Warning for PC users

Sanjøy
Posts: 8828
Joined: Sun Oct 02, 2005 8:23 pm
Location: Edinburgh Hamptons

Warning for PC users

Post by Sanjøy » Mon Oct 28, 2013 9:33 pm

Okay I do not normally post warning messages but was listening to a podcast on the way home that truly worried me and thought I would pen something.

If you are an Apple Mac user, gloat then move on; if not, listen up and ask questions, as this is a real threat.

Now most viruses and malware on your machine are not the best and they do crap to your machine, but hey, your credit card company covers you. 3 weeks ago a new breed was documented in the wild; Cryptolocker is an example of one.

Essentially the bad guys encrypt your My Documents folder and any network drives they can find where you may have backups, and then let you know when they have done and give you 72 hours to pay ~$300, else they delete the "key" to decrypt it. This is not a 4 digit code; this is what is known as strong encryption.

This is not a job for PC World or your anti-virus package or anyone you know; this is terminal. The bad guy has the one and only key and there is no option but to pay. Once they delete that key it is all gone, no point pleading.

So what should you do?

Backup to a USB hard drive monthly, then unplug it and give it to a friend.

Do not click links in unsolicited email. If it was from your bank or PayPal and was that convincing that you need to check it, then open Chrome and go to their site on your own; do not click the link.

Good luck out there.

http://blog.malwarebytes.org/intelligen ... d-to-know/
http://blogs.sophos.com/2013/10/10/info ... he-rounds/
W213 All Terrain

mckeann
Posts: 5370
Joined: Thu Mar 10, 2005 9:20 am
Location: Bo'ness

Re: Warning for PC users

Post by mckeann » Mon Oct 28, 2013 10:14 pm

I'm not clicking those links, it could be a trap.

tut
Barefoot Ninja
Posts: 22975
Joined: Tue Mar 15, 2005 5:53 pm
Location: Tut End, Glen of Newmill

Re: Warning for PC users

Post by tut » Mon Oct 28, 2013 10:22 pm

gloating...........

tut

simon
Site Admin
Posts: 4970
Joined: Wed Mar 09, 2005 10:36 pm
Location: Carnoustie

Re: Warning for PC users

Post by simon » Tue Oct 29, 2013 12:09 am

Also gloating but at the same time I know of a company that was hit by it last week. Luckily they spotted it early and were able to remove it and restore from backups but it is a genuine threat not to be taken lightly if you have any files you are precious about!

vxc
Posts: 819
Joined: Thu Feb 05, 2009 2:02 pm
Location: East Kilbride

Re: Warning for PC users

Post by vxc » Tue Oct 29, 2013 12:37 am

Unfortunately we got hit with this at 2 of our sites, including the HQ I deal with, at the end of last week. We are recovering, so to speak, but it's a nightmare and some files are gone beyond recovery. Backup methods have not worked... will hear the grunt of it soon once we settle, no doubt.

Unfortunately we were dealing initially with the first response as a 'slow laptop', so I got my techs to dial in, and they were doing the usual stuff for slow speed issues. After a few hours the same user called to say some files can't open (by this time Cryptolocker had now had a few hours), so the techs dialed in and saw what had happened. Unfortunately this user was a member of most of the shares in the system.... absolute C@nt bags out there!
POLO Bluemotion - Mile chomper

robin
Jedi Master
Posts: 10544
Joined: Mon Mar 27, 2006 1:39 pm

Re: Warning for PC users

Post by robin » Tue Oct 29, 2013 12:44 am

Is there any evidence that they can decrypt the file if you pay?

The reason I ask is that most cryptography assumes you don't know the plaintext. In this case, you do know the plaintext of lots of the files (assuming you have a backup and given many files don't change often) and so for any file that has not been altered recently and assuming you can determine the crypto in use, you should be able to reverse out the key.

I am not saying this is easy, but it would be easy to automate for somebody who knows how.

The other solution is offer to pay, then track your payment through the international payments system, hunt them down, torture them to get the key, then kill them.

Cheers,
Robin
I is in your loomz nibblin ur wirez
#bemoretut

tut
Barefoot Ninja
Posts: 22975
Joined: Tue Mar 15, 2005 5:53 pm
Location: Tut End, Glen of Newmill

Re: Warning for PC users

Post by tut » Tue Oct 29, 2013 6:45 am

Like your thinking Robin, especially the last paragraph.

Must be just about the worst one that has appeared yet. So much for virus checkers, spambots, firewalls, and probably much more sophisticated methods that companies use. Then again, if they can hack into the Pentagon and the Kremlin it is not surprising.

I presume that there will be pros in that field working on it?

tut

Sanjøy
Posts: 8828
Joined: Sun Oct 02, 2005 8:23 pm
Location: Edinburgh Hamptons

Warning for PC users

Post by Sanjøy » Tue Oct 29, 2013 7:50 am

Assuming it is not the pros like the NSA who wrote it, Tut.

Robin, the payment methods are the non-trackables, Bitcoin and another one I had not heard of before.

Agree that if you were mid-encryption you could stand a chance, but your average Joe will not pick up the slowness until it is too late, and even then who is going to help them with a partially encrypted drive and the ciphers they need to create to get out of it? Would cost more than the $300.

The podcast did suggest they do release the key if you pay, as the whole ruse needs some to pay and some not to pay so that the message gets out.
W213 All Terrain

robin
Jedi Master
Posts: 10544
Joined: Mon Mar 27, 2006 1:39 pm

Re: Warning for PC users

Post by robin » Tue Oct 29, 2013 9:12 am

Sure, so of course it will depend on how it's done. But I assume that the virus will soon be isolated and decompiled, at which point the basics of the encryption (cypher algorithm and key length) will become known.

Now everybody creates a randomly named file of known content on their hard disk (e.g. by using a known seed to a random number generator).

When you get hit by the virus, even if you only discover it after the fact, you regenerate the random data file (using the same seed to the same random number generator).

Now you have the cyphertext (the file they encrypted) and the plaintext (the file you started with). Given you know the cypher algorithm and key length, it should be easy to work out the key.

So assuming that the crypto-aware folk at the normal anti-virus shops do this, then we should have an anti-virus solution available in due course. What's more, even when the virus mutates, the basic principle of having lots of known content on your hard drive should prove useful to disarm future attacks.

Cheers,
Robin
I is in your loomz nibblin ur wirez
#bemoretut

Corranga
Posts: 4380
Joined: Fri Apr 27, 2007 5:43 pm
Location: Fundee, Sundee, SCUMDEE!

Re: Warning for PC users

Post by Corranga » Tue Oct 29, 2013 9:33 pm

Often wondered why we don't see more serious virus threats like this tbh...

I've used this as an excuse to get my finger out and sort out my currently non-existent backup regime. I had planned to go RAID, but offsite (so to speak, as in on a USB drive) is obviously better if this is all true.

Just bought one of these 2TB drives for 50 quid.
Only USB 2.0, but for backing up that shouldn't be a problem.
http://www.ebay.co.uk/itm/Toshiba-2TB-S ... 8081055688
'16 MINI Cooper S - Family fun hatch
'98 Lotus Elise - Fun day car
'04 Maserati Coupe GT - Manual, v8, Italian...
'18 Mazda Mx5 - The wife's, so naturally my daily
'19 Ducati Monster 797 - Baby bike bike

campbell
Posts: 17330
Joined: Sat Mar 25, 2006 12:42 pm
Location: West Lothian

Re: Warning for PC users

Post by campbell » Tue Oct 29, 2013 10:02 pm

So is an installation of the free Malwarebytes edition worthwhile?
http://www.rathmhor.com | Coaching, training, consultancy

Sanjøy
Posts: 8828
Joined: Sun Oct 02, 2005 8:23 pm
Location: Edinburgh Hamptons

Re: Warning for PC users

Post by Sanjøy » Tue Oct 29, 2013 10:25 pm

campbell wrote: So is an installation of the free Malwarebytes edition worthwhile?
Always.
W213 All Terrain

thesurfbus
Posts: 201
Joined: Tue Jun 26, 2012 11:06 am
Location: Midlothian

Re: Warning for PC users

Post by thesurfbus » Wed Oct 30, 2013 9:09 am

Corranga - Is that USB hard drive powered via the USB or with a separate power adapter?
Lotus Elise 220 S

Corranga
Posts: 4380
Joined: Fri Apr 27, 2007 5:43 pm
Location: Fundee, Sundee, SCUMDEE!

Re: Warning for PC users

Post by Corranga » Wed Oct 30, 2013 9:26 am

thesurfbus wrote: Corranga - Is that USB hard drive powered via the USB or with a separate power adapter?
For my needs I didn't care enough to check..
I think all 3.5" drives (same size as the drive in an actual PC / server) are externally powered though, so I expect it to come with a separate power adapter.

For USB power I think you need a portable one, which would use a 2.5" drive, same as a laptop. I feel these are less reliable, but that might just be because I've had more laptop drives fail on me than full size drives..

Chris
'16 MINI Cooper S - Family fun hatch
'98 Lotus Elise - Fun day car
'04 Maserati Coupe GT - Manual, v8, Italian...
'18 Mazda Mx5 - The wife's, so naturally my daily
'19 Ducati Monster 797 - Baby bike bike

robin
Jedi Master
Posts: 10544
Joined: Mon Mar 27, 2006 1:39 pm

Re: Warning for PC users

Post by robin » Wed Oct 30, 2013 9:31 am

Another defence for those able to use VMware or similar is to install your day-to-day Windows inside a VM which you then snapshot from time to time. If your drives get crypto-hacked then you can just revert to the previous snapshot.

Cheers,
Robin
I is in your loomz nibblin ur wirez
#bemoretut
