LOCKY Ransomware - I Got hit - my stupidity

[DuffMan]

Received an invoice from a client. Attachment was a .js extension. I routinely saved the file and scanned it. It appeared OK.so, without thinking, I opened it and immediately knew that was a mistake. (.js is a javascript extension.)

 

Within a few minutes it had encrypted hundreds of .pdf, .txt, .jpeg, doc, etc files and renamed them to random numbers with a .locky extension.

 

Fascinating thing is it went immediately to my DropBox account and OneDrive account. It hit onedrive first and virtually wiped that one out but only got 2 files on my DropBox account. In looking at how it works, it encrypts the file and saves it under a new name (Random numbers with a .locky extension) then deletes the original file and empties the deleted file folder in OneDrive and DropBox. This prevents you from restoring a previous version of the file as the saved version is an original file and the deleted original file no longer exists. Of course it leaves a txt file behind with instructions on how to pay the ransom with Bit Coins. (It puts the public key in your registry and when you pay the ransom it provides you with the private key.)

 

Apparently neither DropBox not OneDrive have a feature of being able to restore a directory to a previous date version - at least none that I could find. Anyone know if this feature exists or how to access it? All the help screens deal with un-deleting files, however, once LOCKY hits, they now no longer exist!

 

There is plenty of information on the net about how LOCKY works but no information on how to detect its presence or how to remove it once infected. Apparently it's too new. Even the regular security software we depend on SpyBot, Malware Bytes, Norton, Defender, etc carefully don't talk about Ransom-Ware protection! McAffee admits that it is a very well written piece of ransom ware!

 

Luckily I only lost about 100 files that were not backed up and I can recreate them witthout too much hassle. I just went ahead and did a clean install of Win 10 to be safe.

 

Anyone else get hit? How did you recover?

 

 

[skp51443]

I dread something like this hitting here as my systems are networked together and one compromised system would go after the rest in short order.

 

I have a an external hard drive connected to each computer that generates local data that I want to be sure to have a copy of. The external hard drives are not powered on until I am ready to make a backup and I do that as the first thing after I boot, before doing anything on-line, once finished backing up the drives are powered off again.

 

Worst case is I'd have to reinstall which takes about an hour to load the new OS and applications and reapply my settings and then restore the data from the external drives. Depending on the week and how far into it I was recovering the lost work since the last backup could be a real pain but wouldn't be a disaster.

[wildmandmc]

As an IT guy, i have come across different variations of this. so far have been able to clean them all up with no problems.

I don't use drop box. but i tell all my customers that, if you are backing up daily, don't have your external drive always plugged in. Nowadays with all the cyber attacks, what we all need (which is sad) is another pc/laptop for opening files. send file over to usb then insert in dummy pc/laptop an open it there.

[DuffMan]

As an IT guy, i have come across different variations of this. so far have been able to clean them all up with no problems.

I don't use drop box. but i tell all my customers that, if you are backing up daily, don't have your external drive always plugged in. Nowadays with all the cyber attacks, what we all need (which is sad) is another pc/laptop for opening files. send file over to usb then insert in dummy pc/laptop an open it there.

 

Unfortunately we become dependent on the cloud to store our active files so they can be accessed by multiple remote people - ie Google Docs, Drop Box, etc. Even Microsoft is pushing to handle all programs in the cloud. Seems like the industry would rally around these type of attacks to prevent them since they are pushing for all applications to be run from the cloud and subscription pricing. ie why would DropBox allow a file change to an extension of .locky when it is well known that a ransome ware attack would be in process and they could lock down the account until rectified?

[Dutch_12078]

Was your "Deleted Files" directory on Dropbox cleaned out? Dropbox retains changed files for 30 days, and they can be restored individually.

[DuffMan]

Was your "Deleted Files" directory on Dropbox cleaned out? Dropbox retains changed files for 30 days, and they can be restored individually.

 

The deleted files directory was there but it was empty and each .locky file registered as a new file with no previous status. Apparently LOCKY found out how to empty the "Defeted Files" directory!

 

LOCKY was also thorough enough to even encrypt all the corresponding files on my windows Recovery Drive. (McAffee admitted LOCKY was well written and thorough!)

 

EDIT:

Wooo Hooo - I just found a hidden cached folder under my DropBox folder that had copies of all the deleted files. Time to grab and run! (It's accessible under Windows Explorer - show hidden files turned on - a folder under DropBox called ".dropbox.cache" then a sub-folder for each day (at least the last 3 days)

[Jim & Alice]

Thanks for sharing this... never heard of LOCKY... Not fun. Glad you found your cached folder

[skp51443]

There are more and more of these "file locking" type programs out there and even more coming in the future. While the criminals involved are happy to see your money they are really hoping to get a big score where the locked files are at a big business that will pay huge sums to get unlocked.

 

Why? Because they can make the attacker a pile of money that is very hard to trace to them.

 

How? They scramble your files in a manner that you can't undo with any tool or utility. A caveat here, most not all, a few are so poorly written that you can find the unlock key so that is worth checking for.

 

Repair without paying the extortion: Clean the system of all traces of the locking program, maybe a format and reinstall. Restore your files from backups and redo any missing work.

 

Repair after paying the extortion: You will get a copy of the secret key and instructions for unlocking your files. Unlock them and make secure backups of the unlocked files. Clean your system as above.

 

 

Some interesting and not too technical reading:

 

http://www.theregister.co.uk/2016/02/29/reinvented_ransomware_shifts_from_pwning_pc_to_wrecking_websites/

 

 

A new ransomware variant appears to be ripping through WordPress sites encrypting data and demanding a payment of half a bitcoin to release files.

The website variant of CTB Locker is encrypting all files on WordPress-powered sites and replacing the index.php with a file that displays instructions for paying the ransom.

It even sports a chat room support feature where verified victims can exchange words with ransomware scum.

 

http://www.theregister.co.uk/2014/12/15/tor_advanced_cryptography_malvertising_the_shape_of_next_gen_ransomware/

 

 

Cybercrooks have brewed a strain of ransomware that uses elliptic curve cryptography for file encryption, and Tor for communication.

The malware, dubbed OphionLocker, is spreading using a malicious advertising (malvertising) campaign featuring the RIG exploit kit.

The ransomware encrypts files of particular types on infected systems before using Tor2web URL as a conduit for instructions on how to send the payment and obtain the decryptor tool. The extortionists are asking for a payoff of 1 BTC ($352 at current rates of exchange).

 

 

Done wrong:

 

http://www.theregister.co.uk/2015/05/20/teslacrypt_ransomware_scam_dissected/

 

 

The TeslaCrypt ransomware gang raked in $76,500 in around 10 weeks, according to new research into the scam.

TeslaCrypt, which was distributed through the widely-used Angler browser exploit kit, was first spottedin February 2015 by security researchers at Dell SecureWorks.

After encrypting popular file types on compromised machines, TeslaCrypt demanded a ransom of $150 or more, payable in Bitcoin. The malware uses the Tor anonymity network for command and control. TeslaCrypt was also notable for its encryption of filetypes associated with popular online games.

Security researchers at Cisco were able to analyse and break the TeslaCrypt ransomware before releasing a decryption utility in late April. The release of the recovery tool thwarted the whole basis of the scam.

 

http://www.theregister.co.uk/2015/11/12/cures_for_ransomware_linux_cryptowall/

 

 

Ransomware targeting Linux servers has been thwarted by hard working security boffins, with help from the software itself, mere days after its existence was made public.

The Linux.Encoder.1 ransomware seeks Linux systems to encrypt and like others of its ilk demands owners pay BitCoins to have files decrypted.

But the first iteration of the malware has, like most betas, proven fallible.

Not only can it be decrypted using scripts without the need for ransoms to be paid, but it can re-encrypt itself, corrupting files and even encrypting the ransom note that directs victims how to pay the extortion.

 

http://www.theregister.co.uk/2015/04/10/ransomware_crypto_mistakes_coding_error/

 

 

A newly released crypto-ransomware strain has been broken, thus allowing victims — in over two out of three cases — to get back their data without paying.

The Scraper ransomware has a flaw, meaning that in about 70 per cent of cases files can be decrypted, according to Kaspersky Labs, with the Russian security firm publishing a free decryption utility.

Of course, it's a lot better not to get infected in the first place but for those who do get hit the utility offers the chance to save $300.

[Dutch_12078]

All of my critical files are automatically backed up to a personal cloud program (I use "OwnCloud") installed on my virtual web server hosted by 1and1. The local apps that handle the file uploads have been set to ignore .locky and 43 other known ransomware file extensions. I do use Dropbox for minor file syncing between multi-platform ebook readers, etc., but those are non-critical. I'm not aware of anyway to specify specific file extensions that Dropbox will ignore, but I haven't looked very hard for it either. It seems to me I recall at least some of the hard drive backup programs having that option though.

[RV_]

Hey Guys,

I read through many pages of threat reports daily from several sources and post the most widespread ones or the ones folks might not know about that are stepping up attacks down in Computers and Software forums here. As usual I post the links with all the info. Here is the one about the Locky Ransomware, which is from the same botnet as some very successful banking malware programs. That post is here on the forums: http://www.rvnetwork.com/index.php?showtopic=122268

 

I don't post a lot of the malware I read about, just the ones that are snagging more than the usual few out of thousands. Everyone needs to know about these. Sorry you had to go through it Duffman.

[DuffMan]

The interesting thing about LOCKY is that the perpetrators are trying to establish a reputation of unlocking upon payment of a reasonable ransom (most demands seem to be in the $300 - $700 range) and there are numerous comments from people that paid the ransom and got their data unscrambled. There are far more condemnations from commentators complaining that payment of the ransom exacerbates and funds the bad guys and continuation of the problem.

 

It's easy to take the high ground when your livelihood is not at stake! If it is my data and that data is worth big bucks, payment of say $700 to get it back is a no-brainer. Sure, if I pay, I may have only a 50/50 chance of getting it unlocked, but, if I don't pay, I have a 100% of not getting it unlocked. If it will cost me $50K to recreate the lost info, $700 is a bargain and well worth the risk.

[Jack Mayer]

For a business it may make some sense to pay if you cannot replicate the data For me, if it got mine I'd literally pull out the hard drive, destroy it and start over. That assumes it did not affect my Google Drive data. That is backed up but it may not be up to date since I only download it and put it on an external drive once a month.

[justRich]

Hollywood Presbyterian Medical System got hit by ransomware last month and coughed up $17K in Bitcoin to restore their systems.

http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html

[Ronbo]

If the NSA is do good, why can't they shut down these hackers? I guess if they were doing in on their cell phones, it would be no problem.

[DuffMan]

For a business it may make some sense to pay if you cannot replicate the data For me, if it got mine I'd literally pull out the hard drive, destroy it and start over. That assumes it did not affect my Google Drive data. That is backed up but it may not be up to date since I only download it and put it on an external drive once a month.

 

Jack,

 

If your Google Drive is mapped or sync'd where you access your GoogleDrive automatically to save files in the cloud, say through windows explorer, LOCKY will access those files and scramble them. That's how it got my DropBox and OneDrive files. If you're using GoogleDrives Spreadsheets, Docs, etc. I haven't heard of those being accessed.

 

BTW: Windows used to have a feature called "Group Policy Management Console" (gpedit.msc) where you could declare certain file types/extensions as prohibited. I can't find it in Windows 10. Any idea how I can declare globally in Windows 10 certain file types as prohibited extensions? (Say the .locky extension!)

[DuffMan]

... Clean the system of all traces of the locking program, maybe a format and reinstall.

 

That's the fascinating thing about LOCKY - nowhere can I find a program that can detect the existence of the LOCKY encrypting program - only the existence of it's results - ie. the existence of files with a .locky extension. Heck by that time I know it exists.

 

In my case the malware program was enclosed in an invoice file that I had saved and scanned and was said to be OK by SpyBot and MalwareBytes and Windows. (But did have a .js extension which should have been a red flag!) Even Googling LOCKY detection, the various programs admit they only detect and report files with the .locky extension not the program itself.

 

I haven't heard whether LOCKY exists in other than a .js (JavaScript) format. If it can be encased in a .pdf or .doc file, we're all in trouble!

 

I need an automatic backup program that backs up to a separate drive on a predetermined schedule (Say Daily) then locks that Back-Up file preventing access, overwriting, deleting, etc without a secure password. Then the next day do the backup again but to a new back-up file. (Windows back-up/ imaging program just overwrites the existing back-up file which wipes out all your good files and saves the scrambled files in their place.) I need to be able to access all the previous back-ups in order to be able to step back in time and select which backup to restore. (The date stamp on a scrambled file would indicate where to start to restore an unscrambled version of the affected files. ) To prevent the massive storage from becoming unmanageable, maybe a full back-up say once every 2 months plus daily back-ups of only changed files. I wonder if I can do this with say Acronis?

[Jack Mayer]

 

Jack,

 

If your Google Drive is mapped or sync'd where you access your GoogleDrive automatically to save files in the cloud, say through windows explorer, LOCKY will access those files and scramble them. That's how it got my DropBox and OneDrive files. If you're using GoogleDrives Spreadsheets, Docs, etc. I haven't heard of those being accessed.

 

 

I SPECIFICALLY keep a wall between Drive and my PC. At least that is my attempt. Nothing uploads or synchs automatically. I now almost exclusively work in Drive via the web. Rarely do I do any content building -other than web content - on my PC. I think I'm going to take the Onedrive and Drive folders out of Explorer - I can and do get to them through a web interface.