
CryptoLocker

16 Posts
13 Users
0 Likes
913 Views
(@ccvishnu)
Posts: 1
New Member
Topic starter
 

Hi All.

Just came across an interesting piece of work. One of our clients has a 2TB NAS drive on their server containing all company emails/documents, which was compromised a week back.

All the files (user documents) were encrypted; they could not access any of the files since they won't open without being decrypted. They have been sending web links which take them to a page asking for a ransom of $700 per file and a time period for the ransom amount, else it would be doubled. We cannot trace the IP as they are behind Tor.

Unfortunately they don't have a backup of any of this data. I've been doing a lot of R&D and I haven't come across a solution. Most of them suggest to pay / forget the data, reformat / be secure from henceforth.

If any of you have any suggestions / similar circumstances, please post. Thank you

Rgds
ccvish

 
Posted : 15/12/2015 1:41 pm
(@gremoui)
Posts: 6
Active Member
 

Can you provide the information about the campaign? What is the webpage? What is the contact address? What kind of NAS is it (Synology?)?

 
Posted : 15/12/2015 3:18 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I've seen stories of organizations getting hit and paying up…this has applied to at least one law enforcement organization so far, that I've seen. I've also seen folks hit with variants, paying, and then not getting a key to unlock their files.

So, I guess the question is, how important are these files? Are they worth the $700/file? If so, pay it, unlock the files, and do a better job with your information security.

I'm going to guess that since the files weren't backed up, they weren't really important to begin with…so maybe just write them off and reformat?

 
Posted : 15/12/2015 5:04 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The stories I've heard from people that were actually caught by CryptoLocker or one of its common variants had a ransom around $300/400 for a decrypting key for all files; if it is 700 per file it is a new approach 😯 that sounds extremely stupid.
I mean, 300/400 US$ to exit the situation is something that most people will be able to pay; US$ 700 multiplied by - say - 1,000 files amounts to something no one will ever pay.

jaclaz

 
Posted : 15/12/2015 5:22 pm
(@anirudhrata)
Posts: 17
Active Member
 

Apart from the suggestions given above, one thing you should be sure of is the variant of the CryptoLocker. There have been many variants with failures in their implementation of encryption, thereby making it easy to decrypt the files. So, first make sure the infection is from an actual CryptoLocker (e.g. Cryptowall, CTB Locker etc.), and not imposters like DecryptorMax, TeslaCrypt and others.

 
Posted : 15/12/2015 11:10 pm
(@digitalkiwi)
Posts: 3
New Member
 

Crypto ransomware like this usually makes an encrypted copy of the files and then deletes the originals. It is thus sometimes possible to recover some or all of the original files using the normal deleted-file recovery tools / methods.

I would image the disks and then run a file carving tool and see what I could find.

 
Posted : 23/12/2015 5:05 am
jekyll
(@jekyll)
Posts: 60
Trusted Member
 

As anirudhrata says:

be sure of … the variant of the Cryptolocker

We've found many new variants, often poorly implemented, including PowerShell variants, that are circulating at present. They often purport to use PKI, but are in fact using a symmetric key generated on the system with a static seed. There is a reasonable chance you can get data back without paying a ransom in these cases.

With those that have Win7 and earlier infections with PowerShell variants, we are working on a key brute-forcing tool at present, as the implementation is based on a weak random number generator that MS has since updated in later versions of Windows.

 
Posted : 24/12/2015 4:12 pm
(@gorvq7222)
Posts: 229
Reputable Member
 

CryptoLocker is a satire on computers and M$ Windows. People would like to use encryption to protect their data. Ironically some bad guys will use encryption to lock other people's data and give those poor guys a ransom note. What could you do without any backup? Having no backup at all is far beyond my imagination~

I have to admit that CryptoLocker is very dangerous because it looks just like a formal mail such as an inquiry or quotation. No doubt lots of people will click the attachment and CryptoLocker will start to connect to the C&C server to encrypt your data. The dangerous attachment will pretend to be a document file, but actually it's an exe file. Take a look at its file signature and you will know what it is. Everybody should know that .exe files won't work on Linux/Mac and always keep it in mind. One day you have to make the decision to migrate to Linux/Mac for a better tomorrow…

Welcome to the real world, and it's very dangerous whenever your PC/laptop is connected to the internet. How to survive under these circumstances? I have some suggestions as below:
1. Schedule a task to back up your data. Keeping the backup pool offline will be safer. Don't forget to check the backup schedule and logs, and also verify your backup data often.
2. Use Linux/Mac instead of M$ Windows. Of course, if you are not an IT pro, at least you could prepare a VM with Linux installed and check e-mails on that VM…

If you got infected, you should be more patient and keep the original hard drive. Maybe some other day the FBI will again get those bad guys caught and seize those servers. The FBI will release those encryption keys and you could get your data back.

 
Posted : 25/12/2015 6:25 am
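An added example, not code from any poster in this thread, that covers two of the points made above in Python: gorvq7222's advice to look at an attachment's file signature rather than its name, and digitalkiwi's suggestion that originals deleted by the ransomware may be carved back out of a disk image. The type names, the document-extension list and the sample bytes are constructed for this example.

```python
import os

# Leading bytes ("magic") of a few file types. Names are this example's own.
SIGNATURES = {
    "exe": b"MZ",                                 # DOS/PE executable header
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",                         # also .docx/.xlsx containers
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # legacy .doc/.xls
}
PDF_FOOTER = b"%%EOF"
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}

def sniff(data):
    """Name of the signature matching the first bytes, or 'unknown'."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def looks_like_masquerade(filename, data):
    """True when the name claims a document but the bytes are an executable."""
    ext = os.path.splitext(filename.lower())[1]
    return ext in DOCUMENT_EXTENSIONS and sniff(data) == "exe"

def carve_pdfs(image, max_size=1 << 20):
    """Carve PDFs out of a raw image by header/footer: each '%PDF-' up to the
    nearest '%%EOF' within max_size bytes. Encrypted copies written by the
    ransomware carry no such header, so only unencrypted originals match."""
    found, pos = [], 0
    while True:
        start = image.find(SIGNATURES["pdf"], pos)
        if start < 0:
            return found
        end = image.find(PDF_FOOTER, start, start + max_size)
        if end < 0:                      # header without footer: skip it
            pos = start + 1
            continue
        end += len(PDF_FOOTER)
        found.append(image[start:end])
        pos = end

# Constructed sample data: a fake "disk image" holding one deleted-but-intact
# PDF plus a truncated one, and a PE stub named like a quotation document.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer\n%%EOF"
SAMPLE_IMAGE = b"\x00" * 32 + SAMPLE_PDF + b"\xff" * 16 + b"%PDF-1.7 cut" + b"\x00" * 8
SAMPLE_ATTACHMENT = b"MZ\x90\x00" + b"\x00" * 60
```

Run on a real image, `carve_pdfs` only ever returns files that were not yet overwritten, so it is a recovery aid, not a substitute for the offline backups gorvq7222 describes.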
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Welcome to the real world …

😯

… Maybe some other day the FBI will again get those bad guys caught and seize those servers. The FBI will release those encryption keys and you could get your data back.

Yeah, sure, wait for it…. roll

jaclaz

 
Posted : 27/12/2015 6:37 pm
Nicotrel
(@nicotrel)
Posts: 15
Active Member
 

Everybody should know that .exe files won't work on Linux/Mac and always keep it in mind. One day you have to make the decision to migrate to Linux/Mac for a better tomorrow…

So you suggest switching to a Unix-based OS because one might not be able to withstand the temptation of opening a peculiar e-mail attachment?
Do you also opt out of using paper in your office for the off-chance you'd get a paper cut? wink

I LOL'd

If you got infected, you should be more patient and keep the original hard drive. Maybe some other day the FBI will again get those bad guys caught and seize those servers. The FBI will release those encryption keys and you could get your data back.

You might as well wait for the tooth fairy to give you those keys wink

Welcome to the real world …

😯

jaclaz

LOL

 
Posted : 01/01/2016 12:45 am