Adam Frost: notes from his presentation, October 4, 2016

 

Cryptolocker:

 

A customer called last week...

the story:

can't get into password file, .crypted extension

note the importance of after-hours emergency service

The banner on Sean's machine

Creepy explanation of the situation: the criminal almost acting like a computer consultant! Adds to the sense of violation.

specification of bitcoins, deadline

Note that we had CryptoPrevent in default mode and were using MS Security Essentials.

The customer had gone to the web and downloaded a program that might have given the encryption key. I did not pursue this route, although if I had thought of it, it might have been a good idea.

restoring the data:

The virus had attacked the server data drive, which Sean had mapped on his machine.

I used Agent Ransack to find all .crypted files.

16G out of the 90G was encrypted.

I had Sean shut down the other machines, and disconnect his network cable. I unshared the network drive and the user folders. This isolates the situation.

So now we had the task of restoring those files. We had an Acronis backup from the morning. It was not accessible from Sean's machine. Even if it had been, it is 115G, not an easy rat to swallow.

 

Now we had a problem: Sean feels strongly about being here till I get things fixed, but even at Acronis' high speeds, it will be an hour to restore the whole data folder. So we just want the files that are crypted. How do we do this?

 

After some thinking and looking around, I chose Robocopy, and used it with flags that would only copy over files that are NOT in the target dir. Since the infected files now have different names, this means only the files that were infected will have their unencrypted counterparts copied over.

 

Acronis will let me look at files and let me select which to copy, but it does not let me run command line operations.

 

Used the Acronis mount feature. It failed, but succeeded when I included the recovery drive and chose a different letter for the mounted drive.

Now I used Robocopy, which courteously noted that the crypted files were Extra.

Restored the shares, and things were working, and I could let Sean go. 
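The restore steps above, written out as one script. This is an added example, not Adam's command line: it assumes the share is D:\Data, the mounted Acronis image appears as M:\Data, and the encrypted copies are moved to a quarantine folder rather than deleted (all three paths are placeholders, not from the notes). The Robocopy switches do what the notes describe: /E recurses, and /XC /XN /XO exclude files present in both places whether Changed, Newer or Older, so only files that are missing from the share (Robocopy calls them Lonely) are copied; the .crypted files exist only in the share, are reported as Extra, and are left alone. One caveat worth knowing: the ransomware replaced the extension (password.kdbx became password.crypted), so the original name cannot be rebuilt from the encrypted name, which is exactly why "copy whatever is missing" is the right selection rule rather than a name-by-name restore.

```powershell
# Added example, not the author's procedure. Paths are placeholders.
$Share      = 'D:\Data'              # the server data drive that was hit
$Backup     = 'M:\Data'              # the mounted Acronis image from that morning
$Quarantine = 'D:\crypted-quarantine'  # keep the encrypted copies as evidence

# 1. Inventory the renamed files. The Where-Object guards against the
#    FileSystem provider's loose 8.3-style matching of -Filter.
$crypted = Get-ChildItem -Path $Share -Recurse -File -Filter '*.crypted' |
    Where-Object { $_.Extension -eq '.crypted' }
"{0} encrypted files, {1:N1} GB" -f @($crypted).Count,
    ((($crypted | Measure-Object Length -Sum).Sum) / 1GB)

# 2. Move (do not delete) the encrypted copies out of the tree, keeping
#    the relative path, so the originals' slots are empty again.
foreach ($f in $crypted) {
    $rel  = $f.FullName.Substring($Share.Length).TrimStart('\')
    $dest = Join-Path $Quarantine $rel
    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
    Move-Item -LiteralPath $f.FullName -Destination $dest
}

# 3. Dry run first: /L only lists what would be copied. /XC /XN /XO skip
#    every file that already exists in the share, so untouched files are
#    never overwritten; only the missing ones are selected.
robocopy $Backup $Share /E /XC /XN /XO /L /NP /NDL /LOG:C:\restore-plan.log

# 4. Real pass. Robocopy exit codes 0-7 are success bits; 8 and up mean
#    some files failed to copy.
robocopy $Backup $Share /E /XC /XN /XO /R:1 /W:1 /NP /LOG:C:\restore.log
if ($LASTEXITCODE -ge 8) { Write-Warning 'Robocopy reported failures, see C:\restore.log' }

# 5. Check: every quarantined file should now have an unencrypted sibling
#    with the same base name (extension unknown, since it was replaced).
$stillMissing = foreach ($f in $crypted) {
    $sibling = Get-ChildItem -LiteralPath $f.DirectoryName -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -eq $f.BaseName -and $_.Extension -ne '.crypted' }
    if (-not $sibling) { $f.FullName }
}
"{0} files still missing (changed since the morning backup?)" -f @($stillMissing).Count
```

Read the /L log before the real pass, and do not reach for /MIR: it would purge the Extra files from the share, which is not what you want while they are still the only evidence of what was touched. Run this only after the infected machine is off the network and the share is unshared, as in the notes; otherwise the freshly restored files are simply encrypted again.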

I also had run out of time on my end.

Meanwhile, we ran Malwarebytes on Sean's machine, and it found the nasty. Ran it on the other machines, found nothing.

 

Sean let me know the next day that his desktop icons were blank. They were crypted, as was his Documents dir, which he shouldn't have been using. We restored these from our monthly backup (sad for him); he needs to keep stuff in his data dir.

 

What are bitcoins? Why doesn't the government stop this? Why do reputable bitcoin companies allow these payments?

Roles of Acronis and Carbonite

Why they complement each other

End of James Bond movie

The worry about the long-term cryptolocker

Thinking about sensors and other methods of detection

 

 

Some notes I wrote for people to look at as I was talking:

 

 

password.kdbx

 

password.crypted

 

Malwarebytes --- ninite.com

  conservative  

 

 

90G of data 

Agent Ransack from mythicsoft.com

 

 

 

acronis backup  --   

   imaging program--- 

    mounting -- 

 

 

 

Hard disk: some encrypted             Backup: lovely files

 

 

copy if date different...

all files that haven't changed

files 

all files marked crypted

 

Delete the crypted files

use a tool that only copies over files that are not there  

 

------

 

How do we know if the virus is active?

-------------------

Prevention:

  Comodo firewall -- DNS monitors for infected sites

malwarebytes

Opendns

Web of Trust

Adblock Plus

Cryptoprevent from FoolishIT

Acronis backups

   onsite and offsite rotation

Carbonite backup

Shockwave Flash by invitation only

user education about funny looking emails 

 

 

 

 

make copies

make lots of copies

test the copies

keep them in different places

 

Acronis True Image: $50 per machine

full backup every night onto an external hard drive

 

swap drive once a week offsite  

once a month, make a backup onto a third drive and put in a closet for a whole month

 

when you do your swap, open a recent important file, like your mystical journal entry, in the backup. This means you know your backup password. This is also an acid test of the backup. 

 

WinZip flash drive backup: backup batch file with System Scheduler from Splinterware
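The "make copies, test the copies" rule from the list above, as an added example rather than Adam's WinZip batch file: a PowerShell script that zips a small data folder to a removable drive and then proves the archive by unpacking it to a scratch folder and comparing every file's hash with the live copy. D:\Data and E:\Backups are assumed placeholder paths. This is for the flash-drive-sized set, not the 90G data drive; that one goes through Acronis imaging, and Compress-Archive is not suited to archives that large.

```powershell
# Added example, not the author's batch file. Paths are placeholders.
$Source    = 'D:\Data'
$DriveRoot = 'E:\Backups'
$Stamp     = Get-Date -Format 'yyyy-MM-dd'
$Archive   = Join-Path $DriveRoot "data-$Stamp.zip"

# 1. Make the copy. -Force overwrites a same-day archive on a re-run.
New-Item -ItemType Directory -Path $DriveRoot -Force | Out-Null
Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $Archive `
    -CompressionLevel Optimal -Force

# 2. Test the copy: restore it somewhere harmless and compare hashes.
#    A backup that has never been restored is only an assumption.
$Scratch = Join-Path $env:TEMP "restore-test-$Stamp"
Remove-Item -LiteralPath $Scratch -Recurse -Force -ErrorAction SilentlyContinue
Expand-Archive -LiteralPath $Archive -DestinationPath $Scratch

$bad = foreach ($f in Get-ChildItem -LiteralPath $Source -Recurse -File) {
    $rel  = $f.FullName.Substring($Source.Length).TrimStart('\')
    $copy = Join-Path $Scratch $rel
    if (-not (Test-Path -LiteralPath $copy)) { $rel; continue }
    $live = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $rest = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
    if ($live -ne $rest) { $rel }
}
Remove-Item -LiteralPath $Scratch -Recurse -Force

# 3. Report. A non-zero count here is the thing you want to hear about
#    tonight, not on the day the ransomware note appears.
if (@($bad).Count) {
    Write-Error ("Backup {0} failed verification for {1} file(s): {2}" -f `
        $Archive, @($bad).Count, (@($bad) -join ', '))
} else {
    "Backup {0} verified: {1:N1} MB" -f $Archive, ((Get-Item -LiteralPath $Archive).Length / 1MB)
}
```

Schedule it with Task Scheduler (or the System Scheduler mentioned above) so it runs unattended, and keep the weekly and monthly drive swaps from the notes: a verified archive on a drive that sits next to the server is still on the same network the next ransomware will reach.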

 

online backup like carbonite

 

LogMeIn Central

 

Radmin

 

showmypc.com 

 

 anydesk.com