Re: [H] Ransomware, File Recovery, Bitcoin, Oh My!

2018-07-19 Thread Joe User
This is a great time to reinforce the need to do backups. Since it's a 
sensitive thing - you need to judge how to deliver the news but it's 
critical. Now more than ever before.


Couple of things. I'd save the data - LATER you might be able to get the 
drive unlocked. Don't allow them to waste the money on the unlock. The 
way I understand it, it's infrequent that they actually unlock it. In 
fact, by now the point at which they could be contacted might have been 
already shut down or compromised (more likely) by other 'hackers'. Just 
do not give in to paying. Better to wait. JMHO.


I got lucky with a client that got hit with this, about a year earlier I 
really was adamant that they get into some sort of automated backup. 
They took an online (sorry, CLOUD) backup that I was able to resell. It 
paid for itself FOUR times over (so far)! Anyway, sorry for you & client



On 7/18/2018 3:00 PM, Thane K. Sherrington wrote:
I know someone with no backups who recently had his entire computer 
encrypted with the .arrow variant of Dharma (.cezar Family).  (BTW, this 
isn't me.)


There is apparently no way to decrypt without paying the ransom or 
recovering deleted files.


So two questions:

1) Does anyone know if the ransomware encryption encrypts the file to a 
new file, then deletes the old one (giving me the possibility of deleted 
file recovery)?  If so, what software is recommended for a Windows NTFS 
system (so far, Recuva and R-Studio have found squat).


2) If he decides to pay the ransom and take his chances, what are legit 
sites to purchase bitcoin (never done that before)?


T





Re: [H] Ransomware, File Recovery, Bitcoin, Oh My!

2018-07-19 Thread Scott Sipe
My office was hit by this exact same kind of attack. It came in through RDP
over a nonstandard port. Started encrypting a multi-terabyte network share
before I physically pulled the plug. Luckily had a backup from 24h before.
Lesson: RDP exposed anywhere on the internet is NEVER safe. All covered
with VPN and IP restrictions now.

Sigh.

Scott



Re: [H] Ransomware, File Recovery, Bitcoin, Oh My!

2018-07-18 Thread lopaka polena
I do use RDP frequently but never through default ports. Bummer there's no
way to fix it without paying and no guarantee even if you pay. I still do
hardcopy backups onto blu-ray discs at times because I can't afford to lose
certain things to NAS failure or malware

lopaka



Re: [H] Ransomware, File Recovery, Bitcoin, Oh My!

2018-07-18 Thread Thane K. Sherrington
There are a whole bunch of free decryptors available, but not for this 
variant.  Basically, when the criminal group gets taken down, often they 
get the key and then the AV company makes a freeware program for 
people.  Very nice of them.


Some useful pages I've found during this mess:

https://id-ransomware.malwarehunterteam.com/index.php

https://heimdalsecurity.com/blog/ransomware-decryption-tools/

T










Re: [H] Ransomware, File Recovery, Bitcoin, Oh My!

2018-07-18 Thread Thane K. Sherrington
Thanks Lopaka.  This appears to have been a hack through an open RDP 
port - there's a lesson there somewhere... :)


T








Re: [H] Ransomware, File Recovery, Bitcoin, Oh My!

2018-07-18 Thread lopaka polena
https://support.kaspersky.com/viruses/utility

Never tried any of these but did read an article where they tested some of
these and were able to recover some users' files

lopaka



Re: [H] Ransomware, File Recovery, Bitcoin, Oh My!

2018-07-18 Thread lopaka polena
There was a freeware CoinVault decrypter from Kaspersky that HardOCP talked
about way back when. I don't know if it would work for that variant.

lopaka



Re: [H] Ransomware, File Recovery, Bitcoin, Oh My!

2018-07-18 Thread Winterlight
> 1) Does anyone know if the ransomware encryption encrypts the file to a new file, then deletes the old one (giving me the possibility of deleted file recovery)?  If so, what software is recommended for a Windows NTFS system (so far, Recuva and R-Studio have found squat).

I am surprised it encrypted the entire drive. Everything I have read or been told, it involved the user files. I have never heard of a single instance where the victim was able to recover their files without the key. I have read about people who pay up but still don't get the key, which didn't surprise me. Even large companies, hospitals, and government agencies have been unable to overcome this, and usually pay up. I bet a lot of IT employees lose their jobs over being so unprepared to deal with this.

> 2) If he decides to pay the ransom and take his chances, what are legit sites to purchase bitcoin (never done that before)?

I have read that the ransom note often tells the victim how to go about getting and transferring bitcoin. Which makes a lot of sense given that bitcoin is so esoteric and most of the victims are naive about basic PC stuff. I have also heard of bitcoin machines in places like NYC. There are legit banking sites online to do this... I would Google it. I understand that I think it is Citibank that now deals with bitcoin.

Sorry I don't have the answers you are looking for, and too bad they can't put these criminals in prison for a very long time.



Re: [H] Ransomware, File Recovery, Bitcoin, Oh My!

2018-07-18 Thread lopaka polena
Coinbase for bitcoin purchase. I always keep an offline backup (2nd NAS -
only booted up once a month or so to copy important stuff and kept
off/unpowered the rest of the time) just in case I ever get hit with one of
these, but running through linux firewall and good malware software has
kept me safe so far.

lopaka





RE: [H] Ransomware

2006-04-17 Thread Mesdaq, Ali
We were the first to discover Ransomware :-) way back about half a year
or more ago

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Winterlight
Sent: Monday, April 17, 2006 4:27 PM
To: hardware@hardwaregroup.com
Subject: [H] Ransomware


http://www.foxnews.com/story/0,2933,187845,00.html

Computer Virus Demands Ransom for Encrypted Files
Wednesday, March 15, 2006
By Ryan Naraine

Virus hunters have discovered a new Trojan that encrypts files on an 
infected computer and then demands $300 in ransom for a decryption
password.

The Trojan, identified as Cryzip, uses a commercial zip library to store the victim's documents inside a password-protected zip file and leaves step-by-step instructions on how to pay the ransom to retrieve the files.

It is not yet clear how the Trojan is being distributed, but security researchers say it was part of a small e-mail spam run that successfully evaded anti-virus scanners by staying below the radar.

"While this type of attack, known as ransomware, is not entirely new, it points to an increasing level of sophistication among online thieves who use social engineering tactics to trick victims into installing malware," said Shane Coursen, senior technical consultant at Moscow-based anti-virus vendor Kaspersky Lab.

The LURHQ Threat Intelligence Group, based in Chicago, was able to crack the encryption code used in the Cryzip Trojan and determine how the files are encrypted and the payment mechanism that has been set up to collect the $300 ransom.

According to a LURHQ advisory, Cryzip searches an infected hard drive for a wide range of widely used file types, including Word, Excel, PDF and JPG images.

Once commandeered, the files are zipped and overwritten by the text: "Erased by Zippo! GO OUT!!!"

The Trojan then deletes all the files, leaving only the encrypted file with the original file name, followed by the _CRYPT.ZIP extension.

A new directory named AUTO_ZIP_REPORT.TXT is created with specific instructions on how to use the E-Gold online currency and payment system to send ransom payments.

The instructions, which are marked by misspellings and poor grammar, contain the following text: "Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enought password. You can not guess the password for your archived files - password lenght is more then 10 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations)."

The owner of the infected machine is warned not to search for the program that encrypted the data, claiming that it simply doesn't exist on the hard drive.

"If you really care about documents and information in encrypted files you can pay using electonic currency $300," the note says. "Reporting to police about a case will not help you, they do not know password. Reporting somewhere about our E-Gold account will not help you to restore files. This is your only way to get yours files back."

The Trojan author uses scores of E-Gold accounts simultaneously to get around potential shutdowns, according to LURHQ, which published the complete list of E-Gold accounts in the advisory.

Officials from E-Gold, which operates out of the Caribbean island of Nevis, were not available for comment.

"Infection reports are not widespread, so it is not believed this is a mass threat by any means," LURHQ said.

However, the company said social engineering malware is typically more successful when it is delivered in low volume to get around anti-virus detections.

"[M]ore attention means the likely closing of the accounts used for the anonymous money transfer," LURHQ said.
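As an added example (not code from the thread, from LURHQ or from the article), a small Python triage script that walks a directory for the Cryzip artefacts the article describes: the `_CRYPT.ZIP` archives, the `AUTO_ZIP_REPORT.TXT` note, and originals overwritten with the "Erased by Zippo! GO OUT!!!" marker. It also gives a concrete answer to the thread's question 1 for this strain: an original that was overwritten in place is beyond undelete tools, whereas one that was merely deleted might still be recoverable. The sample directory tree and the note text are constructed inline; the marker and file names come from the article.

```python
import os
import tempfile
from pathlib import Path

# Indicators as described in the LURHQ advisory quoted in the article above.
CRYPT_SUFFIX = "_CRYPT.ZIP"
NOTE_NAME = "AUTO_ZIP_REPORT.TXT"
OVERWRITE_MARKER = b"Erased by Zippo! GO OUT!!!"
ZIP_MAGIC = b"PK\x03\x04"  # local file header that opens a zip archive


def triage_cryzip(root):
    """Walk `root` and collect Cryzip-style artefacts as a dict of path lists:
    'archives'    files named <original>_CRYPT.ZIP that carry a zip header
    'overwritten' files whose whole content is the 'Erased by Zippo' marker,
                  i.e. originals overwritten in place (undelete cannot help)
    'notes'       ransom notes named AUTO_ZIP_REPORT.TXT
    """
    found = {"archives": [], "overwritten": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            upper = name.upper()
            if upper == NOTE_NAME:
                found["notes"].append(str(path))
            elif upper.endswith(CRYPT_SUFFIX):
                with open(path, "rb") as fh:
                    if fh.read(len(ZIP_MAGIC)) == ZIP_MAGIC:
                        found["archives"].append(str(path))
            elif path.stat().st_size <= len(OVERWRITE_MARKER) + 2:
                # Only a tiny file can be the bare marker; larger files are skipped.
                with open(path, "rb") as fh:
                    if fh.read().strip() == OVERWRITE_MARKER:
                        found["overwritten"].append(str(path))
    return found


def recovery_outlook(found):
    """Thread question 1, answered for this strain: 'overwritten' means the
    plaintext was destroyed before deletion, so undelete tools find only the
    marker; 'deleted' means indicators exist but no overwritten original was
    seen, so undelete is at least worth trying; 'clean' means no indicators."""
    if found["overwritten"]:
        return "overwritten"
    if found["archives"] or found["notes"]:
        return "deleted"
    return "clean"


def build_sample_tree():
    """Constructed sample tree, not real malware output: one document that was
    zipped and overwritten but not yet deleted, its archive, the note, and an
    untouched file. Returns the temporary root directory."""
    root = Path(tempfile.mkdtemp(prefix="cryzip-triage-"))
    (root / "budget.xls").write_bytes(OVERWRITE_MARKER)
    (root / "budget.xls_CRYPT.ZIP").write_bytes(ZIP_MAGIC + b"\x00" * 26)  # stub header only
    (root / NOTE_NAME).write_text("constructed stand-in for the E-Gold payment note\n")
    (root / "readme.txt").write_text("untouched file\n")
    return root


if __name__ == "__main__":
    result = triage_cryzip(build_sample_tree())
    for kind, paths in result.items():
        print(f"{kind}: {len(paths)}")
    print("outlook:", recovery_outlook(result))
```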