New Ransomware



blanco
10-01-2015, 09:59 PM
Just been reading this article about PClock from Emsisoft. They have a new free decryption
tool to get rid of it, similar to Cryptoprevent. Read the article here:

http://www.bleepingcomputer.com/forums/t/561970/new-pclock-cryptolocker-ransomware-discovered/

wainuitech
10-01-2015, 10:33 PM
:thumbs:

Sneaky stuff :devil
The malware will then delete the Shadow Volume Copies on the infected computer by issuing the vssadmin Delete Shadows /All /Quiet comma

Emsisoft do some good stuff. Interesting reading on their Blogs as to how much crap happens all the time http://blog.emsisoft.com/
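The quoted vssadmin line is the part of the article most worth acting on from the defender's side: the malware deletes the Volume Shadow Copies before the victim notices anything, so a process-creation log is the place to catch it. Below is an added example, not code from the thread, from Emsisoft or from BleepingComputer, that scans constructed Sysmon-style process-creation records (Sysmon event ID 1 or Security event 4688 carry the same fields in practice) for shadow-copy deletion. It goes a little beyond the single form quoted above: it matches case-insensitively, regardless of switch order, and whether vssadmin is launched directly or through cmd.exe. The record layout, field names and sample paths are this example's own assumptions.

```python
"""Detect shadow-copy deletion in process-creation logs.

Added example, not code from the forum thread or from any tool it names.
The record layout below (pipe-delimited: timestamp|host|parent_image|image|
command_line) and the sample contents are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records, one per line.
SAMPLE_LOG = """\
2015-01-11T22:14:02Z|DIGBY-PC|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe invoice.txt
2015-01-11T22:14:05Z|DIGBY-PC|C:\\Users\\digby\\AppData\\Roaming\\unknown.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin Delete Shadows /All /Quiet
2015-01-11T22:14:06Z|DIGBY-PC|C:\\Users\\digby\\AppData\\Roaming\\unknown.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c VSSADMIN.EXE delete shadows /quiet /all
2015-01-12T09:00:00Z|DIGBY-PC|C:\\Windows\\System32\\mmc.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2015-01-12T09:05:00Z|DIGBY-PC|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /for=C: /oldest
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    parent_image: str
    command_line: str
    scope: str  # "all" = every shadow copy; "selective" = /for or /oldest style


def parse_record(line: str) -> Dict[str, str]:
    """Split one pipe-delimited record into named fields."""
    parts = line.rstrip("\r\n").split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    keys = ("timestamp", "host", "parent_image", "image", "command_line")
    return dict(zip(keys, parts))


def shadow_deletion_scope(command_line: str) -> Optional[str]:
    """Return the deletion scope if the command deletes shadow copies, else None."""
    tokens = [t.strip('"').lower() for t in command_line.split()]
    # Locate vssadmin by basename wherever it sits (it may follow "cmd.exe /c").
    for i, tok in enumerate(tokens):
        if tok.rsplit("\\", 1)[-1] in ("vssadmin", "vssadmin.exe"):
            args = tokens[i + 1:]
            break
    else:
        return None
    # vssadmin grammar: <verb> <object> [/switch ...]; only "delete shadows" matters here.
    if len(args) < 2 or args[0] != "delete" or args[1] != "shadows":
        return None
    switches = {a.split("=", 1)[0] for a in args[2:] if a.startswith("/")}
    return "all" if "/all" in switches else "selective"


def scan_log(text: str) -> List[Alert]:
    """Return one Alert per record whose command line deletes shadow copies."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        scope = shadow_deletion_scope(rec["command_line"])
        if scope is not None:
            alerts.append(Alert(rec["timestamp"], rec["host"], rec["parent_image"],
                                rec["command_line"], scope))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} scope={a.scope:9} parent={a.parent_image}")
        print(f"    {a.command_line}")
```

Listing shadow copies is ordinary administration and is deliberately not flagged; a "delete shadows /all" with a parent process living under a user profile, as in the second and third constructed records, is the combination that deserves an immediate page, because once it succeeds the Shadow Explorer recovery suggested later in this thread has nothing left to export.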

blanco
11-01-2015, 12:08 AM
Agreed. Nice to know that there are people out there that monitor/detect
and find solutions for these problems.
I mistakenly compared the PClock decryption tool to CryptoPrevent, which
is an installed system monitoring program. The PClock Decryptor is a scan/
removal tool. I believe that the latest version of HitmanPro may also deal with
PClock - not sure about that.

Digby
12-01-2015, 07:11 AM
I think I have just been hit with something like this.

I cannot access any data files on my C or D drive. It says the file extension is wrong.

MS Defender was warning me of security issues last night.

But I went to bed.

This morning I cannot read any of my data files on C or D drive using Windows 7.

doc, xls, mdb, jpg or video!

I was not asked for a ransom.

Luckily I have all of my files on an E drive and a backup drive stored off site.
But it's 2 weeks old.

blanco
12-01-2015, 07:41 AM
If you had been hit by either PClock or Cryptolocker you should have
a notice on your screen or at least a shortcut to it on your desktop.
Look here:
http://www.bleepingcomputer.com/forums/t/561970/new-pclock-cryptolocker-ransomware-discovered/

Lawrence
12-01-2015, 11:12 AM
See if you can see a solution here http://malwaretips.com/forums/malware-removal-guides.11/

Digby
12-01-2015, 02:37 PM
There is no desktop item or message.

There is no help on that Malwarebytes link.

But Office cannot read any of my data files - a message says they have the wrong extension or they are corrupt.

Also I cannot view any jpgs or video files.

But after running Defender and Malware Bytes any new files I create with Word etc are OK.

So my question is - do I try to find a fix for all of my files,
or try System Restore,
or revert to backups (2 weeks old)?
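The "wrong extension or corrupt" message Digby describes is what an encrypted document looks like from Office's side: the filename is untouched but the bytes behind it no longer carry the format's header. Before deciding between a fix, System Restore and two-week-old backups, it helps to know exactly which files were reached. The script below is an added example, not code from the thread or from any tool named in it: it checks each file's leading bytes against the signature its extension should have and measures Shannon entropy, so ciphertext stands out from files the malware never got to and from files that are merely truncated or misnamed. It generalises beyond Digby's doc/xls/mdb/jpg list to a small table of common types; the table, thresholds and constructed sample files are this example's own assumptions.

```python
"""Triage which files a ransomware run has actually encrypted.

Added example, not code from the forum thread or from any product it mentions.
Signature table, entropy threshold and the constructed sample files below are
assumptions made for the example.
"""
import math
import os
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Expected (offset, signature) per extension: a short, well-known subset.
SIGNATURES = {
    "docx": (0, b"PK\x03\x04"), "xlsx": (0, b"PK\x03\x04"), "zip": (0, b"PK\x03\x04"),
    "doc": (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    "xls": (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    "mdb": (4, b"Standard Jet DB"),
    "jpg": (0, b"\xff\xd8\xff"), "jpeg": (0, b"\xff\xd8\xff"), "png": (0, b"\x89PNG"),
    "pdf": (0, b"%PDF"), "mp4": (4, b"ftyp"), "avi": (0, b"RIFF"),
}
HEAD_BYTES = 64 * 1024   # bytes sampled from the start of each file
HIGH_ENTROPY = 7.0       # bits per byte; ciphertext and compressed data sit near 8.0


@dataclass(frozen=True)
class Verdict:
    name: str
    signature_ok: Optional[bool]  # None when the extension is not in the table
    entropy: float
    label: str


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def signature_matches(name: str, head: bytes) -> Optional[bool]:
    """True/False if the extension has a known signature, None otherwise."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in os.path.basename(name) else ""
    if ext not in SIGNATURES:
        return None
    offset, sig = SIGNATURES[ext]
    return head[offset:offset + len(sig)] == sig


def classify(name: str, head: bytes) -> Verdict:
    """Combine the header check and entropy into one of four labels."""
    ok = signature_matches(name, head)
    ent = shannon_entropy(head)
    if ok is True:
        label = "intact"
    elif ok is False and ent >= HIGH_ENTROPY:
        label = "likely-encrypted"       # header gone and bytes look random
    elif ok is False:
        label = "header-mismatch"        # truncated, misnamed or otherwise damaged
    else:
        label = "high-entropy-unknown" if ent >= HIGH_ENTROPY else "unknown-type"
    return Verdict(name, ok, round(ent, 2), label)


def triage_directory(root: str) -> List[Verdict]:
    """Classify every readable file under root (e.g. a D: data drive)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue
            results.append(classify(path, head))
    return results


def sample_files() -> Dict[str, bytes]:
    """Constructed stand-ins for files on a data drive (not real user data)."""
    rng = random.Random(2015)  # fixed seed so the 'ciphertext' is reproducible
    scrambled = bytes(rng.getrandbits(8) for _ in range(8192))
    return {
        "budget.xlsx": b"PK\x03\x04" + b"sheet data " * 400,      # untouched
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 2000,       # untouched
        "letter.docx": scrambled,                                   # encrypted
        "notes.doc": b"\xd0\xcf\x11\xe0" + b"x" * 100,             # damaged, not encrypted
        "readme": b"plain text, extension unknown\n" * 20,          # no signature to check
    }


def demo() -> Dict[str, str]:
    """Label each constructed sample; used by __main__ and by the checks below."""
    return {name: classify(name, data).label for name, data in sample_files().items()}


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:14} {label}")
```

Run triage_directory over the data drive and sort by label: "intact" files need no restore, "likely-encrypted" ones are the restore list, and "header-mismatch" is worth a look by hand before assuming the malware did it. Compressed formats such as docx and zip have high entropy by nature, which is why the verdict leans on the signature first and only uses entropy to separate ciphertext from plain corruption.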

wainuitech
12-01-2015, 03:17 PM
Wouldn't go running System restore just yet.

Suggestion: download and run the portable Shadow Explorer (http://www.shadowexplorer.com/downloads.html). Run it; top left, select the drive the items are on. To the right is a date; from the drop-down box select a date when the files were OK (may take a moment to load). Select the files, right click - Export (select location), and see if they work OK.

Digby
12-01-2015, 06:51 PM
Yes I just got the message on my desktop.

From Cryptolocker.

Send them 1.00 bitcoin (US$270).

So whilst I may have been able to delete the malware,
my files are encrypted and I will have to go to my off-site backup.

They use 1024 bit encryption.

Bast.....s

wainuitech
12-01-2015, 07:15 PM
Give https://decryptcryptolocker.com/ a crack ( no pun intended). Nothing to lose, never tried it though.

Some advice -- if you have other computers on a LAN, disconnect them; it can infect them all over the LAN.


What are Your Options after an Attack?
Instead of paying the hackers, you should immediately unplug your computer from the Internet, shut it down, and let the professionals at Lanspeed take a look at it. CryptoLocker can quickly infect your computer, and by the time you realize something is wrong, it may be too late. Additionally, you really don't want to have a virus like this active on your computer while it's plugged into your company's network because it will spread to other workstations.

Calling in the professionals for this one is really your best course of action because CryptoLocker is designed to make changes to your PC's registry upon restart, as well as encrypt the files for your remote and fixed drives. This means that you don't have time to troubleshoot the problem from the backend, and turning your computer on and off again will just make the problem worse.

blanco
12-01-2015, 08:49 PM
CryptoLocker prevention tool: https://www.foolishit.com/vb6-projects/cryptoprevent/

Read the description - may have prevented Digby's problem?

Digby
12-01-2015, 09:38 PM
CryptoLocker prevention tool: https://www.foolishit.com/vb6-projects/cryptoprevent/

Read the description - may have prevented Digby's problem?

But how many more security software programs does the world need?

And surely Defender and Malwarebytes look for it.

Maybe I should have bought the full version of Malwarebytes.

Maybe I should not have let two people use my computer for a day.
I have been using it for years with no problems like this.
I know what to look for in phishing emails etc etc.

blanco
12-01-2015, 10:03 PM
Quote (Digby): But how many more security software programs does the world need?
And surely Defender and Malwarebytes look for it.

It seems that ransomware such as CryptoLocker is able to bypass most if not all
conventional protection programs installed on Windows operating systems. Hence the
need for additional protection against encryption malware.
Cryptoprevent is a small unintrusive system monitoring tool (about 4MB) which runs
alongside your main installed protection and is dedicated to detecting and preventing any
attempt to encrypt system files. Must be worthwhile downloading and installing.

By now it should be a component of all AV software but sadly not.

wainuitech
12-01-2015, 10:23 PM
Sorry if this sounds a bit blunt, BUT whoever opened the files, and they are generally zipped -- it's done, so "maybe" is irrelevant. I'm sure you know better; no one I know would send "your invoice, receipt" in a zipped file.

This is NOT a criticism of your skills, it's just some points.

What many people don't understand is that the free versions, like Malwarebytes, are NOT real-time protection. A person needs to purchase to get that; some people are tighter than a fish's bum. The same with the software linked above for CryptoLocker: the free version is partly disabled. These types of programs are really cures rather than prevention. Even then they still need to be set up fully.

It's like ALL antivirus software: some of the more real-time protection is not enabled by default.
Some AVs don't enable PUP detection by default; that's why when installing a person has to either have a read or get help from someone who knows the software. Most people simply install and "She'll be right" :D

Seen it MANY times: some resellers of NOD32 simply install the software and don't enable the advanced features. The same with Avast, some of the higher options are disabled. Today I did a scan with NOD on a PC riddled with infections, several Trojans and rootkits (over 160 total); it had the latest Avast and at least 40% of Avast was disabled.
When setting up NOD, it only takes a few seconds to enable the advanced features and it works a lot better -- it's all about what you are providing & knowing the software.

Rant Over :p

Digby
13-01-2015, 05:47 AM
@Wainuitech

That was a good rant.
I am pretty sure that I did not open any email zipped file.
But I do get a lot of them from the IRD (dur) and overseas courier companies and banks that I do not even bank with.
As I have said, there were two people using my PC that day. It may have been them.
It may have been me.

But yes, I need to look into getting a paid-for live version of my antivirus.

Lawrence
13-01-2015, 07:07 AM
There are lots of ways this gets in; when the first ransomware virus was going around last year there were lots of ways it got in.

At the time Hitman Pro was a fix and they added Hitman Pro Alert and another; Cryptoprevent was brought out to stop intrusions.

I installed Hitman Pro Alert after fixing a couple of comps disabled by ransomware; latest build http://www.surfright.nl/en/home/press/surfright-announces-alert-3

This has now morphed into Cryptolocker which encrypts files, which is scary; sure makes you up your security.

Last year Malwarebytes was offering lifetime licences as a giveaway for a time for their Pro version which is on watch full time (real-time protection).

Digby
13-01-2015, 12:37 PM
CryptoLocker prevention tool: https://www.foolishit.com/vb6-projects/cryptoprevent/

Read the description - may have prevented Digby's problem?

Whilst it "may have prevented" my problems,

the name of the website and the fact that they offer me bingo-type prizes hardly gives me encouragement to try it.

I think the best thing will be to get a paid version of Malwarebytes and run it in real time.

Digby
13-01-2015, 12:56 PM
I think I have removed Cryptolocker from my PC.

Now I need to restore from my backups.

But I still have the horrible Cryptolocker message on my desktop, which is now black.

Can anyone suggest how I can remove this?

Lawrence
13-01-2015, 01:11 PM
Did you try the fix wainui suggested, Fox-IT and FireEye? Looks like the only one.

Story here http://www.bbc.com/news/technology-28661463

Looks like you are the only one here to be hit with this, and it would be interesting to see how you deal with it; helps us all.

wainuitech
13-01-2015, 02:07 PM
What did you scan with to remove it? Malwarebytes should have gotten it, but it may have missed a bit.

Download the Emsisoft Emergency Kit (makers of the new version removal tool) http://www.emsisoft.com/en/software/eek/ - once extracted, by default the exe puts it in a folder on the C drive called EEK. Run the scanner with the FULL SCAN option and see if it locates anything else.

Otherwise it may be a wallpaper-type file showing?

Digby
13-01-2015, 04:08 PM
Did you try the fix wainui suggested, Fox-IT and FireEye? Looks like the only one.

Story here http://www.bbc.com/news/technology-28661463

Looks like you are the only one here to be hit with this, and it would be interesting to see how you deal with it; helps us all.

Yes I tried that site.

I sent them a simple Excel spreadsheet and they said it was not a recognised file.

So I do not think they would be able to decrypt most of my other files.

After reading lots of articles about Cryptolocker and its 1024 bit encryption, I think I would need to take my PC to the FBI or CIA to get them unencrypted.

I also tried that Shadow Explorer which some people have reported good luck with.

But in my case it did not find any folders after waiting a while. (It did find the folders on my C drive.)

Removing Cryptolocker seems relatively easy.
Getting your files back seems impossible (without paying the ransom, which I refuse to do).
And there is even talk that they are missing out on money as they require payment in Bitcoins, which most people are not familiar with or able to set up in time to get the key before it expires!!!

So you/we/I/they must do regular external backups.
Which luckily I have, but they are a few weeks old.

I'd love to know how I got it......

Lawrence
13-01-2015, 05:41 PM
Looks scary; prevention is the best defence, through Hitman Pro Alert or Cryptoprevent, also Malwarebytes Pro.

Does this look familiar http://malwaretips.com/threads/inside-cryptowall-2-0-ransomware-professional-edition.40576/

Lawrence
13-01-2015, 06:17 PM
Been trying to find this post all day which I saw the other day

http://www.bleepingcomputer.com/forums/t/561970/new-pclock-cryptolocker-ransomware-discovered/
My bet is on this.

Digby
13-01-2015, 06:55 PM
Been trying to find this post all day which I saw the other day

http://www.bleepingcomputer.com/forums/t/561970/new-pclock-cryptolocker-ransomware-discovered/
My bet is on this.

With 26 pages of posts on that forum it looks like many people have been hit with this malware (most of them seem fairly computer literate).

But the whole scene is too complicated and changing on a daily basis for me to attempt it.

E.g. some on that forum believe that the creators of the malware are reading the forum and updating their software to combat any fixes!

Why doesn't the Russian government track the guy down and run an exe on him?

Lawrence
13-01-2015, 07:33 PM
Seems like there are variants written daily; seems like trying to remove it by other means compromises the outcome with Emsisoft Decryptor.

If you have a file backup or an image of your system, better to use it.

See you added a post to the forum. I would use Hitman Pro, Kaspersky Rescue Disk 10, AdwCleaner or RKill 2.7.0.0.

These worked for the earlier ransomware virus; try any one, but the first 2 are proven.

Digby
15-01-2015, 06:33 AM
I have restored from my backups.
But they are 2 weeks old.
That will teach me for not doing them more often.
But when you have so much data, backing up gets a bit tedious.
I will have a full review of my backup procedures.

blanco
15-01-2015, 10:54 AM
Good to know that you have solved the problems and note what you say
regarding backup frequency. You may be hit again by ransomware, so
search for, download and install a recommended anti-encryption program.

zqwerty
15-01-2015, 06:51 PM
Is data on a separate partition to the O/S but on the same HDD encrypted as well?

Anyone know?

wainuitech
15-01-2015, 07:21 PM
Is data on a separate partition to the O/S but on the same HDD encrypted as well?

Anyone know?

Take it as yes, it can; it would take a few seconds longer. The infection is capable of spreading over a LAN and encrypting other computers, servers etc, so a drive on the same PC wouldn't be a problem.

Digby
16-01-2015, 04:56 PM
My setup was/is three physical hard drives:
C, D and E.

C has Windows and programs.
D has data.
E has a copy of the data.

The log Cryptolocker created said that it had encrypted all of my data files on C, D and E.

But that is not true, as I disconnected my E drive before it could get to it. (I have a lot of files on D and E.) (It did not get all of the files on D drive either.)

Agent_24
18-01-2015, 02:00 PM
What an evil piece of work...

zqwerty
20-01-2015, 10:25 AM
There is this new offering from Kaspersky:

http://www.majorgeeks.com/files/details/kaspersky_scraperdecryptor.html

I think it is offering to decrypt affected files???

Lawrence
20-01-2015, 12:44 PM
Another tool from Bitdefender looks promising:

http://malwaretips.com/threads/bitdefender-anti-cryptowall.40927/

http://www.bleepingcomputer.com/forums/t/563169/after-a-brief-hiatus-malware-developers-release-cryptowall-3/