Encryption Virus Help!

If it's that easy, then it's also traceable - for someone willing to put forth the effort.

Sure - they could trace your purchase back to you, because you have the info to provide to do so.

But as to who you're sending it to? Nope.
 
Sure - they could trace your purchase back to you, because you have the info to provide to do so.

But as to who you're sending it to? Nope.

Everything electronic is traceable if someone wants to put forth the effort.
 
It encrypts certain types of files on your hard drive, external drive, and any network share you have access to.

More often than not people don't have backups or their backups were on an external hard drive which was connected or a network share.

They've made a lot of money with their scheme.

So I use an external HD and Acronis to back up. But I switch out the HD daily so at worst I lose 24 hours of data.
 
I just had a great idea to make some quick money!!

Do this, but focus on porn history in browsers. Offer to wipe it for money, otherwise it goes to all of your email contacts with full details on when it happened and how long you were looking at it.

Boom - bitcoin blackmail.
Ok, hands off the keyboard,
Stand back
Forget you EVER thought of that!
 
I wonder if business insurance might cover the recovery or the ransom. I doubt it will cover the ransom but who knows.
 
I ended up paying the ransom and getting my files decrypted. It sucked, but paying $650 is a hell of a lot cheaper than starting over. I had 17,000 files encrypted. :eek:

Thanks to all for your advice.

My advice is pay it.
 
Suddenly, my automatic incremental off-site backups look a lot better.
 
I wonder if business insurance might cover the recovery or the ransom. I doubt it will cover the ransom but who knows.

It's worth filing a claim through your agent. I haven't read a homeowner's policy in a while, are there any exclusions on Data?
 
Re: Encryption Virus Help!

Suddenly, my automatic incremental off-site backups look a lot better.

Are those in the cloud? Is there any way that crypto-lockers could be redesigned to get at them?
 
Are those in the cloud? Is there any way that crypto-lockers could be redesigned to get at them?

That's an excellent question. Are our Cloud stored files and back ups safe, or can they get locked down as well?
 
To this point, I've never seen one that affects "cloud" backups, unless the "cloud" was accessible via a Drive letter or network share (which is rare).
 
That's an excellent question. Are our Cloud stored files and back ups safe, or can they get locked down as well?

I suppose it's possible if the backup client is running in a mode in which it automatically backs up files as they are modified, and if the file names remain the same. However, most decent cloud backup solutions feature versioning, so even if the automated backup did upload the encrypted files, the previous versions would still be available and unencrypted.

I know of no malware that is capable of logging in to a cloud backup to delete or encrypt previous versions. (That's not to say that a skilled miscreant couldn't write such malware, but I don't think that anyone's done it -- yet.)

If you're backing up to a mapped drive (that is, it has a drive letter assigned to it), then all bets are off. It doesn't matter whether the mapped drive lives on a computer in your office or one halfway around the world. Connected mapped drives are as vulnerable as local drives.

Rich
 
Am I safe to assume that using Office 365 and their default settings, these documents/files are safe? How about iCloud and Dropbox?
 
Am I safe to assume that using Office 365 and their default settings, these documents/files are safe?

No idea. I don't use it and have no idea how it accesses its storage. Neither is Microsoft's record of malware-resistance so illustrious that I'm willing to make any assumptions.

Rich
 
If the local copy gets encrypted (the local OneDrive or Dropbox folder), the sync may transfer those to the Cloud storage area. But versioning may save you, as the old (unencrypted) versions should be available.

It depends on whether you access the Cloud storage directly, or use it to sync to local computers. And whether you have a drive letter mapped directly to the cloud storage.

Nothing beats a point-in-time backup that is disconnected from the system. I haven't seen any of the Crypto programs attack backups that are in an image file, like what Acronis or Macrium uses.
 
Re: Encryption Virus Help!

Are those in the cloud? Is there any way that crypto-lockers could be redesigned to get at them?

I am certainly no expert, but what I have been told is...

The stuff in your cloud is NOT exempt from the encryption virus.

Acronis type backups (as an example) are not affected by encryption viruses at this time.

You should have several backups. One source is, say, 2 months old, one source a month old, one source a week or daily. Carbonite type backups are good for crashes of the hardware, but not for encryption.
 
Re: Encryption Virus Help!

Are those in the cloud? Is there any way that crypto-lockers could be redesigned to get at them?

I would be concerned if the backup location was mapped as an additional network drive; it is not.

Instead, our servers have backup software which, every night, sends an incremental-changes backup through the Internet to servers used by our backup/IT vendor (whether it is going into a big honking server at their office 5 miles away, or into leased cloud storage, I do not know; I suspect the latter).

The IT folks also show up periodically (perhaps monthly?) to do a complete backup, on-site, with portable drives they bring with them.

Every now and again, somebody in the office deletes something by accident, and with a phone call, it is restored from the backups. Very handy, when we need it.
 
Re: Encryption Virus Help!

I would be concerned if the backup location was mapped as an additional network drive; it is not.

Instead, our servers have backup software which, every night, sends an incremental-changes backup through the Internet to servers used by our backup/IT vendor (whether it is going into a big honking server at their office 5 miles away, or into leased cloud storage, I do not know; I suspect the latter).

The IT folks also show up periodically (perhaps monthly?) to do a complete backup, on-site, with portable drives they bring with them.

Every now and again, somebody in the office deletes something by accident, and with a phone call, it is restored from the backups. Very handy, when we need it.
The big question is whether or not those backups that are happening every night have versioning or if it's just overwriting what they had on their side. There wouldn't be much "incremental" happening, as the data after cryptowhatever encrypts it is completely different. You'd be sending a whole set of your data to them, and likely someone would notice given how long it would take and the bandwidth it may consume.
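
The two observations in this thread, that encrypted output turns an "incremental" run into a resend of the whole data set which someone ought to notice, and (Rich's point earlier) that versioning keeps the earlier, unencrypted copies, can be turned into a check the backup job runs before it writes anything. The following is an added example, not code from anyone in this thread or from any backup product: a small content-addressed snapshot store in Python in which earlier snapshots are never overwritten, plus a guard that compares the live tree with the last manifest and refuses to proceed when most files changed at once and the new contents have the high byte entropy of ciphertext. The thresholds, the store layout (objects/ and snapshots/ directories) and the demo documents are assumptions constructed for the example.

```python
"""Versioned snapshot backup with a mass-change guard (added example, not from the thread)."""
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumed thresholds: a normal day touches a small fraction of files, and edited
# documents stay far below the ~8 bits/byte entropy of encrypted data.
CHANGE_RATIO_LIMIT = 0.5
ENTROPY_LIMIT = 7.0


def sha256_file(path):
    """Content hash of one file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(source):
    """Map relative path -> sha256 for every regular file under source."""
    source = Path(source)
    return {str(p.relative_to(source)): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def latest_manifest(store):
    """Most recent snapshot manifest in the store, or None on the first run."""
    snaps = sorted(Path(store, "snapshots").glob("*.json"))
    return json.loads(snaps[-1].read_text()) if snaps else None


def assess(source, store):
    """Compare the live tree with the last snapshot before anything is copied."""
    current = scan(source)
    previous = latest_manifest(store)
    if not previous:
        return {"changed": len(current), "ratio": 0.0, "entropy": 0.0, "suspicious": False}
    changed = [p for p, h in current.items() if previous.get(p) != h]
    ratio = len(changed) / len(previous)
    ents = [shannon_entropy(Path(source, p).read_bytes()) for p in changed]
    entropy = sum(ents) / len(ents) if ents else 0.0
    return {"changed": len(changed), "ratio": ratio, "entropy": entropy,
            "suspicious": ratio > CHANGE_RATIO_LIMIT and entropy > ENTROPY_LIMIT}


def snapshot(source, store, force=False):
    """Add a content-addressed snapshot; earlier snapshots are never rewritten.
    Returns (name, verdict); name is None when the guard refused to proceed."""
    verdict = assess(source, store)
    if verdict["suspicious"] and not force:
        return None, verdict
    store = Path(store)
    objects, snaps = store / "objects", store / "snapshots"
    objects.mkdir(parents=True, exist_ok=True)
    snaps.mkdir(exist_ok=True)
    manifest = scan(source)
    for rel, digest in manifest.items():
        if not (objects / digest).exists():          # unchanged content is stored once
            shutil.copy2(Path(source, rel), objects / digest)
    name = f"{len(list(snaps.glob('*.json'))):06d}"  # monotonically increasing id
    (snaps / f"{name}.json").write_text(json.dumps(manifest, sort_keys=True))
    return name, verdict


def restore(store, name, dest):
    """Materialise snapshot `name` under dest; returns the number of files restored."""
    store = Path(store)
    manifest = json.loads((store / "snapshots" / f"{name}.json").read_text())
    for rel, digest in manifest.items():
        target = Path(dest, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(store / "objects" / digest, target)
    return len(manifest)


def demo():
    """Constructed scenario: baseline, one ordinary edit, then bulk 'encryption'."""
    base = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src, store, out = base / "docs", base / "backup-drive", base / "restored"
    src.mkdir()
    originals = {f"report{i}.txt": f"Quarterly figures, sheet {i}\n" * 40 for i in range(4)}
    for fname, text in originals.items():
        (src / fname).write_text(text)
    first, _ = snapshot(src, store)                      # baseline copy
    (src / "report0.txt").write_text("Revised sheet 0\n" * 40)
    second, normal = snapshot(src, store)                # a single edit: accepted
    for fname in originals:                              # every file becomes random bytes
        (src / fname).write_bytes(os.urandom(4096))
    third, flagged = snapshot(src, store)                # guard refuses; history is intact
    restore(store, first, out)
    return {"names": [first, second, third], "normal_ratio": normal["ratio"],
            "flagged": flagged["suspicious"],
            "restored_ok": all((out / f).read_text() == t for f, t in originals.items())}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the demo result: two accepted snapshots, a refusal on the third run, and a clean restore of the first snapshot. Passing force=True overrides the guard for a deliberate mass change (re-encoding a photo archive, say); what the guard buys you is an alert and an untouched history, not prevention, and the store still belongs on a drive that is attached only during the backup window.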
 
Re: Encryption Virus Help!

The big question is whether or not those backups that are happening every night have versioning or if it's just overwriting what they had on their side. There wouldn't be much "incremental" happening, as the data after cryptowhatever encrypts it is completely different. You'd be sending a whole set of your data to them, and likely someone would notice given how long it would take and the bandwidth it may consume.

That, and some cryptovirii are "delayed action", so they can reside on your system for a few days before taking action. How far back does the backup go?

This is an argument for storing data backups separately from program files...
 
Re: Encryption Virus Help!

That, and some cryptovirii are "delayed action", so they can reside on your system for a few days before taking action. How far back does the backup go?

This is an argument for storing data backups separately from program files...

It's also an argument for not relying on any one kind of backup.

I always consider "cloud" or any other sort of online backup to be secondary or tertiary to local backups. That's partly because where I am the best I can do is 10 Mb down Internet: Restoring everything from an online backup would take days. But it's also because I don't trust any one destination to be my only backup.

My local data backups are primary. My hard drive clones or images are secondary. My online backups are tertiary and are intended mainly for recovery from catastrophic events, like a fire or flood (although I have used them for quick restores of a file or two from time to time).

I also use multiple backups on servers. The accounts are backed up to the server itself for quick restores when hosting-only clients hose their sites; the entire server is backed up to another server in the DC every night in case the whole node or VM goes down; and everything's backed up to Amazon S3 early every morning in case of a catastrophe affecting Equinix, the hosting company, or all of Chicago.

The one phrase I've never heard in all my years farting around with computers is, "Damn, I wish we didn't have so many backups!" You can never have too many backups.

Rich
 
I once thought about building a dual-drive external enclosure or controller with USB, Firewire, eSata, and Ethernet interfaces and enough intelligence to independently mount and unmount each drive connected to it, alternately, at pre-set times every day.

Companion software on the machine(s) being backed up would then back up to those drives while they were mounted, also on a scheduled basis. Once the backup was complete, the drives on the controller would autonomously unmount again and become inaccessible to the system being backed up.

Once the backup completed, the external controller would email someone with an analysis and summary. It could also be set up to send an email if an expected backup didn't happen, or if its properties fell outside of expected parameters.

The idea would be to completely automate an imaging or cloning solution that would "disconnect" the drives between backups to lessen the chances of their being infected or encrypted along with the drive(s) being backed up. It would be the equivalent of unplugging the drives between backups, but with some additional intelligence.

It would have been a pretty easy thing to do, but I never got around to it. I suppose someone's done it by now, probably with Raspberry Pi. If I were still on that end of the business, I'm pretty sure I would have done it and monetized it already.

Rich
 
Re: Encryption Virus Help!

The big question is whether or not those backups that are happening every night have versioning or if it's just overwriting what they had on their side. There wouldn't be much "incremental" happening, as the data after cryptowhatever encrypts it is completely different. You'd be sending a whole set of your data to them, and likely someone would notice given how long it would take and the bandwidth it may consume.

My understanding is that they work off of two "leapfrogging" datasets.

If the server had gotten crypto-locked, such that an "incremental" backup would in effect be a total backup, I rather doubt that it could be anything close to complete overnight, and I'd hope they'd notice odd activity.

But I am going to ask.
 
Suddenly, my automatic incremental off-site backups look a lot better.

It is not a defense against the encryption virus. As the files are encrypted they are sent to the cloud. Incremental backup is good for a system failure or crash, but not an encryption virus.
 
Re: Encryption Virus Help!

That, and some cryptovirii are "delayed action", so they can reside on your system for a few days before taking action. How far back does the backup go?

This is an argument for storing data backups separately from program files...

Exactly. It took 3 days from infection to full blown encryption with little indication of anything wrong. My wife did notice the computer was "running" something at night leaving a lot of temp files that needed to be cleaned up.
 
I'm not sure about "delayed action" infections, as opposed to a delayed reaction noticing that it was happening. We've had many clients get this infection. Most of them didn't realize it had happened for at least one day, some two. The process of encrypting hundreds of thousands of files can take a LONG TIME, especially on a slow computer, or over a network connection. There is no advantage for the bad guy to delay the infection, since the longer it hangs around, the more likely it will be detected and stopped.

We've had savvy users click an email link and immediately feel like something was wrong. They shut the computer off and called us. We were able to determine the virus was in the process of systematically going through their hard drive, alphabetically, encrypting files. In one case, it only made it to the letter "M". In another case, the encryption went through the infected computer fully, and it was shut down as the encryption was working on the files on the server. That time it made it through the letter "O".
We've had some clients attempt to work with infected computers for a couple of days, before they reported the problem to us. After all, they could create new documents, do their web surfing and web email without a problem. Eventually, they realize that they cannot open old documents.
 
I'm not sure about "delayed action" infections, as opposed to a delayed reaction noticing that it was happening. We've had many clients get this infection. Most of them didn't realize it had happened for at least one day, some two. The process of encrypting hundreds of thousands of files can take a LONG TIME, especially on a slow computer, or over a network connection. There is no advantage for the bad guy to delay the infection, since the longer it hangs around, the more likely it will be detected and stopped.

We've had savvy users click an email link and immediately feel like something was wrong. They shut the computer off and called us. We were able to determine the virus was in the process of systematically going through their hard drive, alphabetically, encrypting files. In one case, it only made it to the letter "M". In another case, the encryption went through the infected computer fully, and it was shut down as the encryption was working on the files on the server. That time it made it through the letter "O".
We've had some clients attempt to work with infected computers for a couple of days, before they reported the problem to us. After all, they could create new documents, do their web surfing and web email without a problem. Eventually, they realize that they cannot open old documents.

What back up solutions do you suggest?

Were you able to restore the files without paying the ransom?
 
I ended up paying the ransom and getting my files decrypted. It sucked, but paying $650 is a hell of a lot cheaper than starting over. I had 17,000 files encrypted. :eek:

Thanks to all for your advice.

My advice is pay it.
Does it come with a warranty? It sounds to me like previous good customers would be a hot target for future contact.
 
We've never paid ransom, yet, but have felt bad when the cost to recover (plus down-time) easily exceeded the price of the ransom. Just don't want to feed the monster.
It's worth noting that it's not always possible to pay the ransom. Sometimes your antivirus solution or IT guys will cripple the virus to the point that it interferes with the ability to pay. Or the government or Internet provider may have taken the bad guy down.
So, we assume paying is not an option and plan on backups for recovery.

We personally like using at least 3 types of backup. But it depends greatly on the nature and amount of data. I personally don't like incremental or differential backups, since I like each backup to represent an opportunity to fully recover. Incremental and differential require a string of different backups be put back together to fully recover. It gets complicated, and if part of the string is corrupt, you might have problems. But if you have a LOT of data, a full backup each time is not possible (not enough time).

Like Rich, I consider cloud backup to be a last choice, but probably necessary. It turns out that time-to-recover may be the most important thing (once you know that you can recover). Because of Internet speeds and the amount of data, time-to-recover can be days with many cloud backup services. Others may have a provision for sending you a hard drive (usually $$$ premium services). Cloud based backups usually satisfy the need for an off-site backup (required by some business insurances and malpractice).

On smaller systems, we usually use an imaging product, like Acronis True Image or Macrium Reflect, to an internal or external hard drive. This way, we not only get a FULL copy of the data, but also Windows, settings, and all programs. Time-to-recover is usually less than an hour! Windows 7 or Server built-in backup will also do a pretty good job, and gives an opportunity to recover OS/Programs/Data, but it does do a kind of complicated incremental/differential thing. You can rotate drives if you want to get off-site backups or make sure at least one backup is not connected to the system. As mentioned above, so far, the ransomware programs have not attacked image backup files.

We also like to use programs that do a simple copy of data to external drives (USB or eSata) or workstations, using programs like 2nd Copy, or SyncBack. So, for instance, a workstation could backup all of the docs/sheets/pics/pdf/music from the server to workstation(s). The advantage is simplicity, since users can recover data with a simple copy/paste and don't need to go into some complicated "restore" program. But there could be security issues, and it won't work for some databases. Of course, if that particular workstation gets infected, you're screwed, unless the backup is not left connected to the system.

For big systems, or companies with lots of data... the sky's the limit. It is assumed they'll have an IT staff and enough budget to do what is needed.
 
I once thought about building a dual-drive external enclosure or controller with USB, Firewire, eSata, and Ethernet interfaces and enough intelligence to independently mount and unmount each drive connected to it, alternately, at pre-set times every day.

Companion software on the machine(s) being backed up would then back up to those drives while they were mounted, also on a scheduled basis. Once the backup was complete, the drives on the controller would autonomously unmount again and become inaccessible to the system being backed up.

Once the backup completed, the external controller would email someone with an analysis and summary. It could also be set up to send an email if an expected backup didn't happen, or if its properties fell outside of expected parameters.

The idea would be to completely automate an imaging or cloning solution that would "disconnect" the drives between backups to lessen the chances of their being infected or encrypted along with the drive(s) being backed up. It would be the equivalent of unplugging the drives between backups, but with some additional intelligence.

It would have been a pretty easy thing to do, but I never got around to it. I suppose someone's done it by now, probably with Raspberry Pi. If I were still on that end of the business, I'm pretty sure I would have done it and monetized it already.

Rich

Sounds good. I would add to it with the option of multiple external drives that rotate through. So, Monday it mounts and backs up to drive 1, Tuesday drive 2, etc.
 
It would seem that it would be relatively easy* to program a multi-drive NAS (like a Synology) to create a schedule that would take drives offline/online. I've asked and, at least for now, there is no package that does this for Synology.

*relatively easy for someone who programs Synology "packages"
https://www.synology.com/en-us/dsm/app_packages
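
Several posts converge on the same retention question: keep backup sets of different ages (two months, one month, a week, daily), rotate physical drives so Monday goes to drive 1 and Tuesday to drive 2, and know how far back the history reaches when the infection sat unnoticed for three days before it encrypted anything. The following is an added example, not code from the thread, from Synology's package system or from any backup product: a Python implementation of the usual grandfather/father/son selection over dated snapshots, a helper that picks the newest snapshot taken before the infection day, and the weekday-based drive rotation. The tier sizes, the 2024 calendar and the dwell time in the demo are constructed assumptions.

```python
"""Retention planning for rotated, disconnected backup sets (added example, not from the thread)."""
from datetime import date, timedelta


def plan_retention(snapshot_days, daily=7, weekly=5, monthly=3):
    """Grandfather/father/son selection over a list of snapshot dates.

    Keeps the newest `daily` snapshots, the last snapshot of each of the newest
    `weekly` ISO weeks, and the last snapshot of each of the newest `monthly`
    months. A date that satisfies several tiers is kept once.
    """
    snaps = sorted(set(snapshot_days))
    keep = set(snaps[-daily:])
    last_in_week, last_in_month = {}, {}
    for d in snaps:                           # ascending, so the latest date in a bucket wins
        year, week, _ = d.isocalendar()
        last_in_week[(year, week)] = d
        last_in_month[(d.year, d.month)] = d
    keep.update(sorted(last_in_week.values())[-weekly:])
    keep.update(sorted(last_in_month.values())[-monthly:])
    return sorted(keep)


def newest_clean_copy(retained, infection_day):
    """Newest retained snapshot taken before the infection arrived, or None.

    If the malware sat for several days before encrypting, every snapshot from
    the infection day onward may carry it, so the restore point is the last one
    strictly before that day. None means the history does not reach back far enough.
    """
    clean = [d for d in retained if d < infection_day]
    return clean[-1] if clean else None


def drive_slot(day, n_drives):
    """Which rotating drive to attach on a given day: Monday -> 0, Tuesday -> 1, ...

    With two or more drives the one holding yesterday's copy stays disconnected
    today, which is the whole point of rotating physical media.
    """
    return day.weekday() % n_drives


def demo():
    """Constructed example: one snapshot per day from 1 Jan to 31 Mar 2024."""
    start = date(2024, 1, 1)
    days = [start + timedelta(days=i) for i in range(91)]
    kept = plan_retention(days)
    encrypted_on = date(2024, 3, 31)                         # the day files became unreadable
    infected_on = encrypted_on - timedelta(days=3)           # assumed dwell time before encryption
    return {
        "kept": [d.isoformat() for d in kept],
        "kept_count": len(kept),
        "pruned_count": len(days) - len(kept),
        "restore_from": newest_clean_copy(kept, infected_on).isoformat(),
        "drive_monday": drive_slot(date(2024, 3, 25), 5),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the default tiers the 91 daily snapshots shrink to 13 retained dates (the last seven days, the Sunday of each of the last five weeks, and the month-ends of January, February and March), and the restore point for an infection that arrived on 28 March is the 27 March snapshot. Shortening the daily tier below the dwell time you expect is what makes newest_clean_copy return None, so the tier sizes are the knob to revisit after reading the reports of multi-day dwell in this thread.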
 