
Author Topic: Hands-on Experience With Ransomware!!!!!  (Read 6054 times)


Online CMDL_GUY

  • Administrator
  • Location: Mt. Sidney Virginia
  • Posts: 8182
    • www.lscg.net
Hands-on Experience With Ransomware!!!!!
« on: May 15, 2016, 02:46:01 PM »
Well it happened........despite all my preaching, Dana's PC was hit!   :002:

Malwarebytes did not stop it!   All .doc, .xls, and .pdf files have been encrypted.

We do have backups which I insisted on days before!
"Government is not reason; it is not eloquent; it is force. Like fire, it is a dangerous servant and a fearful master." - George Washington

“Remember democracy never lasts long. It soon wastes, exhausts, and murders itself. There never was a democracy yet, that did not commit suicide.”   -John Adams

K4LRM

www.lscg.net

Faster horses, younger women, older whiskey, more money.

Offline RATHER BE FISHING

  • Moderator
  • Location: South Texas
  • Posts: 971
Re: Hands-on Experience With Ransomware!!!!!
« Reply #1 on: May 15, 2016, 02:49:38 PM »
How did it happen Larry?

Online MacGyver

  • Administrator
  • Location: Dallas, Texas
  • Posts: 4631
Re: Hands-on Experience With Ransomware!!!!!
« Reply #2 on: May 15, 2016, 03:13:06 PM »
Hitman Pro running from a USB drive will likely rid you of the malware, but the docs will still be encrypted. I hope the backups are clean.
-I'm only here because my flux capacitor is broken.

Online CMDL_GUY

  • Administrator
  • Location: Mt. Sidney Virginia
  • Posts: 8182
    • www.lscg.net
Re: Hands-on Experience With Ransomware!!!!!
« Reply #3 on: May 15, 2016, 05:04:56 PM »
How did it happen Larry?

Not sure yet, but I believe it was from a Facebook feed.

@Trace.....backups are clean!   :054:

First step was to build a new machine and get her going.
Now that we have a new machine I set off to decrypt the old one.
Kaspersky has a tool for this and it appears to be working.
 

Online MacGyver

  • Administrator
  • Location: Dallas, Texas
  • Posts: 4631
Re: Hands-on Experience With Ransomware!!!!!
« Reply #4 on: May 15, 2016, 06:01:31 PM »
How did it happen Larry?

Not sure yet, but I believe it was from a Facebook feed.

Larry, have you found a precedent for it being spread via FB? If so, I really need to look at how it's being spread via the feed.

Online CMDL_GUY

  • Administrator
  • Location: Mt. Sidney Virginia
  • Posts: 8182
    • www.lscg.net
Re: Hands-on Experience With Ransomware!!!!!
« Reply #5 on: May 15, 2016, 06:42:44 PM »
While I do participate on Facebook, I DO NOT run Facebook on the same PCs as I use for business. With that said, I've noticed (in the FB feed) "unusual" stories (linked to a friend) which I believe are designed to attract you to a website that may be the culprit. I have clicked on those types of links before and immediately backed away due to obvious danger. Dana clicked on one of those FB feeds and everything went south when she connected to the URL. Dana continued to poke around on that site. In my opinion that is pretty strong circumstantial evidence!

Facebook gets run on PCs which I'm experimenting with.  :066:

Again....this is just my opinion and has no solid basis yet.

Offline RATHER BE FISHING

  • Moderator
  • Location: South Texas
  • Posts: 971
Re: Hands-on Experience With Ransomware!!!!!
« Reply #6 on: May 15, 2016, 06:57:52 PM »
"Again....this is just my opinion and has no solid basis yet."

So you have turned to politics huh? :011:

Online CMDL_GUY

  • Administrator
  • Location: Mt. Sidney Virginia
  • Posts: 8182
    • www.lscg.net
Re: Hands-on Experience With Ransomware!!!!!
« Reply #7 on: May 15, 2016, 07:01:22 PM »
"Again....this is just my opinion and has no solid basis yet."

So you have turned to politics huh? :011:

I don't want Zuckerberg suing me!   :011:

Online CMDL_GUY

  • Administrator
  • Location: Mt. Sidney Virginia
  • Posts: 8182
    • www.lscg.net
Re: Hands-on Experience With Ransomware!!!!!
« Reply #8 on: May 17, 2016, 06:16:13 AM »
I thought the infected PC would need to be wiped with a new install of Win7, not so........thank you Kaspersky!   :003:

Online MacGyver

  • Administrator
  • Location: Dallas, Texas
  • Posts: 4631
Re: Hands-on Experience With Ransomware!!!!!
« Reply #9 on: May 17, 2016, 10:28:10 AM »
Hitman Pro will kill it quickly too.  You boot from a USB drive that boots to a Linux/Sidekick environment.  Then it runs Hitman and usually will fix you right away.

Offline tonyburkhart

  • Moderator
  • Location: Reynoldsburg Ohio USA
  • Posts: 1022
    • www.teamburkhart.com
Re: Hands-on Experience With Ransomware!!!!!
« Reply #10 on: May 17, 2016, 11:57:23 AM »
#buyamac


You know I have to get my jabs in where I can :)

What backup/recovery plan do you have in place? Most consumer-grade software doesn't stop the backed-up files from being encrypted, which is why I ask.
Thanks,
Tony Burkhart
Team Burkhart
www.teamburkhart.com

Online CMDL_GUY

  • Administrator
  • Location: Mt. Sidney Virginia
  • Posts: 8182
    • www.lscg.net
Re: Hands-on Experience With Ransomware!!!!!
« Reply #11 on: May 17, 2016, 03:29:40 PM »
Tony
I have two PCs running the same programs at two different locations. One is a primary work PC and gets backed up every time I use it, then the backup is used to update the other.

I've done this for years and now Dana sees the value in this.   :066:
 

Online MacGyver

  • Administrator
  • Location: Dallas, Texas
  • Posts: 4631
Re: Hands-on Experience With Ransomware!!!!!
« Reply #12 on: May 17, 2016, 09:12:57 PM »
Now that we have a new machine I set off to decrypt the old one.
Kaspersky has a tool for this and it appears to be working.

Larry, when you say "decrypt the old one," you meant Kaspersky has a tool to remove CryptoLocker, not decrypt the encrypted files, correct?

Online hbiss

  • Administrator
  • Location: Westchester County, NY
  • Posts: 3309
Re: Hands-on Experience With Ransomware!!!!!
« Reply #13 on: May 17, 2016, 10:22:32 PM »
Yeah, I don't think decrypting is possible.

Funny story. I have a customer, a locksmith, who has an old Win XP machine in the front office. It too got hit with Cryptolocker. All they use it for is to look up key codes via an online service, email via AOL and surfing the web for product information. (The Saturday guy with little to do likely was looking for more than product information.)

They did have a few .pdf files that no longer worked and that's how I got involved and noticed the encrypted files. The thing stays on all the time and when I rebooted it there was the ransom demand. Guess the Saturday guy got rid of it when it popped up. They laugh at the $500 those jokers wanted - "we can get a new computer for that but this thing works fine". Which it does for what they do; it's been that way for over 6 months now.

Ha! we don't use those encrypted files anyway.

-Hal
I gotta get out of this business...

COMSYSTEC- Phone Systems | paging systems | background music systems | foreground music systems | retail music | restaurant music

Online CMDL_GUY

  • Administrator
  • Location: Mt. Sidney Virginia
  • Posts: 8182
    • www.lscg.net
Re: Hands-on Experience With Ransomware!!!!!
« Reply #14 on: May 18, 2016, 06:07:41 AM »
But it is possible and it did work!   Now I know why no one was impressed!  :011:

I have all files back along with the encrypted files. The encrypted files are benign but can't be removed. I'm hoping it is nothing more than changing the file attributes.

Kaspersky can and did de-crypt my files!   :003: 


Online CMDL_GUY

  • Administrator
  • Location: Mt. Sidney Virginia
  • Posts: 8182
    • www.lscg.net
Re: Hands-on Experience With Ransomware!!!!!
« Reply #16 on: May 18, 2016, 06:19:51 AM »
Here is a link to Kaspersky for the decrypting tool:

https://noransom.kaspersky.com/


Hal you might want to try this!   :066:

Online Keighlar

  • Moderator
  • Location: New Hampshire
  • Posts: 1604
Re: Hands-on Experience With Ransomware!!!!!
« Reply #17 on: May 18, 2016, 07:13:36 AM »
Huh. Look at that. Kaspersky does say they can decrypt:
https://noransom.kaspersky.com/

Received this  notice today:

New form of Ransomware.  The Trojan now deletes the files if you don't pay. 

Jigsaw Ransomware spotted in the wild (April 22, 2016)
Cisco has received reports of a new Ransomware Trojan, Jigsaw (named after the fictional character) which encrypts the system files and also deletes them if the payment is not made on time.

https://www.mysonicwall.com/sonicalert/searchresults.aspx?utm_campaign=48798-43691-NS-NA-SonStarNewsletter_May16&utm_medium=email&utm_source=Eloqua&ev=article&id=922
“You know you’re in love when you can’t fall asleep because reality is finally better than your dreams.”
Dr Seuss

Online CMDL_GUY

  • Administrator
  • Location: Mt. Sidney Virginia
  • Posts: 8182
    • www.lscg.net
Re: Hands-on Experience With Ransomware!!!!!
« Reply #18 on: May 18, 2016, 07:29:48 AM »
I'll bet the "pay on time" is due to victims finding out what I did. The pressure of time will get victims to react more quickly to paying instead of looking for alternatives.

I say: just keep setting your clock back and keep looking for a solution!   :066:

Online MacGyver

  • Administrator
  • Location: Dallas, Texas
  • Posts: 4631
Re: Hands-on Experience With Ransomware!!!!!
« Reply #19 on: May 18, 2016, 10:01:25 AM »
Kaspersky can and did de-crypt my files!   :003:

Interesting. Did Kaspersky identify which variant infected the system?

Online CMDL_GUY

  • Administrator
  • Location: Mt. Sidney Virginia
  • Posts: 8182
    • www.lscg.net
Re: Hands-on Experience With Ransomware!!!!!
« Reply #20 on: May 18, 2016, 01:33:25 PM »
They list about 5 different types and claim if it is one of them they will have success.

If you are really heavy with files and not a lot of disk space it could be a problem. It creates a new file for every infected file and does not remove the encrypted file.

Online hbiss

  • Administrator
  • Location: Westchester County, NY
  • Posts: 3309
Re: Hands-on Experience With Ransomware!!!!!
« Reply #21 on: May 18, 2016, 07:02:00 PM »
Quote
The encrypted files are benign but can't be removed.

Do you mean that they are system or other files that are now back to normal that Win won't let you remove, or that for some reason you cannot delete the encrypted files?

If you want to see if they really weren't encrypted and just the extension was changed, just take an encrypted Word, .pdf or .jpg file and change the extension to what it should be.

-Hal

Online CMDL_GUY

  • Administrator
  • Location: Mt. Sidney Virginia
  • Posts: 8182
    • www.lscg.net
Re: Hands-on Experience With Ransomware!!!!!
« Reply #22 on: May 18, 2016, 07:06:55 PM »
Quote
The encrypted files are benign but can't be removed.

Do you mean that they are system or other files that are now back to normal that Win won't let you remove, or that for some reason you cannot delete the encrypted files?

If you want to see if they really weren't encrypted and just the extension was changed, just take an encrypted Word, .pdf or .jpg file and change the extension to what it should be.

-Hal

The files (docs, pdfs, xls, and others) are converted; you cannot change the file extension because the file becomes read-only.
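Hal's test in reply #21 (put the original extension back and see whether the file opens) and Larry's observation in reply #22 (the leftovers are read-only) can both be automated for a whole folder. The script below is an added example, not anything from the thread or from Kaspersky's tool: it looks at the first bytes of each file for the magic numbers of the document types mentioned (PDF, legacy .doc/.xls, .docx/.xlsx, JPEG), and where no known header is present it measures byte entropy, since output from a strong cipher looks like uniformly random bytes. A second helper clears the read-only attribute so the leftover files can be renamed or deleted. The magic-number table, the 7.5 bits/byte threshold and the sample inputs are my own constructed assumptions.

```python
import math
import os
import stat
import tempfile
from collections import Counter

# Constructed table of file signatures for the document types discussed in the thread.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 (legacy .doc/.xls)"),
    (b"PK\x03\x04", "zip container (.docx/.xlsx)"),
    (b"\xff\xd8\xff", "jpeg"),
]

# Assumed threshold: ordinary documents rarely reach this; ciphertext approaches 8.0 bits/byte.
ENTROPY_THRESHOLD = 7.5
HEAD_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_header(data: bytes):
    """Return the format name whose magic number `data` starts with, else None."""
    for signature, name in MAGIC:
        if data.startswith(signature):
            return name
    return None


def classify_bytes(data: bytes) -> str:
    """Decide whether a file's leading bytes belong to an intact document or ciphertext."""
    kind = identify_header(data)
    if kind is not None:
        # Header intact: Hal's rename test would succeed for this file.
        return f"intact {kind} (extension change only)"
    if shannon_entropy(data[:HEAD_BYTES]) >= ENTROPY_THRESHOLD:
        # No recognisable header and near-uniform bytes: renaming will not help.
        return "no known header, high entropy: likely encrypted"
    return "no known header, low entropy: unknown/other format"


def scan_directory(root: str) -> dict:
    """Map every file under `root` to its classification."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    results[path] = classify_bytes(fh.read(HEAD_BYTES))
            except OSError as exc:
                results[path] = f"unreadable: {exc}"
    return results


def clear_readonly(path: str) -> None:
    """Add the owner-write bit so a read-only leftover file can be renamed or deleted."""
    os.chmod(path, os.stat(path).st_mode | stat.S_IWRITE)


def demo_clear_readonly() -> bool:
    """Create a read-only temp file, clear the attribute, and report whether it is writable again."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, stat.S_IREAD)
        clear_readonly(path)
        return bool(os.stat(path).st_mode & stat.S_IWRITE)
    finally:
        clear_readonly(path)
        os.remove(path)


# Constructed sample inputs standing in for files found on a hit machine.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
SAMPLE_ENCRYPTED = bytes(range(256)) * 16  # uniform byte distribution: entropy 8.0
SAMPLE_TEXT = b"Quarterly key codes: A1, B2, C3.\n" * 64

if __name__ == "__main__":
    for label, blob in (("pdf", SAMPLE_PDF), ("cipher", SAMPLE_ENCRYPTED), ("text", SAMPLE_TEXT)):
        print(f"{label:>6}: {classify_bytes(blob)}")
    print("read-only cleared:", demo_clear_readonly())
```

Run `scan_directory(r"D:\recovered")` (path is a placeholder) to get a per-file verdict; the header check runs first so that a renamed .docx, whose zipped contents are themselves high-entropy, is still reported as intact. Files flagged "likely encrypted" are the ones where only a decryptor or a clean backup will help, which is Hal's point about strong keys in reply #23.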

Online hbiss

  • Administrator
  • Location: Westchester County, NY
  • Posts: 3309
Re: Hands-on Experience With Ransomware!!!!!
« Reply #23 on: May 18, 2016, 07:28:20 PM »
Well, it looks like they really were encrypted anyway, so changing the extension won't help even if you could. It's a different story now. Sounds like the perps were busted and Kaspersky obtained the decryption keys. Without those keys one would have to use brute force, and if strong keys were used it would be nearly impossible to crack the encryption.

-Hal