Posted on 07/19/2015 6:34:05 AM PDT by fwdude
I have recently had the unpleasant experience of having one of the new variants of the cryptolocker malware infect our computer servers at work. In case someone doesn't know, it's a computer worm that encrypts all the standard-format files on a system so that the user can't open the file without a "key," supplied by the hacker for a ransom.
My question, which I have researched extensively over the internet, is whether it is advisable to consider paying the ransom, if there is enough "honor among thieves" to trust that the files will be unlocked if I pay, and if there might remain some residual malware that might reinfect our computers.
And, no, there are no backup files that were untouched, the backups were infected as well.
Some of the files are critical, or at least would take an enormous amount of work to recreate or recover otherwise. Do you consider the risk worth the reward?
Did you try an old restore point?
Kaspersky Rescue Disk 10
Because everyone knows that there is no downside to giving Google more power.
Cryptolocker hit my servers last year and I had good backups that could be restored. Experts told me the best defense is good backups, for Cryptolocker can bust even the best anti-virus software.
I had Kaspersky on my servers and Crypto busted one of them to infect a few drives. I switched to Eset afterwards though.
In your case, I would pay since your backups are infected too. You can’t unlock the virus since it has 256-bit encryption. Sorry, anyone selling a solution is lying.
After you get your files back, then invest in better backups for if you had a decent backup system, this wouldn’t be a problem. Also, teach users on the network to not open strange attachments in email messages.
You can probably get rid of it. Since your entire network is infected, it is going to take time because each system on the network has to be taken off line (put into isolation) and repaired individually. This involves safe booting with nothing loaded except the basic drivers needed to explore the drives, removing the infection reference link(s) from the startup list (you can get there from msconfig), removing the infection itself (usually there are multiple files because they are designed to reinfect if you don’t get all instances), and then removing the infection commands within the registry by manually searching for references to the infected file names and deleting all instances in the registry.
You need to keep notes about infected file names and dates as you work at this. It helps to know when the infection started. The infected files typically have long names made of random characters and tend to be in hidden cache areas of the user who infected the system originally. The exe files of the infection have no corporate name associated with them when looking at them in the startup list, and usually they are the most recently added to the list.
Cleaning out ransomware will take about 1.5 to several hours, just depending on how many instances of the infection are on the system. If you are not meticulous in cleaning, you can easily reinfect the computer when you reboot, so it is always best to reboot in safe mode and recheck your startup file list and registry until you are sure no more instances of the ransomware are running and it is safe to boot normally.
As soon as you get some control of the system, you need to turn off Java from the control panel, because outdated Java is usually what allows ransomware infection to take over. Normally you don’t need to have Java turned on anyway, so it should always be off until needed.
Be aware that simply turning off ransomware is not the same as removing it, and your infected systems will continue to be carriers and will likely spread the infection to any new system they connect to. So it is best to actually clean out the infection.
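The triage the post above describes by hand (walk the startup list, flag entries with random-looking names, no recognizable vendor, or living in a user's cache folders) can be scripted. The following is an added example, not code from the poster or from any product named in the thread. It reads the standard Run/RunOnce keys when run on Windows and otherwise falls back to a constructed list of sample entries; the entry names, user name and paths in that list are invented for illustration, and the thresholds in looks_random() are assumptions chosen to catch machine-generated names without flagging ordinary product names.

```python
"""Triage Windows autostart (Run key) entries for ransomware-like persistence:
random-looking executable names and binaries launched from user-writable folders.
Added example; the sample entries below are constructed, not taken from a real machine."""
import ntpath
import re
import sys

# Standard autostart locations, read only when this runs on Windows.
RUN_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Folders any user can write to; legitimate services rarely autostart from here.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Temp|Downloads|Users\\Public)\\", re.I)

# Windows binary names malware likes to borrow; the real ones live under \Windows\.
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}

# Constructed sample entries (hypothetical names, user and paths invented for this example).
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("KasperskyAgent", r'"C:\Program Files (x86)\Kaspersky Lab\agent.exe" -silent'),
    ("xk3j9qwz7hd2plmv", r"C:\Users\jsmith\AppData\Local\Temp\xk3j9qwz7hd2plmv.exe"),
    ("Updater", r"C:\Users\jsmith\AppData\Roaming\svchost.exe"),
]


def extract_exe(command):
    """Return the executable path from a Run-key command line (quoted path or first token)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def looks_random(name):
    """Heuristic for machine-generated names: long and either vowel-poor or digit-laden.
    Thresholds are assumptions, tuned to pass ordinary product names like 'OneDrive'."""
    stem = ntpath.splitext(ntpath.basename(name))[0]
    alnum = re.sub(r"[^A-Za-z0-9]", "", stem)
    if len(alnum) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in alnum.lower()) / len(alnum)
    digit_runs = len(re.findall(r"\d+", alnum))
    return vowel_ratio < 0.2 or digit_runs >= 3


def triage_entry(name, command):
    """Return the reasons an autostart entry deserves a closer look ([] if none)."""
    exe = extract_exe(command)
    reasons = []
    if looks_random(name) or looks_random(exe):
        reasons.append("random-looking name")
    if USER_WRITABLE.search(exe):
        reasons.append("runs from a user-writable folder")
    if ntpath.basename(exe).lower() in SYSTEM_BINARY_NAMES and "\\windows\\" not in exe.lower():
        reasons.append("system binary name outside the Windows directory")
    return reasons


def triage_entries(entries):
    """Map entry name -> reasons, for every entry that was flagged."""
    flagged = {}
    for name, command in entries:
        reasons = triage_entry(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


def read_run_keys():
    """Collect (name, command) pairs from the Run keys; empty list when not on Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for hive_name, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(getattr(winreg, hive_name), path)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                entries.append((name, str(value)))
                index += 1
    return entries


if __name__ == "__main__":
    live = read_run_keys()
    for name, reasons in triage_entries(live or SAMPLE_ENTRIES).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run it from a safe-mode session before cleaning, and again after each reboot, so a re-spawned entry shows up in the diff between runs. The heuristics only narrow the list; the entries it flags still have to be inspected by hand, and an entry it does not flag is not thereby clean.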
What ConservativeMind said is right, get a CD of the type he mentioned and run it. When Windows is running, most contemporary viruses and such have the ability to shut down not only your antivirus, but any application Windows can use to defeat it. I’ve seen them shut down msconfig, registry editor, services editor, even task manager, so you couldn’t shut down specific processes.
In that case the only option is to run antivirus and malware scans from a bootable CD, so the operating system is not running, therefore the software installed cannot run since it is placed in the Start Up routine and runs before even the antivirus is loaded.
It may also be possible to recover data by the same method, while running from a bootable CD instead of Windows. I don’t know if this type of malware actually encrypts files, or just acts like it does while the software itself is running. Like some I’ve seen that try to make everything in the Windows folder write protected, but boot to a CD and that attribute can be changed or it acts normally while the malware is not running.
I don’t have any of the newer ones, mine is at least 10 years old, I got out of the computer repair business a while back. 15 years of it and I got burned out on that, and it was getting to the point it was usually better to just reinstall than try to locate and fix crap like this.
And consider setting up a Linux server and possibly a Linux hardware firewall. The workstations behind it can run Windows with no trouble, but putting Windows on a server that is the connection to the Internet is literally advertising for trouble. Windows has an application that allows remote connections. As long as it is enabled, it’s sitting there waving its arm around yelling “here I am”...Remote Assistance Service should always be disabled for a server connected to the internet...It’s useful inside the network, but a problem when exposed to the internet.
The difference is Linux never allows Administrator access. You have to enter a password to install any software, period. Software cannot install itself. Some viruses have been written specifically for Linux, but they don’t get far for that reason. It’s difficult to infect one computer, but not impossible, but 99% of Linux machines will not let it install.
You can also get specific Linux versions that act strictly as a firewall, or server, print server, you name it. And a lot of them can run on older equipment newer Windows versions would laugh at. My first attempt at Linux was a Pentium 233 MMX machine, Mandrake 8 ran great, Windows XP wouldn’t even install on that machine. XP required 400MHz minimum, and ran like a dog on that. So you could actually get an older 1GHz machine with 512MB RAM, make sure it has good hardware, set it up as a Linux hardware firewall, and it would run fine. That still wouldn’t stop software of this type getting in through email, the best antivirus in existence can’t stop them all.
Distro Watch is a good place for info
Use an external hard drive for backups, and unplug it the minute the backups are finished. If you use a computer, keep it disconnected from the internet. Even connected internally to a network is risky, it can be infected from other workstations. That’s why an external hard drive is best. With 2 TB and larger available, they are usable for backups these days. Mine for pictures is 1.5TB...always unplugged except while transferring.
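The post above is unsure whether this kind of malware actually encrypts the files or only makes them look locked while it is running. That question is worth settling from a bootable rescue environment before deciding anything about ransom or recovery, and it can be settled without the malware's cooperation: an intact PDF, Office document or image still starts with its format signature, while a file that was genuinely encrypted has lost that header and its bytes look uniformly random (entropy close to 8 bits per byte). The following is an added example, not code from the poster or from any product named in the thread. The sample files are constructed in memory, the pseudo_ciphertext() helper stands in for encrypted content, and the 7.5-bit entropy threshold and the small signature table are assumptions; it will misjudge compressed formats it has no signature for, since those are high-entropy when healthy.

```python
"""Decide whether files were actually encrypted or merely renamed/locked by checking
each file's format signature and the entropy of its first bytes.
Added example; sample contents are constructed, not real victim files."""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Leading bytes a healthy file of each type starts with (a small subset of known signatures).
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".docx": [b"PK\x03\x04"], ".xlsx": [b"PK\x03\x04"], ".pptx": [b"PK\x03\x04"], ".zip": [b"PK\x03\x04"],
    ".doc": [b"\xd0\xcf\x11\xe0"], ".xls": [b"\xd0\xcf\x11\xe0"],
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
}
SAMPLE_SIZE = 4096          # bytes read from the head of each file
ENTROPY_THRESHOLD = 7.5     # bits/byte; ciphertext sits near 8.0, text near 4-5 (assumed cut-off)


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for a constant or empty string)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_ext(filename):
    """Extension to judge by. If the last one is unknown, try the one before it,
    since ransomware commonly appends its own suffix (report.pdf.<suffix>)."""
    base, ext = os.path.splitext(filename)
    if ext.lower() not in MAGIC:
        ext2 = os.path.splitext(base)[1]
        if ext2.lower() in MAGIC:
            return ext2
    return ext


def classify(ext, head):
    """'intact' if the format header is present, 'encrypted' if it is gone and the bytes
    look like ciphertext, 'suspect' if readable bytes lack the expected header
    (renamed, truncated or attribute-changed rather than encrypted)."""
    sigs = MAGIC.get(ext.lower())
    if sigs and any(head.startswith(s) for s in sigs):
        return "intact"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "suspect"


def classify_file(filename, head):
    return classify(original_ext(filename), head)


def scan_tree(root):
    """Walk root and tally verdicts; returns (Counter of verdicts, list of (path, verdict))."""
    counts, results = Counter(), []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_SIZE)
            except OSError:
                continue
            verdict = classify_file(fn, head)
            counts[verdict] += 1
            results.append((path, verdict))
    return counts, results


def pseudo_ciphertext(seed, length=SAMPLE_SIZE):
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for encrypted content."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


# Constructed samples: filename -> head bytes, one per verdict the scanner can give.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" * 60,
    "report.pdf.encrypted": pseudo_ciphertext(b"report"),   # header gone, ciphertext-like
    "notes.docx": pseudo_ciphertext(b"notes"),               # same, ransomware kept the name
    "memo.doc": b"Quarterly memo, plain text only. " * 128,  # readable but wrong header
}


def write_samples(root=None):
    """Write the constructed samples to a scratch directory and return its path."""
    root = root or tempfile.mkdtemp(prefix="ransom_check_")
    for name, head in SAMPLES.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(head)
    return root


if __name__ == "__main__":
    counts, results = scan_tree(write_samples())
    for path, verdict in results:
        print(f"{verdict:9s} {path}")
    print(dict(counts))
```

Point scan_tree() at the mounted data volume from the rescue CD. A large 'encrypted' count with intact headers nowhere in sight means the data really was overwritten and the only ways back are backups or the key; a majority of 'suspect' or 'intact' verdicts means the files are recoverable once the malware is off the box, and the attribute or rename trick described above is all that happened.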
Pay the ransom once, then pay it twice, then a third time. Soon you’ll realize that your business now has a new partner that you can’t get shed of and that doesn’t do anything for the business but take.
Ditto. I now keep Hitman Pro on a thumbdrive that travels with my laptop.
It’s a problem... I didn’t realize that it was a multiple computer problem. All it takes is one weak link to gain trust throughout the whole network you have if it isn’t adequately firewalled through a server.
In my old company, for a long time we had both a local peer to peer intranet in the company combined with independent, multiple access to the internet. It was an accident waiting to happen, although fortunately it didn’t, and the system was eventually modernized.
If the price is not too high, I would pay.
Because MS is so ‘good’ to its end customers!
I had problems with Download.com about a year ago. Long-story-short, I had to reformat and reinstall. It may not be their fault but they are not protecting their clients.
The first time I received a ransomware “lock”, I took my laptop to a local repair shop. He fixed it, and added Malwarebytes and “CleanUp”. The second (and third) time, I popped out the battery, drained what charge remained, and got back onto the Internet and FR!
Your solution to any Windows problem is to replace it with Apple, which in the context of this problem isn't going to help one bit. If the problem is indeed on the servers then there's nothing "Apple" to replace it with. Apple abandoned the enterprise server market years ago to pursue their fortune in pocket toys.
Beyond that, it isn't going to do anything to get the data back. I think you'd rather see the data lost so that it can be blamed on Windows than to see it actually get recovered.
This is from 2011:
Apple doesn't even have Apple servers in their own data centers.
You DO KNOW it’s 2015, don’t you ?