Posted on 07/19/2015 6:34:05 AM PDT by fwdude
I have recently had the unpleasant experience of having one of the new variants of the cryptolocker malware infect our computer servers at work. In case someone doesn't know, it's a computer worm that encrypts all the standard-format files on a system so that the user can't open the file without a "key," supplied by the hacker for a ransom.
My question, which I have researched extensively over the internet, is whether it is advisable to consider paying the ransom, if there is enough "honor among thieves" to trust that the files will be unlocked if I pay, and if there might remain some residual malware that might reinfect our computers.
And, no, there are no backup files that were untouched; the backups were infected as well.
Some of the files are critical, or at least would take an enormous amount of work to recreate or recover otherwise. Do you consider the risk worth the reward?
Some of it cannot be reconstructed, ever. We are only finding out little by little what we've lost.
One saving grace is that attachments to Outlook e-mail files weren't affected, so any email hoarders may have copies of the files they need in one mail box or another.
Anything saved to the server subsequent to the attack is perfectly accessible. The different applications apparently work fine, and performance isn't seemingly affected.
Why were backups on the same server(s) as the data files? Why were servers not backed up/imaged?
Yeah, that's a question I have for our IT guy, who is a part-time contractor since we are such a small company. He "cleaned" our system of any remains of the malware, and suggested all users download and run Malwarebytes for their own stations and hard drives, but he could not answer the obvious questions you pose. Apparently, this is the situation with a lot of victims, so ours wasn't an unusual case of apathy.
How did the perps get the malware planted onto the system?
The malware comes attached to an innocuous-looking email as a zip file. One click to open unleashes the malware. Since we are hiring a couple of positions, this one likely came in as a resumé in answer to one of the job ads. We've gotten several more like it since the infection, but users have been wise to it.
One thing I can't figure out is that our servers are supposed to have protection against such attacks that come through in any form. Does a zip file protect these viruses from detection?
We are definitely looking at more robust solutions going forward. We do have one intact saved exterior hard drive from about a year ago which wasn't attached to anything, so the only data that was lost is about a year's worth.
Makes sense to me. The interest of the attacker is to collect the ransom, give them back their data and move on. If word were to get around that you paid money but didn’t get your data back, people would stop paying the ransoms.
Also, I doubt they’d come back for another bite. With hundreds of millions of accounts out there to attack, why focus on one?
The biggest advantage these guys have is that they don’t hit any one victim hard enough to make it worthwhile to spend large sums fighting back. Easier to just pay and move on. To a considerable extent they just fly below the radar.
Get this: “The FixMeSticks - External hardware-based removal of viruses, spyware, trojans, rootkits and more that cannot be removed by software security programs.”
After you get rid of the malware, install a Chrome Browser, save your data on a cloud, and buy Chrome Desktops for your people.
Or keep using IE and MScrewu systems and enjoying the thrill.
Tech ping
Tools to recover files... I hope this works for you.
Good luck.
Report this to the FBI
FWIW, the rumor on the grapevine is that these hackers are trying to establish “credibility” by honoring the ransom payment from small companies. The end goal being to extract more lucrative payments from bigger companies as they establish a reputation.
So, yeah, they’ll probably give you a key because your company is likely not the end game.
Sorry. Just read your post again.
It is the company’s network and worth the risk? Yes. It’s their money and they should have taken precautions with their IT department to protect the servers. And having no offsite backup is something any IT tech should have done.
I have a relative who got an early version of that. That was the one that had a fix for it. If you have that one, then you will be able to freely unlock your files.
http://www.itproportal.com/2014/08/06/a-cryptolocker-cure-has-finally-landed-—and-its-free/
If it is not this specific version, then you are out of luck.
Some people pay and don’t get the fix, while others do.
If you pay, you help criminals hurt others.
Weekend tech ping.
Any experience with a Cryptolocker?
Thanks for this article, but it’s almost a year old, and is probably obsolete by now. This thing has morphed exponentially.
My condolences. Out of curiosity and caution, what version of Windows were you running? Was it up to date with patches? What was your virus scanner, if any?
These are valid questions, because if you either pay or somehow recover the files, you don’t want to be vulnerable to a re-occurrence.
Many thanks for the links!
I’m saving this one:
http://www.itproportal.com/2014/08/06/a-cryptolocker-cure-has-finally-landed-—and-its-free/
And the one in this post:
http://www.freerepublic.com/focus/f-chat/3313809/posts?page=23#23
I have to confess that our various systems are a patchwork of different versions of Windows operated on the different work stations, even back to Windows XP Pro. I’m not certain what the servers are running.
Once you burn the disk image, boot only using the CD/DVD and let it clean your system. This works because the virus isn't capable of thwarting the cleaning, while when in a booted Windows session, it can actively outwit being cleaned.
Almost all antivirus companies have these boot images, now. 80+% of them are free.
Go to this section and follow the directions:
How to prevent your computer from becoming infected by CryptoLocker
I would never pay.
It has always made sense to have a backup drive mapped to your computer—this is the most common way to back up on a completely separate device. People then run a backup program that sends the backed up files to that device.
Unfortunately, any mass storage device connected to that infected computer will be encrypted, and the malware has the knowledge of extensions and file types to know there's data in those backups. Cryptolocker only keeps the Windows native files working because it wants you to boot up just enough to know how to pay the criminals.
This new infection has now alerted people to the need to have either multiple backup devices (which can be occasionally tested) or the need to create a special, separate FTP-type connection to send your backup file to (because Windows won't see it as a volume to easily infect).
This malware was a game changer.
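An added example, not posted by anyone in this thread, of the "occasionally tested" backup the post above calls for: record a SHA-256 manifest when the backup is made, then re-verify it later and flag files whose content has turned near-random, which is what an encrypted file looks like. The file name and the temporary directory are constructed for the demo.

```python
import hashlib, math, os, tempfile
from collections import Counter

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def byte_entropy(data):
    # Shannon entropy in bits per byte: near 8.0 for encrypted or random bytes.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    # Path -> SHA-256 for every file under root, recorded when the backup is made.
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_backup(root, manifest, entropy_threshold=7.5):
    # 'suspect' = changed files whose new content is near-random, i.e. looks encrypted.
    # Compressed formats (zip, jpg) are high-entropy too, so it is a flag, not proof.
    report = {"ok": [], "changed": [], "missing": [], "suspect": []}
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            report["missing"].append(rel)
        elif sha256_file(full) == digest:
            report["ok"].append(rel)
        else:
            report["changed"].append(rel)
            with open(full, "rb") as f:
                if byte_entropy(f.read(1 << 20)) >= entropy_threshold:
                    report["suspect"].append(rel)
    return report

def demo():
    # Constructed scenario: a clean backup passes, then one file is overwritten
    # with random bytes (standing in for ransomware output) and is flagged.
    with tempfile.TemporaryDirectory() as root:
        doc = os.path.join(root, "budget.xlsx")
        with open(doc, "wb") as f:
            f.write(b"quarterly figures\n" * 200)
        manifest = build_manifest(root)
        before = verify_backup(root, manifest)
        with open(doc, "wb") as f:
            f.write(os.urandom(4096))
        return before, verify_backup(root, manifest)
```

Keep the manifest somewhere the backup host cannot write to, otherwise an attacker who reaches the backup can rewrite the manifest along with the files.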
Every year I buy the best preventive/detective solution from independent tests on this site:
http://www.av-comparatives.org/
Yours is the best resource offered so far. Thanks!
Malware targets the user as the vulnerability, not the OS. Switching to a different OS isn't going to help one bit.
This has been said enough times I can't believe you don't know that.