1. AdmFubar says:

    friends don't let friends use winders…

    see http://www.bleepingcomputer.com/virus-removal/cryptodefense-ransomware-information

    unless he was infected before April 1, you are prolly outta luck using the decryption keys.
    you might be able to restore using a shadow copy. (big maybe here)

    but really after the Snowden revelations… why is anyone using closed source code? it simply isn't trustworthy enough.

    • Cap'n Kangaroo says:

      Did you know eliminating the “www” from the URL allows the blog software to turn it into a usable link?

      friends don’t make friends cut and paste

      • pedro says:

        Are you gonna keep on beating that dead horse? Friends don’t make friends do more than copy and paste to post a link in a blog. Get a better browser already.

    • Tim says:

      That looks like the place to start. Of note with the emsisoft tool: “Please run the decrypter on the infected machine under the same user that encrypted your files…”

      “”Unfortunately, Symantec decided to blog about this flaw, instead of keeping it quiet, which led the malware developer to update CryptoDefense so it no longer leaves behind the key.

      Well, this post makes me nervous. I’ve really got to find some backup solutions for procrastinators. — As I’m not likely to have any ‘volume shadow copies’, I think I’d cry awhile and then look for some other exploit.

      If the encryption occurred folder-wise, then perhaps one could find an exact copy of any one of those folders {old text, emails, something not likely to have changed} and have some routine hash away at it until the desired result is obtained??

      • Marc Perkel says:

        All the individual files are still there. Just encrypted.

        • Tim says:

          Don’t lose heart, then {medic!!}. What I really meant was some small folder or grouping of text files that you have backed up somewhere that you know exactly what it is and did not change. Are the names of the folders encrypted, also? I’m not familiar with the encryption functions.

          My line of thinking was that there is a *public* key and a *private* key — {I’m currently trying to decide which key gets ransomed.. it seems to me that a *public* key is probably stored in the registry somewhere; perhaps in one of the evil MRU slots or listings of recently opened documents. }

          It *seems* that if one had a copy of an encrypted folder to compare with a copy of the original AND one of the keys then it would be possible to figure out the other key??

          Of course, if two of the three variables really are missing then you’ll just have to back up and ask bobbo.

          • MikeN says:

            It might help, but in general having one key doesn’t help you get the other key. RSA is such that knowing how they did the encryption doesn’t help you decrypt.

        • Tim says:

          addendum:

          In the meantime, blocking these c&c sites may provide some initial protection — For me, this would be an edit of the HOSTS file to point them to 127.0.0.1

          **When first executed, CryptoDefense attempts to communicate with one of the following remote locations:

          machetesraka.com
          markizasamvel.com
          armianazerbaijan.com
          allseasonsnursery.com

          they note that it’s ^^ done before the encryption takes place… these are likely to be changed as well??
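A way to put those entries into the hosts file without duplicating lines that are already there, as an added example that is not code from the post or from any tool it mentions. The four domains are the ones quoted in the comment above; the existing hosts-file content and the `c2-blocklist` markers are constructed for the example. It defaults to 0.0.0.0 as the sink rather than the 127.0.0.1 the comment suggests, so a blocked connection fails at once instead of reaching whatever happens to listen on loopback.

```python
"""Merge a C&C domain blocklist into a hosts file (added example, not from the post)."""

# Domains listed in the post above as CryptoDefense C&C hosts at the time.
CC_DOMAINS = [
    "machetesraka.com",
    "markizasamvel.com",
    "armianazerbaijan.com",
    "allseasonsnursery.com",
]

# Constructed sample of an existing hosts file; not copied from any real machine.
SAMPLE_HOSTS = """# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         markizasamvel.com   # blocked by hand last week
"""

BEGIN_MARK = "# BEGIN c2-blocklist"
END_MARK = "# END c2-blocklist"


def mapped_hostnames(hosts_text):
    """Hostnames that already have an entry, comments stripped, case-folded."""
    names = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment, if any
        if not line:
            continue
        fields = line.split()
        names.update(n.lower() for n in fields[1:])  # fields[0] is the address
    return names


def merge_hosts_blocklist(hosts_text, domains, sink="0.0.0.0"):
    """Return (new_text, added) with a `sink <domain>` line for each missing domain.

    Idempotent: a second run adds nothing. 0.0.0.0 is the default sink rather
    than 127.0.0.1 so the connection fails at once instead of reaching whatever
    is listening on loopback.
    """
    present = mapped_hostnames(hosts_text)
    added = [d for d in domains if d.lower() not in present]
    if not added:
        return hosts_text, []
    block = [BEGIN_MARK] + [f"{sink:<15} {d}" for d in added] + [END_MARK]
    text = hosts_text if hosts_text.endswith("\n") else hosts_text + "\n"
    return text + "\n".join(block) + "\n", added


if __name__ == "__main__":
    # On Windows the file is %SystemRoot%\System32\drivers\etc\hosts and needs an
    # elevated shell to write; on Linux/macOS it is /etc/hosts.
    new_text, added = merge_hosts_blocklist(SAMPLE_HOSTS, CC_DOMAINS)
    print(new_text)
    print("added:", added)
```

Two caveats a practitioner would add: a hosts entry only helps when the malware resolves the name through the system resolver, so a sample that carries raw IPs or does its own DNS lookups ignores it, and, as the comment itself notes, the domains get rotated. Treat it as one extra layer, not as protection.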

  2. Shaun Pyle says:

    This is where you teach your friend to back his stuff up & stay off the bad sites. It’s nasty stuff and likely he’s SOL

  3. Marc Perkel says:

    It was infected on April 1st. At least that’s when the encryption happened according to the file dates.

  4. Alexei Tetenov says:

    Try using “Everything Search Engine”, sort all of the files by date, (should only take about 5 min), and then scroll through the files that were modified around the date of the attack and check to see if you find anything unusual.
    -Alexei

  5. bobbo, digital enthusiast and total self taught noobie says:

    Getting infected about every 6 months, I have always thought what I wanted was “an appliance” computer for surfing the web, downloading files, creating documents, transcoding video files. IE==a computer that doesn’t change its “operation” unless I specifically add a new program?

    So…. how can any computer tell when its “me” changing the computer, or a virus?

    I read about a month ago about a program that basically “sandboxes” your entire OS. Whatever you do each time you turn it on, when you turn it off, it reverts to the original condition. The downside to this ultra protection was that the notes said it was a hassle to go out of the sandbox mode when you actually did want to install/uninstall a program?

    PROS AND CONS TO ALL WE DO.

    Hmmm… I don’t install that many programs any more, but I do transcode everyday and quite often download via copy and paste articles/recipes of interest.

    Seems like there should be a “distinction” between changing the OS/Browser settings and creating a new document file?

    Yeah…. I think I’m leaning towards the sandbox/virtual machine type approach. The virii are getting too virulent. Back Ups and Save Points all have been “iffy” in my self taught experience…when you need them, they don’t work, for whatever reason.

    Small hassles all the time to avoid a Big Hassle on occasion?

    Yes….Pros and Cons.

  6. Gang of One says:

    The only way this crap can infect you is if you’re stupid enough to open email attachments. So if you got stung then…

    GOOD!!!

    How f**king many times do you have to hear it? DON’T OPEN EMAIL ATTACHMENTS FROM PEOPLE YOU DON’T KNOW! (As if anyone still uses email.)

    It’s another good reason to BACKUP too!

    …it’s like the geeks of the world are talking to a brick wall or something.

    • bobbo, digital enthusiast and total self taught noobie says:

      Sadly, that is not true. I rarely open “anything” but I think I’ve been infected from what look like “updates” to programs I have installed.

      It's always “hard to tell.”

      It does freak me out when presented an install options menu and I click “No” or “Close” or “X” and I always think: why not have the cancel command execute as INSTALL instead? I’m sure quite a few infestations do exactly that. Being a noobie, I don’t know.

      …………..I think it may be time to back up my OS, and install a saved copy to see if it works?

      • Gang of One says:

        It’s NOT hard to tell! But if you never READ or UNDERSTAND what you are doing then I suppose it is hard to know — anything!

        • Gang of One says:

          … And to UNDERSTAND does require a bit of an EFFORT too!

          It’s something that sadly, way too many people are just NOT willing to do when there’s a good TV program or fun movie to go watch. (After all, it’s the human equivalent of what grass is to cows.)

        • bobbo, digital enthusiast and total self taught noobie says:

          You are right. I overstated the case. Some phishing/attempted hijacks are easy to spot and avoid.

          ………leaving some others that are not.

          For instance: Super video transcoder puts out an update about once a year. If you don’t install it, in about 3 months your current version of Super stops working…so, you install the update. I choose custom install to select just the update and not the toolbars and discount offers that would be installed otherwise….but they get installed anyway. Scotty On Patrol prevents this from happening which only presents Scotty’s Notice every 5 minutes until you install the unwanted services. Then it usually takes 1-2 hours to figure out how to uninstall the unwanted adware and hijacks.

          That's what I meant by the process being hard to tell/do.

          You know?

    • Raintrees says:

      Most of the malware I have been cleaning recently is coming from the web (think Flash update web page pop-up that won’t go away and is not from Adobe). Few people in my service arena are clicking on attachments… I take care of about 40 businesses on the west coast of the US, so YMMV…

    • Marc Perkel says:

      This program also encrypts backup drives that are connected.

    • Gang of One says:

      Holy crap! I can’t believe the arrogant stupidity. Yes, this “virus” is a program that does some bad things. But if you got it then you have to be asking yourself, how? Answer: either you got it from an email attachment (since some things can be auto-launched that way and is why you’re always told to never open unknown attachments) or you INTENTIONALLY downloaded -and- installed it!!!

      So if you’re a moronic next-next-next / click-click-click type of installer who never reads the mind-numbing installation screens then you’re about as stupid as it gets and DESERVE whatever happens.

    • Marc Perkel says:

      She was tricked into installing a bogus flash update.

      • Captain Obvious says:

        Flash and Java should be outlawed.

        • raintrees says:

          Ho Ho! Why stop with just those? Outlaw C and C++! Assembly, too! And Fortran! Especially Lisp!

          Friends only let friends write in COBOL. :)

          Seriously, Flash seems to have attracted the same type of coder who might have been drawn to using Goto every time they ran into a problem…

          My Linux systems only need to be rebooted after I have run flash-based sites for too long, and a reboot of the browser no longer helps.

          • Captain Obvious says:

            We love the C++ and C. Hates the assembler we does. Completely unreadable.

            Flash and Java are the attack vector for more than 1/2 of the viruses on the net.

    • dusanmal says:

      Nope. Just some possible other alleyways that may surprise you:
      1) Ordinary, trusted website by ads served there. My last infection (despite top of the line antivirus, all updates and careful web behavior): ad served on DiscoveryChannel site… I didn’t click on it, scripting did it all.
      2) Worms if someone in your household or in your local network did click on attachments or got infected some other way. Again, no action on your side needed.
      3) Domino effect from “installation tools” now sadly prevalent on free software download sites (legitimate ones). They add “installer” to the good software, it installs toolbars and other crap, other crap installs pervasive virus-like spyware, virus-like spyware downloads and installs TheVirus… Yes, some stupid action by user is required in this scenario but process is well engineered to appear that you are doing what you wanted to do (and safely so).

      Backup? – yes, the only solution. But backup not permanently visible from that PC as the virus in question will encrypt it as well if it is there…

  7. Kyusoath says:

    ha ha.

    yeah lets blame windows, it was microsoft that made the tech illiterate retard get a virus.

    your shit is gone, reformat reinstall windows then install commonsense 2014 if you are able or kill yourself if not.

    actually just stop using computers all together, these viruses would not exist if it weren’t for people like you.

    • Gang of One says:

      You want to talk about tech retards you really need to talk about APPLE!

  8. Peppeddu says:

    Unfortunately the best solution, once he recovers his data, is … to get an iPad or Windows RT tablet.

    I don’t really see the reason why people should be computer literate when all they really want to do is excel, games, web, email and other related stuff.
    Some people have busy lives and the computer is just another appliance that they use while they are busy doing a million other unrelated things.
    Why should they even worry what a virus is in the first place?

    Apple understood and embraced this concept early on and the walled garden model has worked (and paid!) very well.

    • tdkyo says:

      Logging in via non-full-administrative privileges in Windows also works, although there are a lot of things you can’t do. It’s a trade-off.

  9. Al B Ready says:

    Gang of One, simmer down now, people are trying to help Marc and you are knocking them down, not everyone is as amazing as you and they might need some advice from time to time. So put the bag of Cheetos down and stop being so condescending.

  10. Marc Perkel says:

    There is no operating system that’s not vulnerable to being hacked. Ordinary people need to be able to securely use their computers

  11. Marc Perkel says:

    Just a thought. If all the files were encrypted then they were probably overwritten, deleted and replaced. Maybe an undelete utility will be able to recover the files. She used an SSD drive which tends to want to not overwrite the same spot.

    I’m looking into this.

    • Tim says:

      Officer thinking, sir!

      I do remember seeing about the ssd algorithms being so that unused portions are used before overwriting to minimize changes of state on any one cell — ‘Physical location’ does not matter like it does to keep an optimized hard drive.

    • Marc Perkel says:

      I tried restoring deleted files, But the deleted files were also encrypted. Don’t quite understand this but apparently the program managed to encrypt the files in place. I was hoping that it opened a new file, read the old one, wrote the new one, deleted the old, and renamed the new. That would have left the original files to be undeleted. But it didn’t work.
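Marc's result above (undelete brought back ciphertext, not the originals) is what you get when the malware overwrites a file's existing blocks instead of writing a new copy and deleting the old one. The toy model below is an added example, not code from the post or from CryptoDefense, and shows what a carving/undelete tool sees in each case: with copy-then-delete the plaintext still sits in the freed blocks; with in-place overwrite there is nothing left to find. The XOR "cipher", the 16-byte block size, the 8-block disk and the sample file are constructed stand-ins. One caveat on the SSD hope in this thread: the controller remaps logical blocks to physical cells behind the file system, so a file-system-level undelete tool only ever sees the logical view, and TRIM can discard freed blocks outright; a copy-then-delete on an SSD is therefore not guaranteed to leave anything reachable either.

```python
"""Toy block-device model: why undelete found only ciphertext (added example)."""
from dataclasses import dataclass, field

BLOCK = 16                  # bytes per block; tiny so the demo fits in 8 blocks
KEY = bytes([0x5A]) * BLOCK  # fixed XOR key: a stand-in, NOT real encryption
SAMPLE_FILE = b"Dear diary, nothing happened today."  # constructed plaintext


def toy_encrypt(data: bytes) -> bytes:
    """XOR with KEY; only here to make plaintext unrecognisable (self-inverse)."""
    return bytes(b ^ KEY[i % BLOCK] for i, b in enumerate(data))


@dataclass
class Disk:
    """Fixed-size blocks plus an allocation bitmap, like a minimal file system."""
    nblocks: int
    blocks: list = field(init=False)
    used: list = field(init=False)

    def __post_init__(self):
        self.blocks = [bytes(BLOCK)] * self.nblocks
        self.used = [False] * self.nblocks

    def allocate(self, n):
        free = [i for i, u in enumerate(self.used) if not u][:n]
        if len(free) < n:
            raise RuntimeError("disk full")
        for i in free:
            self.used[i] = True
        return free

    def write(self, ids, data):
        for k, bid in enumerate(ids):
            self.blocks[bid] = data[k * BLOCK:(k + 1) * BLOCK].ljust(BLOCK, b"\0")

    def read(self, ids):
        return b"".join(self.blocks[b] for b in ids)

    def create_file(self, data):
        ids = self.allocate(-(-len(data) // BLOCK))  # ceiling division
        self.write(ids, data)
        return ids

    def delete(self, ids):
        # Deleting only clears the bitmap; block contents linger until reused.
        # That lingering data is all an undelete tool has to work with.
        for bid in ids:
            self.used[bid] = False


def encrypt_in_place(disk, ids):
    """Read the file, write ciphertext back over the same blocks."""
    disk.write(ids, toy_encrypt(disk.read(ids)))
    return ids


def encrypt_copy_then_delete(disk, ids):
    """Write ciphertext to fresh blocks, then delete the original."""
    new_ids = disk.create_file(toy_encrypt(disk.read(ids)))
    disk.delete(ids)
    return new_ids


def carve_free_space(disk, marker):
    """What a carving/undelete tool does: scan unallocated blocks for known content."""
    return [i for i, u in enumerate(disk.used) if not u and marker in disk.blocks[i]]


def demo():
    """Run both strategies on a fresh disk; report what carving finds afterwards."""
    results = {}
    for name, strategy in (("in_place", encrypt_in_place),
                           ("copy_then_delete", encrypt_copy_then_delete)):
        disk = Disk(8)
        ids = disk.create_file(SAMPLE_FILE)
        live = strategy(disk, ids)
        results[name] = {
            "recoverable_free_blocks": carve_free_space(disk, b"diary"),
            "live_copy_is_ciphertext": b"diary" not in disk.read(live),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:18} plaintext in free blocks: {r['recoverable_free_blocks']}")
```

The same reasoning applies to MikeN's later question about "wipe in place": a malware author who overwrites the existing blocks gets the wipe for free, which is why a known-good copy of any file only exists if it was on a backup the malware could not reach.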

  12. Tim says:

    “”We remind you that the sooner you do, the more chances are left to recover your files.

    it’s time to play Stop the Film:
    http://youtube.com/watch?v=w1pcEpSaboo

    “”No, sir; We don’t morally cense you, we just want the money…Thank you, sir!

  13. Captain Obvious says:

    It’s sad that we’re still dealing with viruses still. For example, when I look at the sophisticated ways attackers go after Android (side loading, multi-part virus, etc) I wonder what would happen if all the energy and ingenuity was used for something constructive.

  14. Tim says:

    You might remember this ass-clown:

    http://en.wikipedia.org/wiki/HBGary#Astroturfing

    Well, I seem to remember that the LulzSec leak had esoteric information about undisclosed windows registry values and obfuscations, especially pertaining to hidden sensitive info, that are used/exploited for later *forensics*…

  15. dusanmal says:

    Listen to the real security expert – Steve Gibson. His advice: if you do not have backup that can’t be seen by the virus (or it will be encrypted too) the only (and imperfect) way is to pay ASAP. In his opinion virus designers did crypto better than “by the book”. There is absolutely no way, even for NSA to recover those encrypted files without safe backup or payment. Catch is (again S.G. statement) that decryption part they have not done so well. It is possible that even if you pay, decryption keys and process may fail without decrypting everything. Only in that case, once YOU paid and received keys but process of recovery was incomplete can you contemplate your own recovery process with those keys. Not before. There is nothing on encrypted machine to allow decryption without paying…

    • Tim says:

      “”There is absolutely no way, even for NSA to recover those encrypted files without safe backup or payment. <– — Naysayer. Who pays you??

      There's an idea, Marc; Just ask the NSA.

      • Carbonite says:

        Don’t you dare!! They are directly squashing American ingenuity and the fruits thereof. Also, you pay us to hold on to your stuff.

        Carbonite *Back it up, get it…. goddammit, disclosed nsa backdoors…*

      • Marc Perkel says:

        I wonder if Windows Vista has the NSA weakened version of RSA encryption that is more easily broken?

    • Tim says:

      “”In his opinion virus designers did crypto better than “by the book”.

      But, in this case the situation seems to be regular old off-the-shelf compromised stuffware. As per the original post:

      “”The company said the RSA-2048 encryption was done using Microsoft’s cryptographic infrastructure and Windows APIs to perform the key generation, before sending it back in plain text to the attacker’s server.

      Ask the NSA. Or wring the drip out of Greenwald.

  16. Sam says:

    Suddenly DU is a technical help desk? Just what the world needs.

    Let’s talk about something important, like how there’s no accountability in government, or how all politicians are self-serving and can be bought for the right price, or how the extreme left and extreme right get all the media attention, or how f*cked up the state of California is, or how even one day can’t go by without hearing about gay rights, or why every “important” piece of social legislation involves lowering the bar on social responsibility and personal initiative.

    • Tim says:

      Piss off, slave; Don’t give them any ideas because i want to see more stuff about kittens. Not. Enough. Kittens. Almost none, really. I can’t remember the last cute cat story I saw on here.

      Is it true that if you upgrade to iOS 7 then your iphone is impervious to cat pee??

  17. Uncle Patso says:

    bobbo said, in part:

    “I read about a month ago about a program that basically “sandboxes” your entire OS. Whatever you do each time you turn it on, when you turn it off, it reverts to the original condition.”

    You can do something similar by booting from a live CD/DVD/USB drive (such as are available with Knoppix, Ubuntu, etc.) with a temporary swap file on hard disk so it doesn’t all have to run in RAM.

    Also:

    “… I think I’ve been infected from what look like “updates” to programs I have installed.”

    So what you do is, when (for example) you get the “Flash Player update” popup, close it and get the update from the maker’s website, NOT from the pop-up. This should be part of Computer 101.

    • bobbo, as nuts on the far left as the Teaparty is on the right, but not religious, no... never religious. In fact, I'm a pragmatic existential anti-theist who nontheless posits that a full on socialist state for the general best welfare of the People wedd says:

      —–go to the website—–

      Yes, I think I did that 10 times in a row….. and then had a brain fart.

      =========or don’t even update if everything is working well? Who needs an update that corrects win8 issues when I’m running win7? Who needs to add support for MKV files if I exclusively use mp3? BUT—when you start not being able to play youtubes and flash videos from long attended websites, you can make a mistake.

      Being forewarned is forearmed though. Disturbing that this virus will infect connected hard drives, not just the boot drive? I can only guess that would happen even if using a live linux disk for your os?==maybe not? Or maybe that is just another way of saying move to Ubuntu?

      Why the Hell doesn’t our Gubment track these assholes down and drone them? DRONE THEM TO HELL I say. I saw an article on a competing grammar school principal in China. He was No 2 so he put poison in some yogurt and put it on the road to the competing school. Two kiddies drank it and died. Principal and his goon got found out and sentenced to death. Makes me think those Chi-comcapitalists aren’t all bad?

      DRONE THEM TO HELL!!!!

      Marc—you should start a petition.

    • Tim says:

      “”So what you do is, when (for example) you get the “Flash Player update” popup, close it…

      bobbo had a pretty good point about those, I think. When I get something like that I don’t even hover the mouse over it but kill it with task explorer or equivalent. I also do this when ff goes frozen with the error report box; I’ve noticed sometimes that ff resumes while the box is still there so I don’t know if it really is suspicious or if I’ve got a config parameter set not to crash all the tabs.

      We used to clown around — hexedit the secretaries’ popup messages to things like *ok to delete hard drive?* with nothing but *ok* to click.. hehe.

      ————————-

      Is ‘ActiveX’ still a factor for this one?? I disable it with a little utility called xpAntispy. http://xp-antispy.org/en/

      I also have THE java with the little coffee cup when it’s active. I have had this become engaged to install malware before but I saw it pop up and quickly killed the wireless link only to find one of the fake antivirus maladies unzipping itself all over the place.

  18. Marc Perkel says:

    The virus is being hosted in San Francisco by cloudflare.com. I emailed them about it.

    • Tim says:

      Well, good. But for God’s sake, be wary of opening any attachments in their replies!!

  19. Tim says:

    Perhaps, there is a small chance that scanning for hidden partitions may prove fruitful?

    Maybe the perps carved out their own little workspace somewhere in your friend’s machine instead of actually holding the keys themselves; Whether they really did walk right out the ports’n’portals to a destination, or not.

    http://www.osforensics.com/faqs-and-tutorials/hidden-partitions-drive.html

  20. MikeN says:

    When you say the deleted files are encrypted, this is confusing. Why go to all that trouble, instead of a wipe in place? Are you sure you aren’t looking at encryption of files that were already deleted at the time of infection?

  21. Rich says:

    With each reply I get more and more furious at the bastards who did this. What effort is being made to catch the perps?

    • LibertyLover says:

      No idea. But there are times I wish I could take a baseball bat to these thieves.

      • bobbo, as nuts on the far left as the Teaparty is on the right, but not religious, no... never religious. In fact, I'm a pragmatic existential anti-theist who nontheless posits that a full on socialist state for the general best welfare of the People wedd says:

        Thieves are several degrees above the VANDALS and anarchists that are engaged in this activity. At least thieves put the property to use?

        …. But Obama will continue to look forward as if this was just a case of torture.

        • John E Quantum says:

          Ronald Reagan had a great way to deal with miscreants like this. Sit them down on a log, nail their testicles to the log, then push them over backwards.

  22. Tim says:

    “”I’d like to recover this drive.

    Somebody will probably package together all those NSA backdoor random number generator elliptic curve whathefefer and integrate it with exactly what that intrusion did.

    In the meantime, what looks like encrypted in place is probably based on some pattern/’folders’ from the MFT — Still, if it is folder x folder then it probably writes to a scratch/buffer space then encrypts then overwrites the original folder –> there may be some overrides for what cell is written to in an ssd, like a ‘wipe’ function…

  23. Tim says:

    I almost forgot {man, I’m so high, right now}; I don’t think it is so much a matter of when one got infected, just that the malware was updated on the 1st — of course, i’m assuming the dirtware had autoupdate enabled?

    Also, it may well be worth scanning for a hidden partition, especially if it’s a laptop. Vendors tend to hide backup partitions of their own in those things and changing something in the documents folder is likely to be stuffed in there whether one likes it, or not.

  24. MikeN says:

    Marc Perkel, so you have an unencrypted backup version of any files that are now encrypted? It may be possible to brute force a decryption.

  25. Techno Pawn says:

    I can’t believe it! This is DVORAK.ORG!!! And we all know that John C. Dvorak is one of the most technically knowledgeable and tech-insightful people in the tech review business. So when I see one of Dvorak’s staffers post a story like this I can’t help wonder what kind of “staff” is working for him. Because it seems Dvorak.org has at least one staff member who has no idea how to deal with basic computer terminology and things like encryption! So could these staffers be ex-newspaper reporters whose former job was to cover politicians, weather and fashion?! Here’s a hint (if you read that link): TRY LOOKING IN YOUR REGISTRY! (And no, I don’t mean bridal registry either.)

    Seriously. Try reading the very article you provided a link to. I only looked at it and it seemed pretty basic cut and dry stuff. They all but put your nose in it and showed you where your decryption key(s) is located!

    Of course, I do see a problem if you are like any of the multitudes of other idiots with more than one hard drive (be it SSD, spinning disks, or any combination thereof) and then got hit. But even that might not have been a problem had you (or whoever the operator was) been using a modicum of common sense — or even a virtual environment. It’s just a guess, but if there are more than one hard drive involved here, I’m betting the one you want decrypted was infected on a different machine — with a different “primary” HDD!

    I’d love to take a look but personally, I have no compassion for someone who continues to push boundaries despite MULTIPLE WARNINGS and then gets bit. The way I see it, you deserve it.

    So keep opening those unknown email attachments. Keep surfing porn sites on a system with your family photos. Keep installing unknown software from unknown sources. Keep zombie clicking! And whatever you do, DON’T BACKUP!!! Make sure you DON’T READ while you’re at it too. (Don’t “RTFM”!) We all know how the people who get bit by these viruses are the dummies who shouldn’t even be using electric stoves let alone, computing devices. So be sure and follow this advice and maybe you can burn yourself too!

    • Marc Perkel says:

      I don’t know if you read anything but it’s not MY drive that was hit. It was a friend of mine.

      Personally – I have backups.

    • Tim says:

      **Here’s a hint (if you read that link): TRY LOOKING IN YOUR REGISTRY!

      **Try reading the very article you provided a link to. I only looked at it and it seemed pretty basic cut and dry stuff. They all but put your nose in it and showed you where your decryption key(s) is located!

      Dude, the words *registry, regedit, entry* do not occur in either article. Since it is a spy machine, the registry probably is a good place to poke around .. you never know what you may find. A bit like looting graveyards, in your case.

      So, I suppose that you did not really withhold any good suggestions on where to peek or were you just being a douche-canoe in your spare time?

  26. MikeN says:

    So your friend was the first person hit with the new and improved version?