of making sure it is removed. So far, I have yet to run into a virus which survives a format... And it is much faster than going through the motions of getting rid of the virus. Motions which are not guaranteed to completely remove the virus, like a format can.
 