I had to deal with this yesterday. Not fun. The variant I dealt with was 
CryptoWall 2.0, and it sounds like that's what he's got. It requests $500 in 
btc, $1000 after 10 days.

1. We purchased the bitcoin from Circle. They have quick credit card 
confirmation and their weekly limit is $500, so you can make the full ransom 
purchase right away.

2. The cryptowall operators released the decryption software around 5 
hours after the payment was made. The software is supposed to use a registry 
list to automatically decrypt everything it encrypted; however, I found it to be 
quite buggy and had better luck pointing it at specific folders.

3. I was unable to find any way around the encryption to get my user her 
files back. The best bet seems to be Shadow copies, but those are deleted by 
CryptoWall if the infected user has permissions to do so.

Some notes:

- The cryptowall operators actually worked with me through their 
support form on the TOR site. On Circle, $500 of btc was 1.16, but CryptoWall 
was requesting 1.27. I told them all I could purchase was 1.16 and they 
accepted it. They also unlocked the encryption without a transaction ID being 
input. I believe this is because I included the relevant information in the 
message sent with the bitcoin.

- Shadow copies and cold storage backups appear to be the only remedy 
besides paying.

- Circle worked with me as well and hastened the victim's credit card 
through their fraud prevention processes after I told them it was necessary to 
pay the ransom by today (deadline-sensitive files).



From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] On 
Behalf Of John Quigley
Sent: Thursday, November 13, 2014 11:52 AM
To: t...@lopsa.org
Subject: [lopsa-tech] Hit by Ransomware

Colleagues,

A good friend of mine owns a dental practice whose data was encrypted with 
ransomware. Apparently all of the primary and backup data were encrypted. I'm 
getting info secondhand from him and so don't have all the details yet (e.g., 
which OS, which variant of ransomware, etc.).

They're asking in the range of $500-1000 in bitcoin. He wants to pay.

My questions are:

1. Where/how to get bitcoin safely?

2. What should his expectations be after he pays?

3. Are there any other possible mitigations? For example, another friend sent 
me the FireEye link where one might be able to obtain a known decryption key.

(https://www.decryptcryptolocker.com)

I realize question #1 is off-topic for this list, but any personal experience 
is welcome. Any other advice or questions I should be asking?

John
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/