CryptoLock - wow they really are making some money

AndrewWilliams

full member

Activity: 182

Merit: 100

Fourth richest fictional character

Quote from: Lauda on November 12, 2013, 04:03:51 PM

Quote from: C. Bergmann on November 12, 2013, 01:58:20 PM

Today our system admin sendet out a mail through my companies network: serious warning. Trojan comes through attached fax. This virus doesn't aim on private users, it aims on business networks.

It aims at everyone.
How does one even code such a thing?

C++

Lauda

legendary

Activity: 2674

Merit: 2965

Terminated.

Quote from: C. Bergmann on November 12, 2013, 01:58:20 PM

Today our system admin sendet out a mail through my companies network: serious warning. Trojan comes through attached fax. This virus doesn't aim on private users, it aims on business networks.

It aims at everyone.
How does one even code such a thing?

C. Bergmann

hero member

Activity: 803

Merit: 500

Today our system admin sendet out a mail through my companies network: serious warning. Trojan comes through attached fax. This virus doesn't aim on private users, it aims on business networks.

inform

newbie

Activity: 42

Merit: 0

Quote from: D357@RG on November 08, 2013, 09:30:44 PM

Yesterday we had a client call up in hysterics - only 24 hours left before CryptoLock is going to throw away the encryption keys - all data gone!

If interested, here are the screens she sent us http://imgur.com/a/EHBRb

Last night, we had a poke around the blockchain to see where the ransom monies flow. Here is the ransom address we were provided: https://blockchain.info/address/1M83NXYuPpjEjYt8baXYxriQNCDyfWU8i3

Ransom address is cleared out with this transaction:
https://blockchain.info/tx/c20079ca4a978a8b6eea1ba7fc2e3603b91dd73e34b7d381fa527d05ab3be375

The address where ransom is cleared to is interesting, to say the least...
https://blockchain.info/address/1AEoiHY23fbBn8QiJ5y6oAjrhRY1Fb85uc

Total Received 4,691.06798731 BTC and that is from 15-Oct-2013 to now. It's probably just one of a number of clearing/consolidation addresses.

These guys are probably making USD50,000,000 a year or more!

BTW - we calmed her down, eventually solved her problem. As a side note: the CryptoLock people need to dumb down the bitcoin thing - there must be hundreds of victims out there, like this lady, who've never even heard of bitcoin.

Even if you pay, you're only financing the next version.
P.S But if some guys need informations

must pay 100%

Lauda

legendary

Activity: 2674

Merit: 2965

Terminated.

Quote from: phillipsjk on November 11, 2013, 04:52:53 PM

The remote hard-drive can be in a system that stays offline until receiving a WOL packet.

I haven't got my routine backups working yet, so can't really tell you what I do.

Was planing to do both DVD-R HDD based backups.

Remote is important too. I suspect if your are using sneakernet, you would want to keep the off-site, off-line backups to weekly frequency.

Do your really have $600 worth of data every 12 hours? If that is the case, I may suggest some kind of version control system out of reach of the compromised Windows Machine.

I'm just asking in theory. No, I currently don't have that much. I like the idea of the WOL packet though.

phillipsjk

legendary

Activity: 1008

Merit: 1001

Let the chips fall where they may.

Quote from: Lauda on November 11, 2013, 04:15:44 PM

Quote from: phillipsjk on November 11, 2013, 04:11:31 PM

If it is not offline, it is not a back-up.

and how would you make 12hr back-ups on a offline(possibly remote) HDD?

The remote hard-drive can be in a system that stays offline until receiving a WOL packet.

I haven't got my routine backups working yet, so can't really tell you what I do.

Was planing to do both DVD-R HDD based backups.

Remote is important too. I suspect if your are using sneakernet, you would want to keep the off-site, off-line backups to weekly frequency.

Do your really have $600 worth of data every 12 hours? If that is the case, I may suggest some kind of version control system out of reach of the compromised Windows Machine.

Lauda

legendary

Activity: 2674

Merit: 2965

Terminated.

Quote from: phillipsjk on November 11, 2013, 04:11:31 PM

If it is not offline, it is not a back-up.

I think this virus would be vulnerable to the Cold Boot Attack. To encrypt the files, the key has to be in memory. To force the key to be in memory, you may even want to plug in an enticing-looking external drive for it to encrypt.

Edit: forgot about the DMA attack: figure IEEE 1394 connectors are a security risk Tongue

and how would you make 12hr back-ups on a offline(possibly remote) HDD?

justusranvier

legendary

Activity: 1400

Merit: 1013

Even though this should should be more properly thought of as Microsoft's problem, not Bitcoin's problem, there are people gearing up to use it as an excuse to introduce blacklisting.

phillipsjk

legendary

Activity: 1008

Merit: 1001

Let the chips fall where they may.

If it is not offline, it is not a back-up.

I think this virus would be vulnerable to the Cold Boot Attack. To encrypt the files, the key has to be in memory. To force the key to be in memory, you may even want to plug in an enticing-looking external drive for it to encrypt.

Edit: forgot about the DMA attack: figure IEEE 1394 connectors are a security risk Tongue

Lauda

legendary

Activity: 2674

Merit: 2965

Terminated.

Quote from: Gabi on November 11, 2013, 01:44:30 PM

Quote from: dserrano5 on November 11, 2013, 01:06:25 PM

Quote from: Gabi on November 11, 2013, 11:37:19 AM

A proper backup is done by using an external drive wich is not kept connected to the computer. Connect, backup, disconnect. Then if the computer is fucked, you have a backup.

Unless CL knows about that disk.

If it is physically disconnected from the computer, good luck infecting it.

Well I've pointed out what the issue here is. Some people do regular backups so disconnecting it each time is not worth the trouble and slowly damages the USB.

mprep

global moderator

Activity: 3794

Merit: 2612

In a world of peaches, don't ask for apple sauce

I wonder how does the virus deal with transactions? If it unlocks on send of the coins then after getting the encryption key, you can double-spend the transaction.

birkomester

full member

Activity: 336

Merit: 100

I hate this ransomware

dserrano5

legendary

Activity: 1974

Merit: 1029

Quote from: Gabi on November 11, 2013, 01:44:30 PM

Quote from: dserrano5 on November 11, 2013, 01:06:25 PM

Quote from: Gabi on November 11, 2013, 11:37:19 AM

A proper backup is done by using an external drive wich is not kept connected to the computer. Connect, backup, disconnect. Then if the computer is fucked, you have a backup.

Unless CL knows about that disk.

If it is physically disconnected from the computer, good luck infecting it.

I just gave some emphasis to the critical part in your post

.

Gabi

legendary

Activity: 1148

Merit: 1008

If you want to walk on water, get out of the boat

Quote from: dserrano5 on November 11, 2013, 01:06:25 PM

Quote from: Gabi on November 11, 2013, 11:37:19 AM

A proper backup is done by using an external drive wich is not kept connected to the computer. Connect, backup, disconnect. Then if the computer is fucked, you have a backup.

Unless CL knows about that disk.

If it is physically disconnected from the computer, good luck infecting it.

C. Bergmann

hero member

Activity: 803

Merit: 500

some ideas what we learn from it
- everyone should be educated in computer security. We are in the 21th century. This should be school's lesson. If people learn this, they are ready to adopt bitcoin
- we need some kind of self regulatory Bitcoin-police, high-profile blockchain-forensics. Great work to make the adress of this bastards public! This adress should be tagged in the blockchain-explorer and watched like the fbi-adress. Then the hacker will live in fear he will be catched whenever he tries to spend the coins. Maybe some time miners could be asked: "Do you want to transfer the thief's coins?" - or something like this.

dserrano5

legendary

Activity: 1974

Merit: 1029

Quote from: Gabi on November 11, 2013, 11:37:19 AM

A proper backup is done by using an external drive wich is not kept connected to the computer. Connect, backup, disconnect. Then if the computer is fucked, you have a backup.

Unless CL knows about that disk.

Gabi

legendary

Activity: 1148

Merit: 1008

If you want to walk on water, get out of the boat

Quote from: mel2000 on November 09, 2013, 05:35:12 PM

Quote from: Gabi on November 09, 2013, 06:44:19 AM

It is funny:
there is a thread about mainstream adoption of bitcoin
and then there is the thread.

It is clear that the mainstream have no hope to adopt bitcoin, since they are even UNABLE to avoid such idiot virus and are UNABLE to properly backup their data. And they should adopt bitcoin? Ahahah nice joke

Backing up your data to a directory that CryptoLock looks for, even if on an external drive, will result in that directory getting encrypted too.

http://www.foolishit.com/vb6-projects/cryptoprevent/

A proper backup is done by using an external drive wich is not kept connected to the computer. Connect, backup, disconnect. Then if the computer is fucked, you have a backup.

Lauda

legendary

Activity: 2674

Merit: 2965

Terminated.

Quote from: GenTarkin on November 11, 2013, 10:53:36 AM

yeah, in vista & 7 ... doing a system restore before the infection happened will hopefully get windows rolling again =) ... this uses VSS snapshots to roll files back to that point in time. If that fails, Im gathering .. removing the infection itself, then use VSS(previous versions) to restore encrypted files. Previous versions is accessed via right click on folders in explorer.

But, what would suck is if part of cryptolocker is if it deleted all VSS snapshots, then you would be outta luck. But from what other people have reported, it doesnt do that. Perhaps cryptolocker 2.0? would...lol

Just backup the VSS somewhere (if possible).

GenTarkin

legendary

Activity: 2450

Merit: 1002

yeah, in vista & 7 ... doing a system restore before the infection happened will hopefully get windows rolling again =) ... this uses VSS snapshots to roll files back to that point in time. If that fails, Im gathering .. removing the infection itself, then use VSS(previous versions) to restore encrypted files. Previous versions is accessed via right click on folders in explorer.

But, what would suck is if part of cryptolocker is if it deleted all VSS snapshots, then you would be outta luck. But from what other people have reported, it doesnt do that. Perhaps cryptolocker 2.0? would...lol

Lauda

legendary

Activity: 2674

Merit: 2965

Terminated.

Quote from: GenTarkin on November 11, 2013, 10:45:43 AM

VSS - volume shadow copy - aka previous version , available on all windows xp and higher. But turned off by default on many win 8 installs =(
MS castrated VSS in win 8

I've heard only about the name. I'll try it.

Topic: CryptoLock - wow they really are making some money (Read 8927 times)