Help needed with major ransomware problem...

Discussion in 'Off Topic Discussion' started by Anthaemia., Sep 9, 2015.

  1. Anthaemia.

    Anthaemia. The Original VF3 Fangirl™

    Joined:
    Jun 4, 2004
    Messages:
    1,654
    Likes Received:
    220
    I'm hoping someone here can help me solve a massive problem I'm currently facing...

    My main work laptop was attacked recently with what appears to be a generic strain of the ransomware known by various names including CryptoLocker, CryptoWall, Alpha Crypt and TeslaCrypt that is yet to be identified in Bleeping Computer's ongoing crusade against this particular threat.

    Apart from encrypting all of my documents (and renaming their file extensions to .abc), it's placed the same message in every single folder, plus another that appears on boot-up. I've followed the links provided to find that my data is being held to ransom for the equivalent of $500 in Bitcoins.

    If I don't pay by a certain date, those responsible will double this figure, and if I still refuse to comply they'll delete the affected contents off my hard drive. Being the kind who isn't exactly your typical less knowledgeable computer user, I did a little digging and found a few optimistic clues.

    First of all, despite claiming to be RSA-2048 encryption, a quick comparison of a sample file with a backup copy in a hex editor reveals that only the header is modified. I'd already suspected this, since encrypting nearly 250GB of data would take a significant amount of time and not five minutes!

    I've read that it's possibly using AES, but I don't want to take up the offer of uploading a single file to be decrypted just yet. According to others who've done this and even paid the ransom, their documents can be saved with the receipt of a custom key, though I've got an idea up my sleeve.

    Could someone familiar with such methods of security perhaps take a look at an encrypted file and its decrypted version to determine what - if anything - can be done? I'd be more than willing to do this for trusted fellow members of this forum as opposed to "trusting" cyber extortionists.

    Yes, it's clear there is indeed some honour among thieves as there are countless stories of happy endings, with victims promised their systems will be placed on a list preventing them from being targeted again, but on the other hand, I've also seen reports of several people committing suicide.

    Over the last three years or so that ransomware has been a major issue online, it's been the focus of several investigations, and last year keys were obtained then released for nothing. Unfortunately, these are no longer available, and none of the current solutions seem to work, either.

    I'd not wanted to disclose this until the project I've been mentioning for quite some time was much closer to completion, but with Shenmue III finally becoming a reality, I was developing a book about Yu Suzuki and AM2, provisionally entitled Second To None, which is now sadly jeopardised.

    In addition to requesting a significant extension on my deadline from my publishers so I can recompile most of the research notes I've thankfully got about 75% of on backup discs, I'm also in the process of having to write an explanation to superiors in my day job for losing financial data.

    As someone who is partly in charge of liaising with local organisations, including the council, several charities and private benefactors, I'm required to produce spending reports on a regular basis. While losing pastime projects is bad enough, my greatest concern is for my livelihood.

    Thank you in advance for your time, and if you need any further information then please don't hesitate to contact me,

    Anthaemia.

    P.S. Even though I'm a British citizen, does anyone think it would be worth my time contacting the FBI, as their Operation Tovar was set up to investigate CryptoLocker? At least I've removed my hard drive rather than reformatting it in the hope a solution to this particular strain can be found one day.
     
  2. GodofHardcore

    GodofHardcore Paragon of the Forum *

    Joined:
    Mar 31, 2007
    Messages:
    11,821
    Likes Received:
    454
    Go ahead and contact the FBI then take your laptop to a tech.
     
  3. HEX1GON

    HEX1GON FREEZE! Scumbag

    Joined:
    May 4, 2011
    Messages:
    9,916
    Likes Received:
    837
    How did you even get infected with something like this to begin with? :\

    Most of the ransomware I've heard of ends up being fake and not actually encrypted. Even if you did end up paying the ransom your files won't get unlocked...

    For such sensitive data, you should always have an off-site backup.

    Hopefully this all gets sorted out for you, if I had the know how I would help though without a doubt.
     
  4. ASSEMblergames_Admin

    ASSEMblergames_Admin Administrator

    Joined:
    May 20, 2015
    Messages:
    357
    Likes Received:
    88
    Just pay the money.

    FBI won't care about anything less than $500,000 in damages; you had better know someone in politics like your local senator or congressman.

    Most likely you were gotten by an email sent from a compromised account.

    1. These guys will negotiate for the money. Tell them you are only a student. Offer $150.

    2. Don't use the same pc for mail and external communication as you do for work. Air gap it. Use a pc with no networking at all. Transfer files via a hdd or flash drive. Keep backups of your data!

    Honestly this is a lesson to keep backups.
     
  5. bacteria

    bacteria I am the Bacman

    Joined:
    Apr 8, 2008
    Messages:
    978
    Likes Received:
    61
    Moving forward, whether you pay the ransom or not, maintain an external USB drive backup, or two; and it's probably best to reformat and reinstall your OS and programs. It will be a pain doing it from scratch, however it will get rid of hidden trojans, etc. Then reconsider the anti-virus and anti-spam software you use, as it clearly isn't working well.
     
    hollowlife96 likes this.
  6. frayed

    frayed I'm Rick James B*tch

    Joined:
    Feb 12, 2015
    Messages:
    65
    Likes Received:
    9
    The key is usually stored on the hard drive; with a Google search you should have no problem finding it.
     
  7. Banjo

    Banjo Site Supporter 2014

    Joined:
    Oct 11, 2012
    Messages:
    606
    Likes Received:
    10
    Can't offer any help or advice, but I hope you get it sorted.
     
  9. Anthaemia.

    Anthaemia. The Original VF3 Fangirl™

    Joined:
    Jun 4, 2004
    Messages:
    1,654
    Likes Received:
    220
    Thanks so very much for the help, everyone.

    From what I can tell, this attack happened due to me opening what appeared to be a perfectly legitimate e-mail from a trusted source (based on the accounts of other victims). Unfortunately, due to the nature of my work, I'm not in a position to ask my superiors to help with paying the ransom, and I certainly can't afford this myself right now - my partner's just recently started a course at university, so naturally a lot of our disposable income is now going on tuition fees and study materials. Besides, I'd rather not give these people what hard-earned money I have left at the moment. As someone whose line of work includes helping vulnerable people in my community and liaising with various local organisations, it would be a little hypocritical if I was suddenly seen to be financially supporting cyber criminals.

    Anyway, upon researching the problem further, I'm satisfied that nothing will really happen once the initial deadline expires apart from the demand being raised from $500 to $1,000. Despite making such threats, those responsible certainly haven't got any track record from what I can tell of actually deleting files, and it seems once the error message appears their program has removed itself or at least become inactive. The best advice I've been given is to simply remove the affected hard drive and wait for a solution to appear, though it's painful to accept this could be months, if not years, from becoming a reality. Still, not all is lost, as my coordinator is fine with knowing my work computer was struck down, and thankfully my publishers have agreed to an extension until next year.

    Regarding the book* on AM2 I mentioned that I'm working on before, this was still very much in the research stage. While I had started writing a few parts, since everything's based on hard facts it's not as if a lot has really been compromised. If anything, I'm using the whole experience as an opportunity to review my archived notes, which comprise a large portion of what I've done so far, and start from scratch with the intention of creating a better end product. Being the kind of person who likes to find the silver lining in even the darkest of clouds, I see this as a blessing in disguise, as it's unlikely my first draft work is ever going to be approved for release. I should have learned this from the other projects I'm simultaneously working on, anyway.

    To conclude for now, I genuinely wouldn't wish ransomware of this nature on my worst enemy. The saddest part is that it seems to be becoming more of an issue, and as always the so-called experts are proving to be two steps behind when it comes to chasing those responsible down and making a solution widely available. Again, I'm grateful for all the suggestions. I'll keep you all informed on any progress...

    P.S. Having recently looked through my archive of old CDRs and DVD-Rs, I'm stunned to find that discs I burned over 15 years ago still read perfectly, confirming that my storage method works!

    *If all goes to plan, this should be hitting virtual shelves to coincide with the release of Shenmue III, which is a great final chapter in the career of Yu Suzuki to date.
     
  10. proarturs

    proarturs The force is with me

    Joined:
    Dec 23, 2013
    Messages:
    820
    Likes Received:
    49
    It's a shame that you were so unlucky. I haven't had any antivirus software for over 3 years and I've gotten a virus only once. It made my computer almost unusable because of adware and I had to reinstall.
    I think that Windows 8.1 and Windows 10 are both more or less safe, even without antivirus software.
     
  11. ASSEMblergames_Admin

    ASSEMblergames_Admin Administrator

    Joined:
    May 20, 2015
    Messages:
    357
    Likes Received:
    88
    This is why you use an attachment scanner, or virustotal.com
     
  12. ToxicMedz

    ToxicMedz Enthusiastic Member

    Joined:
    Jul 6, 2014
    Messages:
    509
    Likes Received:
    106
    I work in tech repair. I've seen this issue multiple times and have never been able to reverse the encryption. Aside from paying them I don't know of a way to undo what has been done. I've even heard of a police station that got their server encrypted in the same way; they even paid them to get it undone. I've considered any computer that has CryptoWall on it to be a complete loss: reformat and make sure anything important is backed up and kept offline in some way =/
     
  13. Anthaemia.

    Anthaemia. The Original VF3 Fangirl™

    Joined:
    Jun 4, 2004
    Messages:
    1,654
    Likes Received:
    220
    As I said before, I've decided to keep the hard drive of my affected computer just in case a solution is finally released one day. There was actually a site briefly made available last year designed to help users decrypt files attacked by CryptoLocker (made possible because of the original keys being obtained by the FBI during Operation Tovar), only it didn't last long, supposedly because of fears that by providing a free answer to the problem, they were ultimately helping cyber criminals to develop an even more aggressive version of the same basic idea, which has now since happened, much to my frustration.

    For now, I'm able to continue using the laptop meant for my partner's studies, switching to my phone when she needs this. However, I'm fortunate to have quite the "graveyard" of old systems that either don't work at the moment or have been retired to a spare room in our house because they're no longer able to keep up with the demands of my work... Alright, I'll admit it - I've still got an outdated desktop and a similarly obsolete laptop that are good for basic tasks like browsing or writing my various books, yet not that great for running games on! Is it so wrong that I want the best performance from my emulators?

    Sadly, not everyone who has been attacked by these "Crypto" variants has this luxury, and there's no denying that it's caused me a major inconvenience because I'd not done a backup of everything in a few months, which is actually quite unusual for me. Although another project I've spent the last three years working on is almost possible to fully restore without the need for decryption, it pains me to admit that my planned book on AM2 has been set right back, plus I fear that I've lost all my notes for something else that I'd spent quite a while researching, though I'm in the process of restarting this one from scratch.
     
  14. sp193

    sp193 Site Soldier

    Joined:
    Mar 28, 2012
    Messages:
    2,217
    Likes Received:
    1,052
    It's possible that it's RSA-2048. You can't tell what cryptographic algorithm was used just by looking at the encrypted data.
    It happened quickly because only a portion of your files is encrypted, as you have observed.

    The nature of cryptography is that it's made to be very difficult to decrypt encrypted data. I wouldn't hold my breath on this matter, if I were you.
    I'm not saying that you can't hope for a solution to your problem, but perhaps you should be prepared for the worst possible circumstances.

    Perhaps you could try to approach the companies that offered such a service before?
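    The first post's hex-editor observation (only the header of each file differs from its backup copy) and sp193's point that the ciphertext does not reveal which cipher produced it can both be checked mechanically with a file comparison. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It takes an original file and its modified copy as byte strings, lists the byte ranges that differ, and measures the Shannon entropy of the changed and unchanged regions. The "document" and its "encrypted" copy are constructed inline (a 4096-byte text file whose first 512 bytes are XORed with a seeded non-zero keystream, plus a 16-byte appended footer), so the figures it prints describe that construction only, not any real sample.

```python
"""Compare a file with its known-good backup to see how much was overwritten.

Added example (not from the thread). Given the original bytes and the
modified bytes, it lists the byte ranges that differ and measures the
Shannon entropy of the changed and unchanged regions. A small, high-entropy
changed region plus a large untouched remainder matches the "only the header
is modified" observation; the entropy figure says nothing about which cipher
produced those bytes.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def diff_ranges(original: bytes, modified: bytes) -> list:
    """Half-open [start, end) ranges where the two byte strings differ.

    A length difference is reported as one trailing range, so an appended
    footer or marker is caught as well as an overwritten header.
    """
    ranges = []
    common = min(len(original), len(modified))
    start = None
    for i in range(common):
        if original[i] != modified[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, common))
    if len(original) != len(modified):
        ranges.append((common, max(len(original), len(modified))))
    return ranges


def analyse(original: bytes, modified: bytes) -> dict:
    """Summarise how much of `modified` differs from `original` and how random the changes look."""
    ranges = diff_ranges(original, modified)
    changed = b"".join(modified[s:e] for s, e in ranges)
    # Everything in `modified` that lies outside a differing range.
    keep = bytearray()
    pos = 0
    for s, e in ranges:
        keep += modified[pos:s]
        pos = e
    keep += modified[pos:]
    total = max(len(original), len(modified))
    return {
        "ranges": ranges,
        "changed_bytes": len(changed),
        "total_bytes": total,
        "changed_fraction": len(changed) / total if total else 0.0,
        "entropy_changed": shannon_entropy(changed),
        "entropy_untouched": shannon_entropy(bytes(keep)),
    }


def build_sample(seed: int = 1234) -> tuple:
    """Constructed test data, not a real ransomware sample.

    A 4096-byte text 'document' and a copy whose first 512 bytes are XORed
    with a keystream drawn from 1..255 (so every header byte is guaranteed
    to differ) and which has a 16-byte footer appended.
    """
    original = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
    rng = random.Random(seed)
    keystream = bytes(rng.randrange(1, 256) for _ in range(512))
    header = bytes(a ^ k for a, k in zip(original[:512], keystream))
    footer = b"victim-id:000001"  # 16 bytes, stands in for a marker/ID block
    modified = header + original[512:] + footer
    return original, modified


if __name__ == "__main__":
    orig, enc = build_sample()
    for key, value in analyse(orig, enc).items():
        print(f"{key}: {value}")
```

    On the constructed input the report shows two ranges, the 512-byte header and the 16-byte footer, a changed fraction of about 13%, entropy near 7.6 bits/byte for the overwritten bytes and around 4.3 for the untouched text. Run over a whole directory of file/backup pairs (reading each with `open(path, "rb").read()`), the same numbers tell you how much data was actually overwritten per file and whether it looks like cipher output; they do not tell you whether it was AES, RSA or something else, and whatever falls outside the differing ranges is already intact in the encrypted copy.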
     
  15. MBMM

    MBMM Powered by Pied Piper

    Joined:
    Aug 19, 2013
    Messages:
    2,432
    Likes Received:
    401
    Sorry to hear about your situation, @Anthaemia.. I will be eagerly awaiting your book, it sounds rather interesting. You can count me in for a purchase.
     
  16. Skullmeat

    Skullmeat Member

    Joined:
    Sep 25, 2015
    Messages:
    14
    Likes Received:
    0
    As a member of an anti-malware group, I can tell you that CryptoLocker is some nasty stuff. Due to the way that ransomware works, it's unlikely it will ever be decrypted. (Keys are randomized.) Second, don't pay them squat. They won't do anything. It's a scam.
     
  17. Eviltaco64

    Eviltaco64 or your money back

    Joined:
    Jul 16, 2008
    Messages:
    1,027
    Likes Received:
    136
    Sorry to hear about your troubles, Anthaemia. This type of thing seems to be spiraling out of control faster than ever.

    I can think of at least 10 people I know who have been hit in the past 2-3 months alone.

    In most of these cases, it was larger businesses (can think of a publishing company and an entertainment arena off hand) being targeted with skillful attacks like high-end encryption. Of the two I mentioned, one had poor security and good backups, the other had terrible security, no backups, and ended up paying out a disgusting sum of money (>$5000) to fix the problem.

    The attacks on the home-front were more amateurish and tended to exploit gullibility more than anything else... The lightest instance I've seen recently involved an old-timer with a Vista-era desktop and the old Indian phone scam bit ("hello, this is Microsoft, your computer is in critical condition and we need to fix it now!!"). Sadly, he bought it, played into the scammer's hands, and gave him remote access. I took a look at his tower for him, honestly thinking it was going to be something nightmarish that I could not possibly restore. Here, the scammer just turned off every service he could in msconfig. 15 minutes later, the remote software was torn out by the roots (along with some bloatware from 2007) and the computer was back to normal. I told him to warn as many of his friends as he could ASAP because these bastards love to target the elderly and they do not deserve it.
     
  18. awesomeNES

    awesomeNES Peppy Member

    Joined:
    Jul 30, 2015
    Messages:
    335
    Likes Received:
    114
    My mother got the crypto lock ransom virus before.. I disconnected her computer from the Internet asap, which stopped the encryption process and saved a lot of her important files. I had to sit her down and explain to her that people are not your friends on the Internet. If there's a link that says "FREE IPADS!!!" don't click it... "YOUR SOFTWARE IS OUT OF DATE" etc.. DON'T CLICK IT!!!!

    I ended up saving her documents that weren't encrypted and did a fresh windows install on her computer. Thankfully hasn't happened again, because it sure is an awful situation to deal with.

    Those dirtbag Indians used to call the house every week saying they were from Microsoft, too. Telling them to fu** off didn't stop them from calling, but one day I decided to kill them with kindness. I told the guy "OH HEY!!! YOU GUYS FIXED MY COMPUTER LAST TIME!! IT'S RUNNING GREAT! BEST $300 I EVER SPENT IN MY WHOLE LIFE! I CAN'T THANK YOU ENOUGH! WHAT GREAT SERVICE YOU PROVIDE TO BE CALLING ME BACK AND CHECKING UP ON ME!" The guy sounded really confused and told me "YOU'RE WELCOME SIR" and I've never gotten a call back from them since. They must have put my number on the 'Already Scammed' list.
     
  19. Eviltaco64

    Eviltaco64 or your money back

    Joined:
    Jul 16, 2008
    Messages:
    1,027
    Likes Received:
    136
    There is some fun in messing with the scammers.

    When they tell you there is something wrong:

    1.) Panic and comply
    2.) Ask them what they enjoy most about working at Microsoft, make small talk while you are pretending to follow the instructions
    3.) Take note of the techniques and software they are using
    4.) Tell them that it's not working to see if they can actually give some tech support
    5.) Once bored with it all, say nice try, and hang up.
     
    BLUamnEsiac and Taijigamer2 like this.
  20. GodofHardcore

    GodofHardcore Paragon of the Forum *

    Joined:
    Mar 31, 2007
    Messages:
    11,821
    Likes Received:
    454
    Ransomware and viruses and malware are exactly why I use Adblock.
     