Be Afraid, Be Very Afraid... Ransomware

Postby bcpayne » Mon Sep 16, 2013 9:39 pm

I just got taken by ransomware.

MEET WITH YOUR STAFF NOW AND REMIND THEM TO NEVER OPEN EMAIL ATTACHMENTS FROM UNKNOWN SENDERS!

I wish I did this morning, because one of them opened an attachment sent to our main office email... it ran a program called CryptoLocker, which is ransomware. http://www.geek.com/apps/disk-encryptii ... s-1570402/

This program encrypted, with SERIOUS encryption, most personal / business files on the computer as well as ALL NETWORK DRIVES IT COULD LOCATE ON THE NETWORK! Luckily it did not encrypt the MySQL database files.

Midday today, we started having problems opening some scanned files in our opendentalimages folder. I didn't know what was happening, but by the time I found the ransom screen on one of our front desk computers, our entire NAS drive was encrypted. I found this after hours, so I have no idea which employee did it and what went through their head when they saw what I saw.

So after I did some research I realized that the program does what it says: you have permanently lost your files (unless you can get the NSA to decrypt them for you!). That is, unless you pay the $300 ransom. This was the perfect storm for me, since I had a problem that required me to rebuild my server, but I hadn't yet got around to re-installing CrashPlan backup.

I am ashamed to say that I paid the $300. I really don't want to try to find everything from the last 2 weeks and spend hours recreating charts and financial data. Unfortunately every payment they get will make them more motivated.

I'll see what happens, but for now we are crippled. The screen says that the payments are manually entered, so it can take 48 hours before it starts decrypting. I have almost always done my due diligence, but have never been scared of malware before now.

Re: Be Afraid, Be Very Afraid... Ransomware

Postby bcpayne » Tue Sep 17, 2013 7:44 am

Update, some time overnight the ransom was accepted and our files were decrypted. We are back up and running and unfortunately a criminal got what they wanted.

CrashPlan would have worked in this situation, but would have taken a LONG time to download our backup. I plan on changing to Central Data Storage for HIPAA-required backup of the OD images folder and MySQL data folder, since they will sign the HIPAA business partner agreement. On top of that I will have another NAS backup drive doing hourly or q30min backups for quick restore. Hopefully I learned my lesson not to take a chance even for a week or two.

Re: Be Afraid, Be Very Afraid... Ransomware

Postby docholiday » Tue Sep 17, 2013 7:57 am

I am truly sorry to hear of your situation; that is horrible what they did.

I would recommend documenting EVERYTHING that happened and then disputing the charge with your credit card company, as well as reporting this to the FBI. I can't imagine a CC company allowing the charge to stick for what sounds like extortion.
Just my $0.02

Re: Be Afraid, Be Very Afraid... Ransomware

Postby teethdood » Tue Sep 17, 2013 2:58 pm

They don't accept CC, that's the thing. They are not stupid :-)
The only thing they accept, I think, is money transfer via Western Union etc. Can't trace those things.

It's a well-known scam. Your computer gets locked up and most likely it says you've been visiting porn sites... they prey on your embarrassment to coerce you to pay up. Some people couldn't care less that their data is encrypted, but they don't know how to reinstall their OS, have to bring it to their kids to get fixed for example... OMG pr0n embarrassing!!!11!!1! ok ok take my $300.
Philip H. Doan, DDS
http://www.kaweahdental.com/

Re: Be Afraid, Be Very Afraid... Ransomware

Postby bcpayne » Tue Sep 17, 2013 3:49 pm

Personally I don't think I would call it a scam. This is pure extortion, theft, vandalism. The only thing deceptive about this was probably the email it came in. It was cold and businesslike. The screen just said that your files are encrypted and if you want to get them back you must pay $300 via a cash card you can buy at Walgreens, Bitcoin payments, or some European untraceable payment site. No frills, nothing embarrassing, just extortion.

Re: Be Afraid, Be Very Afraid... Ransomware

Postby Jay » Thu Sep 19, 2013 4:30 pm

I am truly sorry to hear what happened to your data. I hope everything is restored to normal soon. Unfortunately you might have to format and re-install the OS on all networked PCs, because it might have left a hidden program that continues to log keystrokes or repeats the same thing in 4 months.

May I ask what you meant when you wrote this? Which service are you referring to?

bcpayne wrote: I plan on changing to central data storage for HIPAA required backup of the OD images folder and mysql data folder since they will sign the HIPAA business partner agreement. On top of that I will have another NAS backup drive doing hourly or q30min backups for quick restore.

This makes me realize that we need a Ghost/Acronis imaging type of solution for true disaster recovery, because re-installing the OS on so many machines is a nightmare.

1. Delete all partitions and format all drives.
2. Restore the OS on all machines.
3. Restore applications, unless the OS was imaged.
4. Restore data.

Once again, I hope all is well soon.

Re: Be Afraid, Be Very Afraid... Ransomware

Postby bcpayne » Thu Sep 19, 2013 9:25 pm

Jay,
I haven't signed up with them yet, since I have been with CrashPlan, but the service is Central Data Storage. https://centraldatastorage.com/

For <25 GB it is about $30/month and it seems pretty close to CrashPlan, except they do comply with all HIPAA requirements, including signing a "HIPAA business partner agreement". Most places, including CrashPlan as far as I know, will not sign it because they know that they would be liable to pay fines in case of a data breach. Obviously more expensive than CrashPlan Pro, since I currently pay about $8 a month for unlimited storage. So I will use CDS for anything with patient data, and CrashPlan for general office file backup.

Re: Be Afraid, Be Very Afraid... Ransomware

Postby Jay » Fri Sep 20, 2013 7:38 am

Thanks. Incidentally, I am looking at Bart PE for disk cloning and recovery over the network.

Re: Be Afraid, Be Very Afraid... Ransomware

Postby bpcomp » Fri Sep 20, 2013 2:02 pm

If you are looking for disk cloning and want to stick with open source, take a look at Clonezilla. It's worked well for me the couple of times I've used it.

Re: Be Afraid, Be Very Afraid... Ransomware

Postby Jay » Mon Sep 23, 2013 11:18 am

bpcomp wrote: If you are looking for disk cloning and wanting to stick with open source, take a look at Clonezilla. It's worked well for me the couple of times I've used it.

Thanks. While searching Clonezilla, I found Fog. Have you compared them?

Re: Be Afraid, Be Very Afraid... Ransomware

Postby drtech » Mon Sep 23, 2013 11:35 am

http://www.fogproject.org/?q=node/1

Never heard of it before, but it looks great!
David Fuchs
Dentist - Springfield, MO
Smile Dental http://www.887-smile.com

Re: Be Afraid, Be Very Afraid... Ransomware

Postby bpcomp » Mon Sep 23, 2013 12:07 pm

Fogproject looks very nice. I haven't done a comparison, but from a quick glance through, the main thing that I think separates Clonezilla and Fogproject is that to clone a machine with Fogproject, you need a cloning server on your network. With Clonezilla all you need is a burned CD and a USB drive to clone a computer. If you are doing regular clones of computers in your office, then Fogproject seems to be the more user-friendly option. If you are just doing a one-off clone to a USB drive, then Clonezilla does not require any installation and configuration.

Re: Be Afraid, Be Very Afraid... Ransomware

Postby rhaber123 » Thu Oct 03, 2013 11:05 pm

FROM MALWARE TIPS SECURITY ADVISOR
http://malwaretips.com/blogs/central-se ... ice-virus/

In this step we will need to create a bootable USB drive that contains the HitmanPro Kickstart program.
We will then boot your computer using this bootable USB drive and use it to clean the infection so that you are able to remove this infection.
You will also need a USB drive, which will have all of its data erased and will then be formatted. Therefore, only use a USB drive that does not contain any important data.

1. Using a "clean" (non-infected) computer, please download HitmanPro Kickstart from the below link.
HITMANPRO DOWNLOAD LINK : http://www.surfright.nl/en/downloads
(This link will open a download page in a new web page from where you can download HitmanPro Kickstart)

2. Once HitmanPro has been downloaded, please insert the USB flash drive that you would like to erase and use for the installation of HitmanPro Kickstart. Then double-click on the file named HitmanPro.exe (for 32-bit versions of Windows) or HitmanPro_x64.exe (for 64-bit versions of Windows).
To create a bootable HitmanPro USB drive, please follow the instructions from this video:
http://www.youtube.com/watch?v=aBS902Qr0oc

3. Now, remove the HitmanPro Kickstart USB drive and insert it into the infected computer.

4. Once you have inserted the HitmanPro Kickstart USB drive, turn off the infected computer and then turn it on. As soon as you power it on, look for text on the screen that tells you how to access the boot menu.
The keys that are commonly associated with enabling the boot menu are F10, F11 or F12.

5. Once you determine the proper key (usually the F11 key) that you need to press to access the Boot Menu, restart your computer again and start immediately tapping that key. Next, please perform a scan with HitmanPro Kickstart as shown in the video below:
http://www.youtube.com/watch?v=lUNHidkYsDQ#t=124

6. HitmanPro will now reboot your computer and Windows should start normally.
Then please run Malwarebytes Anti-Malware : http://www.malwarebytes.org/products/malwarebytes_free/
and HitmanPro, and scan your computer for any left over infections.
Last edited by rhaber123 on Mon Nov 25, 2013 5:58 pm, edited 1 time in total.

Re: Be Afraid, Be Very Afraid... Ransomware

Postby bcpayne » Fri Oct 04, 2013 4:08 pm

Good God man... please do not give the advice to remove the ransomware unless you clearly state that by doing so, you have NO CHANCE of getting your files back. You may be talking about one of the other ransom viruses that just screw your computer up and give you a pop-up that says you have to pay a ransom to make it go away. I have read too many stories of people that removed the ransomware before their files were decrypted and they have lost all of their files. There is no way to re-install it to pay the ransom to decrypt your files. The ransomware itself is EASY to remove, but the encryption is impossible to reverse with currently available technology.

THE ONLY WAY TO PREVENT THE SITUATION I WAS IN IS TO HAVE REALLY GOOD AND FREQUENT OFFLINE BACKUPS. Many antivirus programs do not even detect this ransomware.
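As an added illustration (not from this thread or any of its posters), here is a defender-side check for the first symptom bcpayne describes, scanned images on the share that suddenly no longer open: it flags files whose header contradicts their extension and whose content has near-maximal byte entropy, which is what CryptoLocker-style encryption leaves behind. The magic-byte table, the entropy threshold and the sample files are constructed assumptions for the example.

```python
"""Detect a mass-encryption event on a file share by spotting files whose
content no longer matches their extension: an encrypted JPEG neither starts
with the JPEG header nor has the low byte-entropy of a normal image."""
import math
import os
import tempfile

# Header bytes for file types typical of a practice's image share.
# Constructed table for this example; extend it for your own file types.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF",
    ".tif": b"II*\x00",
}
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext sits close to the maximum of 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(path: str, sample_size: int = 4096) -> bool:
    """True when the head of the file contradicts its extension AND is
    high-entropy. Requiring both avoids flagging a merely misnamed file."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return False  # unknown type: nothing to compare against
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    return not head.startswith(magic) and shannon_entropy(head) > ENTROPY_THRESHOLD

def scan_share(root: str):
    """Walk the share; return (suspicious_paths, number_of_files_checked)."""
    suspicious, checked = [], 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in MAGIC:
                continue
            checked += 1
            path = os.path.join(dirpath, name)
            if looks_encrypted(path):
                suspicious.append(path)
    return suspicious, checked

def build_sample_share() -> str:
    """Constructed sample share: one normal JPEG stub and one 'encrypted' one,
    where bytes(range(256)) * 16 stands in for ciphertext (entropy exactly 8.0)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "xray_001.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 2000)
    with open(os.path.join(root, "xray_002.jpg"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)
    return root
```

Run `scan_share` against a real share on a schedule and alert when the flagged fraction jumps; a sudden rise across many files is the signal, a handful of hits may just be corrupt or mislabelled files.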

Re: Be Afraid, Be Very Afraid... Ransomware

Postby rhaber123 » Fri Oct 04, 2013 4:23 pm

Read this link:
http://www.dotfab.com/resources/how-to- ... val-guide/

From the above link:
"The fake alert says that your personal files like photos, videos, documents, etc. are encrypted. And you must pay 100USD/100EUR /similar amount in another currency to purchase the private key for your computer to decrypt files. Actually, it is a scam to steal your money by scaring you into believing all of your personal files have been encrypted. CryptoLocker virus just blocks your desktop and freezes your Windows operating system to create such an illusion. Worse, to avoid being removed and convince more innocent victims to pay for the private key, it threatens you that any attempt to remove or damage this software will lead to the immediate destruction of the private key by server and you will never decrypt your files. Ignore this unreal alert, just remove this virus. No matter what the bogus alert says, do not pay for the private key. It is just a scam designed by cybercriminals to steal your money"

Re: Be Afraid, Be Very Afraid... Ransomware

Postby bpcomp » Fri Oct 04, 2013 4:41 pm

No matter what, if your data is encrypted, then taking a stand and not paying the criminals for the sake of not paying them is just silly if your office data is encrypted and you have no backup or recent backup. Removing the Trojan is just silly when all your data is still encrypted. The only way it makes sense to not pay them or to remove the Trojan is if you have a current backup. If that is the case, then I wouldn't bother with removing the Trojan and hoping that I caught every last piece of it and it doesn't resurrect itself; I would completely wipe the affected computer and restore my backup. I would then make another copy of the data only, in case the virus was hiding inside the backup. Then if you are still unsure you can recreate that computer from scratch just to be sure there is no virus anywhere on the computer.

Re: Be Afraid, Be Very Afraid... Ransomware

Postby rhaber123 » Fri Oct 04, 2013 5:13 pm

Read this link:
http://www.dotfab.com/resources/how-to- ... val-guide/

From the above link:
"Worse, to avoid being removed and convince more innocent victims to pay for the private key, it threatens you that any attempt to remove or damage this software will lead to the immediate destruction of the private key by server and you will never decrypt your files. Ignore this unreal alert, just remove this virus"

Re: Be Afraid, Be Very Afraid... Ransomware

Postby bpcomp » Mon Oct 07, 2013 7:35 am

So if I take files that have been encrypted and move them to a separate non-infected computer, and I'm unable to access them because they are ENCRYPTED, then how is this an "unreal alert"? Why would I "just remove this virus"? Why would I take any advice from this website you keep linking to, which gives advice that could lead to the permanent loss of all your data? I read the whole tutorial before I posted a response the first time; I just don't agree with it.

Re: Be Afraid, Be Very Afraid... Ransomware

Postby Jay » Mon Oct 07, 2013 11:25 am

I think what you guys are disputing is whether the files are actually encrypted or not. If yes, then it is true ransomware and one has to pay up or lose everything. If no, then it is only hoaxware and you can safely remove the virus. But what if it resembles hoaxware but actually is ransomware? Then you lose everything too. Unfortunately the creators of such things count on this terrible uncertainty.

Re: Be Afraid, Be Very Afraid... Ransomware

Postby bcpayne » Sat Nov 16, 2013 7:52 am

Do some real research before blowing this off. Here is a recent news story:
http://www.cnbc.com/id/101195861

This ransomware (CryptoLocker) has exploded in the news lately. I see that the fee to decrypt your files is now over $800, and if you miss the deadline to pay the ransom, they now have a website you can go to and decrypt your files, but the fee for that is over $4000.

It sounds like they are now finding ways to encrypt your backups if they are not offline.

I just found a program that is designed to stop it at FoolishIT.com. It is free, unless you want automatic updates.

This is proving to be the most dangerous "virus" ever made. Don't assume that your current IT practices will keep you safe.

Unfortunately this is spreading like wildfire and someone is making off with MILLIONS.

Re: Be Afraid, Be Very Afraid... Ransomware

Postby stjames70 » Thu Dec 12, 2013 8:14 pm

Hmmm....

Another reason why you should use Microsoft Windows only in a virtual environment and limit the applications which can be accessed in that environment. I only allow staff to use our workstations' Windows VM for Open Dental and Dexis. All other operations have to be conducted using the Mac side. I know it sounds smug, but who is going to target an operating system which comprises less than 10% of all running operating systems?

Opening emails is unavoidable. Security software is not always perfect. The only way I see to minimize risk is to run your practice in a virtual environment under macOS or Linux or whatever OS does not have the word Microsoft in front of it. Windows is a victim of its popularity. To stay ahead of the nasty people who write this malware stuff, you need to be vigilant, and be as creative as these thieves. My advice is running your servers and workstations one step away from the underlying operating system. This way, you can recover your data much more quickly, trash infected VMs, and rebuild your systems much more quickly and efficiently from stored backups. You may lose one day's worth of data depending on your backup frequency, but at least you are not losing all your systems or your data.

You think hardware such as Apple computers is expensive? Then run Linux. But I really think that hardware cost is negligible in the end when you consider how much you lose if you have to spend hours and hours rebuilding all your systems.

Think. It makes sense.

Re: Be Afraid, Be Very Afraid... Ransomware

Postby alyosha » Mon Jan 06, 2014 12:39 pm

I got the ransomware deal on my computer; the computer was locked up with the screen saying my data was now encrypted, etc. I immediately pulled the plug, disconnected external drives, ethernet cable, printers, everything. After re-boot, I ran a malware and virus scan which found 5 criticals which I removed (using Ad-Aware, then AVG Free Version). The computer was fine after that, and no probs 2 months later. I got this malware after perusing my favorite uTorrent site looking to download vintage Muhammad Ali fights... I probably shouldn't do that at the practice, but I was stuck there for 10 hours on a Sunday while having a new floor installed.