Yolomon Wayne
Jun 10, 2014

You call it "The Big Bang", but what really happened is


Grimey Drawer

So some genius/rear end in a top hat leaked the original "gib money or no more photos" code, and now script kiddies all over the planet (might be exaggerated) are trying to cash in once again.
Awesome.
Of course my company doesn't believe in backups of local hard drives because "we have a firewall and some guy on TV said that's good".

Now I have the first of what I guess could turn out to be a series of notebooks that managed to get infected with a Cryptolocker clone, and the super funny thing this time is that the guys are using their own encryption algorithms. So the savior page that went live last year (which let you upload one file to analyze the algorithm and produce a decryption key) is no longer of any use, since it doesn't recognize the files from the newest infection as proper Cryptolocker encryption and tells you to shove it.

For those who never heard of Cryptolocker, it was a big thing last year. Ransomware. It doesn't simply kill off your files, it encrypts them and then tells you to pay money to have them accessible again. Smart move, basically: you don't kidnap someone and send their relatives pictures of the corpse expecting them to pay. You send them a finger first. Or an ear. Or a popup demanding 100 bucks for a decryption key.

Any of you goons stumbled over this recently?


Alighieri
Dec 10, 2005


:dukedog:



The ticket came in thread gets one about every other page.

https://www.decryptcryptolocker.com/

Yolomon Wayne
Jun 10, 2014

You call it "The Big Bang", but what really happened is


Grimey Drawer

Yup, that's the one I mentioned that doesn't work for the infection I have here... tells me that the encryption is not Cryptolocker, since it's a clone most likely.

EkardNT
Mar 31, 2011


Look on the bright side: your company now believes in backups.

Maneki Neko
Oct 27, 2000



Yolomon Wayne posted:

So some genius/rear end in a top hat leaked the original "gib money or no more photos" code, and now script kiddies all over the planet (might be exaggerated) are trying to cash in once again.
Awesome.
Of course my company doesn't believe in backups of local hard drives because "we have a firewall and some guy on TV said that's good".

Now I have the first of what I guess could turn out to be a series of notebooks that managed to get infected with a Cryptolocker clone, and the super funny thing this time is that the guys are using their own encryption algorithms. So the savior page that went live last year (which let you upload one file to analyze the algorithm and produce a decryption key) is no longer of any use, since it doesn't recognize the files from the newest infection as proper Cryptolocker encryption and tells you to shove it.

For those who never heard of Cryptolocker, it was a big thing last year. Ransomware. It doesn't simply kill off your files, it encrypts them and then tells you to pay money to have them accessible again. Smart move, basically: you don't kidnap someone and send their relatives pictures of the corpse expecting them to pay. You send them a finger first. Or an ear. Or a popup demanding 100 bucks for a decryption key.

Any of you goons stumbled over this recently?

Yup, we've picked up a few clients who got hit by this as well. :(

Yolomon Wayne
Jun 10, 2014

You call it "The Big Bang", but what really happened is


Grimey Drawer

EkardNT posted:

Look on the bright side: your company now believes in backups.

Not a chance.
We don't even believe in shadow copies anymore :razz:

quote:

Yup, we've picked up a few clients who got hit by this as well.
That smiley at the end implies you didn't have much luck either?

Maneki Neko
Oct 27, 2000



Yolomon Wayne posted:

Not a chance.
We don't even believe in shadow copies anymore :razz:

That smiley at the end implies you didn't have much luck either?

Well, we've been fortunate in that they had enough backups to reconstruct. Pretty sure you are boned, there's now a number of variants running around, and they only cracked the keys for the original version.

Don Lapre
Mar 28, 2001

If you're having problems you're either holding the phone wrong or you have tiny girl hands.


Alighieri posted:

The ticket came in thread gets one about every other page.

https://www.decryptcryptolocker.com/

This only works for files encrypted by the group that got busted by Operation Tovar, I believe.

Altimeter
Sep 10, 2003




Yolomon Wayne posted:

So some genius/rear end in a top hat leaked the original "gib money or no more photos" code, and now script kiddies all over the planet (might be exaggerated) are trying to cash in once again.
Awesome.


Do you have a source for this? Trying to get more ammo for my "Holy poo poo just get crashplan to back up these workstations" conversation.

skooma512
Feb 8, 2012

You couldn't grok my race car, but you dug the roadside blur.


Cryptowall is kind of freaking me out. Sure, I can not open attachments, but it's known to hide in malicious ads on perfectly legit websites.

Yolomon Wayne
Jun 10, 2014

You call it "The Big Bang", but what really happened is


Grimey Drawer

Mutar posted:

Do you have a source for this? Trying to get more ammo for my "Holy poo poo just get crashplan to back up these workstations" conversation.

Not my original source, I can't remember where I found that during my 6-hour session of gathering information...
But I think you can't go wrong with this:
http://www.cnbc.com/id/101195861?goback=.gde_3959309_member_5807100619516825603#!

Especially

quote:

"Anytime you see an underground business that is doing well, you will always see more people copying it,"

Also, my client got his from a legit company's legit mail server; someone hacked into their Exchange and simply had the server attach the faked files.
Genius, basically. I'm left with the cleanup.

EDIT:

Think it was this thread on the norton boards:
http://community.norton.com/comment/5978771#comment-5978771
Especially the comments of "Quads" (ignore animu avatar)

Yolomon Wayne fucked around with this message at 10:01 on Nov 13, 2014

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA


skooma512 posted:

Cryptowall is kind of freaking me out. Sure, I can not open attachments, but it's known to hide in malicious ads on perfectly legit websites.

I just re-ran a tape backup job for all my crap specifically because of this poo poo. This is the one nice part about tapes, it's really really hard to accidentally install malware on the shoebox you keep them in.

SentinelXS
Aug 30, 2009

Why don't you make like a tree, and FUCK OFF?

We've had Cryptolocker and friends hitting clients a lot recently. There was one machine where we could grab unencrypted shadow copies of the files, but just yesterday I looked at one where all the prior shadow copies were nuked.

It'd be great if we could block the emails from even getting to people, but the SonicWalls aren't blocking them. We've been sending in samples of the malware but apparently the signatures keep changing.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA


SentinelXS posted:

We've had Cryptolocker and friends hitting clients a lot recently. There was one machine where we could grab unencrypted shadow copies of the files, but just yesterday I looked at one where all the prior shadow copies were nuked.

It'd be great if we could block the emails from even getting to people, but the SonicWalls aren't blocking them. We've been sending in samples of the malware but apparently the signatures keep changing.

If you're a reasonably large firm, look into Bit9 for protection. My firm uses it, and our malware tickets are a once-a-month thing for 4k users. I think the minimum it allows is 100 seats.

Philthy
Jan 28, 2003



Pillbug

gently caress this thing. We had about 10 businesses in the past week or so get this. The variants are getting past everything. Hooray for good backups, but this poo poo seriously SUCKS. I can see in a year most businesses will simply not be on the internet if they want to function.

Paul MaudDib
May 2, 2006

"Tell me of your home world, Usul"


Philthy posted:

gently caress this thing. We had about 10 businesses in the past week or so get this. The variants are getting past everything. Hooray for good backups, but this poo poo seriously SUCKS. I can see in a year most businesses will simply not be on the internet if they want to function.

If viruses were going to drive businesses to air-gap it already would have happened. There are pretty substantial benefits to being online, so in the end businesses will suck it up and pay for a decent backup solution. If you have backups, it's only slightly more annoying than any other virus.

And really, air-gapping isn't a total solution either, it just makes it a little more difficult to spread. Before internet connectivity, floppy disks were a major vector. USB sticks are pretty loving insecure; if air gaps became common then viruses would spread by that. And you bet your rear end an air-gapped business is going to be plugging in USB sticks like there's no tomorrow.

Hypothetical "airgap variant" - spreads via USB stick, with a (say) 2-week trigger latency or a fixed trigger time to help it spread. Rather than sending the decryption key back to a C&C server and deleting it from the victim's PC, it encrypts the decryption key (with the hacker's public key) and leaves an encrypted copy on the victim's machine. You have to send the encrypted decryption key back to the hacker along with your ransom, and he uses his private key to decrypt it for you.

Paul MaudDib fucked around with this message at 01:54 on Nov 16, 2014

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!


Also, airgapping will do jack poo poo when your hard drive/RAID controller inevitably crashes and takes all your unprotected data with it.

psydude
Mar 31, 2008

Perry'd.


What's the standard delivery mechanism for most of these, malicious code in ad networks?

Don Lapre
Mar 28, 2001

If you're having problems you're either holding the phone wrong or you have tiny girl hands.


psydude posted:

What's the standard delivery mechanism for most of these, malicious code in ad networks?

Always download flash player from download.flashplayerfree.com

skipdogg
Nov 29, 2004
Resident SRT-4 Expert


psydude posted:

What's the standard delivery mechanism for most of these, malicious code in ad networks?

That's how one of our folks got hit. Went to Yahoo and a flash ad infected them. Not sure if their Flash was fully patched, or if it was an unknown exploit.

I've disabled Java and Flash in all of my browsers, installed Secunia PSI to make sure all my apps are patched, and unmapped any network drives I had. I also moved all my documents to my OneDrive.

The only additional thing I think I'm going to do is disconnect my external drive that takes weekly image backups of my machine when it's not being used.

I can't wait until a big portal gets sued for serving up malicious ads. They don't even bother scanning the ad content first.

edit: and why haven't we figured out a way for this poo poo to run in a sandbox type environment yet?

skipdogg fucked around with this message at 19:08 on Nov 16, 2014

Philthy
Jan 28, 2003



Pillbug

Paul MaudDib posted:

If viruses were going to drive businesses to air-gap it already would have happened. There's pretty substantial benefits to being online, so in the end businesses will suck it up and pay for a decent backup solution. If you have backups, it's only slightly more annoying than any other virus.

Businesses are not going to be able to afford a few grand every other week to restore data, to get their practice software back to running shape, and to go through the past days' transactions all over again. The latest variants are not just encrypting Office files. They're getting nearly everything.

Nothing about these is "slightly more annoying".

Mo_Steel
Mar 7, 2008

Let's Clock Into The Sunset Together



Fun Shoe

Philthy posted:

Businesses are not going to be able to afford a few grand every other week to restore data, to get their practice software back to running shape, and to go through the past days' transactions all over again. The latest variants are not just encrypting Office files. They're getting nearly everything.

Nothing about these is "slightly more annoying".

Are there individual businesses getting hit repeatedly every other week? Or is this something hypothetical? Because I can hardly imagine a business functioning without Internet access if they have more than a single physical location they are based out of.

Paul MaudDib
May 2, 2006

"Tell me of your home world, Usul"


Philthy posted:

Businesses are not going to be able to afford a few grand every other week to restore data, to get their practice software back to running shape, and to go through the past days' transactions all over again. The latest variants are not just encrypting Office files. They're getting nearly everything.

Nothing about these is "slightly more annoying".

If you are getting hit with a couple grand worth of infections "every other week" and you aren't investing a paltry sum into a backup system, you deserve to be run out of business for Not Being Able To Take A Hint.

Losing internet access is going to impair you much more than the cost of a backup system. If you are losing $3,000 every two weeks - you can buy an awful lot of backup system for $78,000 a year.

Paul MaudDib fucked around with this message at 20:54 on Nov 16, 2014

Tapedump
Aug 31, 2007


College Slice

Philthy posted:

Businesses are not going to be able to afford a few grand every other week to restore data, to get their practice software back to running shape, and to go through the past days' transactions all over again. The latest variants are not just encrypting Office files. They're getting nearly everything.

Huh? :confused: Since when are (non-foolish, relevant) backups only handling Office files? Are you posting from a decade ago?

Any business should be protecting their whole LOB with file AND image-based backups. File for the sanity of it, images for the recovery speed.

Granted, an alarming number of businesses that should, don't, but that has zero to do with the validity of your statement.

Do you realize that you're speaking in a forum populated to a majority extent by professionals who, day in and day out, actually research, plan, implement, and maintain the real world cases you're hypothesizing about?


vvv Edit: See, now, that post below is much better formed and would have served the conversation better had you made it initially rather than the hyperbole you offered.

Tapedump fucked around with this message at 21:33 on Nov 16, 2014

Philthy
Jan 28, 2003



Pillbug

Office files are easiest to restore, yeah, it is trivial. Restoring applications is not as easy, and often takes vendor tweaking to get everything back into shape to the point where the business can start re-entering all the data for the missed time, and going over all the transactions that have already been processed between the time of the backup and the time the virus hit. I am not just talking restores here, there is so so much more that a business has to deal with once they are back up and going. Financial, inventory, scheduling, re-scheduling visits that were canceled while they were down, everything needs to be redone, corrected, and fixed. The cost of all this beyond just an IT guy is high.

Philthy fucked around with this message at 21:35 on Nov 16, 2014

spog
Aug 7, 2004

It's your own bloody fault.


I was under the impression that you could protect yourself from it and its variants by adding in some GPOs to prevent exes running.

Or by using AppLocker if you were in a Win7 environment to lock out unsigned programs.

Thanks Ants
May 21, 2004

#essereFerrari




I imagine the overlap on the Venn diagram of "companies who don't take backup seriously" and "companies that see no value in central management of end-user systems" is quite high.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



A few months after I left, the company I used to network admin at got cryptolocked.

Backups? They have this stupid setup where they back up individual PCs to a farm of Synology units using Retrospect, which is (like all backup software) a terrible piece of software.

However, they do store some things on a file server (why not everything? "Users are too stupid to trust or retrain." Exact words from the IT Director). So just run the risk of losing everyone's data? Alright! I got in so many huge fights with him about that. Also after I left I found a VP's computer wasn't being backed up regularly and her HD crashed, losing everything for the last 4 months. Duh.

Anyway, back to my story about Cryptolocker. They were using NOD32 for antivirus but I'm not sure what computer actually infected their system. But sure enough, the backups of the file server weren't working, and they had to pay like $2,000 to get their files back. Ouch. They never hired a qualified administrator after I left and 'promoted' one of the lovely helpdesk guys to admin, who didn't know how to keep things running.

Don Lapre
Mar 28, 2001

If you're having problems you're either holding the phone wrong or you have tiny girl hands.


Bob Morales posted:

A few months after I left, the company I used to network admin at got cryptolocked.

Backups? They have this stupid setup where they back up individual PCs to a farm of Synology units using Retrospect, which is (like all backup software) a terrible piece of software.

However, they do store some things on a file server (why not everything? "Users are too stupid to trust or retrain." Exact words from the IT Director). So just run the risk of losing everyone's data? Alright! I got in so many huge fights with him about that. Also after I left I found a VP's computer wasn't being backed up regularly and her HD crashed, losing everything for the last 4 months. Duh.

Anyway, back to my story about Cryptolocker. They were using NOD32 for antivirus but I'm not sure what computer actually infected their system. But sure enough, the backups of the file server weren't working, and they had to pay like $2,000 to get their files back. Ouch. They never hired a qualified administrator after I left and 'promoted' one of the lovely helpdesk guys to admin, who didn't know how to keep things running.

They should have just paid cryptolocker the $300

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



Don Lapre posted:

They should have just paid cryptolocker the $300

Whatever hacker group they got the virus from wanted 2k.

TehRedWheelbarrow
Mar 16, 2011





Fan of Britches

spog posted:

I was under the impression that you could protect yourself from it and its variants by adding in some GPOs to prevent exes running.

Or by using AppLocker if you were in a Win7 environment to lock out unsigned programs.

The GPO option can affect users' programs though; specifically, the Click-to-Run versions of the latest Office can poo poo the bed on you.

Pedestrian Xing
Jul 18, 2007



nthalp posted:

The GPO option can affect users' programs though; specifically, the Click-to-Run versions of the latest Office can poo poo the bed on you.

Unless the GPOs have changed substantially since I last looked, couldn't you explicitly whitelist the Office files you need?

dox
Mar 4, 2006


We have a client get hit by Cryptowall every week when a new variation rolls around.

I'd love for someone to correct me but as far as we can tell, there is no PERFECT solution to block Cryptowall or any future variants. Sure, GPO restrictions may help but then they will just avoid the folders like %AppData%. OpenDNS is great but every client that has been hit is using them... they just changed the variant to encrypt before sending to C&C so even if it can't contact the C&C you're still hosed.

If anyone wants to enlighten me with a perfect solution for MSPs I'd be flabbergasted; we can't come up with one.
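
A behaviour-based complement to the signature and DNS-filtering approaches dox describes above, added here as an illustration (it is not code from the thread or from any product named in it): instead of recognising a particular variant or its C&C domain, the script watches for what every file-encrypting ransomware has to do on a share, rewriting many files in a short burst with ciphertext-like content under new extensions, and touching planted canary files that no human should edit. The share path, user names, canary location, thresholds and the file-change events themselves are constructed sample data; in practice the events would come from whatever file-server auditing is already in place.

```python
"""Behaviour-based ransomware tripwire over file-change events (added illustration).

Assumptions: events come from existing file-server auditing (who wrote what,
where, when, and the bytes written); all paths, users and thresholds here are
constructed for the example.
"""
import hashlib
import math
import ntpath
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

ENTROPY_THRESHOLD = 7.0   # bits per byte; documents and source sit far below, ciphertext near 8
BURST_WINDOW_SECS = 30.0  # how long a user's suspicious rewrites are remembered
BURST_THRESHOLD = 5       # suspicious rewrites inside the window that raise an alert
# Decoy files no human should ever rewrite; any write to one is an alert on its own.
CANARY_PATHS = {r"\\fs01\shared\!DO_NOT_EDIT.docx"}  # constructed path


@dataclass
class FileEvent:
    ts: float                       # seconds since some epoch
    user: str                       # account that performed the write
    path: str                       # path after the operation
    data: bytes = b""               # bytes written
    old_path: Optional[str] = None  # previous name when the write was also a rename


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious_rewrite(ev: FileEvent) -> bool:
    """Encrypted-and-renamed: ciphertext-like content replacing a file under a new extension.

    Requiring both conditions keeps a user copying a folder of photos or zips
    (high entropy, unchanged names) from counting; variants that keep the
    original file name are left to the canary check.
    """
    if ev.old_path is None:
        return False
    renamed = ntpath.splitext(ev.old_path)[1].lower() != ntpath.splitext(ev.path)[1].lower()
    return renamed and shannon_entropy(ev.data) >= ENTROPY_THRESHOLD


class RansomwareTripwire:
    def __init__(self) -> None:
        self._recent: Dict[str, Deque[float]] = {}  # per-user timestamps of suspicious rewrites

    def process(self, ev: FileEvent) -> List[Tuple[str, str]]:
        alerts: List[Tuple[str, str]] = []
        if ev.path in CANARY_PATHS or ev.old_path in CANARY_PATHS:
            alerts.append((ev.user, "canary-modified"))
        if is_suspicious_rewrite(ev):
            window = self._recent.setdefault(ev.user, deque())
            window.append(ev.ts)
            while window and ev.ts - window[0] > BURST_WINDOW_SECS:
                window.popleft()
            if len(window) >= BURST_THRESHOLD:
                alerts.append((ev.user, f"encryption-burst:{len(window)}"))
                window.clear()  # alert once per burst, then start counting again
        return alerts


def run(events: List[FileEvent]) -> List[Tuple[str, str]]:
    """Feed events through the tripwire in time order and collect (user, reason) alerts."""
    tripwire = RansomwareTripwire()
    alerts: List[Tuple[str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        alerts.extend(tripwire.process(ev))
    return alerts


def _ciphertext_like(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def sample_events() -> List[FileEvent]:
    """Constructed activity: alice works normally, mallory's session encrypts the share."""
    report = b"Quarterly report: revenue up, costs flat. " * 60
    events = [
        FileEvent(0.0, "alice", r"\\fs01\shared\report.docx", report),
        # high-entropy but not renamed (a photo save): must not count
        FileEvent(5.0, "alice", r"\\fs01\shared\photo.jpg", _ciphertext_like(4096, b"jpg")),
    ]
    for i in range(6):
        events.append(FileEvent(100.0 + i * 0.5, "mallory",
                                rf"\\fs01\shared\invoice{i}.xlsx.encrypted",
                                _ciphertext_like(4096, f"invoice{i}".encode()),
                                old_path=rf"\\fs01\shared\invoice{i}.xlsx"))
    events.append(FileEvent(104.0, "mallory", r"\\fs01\shared\!DO_NOT_EDIT.docx.encrypted",
                            _ciphertext_like(4096, b"canary"),
                            old_path=r"\\fs01\shared\!DO_NOT_EDIT.docx"))
    return events


if __name__ == "__main__":
    for user, reason in run(sample_events()):
        print(f"ALERT {user}: {reason}")
```

On the constructed sample the burst rule fires at mallory's fifth rewrite and the canary rule fires separately when the decoy is touched, while alice's photo save passes because nothing was renamed. The point of the design is that nothing in it depends on which variant is running or whether it can reach its C&C server, which is exactly the gap dox describes; the cost is that thresholds need tuning per environment, and the alert still has to be wired to something that cuts the offending session's share access quickly.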

Thanks Ants
May 21, 2004

#essereFerrari




Not running as local admin, and not allowing applications to execute from inside the user profile I thought covered most bases? If you're supporting customers who want local admin for everyone and no restrictions then I guess you're hosed.
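
Here is what the "no execution from inside the user profile" setup Thanks Ants describes above, together with Pedestrian Xing's whitelisting question, looks like as an AppLocker policy (the Windows 7 Enterprise/Ultimate-and-later option spog mentioned). This is an added example, not something from the thread or from CryptoPrevent; the cmdlets, path variables, event-log name and event ID are AppLocker's own, while the rule names, the exception directory and the probe file are assumptions, and the policy is written in audit mode so it can be checked before anything is enforced.

```powershell
# Added illustration: allow-list AppLocker policy covering the "don't run code
# from the user profile" advice, rolled out in audit mode first.
# Needs an elevated PowerShell on a Windows edition that includes AppLocker.
Import-Module AppLocker

# Only Allow rules. AppLocker blocks anything no Allow rule matches, so the user
# profile (AppData, Downloads, Temp) is denied implicitly. Do NOT add an explicit
# Deny for %OSDRIVE%\Users\*: in AppLocker a Deny always beats an Allow, so the
# whitelist exceptions added below could never win against it.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow local administrators everywhere" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'profile-lockdown.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Exceptions for legitimate software that lives inside the profile (the
# Click-to-Run / per-user installer problem raised above): publisher rules
# generated from the real binaries, so they survive updates. The directory is
# an assumption; use whatever the audit log shows being blocked.
$exceptionDir = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'
$exceptionPath = Join-Path $env:TEMP 'profile-exceptions.xml'
if (Test-Path $exceptionDir) {
    Get-AppLockerFileInformation -Directory $exceptionDir -Recurse -FileType Exe |
        New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize -Xml |
        Set-Content -Path $exceptionPath -Encoding UTF8
}

# Dry run before touching any GPO: a system binary that must stay allowed, and a
# harmless copy of notepad dropped into the roaming profile standing in for a
# dropper. The copy in AppData should come back denied because no Allow rule
# matches it; the original in System32 should be allowed.
$systemNotepad = Join-Path $env:WINDIR 'System32\notepad.exe'
$probe = Join-Path $env:APPDATA 'applocker-probe\notepad.exe'
New-Item -ItemType Directory -Path (Split-Path $probe) -Force | Out-Null
Copy-Item $systemNotepad $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path $systemNotepad, $probe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally in audit mode (-Merge keeps rules already present) and make sure
# the Application Identity service runs, or AppLocker evaluates nothing at all.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
if (Test-Path $exceptionPath) {
    Set-AppLockerPolicy -XmlPolicy $exceptionPath -Merge
}

# Event 8003 = "would have been blocked" under audit. Anything legitimate here
# needs an Allow rule before EnforcementMode is switched to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Leave it in AuditOnly for a week or two of normal use, turn every legitimate 8003 into a publisher rule, and only then flip the collection to Enabled; that audit pass is what turns "the GPO option can break Office" from a surprise on users' desks into a line in a log. The Exe collection alone does not cover scripts, installers or DLLs, so the same exercise is needed for those collections if the goal is to stop droppers rather than just the final payload.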

The Gunslinger
Jul 24, 2004

Do not forget the face of your father.

Fun Shoe

Bob Morales posted:

A few months after I left, the company I used to network admin at got cryptolocked.

Backups? They have this stupid setup where they backup individual PC's to a farm of Synology units using Retrospect which is (like all backup software) a terrible piece of software.

Speaking of which, what is decent backup software these days? Does it exist? I need automated images of a few PCs tossed to a NAS on a weekly schedule, that's it.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



The Gunslinger posted:

Speaking of which, what is decent backup software these days? Does it exist? I need automated images of a few PCs tossed to a NAS on a weekly schedule, that's it.

We use Veeam where I'm at now, it's cool I guess.

Lord Windy
Mar 26, 2010


Does Cryptolocker affect Macs or Linux boxes?

Don Lapre
Mar 28, 2001

If you're having problems you're either holding the phone wrong or you have tiny girl hands.


Lord Windy posted:

Does Cryptolocker affect Macs or Linux boxes?

If the developer wants it to, there is no reason why it can't. I believe the original had an OS X version.

somecallmetim
Mar 30, 2004



This is a slick little program that sets all the local GPOs. Seems to work well, and it's free even for commercial use. I have not tried their subscription yet though.

https://www.foolishit.com/vb6-projects/cryptoprevent/


Thanks Ants
May 21, 2004

#essereFerrari




What an unfortunate URL
