Cryptowall and why you need to check your backups today

Discussion in 'Tech Talk' started by MajJamesMcFarlane, Oct 5, 2015.

  1. MajJamesMcFarlane

    http://www.radiolab.org/story/darkode/

    That is a good audio overview of what Cryptowall is. Basically it's a virus that silently installs and then starts encrypting your files with technology so advanced that it would take all the computers in the world working together for decades to crack it. Once it's done locking pictures, documents, movies, music and basically anything that would be of value to you, it pops up a message informing you that your files are all locked and that if you want to get them back, you need to go get $500-$1000 worth of bitcoins and send it to them. There is literally no way to brute force this virus; your only options are to pay up, restore files from backups or just deal with the fact that all your stuff is gone and reformat your computer. It's bad enough that law enforcement agencies have paid the ransom, knowing it goes to Russian and Ukrainian cyber criminals but unwilling to lose tens or hundreds of thousands of case files.

    I had this happen to a client on my first day of vacation in a different country. All her files were locked so that when you clicked them they would attempt to open and say they were corrupted. She got the message early in the morning and since I am an amazing IT guy, the backups that are done automatically were able to get the files at 2am, before they were encrypted. She lost a day of work but she almost lost literally millions of dollars worth of bids and job information.

    Tip from a pro: make sure you keep your computer's operating system updated, have active-protection anti-virus running and have a very progressive backup plan in place. Bandwidth is cheap these days and you can set up your backup software to upload stuff at 2am. I use Mozy and I am able to go back to specific dates and times and get versions of files from those time periods vs the current one that might be infected.

    Just a friendly piece of advice from a guy who deals with this stuff on a daily basis.
     
  2. shotgunred local trouble maker

    Never heard of this one.
     

  3. Detectorist

  4. harrygunner

    A screwed up Cryptowall variant

    http://www.bleepingcomputer.com/new...g-causes-new-ransomware-to-destroy-your-data/

    Whoever did this likely did what most miscreants do: steal code that was written by someone else. They then made a mistake that led to unrecoverable files.

    To help with understanding the article: "Base 64" can encode binary data with alphanumeric characters. It helps when non-printable characters could cause problems.

    For example, "Glock Talk" encodes to R2xvY2sgVGFsaw== (the equal signs at the end are padding). Padding lengths vary and padding is not always needed, e.g. "Glock Talk Tech" encodes to R2xvY2sgVGFsayBUZWNo with no padding needed.

    If padding was required but not provided during the decoding phase, decoding fails, i.e. R2xvY2sgVGFsaw won't decode.

    I tend to judge intelligence by what one does with their mind, so holding others' property for ransom has me using the word idiot. This idiot left the '=' off the encoded encryption key, causing Windows to replace the failed decoding with randomly generated keys. Since the random keys were discarded, the Windows users' files can't be decrypted.

    The article warns victims not to pay a ransom.
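A small worked version of the padding point made in the post above, written in Python as an added example (it is not code from the post or from the linked article). It reproduces the two encodings quoted in the post, computes how many '=' characters an input of a given length needs, and shows that a strict decoder rejects the unpadded string outright instead of handing back a value. That is the behaviour a program that handles encryption keys should have: a decode failure is an error to stop on, not something to silently replace with a freshly generated default. The one safe repair, re-adding only the missing '=' characters, is shown alongside it.

```python
import base64
import binascii

# Strings quoted in the post; the Base64 values are what the standard alphabet produces.
SAMPLES = {
    "Glock Talk": "R2xvY2sgVGFsaw==",
    "Glock Talk Tech": "R2xvY2sgVGFsayBUZWNo",
}


def encode_b64(text: str) -> str:
    """Base64-encode UTF-8 text with the standard '=' padding."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def padding_needed(num_bytes: int) -> int:
    """Number of '=' characters Base64 appends for an input of num_bytes.

    Base64 turns each 3-byte group into 4 characters. A leftover of 1 byte
    yields 2 '=' and a leftover of 2 bytes yields 1 '='; no leftover, no padding.
    """
    return -num_bytes % 3


def decode_strict(encoded: str):
    """Decode exactly what was given; return None (never a made-up value) on failure.

    validate=True rejects characters outside the alphabet, and the underlying
    decoder rejects a missing or incorrect '=' tail.
    """
    try:
        return base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_repair_padding(encoded: str) -> bytes:
    """Re-add the '=' padding a sender dropped, then decode strictly.

    Only the padding is reconstructed (Base64 output length is always a
    multiple of 4); any other corruption still raises binascii.Error.
    """
    fixed = encoded + "=" * (-len(encoded) % 4)
    return base64.b64decode(fixed, validate=True)


if __name__ == "__main__":
    for text, expected in SAMPLES.items():
        encoded = encode_b64(text)
        print(f"{text!r:18} -> {encoded}  (padding chars: {padding_needed(len(text))})")
        assert encoded == expected
    # The failure mode from the article: the '=' tail was left off the key.
    unpadded = SAMPLES["Glock Talk"].rstrip("=")
    print("strict decode of", unpadded, "->", decode_strict(unpadded))
    print("after re-adding padding   ->", decode_repair_padding(unpadded))
```

Run it and the strict decode of R2xvY2sgVGFsaw prints None, while the repaired decode recovers "Glock Talk"; the repair only works because nothing other than the trailing '=' was lost.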
     
  5. MajJamesMcFarlane

    Which is exactly why backups on backups on backups is a good idea. I just saw an article this morning talking about a Linux ransomware bug just found in the wild.