Adam Frost notes from his
presentation October 4, 2016
Cryptolocker:
A customer called last week...
the story:
can't get into password file, .crypted extension
note the importance of after-hours emergency service
The banner on Sean's machine
creepy explanation of the situation—criminal almost acting like computer consultant! adds to the sense of violation
specification of bitcoins, deadline
note that we had cryptoprevent in default mode, using MS security essentials
the customer had gone to the web and downloaded a program that might have given the encryption key-- I did not pursue this route, although if I had thought of it, it might have been a good idea.
restoring the data:
the virus had attacked the server data drive, to which Sean had been mapped.
I used agent ransack to find all .crypted files.
It was 16G out of 90G that was encrypted.
I had Sean shut down the other machines, and disconnect his network cable. I unshared the network drive and the user folders. This isolates the situation.
So now we had the task of restoring those files. We had an Acronis backup from the morning. It was not accessible from Sean's machine. Even if it had been, it is 115G, not an easy rat to swallow.
Now we had problem-- Sean feels strongly about being here till I get things fixed, but even at Acronis' high speeds, it will be an hour to restore the whole data folder. So we just want the files that are crypted. How do we do this?
After some thinking and looking around, chose Robocopy, and used with flags that would only copy over files that are NOT in the target dir. Since the infected files now have different names, this means only those files that were infected will have their unencrypted counter parts coped over
Acronis will let me look at files and let me select which to copy, but it does not let me run command line operations.
Used Acronis mount feature. It failed, but succeeded when I included the recovery drive, and chose a different letter for the mounted rive.
Now I used Robocopy, which courteously noted that the crypted files were Extra
Restored the shares, and things were working, and I could let Sean go.
I also had run out of time on my end.
Meanwhile, we ran malwarebytes on Sean's, and it found the nasty. Ran on other machines, found nothing.
Sean let me know next day his desktop icons were blank. They were crypted, as was his documents dir, which he shouldn't have been using. We restored these from our monthly backup-- sad for him-- he needs to keep stuff in his data dir.
What are bitcoins? Why doesn't the government stop this? Why do reputable bitcoin companies allow this payments?
Roles of Acronis and Carbonite
Why they complement each other
End of James bond movie
The worry about the long-term cryptolocker
Thinking about sensors and other methods of detection
Some notes I wrote for people to look at as I was talking:
password.kdbx
password.crypted
malwarebytes --- ninite.com
conservative
90G of data
agent ransack from mythicsoft.com
acronis backup --
imaging program---
mounting --
Hard disk Backup
some encrypted
lovely files
copy if date different...
all files that haven't changed
files
all files marked crypted
Delete the crypted files
use a tool that only copies over files that are not there
------
How do we know if the virus is active--
-------------------
Prevention:
Comodo firewall -- DNS monitors for infected sites
malwarebytes
Opendns
Web of Trust
Adblock Plus
Cryptoprevent from FoolishIT
Acronis backups
onsite and offsite rotation
Carbonite backup
Shockwave flash by invitation only
user education about funny looking emails
make copies
make lots of copies
test the copies
keep them in different places
Acronis True Image-- $50 per machine
full backup every night onto external hard drive ---
swap drive once a week offsite
once a month, make a backup onto a third drive and put in a closet for a whole month
when you do your swap, open a recent important file, like your mystical journal entry, in the backup. This means you know your backup password. This is also an acid test of the backup.
winzip flash drive backup-- backup batch file with system scheduler from splinterware
online backup like carbonite
logmein central
radmin