Overclock.net › Forums › Industry News › Software News › [AR] You’re Infected—If You Want To See Your Data Again, Pay Us $300 in Bitcoins
[AR] You’re Infected—If You Want To See Your Data Again, Pay Us $300 in Bitcoins - Page 5  

post #41 of 321
Gotta love people for thinking of this stuff; if it wasn't so evil it'd be genius. Good thing this won't bother me any: all my storage is networked and read-only. It can only be written to over SFTP/SSH.
Quote:
Originally Posted by Gallien View Post

LOL 54TB+ our entire local backup location is 42 TB. SO MUCH SPACE:p

You should check out his log

http://www.overclock.net/t/1282253/117tb-unraid-servers/0_30
post #42 of 321
Oh crap ... is that for real? I mean REALLY encrypting the data with a pretty much unbreakable key??

Last time I saw an FBI/Police ransom malware (co-worker's computer) locking the OS out, it was pretty easy to fix ... but this will not be, at all, without a full backup from before ...

I cannot believe those deposits are untraceable to the account owners ... so evil ...
post #43 of 321
Quote:
Originally Posted by frickfrock999 View Post

Here's a method for preventing it. You have to stop .exe files from running in your AppData folder.

Once you do that, the program can no longer launch.

http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx

This can also be set up in Group Policy.

File paths of the infection are:

C:\Users\User\AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe (Vista/7/8)
C:\Documents and Settings\User\Application Data\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe

So the path rule you want to setup is :

Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData.

You can see an alert and event log showing the executable being blocked:

[two screenshots: the block alert and the matching event log entry]

Does that mean this malware always puts its executable only under:
AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}

Pretty sure the next revision of the trojan will randomly place its malware in some other subfolder instead of AppData\Roaming ...
Edited by feniks - 10/18/13 at 9:40am
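Added example, not part of the quoted post: the same "%AppData%\*.exe = Disallowed" Software Restriction Policy rule from the post, written straight into the SRP registry keys instead of clicked through secpol.msc, followed by a self-test and a read-back of the block events. Assumptions: local administrator on Windows Vista/7/8, PowerShell 2.0 or later, and a second rule for one level of subfolders (%AppData%\*\*.exe), which the post does not give but which the thread's own worry about "some other subfolder" makes the obvious companion.

```powershell
# Added example (not from the thread). Creates the SRP path rules in the registry
# that secpol.msc would write, then probes that they take effect.
# Assumes: elevated prompt, Windows Vista/7/8. Rules apply to newly started
# processes only; nothing already running is terminated.

$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Turn the SRP engine on with the default level left at Unrestricted (0x40000),
# so only the explicit Disallowed path rules below block anything.
New-Item -Path $safer -Force | Out-Null
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1       -Type DWord  # 1 = all software files except DLLs
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0       -Type DWord  # 0 = all users, 1 = all except local admins

function Add-SrpDisallowedPath {
    param([string]$Path, [string]$Description)
    # Level key "0" = Disallowed; each rule lives in its own GUID-named subkey.
    $guid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $key  = Join-Path $safer "0\Paths\$guid"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Value $Path        -Type ExpandString  # %AppData% is expanded per user
    Set-ItemProperty -Path $key -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $key -Name LastModified -Value ([datetime]::UtcNow.ToFileTime()) -Type QWord
    $guid
}

# The rule from the post: files directly in Roaming.
Add-SrpDisallowedPath '%AppData%\*.exe'   "Don't allow executables from AppData."
# Assumed companion rule (not in the post): SRP's * does not cross a path
# separator, so one subfolder level needs its own rule.
Add-SrpDisallowedPath '%AppData%\*\*.exe' "Don't allow executables from AppData subfolders."

# Self-test: copy a harmless binary into %AppData% and try to start it.
# A blocked launch surfaces as "This program is blocked by group policy".
$probe = Join-Path $env:APPDATA 'srp-probe.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $probe -Force
try {
    $p = Start-Process -FilePath $probe -PassThru -ErrorAction Stop
    Stop-Process -Id $p.Id -Force
    Write-Warning 'Probe launched: the rule is NOT in effect yet (log off/on and retry).'
} catch {
    Write-Host "Probe blocked as expected: $($_.Exception.Message)"
} finally {
    Remove-Item $probe -Force -ErrorAction SilentlyContinue
}

# SRP records every path-rule block as event 866 in the Application log.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 866 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The event 866 query is the check worth keeping around after the rule is in place: the message names the blocked path and the rule GUID, which is also how you find out which legitimate program the rule just caught.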
post #44 of 321
The weakness for this ransomware would be an effective firewall so that it couldn't contact its servers. I'm sure I'll be working on this stuff soon.
post #45 of 321
time to code bit miners to brute it....
post #46 of 321
Quote:
Originally Posted by 47 Knucklehead View Post

I *HATE* people who do things like this, as well as people who write and release viruses. Personally, I think that if they are caught, they should be executed after conviction as enemies of the human race.

There are white and black hat coders that write shellcode, viruses, Trojans, and rootkits. You can't 'hate' everyone that writes them. There is a perfectly good reason to write viruses, and that is to pen test. Without pen testers, everything would be like swiss cheese.

And execution?! Seriously?

Of course extortion isn't nice any way you slice it, regardless of the opening, but this witch burning mentality is what fuels the stigma associated with it. It only bolsters the blackhat's resolve to see such blatant overreaction to a simple infection of a PC, which could be as harmless as a prank, etc.

However, my position on fraud, extortion, and destruction of software (the OS) is of course negative, but I think that your response is a prime example of over reaction to this matter.
    
CPUMotherboardGraphicsGraphics
i7 3770k @ 4.7ghz 1.36v Asus P8P67 WS Revolution EVGA GTX 780 Ti Classified @ 1285mhz 1.212v EVGA GTX 780 Ti Classified @ 1285mhz 1.212v 
GraphicsGraphicsRAMHard Drive
EVGA GTX 780 Ti Classified @ 1285mhz 1.212v EVGA GTX 780 Ti Classified @ 1285mhz 1.212v 32GB Gskill 2133mhz Intel 520 60GB SSD 
Hard DriveHard DriveHard DriveOptical Drive
Vertex 2 240GB SSD Hitachi 2TB 7200RPM HDD External USB 3.0 3TB HDD Samsung Blu Ray Burner 
CoolingOSMonitorKeyboard
RX360 CPU only loop (for now) Windows 8.1 Samsung U28D590D 28" 4K Resolution Steelseries 6G v2 
PowerCaseMouseMouse Pad
Enermax MaxRevo 1500W Corsair C60 Razer Deathadder Razer Goliathus 
Audio
Logitech 5.1 
  hide details  
    
CPUMotherboardGraphicsGraphics
i7 3770k @ 4.7ghz 1.36v Asus P8P67 WS Revolution EVGA GTX 780 Ti Classified @ 1285mhz 1.212v EVGA GTX 780 Ti Classified @ 1285mhz 1.212v 
GraphicsGraphicsRAMHard Drive
EVGA GTX 780 Ti Classified @ 1285mhz 1.212v EVGA GTX 780 Ti Classified @ 1285mhz 1.212v 32GB Gskill 2133mhz Intel 520 60GB SSD 
Hard DriveHard DriveHard DriveOptical Drive
Vertex 2 240GB SSD Hitachi 2TB 7200RPM HDD External USB 3.0 3TB HDD Samsung Blu Ray Burner 
CoolingOSMonitorKeyboard
RX360 CPU only loop (for now) Windows 8.1 Samsung U28D590D 28" 4K Resolution Steelseries 6G v2 
PowerCaseMouseMouse Pad
Enermax MaxRevo 1500W Corsair C60 Razer Deathadder Razer Goliathus 
Audio
Logitech 5.1 
  hide details  
post #47 of 321
CryptoLocker Malware has been going on for weeks now. News stories are just posting about it?
post #48 of 321
Quote:
Originally Posted by zooterboy View Post

The weakness for this ransomware would be an effective firewall so that it couldn't contact its servers. I'm sure I'll be working on this stuff soon.

If you are able to, please post about what you do on that.
I've been working on a firewall in my down time as a hobby project, but incorporating a defense for this is going to strain my already maxed abilities beyond what I'm capable of.
post #49 of 321
Quote:
Originally Posted by feniks View Post

that sounds good enough, the question is how many of safe programs will be locked out from starting once that policy is in place ... most of them store only settings in appdata ... but I wonder how many vendors put executables in there too ...

also, pretty sure the next revision of trojan will randomly place their malware in some other subfolder instead of appdata/roaming ...

Most well-coded viruses are polymorphic or metamorphic, completely thwarting any form of detection or heuristics, as well as injecting the malware into critical DLLs or system functions. These are the ones that are rarely found, although once you start extorting someone, they know it's there and will not stop until it's found, but if it's coded well enough, it will not be possible to recover your data.

Quote:
Originally Posted by zooterboy View Post

The weakness for this ransomware would be an effective firewall so that it couldn't contact its servers. I'm sure I'll be working on this stuff soon.

Contacting its servers means nothing. Once you're infected, you haven't done your job and you're too far gone, IF it's coded well enough...

Most recent adaptations use peer-to-peer hosting, effectively making the other infected PCs on your network its servers. Regardless, who cares if you do manage to break its contact with its server network? It's still on your system, and unless you comply with the demands, you have a slim chance of recovering your data. If coded correctly, something like this can be a nightmare. All it needs to do is encrypt all of your files with a decent modern algorithm, and it doesn't matter if you break its server contact, your files are inaccessible.
    
CPUMotherboardGraphicsGraphics
i7 3770k @ 4.7ghz 1.36v Asus P8P67 WS Revolution EVGA GTX 780 Ti Classified @ 1285mhz 1.212v EVGA GTX 780 Ti Classified @ 1285mhz 1.212v 
GraphicsGraphicsRAMHard Drive
EVGA GTX 780 Ti Classified @ 1285mhz 1.212v EVGA GTX 780 Ti Classified @ 1285mhz 1.212v 32GB Gskill 2133mhz Intel 520 60GB SSD 
Hard DriveHard DriveHard DriveOptical Drive
Vertex 2 240GB SSD Hitachi 2TB 7200RPM HDD External USB 3.0 3TB HDD Samsung Blu Ray Burner 
CoolingOSMonitorKeyboard
RX360 CPU only loop (for now) Windows 8.1 Samsung U28D590D 28" 4K Resolution Steelseries 6G v2 
PowerCaseMouseMouse Pad
Enermax MaxRevo 1500W Corsair C60 Razer Deathadder Razer Goliathus 
Audio
Logitech 5.1 
  hide details  
    
CPUMotherboardGraphicsGraphics
i7 3770k @ 4.7ghz 1.36v Asus P8P67 WS Revolution EVGA GTX 780 Ti Classified @ 1285mhz 1.212v EVGA GTX 780 Ti Classified @ 1285mhz 1.212v 
GraphicsGraphicsRAMHard Drive
EVGA GTX 780 Ti Classified @ 1285mhz 1.212v EVGA GTX 780 Ti Classified @ 1285mhz 1.212v 32GB Gskill 2133mhz Intel 520 60GB SSD 
Hard DriveHard DriveHard DriveOptical Drive
Vertex 2 240GB SSD Hitachi 2TB 7200RPM HDD External USB 3.0 3TB HDD Samsung Blu Ray Burner 
CoolingOSMonitorKeyboard
RX360 CPU only loop (for now) Windows 8.1 Samsung U28D590D 28" 4K Resolution Steelseries 6G v2 
PowerCaseMouseMouse Pad
Enermax MaxRevo 1500W Corsair C60 Razer Deathadder Razer Goliathus 
Audio
Logitech 5.1 
  hide details  
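Added example, not part of either post above: feniks asks how many legitimate programs an %AppData%\*.exe block would lock out. Rather than guess, inventory what is already there before enabling the rule. This script lists every .exe under the current user's %AppData%, shows which of the two SRP rules (the post's %AppData%\*.exe, or the subfolder variant %AppData%\*\*.exe) would catch it, and whether it carries a valid Authenticode signature. Assumptions: PowerShell 3.0 or later for [pscustomobject], run as the user whose profile you want to check, and the documented SRP behaviour that * does not span a path separator.

```powershell
# Added example (not from the thread). Run as the user to be checked, before
# enabling the SRP rule, to see what it would block.
# Assumes PowerShell 3.0+ ([pscustomobject]) and that SRP's * wildcard matches
# within a single path component only.

$root = $env:APPDATA
if (-not (Test-Path $root)) { throw 'APPDATA is not set for this session.' }

Get-ChildItem -Path $root -Filter *.exe -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Path relative to Roaming; depth 0 = directly in Roaming.
        $rel   = $_.FullName.Substring($root.Length).TrimStart('\')
        $depth = $rel.Split('\').Count - 1

        # Signature status tells you whether a catch is likely a vendor binary
        # (Valid, with a subject you recognise) or something to look at closely.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        [pscustomobject]@{
            Rule    = switch ($depth) {
                          0       { '%AppData%\*.exe' }
                          1       { '%AppData%\*\*.exe' }
                          default { 'deeper: caught by neither rule' }
                      }
            Signer  = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "<$($sig.Status)>" }
            Created = $_.CreationTime
            Path    = $rel
        }
    } |
    Sort-Object Rule, Path |
    Format-Table -AutoSize -Wrap
```

Anything listed under the first rule is exactly what the post's policy will refuse to launch, so either move or whitelist those programs (an Unrestricted path rule for the specific file beats a broader carve-out) before you flip the switch. The "deeper" rows are the other half of feniks's point: a dropper that nests itself two folders down is outside both rules.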
post #50 of 321
Quote:
Originally Posted by PhilWrir View Post

If you are able to, please post about what you do on that.
Ive been working on a firewall in my down time as a hobby project but incorporating a defense for this is going to strain my already maxed abilities beyond what im capable of.

PREVENTING the infection in the first place should be your goal, not what you're going to do after.

Anyone in the security community knows that if you're worrying about security AFTER you're infected, it's too late. Because by the time you realize you're infected, your passwords/data have been harvested already and the damage has been done.
    
CPUMotherboardGraphicsGraphics
i7 3770k @ 4.7ghz 1.36v Asus P8P67 WS Revolution EVGA GTX 780 Ti Classified @ 1285mhz 1.212v EVGA GTX 780 Ti Classified @ 1285mhz 1.212v 
GraphicsGraphicsRAMHard Drive
EVGA GTX 780 Ti Classified @ 1285mhz 1.212v EVGA GTX 780 Ti Classified @ 1285mhz 1.212v 32GB Gskill 2133mhz Intel 520 60GB SSD 
Hard DriveHard DriveHard DriveOptical Drive
Vertex 2 240GB SSD Hitachi 2TB 7200RPM HDD External USB 3.0 3TB HDD Samsung Blu Ray Burner 
CoolingOSMonitorKeyboard
RX360 CPU only loop (for now) Windows 8.1 Samsung U28D590D 28" 4K Resolution Steelseries 6G v2 
PowerCaseMouseMouse Pad
Enermax MaxRevo 1500W Corsair C60 Razer Deathadder Razer Goliathus 
Audio
Logitech 5.1 
  hide details  
    
CPUMotherboardGraphicsGraphics
i7 3770k @ 4.7ghz 1.36v Asus P8P67 WS Revolution EVGA GTX 780 Ti Classified @ 1285mhz 1.212v EVGA GTX 780 Ti Classified @ 1285mhz 1.212v 
GraphicsGraphicsRAMHard Drive
EVGA GTX 780 Ti Classified @ 1285mhz 1.212v EVGA GTX 780 Ti Classified @ 1285mhz 1.212v 32GB Gskill 2133mhz Intel 520 60GB SSD 
Hard DriveHard DriveHard DriveOptical Drive
Vertex 2 240GB SSD Hitachi 2TB 7200RPM HDD External USB 3.0 3TB HDD Samsung Blu Ray Burner 
CoolingOSMonitorKeyboard
RX360 CPU only loop (for now) Windows 8.1 Samsung U28D590D 28" 4K Resolution Steelseries 6G v2 
PowerCaseMouseMouse Pad
Enermax MaxRevo 1500W Corsair C60 Razer Deathadder Razer Goliathus 
Audio
Logitech 5.1 
  hide details  
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Software News
This thread is locked  
Overclock.net › Forums › Industry News › Software News › [AR] You’re Infected—If You Want To See Your Data Again, Pay Us $300 in Bitcoins