Solved

My dropbox has been encrypted by an outsider - help!

Posted on 2014-12-05
1,400 Views
Last Modified: 2014-12-14
I put some of my photos and files onto dropbox about a year ago. Two weeks ago I noticed a pop up Notepad message when I booted up my computer (which freezes every so often and needs rebooting).
I never read the message until I tried to access a file from dropbox and found that all of the files there are now encrypted.
Here is the text of the notepad message. How serious is this? Of course I have not replied.

ATTENTION:

All your documents, photos, databases and other important personal files
were encrypted using strong RSA-1024 algorithm with a unique key.
If you want to restore your files please follow the instructions:

1. Send email to keybtc@inbox.com, with the following files in attachment:

   - FILE1.BIN and FILE2.BIN files (check your desktop
     and local disks to find these files or just use Windows Search).

   - One of your encrypted personal files for test decryption.
     Supported types: DOC/DOCX, JPG/JPEG, PDF. Maximum file size: 3 Mb.

2. Wait for email from us containing:

   - Your decrypted file, proving that we can really help you.
   - Decryption price and payment details.

3. Make payment.

4. Receive decryption key and detailed instructions how to decrypt your files.

IMPORTANT:

- You must contact us within 24 hours (from 17/11/2014 22:46), or the price will rise.
- Nobody can help you except us. It is useless to reinstall Windows, rename files, etc.
- Your files will be decrypted as soon as you contact us and make payment.

If you have any questions, please feel free to ask.

Contact email: keybtc@inbox.com.
23 Comments
 
LVL 34

Expert Comment

by:Michael-Best
ID: 40483279
"How serious is this?"

Very...

You have been hijacked by Ransomware.

See en.wikipedia.org

Link:
http://en.wikipedia.org/wiki/Ransomware

If you do not have a back-up of your files then your choices are one of two.

1. pay the ransom to get your files back.
2. write off the files as lost.
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 167 total points
ID: 40483383
Third choice for dropbox files:

If you put a ticket in with dropbox they might have older versions, it really depends on how long those files have been encrypted.

Author Comment

by:Lomed_Geoff
ID: 40483436
Am I not able to clean this from my computer? Surely paying the ransom won't help - they would simply do it again or take the money and not do anything.

How do I protect my computer assuming I can get it clean?

What about resetting my computer to an earlier date - would that work? I believe that it happened on 16th November.
LVL 34

Expert Comment

by:Michael-Best
ID: 40483613
If your computer and its files work fine then it is not your computer that has been hacked.
Only your dropbox account has been hacked / been hijacked by Ransomware.

If your dropbox data is important then paying the ransom is your only way of recovery.

In future always make and store a back-up copy of any cloud / online storage.

Reset all your passwords and do not use the same passwords for multiple accounts.
LVL 34

Expert Comment

by:Michael-Best
ID: 40483656
"Surely paying the ransom won't help = they would simply do it again or take the money and not do anything."

Once you pay the ransom copy the files to another media storage device, external HDD, etc.
Close your dropbox account, open another account and enable two-step verification.

See: blog.dropbox.com

https://blog.dropbox.com/2014/10/have-you-enabled-two-step-verification/
LVL 87

Expert Comment

by:rindi
ID: 40483735
Scan your PCs with malwarebytes, it should be able to remove cryptolocker or cryptowall malware.

http://malwarebytes.org

After that use your backups to restore the data, or sometimes as has been mentioned already, try restore points from earlier dates.

DropBox itself should directly be affected by those malware, but if you mapped a drive-letter from an infected PC to dropbox, the files there can also be encrypted, or of course if dropbox was synced to from an infected PC, that would also have happened.

So the first thing to do is check all your PCs and clean them.
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40483789
Dropbox is invariably affected by cryptography virii. Dropbox does keep prior versions, but it takes time to get them to do a restore. We have had great success with versioning software like crashplan.

Author Comment

by:Lomed_Geoff
ID: 40484450
Please confirm then that I need to take these steps:
1) clean the PC with malware (it is also infected by the way - all excel, word, photo files are encrypted but email still works)
2) try version restore from before 15th November - could this in fact solve all problems without having to pay a ransom? Michael Best please clarify why your confidence that they will in fact decrypt if I pay and not just take the money?
3) have dropbox restore from a pre 15 nov date. then shift key files to a memory stick before opening up another account

Presumably backing up to cloud is also vulnerable so only safe way in future is to backup to a separate hard drive?

Thank you
LVL 87

Accepted Solution

by:rindi
rindi earned 249 total points
ID: 40484457
1. Correct, clean all your PCs that connect to dropbox first. The malware infects dropbox via your PC and not the other way. Also disable any dropbox startup tools, or the encrypted files will probably just be restored to the PC if a sync starts.

2. A restore from the backup before the infection will help. Never ever pay any ransom, first the price will probably be astronomical, and no one guarantees that you'll get the keys for recovery, and besides, never in any way support the crooks.

3. That is what you can try if your backup is no good. Otherwise just delete the files on dropbox and upload them again. Also, I'm not sure if dropbox does any restore for the free service...

Backup to the cloud is OK, as long as you don't use mapped drives or keep them mapped, and you keep more than one version backed up (backing up files that are corrupted, so they overwrite the previous backup, will always be a problem, whether that is to the cloud or somewhere else). If you backup to external disks, always disconnect them after the backup, and always make sure you have several versions backed up.
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40484463
A restore to a time previous to infection/encryption should take care of everything.

In terms of backup, files that are not backed up in at least 2 other locations are files you don't care about. Cloud backup is good, but you need something that does versioning (crashplan, spideroak, comodo, mozy, etc.). System restore will take care of most things but it's not a backup and you can't rely on it keeping restore points very long.

Read my article on backup:
http://www.experts-exchange.com/Software/Backup_Restore/A_16059-Backing-up-more-than-a-necessity.html
http://www.experts-exchange.com/Software/Backup_Restore/A_17402-Cloud-Backup-Why-I-changed-providers.html

Author Comment

by:Lomed_Geoff
ID: 40484494
Thank you - will cleaning my pc with malware then prevent me from a system restore? Should I first attempt the system restore and then load up malware?
I have Windows 8 - home version - how do I find the system restore and whether I have a version old enough?
LVL 87

Expert Comment

by:rindi
ID: 40484515
Cleaning malware won't necessarily wipe the system restore points. Doing a system restore before removing the malware could cause the restored system to also get encrypted, as the malware is still active. Also, some malware will disable system restore, so after an infection that sometimes won't work.

In Windows 8.x, right click "This PC", select "Properties", "System Protection", then input the admin account's credentials, then select "System Restore", then follow the wizard's steps to find and restore to older restore points.
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40484524
KNOW that you may need to check the box to display all restore points.
LVL 34

Expert Comment

by:Michael-Best
ID: 40484543
Re:
"Michael Best please clarify why your confidence that they will in fact decrypt if I pay and not just take the money?"

I did not and do not recommend paying the ransom, but if you have no back-ups, and cannot find any recovery method (and the files are worth the ransom asked) then it's still a gamble at best.

Read: "Ransomware - would you pay up?" from nakedsecurity.sophos.com and also watch the video.

Link
https://nakedsecurity.sophos.com/2012/09/25/ransomware-would-you-pay-up/
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40484576
Also, just to be clear, anti-malware and antivirus software never guarantee against future "infection." A combination of methods is best, such as MBAM Pro alongside a good AV solution (with only one running on-access scanning - I set it to be MBAM). I also run Winpatrol Plus. These combined with good surfing/browsing habits (and never clicking a link in an email) should do the trick. Remember that the only completely secure computer is one that is completely isolated from the Internet and filled with cement.
LVL 34

Assisted Solution

by:Michael-Best
Michael-Best earned 84 total points
ID: 40484658
Cloud based free antivirus tools will protect you from any suspect internet content.

I trust and have used free Panda (panda-free-antivirus.en.softonic.com) on all my computers (XP and up) for many years with "0" infections.

Link:
http://panda-free-antivirus.en.softonic.com/

Never open an attachment in an email from someone you do not know or trust, or open an untrustworthy or suspect downloaded file without first scanning it with an antivirus software that automatically scans compressed files.

BTW, Panda free automatically scans compressed files by default.
If you wish to do a "scan on demand" then go to "settings" and turn on "scan compressed files".
LVL 87

Expert Comment

by:rindi
ID: 40484667
Maybe besides what has already been said, always make sure you are logged on to your PCs with a standard account; accounts that have Administrator rights should only be used for those specific tasks. This can't protect against everything, but it helps. So make sure you create an Admin and a standard account, and for normal use only use the standard account.

Another good idea is to use a Linux PC, and whenever you get a suspicious email, only open it using that PC. Linux is far less likely to pick up malware, particularly from opening attachments etc. Many of those attachments or executables only work under Windows.

Author Comment

by:Lomed_Geoff
ID: 40485088
Ok - I have downloaded both Spyhunter and Reghunter so I have to hope that amongst the 600 issues found and cleaned, they have also got rid of the ransomware. Any way to be sure?

rindi - a few things you have written that I am not clear on:
1)"Backup to the cloud is OK, as long as you don't use mapped drives or keep them mapped", - if you are setting up a regular backup from your drives, how can you not have them mapped?
2) "In Windows 8.x, right click "This PC", select "Properties", "System Protection", then input the admin account's credentials, then select "System Restore", then follow the wizard's steps to find and restore to older restore points." - I don't know what you mean by "This PC" - I can't find this to right click on. What window should I be on to right click - and where?

Will a System restore provide me with earlier versions of my files? If not then if the spyHunter has worked I guess there is no point as it is now only the files/photos that I need to have back. If system restore only restores system files it's going to be of limited value, is that correct?
LVL 87

Assisted Solution

by:rindi
rindi earned 249 total points
ID: 40485368
1. You can access dropbox directly from within the browser and download / upload files to / from it without mapping a drive. But there could also be utilities from the cloud provider (I never used them so I'm not sure what exactly they can do) you have installed on the PC which may automatically sync your PC's files with the cloud, or map the cloud to a drive-letter so you can access them directly via explorer etc. Cryptolocker and Cryptowall and their variants both only access local files, and those directly accessible via a drive letter. So if you have such a tool installed, disable it when not in use.

2. In my Windows 8.x setups, I always set it up so all the normal desktop icons are shown on the desktop. The default setting isn't set up correctly in my point of view. For that I right click an empty space on the desktop, select "Personalize", then click on "Change Desktop Icons". Now I put a checkmark in all which are available (Computer, User's files, Network, Control Panel, Recycle Bin). After that you'll have an icon named "This PC" on the desktop. That's the one you right click.

An earlier restore point or volume shadow copy of your files will probably not help, as at least CryptoWall deletes all previous versions.

I'm also not sure whether the software you mentioned above removes that malware, but I do know that Malwarebytes does. I suggest you scan your PC with malwarebytes.
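The three things rindi checks in this thread (whether restore points or "previous versions" are still there, and whether a Dropbox sync tool would sync the encrypted files straight back) can be read from one elevated Windows PowerShell session. This is an added triage script, not code from the thread or from Dropbox; it assumes the Dropbox client's process name is "Dropbox" and uses the FILE1.BIN / FILE2.BIN names from the ransom note only as a local indicator.

```powershell
# Added triage script for the situation in this thread (not from the thread itself).
# Assumes: Windows 8.x or later, Windows PowerShell started "Run as administrator",
# and a Dropbox client whose process name is "Dropbox" (an assumption; confirm with Get-Process).

$summary = [ordered]@{}

# 1. Companion files the ransom note tells the victim to look for on the desktop.
$noteFiles = Get-ChildItem -Path (Join-Path $env:USERPROFILE 'Desktop\*') `
    -Include 'FILE1.BIN', 'FILE2.BIN' -ErrorAction SilentlyContinue
$summary['NoteFilesOnDesktop'] = @($noteFiles).Count

# 2. System Restore points: the same data the "System Restore" wizard shows.
$restorePoints = Get-CimInstance -Namespace 'root\default' -ClassName SystemRestore `
    -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Description = $_.Description
        }
    }
$summary['RestorePoints'] = @($restorePoints).Count

# 3. Volume shadow copies ("Previous Versions"). CryptoWall-type malware deletes these,
#    so an empty list means local previous versions are gone and a backup is needed.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
    Select-Object ID, InstallDate, VolumeName
$summary['ShadowCopies'] = @($shadows).Count

# 4. Startup entries and running process for the Dropbox sync client. While it is
#    active, encrypted files are synced back to the PC after a restore.
$dropboxStartup = Get-CimInstance -ClassName Win32_StartupCommand |
    Where-Object { $_.Name -match 'dropbox' -or $_.Command -match 'dropbox' } |
    Select-Object Name, Command, Location, User
$summary['DropboxStartupEntries'] = @($dropboxStartup).Count
$summary['DropboxRunning'] = [bool](Get-Process -Name 'Dropbox' -ErrorAction SilentlyContinue)

'--- Restore points (oldest first) ---'
$restorePoints | Sort-Object Created | Format-Table -AutoSize
'--- Shadow copies ---'
$shadows | Format-Table -AutoSize
'--- Dropbox autostart entries ---'
$dropboxStartup | Format-Table -AutoSize
'--- Summary ---'
[pscustomobject]$summary | Format-List

if ($summary['RestorePoints'] -eq 0 -and $summary['ShadowCopies'] -eq 0) {
    Write-Warning 'No restore points or shadow copies remain; recover from a backup or the Dropbox version history instead.'
}
if ($summary['DropboxRunning'] -or $summary['DropboxStartupEntries'] -gt 0) {
    Write-Warning 'Dropbox sync is running or set to autostart; stop it before cleaning so encrypted files are not synced back.'
}
```

Run it before the malware scan and again afterwards, so you can confirm the sync client stayed off and see which recovery sources are still available.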
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40485445
Backup to clouds is okay even if you use a mapped drive, as long as the backup service uses versioning (any service that doesn't use versioning is not worth the effort). Also note that dropbox is NOT backup.

There is no utility that I know of that will decrypt files encrypted with a cryptowall variant.

Author Comment

by:Lomed_Geoff
ID: 40498234
I have now carried out the following steps
1) paid for and loaded both Spyhunter and Reghunter
2) run their scans - spyhunter found above 650 different issues and these were all cleared
3) The pop up ransom note no longer comes up
4) I then created some word and excel files to see if they became encrypted - and they have not in the interim days.
5) I then managed to get the files I most recently had worked on from a Dropbox restore - which allayed my worst fears. Others such as photos I have either on another computer or on snapfish. Therefore worst loss is of letters, spreadsheets from 10 years - but in practice how often does one really need letters sent to the school about children's absences...
Remaining questions:
A) I am now looking for a versioning Backup programme. Should I be trying to find one that sends different versions onto a zip drive - or is it better to choose the same but online? Of the former it seemed that Norton Ghost was the best - but it has been withdrawn....
B) I have been running Spyhunter every couple of evenings - and have not been using the internet on that computer. I would expect it now not to be finding any adware or infections whatsoever. However it is always saying it has found around 50 issues. How is this possible? Is it just trying to show me how good it is and giving me false readings? It doesn't inspire me with confidence - or can infections somehow still be getting in just by my being passively connected to the internet - which I am. And if so how can I be stopping that?

Thank you all for your advice. On receipt of the last two answers I will go back through the correspondence to find which replies are the ones that were the solution!
Great service.
Geoff

BUT I do have one more question
LVL 87

Assisted Solution

by:rindi
rindi earned 249 total points
ID: 40498253
I don't know spyhunter. In my point of view malwarebytes is the best product.

Sometimes some issues can't be removed, so they show up again after a later scan. For those issues you must go through each of them, decide whether they are bad or not, then look online for ways to remove them (some issues can be false positives, or software you actually trust). Besides that, there will always be malware that can't be found.

For backup or any other product, I would never recommend anything from Symantec (Norton). Very good are the Paragon products; they have a free backup tool which is for personal use, or the professional version which has more options. The best but also more expensive is ShadowProtect from StorageCraft. If you set your backups to do incremental backups the backups will be small in size, as only files that were changed will be backed up again later, and you'll have all those different files still available. You should also change the disk you backup to, so you have several you can cycle through, and always only connect them to the PC during the backup. Always remove them when the backup is done, and store them away from the PC.

Personally I don't recommend backing up to the cloud (or only as an additional backup). You never know what the company does with your data, or what happens if it goes bust.
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 167 total points
ID: 40498261
A resounding Crashplan is the answer to most of your question. See my article on why I changed versioning software providers.

www.experts-exchange.com/Software/Backup_Restore/A_17402-Cloud-Backup-Why-I-changed-providers.html

There is a free version that does backup to local disks or folders.

In terms of the constant issues, your best bet is a complete rebuild.