My dropbox has been encrypted by an outsider - help!

Last Modified: 2014-12-14
I put some of my photos and files onto dropbox about a year ago.  Two weeks ago I noticed a pop up Notepad message when I booted up my computer (which freezes every so often and needs rebooting).
I never read the message until I tried to access a file from dropbox and found that all of the files there are now encrypted.
Here is the text of the notepad message.  How serious is this?  Of course I have not replied.

ATTENTION:

                All your documents, photos, databases and other important personal files
                were encrypted using strong RSA-1024 algorithm with a unique key.
                If you want to restore your files please follow the instructions:

                1. Send email to keybtc@inbox.com, with the following files in attachment:

                                - FILE1.BIN and FILE2.BIN files (check your desktop
                                  and local disks to find these files or just use Windows Search.

                                - One of your encrypted personal file for test decryption.
                                  Supported types: DOC/DOCX, JPG/JPEG, PDF. Maximum file size: 3 Mb.

                2. Wait for email from us containing:

                                - Your decrypted file, prooving that we can really help you.
                                - Decryption price and payment details.

                3. Make payment.

                4. Recieve decryption key and detailed instructions how to decrypt your files.

                IMPORTANT:

                - You must contact us in 24 hours (from 17/11/2014 22:46), unless the price will rise.
                - Nobody can help you except us. It is useless to reinstall Windows, rename files, etc.
                - Your files will be decrypted as quick as you contact us and make payment.

                If you have any questions, please feel free to ask.

                Contact email: keybtc@inbox.com.

CERTIFIED EXPERT

Commented:
"How serious is this?"

Very...

You have been hijacked by Ransomware.

See en.wikipedia.org

Link:
http://en.wikipedia.org/wiki/Ransomware

If you do not have a back-up of your files then your choices are one of two.

1. Pay the ransom to get your files back.
2. Write off the files as lost.

Author

Commented:
Am I not able to clean this from my computer?  Surely paying the ransom won't help = they would simply do it again or take the money and not do anything.

How do I protect my computer assuming I can get it clean?

What about resetting my computer to an earlier date - would that work?  I believe that it happened on 16th November.
CERTIFIED EXPERT

Commented:
If your computer and its files work fine, then it is not your computer that has been hacked.
Only your dropbox account has been hacked / been hijacked by Ransomware.

If your dropbox data is important then paying the ransom is your only way of recovery.

In future always make and store a back-up copy of any cloud / online storage.

Reset all your passwords and do not use the same passwords for multiple accounts.
CERTIFIED EXPERT

Commented:
"Surely paying the ransom won't help = they would simply do it again or take the money and not do anything."

Once you pay the ransom, copy the files to another media storage device (external HDD, etc.).
Close your dropbox account and open another account and enable two-step verification?

See: blog.dropbox.com

https://blog.dropbox.com/2014/10/have-you-enabled-two-step-verification/
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
Scan your PCs with malwarebytes, it should be able to remove cryptolocker or cryptowar malware.

http://malwarebytes.org

After that use your backups to restore the data, or sometimes as has been mentioned already, try restore points from earlier dates.

DropBox itself should directly be affected by those malware, but if you mapped a drive-letter from an infected PC to dropbox, the files there can also be encrypted, or of course if dropbox was synced to from an infected PC, that would also have happened.

So the first thing to do is check all your PCs and clean them.
Thomas Zucker-Scharff, Solution Guide
CERTIFIED EXPERT

Commented:
Dropbox is invariably affected by cryptography virii. Dropbox does keep prior versions,  but it takes time to get them to do a restore. We have had great success with versioning software like crashplan.

Author

Commented:
Please confirm then that I need to take these steps:
1) clean the PC with malware (it is also infected by the way - all excel, word, photo files are encrypted but email still works)
2) try version restore from before 15th November - could this in fact solve all problems without having to pay a ransom?  Michael Best please clarify why your confidence that they will in fact decrypt if I pay and not just take the money?
3) have dropbox restore from a pre 15 nov date, then shift key files to a memory stick before opening up another account

Presumably backing up to cloud is also vulnerable so only safe way in future is to backup to a separate hard drive?

Thank you
Thomas Zucker-Scharff, Solution Guide
CERTIFIED EXPERT

Commented:
A restore to a time previous to infection/encryption  should take care of everything.  

In terms of backup, files that are not backed up in at least 2 other locations are files you don't care about.  Cloud backup is good, but you need something that does versioning (crashplan, spideroak, comodo, mozy, etc.).  System restore will take care of most things but it's not a backup and you can't rely on it keeping restore points very long.

Read my article on backup:
https://www.experts-exchange.com/Software/Backup_Restore/A_16059-Backing-up-more-than-a-necessity.html
https://www.experts-exchange.com/Software/Backup_Restore/A_17402-Cloud-Backup-Why-I-changed-providers.html

Author

Commented:
Thank you - will cleaning my pc with malware then prevent me from a system restore?  Should I first attempt the system restore and then load up malware?
I have Windows 8 - home version - how do I find the system restore and whether I have a version old enough?
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
Cleaning malware won't necessarily wipe the system restore points. Doing a system restore before removing the malware could cause the restored system to also get encrypted, as the malware is still active. Also, some malware will disable system restore, so after an infection that sometimes won't work.

In Windows 8.x, right click "This PC", select "Properties", "System Protection", then input the admin account's credentials, then select "System Restore", then follow the wizard's steps to find and restore to older restore points.
Thomas Zucker-Scharff, Solution Guide
CERTIFIED EXPERT

Commented:
KNOW that you may need to check the box to display all restore points.
CERTIFIED EXPERT

Commented:
Re:
"Michael Best please clarify why your confidence that they will in fact decrypt if I pay and not just take the money?"

I did not and do not recommend paying the ransom, but if you have no back-ups, and cannot find any recovery method (and the files are worth the ransom asked) then it's still a gamble at best.

Read: "Ransomware - would you pay up?" from nakedsecurity.sophos.com and also watch the video.

Link
https://nakedsecurity.sophos.com/2012/09/25/ransomware-would-you-pay-up/
Thomas Zucker-Scharff, Solution Guide
CERTIFIED EXPERT

Commented:
Also, just to be clear, antimalware or antivirus software never guarantees against future "infection." A combination of methods is best, such as MBAM Pro alongside a good AV solution (with only one running on access scanning - I set it to be MBAM). I also run Winpatrol Plus.  These combined with good surfing/browsing habits (and never clicking a link in an email) should do the trick.  Remember that the only completely secure computer is one that is completely isolated from the Internet and filled with cement.
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
Maybe besides what has already been said, always make sure you are logged on to your PCs with a standard account, accounts that have Administrator rights should only be used for those specific tasks. This can't protect against everything, but it helps. So make sure you create an Admin and a standard account, and for normal use only use the standard account.

Another good idea is to use a linux PC, and whenever you get a suspicious email, only open it using that PC. Linux is far less likely to pick up malware, particularly from opening attachments etc. Many of those attachments or executables only work under Windows.

Author

Commented:
Ok - I have downloaded both Spyhunter and Reghunter so I have to hope that amongst the 600 issues found and cleaned, they have also got rid of the ransomware.  Any way to be sure?

rindi - a few things you have written that I am not clear on:
1)"Backup to the cloud is OK, as long as you don't use mapped drives or keep them mapped", - if you are setting up a regular backup from your drives, how can you not have them mapped?
2) "In Windows 8.x, right click "This PC", select "Properties", "System Protection", then input the admin account's credentials, then select "System Restore", then follow the wizard's steps to find and restore to older restore points. " - I don't know what you mean by "This PC" - I can't find this to right click on.  What window should I be on to right click - and where?

Will a System restore provide me with earlier versions of my files?  If not then if the spyHunter has worked I guess there is no point as it is now only the file/photos that I need to have back.  If system restore only restores system files it's going to be of limited value, is that correct?
Thomas Zucker-Scharff, Solution Guide
CERTIFIED EXPERT

Commented:
Backup to clouds is okay even if you use a mapped drive,  as long as the backup service uses versioning (any service that doesn't use versioning is not worth the effort). Also note that dropbox is NOT backup.

There is no utility that I know of that will decrypt files encrypted with a cryptowall variant.

Author

Commented:
I have now carried out the following steps
1)  paid for and loaded both Spyhunter and Reghunter
2)  run their scans - spyhunter found above 650 different issues and these were all cleared
3) The pop up ransom note no longer comes up
4) I then created some word and excel files to see if they became encrypted - and they have not in the interim days.
5) I then managed to get the files I most recently had worked on from a Dropbox restore - which allayed my worst fears.  Others such as photos I have either on another computer or on snapfish.  Therefore worst loss is of letters, spreadsheets from 10 years - but in practice how often does one really need letters sent to the school about children absences...
Remaining questions:
A) I am now looking for a versioning Backup programme.  Should I be trying to find one that sends different versions onto a zip drive - or is it better to choose the same but online?  Of the former it seemed that Norton Ghost was the best - but it has been withdrawn....
B)  I have been running Spyhunter every couple of evenings - and have not been using the internet on that computer.  I would expect it now not to be finding any adware or infections whatsoever.  However it is always saying it has found around 50 issues.  How is this possible?  Is it just trying to show me how good it is and giving me false readings.  It doesn't inspire me with confidence - or can infections somehow still be getting in just by my being passively connected to the internet - which I am.  And if so how can I be stopping that?

Thank you all for your advice.  On receipt of last two questions I will go back through the correspondence to find which replies are the ones that were the solution!
Great service.
Geoff

BUT  I do have one more question
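
Added example (not part of the original thread and not any poster's code): a Python check for the "any way to be sure?" question, listing which documents in a folder no longer start with the file signature their extension implies, so they can be queued for a version restore. It assumes the ransomware overwrote files in place, header included, and kept the original extensions; the signature table, function names and sample files are constructed for this example.

```python
import os
import sys
import tempfile

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office container (.doc/.xls)
ZIP = b"PK\x03\x04"                          # Office Open XML (.docx/.xlsx)
JPEG = b"\xff\xd8\xff"
SIGNATURES = {".doc": OLE2, ".xls": OLE2, ".docx": ZIP, ".xlsx": ZIP,
              ".jpg": JPEG, ".jpeg": JPEG, ".pdf": b"%PDF"}

def classify(path):
    """Return 'ok', 'suspect' or 'skipped' for a single file."""
    expected = SIGNATURES.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return "skipped"                     # type not covered by this check
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(expected))
    except OSError:
        return "skipped"                     # unreadable or locked file
    if not head:
        return "skipped"                     # empty file, nothing to judge
    return "ok" if head == expected else "suspect"

def scan(root):
    """Walk root and group relative file paths by classification."""
    report = {"ok": [], "suspect": [], "skipped": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            report[classify(full)].append(os.path.relpath(full, root))
    return {state: sorted(paths) for state, paths in report.items()}

def demo():
    """Constructed sample folder: two intact files, two overwritten, one untyped."""
    samples = {"letter.docx": ZIP + b"\x14\x00" * 8,
               "photo.jpg": JPEG + b"\xe0\x00\x10JFIF\x00",
               "budget.xls": bytes(range(0x40, 0x60)),   # stands in for ciphertext
               "scan.pdf": bytes(range(0x90, 0xB0)),     # stands in for ciphertext
               "notes.txt": b"plain text"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__":
    result = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for state in ("suspect", "ok", "skipped"):
        print(f"{state}: {len(result[state])}")
        for rel in result[state] if state == "suspect" else []:
            print("   ", rel)
```

Pass the synced folder path as the only argument to scan real files. A "suspect" result marks a candidate for restore from a prior version; "ok" only means the header is intact, not that the whole file is.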