Have seen two people this week with this virus. It's nasty. Luckily somehow one of them didn't lose their pictures folder, just the documents... which they were more okay with. The other lost the whole group of user files (desktop, documents, pictures, etc.); she had a backup from November, so it wasn't as catastrophic.

Just as a matter of research, what version of Windows were those systems using? Does anyone know if the blocking of execution in AppData works as well as it did for Cryptolocker? Upon the dismantling of the CL operation, blogs forecasted a future that would never be free of ransomware like this, solely because it did make the mastermind millions of dollars, although he only got to enjoy it for what, a year or so? This version is now scary because there was a tool for decrypting 1.0's files. I have not seen it in the wild yet, but based on the longevity of their operations since version 1, it is only a matter of time before I am involved in a decryption process for somebody without backups.
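The "blocking of execution in AppData" mentioned above is a Software Restriction Policy (SRP) with Disallowed path rules. The script below is an added example, not code from anyone in this thread: it writes such rules to the local policy registry keys and lists them back for auditing. Assumptions: it is run as Administrator on a stand-alone Vista/7/8 machine (a domain would push the same settings by GPO instead), the four wildcard patterns and the rule descriptions are my choices, and the `ExecutableTypes` list is the standard SRP designated file types.

```powershell
# Added example (not from the thread): Software Restriction Policy path rules
# that disallow running executables out of the per-user AppData folders.
# Assumptions: local policy written straight to the registry (no domain GPO),
# run elevated, Windows Vista/7/8 where the Safer (SRP) engine is present.
# Test on a non-production machine first: a rule this broad also blocks
# legitimate per-user installers/updaters that run from %LocalAppData%.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels: 0 = Disallowed, 0x40000 = Unrestricted.
$Disallowed   = 0
$Unrestricted = 0x40000

# Patterns to block (assumed). Wildcards are SRP path-rule syntax; the
# "*\*.exe" form also catches one level of sub-folder, where droppers hide.
$BlockPatterns = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe'
)

function Enable-SaferPolicy {
    # Default level stays Unrestricted; only the path rules below deny.
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1            -Type DWord  # 1 = enforce on executables, not DLLs
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0            -Type DWord  # 0 = all users, local admins included
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
        'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
        'PIF','REG','SCR','SHS','URL','VB','WSC')
}

function Add-SaferPathRule {
    param([string]$Pattern, [string]$Description)
    # Each rule lives under <level>\Paths\{GUID}; the GUID is just a unique name.
    $Guid = '{' + [guid]::NewGuid().ToString() + '}'
    $Key  = Join-Path $Safer ("{0}\Paths\{1}" -f $Disallowed, $Guid)
    New-Item -Path $Key -Force | Out-Null
    Set-ItemProperty -Path $Key -Name ItemData     -Value $Pattern     -Type ExpandString
    Set-ItemProperty -Path $Key -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $Key -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $Key -Name LastModified -Value ([datetime]::Now.ToFileTime()) -Type QWord
    return $Key
}

function Get-SaferPathRules {
    # Lists every Disallowed path rule so the result can be audited.
    $Base = Join-Path $Safer ("{0}\Paths" -f $Disallowed)
    if (-not (Test-Path $Base)) { return @() }
    Get-ChildItem $Base | ForEach-Object {
        [pscustomobject]@{ Rule = $_.PSChildName; Path = (Get-ItemProperty $_.PSPath).ItemData }
    }
}

Enable-SaferPolicy
foreach ($p in $BlockPatterns) {
    Add-SaferPathRule -Pattern $p -Description "Deny execution from $p" | Out-Null
}
Get-SaferPathRules | Format-Table -AutoSize
```

The rules apply to processes started after the keys are written, so verify with a harmless test executable copied into %AppData% before relying on it, and keep the audit list from `Get-SaferPathRules` so the rules can be found and removed when they break something.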
The one who actually didn't lose EVERYTHING was on Vista SP1! After cleaning it up, I obviously loaded SP2 and every "important" Windows update so it would at least stay up to speed.
The other was Windows 7 Pro, fairly up to date, somehow missed a few months of updates. I've also seen it on Win 8 in the past. Not XP that comes to mind, as most have moved past that OS.

Interesting! In that case Vista SP1 was more secure than 7 LOL. With CL, I worked with half a dozen systems infected: three were XP, two were 7 and one on 8. Two of the users paid out, astonishingly, and I was involved in the payment process for one of them. Feels so dirty. For the high-risk offices with a lot of ID10T errors, we tend to redirect their folders to a file server that backs itself up every night now.
Locally, we had a case where it infected not only the user's computer, but also their folders on the server. Fortunately, it only wiped out that individual's files, and those files were backed up.
Apparently it got through via email and they opened an attachment that they shouldn't have. But, I would have thought that at the server end of things, well, the damage should have been limited to their own workstation.

That is the scarier part! Usually servers have (or should have) good backups, so I have never had to help pay out for server files. Apparently the way to limit the virus's access is by using UNC shortcuts rather than mapping shared folders of the server, but some third-party software explicitly requires networked drives. At worst the company loses a day's worth of work because of having to revert to the previous night's backup, but that could still be costly. All I can do is try to educate people, but the masterminds of this virus will make bank just like CL's.
