A friendly reminder to evaluate, execute, and test your backup procedures. Now is as good a time as any, especially if you haven't done so in a while.
Now for something more dark. This is James Bond and secret-agent material. This is about the CryptoLocker virus kit, or Ransomware. Arguably one of the most hated, feared, and respected malware packages ever made.
This malware arrives on your system when you click on an attachment. It scans your system for popular filetypes and proceeds to encrypt them with RSA-2048, and/or AES-256. This effectively prevents you from using those files. And it then demands you pay a fee to un-encrypt them. You are required to pay something anywhere from $100 USD to $2,000 USD depending on the variant you got infected with. You make payment anonymously through a MoneyPak card or Bitcoin.
You typically get a time limit of around 75 hours to come up with the funds. And if you don't, the other half of the encryption key set is permanently deleted off the CnC, rendering even the malware's own decryptor incapable of effecting a restoration.
Ohh yes, it travels across network shares and USB jumpdrives and encrypts files there. The CnC server gets a new IP address every now and then based on time and date. All of the activity and communication between the virus and its home-base server is RSA encrypted. If you delete the virus with anti-malware scanners and similar, you also delete the data necessary to effect restoration. Recently (and sometimes still now) anti-virus scanners don't alert you till after the hijacking process has been started or is complete. It operates in safe mode too.
And there's more! But you'll need to read up on your own. But most importantly, if you do pay the ransom, currently averaging $300-600 USD, this virus will undo the "damage" and restore your system to what it was.
There have been reports that the data is restored, and sometimes not. But mostly it is. Sometimes not because efforts to take down the constantly roaming CnC server interfere with the ability of an infected PC to get the necessary codes. This is malware that does exactly what it promises.
All my pro IT buddies and sysadmins are recommending paying the fee and moving on. That only encourages the authors to crank up the stakes and make better versions.
On the other hand, they're scrambling to make sure proper, working backups are in place, which is a good thing.
The main infection vector is through social engineering and botnets. You get a fake legal notice or package delivery notice. You click on a .zip file, which either contains or is an executable. This starts the downloader and sometimes a botnet node. Then it downloads the encryptor program. Then, when enough of your files are locked, it displays the notice. Sometimes this sits around and works slowly, hoping you cycle through your daily backups. Some newer variants delete VSS copies too (see #2 below).
So far there are 3 possible ways to recover from this.
1- Restore from an off-line backup. Off-line backups are King in this situation. Restore from image or file differences and away you go!
2- You can try and see what the Windows VSS service has done; it may have made recent copies of your files without you even knowing it, which earlier versions of the virus didn't affect. Simply roll them back. You can use Shadow Explorer to help you out with this.
3- Pay the fee.
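Step 2 carried out from an elevated PowerShell prompt, as an added example that is not part of the original post. The cutoff time, mount point and file path are placeholders to substitute; it assumes the VSS service still exists and that the variant you have did not delete the shadow copies:

```powershell
# Added example (not from the original post): find the newest Volume Shadow Copy that
# predates the infection and pull a clean copy of one file out of it.
# Run from an elevated PowerShell prompt. All paths and times below are placeholders.

# 1. Without the Volume Shadow Copy service there is nothing to roll back to.
$vss = Get-Service -Name VSS -ErrorAction Stop
Write-Host "VSS service status: $($vss.Status)"

# 2. List every snapshot, newest first, resolved to the drive letter it belongs to.
#    Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID both use the \\?\Volume{GUID}\ form.
$volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object -Property InstallDate -Descending |
    ForEach-Object {
        $sc  = $_
        $vol = $volumes | Where-Object { $_.DeviceID -eq $sc.VolumeName }
        [pscustomobject]@{
            Created = $sc.InstallDate
            Drive   = $vol.DriveLetter
            Device  = $sc.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    }
if (-not $shadows) {
    throw "No shadow copies present (newer variants delete them); restore from off-line backup instead."
}
$shadows | Format-Table -AutoSize

# 3. Pick the newest snapshot of C: taken before the ransom notice appeared. A snapshot
#    taken after encryption started only contains the locked files, so the cutoff matters.
$cutoff   = Get-Date '2013-10-20 08:00'   # placeholder: when the notice appeared
$snapshot = $shadows |
    Where-Object { $_.Drive -eq 'C:' -and $_.Created -lt $cutoff } |
    Select-Object -First 1
if (-not $snapshot) { throw "No shadow copy of C: older than $cutoff; fall back to off-line backup." }

# 4. Expose the snapshot as a directory junction so ordinary file tools can read it.
#    mklink requires the trailing backslash on the device path.
$mount = 'C:\ShadowMount'   # placeholder
cmd /c mklink /d $mount "$($snapshot.Device)\" | Out-Null

# 5. Restore beside the encrypted file, not over it: the encrypted copy stays as evidence
#    and nothing is lost if this snapshot turns out to be the wrong one.
$relative = 'Users\alice\Documents\budget.xlsx'   # placeholder
Copy-Item -Path (Join-Path $mount $relative) -Destination "C:\$relative.restored"

# 6. Remove the junction (rmdir on a junction removes the link only, never the snapshot).
cmd /c rmdir $mount
```

Shadow Explorer does the same enumeration and copy through a GUI; the script is useful when you need to check the snapshot date against the infection time before trusting it.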
What a nightmare, eh? And so far, it has been estimated the progenitors of this virus are going to bank millions!
You may read more about it here, or just conduct your own research.
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/
http://en.wikipedia.org/wiki/Cryptolocker (CryptoLocker - Wikipedia, the free encyclopedia)
http://www.fbi.gov/washingtondc/about-us/priorities