Be Afraid, Be Very Afraid... Ransomware

For users or potential users.
bcpayne
Posts: 77
Joined: Wed Feb 15, 2012 8:00 am
Location: Pueblo, CO

Be Afraid, Be Very Afraid... Ransomware

Post by bcpayne » Mon Sep 16, 2013 9:39 pm

t
Last edited by bcpayne on Thu Feb 07, 2019 3:25 pm, edited 1 time in total.

bcpayne
Posts: 77
Joined: Wed Feb 15, 2012 8:00 am
Location: Pueblo, CO

Re: Be Afraid, Be Very Afraid... Ransomware

Post by bcpayne » Tue Sep 17, 2013 7:44 am

t
Last edited by bcpayne on Thu Feb 07, 2019 3:25 pm, edited 1 time in total.

docholiday
Posts: 6
Joined: Wed Jul 21, 2010 2:25 pm

Re: Be Afraid, Be Very Afraid... Ransomware

Post by docholiday » Tue Sep 17, 2013 7:57 am

I am truly sorry to hear of your situation - that is horrible what they did.

I would recommend documenting EVERYTHING that happened and then dispute the charge with your credit card company as well as reporting this to the FBI. I can't imagine a CC company allowing the charge to stick for what sounds like extortion.
Just my $0.02

teethdood
Posts: 267
Joined: Sun Jul 29, 2007 12:39 am
Location: Visalia, CA

Re: Be Afraid, Be Very Afraid... Ransomware

Post by teethdood » Tue Sep 17, 2013 2:58 pm

They don't accept CC that's the thing. They are not stupid :-)
The only thing they accept I think is money transfer via Western Union etc. Can't trace those things.

It's a well known scam. Your computer gets locked up and most likely it says you've been visiting porn sites...they prey on your embarrassment to coerce you to pay up. Some people couldn't care less that their data is encrypted, but they don't know how to reinstall their OS, have to bring it to their kids to get fixed for example...OMG pr0n embarrassing!!!11!!1! ok ok take my $300.
Philip H. Doan, DDS
http://www.kaweahdental.com/

bcpayne
Posts: 77
Joined: Wed Feb 15, 2012 8:00 am
Location: Pueblo, CO

Re: Be Afraid, Be Very Afraid... Ransomware

Post by bcpayne » Tue Sep 17, 2013 3:49 pm

t
Last edited by bcpayne on Thu Feb 07, 2019 3:26 pm, edited 1 time in total.

Jay
Posts: 272
Joined: Fri Aug 06, 2010 10:01 am

Re: Be Afraid, Be Very Afraid... Ransomware

Post by Jay » Thu Sep 19, 2013 4:30 pm

I am truly sorry to hear what happened to your data. I hope everything is restored to normal soon. Unfortunately you might have to format and re-install the OS on all networked PCs because it might have left a hidden program that continues to log keystrokes or repeat the same thing in 4 months.

May I ask what you meant when you wrote this? Which service are you referring to?
bcpayne wrote: I plan on changing to central data storage for HIPAA required backup of the OD images folder and mysql data folder since they will sign the HIPAA business partner agreement. On top of that I will have another NAS backup drive doing hourly or q30min backups for quick restore.
This makes me realize that we need a Ghost/Acronis imaging type of solution for true disaster recovery because re-installing OS on so many machines is a nightmare.

1. delete all partitions and format all drives.
2. restore OS on all machines
3. restore Applications unless OS was imaged.
4. restore data.

Once again, I hope all is well soon.

bcpayne
Posts: 77
Joined: Wed Feb 15, 2012 8:00 am
Location: Pueblo, CO

Re: Be Afraid, Be Very Afraid... Ransomware

Post by bcpayne » Thu Sep 19, 2013 9:25 pm

Jay,
I haven't signed up with them yet, since I have been with crashplan, but the service is Central Data Storage. https://centraldatastorage.com/

For <25gb it is about $30/month and it seems pretty close to crashplan, except they do comply with all HIPAA requirements including signing a "HIPAA business partner agreement". Most places, including crashplan as far as I know, will not sign it because they know that they would be liable to pay fines in case of a data breach. Obviously more expensive than crashplan pro, since I currently pay about $8 a month for unlimited storage. So I will use CDS for anything with patient data, and crashplan for general office file backup.

Jay
Posts: 272
Joined: Fri Aug 06, 2010 10:01 am

Re: Be Afraid, Be Very Afraid... Ransomware

Post by Jay » Fri Sep 20, 2013 7:38 am

Thanks. Incidentally I am looking at Bart PE for disk cloning and recovery over the network.

bpcomp
Posts: 304
Joined: Mon Feb 27, 2012 7:30 am
Location: Tucson, AZ

Re: Be Afraid, Be Very Afraid... Ransomware

Post by bpcomp » Fri Sep 20, 2013 2:02 pm

If you are looking for disk cloning and wanting to stick with open source, take a look at Clonezilla. It's worked well for me the couple of times I've used it.

Jay
Posts: 272
Joined: Fri Aug 06, 2010 10:01 am

Re: Be Afraid, Be Very Afraid... Ransomware

Post by Jay » Mon Sep 23, 2013 11:18 am

bpcomp wrote: If you are looking for disk cloning and wanting to stick with open source, take a look at Clonezilla. It's worked well for me the couple of times I've used it.
Thanks. While searching Clonezilla, I found Fog. Have you compared them?

drtech
Posts: 1647
Joined: Wed Jun 20, 2007 8:44 am
Location: Springfield, MO

Re: Be Afraid, Be Very Afraid... Ransomware

Post by drtech » Mon Sep 23, 2013 11:35 am

http://www.fogproject.org/?q=node/1

Never heard of it before, but looks great!
David Fuchs
Dentist - Springfield, MO
Smile Dental http://www.887-smile.com

bpcomp
Posts: 304
Joined: Mon Feb 27, 2012 7:30 am
Location: Tucson, AZ

Re: Be Afraid, Be Very Afraid... Ransomware

Post by bpcomp » Mon Sep 23, 2013 12:07 pm

Fogproject looks very nice. I haven't done a comparison but from a quick glance through the main thing that I think separates Clonezilla and Fogproject is that to clone a machine with Fogproject, you need a cloning server on your network. With Clonezilla all you need is a burned CD and a USB drive to clone a computer. If you are doing regular clones of computers in your office then Fogproject seems to be the more user friendly option. If you are just doing a one off clone to a USB drive then Clonezilla does not require any installation and configuration.

rhaber123
Posts: 415
Joined: Fri Dec 11, 2009 12:09 pm

Re: Be Afraid, Be Very Afraid... Ransomware

Post by rhaber123 » Thu Oct 03, 2013 11:05 pm

FROM MALWARE TIPS SECURITY ADVISOR
http://malwaretips.com/blogs/central-se ... ice-virus/

In this step we will need to create a bootable USB drive that contains the HitmanPro Kickstart program.
We will then boot your computer using this bootable USB drive and use it to clean the infection so that you are able to remove this infection.
You will also need a USB drive, which will have all of its data erased and will then be formatted. Therefore, only use a USB drive that does not contain any important data.

1. Using a “clean” (non-infected) computer, please download HitmanPro Kickstart from the below link.
HITMANPRO DOWNLOAD LINK : http://www.surfright.nl/en/downloads
(This link will open a download page in a new web page from where you can download HitmanPro Kickstart)

2. Once HitmanPro has been downloaded, please insert the USB flash drive that you would like to erase and use for the installation of HitmanPro Kickstart. Then double-click on the file named HitmanPro.exe (for 32-bit versions of Windows) or HitmanPro_x64.exe (for 64-bit versions of Windows).
To create a bootable HitmanPro USB drive, please follow the instructions from this video:
http://www.youtube.com/watch?v=aBS902Qr0oc

3. Now, remove the HitmanPro Kickstart USB drive and insert it into the "infected" computer.

4. Once you have inserted the HitmanPro Kickstart USB drive, turn off the infected computer and then turn it on. As soon as you power it on, look for text on the screen that tells you how to access the boot menu.
The keys that are commonly associated with enabling the boot menu are F10, F11 or F12.

5. Once you determine the proper key (usually the F11 key) that you need to press to access the Boot Menu, restart your computer again and start immediately tapping that key. Next, please perform a scan with HitmanPro Kickstart as shown in the video below:
http://www.youtube.com/watch?v=lUNHidkYsDQ#t=124

6. HitmanPro will now reboot your computer and Windows should start normally.
Then please run Malwarebytes Anti-Malware : http://www.malwarebytes.org/products/malwarebytes_free/
and HitmanPro, and scan your computer for any left over infections.
Last edited by rhaber123 on Mon Nov 25, 2013 4:58 pm, edited 1 time in total.

bcpayne
Posts: 77
Joined: Wed Feb 15, 2012 8:00 am
Location: Pueblo, CO

Re: Be Afraid, Be Very Afraid... Ransomware

Post by bcpayne » Fri Oct 04, 2013 4:08 pm

t
Last edited by bcpayne on Thu Feb 07, 2019 3:26 pm, edited 1 time in total.

rhaber123
Posts: 415
Joined: Fri Dec 11, 2009 12:09 pm

Re: Be Afraid, Be Very Afraid... Ransomware

Post by rhaber123 » Fri Oct 04, 2013 4:23 pm

read this link
http://www.dotfab.com/resources/how-to- ... val-guide/

from the above link:
"The fake alert says that your personal files like photos, videos, documents, etc. are encrypted. And you must pay 100USD/100EUR /similar amount in another currency to purchase the private key for your computer to decrypt files. Actually, it is a scam to steal your money by scaring you into believing all of your personal files have been encrypted. CryptoLocker virus just blocks your desktop and freezes your windows operating system to create such an illusion. Worse, to avoid being removed and convince more innocent victims to pay for the private key, it threats you that any attempt to remove or damage this software will lead to the immediate destruction of the private key by server and you will never decrypt your files. Ignore this unreal alert, just remove this virus. No matter what the bogus alert says, do not pay for the private key. It is just a scam designed by cybercriminals to steal your money"

bpcomp
Posts: 304
Joined: Mon Feb 27, 2012 7:30 am
Location: Tucson, AZ

Re: Be Afraid, Be Very Afraid... Ransomware

Post by bpcomp » Fri Oct 04, 2013 4:41 pm

No matter what, if your data is encrypted then taking a stand and not paying the criminals for the sake of not paying them is just silly if your office data is encrypted and you have no backup or recent backup. Removing the Trojan is just silly when all your data is still encrypted. The only way it makes sense to not pay them or remove the Trojan is if you have a current backup. If that is the case then I wouldn't bother with removing the Trojan and hoping that I caught every last piece of it and it doesn't resurrect itself, I would completely wipe the affected computer and restore my backup. I would then make another copy of the data only in case the virus was hiding inside the backup. Then if you are still unsure you can recreate that computer from scratch just to be sure there is no virus anywhere on the computer.

rhaber123
Posts: 415
Joined: Fri Dec 11, 2009 12:09 pm

Re: Be Afraid, Be Very Afraid... Ransomware

Post by rhaber123 » Fri Oct 04, 2013 5:13 pm

read this link
http://www.dotfab.com/resources/how-to- ... val-guide/

from the above link:
"Worse, to avoid being removed and convince more innocent victims to pay for the private key, it threats you that any attempt to remove or damage this software will lead to the immediate destruction of the private key by server and you will never decrypt your files. Ignore this unreal alert, just remove this virus"

bpcomp
Posts: 304
Joined: Mon Feb 27, 2012 7:30 am
Location: Tucson, AZ

Re: Be Afraid, Be Very Afraid... Ransomware

Post by bpcomp » Mon Oct 07, 2013 7:35 am

So if I take files that have been encrypted and move them to a separate non-infected computer and I'm unable to access them because they are ENCRYPTED then how is this an "unreal alert". Why would I "just remove this virus"? Why would I take any advice from this website you keep linking to which gives advice which could lead to the permanent loss of all your data? I read the whole tutorial before I posted a response the first time, I just don't agree with it.

Jay
Posts: 272
Joined: Fri Aug 06, 2010 10:01 am

Re: Be Afraid, Be Very Afraid... Ransomware

Post by Jay » Mon Oct 07, 2013 11:25 am

I think what you guys are disputing is whether the files are actually encrypted or not. If yes, then it is true ransomware and one has to pay up or lose everything. If no, then it is only hoaxware and you can safely remove the virus. But what if it resembles hoaxware but actually is ransomware? Then you lose everything too. Unfortunately the creators of such things count on this terrible uncertainty.
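The dispute above turns on whether the files are really encrypted, which can be checked read-only on a copy of the data from a clean machine. The following is an added example, not code from any poster in this thread: it compares each file's leading bytes with the signature its extension implies and measures byte entropy. The signature table, the 7.5 bits/byte threshold and the sample files are assumptions constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Leading "magic" bytes for a few formats common in an office data folder.
MAGIC = {".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n",
         ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for random or encrypted data, lower for structured data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def triage_file(path: str, sample_size: int = 65536) -> str:
    """Classify one file as 'intact', 'suspect' or 'unknown' without modifying it."""
    ext = os.path.splitext(path)[1].lower()
    magic = MAGIC.get(ext)
    if magic is None:
        return "unknown"              # no signature to compare against
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    if sample.startswith(magic):
        return "intact"               # header still matches the extension
    # Header check comes first because JPEG/DOCX are compressed and have
    # high entropy even when healthy. Wrong header plus near-random content
    # is what an encrypted file looks like.
    return "suspect" if shannon_entropy(sample) > 7.5 else "unknown"

def triage_tree(root: str) -> dict:
    """Walk a folder (ideally a read-only copy) and count files per verdict."""
    counts = {"intact": 0, "suspect": 0, "unknown": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            counts[triage_file(os.path.join(dirpath, name))] += 1
    return counts

def demo() -> dict:
    """Constructed sample: a valid PDF header, a random-bytes 'PDF', a text file."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "chart.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4\n" + b"constructed sample\n" * 100)
        with open(os.path.join(root, "xray.pdf"), "wb") as fh:
            fh.write(os.urandom(65536))   # stands in for an encrypted file
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"plain text\n")
        return triage_tree(root)

if __name__ == "__main__":
    print(demo())
```

A folder that comes back mostly "intact" points to a lock screen only; many "suspect" files mean the data really is unreadable and the restore-from-backup path discussed in this thread applies.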

bcpayne
Posts: 77
Joined: Wed Feb 15, 2012 8:00 am
Location: Pueblo, CO

Re: Be Afraid, Be Very Afraid... Ransomware

Post by bcpayne » Sat Nov 16, 2013 6:52 am

t
Last edited by bcpayne on Thu Feb 07, 2019 3:27 pm, edited 1 time in total.

stjames70
Posts: 101
Joined: Fri Dec 18, 2009 3:24 am

Re: Be Afraid, Be Very Afraid... Ransomware

Post by stjames70 » Thu Dec 12, 2013 7:14 pm

Hmmm....

Another reason why you should use Microsoft Windows only in a virtual environment and limit the applications which can be accessed in that environment. I only allow staff to use our workstations' Windows VM for Open Dental and Dexis. All other operations have to be conducted using the Mac side. I know it sounds smug, but who is going to target an operating system which comprises less than 10% of all running operating systems?

Opening emails is unavoidable. Security software is not always perfect. The only way I see to minimize risk is to run your practice in a virtual environment under MacOS or Linux or whatever OS does not have the word Microsoft in front of it. Windows is a victim of its popularity. To stay ahead of the nasty people who write this malware stuff, you need to be vigilant, and be as creative as these thieves. My advice is running your servers and workstations one step away from the underlying operating system. This way, you can recover your data much more quickly, trash infected VMs, and rebuild your systems much more quickly and efficiently from stored backups. You may lose one day's worth of data depending on your backup frequency, but at least you are not losing all your systems or your data.

You think hardware such as Apple computers is expensive? Then run Linux. But I really think that hardware cost is negligible in the end when you consider how much you lose if you have to spend hours and hours rebuilding all your systems.

Think. It makes sense.

alyosha
Posts: 8
Joined: Mon May 12, 2008 11:46 am

Re: Be Afraid, Be Very Afraid... Ransomware

Post by alyosha » Mon Jan 06, 2014 11:39 am

I got the ransomware deal on my computer, the computer was locked up with the screen saying my data was now encrypted, etc. I immediately pulled the plug, disconnected external drives, ethernet cable, printers, everything. After re-boot, I ran a malware and virus scan which found 5 criticals which I removed (using Adaware, then AVG Free Version). The computer was fine after that, and no probs 2 months later. I got this malware after perusing my favorite u-torrent site looking to download vintage Muhammad Ali fights... I probably shouldn't do that at the practice, but I was stuck there for 10 hours on a Sunday while having a new floor installed.

satishp
Posts: 13
Joined: Thu Nov 10, 2011 10:48 am

Re: Be Afraid, Be Very Afraid... Ransomware

Post by satishp » Fri Jul 24, 2015 3:16 pm

stjames70, I like your idea of running virtual machines.

But remember, one machine needs to be elected as the server in opendental, this will have to expose the hard drive as network drive so other systems can use it.

I can't think of a way to avoid this ransomware as alyosha says other than pay the ransom.

Can't we prevent download of email attachments by any software?

We do not need to use office computers for personal emails since everyone has smart phones these days.

I am wondering how to protect the network in case someone runs any crypto locker kind of virus in the network.

satishp
Posts: 13
Joined: Thu Nov 10, 2011 10:48 am

Re: Be Afraid, Be Very Afraid... Ransomware

Post by satishp » Fri Jul 24, 2015 3:21 pm

Found a good article in general to prevent all kinds of viruses from running

http://www.computerworld.com/article/24 ... u-are.html

Need to make a group policy so that virus links like this cannot run and infect the system in the first place.

Not a bad idea, just in case all the defences we set up fail and the virus reaches the target/end/client machine.

tgriswold
Posts: 122
Joined: Fri Jun 07, 2013 8:52 am

Re: Be Afraid, Be Very Afraid... Ransomware

Post by tgriswold » Fri Jul 24, 2015 4:03 pm

Another thing that I do not see a lot of mention of here, but is mentioned in that article is that having frequent offline or off-site backups that have been verified is also very key for mitigating the impact of these viruses. That way your worst case scenario is losing the data between your last backup and the time of the incident, not losing everything. Note: This requires your backups to not be on the same network or somehow isolated from the virus. If your backups are on your same machine as your live database, it won't help you at all.

Of course it's better to stop the issue before it starts, but it never hurts to have a fallback plan.
Travis Griswold
Open Dental Software
http://www.opendental.com

krewsonia
Posts: 1
Joined: Thu Nov 19, 2015 11:34 pm

Re: Be Afraid, Be Very Afraid... Ransomware

Post by krewsonia » Fri Nov 20, 2015 6:09 am

Stakes are getting so much higher. New strain of this deadly ransomware now encrypts our data for nearly USD 500, and there is no guarantee that a victim obtains the decryption upon transferring the ransom. Beware of ccc decryption and email attachments http://nabzsoftware.com/types-of-threats/ccc-file!
