So some genius/rear end in a top hat leaked the original "gib money or no more photos" code, and now script kiddies all over the planet (might be exaggerated) are trying to cash in once again. Awesome. Of course my company doesn't believe in backups of local hard drives because "we have firewall and some guy on TV said that's good". Now I have the first of what I guess could turn out to be a series of notebooks that managed to get infected with a Cryptolocker clone, and the super funny thing this time is, guys are using their own encryption algorithms. So the savior page that went live last year (which let you upload one file to analyze the algorithm and produce a decryption key) is no longer of use, since it doesn't recognize the files from the newest infection as proper Cryptolocker encryption and tells you to shove it. For those who never heard of Cryptolocker, it was a big thing last year. Ransomware. It doesn't simply kill off your files, it encrypts them and then tells you to pay money to have them accessible again. Smart move basically: you don't kidnap someone and send their relatives pictures of the corpse expecting them to pay. You send them a finger first. Or an ear. Or a popup demanding 100 bucks for a decryption key. Any of you goons stumbled over this recently?

Nov 12, 2014 16:04

The "ticket came in" thread gets one about every other page. https://www.decryptcryptolocker.com/

Nov 12, 2014 16:35

Yup, that's the one I mentioned that doesn't work for the infection I have here... tells me that the encryption is not Cryptolocker, since it's a clone most likely.

Nov 12, 2014 16:42

Look on the bright side: your company now believes in backups.

Nov 12, 2014 16:57

Yolomon Wayne posted:
> So some genius/rear end in a top hat leaked the original "gib money or no more photos" code, and now script kiddies all over the planet (might be exaggerated) are trying to cash in once again.

Yup, we've picked up a few clients who got hit by this as well.

Nov 12, 2014 17:29

EkardNT posted:
> Look on the bright side: your company now believes in backups.

Not a chance. We don't even believe in shadow copies anymore.

quote:
> Yup, we've picked up a few clients who got hit by this as well.

Nov 12, 2014 17:45

Yolomon Wayne posted:
> Not a chance.

Well, we've been fortunate in that they had enough backups to reconstruct. Pretty sure you are boned; there are now a number of variants running around, and they only cracked the keys for the original version.

Nov 12, 2014 18:04

Alighieri posted:
> The "ticket came in" thread gets one about every other page.

This only works for files encrypted by the group that got busted by Operation Tovar, I believe.

Nov 12, 2014 18:16

Yolomon Wayne posted:
> So some genius/rear end in a top hat leaked the original "gib money or no more photos" code, and now script kiddies all over the planet (might be exaggerated) are trying to cash in once again.

Do you have a source for this? Trying to get more ammo for my "Holy poo poo, just get CrashPlan to back up these workstations" conversation.

Nov 12, 2014 18:54

Cryptowall is kind of freaking me out. Sure, I can not open attachments, but it's known to hide in malicious ads on perfectly legit websites.

Nov 12, 2014 19:01

Mutar posted:
> Do you have a source for this? Trying to get more ammo for my "Holy poo poo, just get CrashPlan to back up these workstations" conversation.

Not my original source, I can't remember where I found that during my 6-hour session of gathering information... But I think you can't go wrong with this: http://www.cnbc.com/id/101195861?goback=.gde_3959309_member_5807100619516825603#! Especially:

> "Anytime you see an underground business that is doing well, you will always see more people copying it,"

Also, my client got his from a legit company's legit mail server: someone hacked into their Exchange and simply had the server attach the faked files. Genius, basically. I'm left with the cleanup.

EDIT: Think it was this thread on the Norton boards: http://community.norton.com/comment/5978771#comment-5978771 Especially the comments of "Quads" (ignore animu avatar)

Yolomon Wayne fucked around with this message at 11:01 on Nov 13, 2014

Nov 13, 2014 10:55

skooma512 posted:
> Cryptowall is kind of freaking me out. Sure, I can not open attachments, but it's known to hide in malicious ads on perfectly legit websites.

I just re-ran a tape backup job for all my crap specifically because of this poo poo. This is the one nice part about tapes: it's really, really hard to accidentally install malware on the shoebox you keep them in.

Nov 13, 2014 20:38

We've had Cryptolocker and friends hitting clients a lot recently. There was one machine where we could grab unencrypted shadow copies of the files, but just yesterday I looked at one where all the prior shadow copies were nuked. It'd be great if we could block the emails from even getting to people, but the SonicWalls aren't blocking them. We've been sending in samples of the malware, but apparently the signatures keep changing.

Nov 15, 2014 00:21

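The "grab unencrypted shadow copies" step above, scripted. This is an added example, not SentinelXS's code or any tool mentioned in the thread. It enumerates the Volume Shadow Copies for C:, mounts the newest one through a directory symlink to its GLOBALROOT device path, shows a quick before/after comparison, and copies a folder out with robocopy. The mount point, the folder to recover and the destination disk are assumed names; run it from an elevated prompt after the malware process is stopped, and copy to a separate clean disk, never back onto the hit volume.

```powershell
# Added example (not from the thread): pull pre-encryption file versions out of the
# newest Volume Shadow Copy of C:. Assumed values: $mountPoint, $recoverSubdir, $dest.
# Requires an elevated prompt; mklink/rmdir are cmd.exe built-ins.

$driveLetter   = 'C:'
$mountPoint    = 'C:\vss_restore'          # assumption: any unused directory path
$recoverSubdir = 'Users\jdoe\Documents'    # assumption: folder to bring back
$dest          = 'D:\recovered'            # assumption: clean disk, not the hit volume

# Win32_ShadowCopy is keyed by the volume GUID path, so resolve the drive letter first.
$vol     = Get-WmiObject Win32_Volume -Filter "DriveLetter='$driveLetter'"
$shadows = @(Get-WmiObject Win32_ShadowCopy |
             Where-Object { $_.VolumeName -eq $vol.DeviceID } |
             Sort-Object InstallDate -Descending)

if ($shadows.Count -eq 0) {
    # The "all the prior shadow copies were nuked" case: nothing to mount, go to backups.
    Write-Warning "No shadow copies exist for $driveLetter; restore from backup instead."
    return
}

# Show what is available. InstallDate is a WMI datetime string (yyyyMMddHHmmss...),
# which is why sorting it as text above gives newest-first.
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# Mount the newest snapshot. DeviceObject looks like
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3 and MUST get a trailing backslash.
$newest = $shadows[0]
if (Test-Path $mountPoint) { cmd /c rmdir "$mountPoint" | Out-Null }
cmd /c mklink /d "$mountPoint" "$($newest.DeviceObject)\" | Out-Null

# Sanity check before copying: timestamps of the first few files in the snapshot
# versus the live (now encrypted) copies. Snapshot times older than the infection
# and live times clustered around it are what a good snapshot looks like.
Get-ChildItem "$mountPoint\$recoverSubdir" -File | Select-Object -First 5 |
    ForEach-Object {
        $live = Join-Path "$driveLetter\$recoverSubdir" $_.Name
        [pscustomobject]@{
            File         = $_.Name
            SnapshotTime = $_.LastWriteTime
            LiveTime     = if (Test-Path $live) { (Get-Item $live).LastWriteTime } else { 'missing' }
        }
    } | Format-Table -AutoSize

# Copy out. /XJ avoids following junctions back onto the live volume; /R:1 /W:1 keeps
# one locked or damaged file from stalling the whole run.
New-Item -ItemType Directory -Path $dest -Force | Out-Null
robocopy "$mountPoint\$recoverSubdir" "$dest\$recoverSubdir" /E /XJ /R:1 /W:1 /LOG+:"$dest\vss_restore.log"

# Remove only the symlink; the shadow copy itself is untouched.
cmd /c rmdir "$mountPoint" | Out-Null
```

Two caveats a practitioner should keep in mind. First, a snapshot only helps if it predates the infection; ransomware that runs with admin rights normally deletes them outright (vssadmin delete shadows), which is one concrete reason not to give users local admin. Second, the VSS diff area is a ring buffer: the sheer volume of writes during encryption can evict older snapshots even when nothing deletes them deliberately, so "no shadow copies" does not always mean the malware targeted them.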
SentinelXS posted:
> We've had Cryptolocker and friends hitting clients a lot recently. There was one machine where we could grab unencrypted shadow copies of the files, but just yesterday I looked at one where all the prior shadow copies were nuked.

If you're a reasonably large firm, look into Bit9 for protection. My firm uses it, and our malware tickets are a once-a-month thing for 4k users. I think the minimum it allows is 100 seats.

Nov 15, 2014 00:37

gently caress this thing. We had about 10 businesses in the past week or so get this. The variants are getting past everything. Hooray for good backups, but this poo poo seriously SUCKS. I can see in a year most businesses will simply not be on the internet if they want to function.

Nov 15, 2014 00:53

Philthy posted:
> gently caress this thing. We had about 10 businesses in the past week or so get this. The variants are getting past everything. Hooray for good backups, but this poo poo seriously SUCKS. I can see in a year most businesses will simply not be on the internet if they want to function.

If viruses were going to drive businesses to air-gap, it already would have happened. There are pretty substantial benefits to being online, so in the end businesses will suck it up and pay for a decent backup solution. If you have backups, it's only slightly more annoying than any other virus.

And really, air-gapping isn't a total solution either; it just makes it a little more difficult to spread. Before internet connectivity, floppy disks were a major vector. USB sticks are pretty loving insecure; if air gaps became common then viruses would spread by that. And you bet your rear end an air-gapped business is going to be plugging in USB sticks like there's no tomorrow.

Hypothetical "airgap variant": spreads via USB stick, with a (say) 2-week trigger latency or a fixed trigger time to help it spread. Rather than sending the decryption key back to a C&C server and deleting it from the victim's PC, it encrypts the decryption key (with the hacker's public key) and leaves an encrypted copy on the victim's machine. You have to send the encrypted decryption key back to the hacker along with your ransom, and he uses his private key to decrypt it for you.

Paul MaudDib fucked around with this message at 02:54 on Nov 16, 2014

Nov 16, 2014 01:05

Also, air-gapping will do jack poo poo when your hard drive/RAID controller inevitably crashes and takes all your unprotected data with it.

Nov 16, 2014 17:59

What's the standard delivery mechanism for most of these, malicious code in ad networks?

Nov 16, 2014 19:19

psydude posted:
> What's the standard delivery mechanism for most of these, malicious code in ad networks?

Always download Flash Player from download.flashplayerfree.com

Nov 16, 2014 19:40

psydude posted:
> What's the standard delivery mechanism for most of these, malicious code in ad networks?

That's how one of our folks got hit. Went to Yahoo and a Flash ad infected them. Not sure if their Flash was fully patched, or if it was an unknown exploit. I've disabled Java and Flash in all of my browsers, installed Secunia PSI to make sure all my apps are patched, and unmapped any network drives I had. I also moved all my documents to my OneDrive. The only additional thing I think I'm going to do is disconnect my external drive that takes weekly image backups of my machine when it's not being used. I can't wait until a big portal gets sued for serving up malicious ads. They don't even bother scanning the ad content first.

edit: and why haven't we figured out a way for this poo poo to run in a sandbox-type environment yet?

skipdogg fucked around with this message at 20:08 on Nov 16, 2014

Nov 16, 2014 20:04

Paul MaudDib posted:
> If viruses were going to drive businesses to air-gap, it already would have happened. There are pretty substantial benefits to being online, so in the end businesses will suck it up and pay for a decent backup solution. If you have backups, it's only slightly more annoying than any other virus.

Businesses are not going to be able to afford a few grand every other week to restore data, and to get their practice software back to running shape, and to go through the past days' transactions all over again. The latest variants are not just encrypting Office files. They're getting nearly everything. Nothing about these is "slightly more annoying".

Nov 16, 2014 20:58

Philthy posted:
> Businesses are not going to be able to afford a few grand every other week to restore data, and to get their practice software back to running shape, and to go through the past days' transactions all over again. The latest variants are not just encrypting Office files. They're getting nearly everything.

Are there individual businesses getting hit repeatedly every other week? Or is this something hypothetical? Because I can hardly imagine a business functioning without Internet access if they have more than a single physical location they are based out of.

Nov 16, 2014 21:23

Philthy posted:
> Businesses are not going to be able to afford a few grand every other week to restore data, and to get their practice software back to running shape, and to go through the past days' transactions all over again. The latest variants are not just encrypting Office files. They're getting nearly everything.

If you are getting hit with a couple grand worth of infections "every other week" and you aren't investing a paltry sum into a backup system, you deserve to be run out of business for Not Being Able To Take A Hint. Losing internet access is going to impair you much more than the cost of a backup system. If you are losing $3,000 every two weeks, you can buy an awful lot of backup system for $78,000 a year.

Paul MaudDib fucked around with this message at 21:54 on Nov 16, 2014

Nov 16, 2014 21:46

Philthy posted:
> Businesses are not going to be able to afford a few grand every other week to restore data, and to get their practice software back to running shape, and to go through the past days' transactions all over again. The latest variants are not just encrypting Office files. They're getting nearly everything.

Any business should be protecting their whole LOB with file AND image-based backups. File for the sanity of it, images for the recovery speed. Granted, an alarming number of businesses that should, don't, but that has zero to do with the validity of your statement. Do you realize that you're speaking in a forum populated to a majority extent by professionals who, day in and day out, actually research, plan, implement, and maintain the real-world cases you're hypothesizing about?

vvv Edit: See, now, that post below is much better formed and would have served the conversation better had you made it initially rather than the hyperbole you offered.

Tapedump fucked around with this message at 22:33 on Nov 16, 2014

Nov 16, 2014 22:26

Office files are easiest to restore, yeah, it is trivial. Restoring applications is not as easy, and often takes vendor tweaking to get everything back into shape to the point where the business can start re-entering all the data for the missed time, and going over all the transactions that have already been processed between the time of the backup and the time the virus hit. I am not just talking restores here; there is so, so much more that a business has to deal with once they are back up and going. Financial, inventory, scheduling, re-scheduling visits that were canceled while they were down; everything needs to be redone, corrected, and fixed. The cost of all this beyond just an IT guy is high.

Philthy fucked around with this message at 22:35 on Nov 16, 2014

Nov 16, 2014 22:30

I was under the impression that you could protect yourself from it and its variants by adding in some GPOs to prevent exes running. Or by using AppLocker, if you were in a Win7 environment, to lock out unsigned programs.

Nov 17, 2014 10:58

I imagine the overlap on the Venn diagram of "companies who don't take backup seriously" and "companies that see no value in central management of end-user systems" is quite high.

Nov 17, 2014 11:51

A few months after I left, the company I used to network admin at got cryptolocked. Backups? They have this stupid setup where they back up individual PCs to a farm of Synology units using Retrospect, which is (like all backup software) a terrible piece of software. However, they do store some things on a file server (why not everything? Users are too stupid to trust or retrain. Exact words from the IT Director). So just run the risk of losing everyone's data? Alright! I got in so many huge fights with him about that. Also, after I left I found a VP's computer wasn't being backed up regularly and her HD crashed, losing everything for the last 4 months. Duh.

Anyway, back to my story about Cryptolocker. They were using NOD32 for antivirus, but I'm not sure what computer actually infected their system. But sure enough, the backups of the file server weren't working, and they had to pay like $2,000 to get their files back. Ouch. They never hired a qualified administrator after I left and "promoted" one of the lovely helpdesk guys to admin, who didn't know how to keep things running.

Nov 17, 2014 14:57

Bob Morales posted:
> A few months after I left, the company I used to network admin at got cryptolocked.

They should have just paid Cryptolocker the $300.

Nov 17, 2014 15:58

Don Lapre posted:
> They should have just paid Cryptolocker the $300.

Whatever hacker group they got the virus from wanted 2k.

Nov 17, 2014 16:13

spog posted:
> I was under the impression that you could protect yourself from it and its variants by adding in some GPOs to prevent exes running.

The GPO option can affect users' programs though; specifically, the Click-to-Run versions of the latest Office can poo poo the bed on you.

Nov 17, 2014 16:58

nthalp posted:
> The GPO option can affect users' programs though; specifically, the Click-to-Run versions of the latest Office can poo poo the bed on you.

Unless the GPOs have changed substantially since I last looked, couldn't you explicitly whitelist the Office files you need?

Nov 17, 2014 19:23

We have a client get hit by Cryptowall every week when a new variation rolls around. I'd love for someone to correct me, but as far as we can tell, there is no PERFECT solution to block Cryptowall or any future variants. Sure, GPO restrictions may help, but then they will just avoid the folders like %AppData%. OpenDNS is great, but every client that has been hit is using them... they just changed the variant to encrypt before sending to C&C, so even if it can't contact the C&C you're still hosed. If anyone wants to enlighten me with a perfect solution for MSPs I'd be flabbergasted; we can't come up with one.

Nov 17, 2014 19:49

Not running as local admin, and not allowing applications to execute from inside the user profile, I thought covered most bases? If you're supporting customers who want local admin for everyone and no restrictions then I guess you're hosed.

Nov 17, 2014 19:53

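The AppLocker approach that spog raised and l0pez suggested for the Click-to-Run problem (whitelist the Office files explicitly), as an added example. This is not code from the thread, from CryptoPrevent or from Microsoft. It builds a local AppLocker executable policy from the three default Allow rules plus publisher rules generated from the Office binaries actually on disk, and leaves everything else, including an .exe dropped into %AppData% or any other folder a variant moves to, denied by default. Because the Office rule is keyed on the signer rather than a path, there is no per-folder Deny rule to collide with components Click-to-Run runs out of the user profile. The Office install path and the Windows edition are assumptions; the policy starts in AuditOnly so nothing is blocked until the audit log has been reviewed.

```powershell
# Added example; not the thread's, CryptoPrevent's or Microsoft's code. Builds a local
# AppLocker Exe policy: three default Allow rules (Program Files, Windows, Administrators
# anywhere) plus publisher rules for the installed Office binaries. Anything else is
# DeniedByDefault. Assumptions: Win7 Enterprise/Ultimate or later (Pro cannot enforce
# AppLocker), elevated PowerShell, Office 2013 Click-to-Run under $officeDir.

Import-Module AppLocker

$officeDir  = 'C:\Program Files\Microsoft Office 15'   # assumption: C2R 2013 root
$policyFile = "$env:ProgramData\applocker-base.xml"

# 1. Base policy with the default rules only. Once an Exe collection has any rule,
#    AppLocker denies every executable that no Allow rule matches.
$base = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Default: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Default: Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Default: Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyFile -Value $base -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyFile           # no -Merge: replaces the local policy

# 2. Office whitelist from the binaries on disk. A publisher rule is tied to the signer
#    and product, not to a folder, so Office components that Click-to-Run executes from
#    the user profile still pass, and it survives updates (a hash rule breaks on every
#    patch). -Optimize collapses per-file rules into one per publisher/product; Hash is
#    the fallback for any unsigned file.
$officeInfo  = Get-AppLockerFileInformation -Directory $officeDir -Recurse -FileType Exe
$officeRules = New-AppLockerPolicy -FileInformation $officeInfo -RuleType Publisher,Hash -User Everyone -Optimize
Set-AppLockerPolicy -PolicyObject $officeRules -Merge

# 3. AppLocker evaluates nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 4. Check the effective policy from a standard user's point of view. calc.exe is
#    Microsoft-signed but is not an Office product, so a copy in the user's Temp folder
#    must come back DeniedByDefault; Word from its install directory must be Allowed.
$probe = Join-Path $env:TEMP 'renamed_calc.exe'
Copy-Item -Path "$env:WINDIR\System32\calc.exe" -Destination $probe -Force
Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -User Everyone `
    -Path $probe, "$officeDir\root\Office15\WINWORD.EXE" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $probe

# 5. In AuditOnly, event 8003 records what WOULD have been blocked. Only switch
#    EnforcementMode to "Enabled" once this list contains no line-of-business apps.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap
```

Two things follow from how this is built. The "they will just avoid %AppData%" objection does not apply, because a default-deny whitelist never asks which folder the file is in, only who signed it or what its hash is. And the third default rule is why the local-admin point matters: a user who is a member of Administrators matches the "*" Allow rule and runs anything, so the policy only protects accounts that are not local admins. The deliberate trade-off is that a genuinely Office-signed binary would be allowed wherever it sits; if that is unacceptable, AppLocker does support Deny rules that beat Allow, but a path-based Deny on the profile is exactly the configuration nthalp saw break Click-to-Run, so test it in audit mode first.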
Bob Morales posted:
> A few months after I left, the company I used to network admin at got cryptolocked.

Speaking of which, what is decent backup software these days? Does it exist? I need automated images of a few PCs tossed to a NAS on a weekly schedule, that's it.

Nov 17, 2014 21:37

The Gunslinger posted:
> Speaking of which, what is decent backup software these days? Does it exist? I need automated images of a few PCs tossed to a NAS on a weekly schedule, that's it.

We use Veeam where I'm at now; it's cool I guess.

Nov 17, 2014 21:51

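For The Gunslinger's stated need (a weekly image of a few PCs to a NAS) without buying anything, here is an added example using the wbadmin that ships with Windows. It is not from the thread and is not Veeam's or any vendor's code. The point that matters for ransomware is in the setup, not the backup command: the job runs under a dedicated account that is the only principal allowed to write to the share, so the share is never a mapped drive in the user's session where the malware runs. The share name, the account name and the schedule are hypothetical.

```powershell
# Added example, not from the thread and not any vendor's code: weekly system image
# of a workstation to a NAS share via wbadmin, run by a dedicated account so no
# user-mapped drive (the thing ransomware encrypts) is involved. Assumptions: Windows
# 7/8 Pro or later (wbadmin with network targets), elevated PowerShell, the share
# \\nas01\wsimages and the account CORP\wsbackup are hypothetical.

$share     = '\\nas01\wsimages'            # assumption: NAS share, writable ONLY by $runAs
$runAs     = 'CORP\wsbackup'                # assumption: dedicated account, member of local Backup Operators
$scriptDir = "$env:ProgramData\WsBackup"
$script    = "$scriptDir\image.ps1"

New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null

# The job script. A dated subfolder per run keeps several generations; wbadmin
# overwrites in place when pointed at the same network folder every time.
@'
$stamp  = Get-Date -Format 'yyyy-MM-dd'
$target = "\\nas01\wsimages\$env:COMPUTERNAME\$stamp"
New-Item -ItemType Directory -Path $target -Force | Out-Null
# -allCritical: OS and boot volumes for bare-metal restore; -include:C: adds the data
# volume; -quiet: no interactive confirmation. The task's own identity authenticates
# to the share, so there is no -user/-password on the command line or on disk.
& wbadmin start backup -backupTarget:$target -include:C: -allCritical -quiet
$rc = $LASTEXITCODE
"$(Get-Date -Format s) rc=$rc target=$target" | Add-Content "$env:ProgramData\WsBackup\image.log"
exit $rc
'@ | Set-Content -Path $script -Encoding UTF8

# Lock the script down: only SYSTEM and Administrators can change what the job runs;
# the backup account only needs to read it.
icacls $scriptDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${runAs}:(OI)(CI)RX" | Out-Null

# Register the weekly task. /rp * prompts for the account password once; Task Scheduler
# stores it, the script never sees it. /rl HIGHEST because wbadmin requires elevation
# even for a Backup Operators member.
schtasks /create /f /tn 'Weekly system image' `
    /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script" `
    /sc weekly /d SUN /st 02:00 /ru $runAs /rp * /rl HIGHEST

# Verification sweep over the NAS: which hosts have no image from the last 8 days?
# This is the check that catches "the backups weren't working" before you need them.
Get-ChildItem -Path $share -Directory | ForEach-Object {
    $latest = Get-ChildItem -Path $_.FullName -Directory | Sort-Object Name -Descending | Select-Object -First 1
    $age    = if ($latest) { (New-TimeSpan -Start ([datetime]$latest.Name) -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{
        Host        = $_.Name
        LatestImage = $latest.Name
        AgeDays     = $age
        Stale       = ($null -eq $age -or $age -gt 8)
    }
} | Format-Table -AutoSize
```

The share ACL is the control that does the work: if the backup account is the only identity that can write to \\nas01\wsimages and users never have it mapped, a dropper running as the user has no path to the images, no matter how many file types the variant of the week goes after. Dated folders on the share grow without bound, so prune old ones on the NAS side (or let a NAS snapshot feature keep history and point wbadmin at a fixed folder instead). Finally, an image nobody has restored from is a hypothesis; run a `wbadmin get versions -backupTarget:<folder>` against a recent one and do a test file restore before the day you actually need it.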
Does Cryptolocker affect Macs or Linux boxes?

Nov 17, 2014 23:28

Lord Windy posted:
> Does Cryptolocker affect Macs or Linux boxes?

If the developer wants it to, there is no reason why it can't. I believe the original had an OS X version.

Nov 17, 2014 23:52

This is a slick little program that sets all the local GPOs. Seems to work well, and free even for commercial use. I have not tried their subscription yet though. https://www.foolishit.com/vb6-projects/cryptoprevent/

Nov 18, 2014 01:11

What an unfortunate URL

Nov 18, 2014 03:04