Adam Frost's notes from his presentation, October 4, 2016




A customer called last week...

the story:

can't get into password file; .crypted extension

note the importance of after-hours emergency service

The banner on Sean's machine

creepy explanation of the situation, the criminal almost acting like a computer consultant!  Adds to the sense of violation

specification of bitcoins, deadline

note that we had CryptoPrevent in default mode, and were using MS Security Essentials

the customer had gone to the web and downloaded a program that might have given the encryption key-- I did not pursue this route, although if I had thought of it, it might have been a good idea.

restoring the data:

the virus had attacked the server data drive, to which Sean had been mapped.

I used Agent Ransack to find all .crypted files.

It was 16G out of 90G that was encrypted.

I had Sean shut down the other machines, and disconnect his network cable. I unshared the network drive and the user folders. This isolates the situation.

So now we had the task of restoring those files. We had an Acronis backup from the morning. It was not accessible from Sean's machine. Even if it had been, it is 115G, not an easy rat to swallow.


Now we had a problem: Sean felt strongly about being there till I got things fixed, but even at Acronis' high speeds, it would be an hour to restore the whole data folder. So we just wanted the files that were crypted. How do we do this?


After some thinking and looking around, I chose Robocopy, and used it with flags that would only copy over files that are NOT in the target dir. Since the infected files now have different names, this means only those files that were infected will have their unencrypted counterparts copied over.


Acronis will let me look at files and let me select which to copy, but it does not let me run command line operations.


Used the Acronis mount feature.  It failed at first, but succeeded when I included the recovery drive and chose a different letter for the mounted drive.

Now I used Robocopy, which courteously noted that the crypted files were EXTRA.

Restored the shares, and things were working, and I could let Sean go. 

I also had run out of time on my end.

Meanwhile, we ran Malwarebytes on Sean's machine, and it found the nasty. Ran it on the other machines, found nothing.


Sean let me know the next day that his desktop icons were blank. They were crypted, as was his Documents dir, which he shouldn't have been using. We restored these from our monthly backup (sad for him); he needs to keep his stuff in his data dir.


What are bitcoins?  Why doesn't the government stop this?  Why do reputable bitcoin companies allow these payments?

Roles of Acronis and Carbonite

Why they complement each other

End of James Bond movie

The worry about the long-term CryptoLocker

Thinking about sensors and other methods of detection



Some notes I wrote for people to look at as I was talking:







Malwarebytes ---




90G of data 

Agent Ransack  from




Acronis backup  --

   imaging program--- 

    mounting -- 




Hard disk                        Backup

some encrypted files             lovely files



copy if date different...

all files that haven't changed


all files marked crypted


Delete the crypted files

use a tool that only copies over files that are not there  
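The restore described above (find the .crypted files, mount the backup, let Robocopy copy only what is missing from the live tree, then delete the encrypted copies), written out as an added example. These are not Adam Frost's own commands; the notes say only that Robocopy was used with flags that copy files not present in the target. It assumes the Acronis image is mounted as M: with the data folder at M:\Data, that the live share is D:\Data, that logs go to C:\RestoreLogs, and that the share has already been unshared and the other machines shut down, as in the story.

```powershell
# Added example, not from the original notes: restore only the files the
# ransomware renamed to *.crypted, using the mounted backup image as source.
# Assumed paths (not from the notes): backup mounted at M:\Data, live data
# at D:\Data, logs in C:\RestoreLogs.
$Backup = 'M:\Data'
$Live   = 'D:\Data'
$LogDir = 'C:\RestoreLogs'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$DryLog = Join-Path $LogDir "dryrun-$Stamp.log"
$RunLog = Join-Path $LogDir "restore-$Stamp.log"

# 1. Inventory the damage (what Agent Ransack was used for in the notes).
$crypted = @(Get-ChildItem -Path $Live -Recurse -File -Filter '*.crypted')
$bytes   = ($crypted | Measure-Object -Property Length -Sum).Sum
'{0} encrypted files, {1:N1} GB' -f $crypted.Count, ($bytes / 1GB)

# 2. Dry run. /E copies subfolders; /XC /XN /XO skip any file that already
#    exists in the destination (whether Changed, Newer or Older), so only
#    files MISSING from the live tree are copied. /L lists without copying.
#    The *.crypted files show up in the output as EXTRA (destination only)
#    and are left alone.
robocopy $Backup $Live /E /XC /XN /XO /L /NP /R:1 /W:1 "/LOG:$DryLog" /TEE

# 3. Real run with the same selection flags. Robocopy exit codes below 8
#    mean no failures (1 = files copied, 2 = extras seen, 3 = both).
robocopy $Backup $Live /E /XC /XN /XO /NP /R:1 /W:1 "/LOG:$RunLog" /TEE
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit $LASTEXITCODE); see $RunLog"
}

# 4. Only once the originals are back: remove the encrypted copies.
#    Run with -WhatIf first, check the list, then run again without it.
$crypted | Remove-Item -WhatIf
```

Two caveats a practitioner should keep in mind. The selection only works because this family renamed the files; a family that encrypts in place and keeps the original name leaves a file "present" in the live tree, and /XC /XN /XO would skip it, so a timestamp-based selection (the "copy if date different" idea above) would be needed instead. And any file a user deliberately deleted after the morning backup is also "missing" from the live tree and will reappear.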




How do we know if the virus is active--



  Comodo firewall -- DNS monitors for infected sites
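One concrete answer to "how do we know if the virus is active", as an added example and not something from the notes or a product they mention: a small scheduled script that watches the data share for two signals and, when it fires, performs the same containment step the story describes (pulling the share). It assumes the share is D:\Data, shared as "Data"; that a canary file no user should ever touch lives at D:\Data\_canary\do-not-open.docx; that state and logs go under C:\RansomSensor; and that it runs every few minutes from Task Scheduler on the server itself. Remove-SmbShare requires the SmbShare module (Windows 8 / Server 2012 or later); "net share Data /delete" is the older equivalent.

```powershell
# Added example, not from the original notes: a minimal ransomware "sensor"
# for a file share. All paths and the share name are assumptions.
$Share     = 'D:\Data'
$ShareName = 'Data'
$Canary    = 'D:\Data\_canary\do-not-open.docx'
$StateDir  = 'C:\RansomSensor'
$State     = Join-Path $StateDir 'canary.sha256'
$Log       = Join-Path $StateDir 'sensor.log'
New-Item -ItemType Directory -Path $StateDir -Force | Out-Null

# Signal 1: a clean share has no *.crypted files at all, so any hit counts.
# (.crypted is the extension seen in this incident; other families differ.)
$crypted = @(Get-ChildItem -Path $Share -Recurse -File -Filter '*.crypted' `
             -ErrorAction SilentlyContinue)

# Signal 2: the canary's SHA-256 no longer matches the one recorded at setup,
# or the file is gone (renamed or encrypted). The first run records the hash.
$current = if (Test-Path -LiteralPath $Canary) {
    (Get-FileHash -LiteralPath $Canary -Algorithm SHA256).Hash
} else { 'MISSING' }
if (-not (Test-Path -LiteralPath $State)) {
    Set-Content -LiteralPath $State -Value $current
}
$stored = (Get-Content -LiteralPath $State -Raw).Trim()

if ($crypted.Count -gt 0 -or $current -ne $stored) {
    # Containment first, as in the incident: unshare so the other mapped
    # machines stop writing, then record what was seen.
    Remove-SmbShare -Name $ShareName -Force -ErrorAction SilentlyContinue
    $canaryState = if ($current -eq $stored) { 'intact' } else { 'CHANGED/MISSING' }
    $msg = '{0}  ALERT: {1} *.crypted files under {2}; canary {3}' -f `
           (Get-Date -Format s), $crypted.Count, $Share, $canaryState
    Add-Content -LiteralPath $Log -Value $msg
    Write-Warning $msg
} else {
    Add-Content -LiteralPath $Log -Value ('{0}  ok' -f (Get-Date -Format s))
}
```

The canary check is the more general of the two signals: it does not depend on knowing the extension in advance, only on a file that should never legitimately change. Hooking the alert into e-mail or a monitoring tool is left to whatever the site already uses.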



Web of Trust

Adblock Plus

Cryptoprevent from FoolishIT

Acronis backups

   onsite and offsite rotation

Carbonite backup

Shockwave Flash by invitation only

user education about funny-looking emails





make copies

make lots of copies

test the copies

keep them in different places


Acronis True Image-- $50 per machine

full backup every night onto external hard drive ---


swap drive once a week offsite  

once a month, make a backup onto a third drive and put in a closet for a whole month


when you do your swap, open a recent important file, like your mystical journal entry, in the backup. This means you know your backup password. This is also an acid test of the backup. 
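The "open a recent important file in the backup" acid test, extended a little as an added example (not from the notes): instead of one journal entry, hash the twenty most recently modified live files and compare them with their copies in the mounted backup. It assumes the live data is D:\Data and the backup image is mounted as M:\Data, the same Acronis mount step used during the restore above.

```powershell
# Added example, not from the original notes: spot-check a backup by hashing
# the most recently changed live files against their copies in the backup.
# Assumed paths: live data at D:\Data, backup image mounted at M:\Data.
$Live   = 'D:\Data'
$Backup = 'M:\Data'
$Sample = 20   # how many of the newest files to probe

# The most recently changed files are the ones most likely to be missing
# from a stale backup, so they make the best probes.
$recent = Get-ChildItem -Path $Live -Recurse -File |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First $Sample

$results = foreach ($f in $recent) {
    $rel = $f.FullName.Substring($Live.Length).TrimStart('\')
    $b   = Join-Path $Backup $rel
    if (-not (Test-Path -LiteralPath $b)) {
        $status = 'MISSING IN BACKUP'
    } else {
        $liveHash   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $backupHash = (Get-FileHash -LiteralPath $b -Algorithm SHA256).Hash
        # A mismatch usually means the file changed after the backup ran;
        # a mismatch on a file that has NOT changed is the real warning sign.
        $status = if ($liveHash -eq $backupHash) { 'OK' } else { 'DIFFERS' }
    }
    [pscustomobject]@{ File = $rel; LastWrite = $f.LastWriteTime; Status = $status }
}

$results | Format-Table -AutoSize
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
'{0} of {1} probed files are not identical in the backup' -f $bad.Count, @($results).Count
```

Reading back from the mount also proves, as the notes say, that the backup password is known and the image actually opens, which is the part of the test that matters most on the day it is needed.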


WinZip flash drive backup: backup batch file with System Scheduler from Splinterware


online backup like Carbonite


LogMeIn Central