
Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

1 recommendation

U R infected ........, pay us $300 in Bitcoins

Ransomware comes of age with unbreakable crypto, anonymous payments....ouch !! >>http://arstechnica.com/security/2013/10/youre-infected-if-you-want-to-see-your-data-again-pay-us-300-in-bitcoins/

Kearnstd
Space Elf
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1

1 recommendation

Ouch, but not surprised they are willing to go this far.

Malware devs seem to have finally caught on that tech support was booting people into safe mode and running Spybot S&D along with a few other tools.

But this is also a message to never open email attachments without first letting them get scanned. Never run an EXE that is in an attachment. And if possible, use Firefox/Chrome with AdBlock. (I say if possible because in a corporate structure one may still be trapped by apps demanding IE6.)
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports



Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

1 recommendation

U R right, "SAFE_HEX" is the key


HarryH3
Premium
join:2005-02-21
kudos:3

1 recommendation

Awesome advice for us nerds, but the typical user is clueless.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

5 recommendations

reply to Parad0X787

The folks at Bleeping Computer have a full FAQ and removal guide:
»www.bleepingcomputer.com/virus-r···ormation

Also see from the folks at Malwarebytes:
»blog.malwarebytes.org/intelligen···to-know/



Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

good address, Randy ...... THX !!



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

1 recommendation

Glad to help as this is an especially nasty one.


OZO
Premium
join:2003-01-17
kudos:2
reply to Parad0X787

It's all about money, isn't it?

On the other hand, it's a good time to remind folks about the importance of backing up all data from their computers.
--
Keep it simple, it'll become complex by itself...



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11

1 recommendation

reply to Parad0X787

Clickable links are always appreciated.
»arstechnica.com/security/2013/10···itcoins/
--
"Graffiti Wall" Dustyn's Wall »[Serious] RIP



Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

..... will do,Dustyn.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to Parad0X787

More Info:
»www.theregister.co.uk/2013/10/18···nsmware/

»www.youtube.com/watch?feature=pl···kmmsMpMI



Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

THX again, Randy ....... BTW, none of my machines ever "INFECTED", thank GOD !!



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

Out of curiosity - which guide did you use, or what tools did you use to make that determination? You'd need to be locked via ransomware first, yes?



Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

1 recommendation

As U know, I am just simplicity Joe ...... {{{ SMILE }}} .... first, U R aware that layered defences are the best choice, in my opinion !!! I run first in a VM & behind that all AV + MBAM with some external USB apps, Hitman PRO & SAS PRO + a Hosts file that runs like a process guard + all Win security apps, enough to save me from all the trouble. BTW, that is one of my three running machines ...... enough said.


joepwpb
Premium
join:2000-12-15
West Palm Beach, FL

2 edits
reply to Parad0X787

It seems that between Malwarebytes Pro and adjustments to Group Policy, as defined in the Bleeping Computer post, I should be able to thwart this menace. My problem is that I have no experience with Gpedit. Would someone like to post, or IM me, a quick and easy how-to for entering those Path Rules in the Bleeping Computer post?

Thanks

Joe P

UPDATE: I may have the answer to my request in that I stumbled upon a program called CryptoPrevent. It makes the following statement:

CryptoPrevent is based on the excellent prevention information from Grinler found here: »www.bleepingcomputer.com/virus-r···ormation and will block the infection from executing.

It can be found here:

»www.foolishit.com/vb6-projects/c···prevent/

Has anyone seen this or tried this yet??



seaman
Premium
join:2000-12-08
Seattle, WA

joepwpb, thanks for posting this tool. I imaged my sys drive and installed it this morning.

Question to anyone: does running the MBAM Pro real-time component conflict with AV such as Avira, ESET or NAV?



TheJoker
Premium,VIP,MVM
join:2001-04-26
Charlottesville, VA
kudos:5

said by seaman:

Question to anyone: does running the MBAM Pro real-time component conflict with AV such as Avira, ESET or NAV?

No, it shouldn't conflict, as it's an antimalware program, not an antivirus program. Some security programs' install routines will detect it and not install unless MBAM is first removed, but simply reinstalling MBAM after the other security software is installed will fix the problem.
--
Proud ASAP member since 2005
Microsoft MVP/Consumer Security 2009-2010


seaman
Premium
join:2000-12-08
Seattle, WA

Thanks for the info TheJoker!



angussf
Premium
join:2002-01-11
Tucson, AZ
kudos:4

1 recommendation

reply to joepwpb

said by joepwpb:

Has anyone seen this or tried this yet??

Yes, I implemented Software Policy Restrictions on my home box, which has Windows 7 Pro and therefore allows secpol.msc to be run. Click Start, Run, type "secpol.msc" and press [Enter] to start this process. Add new path restrictions under "Software Restriction Policies" -> "Additional Rules" by right-clicking "Additional Rules" and choosing "New Path Rule".

I blocked %AppData%\*.exe, %AppData%\*\*.exe, and four %Temp%\XXX\*.exe where XXX was *.zip, 7z*, Rar*, and wz*. When I rebooted, this immediately broke Cubby, Dropbox, and LogMeIn's Firefox module, so I had to explicitly allow those .exes.

For most home users this won't work - home versions of Vista and Windows 7 don't support SRPs.
--
Angus S-F
GeoApps, Tucson, Arizona, USA
»geoapps.com/
»www.linkedin.com/in/angussf
»geoapps.blogspot.com/
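The same path rules angussf entered through secpol.msc, written directly as the SAFER registry entries that the GUI creates (added example; not the thread's, CryptoPrevent's or Microsoft's own code). It assumes an elevated PowerShell prompt, and the Dropbox path used for the allow exception is an assumed example, since the post does not give the exact paths it had to whitelist.

```powershell
# Added example: create SRP "Disallowed" path rules by writing the SAFER registry
# entries directly. This is the same plumbing secpol.msc drives, and it is present
# on SKUs that lack the GUI. Run elevated; rules take effect after gpupdate /force or a reboot.

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 0x40000  # SRP security level "Unrestricted"

function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each rule lives in a GUID-named subkey under <level>\Paths, exactly as the GUI stores it.
    $Key = '{0}\{1}\Paths\{2}' -f $SaferRoot, $Level, [guid]::NewGuid().ToString('B')
    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $Key -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $Key -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $Key -Name LastModified -PropertyType QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
}

# Make sure SRP itself is enabled: default level Unrestricted, so only the rules below block anything.
New-Item -Path $SaferRoot -Force | Out-Null
Set-ItemProperty -Path $SaferRoot -Name DefaultLevel       -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $SaferRoot -Name TransparentEnabled -Value 1             -Type DWord  # enforce for all executables
Set-ItemProperty -Path $SaferRoot -Name PolicyScope        -Value 0             -Type DWord  # all users, admins included

# The block list from the post: executables launched from %AppData% or from the
# temp folders that archive tools unpack attachments into.
$BlockedPaths = @(
    '%AppData%\*.exe', '%AppData%\*\*.exe',
    '%Temp%\*.zip\*.exe', '%Temp%\7z*\*.exe', '%Temp%\Rar*\*.exe', '%Temp%\wz*\*.exe'
)
foreach ($p in $BlockedPaths) {
    Add-SrpPathRule -Path $p -Level $Disallowed -Description 'Block exe in user-writable location'
}

# SRP gives the more specific path rule precedence, so an exact "Unrestricted" rule
# re-enables a legitimate program under %AppData% without weakening the wildcard block.
# The Dropbox path is an assumed example; substitute whatever your own tools break on.
$AllowedPaths = @('%AppData%\Dropbox\bin\Dropbox.exe')
foreach ($p in $AllowedPaths) {
    Add-SrpPathRule -Path $p -Level $Unrestricted -Description 'Allowed exception to AppData block'
}
```

Watch the Application event log after the reboot: each blocked launch is logged there, which is the quickest way to find the programs that still need an exception.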


Drunkula
Premium
join:2000-06-12
Denton, TX
reply to Parad0X787

Apparently a handful of people at work got hit by this. They said about 10 people (out of 1000's).


Quattrohead
Premium
join:2005-02-09

Just came across this on a customer computer; it was an old XP machine with no backup, and all the files are encrypted and dead.
Removing the malware is easy enough, decrypting the files is impossible without payment.
This is a BAD one.


psloss
Premium
join:2002-02-24
Lebanon, KS
reply to angussf

said by angussf:

For most home users this won't work - home versions of Vista and Windows 7 don't support SRPs.

Yes and no -- there's no GUI, but most of the plumbing is there on other SKUs. The aforementioned CryptoPrevent appears to be generating the SAFER entries in the Registry on Win7 Starter, and the system appears to be generating what looks like an SRP alert to me when I exercise one of them.

b_p_smith

join:2002-02-13
Merrickville, ON
reply to Parad0X787

Sent this info to my son, and he phoned me to let me know he got a popup like CryptoLocker just yesterday. But it looks like it was a fake because he seems clean. In his case, it was a popup from a web page, as opposed to an EXE he ran (because he's better trained than that).

Installed the prevention tools anyway. At home I run a full domain, so I just updated my domain policy, which'll push out to all the machines soon.
--
Xplornet WiMAX -} Buffalo WZR-HP-G300NH running DD-WRT -} about 13 machines running everything you can think of.



Parad0X787
"If U know neither the enemy nor yoursel
Premium
join:2013-09-17
Edmonton, AB

Good job ...... & siljaline's LINK to bleeping.com is prevention for home users


ashrc4
Premium
join:2009-02-06
australia
reply to HarryH3

said by HarryH3:

Awesome advice for us nerds, but the typical user is clueless.

quote:
It started when an end user in the client's accounting department received an e-mail purporting to come from Intuit.

The easiest advice for a small business that is not clued up is that e-mail and internet browsing should be done on a separate PC/tablet that is not networked to the rest of their operation.


sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1

...which really isn't practical for most. For example, in my position, email is pretty much critical.
--
Oh, Opera, what have you done?



ashrc4
Premium
join:2009-02-06
australia

said by ashrc4:

The easiest advice for a small business that is not clued up is that e-mail and internet browsing should be done on a separate PC/tablet that is not networked to the rest of their operation.

said by sivran:

...which really isn't practical for most. For example, in my position, email is pretty much critical.

The problem with infected E-mail depends on how it's handled/stored.

A zero day that isn't detectable by AV, if stored in the cloud, can be mitigated by viewing it online in a hardened browser, using various techniques such as HIPS or good sandboxing like Sandboxie.

If you store/download E-mails then the best/easiest way is to view these like I mentioned above, yet you can REPLY (only) to them using a computer within the network that carries the data necessary for a response.
It's probably the only solution for those not able to follow correct back-up procedures on a regular basis.

I see room for a new type of security related product that can handle E-mail for this type of scenario.