Lomed_Geoff
asked on
My dropbox has been encrypted by an outsider - help!
I put some of my photos and files onto dropbox about a year ago. Two weeks ago I noticed a pop up Notepad message when I booted up my computer (which freezes every so often and needs rebooting).
I never read the message until I tried to access a file from dropbox and found that all of the files there are now encrypted.
Here is the text of the notepad message. How serious is this? Of course I have not replied.
ATTENTION:
All your documents, photos, databases and other important personal files
were encrypted using strong RSA-1024 algorithm with a unique key.
If you want to restore your files please follow the instructions:
1. Send email to keybtc@inbox.com, with the following files in attachment:
- FILE1.BIN and FILE2.BIN files (check your desktop
and local disks to find these files or just use Windows Search.
- One of your encrypted personal file for test decryption.
Supported types: DOC/DOCX, JPG/JPEG, PDF. Maximum file size: 3 Mb.
2. Wait for email from us containing:
- Your decrypted file, prooving that we can really help you.
- Decryption price and payment details.
3. Make payment.
4. Recieve decryption key and detailed instructions how to decrypt your files.
IMPORTANT:
- You must contact us in 24 hours (from 17/11/2014 22:46), unless the price will rise.
- Nobody can help you except us. It is useless to reinstall Windows, rename files, etc.
- Your files will be decrypted as quick as you contact us and make payment.
If you have any questions, please feel free to ask.
Contact email: keybtc@inbox.com.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Am I not able to clean this from my computer? Surely paying the ransom won't help = they would simply do it again or take the money and not do anything.
How do I protect my computer assuming I can get it clean?
What about resetting my computer to an earlier date - would that work? I believe that it happened on 16th November.
If your computer and its files work fine, then it is not your computer that has been hacked.
Only your dropbox account has been hacked / been hijacked by Ransomware.
If your dropbox data is important then paying the ransom is your only way of recovery.
In future always make and store a back-up copy of any cloud / online storage.
Reset all your passwords and do not use the same passwords for multiple accounts.
"Surely paying the ransom won't help = they would simply do it again or take the money and not do anything."
Once you pay the ransom, copy the files to another media storage device, external HDD, etc.
Close your dropbox account and open another account and enable two-step verification?
See: blog.dropbox.com
https://blog.dropbox.com/2014/10/have-you-enabled-two-step-verification/
Scan your PCs with malwarebytes, it should be able to remove cryptolocker or cryptowall malware.
http://malwarebytes.org
After that use your backups to restore the data, or sometimes as has been mentioned already, try restore points from earlier dates.
DropBox itself should directly be affected by those malware, but if you mapped a drive-letter from an infected PC to dropbox, the files there can also be encrypted, or of course if dropbox was synced to from an infected PC, that would also have happened.
So the first thing to do is check all your PCs and clean them.
Dropbox is invariably affected by cryptography virii. Dropbox does keep prior versions, but it takes time to get them to do a restore. We have had great success with versioning software like crashplan.
ASKER
Please confirm then that I need to take these steps:
1) clean the PC with malware (it is also infected by the way - all excel, word, photo files are encrypted but email still works)
2) try version restore from before 15th November - could this in fact solve all problems without having to pay a ransom? Michael Best please clarify why your confidence that they will in fact decrypt if I pay and not just take the money?
3) have dropbox restore from a pre 15 nov date. then shift key files to a memory stick before opening up another account
Presumably backing up to cloud is also vulnerable so only safe way in future is to backup to a separate hard drive?
Thank you
A restore to a time previous to infection/encryption should take care of everything.
In terms of backup, files that are not backed up in at least 2 other locations are files you don't care about. Cloud backup is good, but you need something that does versioning (crashplan, spideroak, comodo, mozy, etc.). System restore will take care of most things but it's not a backup and you can't rely on it keeping restore points very long.
Read my article on backup:
https://www.experts-exchange.com/Software/Backup_Restore/A_16059-Backing-up-more-than-a-necessity.html
https://www.experts-exchange.com/Software/Backup_Restore/A_17402-Cloud-Backup-Why-I-changed-providers.html
ASKER
Thank you - will cleaning my pc with malware then prevent me from a system restore? Should I first attempt the system restore and then load up malware?
I have Windows 8 - home version - how do I find the system restore and whether I have a version old enough?
Cleaning malware won't necessarily wipe the system restore points. Doing a system restore before removing the malware could cause the restored system to also get encrypted, as the malware is still active. Also, some malware will disable system restore, so after an infection that sometimes won't work.
In Windows 8.x, right click "This PC", select "Properties", "System Protection", then input the admin account's credentials, then select "System Restore", then follow the wizard's steps to find and restore to older restore points.
KNOW that you may need to check the box to display all restore points.
Re:
"Michael Best please clarify why your confidence that they will in fact decrypt if I pay and not just take the money?"
I did not and do not recommend paying the ransom, but if you have no back-ups, and cannot find any recovery method (and the files are worth the ransom asked) then it's still a gamble at best.
Read: "Ransomware - would you pay up?" from nakedsecurity.sophos.com and also watch the video.
Link
https://nakedsecurity.sophos.com/2012/09/25/ransomware-would-you-pay-up/
Also, just to be clear, anti-malware and our Antivirus software never guarantees against future "infection." A combination of methods is best, such as MBAM Pro alongside a good AV solution (with only one running on access scanning - I set it to be MBAM). I also run Winpatrol Plus. These combined with good surfing/browsing habits (and never clicking a link in an email) should do the trick. Remember that the only completely secure computer is one that is completely isolated from the Internet and filled with cement.
Maybe besides what has already been said, always make sure you are logged on to your PCs with a standard account; accounts that have Administrator rights should only be used for those specific tasks. This can't protect against everything, but it helps. So make sure you create an Admin and a standard account, and for normal use only use the standard account.
Another good idea is to use a linux PC, and whenever you get a suspicious email, only open it using that PC. Linux is far less likely to pick up malware, particularly from opening attachments etc. Many of those attachments or executables only work under Windows.
ASKER
Ok - I have downloaded both Spyhunter and Reghunter so I have to hope that amongst the 600 issues found and cleaned, they have also got rid of the ransomware. Any way to be sure?
rindi - a few things you have written that I am not clear on:
1)"Backup to the cloud is OK, as long as you don't use mapped drives or keep them mapped", - if you are setting up a regular backup from your drives, how can you not have them mapped?
2) "In Windows 8.x, right click "This PC", select "Properties", "System Protection", then input the admin account's credentials, then select "System Restore", then follow the wizard's steps to find and restore to older restore points. " - I don't know what you mean by "This PC" - I can't find this to right click on. What window should I be on to right click - and where?
Will a System restore provide me with earlier versions of my files? If not then if the spyHunter has worked I guess there is no point as it is now only the file/photos that I need to have back. If system restore only restores system files it's going to be of limited value, is that correct?
Backup to clouds is okay even if you use a mapped drive, as long as the backup service uses versioning (any service that doesn't use versioning is not worth the effort). Also note that dropbox is NOT backup.
There is no utility that I know of that will decrypt files encrypted with a cryptowall variant.
ASKER
I have now carried out the following steps
1) paid for and loaded both Spyhunter and Reghunter
2) run their scans - spyhunter found above 650 different issues and these were all cleared
3) The pop up ransom note no longer comes up
4) I then created some word and excel files to see if they became encrypted - and they have not in the interim days.
5) I then managed to get the files I most recently had worked on from a Dropbox restore - which allayed my worst fears. Others such as photos I have either on another computer or on snapfish. Therefore worst loss is of letters, spreadsheets from 10 years - but in practice how often does one really need letters sent to the school about children absences...
Remaining questions:
A) I am now looking for a versioning Backup programme. Should I be trying to find one that sends different versions onto a zip drive - or is it better to choose the same but online? Of the former it seemed that Norton Ghost was the best - but it has been withdrawn....
B) I have been running Spyhunter every couple of evenings - and have not been using the internet on that computer. I would expect it now not to be finding any adware or infections whatsoever. However it is always saying it has found around 50 issues. How is this possible? Is it just trying to show me how good it is and giving me false readings. It doesn't inspire me with confidence - or can infections somehow still be getting in just by my being passively connected to the internet - which I am. And if so how can I be stopping that?
Thank you all for your advice. On receipt of last two questions I will go back through the correspondence to find which replies are the ones that were the solution!
Great service.
Geoff
BUT I do have one more question
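One way to check, after a cleanup like the one in the post above, which documents are intact and which still need restoring from a Dropbox version or a backup (an added example, not part of the original thread). It assumes encrypted files keep their original extension; the signature table, the 7.5 bits/byte threshold and the sample files are constructed for illustration.

```python
import math
import os
import tempfile

# Leading bytes of intact files: the types named in the ransom note plus the
# Office formats the asker mentions.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
}

def entropy(data):
    """Shannon entropy in bits per byte (8.0 looks like random data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(path, sample=65536):
    """'ok' if the header matches the extension, else 'suspect' or 'damaged'."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return "unknown-type"
    with open(path, "rb") as fh:
        head = fh.read(sample)
    # Header first: intact JPG/DOCX are compressed, so entropy alone would
    # flag healthy files as well.
    if head.startswith(MAGIC[ext]):
        return "ok"
    # Header gone. Near-random content points at encryption; very small files
    # cannot reach the threshold and are reported as 'damaged' instead.
    return "suspect" if entropy(head) > 7.5 else "damaged"

def triage(root):
    """Walk root and map each checked file (relative path) to its verdict."""
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            try:
                verdict = classify(full)
            except OSError:
                verdict = "unreadable"
            if verdict != "unknown-type":
                result[os.path.relpath(full, root)] = verdict
    return result

def demo():
    """Constructed tree: intact PDF, ciphertext-like JPG, mislabelled DOCX."""
    samples = {
        "letter.pdf": b"%PDF-1.4\n" + b"constructed sample text " * 50,
        "holiday.jpg": bytes((i * 167 + 13) % 256 for i in range(8192)),
        "budget.docx": b"plain text saved under the wrong extension",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return triage(root)

if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:8} {path}")
```

Files reported as `suspect` or `damaged` are the ones to look up in version history; the script only reads files and changes nothing.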
Very...
You have been hijacked by Ransomware.
See en.wikipedia.org
Link:
http://en.wikipedia.org/wiki/Ransomware
If you do not have a back-up of your files then your choices are one of two.
1 pay the ransom to get your files back.
2 write off the files as lost.