Ransomware


Bryan Gibson

Dec 10, 2014, 12:40:21 PM
to after-hours-c...@googlegroups.com
Greetings;
I was listening to the radio yesterday and heard the story linked below.  The topic is ransomware, where the malware infection (acquired through the usual means) infects the computer then encrypts the hard drive until the user pays.  If the user does not pay, then the data is lost forever.

I did see some posts much earlier this year about "ransomware" but wanted to find out if anybody has encountered it lately and what steps they've taken to resolve the issue.  I realize the best thing to do is avoid the infection and have a good data backup, but I know I'm preaching to the choir.  :-)  If the trend in the story continues, I'm pretty sure we're all going to face this sort of challenge sooner or later.


Regards,
Bryan Gibson

Randy Blair

Dec 11, 2014, 12:01:34 PM
to after-hours-c...@googlegroups.com
Those are clearly cases of poorly designed LAN security.
My guess is that every user is local admin for their PC and probably for the server too!

John-Paul Damico

Dec 11, 2014, 12:05:53 PM
to after-hours-c...@googlegroups.com
Anyone know if there is an issue with data syncing when this happens?  For instance, can your backup files or synced files also be encrypted when this ransomware takes effect?

Bryan Gibson

Dec 11, 2014, 12:15:59 PM
to after-hours-c...@googlegroups.com
If the above story is true, any storage or network data object connected to the infected computer is at risk. >>The very best defense, he says, is having a backup that's not connected to your machine in any way. Storing things on the cloud or on a USB drive that's plugged into your computer won't cut it.<<

John-Paul Damico

Dec 11, 2014, 12:37:49 PM
to after-hours-c...@googlegroups.com
With that being said, most of those services have shadow copies of the files that date back a month or so.  So, as long as you catch it in that amount of time, you should be able to get those backups back before they were encrypted.

jga...@afterhourscr.com

Dec 11, 2014, 1:01:03 PM
to after-hours-c...@googlegroups.com
Exactly.  I came here to say this.  I work for another IT company for businesses and we've had two clients get hit with CryptoLocker, which is terribly nasty.  One client paid the ransom of $400 and got their data back.  Another client brought their computer in and another tech and I reviewed it.  Each file was encrypted, with a note in each folder with instructions on how to pay the ransom.  We transferred a few Excel and Word files to a flash drive and tried to open them to see if they could be salvaged, and they could not.  I researched a bit and came across a thread talking about shadow copies.  I was fully prepared to boot to WinPE and load a shadow copy file transfer program to see if that would work.  Unfortunately, this was a client that did not have a contract, so they would be billed our hourly rate and decided against it.  Stupid.  There were thousands of tax and business files lost.

There are some good threads on /r/sysadmin on this subject, and obviously the first line of defense for users is a solid backup.  This is often not done for residential clients and sometimes not for business either.  The second line of defense was locking down the %userprofile%\appdata folder.  This is done through group policy and is more of a whitelist to only allow certain programs to run, which is a bitch if the client has multiple line-of-business apps, and this can't be done quickly for a residential client.

JP, does our backup solution protect against cryptolocker/ransomware? I do know that depending on the business and the settings in GP the mapped drives have a chance of being skipped in the encryption, but I've read stories that make me sweat.  If they figure out how to infect cloud storage we are screwed.  I do know that we have versioning so that will probably be the key.

John-Paul Damico

Dec 11, 2014, 1:23:36 PM
to
Yep - IDrive as well as IDrivesync has had versioning for a long while.  I have used it once for AHCR actually.  Works splendidly!

Here is an article where they are addressing it, they rebranded versioning to IDrive Rewind.

LOS ANGELES, Aug. 7, 2014 /PRNewswire/ -- IDrive Inc., reputable online backup and cloud storage provider, is highlighting their IDrive Rewind cloud backup functionality. Rewind is ideal for people wanting to protect their data from new Crypto Virus and ransomware attacks in which data is encrypted by a third party, who then demand fees to unlock that data.

In the wake of recent cases of Crypto Viruses being shut down, an influx of new, and stronger, ransomware is appearing. Critroni, more complex and resilient than the well-known CryptoLocker, both encrypts data faster and makes data recovery even more impossible. Another threat, Simplocker, encrypts data on Android phones and their SD card archives; even data backups stored on the SD card will be useless.

"No one is safe from these Crypto Viruses, especially as the ransomware becomes more complex," says Raghu Kulkarni, CEO of IDrive. "Protecting data with online backup is essential to ensure a copy of the data is secure in an offsite location, unreachable to these Crypto Viruses. It's vital to proactively protect data, so in the event that files are infected or encrypted by a third party, preventing access to users, a recovery option is already in place. Our Rewind functionality is a key feature for users who need to restore data from a previous backup, especially if a more recent backup is infected or corrupt."

IDrive Rewind offers an improved method for accessing and restoring data, providing up to ten previous folder versions. Rewind allows users to dive into their backup history, restoring earlier file or folder versions in bulk rather than one at a time. So, even if the latest file is corrupt, IDrive Rewind enables restoration of earlier unaffected versions.

The feature is part of IDrive's current service offering with no additional cost to utilize the functionality. Rewind is currently available to every active IDrive customer. IDrive offers several account options with competitive pricing plans.

Ryan Telfer

Dec 14, 2014, 7:42:48 PM
to after-hours-c...@googlegroups.com
Sadly, the newer variants of some of the ransomware like CryptoLocker etc. even hose the shadow copies, or wipe them out. If you are lucky and it's infected with one of the original variants of CryptoLocker, then there's a website... https://decryptcryptolocker.com/ that can handle some of the older variants, but some of the more recent, to the best of my knowledge, haven't been cracked yet, and if they don't have a disconnected backup like was previously mentioned, they are looking at either paying or losing the data :(

wra...@afterhourscr.com

Jan 22, 2015, 12:51:15 PM
to after-hours-c...@googlegroups.com
I've run into this twice; the only way I found to get around it is a boot disk. If it's a Windows system, an up-to-date Windows Defender boot disk seems to work well to remove it, but as these become more common and refined this may not work. The two I ran into were similar but hard to remove. They said the computer was locked by the FBI, even locking out Safe Mode, having a screen overlay the desktop and locking out the keyboard and mouse. They were very hard to get rid of.

rjo...@afterhourscr.com

Mar 30, 2015, 5:37:35 PM
to after-hours-c...@googlegroups.com
I just had a customer who has the CBT Locker ransomware installed on his computer. Does anyone know of any good procedures to remove this ransomware and restore encrypted files?

rjo...@afterhourscr.com

Mar 30, 2015, 5:46:22 PM
to after-hours-c...@googlegroups.com
Correction: CTB Locker

John-Paul Damico

Mar 30, 2015, 6:28:06 PM
to after-hours-c...@googlegroups.com
The only thing that I have seen is to try to get the encryption code from https://www.decryptcryptolocker.com/
But if that doesn't work, it's a format, reinstall, and pull from any backups he might have.

Sergio Lopez

Apr 18, 2015, 8:08:34 PM
to after-hours-c...@googlegroups.com
Check this link out.
https://noransom.kaspersky.com/

Kaspersky developed a tool to remove CoinVault ransomware. Hope it helps.

Roger Hopkins

Jun 17, 2015, 4:01:05 PM
to after-hours-c...@googlegroups.com
I've run into CryptoLocker a few times; someone somewhere, I imagine, is getting quite rich off of it...

That being said there really is no way of defeating the encryption. You either need a backup or shadow copies which a lot of times don't work. Sometimes you can get some of the data back using standard recovery tools, but for the most part it's a loss. And yes, your backup system needs versioning, otherwise the backups will be encrypted as well, doing you no good. Likewise RAID mirroring won't help either.
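
As an added illustration of the versioning point made in this post and in the IDrive Rewind write-up earlier in the thread (example code, not the thread's or any vendor's): a small versioned backup store that keeps up to ten versions per file, flags a snapshot in which most files suddenly became high-entropy data, and rewinds the whole tree to the last version before that snapshot. The entropy threshold, the sample files and the simulated ciphertext are constructed assumptions.

```python
# Constructed example for this thread, not IDrive's or any vendor's code.
import hashlib
import math
from collections import defaultdict

MAX_VERSIONS = 10  # the press release quotes "up to ten previous folder versions"

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ciphertext sits near 8, plain text near 4-5."""
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c) if data else 0.0

class VersionedBackup:
    def __init__(self, max_versions: int = MAX_VERSIONS):
        self.max_versions = max_versions
        self.history = defaultdict(list)  # path -> [(generation, bytes), ...]
        self.generation = 0

    def backup(self, files: dict) -> int:
        """Snapshot {path: bytes}; unchanged files are not re-stored."""
        self.generation += 1
        for path, data in files.items():
            versions = self.history[path]
            if not versions or versions[-1][1] != data:
                versions.append((self.generation, data))
                del versions[:-self.max_versions]  # prune beyond the retention limit
        return self.generation

    def mass_encryption_generations(self, min_entropy=7.0, fraction=0.5) -> list:
        """Generations in which at least `fraction` of files gained a high-entropy
        version: the fingerprint of a crypto-locker run hitting a mapped/synced drive."""
        hits = defaultdict(int)
        for gen, data in (v for versions in self.history.values() for v in versions):
            hits[gen] += int(entropy(data) >= min_entropy)
        return [g for g, n in sorted(hits.items()) if n >= fraction * len(self.history)]

    def rewind(self, before_generation: int) -> dict:
        """Bulk restore: for every file, its newest version older than before_generation."""
        older = {p: [d for g, d in v if g < before_generation] for p, v in self.history.items()}
        return {p: d[-1] for p, d in older.items() if d}

def demo() -> dict:
    """Clean backup, then files overwritten in place with simulated ciphertext (hash bytes, not a real cipher), then rewind."""
    store = VersionedBackup()
    clean = {f"docs/file{i}.txt": (f"Invoice {i}, figures attached. " * 40).encode() for i in range(4)}
    store.backup(clean)
    junk = {p: b"".join(hashlib.sha256(p.encode() + bytes([i])).digest() for i in range(40)) for p in clean}
    store.backup(junk)
    flagged = store.mass_encryption_generations()
    return {"clean": clean, "flagged": flagged, "restored": store.rewind(flagged[0]) if flagged else {}}
```

A mirror-only backup (max_versions=1) would keep nothing but the junk, which is the failure mode the post describes.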

Randy Lee

Oct 4, 2015, 1:51:24 AM
to After Hours Computer Repair
One of the best ways to remove ransomware is to use another computer and google the address or bitcoin address with phrases like verification. There is a database online where you can pretend to have paid the ransomware by putting in verification codes that whitehat hackers have discovered, so that you can access the user's computer and remove the virus through their profile in case the virus was profile specific, or just to access Control Panel to get rid of it. A lot of ransomware have this flaw, and after you put in a fake verification code to pretend like you have paid off the ransomware, you are pretty much safe to get rid of it through whatever options you deem necessary. This is really useful if you find the FBI ransomware that tells you to pay money to a random bitcoin address or PayPal account to receive a code to unlock your desktop.