FORUMS General Gear Talk Computers
Thread started 27 Oct 2013 (Sunday) 11:55
Cryptolocker ransomware: Windows
Tony-S (Cream of the Crop, 9,903 posts, Likes: 204, joined Jan 2006, Fort Collins, Colorado, USA)
Oct 27, 2013 11:55 | #1

http://www.computerworld.com …nd_what_to_do_if_you_are_

This appears particularly nasty. Does anyone know where it originated? Seems like one of the more serious threats to Windows users since there appears to be no easy way of dealing with it.


"Raw" is not an acronym, abbreviation, nor a proper noun; thus, it should not be in capital letters.

Scatterbrained (Cream of the Crop, 8,472 posts, Gallery: 246 photos, Best ofs: 12, Likes: 4298, joined Jan 2010, Chula Vista, CA)
Oct 27, 2013 12:23 | #2

Wow. Thanks for the heads up.


VanillaImaging.com "Vacuous images for the Vapid consumer"
500px
flickr
1x
instagram

MaxxuM (Goldmember, 3,361 posts, Gallery: 3 photos, Likes: 22, joined May 2007, Rio Grande Valley)
Oct 27, 2013 20:34 | #3

Creative... Pay us, or the file gets it.


tim (Light Bringer, 51,009 posts, Likes: 369, joined Nov 2004, Wellington, New Zealand)
Oct 27, 2013 22:18 | #4

The only way to deal with it is from your backups, I've read.


Professional wedding photographer, solution architect and general technical guy with multiple Amazon Web Services certifications.
Read all my FAQs (wedding, printing, lighting, books, etc)

Cam Eye (Hatchling, 1 post, joined Nov 2013)
Nov 02, 2013 16:35 | #5

In case you are infected, here is a guide on how to remove it: http://privacy-pc.com …e-cryptolocker-virus.html

You will still need to deal with the infection; in case the shadow copies mentioned in the article do not work, you may try using some computer forensic tools: http://en.wikipedia.org …f_digital_forensics_tools


Simply Ravishing (Goldmember, 1,036 posts, Likes: 4, joined Jan 2009, Seattle, Washington)
Nov 19, 2013 17:02 | #6

Just got infected last night... most of my stuff is backed up, but some of my most recent stuff is not... which is horrifying to think about.



http://justinkraemerphotography.com
http://www.flickr.com/photos/justinkraemer

calypsob (Goldmember, 1,178 posts, Gallery: 3 photos, Likes: 90, joined Jan 2012, Lynchburg, Virginia)
Nov 19, 2013 17:21, as a reply to Simply Ravishing's post | #7

Wow, that is serious. One thing I do, which others may do similarly, is keep a desktop computer which does not use the internet. It is clean, runs XP, it's super fast and it stores my backup data. When I get a virus on my laptop, which, knock on wood, is rare these days, I do the usual routine: System Restore; if that fails then I pull out my HD and put it into the desktop tower. I run Windows Vista x64 on my laptop and I run XP x32 on my desktop. I use XP and I access all of my HD information from the desktop. Because Vista is not running I can usually fix any corrupted data or retrieve valuable files with my desktop computer. I have been meaning to "mirror" my HD so that restoration would be even easier; as soon as I set up my new wifi HD this will go into practice.

I must say that my most glorious victory against a virus was one particularly nasty fake FBI ransom job that tried to take a picture through my webcam. It took over admin privileges, erased my computer from the desktop and taskbar, erased System Restore altogether, and did some other weird stuff that I could not fix with my desktop by transferring the HD from my laptop. I simply hit Control-Alt-Delete rapidly until I could click "switch user" before the fake FBI warning screen reappeared on my screen, and I was able to switch users, change privileges, and defeat the virus by repairing System Restore and removing the virus from the root directory, all under a newly modified user name.

Also I would like to add one more thing. When I got this virus, and others in the past, I could tell something was going on with my computer: the internet slowed down, the hard drive started grunting like it was doing an install or writing a file. Several times when this occurred I would turn off the wifi switch on the front of my laptop. I am a firm believer that this will save you in a pinch.


Wes
-----------
flickr
Gear: Many gears Yes.
morph2_7 (Goldmember, 1,112 posts, joined Sep 2012, Los Angeles)
Nov 19, 2013 17:39 | #8

I'd be interested to know how you got hit. Was it a drive-by download or an email attachment or something else? Computers don't "get infected" without user interactions.


mike_d (Cream of the Crop, 5,490 posts, Gallery: 8 photos, Likes: 698, joined Aug 2009)
Nov 21, 2013 20:58 | #9

morph2_7 wrote in post #16464764:
I'd be interested to know how you got hit. Was it a drive-by download or an email attachment or something else? Computers don't "get infected" without user interactions.

From what I've heard, it's usually an email attachment. Something like, "You FedEx packages cannot be delivers. Print out attach form and take to Post Office."

attached: Form.pdf.exe


Tony-S, THREAD STARTER (Cream of the Crop, 9,903 posts, Likes: 204, joined Jan 2006, Fort Collins, Colorado, USA)
Nov 21, 2013 21:35 | #10

If they catch these people, they should lock them up for decades.

Colorblinded (Goldmember, 2,712 posts, Gallery: 18 photos, Best ofs: 3, Likes: 689, joined Jul 2007)
Nov 21, 2013 21:42 | #11

mike_d wrote in post #16470767:
From what I've heard, its usually an email attachment. Something like, "You FedEx packages cannot be delivers. Print out attach form and take to Post Office."

attached: Form.pdf.exe

Correct, it is normally in the form of a "fake" PDF that is actually an executable received through email as an attachment. In fact as far as I know that's the only widely confirmed means of getting this particular nasty.

Removing the virus is trivial for the most part but the data that's been encrypted by it is toast. Pando claims to have a tool that may decrypt data I believe, I'm not sure how unless it somehow intercepts/finds the encryption key used on your system, because otherwise it's impractical to ever decrypt your data using brute force methods.

Make sure your data is backed up, and unless it has versioning make sure that backup isn't going to do a live backup as changes are made because otherwise it will just overwrite your good backup with the newly encrypted data. If you have a service like Crashplan that has a lot of versioning support it can save your butt.

Best thing to do is just be smart about how you deal with attachments you receive, have a good backup system in place and keep your AV up to date if you have one. I don't know how well most AV programs are doing at blocking this one, but every little bit helps.


http://www.colorblindedphoto.com
http://www.thecolorblindphotographer.com

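The versioning point in the post above is easy to test for yourself. The following is an added example, not code from this thread or from any backup product: it constructs a temporary photo folder, backs it up once with a mirror-style sync and once with dated snapshots, then rewrites the photo in place to stand in for the file being encrypted, and backs up again. The mirror ends up holding only the damaged copy, while the snapshot directory still holds the original. Directory names, dates and file contents are all constructed for the demo.

```python
import os
import shutil
import tempfile


def snapshot(src: str, dest: str, label: str) -> str:
    """Versioned backup: copy src into dest/<label>; earlier labels are never touched."""
    target = os.path.join(dest, label)
    shutil.copytree(src, target)
    return target


def mirror(src: str, dest: str) -> None:
    """Live/mirror sync: dest becomes an exact copy of src, so every change overwrites history."""
    if os.path.isdir(dest):
        shutil.rmtree(dest)
    shutil.copytree(src, dest)


def versions_of(dest: str, relpath: str) -> dict:
    """Map snapshot label -> file bytes for every snapshot that still holds relpath."""
    found = {}
    for label in sorted(os.listdir(dest)):
        path = os.path.join(dest, label, relpath)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                found[label] = fh.read()
    return found


def run_backup_demo() -> tuple:
    """Constructed scenario: back up a photo, have its contents replaced, back up again.

    Returns (bytes now held by the mirror, {snapshot label: bytes} from the versioned store).
    """
    with tempfile.TemporaryDirectory() as tmp:
        photos = os.path.join(tmp, "photos")
        os.makedirs(photos)
        original = os.path.join(photos, "IMG_0001.CR2")
        with open(original, "wb") as fh:
            fh.write(b"RAW-BYTES")  # stands in for the real image data

        versioned = os.path.join(tmp, "versioned")
        mirrored = os.path.join(tmp, "mirror")
        os.makedirs(versioned)

        # Day 1: both backup styles hold the good file.
        snapshot(photos, versioned, "2013-11-18")
        mirror(photos, mirrored)

        # The damage: the file is rewritten in place (a stand-in, not real encryption).
        with open(original, "wb") as fh:
            fh.write(b"GARBLED")

        # Day 2: the live sync faithfully pushes the damaged file over the good one.
        snapshot(photos, versioned, "2013-11-19")
        mirror(photos, mirrored)

        with open(os.path.join(mirrored, "IMG_0001.CR2"), "rb") as fh:
            mirror_copy = fh.read()
        return mirror_copy, versions_of(versioned, "IMG_0001.CR2")


if __name__ == "__main__":
    mirror_copy, versions = run_backup_demo()
    print("mirror holds:", mirror_copy)
    for label, data in versions.items():
        print("snapshot", label, "holds:", data)
```

The snapshot store in the demo copies the whole tree each time; a real versioned backup (or a service with version history, as the post says) does the same thing more economically, but the recovery property is what matters: the pre-infection copy is still there to restore from.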
morph2_7 (Goldmember, 1,112 posts, joined Sep 2012, Los Angeles)
Nov 21, 2013 23:08 | #12

mike_d wrote in post #16470767:
</gr_replreplace>
<gr_replace lines="258" cat="reformat" orig="Colorblinded wrote in post #16470857">
Colorblinded wrote in post #16470857:
From what I've heard, its usually an email attachment. Something like, "You FedEx packages cannot be delivers. Print out attach form and take to Post Office."

attached: Form.pdf.exe

Colorblinded wrote in post #16470857 (external link)
Correct, it is normally in the form of a "fake" PDF that is actually an executable received through email as an attachment. In fact as far as I know that's the only widely confirmed means of getting this particular nasty.

Careful... I've seen a non-EXE(cutable) attachment delivering the payload. It's a DOC file. The antivirus software that protects my mail server is configured to remove all EXE attachments. One day my mail server AV software fails to detect an infected DOC file (DOC files are of course allowed). It's one of those fake shipping emails that ask users to open the DOC file attachment.

A user (at work) opens it. It's a good thing the desktop antivirus intercepts it. I believe the DOC file creates an EXE in the temp folder. That's when the desktop AV interception occurs. Long story short, I took the PC off the network. Format and reinstall the OS. Thankfully no damage is done.


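Posts #9, #11 and #12 between them describe the two delivery forms seen in this thread: a bare executable hidden behind a document-looking name such as Form.pdf.exe, and a DOC file that the extension-based filter let through because it only looked at the name. Here is an added example of an attachment check written from the defender's side (not code from this thread or from any mail or AV product) that looks at both the name and the leading bytes of the file, so a renamed executable is caught even when it carries a .pdf extension, and macro-capable documents are flagged for review rather than waved through. The magic-byte table, extension lists and verdict names are constructed for the example and deliberately short; a production gateway would use a full file-type library.

```python
import os

# Leading bytes of the container types that come up in the thread (constructed, not exhaustive).
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                                  # Windows PE executable
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",    # OLE2 compound file (legacy .doc/.xls)
    b"PK\x03\x04": "zip",                          # ZIP, which also covers .docx/.xlsx
}

# Extension sets (constructed for the example).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
MACRO_CAPABLE_EXTS = {"doc", "xls", "docm", "xlsm", "rtf"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}


def sniff_type(data: bytes) -> str:
    """Identify the real container type from its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def name_extensions(filename: str) -> list:
    """All dotted suffixes in order, lower-cased: 'Form.pdf.exe' -> ['pdf', 'exe']."""
    return [part.lower() for part in os.path.basename(filename).split(".")[1:]]


def assess_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reasons) for one attachment.

    Verdicts: 'block' (executable by name or by content), 'review' (macro-capable
    document that an extension filter would pass), 'allow' (nothing matched).
    """
    exts = name_extensions(filename)
    final = exts[-1] if exts else ""
    reasons = []

    # 1. Name-based check: the case from post #9 (Form.pdf.exe).
    if final in EXECUTABLE_EXTS:
        reasons.append("executable extension")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append("document extension used as disguise")

    # 2. Content-based check: a PE file renamed to look like a document.
    real = sniff_type(data)
    if real == "exe" and final not in EXECUTABLE_EXTS:
        reasons.append("PE executable disguised as ." + final)

    # 3. The gap from post #12: a DOC passes an EXE-only filter, so flag it for review.
    if final in MACRO_CAPABLE_EXTS or (real == "doc" and final not in EXECUTABLE_EXTS):
        reasons.append("macro-capable document")

    if any(r.startswith(("executable", "PE executable")) for r in reasons):
        return "block", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons


if __name__ == "__main__":
    # Constructed samples: only the first bytes matter for the demo.
    samples = [
        ("Form.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),
        ("shipping.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
        ("IMG_0001.jpg", b"\xff\xd8\xff\xe0"),
    ]
    for name, content in samples:
        verdict, why = assess_attachment(name, content)
        print(f"{name:16} {verdict:7} {'; '.join(why)}")
```

The third rule is the one the thread's firewall and mail AV lacked: an EXE-only deny list is silent on a document that creates the executable after it is opened, so the document itself has to be treated as a risk, either reviewed or opened only with macros disabled.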
Colorblinded (Goldmember, 2,712 posts, Gallery: 18 photos, Best ofs: 3, Likes: 689, joined Jul 2007)
Nov 21, 2013 23:11 | #13

Moral of the story either way is to be careful with your attachments. It's certainly not a new means of spreading infections.


morph2_7 (Goldmember, 1,112 posts, joined Sep 2012, Los Angeles)
Nov 21, 2013 23:23 | #14

I wish it was that easy. It doesn't matter how many times you tell people to be careful and not to believe everything in their mailbox. Some users are click happy. They click anything they see regardless of the warnings.

A user forwarded a similar fake shipping email to another user and asked her to check it. She helps the spammer spread the spam. Ain't that awesome? The mail contains a link to download an EXE. Both users click the link. My firewall is set to deny all EXE downloads, so it's good.


Colorblinded (Goldmember, 2,712 posts, Gallery: 18 photos, Best ofs: 3, Likes: 689, joined Jul 2007)
Nov 21, 2013 23:26 | #15

The user is usually the biggest security risk, be it through ignorance or neglect or whatever. People never like to be told "this wouldn't have happened if you had done x, y or z", though.
