
CryptoLocker

16 Posts
13 Users
0 Likes
619 Views
ccvishnu
(@ccvishnu)
Posts: 1
New Member
Topic starter
 

Hi All.

Just came across an interesting piece of work. One of our clients has a 2TB NAS drive on their server containing all company emails/documents, which was compromised a week back.

All the files (user documents) were encrypted; they could not access any of the files since they won't open without being decrypted. They have been sent web links which take them to a page asking for a ransom of $700 per file and a time period for the ransom amount, else it would be doubled. We cannot trace the IP as they are behind TOR.

Unfortunately they don't have a backup of any of this data. Been doing a lot of R&D and I haven't come across a solution. Most of them suggest to pay / forget the data, reformat / be secure from henceforth.

If any of you have any suggestions / similar circumstances, please post. Thank you

Rgds
ccvish

 
Posted : 15/12/2015 1:41 pm
Gremoui
(@gremoui)
Posts: 6
Active Member
 

Can you provide the information about the campaign? What is the webpage? What is the contact address? What kind of NAS is it (Synology?)?

 
Posted : 15/12/2015 3:18 pm
keydet89
(@keydet89)
Posts: 3578
Famed Member
 

I've seen stories of organizations getting hit and paying up…this has applied to at least one law enforcement organization so far, that I've seen. I've also seen folks hit with variants, paying, and then not getting a key to unlock their files.

So, I guess the question is, how important are these files? Are they worth the $700/file? If so, pay it, unlock the files, and do a better job with your information security.

I'm going to guess that since the files weren't backed up, they weren't really important to begin with…so maybe just write them off and reformat?

 
Posted : 15/12/2015 5:04 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The stories I've heard from people who were actually caught by CryptoLocker or one of its common variants had a ransom of around $300/400 for a decryption key for all files; if it is 700 per file, it is a new approach 😯 that sounds extremely stupid.
I mean, 300/400 US$ to exit the situation is something that most people will be able to pay; US$ 700 multiplied by, say, 1,000 files amounts to something no one will ever pay.

jaclaz

 
Posted : 15/12/2015 5:22 pm
anirudhrata
(@anirudhrata)
Posts: 17
Active Member
 

Apart from the suggestions given above, one thing you should be sure of is the variant of the CryptoLocker. There have been many variants with failures in their implementation of encryption, thereby making it easy to decrypt the files. So, first make sure the infection is from an actual CryptoLocker (e.g. Cryptowall, CTB Locker, etc.), and not imposters like DecryptorMax, TeslaCrypt and others.

 
Posted : 15/12/2015 11:10 pm
DigitalKiwi
(@digitalkiwi)
Posts: 3
New Member
 

Crypto ransomware like this usually makes an encrypted copy of the files and then deletes the originals. It is thus sometimes possible to recover some or all of the original files using the normal deleted-file recovery tools / methods.

I would image the disks and then run a file carving tool and see what I could find.

 
Posted : 23/12/2015 5:05 am
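A minimal signature-based carver illustrating DigitalKiwi's point, added here as an example and not code from the original thread: the ransomware's encrypted copy carries no recognisable magic bytes, but the deleted original still sits in unallocated space and can be found by its header/footer pair. The disk image, the PDF/JPEG samples and the XOR "encryption" are all constructed for the demo.

```python
import re

# Constructed sample "disk image": a PDF and a JPEG whose directory entries were
# removed by the ransomware, plus the encrypted copy it left behind in their place.
# Nothing here comes from a real case.
PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF"
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
ENCRYPTED = bytes(b ^ 0x5A for b in PDF)  # toy stand-in for the encrypted copy
IMAGE = (b"\x00" * 512 + PDF + b"\x00" * 100 + ENCRYPTED
         + b"\x00" * 64 + JPEG + b"\x00" * 512)

# Header/footer signatures for the types we want to carve, compiled over bytes
# so they run directly on a raw image.
SIGNATURES = {
    "pdf":  (re.compile(rb"%PDF-\d\.\d"), re.compile(rb"%%EOF")),
    "jpeg": (re.compile(rb"\xff\xd8\xff[\xe0-\xef]"), re.compile(rb"\xff\xd9")),
}

# Leading bytes used to identify a blob; an encrypted copy matches none of them.
MAGIC = {b"MZ": "exe", b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip/docx"}


def identify(data):
    """Return the file type suggested by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def carve(image, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Return (type, offset, data) for every header whose footer follows within max_size."""
    found = []
    for kind, (head, tail) in signatures.items():
        for m in head.finditer(image):
            start = m.start()
            end = tail.search(image, start, start + max_size)
            if end:
                found.append((kind, start, image[start:end.end()]))
    return sorted(found, key=lambda f: f[1])


if __name__ == "__main__":
    print("encrypted copy looks like:", identify(ENCRYPTED))
    for kind, offset, data in carve(IMAGE):
        print(f"carved {kind} at offset {offset}, {len(data)} bytes")
```

On a real image the same approach runs over the raw device or E01 export; files that were fragmented or whose sectors have since been overwritten will not come back intact.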
jekyll
(@jekyll)
Posts: 60
Trusted Member
 

As anirudhrata says

be sure of … the variant of the Cryptolocker

We've found many new variants, often poorly implemented, including PowerShell variants, that are circulating at present. They often purport to use PKI, but are in fact using a symmetric key generated on the system with a static seed. There is a reasonable chance you can get data back without paying a ransom in these cases.

With those that have Win7 and earlier infections with PowerShell variants, we are working on a key brute-forcing tool at present, as the implementation is based on a weak random number generator that MS has since updated in later versions of Windows.

 
Posted : 24/12/2015 4:12 pm
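A toy model of the flaw jekyll describes, added as an example (not the variant's code and not jekyll's tool): when the symmetric key comes from a PRNG seeded with a low-entropy value, the defender can enumerate the seed space and use a known file header as the check. The stream cipher, the 16-bit seed space and the sample document are assumptions made for the demo.

```python
import random

SEED_BITS = 16            # toy assumption: a 16-bit seed space, enumerable in seconds
KNOWN_HEADER = b"%PDF-"   # every PDF starts with this, so it serves as known plaintext


def keystream(seed, length):
    """Keystream from a seeded PRNG: same seed, same stream, which is the whole weakness."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def toy_encrypt(plaintext, seed):
    """Models the weak variant: a symmetric stream cipher keyed only by the seed."""
    return xor(plaintext, keystream(seed, len(plaintext)))


def recover_seed(ciphertext, header=KNOWN_HEADER, seed_bits=SEED_BITS):
    """Try every seed; the right one turns the first bytes back into the known header."""
    for seed in range(1 << seed_bits):
        if xor(ciphertext[:len(header)], keystream(seed, len(header))) == header:
            return seed
    return None


def recover_file(ciphertext):
    """Decrypt a file without the ransom key, or return None if no seed fits."""
    seed = recover_seed(ciphertext)
    if seed is None:
        return None
    return toy_encrypt(ciphertext, seed)  # XOR stream cipher: decrypt is encrypt


# Constructed sample: a small document encrypted with a seed the author believed secret.
SAMPLE_PLAINTEXT = b"%PDF-1.4\n% constructed sample document\n%%EOF"
SAMPLE_SEED = 0xBEEF
SAMPLE_CIPHERTEXT = toy_encrypt(SAMPLE_PLAINTEXT, SAMPLE_SEED)

if __name__ == "__main__":
    print("recovered seed:", hex(recover_seed(SAMPLE_CIPHERTEXT)))
    print(recover_file(SAMPLE_CIPHERTEXT).decode())
```

With a properly generated 128-bit key the same loop would never finish, which is why confirming the variant, as anirudhrata says, matters before anyone pays.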
gorvq7222
(@gorvq7222)
Posts: 227
Reputable Member
 

CryptoLocker is a satire on computers and M$ Windows. People would like to use encryption to protect their data. Ironically, some bad guys will use encryption to lock other people's data and give those poor guys a ransom note. What could you do without any backup? Having no backup at all is far beyond my imagination.

I have to admit that CryptoLocker is very dangerous because it looks just like a formal mail such as an inquiry or quotation. No doubt lots of people will click the attachment and CryptoLocker will start to connect to the C&C server to encrypt your data. The dangerous attachment will pretend to be a document file, but actually it's an exe file. Take a look at its file signature and you will know what it is. Everybody should know that an .exe file won't work on Linux/Mac and always keep it in mind. One day you have to make the decision to migrate to Linux/Mac for a better tomorrow…

Welcome to the real world: it's very dangerous whenever your PC/laptop is connected to the internet. How to survive under these circumstances? I have some suggestions below:
1. Schedule a task to back up your data. Keeping the backup pool offline will be safer. Don't forget to check the backup schedule and logs, and also verify your backup data often.
2. Use Linux/Mac instead of M$ Windows. Of course, if you are not an IT pro, at least you could prepare a VM with Linux installed and check e-mails on that VM…

If you got infected, you should be more patient and keep the original hard drive. Maybe some other day the FBI will again get those bad guys caught and seize those servers. The FBI will release those encryption keys and you could get your data back.

 
Posted : 25/12/2015 6:25 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Welcome to the real world …

😯

… Maybe some other day the FBI will again get those bad guys caught and seize those servers. The FBI will release those encryption keys and you could get your data back.

Yeah, sure, wait for it…

jaclaz

 
Posted : 27/12/2015 6:37 pm
Nicotrel
(@nicotrel)
Posts: 15
Active Member
 

Everybody should know that an .exe file won't work on Linux/Mac and always keep it in mind. One day you have to make the decision to migrate to Linux/Mac for a better tomorrow…

So you suggest switching to a Unix-based OS because one might not be able to withstand the temptation of opening a peculiar e-mail attachment?
Do you also opt out of using paper in your office for the off chance you'd get a paper cut?

I LOL'd

If you got infected, you should be more patient and keep the original hard drive. Maybe some other day the FBI will again get those bad guys caught and seize those servers. The FBI will release those encryption keys and you could get your data back.

You might as well wait for the tooth fairy to give you those keys.

Welcome to the real world …

😯

jaclaz

LOL

 
Posted : 01/01/2016 12:45 am
sgreene2991
(@sgreene2991)
Posts: 77
Trusted Member
 

If you got infected, you should be more patient and keep the original hard drive. Maybe some other day the FBI will again get those bad guys caught and seize those servers. The FBI will release those encryption keys and you could get your data back.

I certainly won't be holding my breath for that, and neither should you. IF these guys are caught (slim to zero chance of that happening), they have no incentive to release your data.

 
Posted : 01/01/2016 3:11 am
S3cureMe
(@s3cureme)
Posts: 1
New Member
 

Hello All.

Does anyone know the best way to analyse / discover PC > C&C traffic using only the hard drive as a source of information?

Specifically which C&C web sites the "virus" communicated to.

I presume there will be reg entries with C&C details. Where would I be able to find this information?

Thanks in advance.

 
Posted : 06/01/2016 11:08 am
dacorr
(@dacorr)
Posts: 8
Active Member
 

Hello All.

Does anyone know the best way to analyse / discover PC > C&C traffic using only the hard drive as a source of information?

Specifically which C&C web sites the "virus" communicated to.

I presume there will be reg entries with C&C details. Where would I be able to find this information?

Thanks in advance.

This depends a great deal on the situation surrounding the device and the malware. Assuming malware has been confirmed on the device, it depends on what type of malware it is and whether there is just a single type, as well as how long it has been there.

Also, how the machine was obtained can impact this: if the power was cut, some memory-resident samples may be lost.

C2C details are often stored in memory and can be harvested that way, although some samples are hard coded into the malware to obtain configuration details. If you only have the HDD of a possibly infected machine, your best bet would be to locate the malicious samples and construct a timeline.

Once located, I would conduct behavioural analysis on the malware in a suitable environment to identify the IOC details you need. I would also consider network logs and any monitoring tools, if available.

Dac

 
Posted : 14/02/2016 3:32 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hmmm. ?

http://www.acronymfinder.com/C%26C.html
http://www.acronymfinder.com/C2C.html

I am in doubt between
Command and Conquer Coast to Coast
and
Cash and Carry Cash to Cash

With IOC it is easy
http://www.acronymfinder.com/IOC.html
it must be Indirect Operating Costs …

For NO apparent reason
http://www.forensicfocus.com/Forums/viewtopic/p=6561872/

jaclaz

 
Posted : 14/02/2016 6:46 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

IOC = Indicator Of Compromise

 
Posted : 14/02/2016 7:10 pm