# Hit by RansomWare



## BumbleBee (14/11/15)

I thought I'd create a new thread for this, I didn't intend on derailing @kimbo's thread.

Somehow my laptop picked up some malware, not the tracking stuff or the advertising stuff but rather something called Ransomware. What this stuff does is encrypt your files and then demand payment in Bitcoins for the key to unlock or decrypt them. Some variations can be removed with anti-malware/antivirus software and decrypters are available for some variants for you to unlock your files, but the one I picked up is known as CryptoWall, there is no cure for this sonofabitch and even the FBI recommends paying the ransom if you want your files back.

People, *don't think this can't happen to you*, make sure you have a good antivirus application as well as a good anti-malware app running at all times and make sure it's updated and your subscription is also paid up. This sh!t is real!



kimbo said:


> I am, thank you .. alone at home .. Metallica doing what they do best and I am enjoying good music and a long lost passion


You're definitely having more fun than me right now, my pc was hit with ransomware


----------



## kimbo (14/11/15)

BumbleBee said:


> You're definitely having more fun than me right now, my pc was hit with ransomware


Eina

Reactions: Agree 1


----------



## Eequinox (14/11/15)

BumbleBee said:


> You're definitely having more fun than me right now, my pc was hit with ransomware


Holy crap, I thought that was a myth. Can you do anything about it? Suppose format is outta the question? There are plenty PC fundies on here.


----------



## BumbleBee (15/11/15)

Eequinox said:


> Holy crap, I thought that was a myth. Can you do anything about it? Suppose format is outta the question? There are plenty PC fundies on here.


Definitely not a myth, it was one called CryptoWall, there is no fix other than to pay the ransom which starts at $500 and doubles every 48 hours. Oh and it got my backup drive too. I'm still busy reinstalling everything on a freshly formatted hard drive. So much data lost.


----------



## Christos (15/11/15)

BumbleBee said:


> Definitely not a myth, it was one called CryptoWall, there is no fix other than to pay the ransom which starts at $500 and doubles every 48 hours. Oh and it got my backup drive too. I'm still busy reinstalling everything on a freshly formatted hard drive. So much data lost.


You could have tried booting from a Linux live CD, mounting your drives and copying your data. 
Try to clean the drives later after your workhorse is secured. 
What or where do you suspect the ransomware came from?

Reactions: Agree 1


----------



## Eequinox (15/11/15)

BumbleBee said:


> Definitely not a myth, it was one called CryptoWall, there is no fix other than to pay the ransom which starts at $500 and doubles every 48 hours. Oh and it got my backup drive too. I'm still busy reinstalling everything on a freshly formatted hard drive. So much data lost.


So formatting is possible at least? I heard it locked everything, drives, SSD drives etc.


----------



## blujeenz (15/11/15)

You pretty much need a shadow copy of your HD that is not permanently connected to your PC.
I also have Hiren's boot disc on a 4GB flash drive that only gets inserted once the PC is unbootable, i.e. I don't plug it in daily for file storage etc.

A quick google turned up this howto


----------



## Wyvern (15/11/15)

*huge hugs* - Do me a favour and message @Nimatek - he has dealt with this a lot.


----------



## BumbleBee (15/11/15)

Christos said:


> You could have tried booting from a Linux live CD, mounting your drives and copying your data.
> Try to clean the drives later after your workhorse is secured.
> What or where do you suspect the ransomware came from?


That wouldn't have worked as all my files had already been encrypted. Each file is individually copied and encrypted with 2048-bit encryption and the extension .ccc is added. Instructions for getting your data back are included in each and every folder on your system in the form of txt, bmp and html files.

As to where it came from I have no idea, I never put alien usb devices in my pc and am very careful when it comes to email, but I suspect email would be the most likely method of infection.
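The footprint BumbleBee describes (every user file renamed with a new extension, and the same "how to get your files back" note dropped into each folder) is something a defender can check for without touching the files. The script below is an added example, not code from the thread or from any vendor tool: it walks a directory tree read-only, counts files carrying the `.ccc` extension, and flags note-like file names that recur across the affected folders. The sample tree it builds is constructed for the demo, and the `HOW_TO_RESTORE_FILES` note name is a hypothetical placeholder, not a real CryptoWall artifact.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

SUSPECT_EXT = ".ccc"                       # extension BumbleBee saw appended to every file
NOTE_SUFFIXES = {".txt", ".html", ".bmp"}  # formats the ransom note was dropped in


def scan_tree(root):
    """Read-only triage of a directory tree.

    Returns how many folders contain renamed files, every such file, and the
    note-like file names that recur across those folders. Nothing is modified,
    so the tree stays intact for forensics or later recovery attempts."""
    encrypted = []
    affected_folders = 0
    note_names = Counter()   # note file name -> number of affected folders it appears in
    for dirpath, _dirnames, filenames in os.walk(root):
        hits = [n for n in filenames if n.lower().endswith(SUSPECT_EXT)]
        if not hits:
            continue         # untouched folder: nothing to count here
        affected_folders += 1
        encrypted.extend(Path(dirpath) / n for n in hits)
        for n in filenames:
            if Path(n).suffix.lower() in NOTE_SUFFIXES:
                note_names[n] += 1
    # A genuine user document rarely has the identical name in most affected
    # folders; a ransom note does. Require at least 2 folders and 80% coverage.
    threshold = max(2, 0.8 * affected_folders)
    notes = sorted(n for n, c in note_names.items() if c >= threshold)
    return {"affected_folders": affected_folders, "encrypted": encrypted, "notes": notes}


def looks_like_ransomware(report, min_encrypted=5):
    """Verdict: many renamed files plus at least one recurring note."""
    return len(report["encrypted"]) >= min_encrypted and bool(report["notes"])


def build_sample_tree(base):
    """Constructed sample (not real CryptoWall output): three folders hit,
    one left alone, plus one ordinary .txt that must not be mistaken for a note."""
    base = Path(base)
    for folder in ("Documents", "Pictures", "Pictures/2015"):
        d = base / folder
        d.mkdir(parents=True, exist_ok=True)
        for i in range(3):
            (d / f"drawing{i}.psd{SUSPECT_EXT}").write_bytes(b"\x00" * 16)
        for suffix in NOTE_SUFFIXES:
            # hypothetical note name, chosen for the demo
            (d / f"HOW_TO_RESTORE_FILES{suffix}").write_text("pay up")
    (base / "Documents" / "shopping list.txt").write_text("milk, bread")
    (base / "Music").mkdir()
    (base / "Music" / "playlist.txt").write_text("Metallica")
    return base


def run_demo():
    """Build the sample tree in a temp dir and scan both it and its clean subfolder."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        hit = scan_tree(base)
        clean = scan_tree(base / "Music")
        return {
            "hit": {**hit, "verdict": looks_like_ransomware(hit)},
            "clean": {**clean, "verdict": looks_like_ransomware(clean)},
        }


if __name__ == "__main__":
    result = run_demo()
    for label in ("hit", "clean"):
        r = result[label]
        print(f"{label}: {len(r['encrypted'])} renamed files in {r['affected_folders']} folders, "
              f"notes={r['notes']}, ransomware={r['verdict']}")
```

The scan never opens or renames anything, which matters: a recovery attempt (the Shadow Volume Copies route mentioned later in the thread, or a file-recovery tool) works best on a drive that has not been written to since the infection. The thresholds are tunable; the point is that the combination of mass-renamed files and one file name repeated in nearly every folder is a much stronger signal than either on its own.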


----------



## BumbleBee (15/11/15)

Eequinox said:


> So formatting is possible at least? I heard it locked everything, drives, SSD drives etc.


It doesn't lock everything up, just your user files. They still want you to be able to use your computer to pay them.


----------



## Eequinox (15/11/15)

BumbleBee said:


> That wouldn't have worked as all my files had already been encrypted. Each file is individually copied and encrypted with 2048-bit encryption and the extension .ccc is added. Instructions for getting your data back are included in each and every folder on your system in the form of txt, bmp and html files.
> 
> As to where it came from I have no idea, I never put alien usb devices in my pc and am very careful when it comes to email, but I suspect email would be the most likely method of infection.


That is a serious mind @##$ just there, that's for sure.

Reactions: Agree 1


----------



## BumbleBee (15/11/15)

Wyvern said:


> *huge hugs* - Do me a favour and message @Nimatek - he has dealt with this a lot.


Thanks, but I've already cut my losses and wiped everything. All my artwork, years of drawings, recipes, labels, countless spreadsheets etc all moertoe. It's like having your laptop stolen but they leave you the laptop, so at least I still have my hardware.


----------



## kimbo (15/11/15)

No problem and thanks @BumbleBee, hope you sort your stuff out

Reactions: Thanks 1


----------



## TheLongTwitch (16/11/15)

Sorry to hear about your predicament @BumbleBee 

2-3 months ago when I was away in Zimbabwe the company I work for got hit with a ransom too!!!
To make it so much worse; our entire admin system and all documents (quotes, invoices, price lists etc.) were locked up with 4096-bit military-grade encryption 
..."just" 5 bitcoins for the ransom/decryption 

Needless to say: We didn't bother but our poor admin/HR guy got stuck with recreating EVERYTHING that we had lost! 
(I think he only managed to finish up a few days ago)

We are living in a digital age and this is the new gunpoint!
As BumbleBee said: *DO NOT, FOR A SINGLE SECOND THINK THIS CAN'T AND WON'T HAPPEN TO YOU!!!!!*

In closing I'll leave some wisdom that one of my lecturers preached daily:
"There are so many storage mediums available; if you *DO NOT* have *3 backups*, then you *DO NOT* have a backup!"
(I typically use a RAID 2 external (double backup), a ghost gmail account with Google Drive (cloud), a 2nd HDD on another PC and CDs if need be)

....Can never be too cautious!


----------



## BumbleBee (16/11/15)

TheLongTwitch said:


> Sorry to hear about your predicament @BumbleBee
> 
> 2-3 months ago when I was away in Zimbabwe the company I work for got hit with a ransom too!!!
> To make it so much worse; our entire admin system and all documents (quotes, invoices, price lists etc.) were locked up with 4096-bit military-grade encryption
> ...


Yeah man, this stuff is no joke. But I was careless as far as protection and backups go. I would do the occasional backup of important stuff to a USB flash disk every few months, and I was somehow convinced that Windows 7's built-in security measures would be enough if I was careful about handling emails and external media, boy was I wrong.

I hear you on the multiple backups, but so much moola 

I need to find a way to do backups of important files and folders automatically, maybe a wireless drive, and on a very very tight budget. Will an external WiFi hard drive be secure?


----------



## Silver (16/11/15)

BumbleBee said:


> Yeah man, this stuff is no joke. But I was careless as far as protection and backups go. I would do the occasional backup of important stuff to a USB flash disk every few months, and I was somehow convinced that Windows 7's built-in security measures would be enough if I was careful about handling emails and external media, boy was I wrong.
> 
> I hear you on the multiple backups, but so much moola
> 
> I need to find a way to do backups of important files and folders automatically, maybe a wireless drive, and on a very very tight budget. Will an external WiFi hard drive be secure?



Hi @BumbleBee

I tried a WD Wifi external drive and it was way too slow for backing up large files over the Wifi.
I may not have configured it correctly, but I followed all the instructions and it worked - but jeepers, it was so slow.
So I connected it via USB and it went super fast. 

So before you invest in a Wifi drive, just check out the speeds or better still, test it out before you buy somehow.

Reactions: Like 1


----------



## Eequinox (16/11/15)

Silver said:


> Hi @BumbleBee
> 
> I tried a WD Wifi external drive and it was way too slow for backing up large files over the Wifi.
> I may not have configured it correctly, but I followed all the instructions and it worked - but jeepers, it was so slow.
> ...


Surely it can't be slower than my current storage

Reactions: Agree 1 | Funny 1


----------



## TheLongTwitch (16/11/15)

Not if it is connected to the same network 24/7.
....not saying that it is definitely at risk, but if your PC is constantly syncing to it then there is a possibility that it could be infected/locked as well.
Networks are NOT safe unless you KNOW exactly what is coming in and out, with control of it.
(And Windows safety is definitely NOT safe)
As a gamer and IT audio specialist; once I have a stable system I don't ever allow Windows to update!
I also typically turn off all Windows safety & go with much heavier anti-virus control (Kaspersky, full Avast, E-Secure etc.)
You shouldn't ever run 2 sets of defence, as they confuse and fight each other.

And you don't need much moola in order to be savvy 

If you have a spare HDD; partition it exactly in half and create a RAID-1 drive.
Have this drive secured in your PC box, but not actually connected with power or SATA etc.
...Then once a week schedule a boot-time virus scan, disconnect from all networks & interwebs, shut down your PC and hook up the cables to the drive before powering your PC back on (which will then trigger the boot-time scan).
The boot-time scan will check everything that gets loaded into your RAM before Windows is up, ruling out any rootkit viruses or auto-startup infections etc.
WARNING: Depending on how much space you have, this can take 6+ hours!!! 
(But I do have 5 terabytes on my machine....hence the excruciating time) 

Once you're through the scan and safely in Windows, do your backup onto the RAID-1 drive.
Shut down after, disconnect the cables from the drive again and resume life knowing you have a double backup 
P.S. You can also set your Windows restore to that drive for safety. (and recover your last working system from there if ever need be)

That is just 1 example off the top of my head...but seriously there are loads of simple and cheap/free options you can utilize.
I'm also happy to chat or help with ideas or brainstorming etc. 
(Sure the more hardcore I.T. guys can also give great advice)

Reactions: Informative 1


----------



## TheLongTwitch (16/11/15)

@Eequinox ....That's some ancient backup you got there!

@Silver The wifi thing is VERY dependent! 
As you would need your PC's connection, router, ethernet connection and/or ports and the drive to all be 1 gigabit (for example)
And this is also risky in cases of dropout, electricity (Thanks Eskom) as well as trustworthy copy. (Windows copy is NOT trustworthy!!!!)
...Many a time I have thought I had files that I had copied, only to encounter them broken or corrupted 
I personally love "TeraCopy" as I can check every file's success, recopy single or multiple files and it has accurate transfer times.

"Oh....Windows says only 5 minutes to copy"
1 HOUR LATER
"How do I still have 5 minutes to copy!?!?!?!?"


P.S. For interest: The most secure and longevity-proof storage to date is old magnetic tape, because it can be stored for 100 years+ without degradation (as long as it is stored correctly)

Reactions: Like 1


----------



## Eequinox (16/11/15)

TheLongTwitch said:


> @Eequinox ....That's some ancient backup you got there!
> 
> @Silver The wifi thing is VERY dependent!
> As you would need your PC's connection, router, ethernet connection and/or ports and the drive to all be 1 gigabit (for example)
> ...


Yup, all 4 megs of it, so I can't get no nasty bugs

Reactions: Funny 1


----------



## BumbleBee (16/11/15)

TheLongTwitch said:


> Not if it is connected to the same network 24/7.
> ....not saying that it is definitely at risk, but if your PC is constantly syncing to it then there is a possibility that it could be infected/locked as well.
> Networks are NOT safe unless you KNOW exactly what is coming in and out, with control of it.
> (And Windows safety is definitely NOT safe)
> ...


This sounds solid but way too technical for my little brain, and to be honest if I actually got this running I would probably only do it once. I need something automated because I will forget to do it or just put it off till later because I can't spare the time, then life happens and you realise that you haven't done a backup in the last year....


----------



## Ravynheart (16/11/15)

Just wanting to add my 2 cents. I believe in ye olde backing up to CDs. (Yes, I have bags full of the stuff and don't mind the time it takes) and it's still serving me the best as I've had my computer and laptop repeatedly stolen. I don't even bother with USB flash disks because they get stolen and corrupted too. Hearing about this ransomware just proves that someone will always find a new way of creating evil and chaos for those of us that are just minding our own business.

Reactions: Like 2 | Agree 1


----------



## TheLongTwitch (16/11/15)

hmm...I think your best bet would then be to clone your system drive. 
Either onto an external or another hard drive secured within your PC box (which you can unplug and just leave until you need it)
and then make use of a free cloud storage solution for the stuff that is really important to you.

This way you have a folder that is synced to cloud storage and anything you place within that folder has an automatic cloud backup and therefore easy retrieval (though you need constant net and big files may be tedious) and if anything happens to your system drive, you just unplug and boot from your clone.

If you can remember to update the clone once every 2 months or so, you have a relatively sure system drive with all programs, settings etc.
and the important stuff would always be in the cloud. (By "cloud" you can also use your own "cloud drive" like the wifi one Silver mentioned)
***I would just advise that it doesn't stay on 24/7 for safety's sake.
Turning it on once a week would sync and backup everything and afterwards you can turn it off 
...and then you could even do a backup of your cloud drive should you need or want to 

P.S. If you go with the personal cloud drive....IT MUST HAVE A SURGE PROTECTION PLUG!!!! 
or honestly it would be futile to rely on and trust that it is foolproof.

Reactions: Agree 1 | Informative 1


----------



## TheLongTwitch (16/11/15)

Agree with @Ravynheart, CDs and DVDs are cheap as chips and relatively great, as long as they are stored correctly.

*P.S. Always protect the TOP of your discs!*
If the top gets scratched, the data is useless...if the plastic gets scratched you can easily polish thousands of scratches out of the plastic 

Another note: Keep an eye out for small "water-droplet" type spots that may occur.
They look like tiny round air bubbles or droplets but are in fact a living organism that eats the storage coating of discs 
...and no I am not joking!!! 
If you have 1 disc that gets this then immediately remove it from close quarters of any other discs or it will slowly spread through a whole spindle or CD case of discs


----------



## BumbleBee (16/11/15)

TheLongTwitch said:


> hmm...I think your best bet would then be to clone your system drive.
> Either onto an external or another hard drive secured within your PC box (Which you can unplug and just leave until you need it)
> and then make use of a free cloud storage solution for the stuff that is really important to you.
> 
> ...


I like the idea of a clone drive, my main PC is a laptop so an external would be the way to go. Maybe one of those 2.5" drives that doesn't need external power. I will bolt it to the underside of my desk and just plug it in every time I think of it. I will also look into this cloud thing, I'm way out of touch with technology these days.

What I have noticed though is downloading all your photos off your cell phone is bad mojo. A few months ago my wife put all her photos on her laptop, soon after it was stolen, all photos lost. Just last week I did the same, the last 6 years worth of photos moved to my laptop and kerpow. So, won't be doing that sh!t again


----------



## BumbleBee (16/11/15)

TheLongTwitch said:


> Agree with @Ravynheart, CDs and DVDs are cheap as chips and relatively great, as long as they are stored correctly.
> 
> *P.S. Always protect the TOP of your discs!*
> If the top gets scratched, the data is useless...if the plastic gets scratched you can easily polish thousands of scratches out of the plastic
> ...


I've lost a few CDs already due to that. If I remember correctly (it was many years ago) the layer that the data is recorded on is made of an organic material and it can develop a bacterial infection. I've had CD-Rs that look like wood after the worms have gotten to it, little trails all over the surface, very cool patterns but no good for your data.


----------



## TheLongTwitch (16/11/15)

That's the one!!!! 
Them little buggers are a pain in the ass!

Depending on what phone you have and/or the backup settings of it, you may/should actually be able to retrieve those lost photos.
I know that most phones nowadays have automatic backups, but I turn it off to reduce the irritation of constantly using data and resources.
However if you check out the device settings you may find that there is a stored backup from a month ago etc.
(unless, like me, you disabled it)

P.S. Came across an article with some useful info:

*It’s kind of interesting to know that CryptoWall erases the original files in an unencrypted form. It’s the copies that undergo the ransomware’s crypto processing. So tools like Data Recovery Pro can restore the deleted objects even if they got removed in a secure way. This workaround is definitely worthwhile as it proved to be fairly effective.*

*Shadow Volume Copies*

*This approach relies on the native Windows backup of files on the computer, which is conducted at each restore point. There is an important condition to this method: it works if the System Restore feature was toggled on before the contamination. Also, if changes were made to a file after the most recent restore point, they won't be reflected in the recovered file version.*

*Use Previous Versions feature*
The Properties dialog for random files has a tab called Previous Versions. That's where the backed up versions are displayed and can be recovered from. So right-click on a file, go to Properties, hit the above-mentioned tab and select the Copy or Restore option, depending on the location you would like it recovered to.

*Apply ShadowExplorer*
The above process can be automated with a tool called ShadowExplorer. It basically does the same thing (retrieving Shadow Volume Copies), but in a more convenient way. So download and install the application, run it and browse to files and folders whose previous versions you wish to be restored. To get the job done, right-click on any of the entries and select the Export feature.

Don't know if it will be of much help to you...depending on what you have already done, but thought I'd share.

*P.P.S. If you want to attempt any of the above, make sure that you do/have removed all traces of CryptoWall.*


----------



## acorn (16/11/15)

@BumbleBee , seems you are not alone:

http://www.fin24.com/Tech/News/sa-firms-face-ransomware-spike-20151116

_"Security company Kaspersky Lab announced recently that it was sharing a website to decryption keys obtained from busted cyber criminal rings."_

Reactions: Informative 1


----------



## MorneW (16/11/15)

I use OneDrive to sync all important items like photos etc. The first sync will be painful to get all the data there but subsequent syncs are only new or changed items. It only costs like R10 for 50GB p/m. You also get 1TB if you have an O365 subscription. Using a USB backup drive can still put you at risk from the ransomware. Ideally your backup should be to a different PC or NAS box that does not use the same credentials as the PC you log in to. So when you configure your backup software the username and password are specifically just for that. Just my 2c


----------



## MorneW (16/11/15)

You can also use SyncToy as a simple "backup". It basically syncs a folder from A to B, with options to only add in one direction, i.e. deletes on the source side do not happen to the destination.
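The one-direction "echo" MorneW describes, and the per-file verification TheLongTwitch wants from TeraCopy, fit in a few dozen lines. The script below is an added example, not from the thread and not SyncToy's or TeraCopy's own code: new and changed files flow from source to destination, every copy is checked by SHA-256 afterwards, a deletion on the source is never replayed on the destination, and when a changed file is overwritten the previous copy is kept as `<name>.prev`. The source and backup folders in `run_demo()` are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large backups are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def mirror(src, dst, keep_previous=True):
    """Echo src into dst: copy new or changed files, verify each copy by hash,
    never delete anything on dst. When a changed file is overwritten the old
    copy is renamed to <name>.prev, so one bad overwrite does not take the
    last good version with it."""
    src, dst = Path(src), Path(dst)
    stats = {"copied": 0, "unchanged": 0, "verify_failed": 0}
    for s in src.rglob("*"):
        if not s.is_file():
            continue
        d = dst / s.relative_to(src)
        if d.exists():
            if sha256_of(d) == sha256_of(s):
                stats["unchanged"] += 1
                continue
            if keep_previous:
                d.replace(d.with_name(d.name + ".prev"))
        d.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(s, d)                    # copy2 keeps timestamps
        if sha256_of(d) == sha256_of(s):      # the check a plain drag-and-drop copy skips
            stats["copied"] += 1
        else:
            stats["verify_failed"] += 1
    return stats


def run_demo():
    """Constructed folders: sync, change a file, delete a file, sync again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "Documents"
        dst = Path(tmp) / "Backup"
        (src / "2015").mkdir(parents=True)
        (src / "recipes.txt").write_text("bobotie")
        (src / "2015" / "labels.csv").write_text("name,qty")
        first = mirror(src, dst)                   # both files copied
        (src / "recipes.txt").write_text("bobotie, improved")
        second = mirror(src, dst)                  # one changed, one unchanged
        (src / "2015" / "labels.csv").unlink()     # deletion on the source side
        third = mirror(src, dst)                   # nothing to copy; deletion NOT mirrored
        return {
            "first": first, "second": second, "third": third,
            "deleted_file_survived": (dst / "2015" / "labels.csv").exists(),
            "current": (dst / "recipes.txt").read_text(),
            "previous": (dst / "recipes.txt.prev").read_text(),
        }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The `.prev` copy is there because a file encrypted in place looks to any sync tool like a legitimately changed file and would otherwise overwrite the good backup on the next run. It softens a single bad sync, not a full run against a destination the infected PC can still write to, which is why MorneW's point stands: the destination should be a separate machine or NAS with its own credentials, or simply offline between runs.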

Reactions: Informative 1


----------



## Redeemer (17/11/15)

Well... Seems it's not exactly rocket science...

https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us/

Reactions: Like 1


----------



## BumbleBee (17/11/15)

Redeemer said:


> Well... Seems it's not exactly rocket science...
> 
> https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us/


Sonofabiatch!


----------



## Eequinox (17/11/15)

BumbleBee said:


> Sonofabiatch!


uhhh what's your email addy again


----------



## BumbleBee (17/11/15)

Eequinox said:


> uhhh what's your email addy again


return@sender.com


----------



## Eequinox (17/11/15)

BumbleBee said:


> return@sender.com


lol gotta love it


----------

