Restarted my Windows Server the other day, to discover my files locked and a message on my desktop about how they want 1 Bitcoin (~ 590 AUD) to unlock it. I don't use Anti-Virus, because I'm very careful, and haven't had any viruses in my 3 years of doing it. That changes this year.
Lost about 2TB / 8TB of my data, as it only hit one drive, and the boot SSD.
Noticed my friends were asking a tonne of questions, so curious, anyone want to ask anything about it? Just shoot.
Bonus points if you run a different operating system inside the VM. If the ransomware wants to "escape" from the VM, it has to compromise TWO operating systems - the OS running inside the VM, and the parent OS.
Pretty sure this is bunk, cause he had the server running inside a VM!
The main reason to have a VM is to put a "wall" between some programs and the rest of your system. Running a server inside a VM does not do this, because you have to "poke a hole" in the wall, because you WANT your server to have access to all of your system!
As the ransomware came in from the internet, the solution is to put the "wall" around the programs that connect to the internet. Web browsers, email programs and torrent programs are the main dangers for most people.
If all your internet-connected programs are inside a VM, then normally they can only access the virtual disk space inside the VM - not your entire filesystem. Same with any malware that comes in through your internet-connected programs. It will exist inside your VM, but can't get out unless you manually copy it out, and you should do any copying from OUTSIDE the VM. Never give access to your entire filesystem to the VM.
Note that the VM thing has to be done on ALL of the computers connected to your network. If you decide to run a torrent program or web browser outside the VM, and it has access to your network, your files can still be compromised.
Note also that ransomware and/or viruses can also be put inside media files, accessing flaws in your media player. This is where a good anti-virus scanning program is needed, you should scan all files that you copy from inside the VM to outside the VM.
Uh, I like the idea of running inside a VM. Sounds viable !
I should have said that ALL of your internet-connected programs should be inside the VM, not just web browsers. In this case, the malware came in through a torrent program.
The "problem" they have with Linux is that even if it's made to run on LINUX, it will be locked out easy. Linux will not install or execute files without proper admin permissions.
Also, in Ubuntu (for example) you just type: "sudo apt-get install clamav" and that's it. You have a free antivirus, updated to date and no worries.
EVEN if you get locked out in Linux, just put a new disk/usb in and run it from that, reinstall OS or copy everything you need and your done. No hassle.
Looks like Crytolocker trojan. Do not copy any files from your hard drive or from USB drive to Computer. The best way is to if you have backed up your data format the hard drive and restor your last good known copy from USB drive.
Do not try to backup your drive at this instance as the system is already infected.
https://malwaretips.com/blogs/remove-cryptolocker-virus/
The encrypted files cannot be decrypted so forget about recovering them anymore.
KASPERSKY BOOT CD OR DVD SHOULD IS HELPFUL IN GETTING RID OF THE TROJAN PROCESS . Belive me its good to format the system and re-install OS. :-)
It's already pointed out it's not cryptolocker, but rather a much newer generation that was created in the last months or so. And nobody is quite sure what it is or who created it — just some random Anon with a bitcoin account.
Cryptolocker is already shut down… but many others are on the rise. If you are brave enough to delve into the deep web and into the TOR network, you might even be able to download a crypto trojan from the publisher and deploy to earn some money (of course, the publisher takes most of the profits). That's how prevalent the problem is — it's basically a criminal industry.
antivirus wont help with what seems to be the most common vector for these attacks, drive-by infections from flash/java exploits run in ads.
disable plugins and require authorisation to run in chrome or whatever you use. I use AV but it's been largely ineffective over the 20+ years I've been using pcs. Knowing when a source is dodgy and could potentially be infected is the best defence, but these drive-by infections use different attack vectors and get elevated permissions without you ever having to run anything.
If its something like Cryptolocker then you are out of luck. Format the drive and start again. Your files will be gone. No way to recover unless you have a backup.
Hi Guys I'm a first time poster here.
Just before Christmas my company was hit with a crypto variant taking out approx 216GB of files on 2 network shares replicated between Syd and Mel.
Even with cloud based email scanning, server + desktop scanning etc, etc, this thing comes down to user error and clicking on a Word document (or similar) that had a macro (the person enabled macro's, then executed the macro so in total a 3 step process to make the payload download from the web and execute) embedded. The macro is changed enough each time for the virus signature not to pick it up. Even when we submitted the infected file to the likes of Sophos, Symantec etc, etc it took them about 3-5 days to start blocking.
We did a full network share restore that took almost 36 hours to complete to get our files back.
For those at home run the free backup program from Veeam called "Veeam Endpoint Backup FREE" and buy yourself a portable USB hard drive. The only cost is a HDD. There is a Linux version coming into beta soon for those on that platform.
https://www.veeam.com/endpoint-backup-free.html
Ok today, I went out and bought a backup harddrive, and was scared to reset my computer. Thanks. lol
OP, did you run your Windows as unprivileged user or as admin?
Out of curiosity, if one gets infected, is there a reporting mechanism that can forward these infections to antivirus/malware companies so that they can be incorporated into their database?
On the "Enterprise" realm, as mentioned by one of my colleague here (J03) one of the few solutions we've bet our livelihoods to is a security suite by Cylance called CylanceProtect. Pity its really only available to the "Enterprise" ie. 1000+ End Points. Its taken care of drive by flash,java,macro,etc ransomware exploits too. The solution is not based on conventional AV tech.
To save some of the BOLD people here pinning their heads on the wall trying to start debugging/cracking the good ol' ransomware and its encryption methods… heres for your reading
http://blog.cylance.com/cracking-ransomware
I partially work in the Forensics & Data Recovery field and communicate with experts @Cylance in their progress to recover files from ransomware encryption. Its one of the few companies that had success in cracking "some" forms of ransomwares encryption. It will probably cost you more than an arm and a leg to seek for their services on this topic … even then its not guaranteed they will be successful in the recovery of your encrypted files.
So remember.
1. Proper Tested Backup (even if you had a cold backup snapshot weekly or monthly, at least you have something to fallback to).
2 the rest… already have been mentioned.
Do you know if the data is actually encrypted?
Have you looked into a recovery software that will analyse the NTFS file system?
Have you plugged this drive into another PC for testing (A PC you don't mind formatting should something go wrong)?
You might be surprised what you find.
Damn.
Very technical comments going on.
Same thing happened to me on a home office computer.
I dont have anything technical set up.
Just that we can use the same printer and access a shared folder.
I dont even download anything on it but somehow i got some ransomware on it.
I think i had to format or just delete the files as it was just my documents folder.
Pretty annoyed i lost it at the time but eventually replaced them.
I didnt have a backup of the folder (now i do) and i didnt run anti virus (now i do) hahaha.
Lucky it wasnt on the main computer…
Hi deanylev,
I've attempted to summarise the main attributes of the new Ransonware as described in your posts (and also slix_88's post on 05/01/2016 - 10:23)
https://www.ozbargain.com.au/node/228888?page=2#comment-3353…
So far, the identifying features of this variant of Ransonware are:
As you already noted, the Hugeme45.exe filename seems to be the unique identifying attribute for this Ransonware. So far, a google search returns only 4 hits (this thread and your reddit thread, and two hits on weibo)
https://www.google.com.au/?gws_rd=ssl#q=Hugeme45.exe
I suggest you add the above info (or similar) to the OP as it may be useful to others, particularly computer security companies and law enforcement departments.
Message text:
All your files encrypted with strong encryption.
To unlock your files you must pay 1 bitcoin to address :
1GvQ9GsMgwAUz91PKNpAJxrAwsztg1S7jy
Search google for how to buy and send bitcoin.
After you send the bitcoin email to :
[email protected]
[email protected]
[email protected]
use all email to communicate
with the information of username and pcname and the time you send bitcoins.
When we will confirme the transaction you will receive decryption key and decryption program.
You have 5 days to make transaction after that your decryption key will be deleted.And your files gone forever.
try googling any of the below.
hugeme.exe instead of hugeme45.exe (its just a naming variant)
[email protected]
[email protected]
[email protected]
If you have a sample of the virus plonk it into virustotal.
Tried all of these things before. No luck :(
Deleted virus, may be in Recycle Bin.
just wondering what you are trying to achieve now?
reporting it?
Happened to a friends business,
they needed accesss to the computers (it was all of them), the whole business so they paid it.
It was a fair amount of cashola
And the hackers actually gave the data back?
yes
If you don't have backup and really want the locked data, the only way is to pay the ransom.
If you are in this situation, DO NOT INSTALL any anti virus software, if the anti virus removes the ransom malware, you will have no way to unlock those files, the files can be lost forever.
had this happen at work once, we wanted to pay the ransom, but the malware has already been deleted.
I'm past that. Can't justify the cost of ransom, just ordered a NAS with 4TB included storage to avoid situations like this. Mine is different, deleted the malware, but files are still there in encrypted form.
Yes, if you delete the malware, the files will be encrypted forever, there's no way unlocking it
backups are really important
You know, I've tried many antivirus over the years; anti-malware; ad and cookie blockers… In fact after this thread appeared I tried a few again that I haven't for a while.
Bitfender & Kaspersky are supposed to be two of the best. So I'm pretty much fed up the lot of them! What's the point when these exploits sit on your system for months without detecting it!?
So is there an online guide of the best way and software (and combination of that software) to protect your computer?
Including setting up an old computer as a Linux server if necessary??
There are anti-exploit programs out there designed to protect you from zero day vulnerabilities. Malwarebytes Anti-Exploit is very user friendly and the free version protects browsers and Java. While the premium version includes Adobe, Microsoft Office etc. Microsoft's Enhanced Mitigation Experience Toolkit is also good and can protect any application, but it's designed for advanced users and can be difficult to understand.
For ransomware there is CryptoPrevent that adds several hundred group policy objects, but I don't use it due to the issues it causes with my software. You'd probably already know about CryptoGuard as it's part of Hitman and their company got bought out by Sophos.
I have different setups on my own workstations depending on their role. One is setup with ESET Endpoint Security for live protection, Emsisoft Anti-Malware for an extra level, Malwarebytes Anti-Exploit and EMET working together for exploits/zero day.
From the research I did and after speaking with a friend of myne who is an IT security expert he thinks that Webroot and Sophos have the best detection rates for ransomeware and seem to be at the forefront for providing the 0 day defintions for the variants. Webroot especially has allot of predictive smarts in it for detection.
Home Server? Otherwise it'd be a fairly pricey "home" server. Should be running a Linux server distro. It's free, it will do everything you need it to and unless you can't read and follow simple instructions it's very easy to configure. Sure it might take a while to figure things out but if you spent the time to understand the Windows arch then you're more than capable of learning how to use Linux. Point and click isn't exactly the highest server based priority. Even if it is … You can install an X desktop manager and VNC/mirror in for a GUI. Not saying Linux is and will be devoid of Ransomware and Virii but more so than Windozer.
Consider working with /keeping your more important files in the cloud if feasible. Recently our CFO (who is not tech savvy), was the victim of ransomware, and because our policy dictates we keep the vast majority of files in the cloud, i simply reverted his files to the previous version of the file to what it was before it became encrypted.
.encrypted extension
From your other comments it's crypt0l0cker there are no unlockers out for that.
I thought they did manage to find some decryption keys for cryptolocker some time ago?
http://www.bleepingcomputer.com/forums/t/543518/decryption-k…
Edit: my bad, didn't realise there was a diff between cryptolocker and crypt0l0cker. Thought it was just misspelling.
.encrypted isn't exclusive to crypt0l0cker. I can think of 6 variants of the original Cryptolocker that use it.
After reading your problems i'm ATM uploading an image to the cloud, about 54hrs!! ..but figure its worth it , it takes days-weeks to get the pc back with all settings just how you like it ,even though I have another drive with the pc at differing points of time.
Good luck with it Deany ,to others make sure hidden extensions are enabled—- ala pdf-could be pdf.exe & take tips from these 4 pages
keep pics & docs on a usb & whatever else you can't afford to loose , the rest can be re-downloaded
Do!! Learn from my mistakes, that's what this post is about :)
Thanks for the tips!
I don't know that bitlocker viruses are rare, they were all over the news when they first started showing up. My parent's got one on their computer via a link in a spam email. Microsoft Security Essentials didn't detect it, and it encrypted all their documents and photos. Years worth of irreplaceable files. Of course I had backups running but they were saving to a USB drive, which the virus encrypted as well. The real kicker was that we couldn't even pay to get the files back if we wanted to - the site they linked to had been taken down. I rate the people who created this virus right up there with child molesters. (profanity) them.
(profanity) them indeed. What an evil, evil practice. It needs to be stopped.
Hey deanylev. Do you have Teamviewer installed? I just did some quick research and one post suggested a Teamviewer file transfer.
If so, check your file transfer history to see if the virus came through that way - scary stuff.
I do actually, didn't even think of that… Holy crap that's terrifying
I'll check in a bit. I never use Teamviewer anyway, so if it's that I'm going to be so mad.
Dunno if anyone has chimed in here…
I work in IT.
FYI this is the most common type of ransomware out there….
Not rare, happens all the time.
Only virus scanner i have seen that can stop "Some/Most/50%" variants is Webroot.
Any brand new variant though most likely always goes through.
It ALWAYS goes through ANY local drive, and ANY mapped drive, no where else.
Cryptowall
Cryptolocker
CrytpoL0Cker
They are all variants of the same thing, just different people make it.
I can say it nearly 99% came in as a email, most likely a Aus Post/DHL/Fed/License type email
I have dealt with these variants in over 50 cases now…
80-90% of the cases it was a email.
OLD variants can be decrypted, send some examples to these Russian guys if ur willing
They will tell you if your variant can be decrypted, but going from what you have said its def a more recent one, my latest one i dealt is the same i believe.
https://support.drweb.com/new/free_unlocker/for_decode/?lng=…
Ok. So if you use an external drive for storage/backup and keep it disconnected from the online computer… What's the safe way of connecting it to transfer those files? Obviously I don't mean the physical connection. What I'm referring to is, virii etc. can hide on flashdrives, antivirus doesn't always get it until weeks/months later, etc. So you can't even keep a separate computer, copy files to a flashdrive, and take that to the disconnected computer - safely.
I understand this stuff basically happens quickly, does it's job… but surely there's a better method than copying files - pulling that drive - waiting a few days to be sure your computer wasn't infected (only knowing because nothing nasty happened) - and only then transfering those files onto the real backup.
I'd say offline backup is the best option. HDDs can fail, can get hit by some new variant of ransomware or malware. Of course it's a pain to constantly connect/disconnect but I think it's worth the effort. Also what I learnt over the years is that I don't care about everything on the HDD, I only backup photos and some important documents.
Movies/music/tv shows are always available online and it's cheaper to get a Netflix UHD+DNS subscription than paying a hacker to unlock your movie or torrent collection if you're hit by ransomware. ☺
Bad luck OP, thought I'd chip in with my exp on ransomware, I work in IT and have seen this happen in past few years. Apologies if the below is a lot of IT jargons, I'll try to keep it simple.
How many get hit by ransomware - some reports state that one group of hackers generated >$300mill in ransom. So yeah it's a very lucrative business.
How to get the decryption keys: The decryption keys for old variants were published online by FireEye after the FBI busted the ring, but not the newer ones. I haven't met/heard anyone decrypt it the newer ones themselves so far, but hey, I've seen some really smart people in my life so never know there may be a mad genius out there. AFAIK you pay the ransom and they've got the keys back. However there's no guarantee to it.
How to avoid getting infected : Couple of things - 1 : Backup all your important data onto a BD/DVD or a external HDD (and disconnect after backup). 2. Don't click on random emails, be very careful of the links on emails. If you have doubts, contact the person and verify. 3. Don't visit dodgy sites 4. Don't download random software on your PC without verifying the source. 5. There are other techy solutions as well - eg. sandboxie or AVAST sanboxing, running without admin rights, running different user profiles etc, but am sure that's enough IT dosage for the early morning read! :)
Re AV comments, it's definitely good to have a proper AV on your PC. I know it's an outdated concept, but it helps in keeping your PC off any old/known malwares.
Hope this helps.
Thanks a lot for the info! Quick stupid question, if I just click on an infected email, can that spread it? Or do I have to download/open an attachment?
Depending on the type of malware actually. Some malware would mail itself into others on your address book,some would just be infecting the pc from where the email is accessed.
Re attachments, yes since malware would be embedded within the attachment, so if the email body, language isn't right, stay away from the attachment and the email. Recently there were some reports on malicious MS word attachments (macro enabled)
In case of ransomware it usually only infects that PC.
Thanks a tonne for the info! If you've got any more IT walls of text you feel like posting, please do! I'm writing posts like yours into a little booklet for myself, for good security practices, the more advanced and detailed, the better! :)
As requested: :)
* Ensure you update the OS, browsers and apps to the latest version
* List all the hardware you have incl (and mainly router)and check for the firmware upgrades regularly
* Install a reputed ad blocker on the browser
* Uninstall the bloatware and other software that you don't use frequently. You can always download the latest version if/when you need it again.
* Install cc cleaner (or similar) and run it once in a while to clean up the PC and registry
* Run a full PC scan once in a while
* Since you dabble with FW, disable unwanted rules
* Just subscribe netflix/stan/any other streaming platforms. Much cheaper than torrenting!
Have to say first i feel your frustration however at the same time antivirus is a must and there is no excuse for not having it when you can purchase kaspersky for as little as $8. I work in an Enterprise level IT environment and have battled different versions of CryptoLocker over the last year with users who like to click on bad emails. Firstly you should see if there are any previous versions of the folders available on your server usually enabled on servers and this will save you if it is enabled. then wipe your drives and reinstall everything don't save any server configurations unless you know that you can completely trust it as there may be a secondary infection.
1) disable the everyone group and use authenticated users and give your more critical files a higher security level as cryptolocker can effect shares
2) Install Kaspersky…. there is a feature in kaspersky to block specific file extensions such as .encr and this will prevent Cryptolocker from completing the encryption at a later date and you can also protect specific file types such as photos and documents which is what these type of infections seem to target
Good Luck and would be interested to hear how you go
Agree with the above about protecting documents but I am not sure about kaspersky blocking files with specific extension..would it work if the hackers change the extension from .encr to .encr1? Although it is def worth trying for to block some known extensions such as .encr, .encrypted.
From my research another software vendor claims to be able to reverse the changes i.e. by keeping the older version whenever a change is made. I haven't tested, heard or seen it work as yet, but conceptually it seems to work and the vendor claims it will. Not sure about how much it costs etc.
yeah its a bit hit and miss with the extention blocking but the filetype protection is pretty good… have use kaspersky products for some time now and has saved the day many times, the one to stay away from is Norton it is the virus ROFL
Cryptolocker and its variants are hardly new or rare.
Reading through this travesty, you're free-balling your server on the internet and downloading random files. What did you expect? You would be the root cause of your entire network being infected, not everyone else… Why is it your fault? You're the admin!
This is a perfect case on how not to operate a home torrenting set-up.
I wish I could argue.. But yep. I'm an idiot. But no more, bought top AV, and a big NAS. Also going to practice better security practices.
Unfortunately it's something certain people need to go through before they start taking security seriously. I'm glad you have invested in good AV and a have come up with a backup strategy. To be honest the backup strategy is more important than the AV for obvious reasons and it often takes AV companies a while before they provide definitions for the new variations of cryptolocker that seem to be coming out daily. Sophos and Webroot seem to be on the forefront in this space but everyone has their theories.
I'm also hoping that your client machines which have access to your server also have AV?? There is a good potential that the server AV will not pickup the Cryptolocker variant if it's initiated from a client machine. Just something to think about.
Goodluck and stay safe..
Client machines always had AV, except mine. I've always been so against it, but my family were too cautious to not use it. Guess it was a good thing.
Hope you get it sorted deany… umm any word on half life 3?.. sorry just trying to cheer you up
Thanks mate, and that's just the type of cheering up I need :D
But in all seriousness, I'd actually know about Half Life 3 faster than the general public, I've got some.. Connections ;)
k.. will just leave it at that then :)
I don't have the Gaben profile pic for nothing :3
Hey Deanylev
Happened to me only a month or so ago, it came up right after log in.
I was lucky enough to have another account to the PC, and was able to access all files again before wiping windows and building my boot drive again.
The the other account, I was able to recover all the desktop / docs and other files from the main admin account.
Will be backing up like crazy in the future with off system hdd's for the critical non replaceable stuff.
hope this helps
Same here, just bought a NAS with 4TB of storage included.
Hi all.. Just a note that Edu.au email holders can usually get 1tb one drive and unlimited google drive for free now.
I am using Google because the app seems more stable and also it allows long pathnames and bandwidth control.
It's good to know that my data is clouded.. But it took ages for the initial uploading of 100gb.
Crap thing about gdrive is it doesn't resume uploads. 4gb files over a slow connection are painful!
I last checked this about 6 months ago but I don't believe the problem is fixed.
Oh yeah I think that's still the case unfortunately.. Very painful to upload/sync.. Especially on my flakey exetel connection
Dropbox doesn't have that limitation and from memory neither does onedrive. I pushed up 60gb over the last few months to Dropbox on an ADSL2 connection…it was painful but it got there. Largest file was 20gb.
Funny you say that about exetel, I was with them for my ADSL and over 6 months or so it went to shit. My speeds were inconsistent and downright unusable alot of the time. They made me do some testing and from what I gathered they had oversold my area and couldn't resolve the issue, they told me to find another company. Moved to TPG and my sync speeds went from 6 to around 10mbit, and best of all the speeds are consistent and stable. It did cost me an extra $15 per month though.
@knk:
Thanks for the feedback on exetel experience. Will look into tpg etc once I get flatmates to share the bill.
Yeah I tried to use one drive last week but many files had names/paths that were too long for the server.. And I was prompted to manually change them. This is not possible as they are website embedded resources.
Thanks for the Dropbox suggestion. It's not free for uni people tho.. I don't think.. Maybe one day.
Yeah it isn't free but 1tb is like 130 a year I think? Not too pricey, but not ozbargain-esque.
This is exactly RARE at all. Read about cryptolocker, been around for at least couple of years. Have been the most successful ransomware ever.
4 pages of comments proving this isn't Cryptolocker. Infact the original Cryptolocker isn't even being actively distributed as it can be easily decrypted.
This is a new variant based off Cryptolocker or another type of ransomware that isn't as widespread and "professional" like Cryptowall 4.0, Radamant and TelsaCrypt etc.
Yeah, how many people are going to tell me that this is Cryptolocker without reading the comments? Jesus, it's getting pretty old. If you're not going to comment something helpful in any way, don't comment.
I don't run any antivirus because it slows my system down.
If we don't download any torrents or open any suspicious email or webpage, would our changes of getting attacked be greatly reduced to 0?
Or do the attackers target any random IP?
Thanks.
You're using the wrong product if it's slowing your system down. A lot of security suites include Gamer Mode or similar that reduce the amount of resources it uses.
reading this made me copy all my mp3s onto another hdd and stash it at my folks place. Would never pay those c**ts but then again, i don't have anything worth $600 on my computer.
Good, that's what I want. People to improve their practices, based off my mistakes.
Just curious, how much $$$ are these scumbags charging to get your computer/files unlocked?
1 Bitcoin (~ $600), and a couple phony emails in broken English crying poverty got them down to 0.5 Bitcoin (~ $300).
ok seems like you may have a chance of decryption if they are negotiable this could mean that the private key is located somewhere on your computer, if you make a clone of your drive and run a antivirus scan with one of those rescue disk's you may be able to find a bit more info about the variant that you have. worst case if you have a clone and someone cracks it at a later date then you will possibly be able to reverse the damage. by the way i recommend HD clone by mirray software there is a free one it just works at a slower rate very detailed clones.
Personally, I'd use clonezilla for the backup but it's a good idea.
I don't see where you're drawing the conclusion that the private key is on his computer though, they're negotiable because some money is better than no money.
This happened to me about 6 months ago.
I paid the 1 bitcoin and the hacker gave me the unlock keys to decrypt my 4 internal hard drives
:)
Suxs but I didnt lose 20 years worth of data. (not p0rn)
@scubacoles: Na I didn't. Cause I'm stupid :P
This time I definitely will.
Just bought a NAS with 4TB of storage included.
I'm ready for whatever they have to throw at me.