Topic: Ransom demanded from an attacker (Read 4035 times)

legendary
Activity: 1848
Merit: 1009
February 01, 2016, 12:13:17 PM
#33
Install a good antivirus (it costs you up to 60 USD per year) if you really want to be protected, and back up your data daily/weekly.

The AV will not stop a hacker if he has remote access to your computer or server via a backdoor. They will exploit that and just encrypt your data. We used to do that in a classroom environment at school, and we used simple encryption in PKZIP.

It was mostly for fun, to get some extra food for lunch. The data was usually homework that was done by the students. We got caught and we got a massive hiding, which ended our hacking extortion scheme and cut off our extra food.

Any tips to prevent this from happening to us, that is, aside from not downloading crap received from emails?
member
Activity: 79
Merit: 10
February 01, 2016, 12:09:41 PM
#32

Hi all.

Just to share, we received the reply from the attacker as shown below.

Waiting for my brother to check and decrypt. I don't know if this works or not.



---------- Forwarded message ----------
From: Jack Williams <[email protected]>
Date: 2015-11-07 18:12 GMT+03:00
Subject: Re: Fwd: Email
To:

Hello!

Do you have process in the memory called lsassw86s.exe ? If yes , kill process lsassw86s.exe first.
Also delete c:\windows\system32\lsassw86s.exe file.

Now you can run decrypt tool.

1st Decrypt password: 145C7C3F238B235F36C19125854FC9A77A6K7)CIAu4wCUBc407T2(E3B43vEQ4q8R9I1g5b7kB*9fDzE3EwEa1+8i5N4F8)Dt4v712QB=5d0q8i0k
2nd Decrypt password: 21063857F60263D5921FFD2CB9B24E569(C54l6sDI9u1v4d7C2p7dA(BDCICSCv9FCl98744MEy8&BO7p7VASEo2@EXCODQCf619-DU6gCa4q9E0u
3rd Decrypt password: quu*A**$$quu*V$uLFquu*V$uLF


Decryption tool (password for the archive: 123 ):

https://www.sendspace.com/file/ex2rs1

Download it and unpack to any folder. Also program require administrative rules (use administrator account).

Run decrypt.exe .

Copy and paste the 1st, 2nd and 3rd Decrypt passwords into the decrypt tool's 3 fields.

If you have not stopped our software - use the decryption tool, because the tool will stop our software before decrypting the files.

This is very important to stop our software service (and don't delete any files in the ProgramData folder before stopping it) because your decrypted
files may be encrypted again.

p.s. when you start the decrypt tool it will seem as if the program is hanging, but everything is fine, just wait for the message about
successful completion of decrypting and don't touch the decrypt window with your mouse.

If you have any questions or troubles in decrypting feel free to contact me .


Thank You!

So does this mean they put 3 layers of cryptography around your data??

It's pretty impressive
member
Activity: 84
Merit: 10
February 01, 2016, 06:55:36 AM
#31


This is for my brother, who has nothing to do with Bitcoins... He had to pay to get his business data.

Bitstamp just confirmed that none of their users use this email address.... which most probably is for Multibit or something like that...

Why the hell would the guy use the same email to ask for ransom and to register in an exchange?

I'm sorry for your loss, btw.
legendary
Activity: 2492
Merit: 1018
February 01, 2016, 02:55:18 AM
#30

I hope a trend hasn't started where people start demanding bitcoin for all criminal attacks or could that be good for the market price hmmm ? Conclusion, bitcoin is going to change the world.

When Monero becomes popular in the near future, the attackers will demand Monero payment. That is more anonymous than bitcoin.

Sure, it will be one of their options in the future. They need no bitmixer to simply avoid tracking.
The information the OP's brother is trying to cover must be very private, must be worth paying the ransom for, as it could get him in trouble lol
full member
Activity: 189
Merit: 100
February 01, 2016, 02:34:49 AM
#29

I hope a trend hasn't started where people start demanding bitcoin for all criminal attacks or could that be good for the market price hmmm ? Conclusion, bitcoin is going to change the world.

When Monero becomes popular in the near future, the attackers will demand Monero payment. That is more anonymous than bitcoin.
legendary
Activity: 1946
Merit: 1007
February 01, 2016, 02:10:45 AM
#28

Reply from BTC-e:

Good afternoon

We do not have this address.



good afternoon

It addresses we have.

If this is true, try presenting them with proof that the funds were acquired after hacking. If you are lucky they will freeze the account and possibly even return the coins to you.


Doesn't hurt to try at least.
legendary
Activity: 3542
Merit: 1965
February 01, 2016, 01:17:22 AM
#27
Install a good antivirus (it costs you up to 60 USD per year) if you really want to be protected, and back up your data daily/weekly.

The AV will not stop a hacker if he has remote access to your computer or server via a backdoor. They will exploit that and just encrypt your data. We used to do that in a classroom environment at school, and we used simple encryption in PKZIP.

It was mostly for fun, to get some extra food for lunch. The data was usually homework that was done by the students. We got caught and we got a massive hiding, which ended our hacking extortion scheme and cut off our extra food.
legendary
Activity: 1470
Merit: 1004
January 31, 2016, 08:02:54 PM
#26
Install a good antivirus (it costs you up to 60 USD per year) if you really want to be protected, and back up your data daily/weekly.
newbie
Activity: 1
Merit: 0
January 31, 2016, 04:29:07 PM
#25
Hello,

We were also attacked by this person; the virus was identified and disabled, but it was too late. Did your brother recover his files after paying the ransom?
member
Activity: 78
Merit: 10
November 09, 2015, 03:53:32 PM
#24

Reply from BTC-e:

Good afternoon

We do not have this address.



good afternoon

It addresses we have.
member
Activity: 78
Merit: 10
November 08, 2015, 06:26:58 AM
#23

I think there was a vulnerability in RDP at that time, where the attacker was scanning for possible open systems....
member
Activity: 104
Merit: 10
November 08, 2015, 05:45:29 AM
#22
Crypto Lockers are definitely easy to remove.
hero member
Activity: 546
Merit: 500
November 08, 2015, 05:04:41 AM
#21

I hope a trend hasn't started where people start demanding bitcoin for all criminal attacks or could that be good for the market price hmmm ? Conclusion, bitcoin is going to change the world.
hero member
Activity: 1582
Merit: 502
November 08, 2015, 04:35:39 AM
#20
How did your brother download the scam tool and run it in the first place?
Can he trace the source?
member
Activity: 78
Merit: 10
November 08, 2015, 01:44:15 AM
#19

Hi all.

Just to share, we received the reply from the attacker as shown below.

Waiting for my brother to check and decrypt. I don't know if this works or not.



---------- Forwarded message ----------
From: Jack Williams <[email protected]>
Date: 2015-11-07 18:12 GMT+03:00
Subject: Re: Fwd: Email
To:

Hello!

Do you have process in the memory called lsassw86s.exe ? If yes , kill process lsassw86s.exe first.
Also delete c:\windows\system32\lsassw86s.exe file.

Now you can run decrypt tool.

1st Decrypt password: 145C7C3F238B235F36C19125854FC9A77A6K7)CIAu4wCUBc407T2(E3B43vEQ4q8R9I1g5b7kB*9fDzE3EwEa1+8i5N4F8)Dt4v712QB=5d0q8i0k
2nd Decrypt password: 21063857F60263D5921FFD2CB9B24E569(C54l6sDI9u1v4d7C2p7dA(BDCICSCv9FCl98744MEy8&BO7p7VASEo2@EXCODQCf619-DU6gCa4q9E0u
3rd Decrypt password: quu*A**$$quu*V$uLFquu*V$uLF


Decryption tool (password for the archive: 123 ):

https://www.sendspace.com/file/ex2rs1

Download it and unpack to any folder. Also program require administrative rules (use administrator account).

Run decrypt.exe .

Copy and paste the 1st, 2nd and 3rd Decrypt passwords into the decrypt tool's 3 fields.

If you have not stopped our software - use the decryption tool, because the tool will stop our software before decrypting the files.

This is very important to stop our software service (and don't delete any files in the ProgramData folder before stopping it) because your decrypted
files may be encrypted again.

p.s. when you start the decrypt tool it will seem as if the program is hanging, but everything is fine, just wait for the message about
successful completion of decrypting and don't touch the decrypt window with your mouse.

If you have any questions or troubles in decrypting feel free to contact me .


Thank You!
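A defender-side check for the indicator the forwarded e-mail names, added here as an example; it is not the attacker's tool and was not posted in the thread. It takes only the file name lsassw86s.exe and the System32 location from the message above; the function names are my own. It assumes a Windows host with PowerShell 3 or later and an elevated prompt (without elevation Win32_Process does not expose the image path of protected processes, which would produce false matches against the genuine lsass.exe).

```powershell
# Added example, not part of the thread. Triage script for the indicator in
# the forwarded e-mail: a process/file "lsassw86s.exe" imitating the genuine
# Windows lsass.exe. Run from an elevated PowerShell prompt.

$SuspectName = 'lsassw86s.exe'                          # name quoted in the thread
$LegitLsass  = Join-Path $env:SystemRoot 'System32\lsass.exe'

function Find-LsassLookalike {
    # Every running process whose image name starts with "lsass" but whose
    # on-disk path is not the real System32\lsass.exe. The genuine one runs
    # exactly once from that path; anything else deserves a look.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -like 'lsass*' -and $_.ExecutablePath -ne $LegitLsass } |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate
}

function Find-SuspectService {
    # The e-mail refers to "our software service": list any Windows service
    # whose binary path references the suspect file name.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like "*$SuspectName*" } |
        Select-Object Name, State, StartMode, PathName
}

function Get-SuspectFileInfo {
    # Record hash, signature state and timestamp of the file BEFORE anyone
    # deletes it, so the sample can later be matched against AV vendor data.
    $path = Join-Path $env:SystemRoot "System32\$SuspectName"
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    [pscustomobject]@{
        Path      = $path
        Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
        Created   = (Get-Item -LiteralPath $path).CreationTimeUtc
    }
}

$procs = Find-LsassLookalike
$svcs  = Find-SuspectService
$file  = Get-SuspectFileInfo

if (-not $procs -and -not $svcs -and -not $file) {
    Write-Output "No lsass look-alike process, service or file found."
} else {
    Write-Output '== Processes =='; $procs | Format-Table -AutoSize
    Write-Output '== Services ==';  $svcs  | Format-Table -AutoSize
    Write-Output '== File ==';      $file  | Format-List
}
```

The script only reports; it does not kill or delete anything. The e-mail tells the victim to delete the file straight away, but taking the hash and a copy first is what lets an AV vendor or incident responder identify the family, and it costs nothing.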
member
Activity: 78
Merit: 10
November 07, 2015, 03:05:33 PM
#18


Google has not replied yet about who the person sending us messages is or where he is located.
member
Activity: 78
Merit: 10
November 07, 2015, 02:39:55 PM
#17


Hi all,

thanks for the replies. Unfortunately the backup drive was connected to the server and got encrypted. It is not a virus but a person who logged in using RDP, according to his answer when we asked how he broke in.

If we had time we would not pay and try to use other methods... but the need for accounting data made the decision to pay.
He was wrong and is feeling the mistake.....
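Post #17 says the intruder came in over RDP rather than through malware, and that the only backup was a drive attached to the same server. The script below is an added example (my own code, not anything posted in the thread) for the first part of that: it summarises remote-interactive logons from the Windows Security log so an administrator can see which accounts and source addresses were used, and reports whether RDP is enabled and whether Network Level Authentication is required. It assumes an elevated PowerShell session on the affected server with default logon auditing; the function names and the 30-day window are my own choices.

```powershell
# Added example, not part of the thread. Summarise RDP logon attempts
# (LogonType 10) from the Security log and show two RDP hardening settings.
# Run from an elevated prompt; the Security log is not readable otherwise.

function Get-RdpLogonSummary {
    param([int]$Days = 30)   # look-back window, my own default
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
            # LogonType 10 = RemoteInteractive (RDP). Caveat: with NLA enabled,
            # failed attempts are commonly logged as LogonType 3 instead, so a
            # password-guessing burst may need to be looked for there as well.
            if ($d.LogonType -eq '10') {
                $result = if ($_.Id -eq 4624) { 'success' } else { 'failure' }
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Result = $result
                    User   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    Source = $d.IpAddress
                }
            }
        } |
        Group-Object Result, User, Source |
        ForEach-Object {
            # One row per (result, account, source address) with first/last seen.
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                Result = $sorted[0].Result
                User   = $sorted[0].User
                Source = $sorted[0].Source
                Count  = $_.Count
                First  = $sorted[0].Time
                Last   = $sorted[-1].Time
            }
        } |
        Sort-Object Result, Count -Descending
}

function Get-RdpHardeningState {
    # fDenyTSConnections = 1 means RDP is disabled; UserAuthentication = 1
    # means Network Level Authentication is required before a session starts.
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'
    [pscustomobject]@{
        RdpEnabled  = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
        NlaRequired = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
    }
}

Get-RdpHardeningState | Format-List
Get-RdpLogonSummary -Days 30 | Format-Table -AutoSize
```

A successful logon from an address nobody recognises, or a large failure count against one account followed by a success, is the pattern to look for. The second point in the post, the backup drive being reachable from the compromised server, is not something a script fixes: a backup that the server can write to is a backup the intruder can encrypt, which is why the other replies insist on a copy kept offline or on a separate medium.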
hero member
Activity: 770
Merit: 509
November 07, 2015, 01:55:14 PM
#16
I would never have valuable information on a Windows machine. If you do, at least just copy it to a USB and a trusted cloud somewhere on the internet (after encrypting it with a strong password, of course). I don't understand how people fall for this ransomware crap; it doesn't seem that sophisticated. Just keep your stuff updated and don't click on dodgy shit.
legendary
Activity: 1386
Merit: 1123
November 07, 2015, 01:49:40 PM
#15
As other users have stated before it is ESSENTIAL to back-up anything that is truly important or of value twice in separate mediums.
Never let someone blackmail you because you forgot to back up your wallet or other important files. It will just make you facepalm for ages.
legendary
Activity: 1039
Merit: 1005
November 07, 2015, 11:37:56 AM
#14
Have you looked at http://support.kaspersky.com/viruses/disinfection/8547 ?
It seems that at least for some crypto locker type trojans, Kaspersky has decryption utilities.

Of course, as others have noted, regular backups rule. Make sure that whatever happens to your computer, you can just continue with a new one (or reformatted one in a case like this.)
Making backups is like brushing your teeth: If you don't do it, you'll only realize that you should have done it when it's too late. Make it a regular exercise to back up your data!

Alas, anti-virus software can't always protect you - some trojans have ever-changing contents and behavior that makes it hard for AV software to recognize them, even with heuristics.
Brain 2.0 is a much better protection against this kind of malware - if something's smelly about an e-mail you got, even when the sender's address is one you recognize, your first suspicion is often correct.

Onkel Paul