Pages:
Author

Topic: CryptoLock - wow they really are making some money (Read 8950 times)

full member
Activity: 182
Merit: 100
Fourth richest fictional character
Today our system admin sendet out a mail through my companies network: serious warning. Trojan comes through attached fax. This virus doesn't aim on private users, it aims on business networks.
It aims at everyone.
How does one even code such a thing?


C++
legendary
Activity: 2674
Merit: 3000
Terminated.
Today our system admin sendet out a mail through my companies network: serious warning. Trojan comes through attached fax. This virus doesn't aim on private users, it aims on business networks.
It aims at everyone.
How does one even code such a thing?
hero member
Activity: 803
Merit: 500
Today our system admin sendet out a mail through my companies network: serious warning. Trojan comes through attached fax. This virus doesn't aim on private users, it aims on business networks.
newbie
Activity: 42
Merit: 0
Yesterday we had a client call up in hysterics - only 24 hours left before CryptoLock is going to throw away the encryption keys - all data gone!

If interested, here are the screens she sent us http://imgur.com/a/EHBRb


Last night, we had a poke around the blockchain to see where the ransom monies flow.  Here is the ransom address we were provided: https://blockchain.info/address/1M83NXYuPpjEjYt8baXYxriQNCDyfWU8i3

Ransom address is cleared out with this transaction:
https://blockchain.info/tx/c20079ca4a978a8b6eea1ba7fc2e3603b91dd73e34b7d381fa527d05ab3be375

The address where ransom is cleared to is interesting, to say the least...
https://blockchain.info/address/1AEoiHY23fbBn8QiJ5y6oAjrhRY1Fb85uc

Total Received   4,691.06798731 BTC  and that is from 15-Oct-2013 to now.  It's probably just one of a number of clearing/consolidation addresses.

These guys are probably making USD50,000,000 a year or more!


BTW - we calmed her down, eventually solved her problem.  As a side note: the CryptoLock people need to dumb down the bitcoin thing - there must be hundreds of victims out there, like this lady, who've never even heard of bitcoin.




Even if you pay, you're only financing the next version.
P.S But if some guys need informations

must pay 100%
legendary
Activity: 2674
Merit: 3000
Terminated.
The remote hard-drive can be in a system that stays offline until receiving a WOL packet.

I haven't got my routine backups working yet, so can't really tell you what I do.

Was planing to do both DVD-R HDD based backups.

Remote is important too. I suspect if your are using sneakernet, you would want to keep the off-site, off-line backups to weekly frequency.

Do your really have $600 worth of data every 12 hours? If that is the case, I may suggest some kind of version control system out of reach of the compromised Windows Machine.

I'm just asking in theory. No, I currently don't have that much. I like the idea of the WOL packet though.
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
If it is not offline, it is not a back-up.
and how would you make 12hr back-ups on a offline(possibly remote) HDD?

The remote hard-drive can be in a system that stays offline until receiving a WOL packet.

I haven't got my routine backups working yet, so can't really tell you what I do.

Was planing to do both DVD-R HDD based backups.

Remote is important too. I suspect if your are using sneakernet, you would want to keep the off-site, off-line backups to weekly frequency.

Do your really have $600 worth of data every 12 hours? If that is the case, I may suggest some kind of version control system out of reach of the compromised Windows Machine.
legendary
Activity: 2674
Merit: 3000
Terminated.
If it is not offline, it is not a back-up.

I think this virus would be vulnerable to the Cold Boot Attack. To encrypt the files, the key has to be in memory. To force the key to be in memory, you may even want to plug in an enticing-looking external drive for it to encrypt.

Edit: forgot about the DMA attack: figure IEEE 1394 connectors are a security risk Tongue
and how would you make 12hr back-ups on a offline(possibly remote) HDD?
legendary
Activity: 1400
Merit: 1013
Even though this should should be more properly thought of as Microsoft's problem, not Bitcoin's problem, there are people gearing up to use it as an excuse to introduce blacklisting.
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
If it is not offline, it is not a back-up.

I think this virus would be vulnerable to the Cold Boot Attack. To encrypt the files, the key has to be in memory. To force the key to be in memory, you may even want to plug in an enticing-looking external drive for it to encrypt.

Edit: forgot about the DMA attack: figure IEEE 1394 connectors are a security risk Tongue
legendary
Activity: 2674
Merit: 3000
Terminated.
A proper backup is done by using an external drive wich is not kept connected to the computer. Connect, backup, disconnect. Then if the computer is fucked, you have a backup.

Unless CL knows about that disk.
If it is physically disconnected from the computer, good luck infecting it.
Well I've pointed out what the issue here is. Some people do regular backups so disconnecting it each time is not worth the trouble and slowly damages the USB.
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
I wonder how does the virus deal with transactions? If it unlocks on send of the coins then after getting the encryption key, you can double-spend the transaction.
full member
Activity: 336
Merit: 100
I hate this ransomware
legendary
Activity: 1974
Merit: 1030
A proper backup is done by using an external drive wich is not kept connected to the computer. Connect, backup, disconnect. Then if the computer is fucked, you have a backup.

Unless CL knows about that disk.
If it is physically disconnected from the computer, good luck infecting it.

I just gave some emphasis to the critical part in your post Smiley.
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
A proper backup is done by using an external drive wich is not kept connected to the computer. Connect, backup, disconnect. Then if the computer is fucked, you have a backup.

Unless CL knows about that disk.
If it is physically disconnected from the computer, good luck infecting it.
hero member
Activity: 803
Merit: 500
some ideas what we learn from it
- everyone should be educated in computer security. We are in the 21th century. This should be school's lesson. If people learn this, they are ready to adopt bitcoin
- we need some kind of self regulatory Bitcoin-police, high-profile blockchain-forensics. Great work to make the adress of this bastards public! This adress should be tagged in the blockchain-explorer and watched like the fbi-adress. Then the hacker will live in fear he will be catched whenever he tries to spend the coins. Maybe some time miners could be asked: "Do you want to transfer the thief's coins?" - or something like this.
legendary
Activity: 1974
Merit: 1030
A proper backup is done by using an external drive wich is not kept connected to the computer. Connect, backup, disconnect. Then if the computer is fucked, you have a backup.

Unless CL knows about that disk.
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
It is funny:
there is a thread about mainstream adoption of bitcoin
and then there is the thread.

It is clear that the mainstream have no hope to adopt bitcoin, since they are even UNABLE to avoid such idiot virus and are UNABLE to properly backup their data. And they should adopt bitcoin? Ahahah nice joke

Backing up your data to a directory that CryptoLock looks for, even if on an external drive, will result in that directory getting encrypted too.

http://www.foolishit.com/vb6-projects/cryptoprevent/

A proper backup is done by using an external drive wich is not kept connected to the computer. Connect, backup, disconnect. Then if the computer is fucked, you have a backup.
legendary
Activity: 2674
Merit: 3000
Terminated.
yeah, in vista & 7 ... doing a system restore before the infection happened will hopefully get windows rolling again =) ... this uses VSS snapshots to roll files back to that point in time. If that fails, Im gathering .. removing the infection itself, then use VSS(previous versions) to restore encrypted files. Previous versions is accessed via right click on folders in explorer.

But, what would suck is if part of cryptolocker is if it deleted all VSS snapshots, then you would be outta luck. But from what other people have reported, it doesnt do that. Perhaps cryptolocker 2.0? would...lol
Just backup the VSS somewhere (if possible).
legendary
Activity: 2450
Merit: 1002
yeah, in vista & 7 ... doing a system restore before the infection happened will hopefully get windows rolling again =) ... this uses VSS snapshots to roll files back to that point in time. If that fails, Im gathering .. removing the infection itself, then use VSS(previous versions) to restore encrypted files. Previous versions is accessed via right click on folders in explorer.

But, what would suck is if part of cryptolocker is if it deleted all VSS snapshots, then you would be outta luck. But from what other people have reported, it doesnt do that. Perhaps cryptolocker 2.0? would...lol
legendary
Activity: 2674
Merit: 3000
Terminated.
VSS - volume shadow copy - aka previous version , available on all windows xp and higher. But turned off by default on many win 8 installs =(
MS castrated VSS in win 8
I've heard only about the name. I'll try it.
Pages:
Jump to: