Free Republic
Browse · Search
General/Chat
Topics · Post Article


Ransomware attack, need advice
self | 07/16/15 | fwdude

Posted on 07/19/2015 6:34:05 AM PDT by fwdude

I have recently had the unpleasant experience of having one of the new variants of the cryptolocker malware infect our computer servers at work. In case someone doesn't know, it's a computer worm that encrypts all the standard-format files on a system so that the user can't open the file without a "key," supplied by the hacker for a ransom.

My question, which I have researched extensively over the internet, is whether it is advisable to consider paying the ransom, if there is enough "honor among thieves" to trust that the files will be unlocked if I pay, and if there might remain some residual malware that might reinfect our computers.

And, no, there are no backup files that were untouched, the backups were infected as well.

Some of the files are critical, or at least would take an enormous amount of work to recreate or recover otherwise. Do you consider the risk worth the reward?


TOPICS: Computers/Internet
KEYWORDS: computers; computing; cryptolocker; internet; malware; ransomware
To: TomGuy
You have to determine whether reconstructing the data would cost less than paying the ransom and possibly getting nothing in return.

Some of it cannot be reconstructed, ever. We are only finding out little by little what we've lost.

One saving grace is that attachments to Outlook e-mail files weren't affected, so any email hoarders may have copies of the files they need in one mail box or another.

Anything saved to the server subsequent to the attack is perfectly accessible. The different applications apparently work fine, and performance isn't seemingly affected.

Why were backups on the same server(s) as the data files? Why were servers not backed up/imaged?

Yeah, that's a question I have for our IT guy, who is a part-time contractor since we are such a small company. He "cleaned" our system of any remains of the malware, and suggested all users download and run Malwarebytes for their own stations and hard drives, but he could not answer the obvious questions you pose. Apparently, this is the situation with a lot of victims, so ours wasn't an unusual case of apathy.

How did the perps get the malware planted onto the system?

The malware comes attached to an innocuous looking email as a zip file. One click to open unleashes the malware. Since we are hiring a couple of positions, this one likely came in as a resumé in answer to one of the job ads. We've gotten several more like it since the infection, but users have been wise to it.

One thing I can't figure out is that our servers are supposed to have protection against such attacks that come through in any form. Does a zip file protect these viruses from detection?

We are definitely looking at more robust solutions going forward. We do have one intact saved exterior hard drive from about a year ago which wasn't attached to anything, so the only data that was lost is about a year's worth.

21 posted on 07/19/2015 7:07:26 AM PDT by fwdude (The last time the GOP ran an "extremist," Reagan won 44 states.)
[ Post Reply | Private Reply | To 18 | View Replies]
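The question in the post above, whether a zip wrapper keeps the payload out of sight of the mail filter, is answered by whatever sits on the gateway: a scanner that only hashes or types the outer .zip never sees the .exe inside. The following is an added example, not code from this thread or from any product mentioned in it. It opens the attachment in memory and checks each member's name, flags and first bytes; the extension lists and the compression-ratio threshold are assumptions, and the two archives it builds are constructed stand-ins (a PE-style header under a document-looking name, and a harmless text file), not real samples.

```python
import io
import zipfile

# Constructed policy values (assumptions, not from the thread): extensions Windows will run on
# double-click, and document extensions that phishing lures like to put in front of them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".lnk", ".ps1"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".jpg", ".png"}
BOMB_RATIO = 100           # uncompressed/compressed ratio that suggests a decompression bomb
BOMB_MIN_SIZE = 1_000_000  # skip the ratio test for tiny members, where it is meaningless


def screen_zip_attachment(data: bytes) -> list:
    """Open a zip attachment in memory and return a list of human-readable findings.

    An empty list means nothing in the archive tripped a rule. A scanner that looks only
    at the outer .zip sees nothing; this looks at each member's name, flags and first bytes.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            # Encrypted members cannot be inspected at all; treat that as a finding, not a pass.
            if info.flag_bits & 0x1:
                findings.append(f"{name}: encrypted member, cannot be scanned")
                continue
            if ext in EXECUTABLE_EXTS:
                findings.append(f"{name}: executable extension {ext}")
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
                findings.append(f"{name}: double extension disguised as a document")
            if ext == ".zip":
                findings.append(f"{name}: nested archive")
            if (info.file_size > BOMB_MIN_SIZE and info.compress_size
                    and info.file_size / info.compress_size > BOMB_RATIO):
                findings.append(f"{name}: suspicious compression ratio")
            # Content check: a Windows executable starts with "MZ" whatever it is named.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ" and ext not in EXECUTABLE_EXTS:
                findings.append(f"{name}: PE header under non-executable name")
    return findings


def build_sample(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct test inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples, not real malware: a "resume" whose real extension is .exe and whose
# content starts with a PE header, versus a harmless text file under a document name.
LURE_ZIP = build_sample({"resume.pdf.exe": b"MZ" + b"\x00" * 64})
BENIGN_ZIP = build_sample({"resume.docx": b"plain text standing in for a document"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, screen_zip_attachment(blob) or ["clean"])
```

The encrypted-member rule is the one worth noticing: a password-protected zip with the password in the mail body defeats every content check, so the only safe verdict for an archive the filter cannot open is to hold it, not to pass it as clean.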

To: fwdude

Makes sense to me. The interest of the attacker is to collect the ransom, give them back their data and move on. If word were to get around that you paid money but didn’t get your data back, people would stop paying the ransoms.

Also, I doubt they’d come back for another bite. With hundreds of millions of accounts out there to attack, why focus on one?

The biggest advantage these guys have is that they don’t hit any one victim hard enough to make it worthwhile to spend large sums fighting back. Easier to just pay and move on. To a considerable extent they just fly below the radar.


22 posted on 07/19/2015 7:07:48 AM PDT by Sherman Logan
[ Post Reply | Private Reply | To 3 | View Replies]

To: fwdude

Get this: “The FixMeSticks - External hardware-based removal of viruses, spyware, trojans, rootkits and more that cannot be removed by software security programs.”

After you get rid of the malware, install a Chrome Browser, save your data on a cloud, and buy Chrome Desktops for your people.

Or keep using IE and MScrewu systems and enjoying the thrill.


23 posted on 07/19/2015 7:09:25 AM PDT by Grampa Dave (Rev. 22:11 Let the evildoer still do evil, the filthy still be filthy, the righteous still do right!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce; fwdude

Tech ping


24 posted on 07/19/2015 7:10:47 AM PDT by BuckeyeTexan (There are those that break and bend. I'm the other kind. ~Steve Earle)
[ Post Reply | Private Reply | To 1 | View Replies]

To: fwdude

Tools to recover files... I hope this works for you.

http://blogs.technet.com/b/mmpc/archive/2014/08/12/fireeye-and-fox-it-tool-can-help-recover-crilock-encrypted-files.aspx

Good luck.

Report this to the FBI


25 posted on 07/19/2015 7:18:17 AM PDT by Organic Panic
[ Post Reply | Private Reply | To 1 | View Replies]

To: fwdude

FWIW, the rumor on the grapevine is that these hackers are trying to establish “credibility” by honoring the ransom payment from small companies. The end goal being to extract more lucrative payments from bigger companies as they establish a reputation.

So, yeah, they’ll probably give you a key because your company is likely not the end game.


26 posted on 07/19/2015 7:19:45 AM PDT by BuckeyeTexan (There are those that break and bend. I'm the other kind. ~Steve Earle)
[ Post Reply | Private Reply | To 1 | View Replies]

To: fwdude

Sorry. Just read your post again.

It is the company’s network and worth the risk? Yes. It’s their money and they should have taken precautions with their IT department to protect the servers. And having no offsite back up is something any IT tech should have done.


27 posted on 07/19/2015 7:23:10 AM PDT by Organic Panic
[ Post Reply | Private Reply | To 1 | View Replies]

To: fwdude

I have a relative who got an early version of that. That was the one that had a fix for it. If you have that one, then you will be able to freely unlock your files.

http://www.itproportal.com/2014/08/06/a-cryptolocker-cure-has-finally-landed-—and-its-free/

If it is not this specific version, then you are out of luck.

Some people pay and don’t get the fix, while others do.

If you pay, you help criminals hurt others.


28 posted on 07/19/2015 7:26:30 AM PDT by ConservativeMind ("Humane" = "Don't pen up pets or eat meat, but allow infanticide, abortion, and euthanasia.")
[ Post Reply | Private Reply | To 1 | View Replies]

To: BuckeyeTexan; fwdude; dayglored

Weekend tech ping.

Any experience with a Cryptolocker?


29 posted on 07/19/2015 7:29:19 AM PDT by texas booster (Join FreeRepublic's Folding@Home team (Team # 36120) Cure Alzheimer's!)
[ Post Reply | Private Reply | To 24 | View Replies]

To: Organic Panic

Thanks for this article, but it’s almost a year old, and is probably obsolete by now. This thing has morphed exponentially.


30 posted on 07/19/2015 7:29:59 AM PDT by fwdude (The last time the GOP ran an "extremist," Reagan won 44 states.)
[ Post Reply | Private Reply | To 25 | View Replies]

To: fwdude

My condolences. Out of curiosity and caution, what version of Windows were you running? Was it up to date with patches? What was your virus scanner, if any?

These are valid questions, because if you either pay or somehow recover the files, you don’t want to be vulnerable to a recurrence.


31 posted on 07/19/2015 7:30:41 AM PDT by Pearls Before Swine
[ Post Reply | Private Reply | To 1 | View Replies]

To: ConservativeMind; Grampa Dave

Many thanks for the links!

I’m saving this one:

http://www.itproportal.com/2014/08/06/a-cryptolocker-cure-has-finally-landed-—and-its-free/

And the one in this post:

http://www.freerepublic.com/focus/f-chat/3313809/posts?page=23#23


32 posted on 07/19/2015 7:32:55 AM PDT by WildHighlander57 (WildHighlander57, returning after lurking since 2000)
[ Post Reply | Private Reply | To 28 | View Replies]

To: Pearls Before Swine

I have to confess that our various systems are a patchwork of different versions of Windows operated on the different work stations, even back to Windows XP Pro. I’m not certain what the servers are running.


33 posted on 07/19/2015 7:33:11 AM PDT by fwdude (The last time the GOP ran an "extremist," Reagan won 44 states.)
[ Post Reply | Private Reply | To 31 | View Replies]

To: mountainlion
“Fixing” virus infections from within an infected Windows instance is no longer assured of wiping a virus. You need to download and use one or two emergency boot CD/DVD disks from an antivirus vendor and run those against your hard drive.

Once you burn the disk image, boot only using the CD/DVD and let it clean your system. This works because the virus isn't capable of thwarting the cleaning, while when in a booted Windows session, it can actively outwit being cleaned.

Almost all antivirus companies have these boot images, now. 80+% of them are free.

34 posted on 07/19/2015 7:33:23 AM PDT by ConservativeMind ("Humane" = "Don't pen up pets or eat meat, but allow infanticide, abortion, and euthanasia.")
[ Post Reply | Private Reply | To 9 | View Replies]

To: fwdude
I ran a virus scan yesterday and it found ransom-ware on my Windows 7 PC. I removed it, but it had not been able to do any harm because I had taken the precautions shown HERE: CryptoLocker Ransomware Information Guide and FAQ

Go to this section and follow the directions:

How to prevent your computer from becoming infected by CryptoLocker

35 posted on 07/19/2015 7:35:40 AM PDT by Dalberg-Acton
[ Post Reply | Private Reply | To 1 | View Replies]

To: fwdude

I would never pay.


36 posted on 07/19/2015 7:41:47 AM PDT by rockrr (Everything is different now...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: fwdude
This infection takes advantage of standard practices just about everyone already has.

It has always made sense to have a backup drive mapped to your computer—this is the most common way to back up to a completely separate device. People then run a backup program that sends the backed up files to that device.

Unfortunately, any mass storage device connected to that infected computer will be encrypted, and the malware has the knowledge of extensions and file types to know there's data in those backups. Cryptolocker only keeps the Windows native files working because it wants you to boot up just enough to know how to pay the criminals.

This new infection has now alerted people to the need to have either multiple backup devices (which can be occasionally tested) or the need to create a special, separate FTP-type connection to send your backup file to (because Windows won't see it as a volume to easily infect).

This malware was a game changer.

37 posted on 07/19/2015 7:44:49 AM PDT by ConservativeMind ("Humane" = "Don't pen up pets or eat meat, but allow infanticide, abortion, and euthanasia.")
[ Post Reply | Private Reply | To 21 | View Replies]
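The post above makes two points a backup routine has to respect: a backup volume the infected machine can write to is just another set of files to encrypt, and the backups you keep are only as good as the last time someone tested them. The following is an added example, not code from this thread or from any backup product; it records a hash manifest at backup time (the manifest is meant to be kept somewhere the backup host cannot write, which this example does not model), then re-verifies the backup tree and separates files that merely changed from files whose contents now look like ciphertext, using a byte-entropy heuristic. The threshold, the sample files and the simulated tampering (random bytes standing in for encrypted output, a deleted file, an unexpected new file) are all constructed for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold in bits per byte: text and office documents sit well below this,
# compressed or encrypted data sits close to 8.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map every file under root (posix-style relative path) to its SHA-256 at backup time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree against a manifest taken earlier.

    'modified' lists files whose hash changed; 'high_entropy' is the subset whose content
    now looks encrypted; 'missing' and 'unexpected' catch deletions and files that were
    never backed up (a ransom note, for instance, would land in 'unexpected').
    """
    report = {"missing": [], "modified": [], "high_entropy": [], "unexpected": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)
            continue
        if sha256_file(p) != manifest[rel]:
            report["modified"].append(rel)
            # Sampling the first 64 KiB is enough to tell ciphertext from an edited document.
            if shannon_entropy(p.read_bytes()[:65536]) > ENTROPY_THRESHOLD:
                report["high_entropy"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def demo() -> dict:
    """Constructed scenario: take a manifest, then simulate a reachable backup being trashed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "accounts").mkdir()
        (root / "accounts" / "ledger.txt").write_text("invoice 1001 paid\n" * 200)
        (root / "memo.txt").write_text("meeting notes " * 100)
        manifest = build_manifest(root)
        # Simulated damage, not real malware: one file replaced by random bytes standing in
        # for encrypted output, one file deleted, one file that was never in the backup.
        (root / "accounts" / "ledger.txt").write_bytes(os.urandom(4096))
        (root / "memo.txt").unlink()
        (root / "newfile.txt").write_text("placeholder")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Run this against the backup target on a schedule from a host that is not the file server, and compare against a manifest copy held off that target; a manifest that lives next to the backup is encrypted along with it, which is the same mapped-drive problem the post describes.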

To: fwdude

Every year I buy the best preventive/detective solution from independent tests on this site:

http://www.av-comparatives.org/


38 posted on 07/19/2015 7:49:31 AM PDT by ConservativeMind ("Humane" = "Don't pen up pets or eat meat, but allow infanticide, abortion, and euthanasia.")
[ Post Reply | Private Reply | To 33 | View Replies]

To: Dalberg-Acton

yours is the best resource offered so far. Thanks!


39 posted on 07/19/2015 7:54:23 AM PDT by fwdude (The last time the GOP ran an "extremist," Reagan won 44 states.)
[ Post Reply | Private Reply | To 35 | View Replies]

To: Yosemitest
Dump WINDOWS, and get a different Operating System!

Malware targets the user as the vulnerability, not the OS. Switching to a different OS isn't going to help one bit.

This has been said enough times I can't believe you don't know that.

40 posted on 07/19/2015 7:55:41 AM PDT by tacticalogic
[ Post Reply | Private Reply | To 6 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson