CryptoLocker Ransomware - No Fix at this Time


24 replies to this topic

#1 TheJoker
    Forum Deity
  • Boot Camp Mod
  • 14,426 posts

Posted 19 October 2013 - 03:27 PM

Nasty infection that encrypts data, and no fix for it unless there is a backup to restore data files from.
You can read about it here at BC:
CryptoLocker Ransomware Information Guide and FAQ


Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#2 cnm
    Mother Lion of SWI
  • Administrators
  • 25,317 posts

Posted 19 October 2013 - 03:41 PM

Yes, very scary. That article is well worth reading. All files are lost unless you pay. Most PCs can be restored to original factory condition (with loss of personal data and the need to update and reinstall programs), but who wants to do that.

 

Consider posting in a public forum.


Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#3 TheJoker
    Forum Deity
  • Boot Camp Mod
  • 14,426 posts

Posted 19 October 2013 - 04:24 PM

Want me to move it to Security Warnings?




#4 cnm
    Mother Lion of SWI
  • Administrators
  • 25,317 posts

Posted 19 October 2013 - 04:29 PM

Yes, please.  People need to be aware!



#5 r2d290
    SWI Junkie
  • Helper
  • 375 posts

Posted 19 October 2013 - 06:38 PM

An interesting video in this article:

http://nakedsecurity...p-and-recovery/


Is it still impossible to decrypt the code?

Edited by r2d290, 19 October 2013 - 07:08 PM.


#6 cnm
    Mother Lion of SWI
  • Administrators
  • 25,317 posts

Posted 20 October 2013 - 08:50 PM

Utility to protect a PC by preventing it from ever running CryptoLocker: CryptoPrevent
See also "How to use the CryptoPrevent Tool" in http://www.bleepingc...n#cryptoprevent



#7 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 05 November 2013 - 06:18 AM

FYI...

CryptoLocker - demands $2,000 for overdue ransom
- http://blog.malwareb...overdue-ransom/
Nov 4, 2013 - "The criminals behind the infamous CryptoLocker ransomware that encrypts all your personal files are now offering a late payment option, albeit at a higher cost... news was first reported on the Bleeping Computer forums early last Saturday*... exercise -extreme- caution before opening email attachments (one of the main infection vectors), keep your PC up-to-date, and make sure you have antivirus and anti-malware protection with real-time detection installed. Also, backing up your important data can be a life-saver..."
* http://www.bleepingc...yption-service/

Cryptolocker: Time to Backup
- http://www.threattra...er-time-backup/
Nov 5, 2013 - "... nasty piece of Malware which takes great delight in encrypting files on an infected PC, rendering them all but unreachable unless the victim is willing to pay the Malware authors..."

Also see: http://www.spywarein...e-etc/?p=783151
 



.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#8 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 14 November 2013 - 07:30 AM

FYI...

CryptoLocker Emergence connected to Blackhole Exploit Kit Arrest
- http://blog.trendmic...oit-kit-arrest/
Nov 8, 2013 - "... We’ve found that the Cutwail botnet responsible for the major Blackhole Exploit Kit spam runs started sending out runs carrying UPATRE (which ultimately leads to CryptoLocker) right around October, the same month of Paunch’s arrest. In fact, we have monitored multiple IPs involved in the transition – sending Blackhole Exploit Kit spam shortly before the arrest and sending CryptoLocker spam after the arrest. The Cutwail-UPATRE-ZEUS-CRILOCK infection chain we spotted on October 21 may be the most common infection chain used to spread CryptoLocker. The Cutwail botnet has the capability to send very high numbers of spam messages, which explains the high incidence of this recent spin in ransomware... We reiterate that users should absolutely -not- open attachments that they were not expecting to receive. This will help minimize the exposure of users to this threat."

- http://blog.trendmic...tachment-found/
Nov 13, 2013 - "... we came across rather unusual spam samples...
> http://blog.trendmic...3/11/upatre.png
These particular messages contain both a link to a malicious site, as well as a malicious attachment. Having a spam message that contains both kinds of threats is not common – generally, spam will have one or the other. The URLs linked to by these messages are generally compromised sites, which point to Javascript files in a similar manner to that used by the Blackhole Exploit Kit. We cannot confirm whether these Javascript files resulted in redirects to landing sites that would lead to exploit kits, but the added content to the compromised sites we have seen is almost identical to that used by Blackhole campaigns. The malicious attachment is another UPATRE variant, TROJ_UPATRE.SMB. This downloader installs a ZBOT variant onto the affected system. We had earlier identified that the Cutwail botnet had been sending out spam messages with UPATRE downloaders as attachments, and that is also the case here. Long term, it’s unclear what this indicates. It may mean that attackers are turning to another exploit kit to replace BHEK as a long-term solution, but we cannot say for sure..."
___

- http://www.nationalc...-computer-users
Nov 15, 2013 - "The NCA's National Cyber Crime Unit are aware of a mass email spamming event that is ongoing, where people are receiving emails that appear to be from banks and other financial institutions. The emails may be sent out to tens of millions... appear to be targeting small and medium businesses in particular.... The emails carry an -attachment- that appears to be correspondence linked to the email message (for example, a voicemail, fax, details of a suspicious transaction or invoices for payment). This file is in fact -malware- that can install Cryptolocker – which is a piece of ransomware..."
 



Edited by AplusWebMaster, 16 November 2013 - 02:03 PM.


#9 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 26 December 2013 - 09:09 AM

FYI...

New CryptoLocker -variant- spreads via removable drives
- http://blog.trendmic...movable-drives/
Dec 25, 2013 - "... a CryptoLocker -variant- that had one notable feature — it has propagation routines. Analysis of the malware, detected as WORM_CRILOCK.A, shows that this malware can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants. The addition of propagation routines means that the malware can easily spread, unlike other known CRILOCK variants. Aside from its propagation technique, the new malware bears numerous differences from known CryptoLocker variants. Rather than relying on a downloader malware — often UPATRE — to infect systems, this malware pretends to be an activator for various software such as Adobe Photoshop and Microsoft Office in peer-to-peer (P2P) file sharing sites. Uploading the malware in P2P sites allows bad guys to easily infect systems -without- the need to create (and send) spammed messages. Further analysis of WORM_CRILOCK reveals that it has a stark difference compared to previous variants. The malware has foregone domain generation algorithm (DGA). Instead, its command-and-control (C&C) servers are hardcoded into the malware. Hardcoding the URLs makes it easier to detect and block the related malicious URLs. DGA, on the other hand, may allow cybercriminals to evade detection as it uses a large number of potential domains. This could mean that the malware is still in the process of being refined and improved upon. Thus, we can expect latter variants to have the DGA capability. The differences between this particular CRILOCK variant and the others have led some researchers to believe that this malware is the product of a copycat. Regardless of its creator, WORM_CRILOCK.A shows that this could become the new favored attack method of cybercriminals. Users should -avoid- using P2P sites to get copies of software. They should always download software from official and/or reputable sites. 
Given WORM_CRILOCK’s ability to spread via removable drives, users should also exercise caution when using flash drives and the like. Users should -never- connect their drives into unfamiliar or unknown machines..."

- http://www.welivesec...ion-or-copycat/
19 Dec 2013
___

- http://www.securewor...ker-ransomware/
18 Dec 2013
 



Edited by AplusWebMaster, 27 December 2013 - 10:22 AM.


#10 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 30 December 2013 - 11:02 AM

FYI...

Tracking CryptoLocker ...
- http://garwarner.blo...covery-iid.html
Dec 29, 2013 - "... some IP addresses that Malcovery* thinks you should -block- immediately because they are linked to CryptoLocker... 46.149.111.28, 62.76.45.1, 83.69.233.25, 83.69.233.176, 95.59.26.43, 95.172.146.68, 109.234.154.254, 188.65.211.137, 188.120.255.37, 195.2.77.48 ..."
(More detail at the URL above.)
* http://www.malcovery.com/

- https://www.virustot...28/information/

- https://www.virustot....1/information/

- https://www.virustot...25/information/

- https://www.virustot...43/information/

- https://www.virustot...68/information/

- https://www.virustot...54/information/

- https://www.virustot...37/information/

- https://www.virustot...37/information/

- https://www.virustot...48/information/
 



Edited by AplusWebMaster, 30 December 2013 - 11:46 AM.


#11 TheJoker
    Forum Deity
  • Boot Camp Mod
  • 14,426 posts

Posted 30 December 2013 - 08:20 PM

For the domains mentioned in the first link for December, here's a handy addition to any HOSTS file:

 

#CryptoLocker added manually
127.0.0.1 lbmuvpwgcmquc.org
127.0.0.1 jknuotworuebip.org
127.0.0.1 syusdoctfpnee.org
127.0.0.1 msncwipuqpxxoqa.org
127.0.0.1 yebdbfsomgdbqu.biz
127.0.0.1 pkakvsexbmxpwxw.org
127.0.0.1 dhjicdgfykqoq.org
127.0.0.1 wjbodchhlgidofm.org
127.0.0.1 ghvoersorwsrgef.org
127.0.0.1 rttvxygkmwlqmq.net
127.0.0.1 wwfcogdgntlxw.biz
127.0.0.1 bsngfunwcpkjt.org
127.0.0.1 tmphandchtcnffy.org
127.0.0.1 qnsoiclrikwj.org
127.0.0.1 nfnfskbniyajd.org
127.0.0.1 swmbolrxyflhwm.biz
127.0.0.1 agwwcjhinwyl.org
127.0.0.1 osmhvqijsiedt.org
127.0.0.1 cmidahhutlcx.org
127.0.0.1 emttankkwhqsoe.org
127.0.0.1 ormyfnlykajkdr.org
127.0.0.1 ypxnqheckgjkbu.org
127.0.0.1 vsjotulrsjhyf.org
127.0.0.1 kmjqcsfxnyeuo.org
127.0.0.1 cpapfioutwypmh.org
127.0.0.1 xivexnrjahpfk.org
127.0.0.1 ukyfkufdi7ytdfuit.ru
127.0.0.1 www.qnsoiclrikwj.org
127.0.0.1 www.jxjyndpaoofctm.com
127.0.0.1 slbugcihgrgny.org
127.0.0.1 ykmccdhpgavm.org
127.0.0.1 wpowcdntgoye.org
127.0.0.1 gavhopncgfmdq.org
127.0.0.1 rkmmrxbpafgnplt.org
127.0.0.1 fpvpnoqmgntmc.org
127.0.0.1 mqagyenfbebsau.org
127.0.0.1 ahqnsclgckkpho.org
127.0.0.1 urkitujgkhsjl.org
127.0.0.1 kgvmmylyflrqml.org
127.0.0.1 shjeyrqelevega.org
127.0.0.1 ohmfbedvtftg.org
127.0.0.1 rldrrlcakwnumbe.org
127.0.0.1 hgfcqopaylrvyht.org
127.0.0.1 wxntojirxraawe.org
127.0.0.1 jlbrdhtbkmhkryk.org
127.0.0.1 rwmhbmtauqgyhcqhizinljirjr.org
127.0.0.1 pdfaayxydaqpyrouwrkydmneu.org
127.0.0.1 qplmkjrolbvc.org
127.0.0.1 mdaodtaifpkqkk.org
127.0.0.1 lnxbofsriihe.org
127.0.0.1 mpcljoupkkipyl.org
127.0.0.1 cuxsdtynsyml.org
127.0.0.1 oxgufearvtqkwh.org
127.0.0.1 jnptslhlsqise.org
127.0.0.1 pqulnjwedvbpm.org
127.0.0.1 vcbetblhrykeyxv.biz
127.0.0.1 omeidojwwtmalsy.biz
127.0.0.1 huqenkdqtoatvnc.biz
127.0.0.1 klufixwglgyb.biz
127.0.0.1 wwrahwrdcfhygp.org
127.0.0.1 wnjoalurtgqpd.biz
127.0.0.1 uwelewosqoirmt.org
127.0.0.1 yxmbwneyurhxfv.org
127.0.0.1 mgkppyunffvvd.org
127.0.0.1 teeusgcggvys.biz
127.0.0.1 ooqgdlwctrpt.org
127.0.0.1 fsihpjionkbb.net
127.0.0.1 bsgxxguicafc.org
127.0.0.1 aemivjtujaddhab.org
127.0.0.1 iwgymewvnfpyveg.org
127.0.0.1 dryadsncyghpyx.org




#12 art248
    Advanced Member
  • Helper Trainee
  • 102 posts

Posted 12 January 2014 - 09:01 AM

So how do I do that for the HOSTS file?

Just copy and paste? In addition to the MVPS HOSTS file?



#13 TheJoker
    Forum Deity
  • Boot Camp Mod
  • 14,426 posts

Posted 12 January 2014 - 09:45 AM

Using Notepad, you would just copy and paste that info into the HOSTS file anywhere below this entry:

 

127.0.0.1 localhost

 

Save (with no extension), and then reboot.

 

You should read this page though:

http://winhelp2002.mvps.org/hosts.htm

 

And note that for the block of entries to add, you would need to do a global replace in Notepad from 127.0.0.1 to 0.0.0.0 (if you were using the most recent version of the HOSTS file). That page will explain why the entries changed from 127.0.0.1 to 0.0.0.0 in the current edition of the HOSTS file, and the exceptions where it caused a problem and would need to be globally changed back to 127.0.0.1:

 

COMODO antivirus and System Mechanic seem to have issues with the "0.0.0.0" prefix ...

 

 




#14 art248
    Advanced Member
  • Helper Trainee
  • 102 posts

Posted 12 January 2014 - 01:08 PM

Erm, I am using the most recent edition of the HOSTS file, where they are all 0.0.0.0.

So does that mean I cannot use 127.0.0.1 and 0.0.0.0 together?

So also, with the global replace, does it mean that this entry:

127.0.0.1 localhost

is also replaced with 0.0.0.0? Or should I leave that one as it is?

I'll leave it as it is for now.



#15 TheJoker
    Forum Deity
  • Boot Camp Mod
  • 14,426 posts

Posted 12 January 2014 - 01:15 PM

> So does that mean I cannot use 127.0.0.1 and 0.0.0.0 together?

The information on that page didn't specify. I would keep them all the same.

> So also, with the global replace, does it mean that this entry:
> 127.0.0.1 localhost

 

No, you would copy and paste the list above into Notepad and do a global replace of 127.0.0.1 with 0.0.0.0

Then in notepad Select All, and Copy, and then open your current HOSTS file, paste the list into it, and save it (with no file extension).

 

Or, to make it easier, just copy this list and paste it into the current HOSTS file:

 

#CryptoLocker added manually
0.0.0.0 lbmuvpwgcmquc.org
0.0.0.0 jknuotworuebip.org
0.0.0.0 syusdoctfpnee.org
0.0.0.0 msncwipuqpxxoqa.org
0.0.0.0 yebdbfsomgdbqu.biz
0.0.0.0 pkakvsexbmxpwxw.org
0.0.0.0 dhjicdgfykqoq.org
0.0.0.0 wjbodchhlgidofm.org
0.0.0.0 ghvoersorwsrgef.org
0.0.0.0 rttvxygkmwlqmq.net
0.0.0.0 wwfcogdgntlxw.biz
0.0.0.0 bsngfunwcpkjt.org
0.0.0.0 tmphandchtcnffy.org
0.0.0.0 qnsoiclrikwj.org
0.0.0.0 nfnfskbniyajd.org
0.0.0.0 swmbolrxyflhwm.biz
0.0.0.0 agwwcjhinwyl.org
0.0.0.0 osmhvqijsiedt.org
0.0.0.0 cmidahhutlcx.org
0.0.0.0 emttankkwhqsoe.org
0.0.0.0 ormyfnlykajkdr.org
0.0.0.0 ypxnqheckgjkbu.org
0.0.0.0 vsjotulrsjhyf.org
0.0.0.0 kmjqcsfxnyeuo.org
0.0.0.0 cpapfioutwypmh.org
0.0.0.0 xivexnrjahpfk.org
0.0.0.0 ukyfkufdi7ytdfuit.ru
0.0.0.0 www.qnsoiclrikwj.org
0.0.0.0 www.jxjyndpaoofctm.com
0.0.0.0 slbugcihgrgny.org
0.0.0.0 ykmccdhpgavm.org
0.0.0.0 wpowcdntgoye.org
0.0.0.0 gavhopncgfmdq.org
0.0.0.0 rkmmrxbpafgnplt.org
0.0.0.0 fpvpnoqmgntmc.org
0.0.0.0 mqagyenfbebsau.org
0.0.0.0 ahqnsclgckkpho.org
0.0.0.0 urkitujgkhsjl.org
0.0.0.0 kgvmmylyflrqml.org
0.0.0.0 shjeyrqelevega.org
0.0.0.0 ohmfbedvtftg.org
0.0.0.0 rldrrlcakwnumbe.org
0.0.0.0 hgfcqopaylrvyht.org
0.0.0.0 wxntojirxraawe.org
0.0.0.0 jlbrdhtbkmhkryk.org
0.0.0.0 rwmhbmtauqgyhcqhizinljirjr.org
0.0.0.0 pdfaayxydaqpyrouwrkydmneu.org
0.0.0.0 qplmkjrolbvc.org
0.0.0.0 mdaodtaifpkqkk.org
0.0.0.0 lnxbofsriihe.org
0.0.0.0 mpcljoupkkipyl.org
0.0.0.0 cuxsdtynsyml.org
0.0.0.0 oxgufearvtqkwh.org
0.0.0.0 jnptslhlsqise.org
0.0.0.0 pqulnjwedvbpm.org
0.0.0.0 vcbetblhrykeyxv.biz
0.0.0.0 omeidojwwtmalsy.biz
0.0.0.0 huqenkdqtoatvnc.biz
0.0.0.0 klufixwglgyb.biz
0.0.0.0 wwrahwrdcfhygp.org
0.0.0.0 wnjoalurtgqpd.biz
0.0.0.0 uwelewosqoirmt.org
0.0.0.0 yxmbwneyurhxfv.org
0.0.0.0 mgkppyunffvvd.org
0.0.0.0 teeusgcggvys.biz
0.0.0.0 ooqgdlwctrpt.org
0.0.0.0 fsihpjionkbb.net
0.0.0.0 bsgxxguicafc.org
0.0.0.0 aemivjtujaddhab.org
0.0.0.0 iwgymewvnfpyveg.org
0.0.0.0 dryadsncyghpyx.org



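The merge TheJoker describes above (paste the list below the `127.0.0.1 localhost` line, and globally replace `127.0.0.1` with `0.0.0.0` when the installed MVPS HOSTS file uses that form) can be scripted so that the sink address is taken from whatever the file already uses, entries already present are skipped, and a line where the address runs straight into the domain (the kind of typo that makes Windows silently ignore the entry) is flagged before anything is written. The script below is an added example written for this page; it is not code from the thread or from the MVPS project. The HOSTS path, the constructed sample HOSTS text in the demo, and the four domains borrowed from the list above are assumptions for illustration only.

```python
"""Merge malware C2 domains into a Windows HOSTS file, matching its existing
sink address (0.0.0.0 or 127.0.0.1) and skipping entries already present.

Added example for this thread; not code from the forum or from the MVPS project.
"""
import re
from pathlib import Path

# Assumed default location of the Windows HOSTS file (writing it needs an elevated prompt).
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Constructed sample: four of the CryptoLocker domains posted earlier in this thread.
SAMPLE_DOMAINS = [
    "lbmuvpwgcmquc.org",
    "jknuotworuebip.org",
    "www.qnsoiclrikwj.org",
    "ukyfkufdi7ytdfuit.ru",
]

# A sink address glued to a hostname with no separator, e.g. "0.0.0.0example.org":
# Windows ignores such a line, so the domain silently stays resolvable.
FUSED = re.compile(r"^\s*(?:0\.0\.0\.0|127\.0\.0\.1)(?=[A-Za-z])")


def parse_entries(hosts_text):
    """Yield (address, [hostnames]) for every non-comment entry line."""
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            yield parts[0], [h.lower() for h in parts[1:]]


def detect_sink(hosts_text):
    """Return the blocking address the file already uses.

    The mandatory '127.0.0.1 localhost' line is ignored so that a file converted
    to the 0.0.0.0 convention is recognised as such. An empty file defaults to
    0.0.0.0, the form the current MVPS HOSTS file uses.
    """
    counts = {"0.0.0.0": 0, "127.0.0.1": 0}
    for addr, hosts in parse_entries(hosts_text):
        if hosts == ["localhost"] or addr not in counts:
            continue
        counts[addr] += 1
    return "0.0.0.0" if counts["0.0.0.0"] >= counts["127.0.0.1"] else "127.0.0.1"


def existing_hosts(hosts_text):
    """Set of every hostname already mapped in the file (lower-cased)."""
    return {h for _, hosts in parse_entries(hosts_text) for h in hosts}


def find_fused_entries(text):
    """Return the lines where the sink address runs straight into the hostname."""
    return [line.strip() for line in text.splitlines() if FUSED.match(line)]


def merge_block(hosts_text, domains, comment="#CryptoLocker added manually"):
    """Append a block for the domains not yet present; return (new_text, added)."""
    sink = detect_sink(hosts_text)
    present = existing_hosts(hosts_text)
    added = []
    for domain in domains:
        domain = domain.strip().lower()
        if domain and domain not in present:
            present.add(domain)
            added.append(domain)
    if not added:
        return hosts_text, added
    block = "\r\n".join([comment] + [f"{sink} {d}" for d in added])
    # Windows tooling expects CRLF; keep exactly one blank line before the block.
    return hosts_text.rstrip("\r\n") + "\r\n\r\n" + block + "\r\n", added


def apply_to_file(domains, path=HOSTS_PATH):
    """Merge into the real file. Run from an elevated prompt, then 'ipconfig /flushdns'."""
    text = path.read_text(encoding="utf-8", errors="replace") if path.exists() else ""
    new_text, added = merge_block(text, domains)
    if added:
        with path.open("w", encoding="utf-8", newline="") as f:
            f.write(new_text)
    return added


if __name__ == "__main__":
    # Constructed stand-in for an installed MVPS-format HOSTS file.
    demo = "# MVPS HOSTS\r\n127.0.0.1 localhost\r\n0.0.0.0 ads.example\r\n0.0.0.0 jknuotworuebip.org\r\n"
    merged, new = merge_block(demo, SAMPLE_DOMAINS)
    print("sink address:", detect_sink(demo))
    print("added:", new)
    print("malformed lines:", find_fused_entries(merged))
    print(merged)
```

Run it once as a dry run (the `__main__` block only touches the constructed sample), then call `apply_to_file(SAMPLE_DOMAINS)` from an elevated prompt to edit the real file. Keep in mind the caveat from post #9 above: CryptoLocker used a domain generation algorithm, so a static list like this only covers domains that had already been observed when the list was published; it is a supplement to backups and attachment hygiene, not a substitute.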

#16 art248
    Advanced Member
  • Helper Trainee
  • 102 posts

Posted 12 January 2014 - 01:30 PM

Ah, I see. Yeah, I was a bit confused since they didn't specify.

So this would mean only the entries above would be 0.0.0.0, as well as the other entries the HOSTS file has been set to, and my first entry in the HOSTS file will still be 127.0.0.1 localhost?



#17 TheJoker
    Forum Deity
  • Boot Camp Mod
  • 14,426 posts

Posted 12 January 2014 - 01:34 PM

Correct, only this line would have 127.0.0.1:

 

127.0.0.1 localhost




#18 art248
    Advanced Member
  • Helper Trainee
  • 102 posts

Posted 12 January 2014 - 01:37 PM

Alright, thanks. But then I thought the change was for Win8, or since Win7 also runs IE11, does it also apply to users of Win7?



#19 TheJoker
    Forum Deity
  • Boot Camp Mod
  • 14,426 posts

Posted 12 January 2014 - 02:51 PM

According to the MVPS HOSTS file web page, the change was made for Windows 8. Since the current HOSTS file is in that format, you would want to keep any other manual additions to the file in the same format. Does it make a difference if not Windows 8? I don't know, but keep it all the same and it won't matter.




#20 art248
    Advanced Member
  • Helper Trainee
  • 102 posts

Posted 13 January 2014 - 09:50 AM

Alright, thanks for the info.



#21 AwesomeLife
    Member
  • Helper Trainee
  • 29 posts

Posted 02 June 2014 - 09:03 PM

Woohoo....BUSTED!!!!

 

http://www.symantec....ercrime-network

 

...or at least wounded, anyway ...


Edited by AwesomeLife, 02 June 2014 - 09:04 PM.


#22 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 30 July 2014 - 11:23 AM

FYI...

New Crypto-Ransomware in the wild
- http://blog.trendmic...ge-in-the-wild/
July 30, 2014 - "... new crypto-ransomware variants that use new methods of encryption and evasion... 'Cryptoblocker' will not drop any text files instructing the victim on how to decrypt the files. Rather, it displays the dialog box below. Entering a transaction ID in the text box will trigger a message stating that the “transaction was sent and will be verified soon.”:
> http://blog.trendmic...07/cryptob1.jpg
... This malware does not use CryptoAPIs, a marked difference from other ransomware. CryptoAPIs are used to make RSA keys, which were not used with this particular malware. This is an interesting detail considering RSA keys would make decrypting files more difficult. Instead, we found that  the advanced encryption standard (AES) is found in the malware code. A closer look also reveals that the compiler notes were still intact upon unpacking the code... Based on feedback from the Trend Micro Smart Protection Network, the US is the top affected country, followed by France and Japan. Spain and Italy round up the top five affected countries.
Countries affected by Cryptoblocker:
> http://blog.trendmic...nfection-01.jpg
... These ransomware variants prove that despite significant takedowns, cybercriminals will continue to find ways to victimize users. Users should remain cautious when dealing with unfamiliar files, emails, or URL links. While it might be tempting to pay the ransom for encrypted files, there is no guarantee that the cybercriminals will decrypt the ransomed files..."
 




#23 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 06 August 2014 - 04:12 PM

FYI...

FireEye and Fox-IT - free keys designed to unlock systems infected by CryptoLocker
>> https://www.decryptcryptolocker.com/
Aug 6, 2014 - "Please provide your email address [1] and an encrypted file [2] that has been encrypted by CryptoLocker. This portal will then email you a master decryption key along with a download link to our recovery program that can be used together with the master decryption key to repair all encrypted files on your system.
- Please note that each infected system will require its own unique master decryption key. So in case you have multiple systems compromised by CryptoLocker, you will need to repeat this procedure per compromised system.
- Notes:
[1] Email addresses will not be used for marketing purposes, nor will they be in any way stored by FireEye or Fox‑IT.
[2] You should only upload encrypted files that do not contain any sensitive or personally identifiable information..."

- http://www.fireeye.c...decryption.html
Aug 6, 2014
- http://www.fireeye.c.../08/crypto2.png

- https://www.fox-it.c...locker-victims/
6 Aug 2014
 



Edited by AplusWebMaster, 06 August 2014 - 05:42 PM.


#24 JohnnyW
    Member
  • Full Member
  • 87 posts

Posted 07 April 2018 - 11:19 AM

I am wondering if the above free unlock has in fact been confirmed as functional. I see the last (above) post was way back in 2014, and am curious why there doesn't seem to be any sort of sticky regarding this or other specific ransomware fixes. Given the title of this thread, I am led to believe that the above solution is untested. I'm not even entirely sure this particular infection I am dealing with currently is actually crypto-locker specifically, but I'm sure we will find out soon enough.

 

I ask because a member of my local community just confided in me that she got her computer jacked up, and that last night she went and paid $300 to these scammers to get back into her laptop. She's a community college student turning work in via removable media, so that MAY be one vector that caused her to become infected with ransomware, but in any case it is quite possible this garbage code could affect others because of the fact that her work is turned in on flash drives. I do feel a responsibility to end this sort of cyber-thievery, and if I am not part of the solution, then in reality, I feel I am part of the problem.

 

I have enough on my plate personally with health and housing crises that I really can't be a regular participant here, much as I wish I could. In any case, I will follow this thread, and hope there is actually a workable fix for this ransom-ware issue. She is going to drop her laptop off this evening, so I can follow instructions and post logs. I also advised her to contact her banking institution, which she has, and is getting her card reissued and contesting the charge.


Edited by JohnnyW, 07 April 2018 - 04:02 PM.


#25 Budfred
    Malware Hound
  • Administrators
  • 21,430 posts

Posted 07 April 2018 - 04:18 PM

The ransomware battles go back and forth...  Some of them are fixable now and some are not...  As we develop fixes, the crooks develop new software that gets around the fixes...  This topic is largely obsolete at this point...


Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
