Cryptolocker infects cop PC: Massachusetts plod fork out Bitcoin ransom
The Register ^ | 11/21/2013 | Iain Thomson

Posted on 11/21/2013 2:56:18 AM PST by markomalley

Massachusetts cops have admitted paying a ransom to get their data back on an official police computer infected with the devilish Cryptolocker ransomware.

Cryptolocker is a rather unpleasant strain of malware, first spotted in August, that encrypts documents on the infiltrated Windows PC and will throw away the decryption key unless a ransom is paid before a time limit. The sophisticated software, which uses virtually unbreakable 256-bit AES and 2048-bit RSA encryption, even offers a payment plan for victims who have trouble forking out the two Bitcoins (right now $1,200) required to recover the obfuscated data.

On November 6, a police computer in the town of Swansea, Massachusetts, was infected by the malware, and the cops called in the FBI to investigate. However, in order to get access to the system the baffled coppers decided that it would be easier to pay the ransom of 2 BTC, then worth around $750, and received the private key to unlock the computer's data on November 10.

"It was an education for [those who] had to deal with it," Swansea police lieutenant Gregory Ryan told the Herald News. "The virus is so complicated and successful that you have to buy these Bitcoins, which we had never heard of."

Ryan said that essential police systems weren't affected by the infection, and federal agents are still investigating the infection, hopefully to find clues that'll lead the Feds to the malware's writer. The software nasty is thought to have been the work of Eastern European criminal gangs, but no one knows for sure.

"The virus is not here anymore," Ryan said. "We've upgraded our antivirus software. We're going to try to tighten the belt, and have experts come in, but as all computer experts say, there is no foolproof way to lock your system down."

Apart from not being a fool, that is. Cryptolocker primarily spreads via email attachments, typically a PDF that claims to be from a government department or delivery service. As ever, experts advise not to open attachments unless you are sure of their contents and their source.


TOPICS: Computers/Internet
KEYWORDS: cryptolocker; diskformat; formatthedrive
To: daniel1212
My biggest gripe with Windows Backup is that it's VERY slow and you can't back up to a network drive.

I bought the Nero Platinum suite a long time ago for the Nero Burning ROM software. I use the heck out of their backup software, it's pretty solid, and I can run regular backups to my NAS. However, since most of my personal stuff is either on the NAS or on a Linux machine, I don't get overly concerned with viruses.

21 posted on 11/22/2013 5:46:56 AM PST by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 19 | View Replies]

To: CutePuppy

CryptoPrevent just creates local security policy on a Windows machine to prevent executables from running in the %appdata% portion of your hard drive; however, unless you’re running Windows 7 Professional or Ultimate, it won’t work. Windows 7 Home and Home Premium do not have the capability of setting this local security policy since that portion of the registry hive is missing.


22 posted on 11/22/2013 5:49:11 AM PST by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 20 | View Replies]

To: CutePuppy
Thanks. And of course, be wary of opening email attachments, and look for changes after doing so with anything, or after installing programs.

As a general rule, we should keep an eye on what is running, and a primary free program for that is the well-known Win Patrol, which will alert you to changes made in startup apps, home pages, etc., as well as many other things. Look for it in your system tray (by the clock).

Also, System Tray Meter, a very basic meter with a small footprint, which can show you CPU and memory load in your system tray. Download here.

Once downloaded, unzip it (right-click and Extract All) and then place it in your Startup folder. To find that, look in your Start menu for the Startup folder, right-click it, hit Properties, and copy (Ctrl+C) the location.

Then, after you launch it, right-click on the Taskbar, hit Properties, then Customize, and choose "Show icon and notifications." Then you can always see it in your system tray.

Of course, if you have W/8, then use the free Classic Shell to gain easier access.

Also, one should have Process Explorer, which gives details on what is running, CPU and RAM usage, and the ability to easily restart, kill, or resume programs. Familiarize thyself with what normally runs.

While you are at technet.microsoft.com, get Autoruns, which provides a comprehensive list of everything that is set to start with Windows.

Depending on your CPU and program load, the CPU cycles should not be above 12% consistently.

Also worth mentioning is System Explorer (download), as it shows Internet activity.

It does take time for CryptoLocker to do its encryption. Further reading on CryptoLocker:

BleepingComputer discussion thread.

Malwarebytes: Cryptolocker Ransomware: What you need to know.

Naked Security (Sophos): Destructive malware Cryptolocker on the loose.

http://www.symantec.com/connect/forums/cryptolocker-and-adc-policies

Reddit thread: Proper care and feeding of your Cryptolocker

Makeuseof.com: Cryptolocker is the nastiest malware ever and here’s what you can do

Ars Technica: You’re infected — if you want to see your data again, pay us $300 in Bitcoins

23 posted on 11/22/2013 6:22:09 AM PST by daniel1212 (Come to the Lord Jesus as a contrite damned+destitute sinner, trust Him to save you, then live 4 Him)
[ Post Reply | Private Reply | To 20 | View Replies]

To: rarestia
EaseUS Todo Backup Free has good reviews. But you have to go thru email to get the keys.

I can run regular backups to my NAS

You mean your NSA?:)

24 posted on 11/22/2013 6:49:19 AM PST by daniel1212 (Come to the Lord Jesus as a contrite damned+destitute sinner, trust Him to save you, then live 4 Him)
[ Post Reply | Private Reply | To 21 | View Replies]

To: CutePuppy
A 2T+ USB-powered drive(s) for backups and data portability is a no-brainer investment of about $100 per drive and a peace-of-mind lifesaver.

Or you can get a USB 2.0 to IDE/SATA 2.5"/3.5" Hard Drive Converter Cable for about $3.35 for old drives. Open the case and plug in the drive, and then plug in the USB once the OS is loaded. On IDE HDs, make sure the pins are set to Master. For a little more you can find ones with a power adapter.

25 posted on 11/22/2013 6:59:01 AM PST by daniel1212 (Come to the Lord Jesus as a contrite damned+destitute sinner, trust Him to save you, then live 4 Him)
[ Post Reply | Private Reply | To 20 | View Replies]

To: daniel1212

2048-bit encryption at the file level on my NAS would make for a difficult time if the government decided to make me an enemy of the state. I’m not hiding much of anything unless they’re interested in pictures of my college years.


26 posted on 11/22/2013 7:02:39 AM PST by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 24 | View Replies]

To: rarestia; daniel1212
unless you're running Windows 7 Professional or Ultimate, it won't work. Windows 7 Home and Home Premium do not have the capability of setting this local security policy since that portion of the registry hive is missing.

They seem to imply that it would work on "any Windows OS," i.e., that the program can create the security policy even if it's not "displayed" (I assume that means that it can create the hive and the entries in the registry, which can be easily checked by examining the registry after it runs) but that "any Win OS" will nonetheless act on it. I have no way to test it at the moment, since I run Ultimate on my machines.

As a general rule, we should keep an eye on what is running, and a primary free program for that is the well-known Win Patrol

Check out AnVir Task Manager. It does practically everything that WinPatrol ("Scotty"!) does, plus just about everything that System Explorer does, including event logging and other functions. It's a "freemium" model program; most people will be happy with the free package, but for even more features a Pro version is available.

Besides Process Explorer, SysInternals (now owned by Microsoft) has an amazing collection of small utils that are very useful, especially in "silent" batch/non-interactive and scheduled modes. Similarly, some tiny free utils from NirSoft, by Nir Sofer, can be great time savers (and he checks his emails for suggestions or bug reports, too).

CCE (Comodo Cleaning Essentials) from Comodo Group contains excellent Autoruns, KillSwitch process monitor/manager and antivirus scanner.

Comodo (a security specialist and the world's second largest Certification Authority, behind Symantec) also provides (free for personal use) a firewall, antivirus, an integrated Internet Security package, VPN, rescue disk, secure/encrypted email, a secure DNS service, and the "fortified" Web browsers Comodo Dragon (based on the Chromium open source) and Comodo IceDragon (based on the Firefox/Mozilla open source).

Or you can get a USB 2.0 to IDE/SATA 2.5"/3.5" Hard Drive Converter Cable for about $3.35 for old drives. ... For a little more you can find ones with a power adapter

IDE/SATA-to-USB adapters are pretty cheap and are great for reusing older end-of-life IDE/SATA drives as a removable backup/archive solution - larger and slower than "native" USB 3.0 drives (such as WDC Passport), but excellent use for off-hours backup to portable media, especially for laptops.

27 posted on 11/22/2013 5:14:44 PM PST by CutePuppy (If you don't ask the right questions you may not get the right answers)
[ Post Reply | Private Reply | To 23 | View Replies]

To: CutePuppy

Thanks. I think I have to try AnVir Task Manager Free and NirSoft; I have used some of NirSoft's offerings, and am familiar with the Comodo name.

I use Chrome rather than IE now, but FF for the main and power uses. Thank God for such helps.


28 posted on 11/22/2013 6:11:08 PM PST by daniel1212 (Come to the Lord Jesus as a contrite damned+destitute sinner, trust Him to save you, then live 4 Him)
[ Post Reply | Private Reply | To 27 | View Replies]

To: CutePuppy

Yes, I stand corrected on the Home/Premium situation. While secpol.msc is not installed with Windows 7 Home/Premium, the registry keys can still be populated, which is exactly what CryptoPrevent does. I installed it on my Win7 gaming machine, and while I don’t use it for email or much of anything remotely “dangerous,” it feels a little better knowing that my %appdata% user directory is “safer.”

Reiterating: CryptoPrevent works on ALL versions of Win7/8 by utilizing the registry keys normally modified by secpol.msc, which is not native to “lower end” versions of Windows. You would think that with something like CryptoLocker out there, Microsoft would make secpol a free download for people who want it.


29 posted on 11/23/2013 3:21:25 PM PST by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 27 | View Replies]
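The registry mechanism rarestia describes in posts 22, 27 and 29 (the Software Restriction Policy keys that secpol.msc writes and that CryptoPrevent populates directly), as an added PowerShell example that is not CryptoPrevent's, Microsoft's, or any poster's own code: it lists the existing "Disallowed" path rules and adds one for executables launched directly from %AppData%. The key layout (CodeIdentifiers\0\Paths\{GUID} with ItemData/SaferFlags values) is the one secpol.msc itself writes; the ExecutableTypes list is a constructed subset of the extensions secpol.msc lists by default.

```powershell
# Added example, not CryptoPrevent's or Microsoft's code. Run from an elevated PowerShell prompt.
# Software Restriction Policy (SRP) lives under this key whether or not secpol.msc is installed,
# which is why a tool can populate it on Windows 7 Home editions as well.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = Join-Path $Base '0\Paths'   # security level 0 = Disallowed; 262144 = Unrestricted

function Get-SrpDisallowedRules {
    # One object per existing Disallowed path rule; empty if SRP was never configured.
    if (-not (Test-Path $Disallowed)) { return @() }
    Get-ChildItem $Disallowed | ForEach-Object {
        $v = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Guid = $_.PSChildName; Path = $v.ItemData; Description = $v.Description }
    }
}

function Add-SrpDisallowedRule([string]$Pattern, [string]$Description) {
    # Idempotent: do nothing if a rule with the same pattern already exists.
    if (Get-SrpDisallowedRules | Where-Object { $_.Path -eq $Pattern }) { return $false }
    if (-not (Test-Path $Base)) {
        # Policy root absent (SRP never enabled, or a Home edition without secpol.msc):
        # create it with the top-level values secpol.msc sets when SRP is first enabled.
        New-Item $Base -Force | Out-Null
        Set-ItemProperty $Base DefaultLevel 262144 -Type DWord     # allow unless a rule matches
        Set-ItemProperty $Base TransparentEnabled 1 -Type DWord    # enforce for all software except DLLs
        Set-ItemProperty $Base PolicyScope 0 -Type DWord           # apply to all users
        # Constructed subset of the default "designated file types" list; extend as needed.
        Set-ItemProperty $Base ExecutableTypes @('EXE','COM','BAT','CMD','PIF','SCR','HTA','MSI') -Type MultiString
    }
    $key = New-Item (Join-Path $Disallowed ([guid]::NewGuid().ToString('B'))) -Force
    Set-ItemProperty $key.PSPath ItemData $Pattern -Type ExpandString   # REG_EXPAND_SZ: %AppData% expands per user
    Set-ItemProperty $key.PSPath Description $Description -Type String
    Set-ItemProperty $key.PSPath SaferFlags 0 -Type DWord
    Set-ItemProperty $key.PSPath LastModified ([DateTime]::UtcNow.ToFileTime()) -Type QWord
    return $true
}

# Audit what is already in place, then add the rule that CryptoPrevent-style tools are known for.
Get-SrpDisallowedRules | Format-Table -AutoSize
Add-SrpDisallowedRule '%AppData%\*.exe' 'Constructed example: no executables run directly from %AppData%'
```

Re-run Get-SrpDisallowedRules afterwards to confirm the rule landed; legitimate programs that install under %AppData% will need a matching Unrestricted rule (under the 262144\Paths key) or they will be blocked too.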

To: PLMerite

I just got one of those PDF files a couple of days ago, supposedly from my bank. I immediately deleted it.

I checked my account, and there was no indication that they had sent me any sort of message other than the usual “your statement is ready to view” type of stuff.


30 posted on 11/23/2013 3:34:47 PM PST by Fresh Wind (The last remnants of the Old Republic have been swept away.)
[ Post Reply | Private Reply | To 16 | View Replies]

To: markomalley

Prevention is easier than the cure.

Foolishit offers the free CryptoPrevent tool which writes over 200+ restrictions to the Windows Software Policies folder. They will prevent Cryptolocker from installing itself in defined locations AND from encrypting files.

HitmanPro offers the free HPAlert tool - this will watch your files without need for user intervention and will block ANY suspicious executable that attempts to modify Windows files. Even if downloaded, Cryptolocker cannot run and encrypt files. The malware can then be safely deleted.

You can harden Windows against malware infection by installing both Blue Coat K9 Web Protection, which blocks all known malware domains and servers, and SpywareBlaster, to which one can add a custom blocklist to shut out all known malware domains and servers. If they can’t reach your PC, they can’t drop and run malware without your knowledge.

Never download files from addresses you don’t know, and scan all e-mail attachments that are downloaded prior to running them.

Keep your AV always up to date. And install all Microsoft Windows updates that can address ransomware threats.

Stay safe online and happy computing!


31 posted on 12/24/2013 5:29:13 PM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives In My Heart Forever)
[ Post Reply | Private Reply | To 1 | View Replies]

