cryptolocker malware trashes your windows machine...

[Guest tx2sturgis]

Windows Users:

 

 

Watch out for this nasty new piece of malware:

 

https://en.wikipedia.org/wiki/CryptoLocker

 

https://www.computerworld.com/s/article/9243537/Cryptolocker_How_to_avoid_getting_infected_and_what_to_do_if_you_are_?taxonomyId=154

 

http://www.snopes.com/computer/virus/cryptolocker.asp

 

 

Basically, it encrypts your files and then asks for a ransom to recover your system.

 

This is a bad one, just be VERY careful opening ANY email attachment from a corporation that looks otherwise legitimate.

 

(i'm safe on Linux and Mac...at least...so far...)

 

 

Edited October 27, 2013 by tx2sturgis

[Venturous Randy]

Yep, I am fighting a Homeland Security ransom virus right now that I picked up somewhere. There should be a special place in hell for those that put these viruses together.

RandyA

[RIB III]

Venturous download Hitman Pro it will take care of the Homeland Security Virus. Yes they are bad people..

[etcswjoe]

Had not heard about this one yet, thanks for post!!

[Wizard765]

Thank you for the warning.. this appears to be a very real threat and once infected you will HAVE to pay the ransom to recover your data..

 

Now I think that if someone is paying these a$$h0les then there should be a way to trace who is getting the money.. Then they should be strung up by their Thumbs and let the rest of us take off pieces...

[Guest tx2sturgis]

Thank you for the warning.. this appears to be a very real threat and once infected you will HAVE to pay the ransom to recover your data..

 

 

If you keep a good backup system, then you should be able to recover without paying a ransom.

 

Trouble is, that if you have a network or backup drive plugged in, it might become encrypted also...rendering it useless.

 

It's not that expensive to buy a hard drive and make a 'clone' of your main drive, but you need to keep it seperate from your computer, and update it at least a couple of times per month. Most of us simply dont do this very often...if at all.

 

I didnt post this notice to boast about other operating systems, but in my opinion, its a good idea to have at least one other computer running another operating system, either Linux or Mac, and load all those documents, photos and music and video files on that other machine.

 

If your windows machine gets sick, you will still have access to the files.

 

Just sayin....

 

 

 

 

[Seventh]

For those in need, here is an instruction on ho to remove the cryptolocker virus with the help of Malwarebytes: http://privacy-pc.com/how-to/remove-cryptolocker-virus.html

 

After that you will need to deal with encrypted files. I it is written in the article, one can try Windows feature Restore-previous-versions but seems like it is not always possible. I understand that it is not possible to decrypt files without private key but it is possible to restore deleted files using special tools law enforcement use - forensic tools. I've heard some computer repair service successfully use them too.

[AKRefugee]

I have been reading and studying up a lot on this virus for several of my clients. What this does is encrypt your data files with an in breakable encryption. Removing the virus is actually quite easy but your files are still encrypted. If you do not have a reliable backup fie The ONLY way to get them decrypted is to pay the ransom. Fortunately the hacker has been honest about actually decrypting the files. If you must pay the ransom there are a few things you should NOT do. Do Not delete or move the files or the decryption will not be able to find them and fix them. Do Not remove the virus before paying the ransom, you will not be able to access the ransom instructions if you do.

 

Once you have paid the ransom and recovered the files immediately cleanse the computer. So far no one has found any additional insertion of a virus during the decryption and use of the decrypted files appear to be ok bit only you can decide that.

 

This virus goes after EVERY drive attached to the computer so if you are using an external drive for your backup and it was attached at the time of infection the files on that drive have been hit as well. If you are using a cloud backup and you have not run a backup to it since the infection you should be okay to recover with the cloud backup. Regardless before recovering from your cloud backup you should contact the provider and get specific instructions from them.

 

If you are sharing files on a network drive those files will also be hit however this virus is not jumping from computer to computer yet so anyone attached to the network drive will not be infected by accessing the encrypted files, however the files will not be usable by them either.

 

Bottom line is do NOT open ANY attachment from an unknown source. If unsure contact the party that sent the file and confirm that they really sent it. If unable to verify DO NOT open it.

 

Back up your data. Make sure it is NOT a drive that is always attached to your computer. I personally use an external drive and a cloud service. Before I backup to the external drive I always run a full scan of my computer. Only then do I attach the external drive to the computer and do my backup. The cloud back up is run daily and is automatically set up. I set my virus program to run every other day before the scheduled cloud backup time. I back up to the external drive once a week. OCD? Well yeah, but then again my data is my livelihood. Even if it isn't your income source you have to ask yourself what do YOU have on your computer?

 

 

Ride Happy Ride Safe

[frankd]

Seeing that there is a way for people to pay the ransom, couldn't some agency just use the path of the payment to find this guy and arrest him?

[mraf]

Seeing that there is a way for people to pay the ransom, couldn't some agency just use the path of the payment to find this guy and arrest him?

 

Not just arrest him. BREAK his fingers first!

[JohnT]

I have always been a proponent of back up and restore. If you ever have to do a clean install get yourself back to your own "base install" with your programs of choice and such. Then clone it. And then back up your files.

P. I. T. A. but it saves time, money and aggravation.

Also for Windows users you can do a LOT worse than aVast free antivirus. It's all I use on Windows boxes and have not had a serious issue, actually no issues, in years.

And I may from time to time end up in ner do well web sites.

Accidentally of course.

[ragtop69gs]

After reading this thread and some online info I got to thinking that I need to backup some of our data, here is a question I have for y'all in the know.

 

Both my home PC's run Win 7 64bit. I have another PC running Vista home premium 32 bit, with a 500GB HD, that does not get hooked online. Can I pull the files from the Win 7 machines and store them on the Vista box without having problems because of the different OS's ?

 

My plan is to put files on flash drive sticks and then load to the vista machine. I'll be saving pictures, docs, quicken data, address and bookmark folders.

[Peder_y2k]

I installed cryptoBlocker (free) to hopefully stop cryptoLocker sneaking into my pc. Updates cost $

-Pete, in Tacoma WA USA

[ragtop69gs]

I installed cryptoBlocker (free) to hopefully stop cryptoLocker sneaking into my pc. Updates cost $

-Pete, in Tacoma WA USA

 

I'd rather spend the $$ being proactive than to pay some scumbag to recover my data.

[jonesy]

http://www.ebay.com/itm/WEBROOT-SecureAnywhere-Internet-Security-PLUS-2013-3-Devices-PC-MAC-USER-New-/291000405999?pt=US_Antivirus_Security_Software&hash=item43c0f9cfef#ht_1068wt_991

use something like this for $20 ish a year good for 3 pcs, and they have a 5 pcs. edition, I've been using it for years now. never a problem at all.

[First_N_Last]

This is a bump for the thread...

 

DON'T TRUST YOUR AV SOFTWARE TO STOP THIS!

 

Now is a particular dangerous time to get this virus. The company where I am assigned, had one workstation get infected. The person was using web mail. The delivery of the Malware was disguised as...

 

UPS Tracking information EMail about a package delivery.

Clicking on the tracking number started the infection process.

1st step was immediate disable of Symantec EndPoint AV at 4:30PM.

By 11:PM it had completed setup to start encrypting all local MS Office files.

Around 2:00AM it started to encrypt all files on every network mapped drive it was attached to.

At 8:00AM, my work started & the company was unable to do much of anything.

Luckily this company had multiple backup solutions operating & I had everything restored within hours. Here is some more info:

 

The malware is sophisticated in getting past antivirus programs, infecting computers via several surreptitious steps: after victims get the first spam email, the attachment that a victim opens downloads a separate application, which downloads malware that finally downloads Cryptolocker.

The takeaway advice... is to make regular backups of all key files, be careful about opening email attachments, particularly from unknown senders, and don’t follow unsolicited web links!!!!

[Mike G in SC]

http://www.ebay.com/itm/WEBROOT-SecureAnywhere-Internet-Security-PLUS-2013-3-Devices-PC-MAC-USER-New-/291000405999?pt=US_Antivirus_Security_Software&hash=item43c0f9cfef#ht_1068wt_991

 

 

use something like this for $20 ish a year good for 3 pcs, and they have a 5 pcs. edition, I've been using it for years now. never a problem at all.

 

I've been using Webroot on my home PC's for 1 1/2 years and at work on the 20 boxes I manage for a year. Good product, nice for older boxes due to small foot print.

 

Can't say perfect as I got hit on my home PC early on (all data "lost").

 

 

I did just query their support database on CRIPTOLOCKER, found this:

Guest: Yes Webroot: You've told me that:

• Webroot SecureAnywhere for PC
  
• You want help with infections
  
• You want to know about malware
  
• You want to know about Cryptolocker
  

Webroot: This solution addresses Webroot SecureAnywhere http://sw.nohold.net/Webroot/Images/wsa_icon.png

 

Cryptolocker is a very difficult infection to remediate because it uses the RSA public-key encryption algorithm to encrypt user files using unique encryption keys for each computer. Once a user’s files are encrypted this way, it is next to impossible to decrypt them without access to the private key that is stored on the remote servers in use by the malware author(s). There are no tools we are aware of that are capable of decrypting these files without the private key.

 

As long as SecureAnywhere is installed prior to infection, Cryptolocker should be detected and removed before it is allowed to make any changes on the computer. Threat Research has many rules in place already to detect the known variants of Cryptolocker at or before execution, but it is important to remember that malware is constantly changing and we cannot guarantee that we will initially detect all new variants.

 

Fortunately, even if a new variant of Cryptolocker is not initially detected, WSA will journal all attempted changes and will store backup copies of user files before they are encrypted. Once the new Cryptolocker variant is detected as malicious (usually within a matter of hours), those changes will then be rolled back and the backup copies of the unencrypted files should be restored. Threat Research is not aware of any other vendor with this capability.

 

It is important to note that the journaling that WSA performs will only cover changes made on the local drives. Attempted changes on network shares will not be journaled and, as a result, those files cannot be restored. Users can help to prevent this by making sure that all machines on the network have WSA installed and that network shares are set to read-only wherever possible.

Webroot: Was this solution helpful?

Edited December 8, 2013 by Mike G in SC

[ragtop69gs]

This is a bump for the thread...

 

DON'T TRUST YOUR AV SOFTWARE TO STOP THIS!

 

Now is a particular dangerous time to get this virus. The company where I am assigned, had one workstation get infected. The person was using web mail. The delivery of the Malware was disguised as...

 

UPS Tracking information EMail about a package delivery.

Clicking on the tracking number started the infection process.

1st step was immediate disable of Symantec EndPoint AV at 4:30PM.

By 11:PM it had completed setup to start encrypting all local MS Office files.

Around 2:00AM it started to encrypt all files on every network mapped drive it was attached to.

At 8:00AM, my work started & the company was unable to do much of anything.

Luckily this company had multiple backup solutions operating & I had everything restored within hours. Here is some more info:

 

The malware is sophisticated in getting past antivirus programs, infecting computers via several surreptitious steps: after victims get the first spam email, the attachment that a victim opens downloads a separate application, which downloads malware that finally downloads Cryptolocker.

The takeaway advice... is to make regular backups of all key files, be careful about opening email attachments, particularly from unknown senders, and don’t follow unsolicited web links!!!!

 

Hi John, long time no see! How's the trike doing?

 

I took the precautions of cloning the drives on both my PC's and storing them in a secure location after learning of cryptolocker, all new, important files are now backed up to another pc so recovery is possible if we get hit. An external drive gets hooked up once a week to backup new data. The up side is both pc's now have new WD Black 2TB drives that have lot's of space and run much better now. We feel better knowing our pictures and data is protected.

[First_N_Last]

Hi Jay;

 

The Trike is doing fine after swapping out a bad Dynatek 3000 (another post).

 

Don't forget to disconnect your backup drive from the network afterwards.

My wife got hit with something 3 days ago.

 

Our AVAST! software immediately caught it - rebooted - started a low level virus scan.

The scan took 3 hours to complete on an 8GB I7 system with a 256gb SSD & 1TB SATA.

 

We were lucky!

[saddlebum]

There should be a special place in hell for those that put these viruses together.

RandyA

 

A back ally with no way out would be even better. If these jerks had their backs against the wall and had to face even a few of the people they PO'd, they might just think twice. But the biggest wimp alive can hide behind the internet and disrupt so many people.