My dropbox has been encrypted by an outsider - help!

I put some of my photos and files onto dropbox about a year ago.  Two weeks ago I noticed a pop up Notepad message when I booted up my computer (which freezes every so often and needs rebooting).
I never read the message until I tried to access a file from dropbox and found that all of the files there are now encrypted.
Here is the text of the notepad message.  How serious is this?  Of course I have not replied.


                All your documents, photos, databases and other important personal files
                were encrypted using strong RSA-1024 algorithm with a unique key.
                If you want to restore your files please follow the instructions:

                1. Send email to, with the following files in attachment:

                                - FILE1.BIN and FILE2.BIN files (check your desktop
                                  and local disks to find these files or just use Windows Search.

                                - One of your encrypted personal file for test decryption.
                                  Supported types: DOC/DOCX, JPG/JPEG, PDF. Maximum file size: 3 Mb.

                2. Wait for email from us containing:

                                - Your decrypted file, prooving that we can really help you.
                                - Decryption price and payment details.

                3. Make payment.

                4. Recieve decryption key and detailed instructions how to decrypt your files.


                - You must contact us in 24 hours (from 17/11/2014 22:46), unless the price will rise.
                - Nobody can help you except us. It is useless to reinstall Windows, rename files, etc.
                - Your files will be decrypted as quick as you contact us and make payment.

                If you have any questions, please feel free to ask.

                Contact email:
rindi Commented:
1. Correct, clean all your PC's that connect to dropbox first. The malware infects dropbox via your PC and not the other way. Also disable any dropbox startup tools, or the encrypted files will probably just be restored to the PC if a sync starts.

2. A restore from the backup before the infection will help. Never ever pay any ransom, first the price will probably be astronomical, and no one guarantees that you'll get the keys for recovery, and besides, never in any way support the crooks.

3. That is what you can try if your backup is no good. Otherwise just delete the files on dropbox and upload them again. Also, I'm not sure if dropbox does any restore for the free service...

Backup to the cloud is OK, as long as you don't use mapped drives or keep them mapped, and you keep more than one version backed up (backing up files that are corrupted, so they overwrite the previous backup, will always be a problem, whether that is to the cloud or somewhere else). If you back up to external disks, always disconnect them after the backup, and always make sure you have several versions backed up.
"How serious is this?"


You have been hijacked by Ransomware.



If you do not have a back-up of your files then your choices are one of two.

1 pay the ransom to get your files back.
2 write off the files as lost.
Thomas Zucker-Scharff (Systems Analyst) Commented:
Third choice for dropbox files:

If you put a ticket in with dropbox they might have older versions,  it really depends on how long those files have been encrypted.
Lomed_Geoff (Author) Commented:
Am I not able to clean this from my computer?  Surely paying the ransom won't help = they would simply do it again or take the money and not do anything.

How do I protect my computer assuming I can get it clean?

What about resetting my computer to an earlier date - would that work?  I believe that it happened on 16th November.
If your computer and its files work fine, then it is not your computer that has been hacked.
Only your dropbox account has been hacked / been hijacked by Ransomware.

If your dropbox data is important then paying the ransom is your only way of recovery.

In future always make and store a back-up copy of any cloud / online storage.

Reset all your passwords and do not use the same passwords for multiple accounts.
"Surely paying the ransom won't help = they would simply do it again or take the money and not do anything."

Once you pay the ransom copy the files to another media storage device external HDD, etc.
Close your dropbox account and open another account and enable two-step verification?
Scan your PC's with malwarebytes, it should be able to remove cryptolocker or cryptowar malware.

After that use your backups to restore the data, or sometimes as has been mentioned already, try restore points from earlier dates.

DropBox itself should directly be affected by those malware, but if you mapped a drive-letter from an infected PC to dropbox, the files there can also be encrypted, or of course if dropbox was synced to from an infected PC, that would also have happened.

So the first thing to do is check all your PC's and clean them.
Thomas Zucker-Scharff (Systems Analyst) Commented:
Dropbox is invariably affected by cryptography virii. Dropbox does keep prior versions,  but it takes time to get them to do a restore. We have had great success with versioning software like crashplan.
Lomed_Geoff (Author) Commented:
Please confirm then that I need to take these steps:
1) clean the PC with malware (it is also infected by the way - all excel,  word , photo files are encrypted but email still works)
2) try version restore from before 15th November - could this in fact solve all problems without having to pay a ransom?  Michael Best please clarify why your confidence that they will in fact decrypt if I pay and not just take the money?
3)  have dropbox restore from a pre 15 nov date.  then shift key files to a memory stick before opening up another account

Presumably backing up to cloud is also vulnerable so only safe way in future is to backup to a separate hard drive?

Thank you
Thomas Zucker-Scharff (Systems Analyst) Commented:
A restore to a time previous to infection/encryption  should take care of everything.  

In terms of backup, files that are not backed up in at least 2 other locations are files you don't care about.  Cloud backup is good, but you need something that does versioning (crashplan, spideroak, comodo, mozy, etc.)  System restore will take care of most things but it's not a backup and you can't rely on it keeping restore points very long.

Read my article on backup:
Lomed_Geoff (Author) Commented:
Thank you - will cleaning my pc with malware then prevent me from a system restore?  Should I first attempt the system restore and then load up malware?
I have Windows 8 - home version - how do I find the system restore and whether I have a version old enough?
Cleaning malware won't necessarily wipe the system restore points. If you do a system restore before removing the malware, it could cause the restored system to also get encrypted, as the malware is still active. Also, some malware will disable system restore, so after an infection that sometimes won't work.

In Windows 8.x, right click "This PC", select "Properties", "System Protection", then input the admin account's credentials, then select "System Restore", then follow the wizard's steps to find and restore to older restore points.
Thomas Zucker-Scharff (Systems Analyst) Commented:
KNOW that you may need to check the box to display all restore points.
"Michael Best please clarify why your confidence that they will in fact decrypt if I pay and not just take the money?"

I did not and do not recommend paying the ransom, but if you have no back-ups, and cannot find any recovery method (and the files are worth the ransom asked) then it's still a gamble at best.

Read: "Ransomware - would you pay up?" from and also watch the video.

Thomas Zucker-Scharff (Systems Analyst) Commented:
Also, just to be clear, antimalware and/or antivirus software never guarantees against future "infection." A combination of methods is best, such as MBAM Pro alongside a good AV solution (with only one running on access scanning - I set it to be MBAM). I also run Winpatrol Plus.  These combined with good surfing/browsing habits (and never clicking a link in an email) should do the trick.  Remember that the only completely secure computer is one that is completely isolated from the Internet and filled with cement.
Michael-Best Commented:
Cloud based free antivirus tools will protect you from any suspect internet content.

I trust and have used free Panda on all my computers (XP and up) for many years with "0" infections.


Never open an attachment in an email from someone you do not know or trust or open an untrustworthy or suspect downloaded file without first scanning it with an antivirus software that automatically scans compressed files.

BTW, Panda free, automatically scans compressed files by default.
If you wish to do a "scan on demand" then go to "settings" and turn on " scan compressed files"
Maybe besides what has already been said, Always make sure you are logged on to your PC's with a standard account, accounts that have Administrator rights should only be used for those specific tasks. This can't protect against everything, but it helps. So make sure you create an Admin and a standard account, and for normal use only use the standard account.

Another good idea is to use a linux PC, and whenever you get a suspicious email, only open it using that PC. Linux is far less likely to pick up malware, particularly from opening attachments etc. Many of those attachments or executables only work under Windows.
Lomed_Geoff (Author) Commented:
Ok - I have downloaded both Spyhunter and Reghunter so I have to hope that amongst the 600 issues found and cleaned, they have also got rid of the ransomware.  Any way to be sure?

 rindi - a few things you have written that I am not clear on:
1)"Backup to the cloud is OK, as long as you don't use mapped drives or keep them mapped", - if you are setting up a regular backup from your drives, how can you not have them mapped?
2) "In Windows 8.x, right click "This PC", select "Properties", "System Protection", then input the admin account's credentials, then select "System Restore", then follow the wizard's steps to find and restore to older restore points. " - I don't know what you mean by "This PC" - I can't find this to right click on.  What window should I be on to right click - and where?

Will a System restore provide me with earlier versions of my files?  If not then if the spyHunter has worked I guess there is no point as it is now only the file/photos that I need to have back.  If system restore only restores system files it's going to be of limited value is that correct?
rindi Commented:
1. You can access dropbox directly from within the browser and download / upload files to / from it without mapping a drive. But there could also be utilities from the cloud provider (I never used them so I'm not sure what exactly they can do) you have installed on the PC which may automatically sync your PC's files with the cloud, or map the cloud to a drive-letter so you can access them directly via explorer etc. Cryptolocker and Cryptowall and their variants both only access local files, and those directly accessible via a drive letter. So if you have such a tool installed, disable it when not in use.

2. In my Windows 8.x setups, I always set it up so all the normal desktop icons are shown on the desktop. The default setting isn't set up correctly in my point of view. For that I right click an empty space on the desktop, select "Personalize", then click on "Change Desktop Icons". Now I put a checkmark in all which are available (Computer, User's files, Network, Control Panel, Recycle Bin). After that you'll have an Icon named "This PC" on the desktop. That's the one you right click.

An earlier restore point or volume shadow copy of your files will probably not help, as at least CryptoWall deletes all previous versions.

I'm also not sure whether the software you mentioned above removes those malwares, but I do know that Malwarebytes does. I suggest you scan your PC with malwarebytes.
Thomas Zucker-Scharff (Systems Analyst) Commented:
Backup to clouds is okay even if you use a mapped drive,  as long as the backup service uses versioning (any service that doesn't use versioning is not worth the effort). Also note that dropbox is NOT backup.

There is no utility that I know of that will decrypt files encrypted with a cryptowall variant.
Lomed_Geoff (Author) Commented:
I have now carried out the following steps
1)  paid for and loaded both Spyhunter and Reghunter
2)  run their scans - spyhunter found above 650 different issues and these were all cleared
3) The pop up ransom note no longer comes up
4) I then created some word and excel files to see if they became encrypted - and they have not in the interim days.
5) I then managed to get the files I most recently had worked on from a Dropbox restore - which allayed my worst fears.  Others such as photos I have either on another computer or on snapfish.  Therefore worst loss is of letters, spreadsheets from 10 years - but in practice how often does one really need letters sent to the school about children absences...
Remaining questions:
A) I am now looking for a versioning Backup programme.  Should I be trying to find one that sends different versions onto a zip drive - or is it better to choose the same but online?  Of the former it seemed that Norton Ghost was the best - but it has been withdrawn....
B)  I have been running Spyhunter every couple of evenings - and have not been using the internet on that computer.  I would expect it now not to be finding any adware or infections whatsoever.  However it is always saying it has found around 50 issues.  How is this possible?  Is it just trying to show me how good it is and giving me false readings.  It doesn't inspire me with confidence - or can infections somehow still be getting in just by my being passively connected to the internet - which I am.  And if so how can I be stopping that?

Thank you all for your advice.  On receipt of last two questions I will go back through the correspondence to find which replies are the ones that were the solution!
Great service.

BUT  I do have one more question
rindi Commented:
I don't know spyhunter. In my point of view malwarebytes is the best product.

Sometimes some issues can't be removed, so they show up again after a later scan. For those issues you must go through each of them, decide whether they are bad or not, then look online for ways to remove them (some issues can be false positives, or software you actually trust). Besides that, there will always be malware that can't be found.

For backup or any other product, I would never recommend anything from Symantec (norton). Very good are the paragon products, they have a free backup tool which is for personal use, or the professional version which has more options. The best but also more expensive is shadowprotect from storagecraft. If you set your backups to do incremental backups the backups will be small in size, as only files that were changed will be backed up again later, and you'll have all those different files still available. You should also change the disk you backup to, so you have several you can cycle through, and always only connect them to the PC during the backup. Always remove them when the backup is done, and store them away from the PC.

Personally I don't recommend backing up to the cloud (or only as an additional backup). You never know what the company does with your data, or what happens if it goes bust.
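
The advice in this thread about keeping several backup versions, and about corrupted files overwriting the previous backup, can be backed by a check that runs before each backup or sync. The following is an added example, not code from any poster or product named here: it compares each file's leading bytes with the signature expected for its extension (the file types named in the ransom note, plus Excel) and reports when too many no longer match. The function names, the 5% threshold and the sample files are assumptions made for illustration.

```python
import os
import tempfile

# Leading bytes expected for the file types named in the ransom note
# (DOC/DOCX, JPG/JPEG, PDF) plus the Excel files mentioned in the thread.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
    ".docx": [b"PK\x03\x04"], ".xlsx": [b"PK\x03\x04"],
    ".doc": [b"\xd0\xcf\x11\xe0"], ".xls": [b"\xd0\xcf\x11\xe0"],
}

def header_mismatches(root):
    """Return (checked, bad): count of known-type files, and paths whose header is wrong."""
    checked, bad = 0, []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            checked += 1
            if not any(head.startswith(m) for m in MAGIC[ext]):
                bad.append(path)
    return checked, sorted(bad)

def safe_to_back_up(root, max_bad_ratio=0.05):
    """False when too many files look damaged; the run should then not replace older versions."""
    checked, bad = header_mismatches(root)
    return checked == 0 or len(bad) / checked <= max_bad_ratio

def build_sample(root):
    """Constructed sample data: three intact files and one overwritten with non-document bytes."""
    samples = {"letter.pdf": b"%PDF-1.4\n", "photo.jpg": b"\xff\xd8\xff\xe0JFIF",
               "budget.xlsx": b"PK\x03\x04rest", "school.docx": b"\x8e\x13\x5a\x07\xc1\x99\x02\x44"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        checked, bad = header_mismatches(root)
        print(checked, [os.path.basename(p) for p in bad], safe_to_back_up(root))
```

A mismatch only shows that a file no longer starts the way its type should; files renamed to a new extension are not covered, and an older `.doc` saved in another format can produce a false positive.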
Thomas Zucker-Scharff (Systems Analyst) Commented:
A resounding Crashplan is the answer to most of your question. See my article on why I changed versioning software providers.

There is a free version that does backup to local disks or folders.

In terms of the constant issues, your best bet is a complete rebuild.
Question has a verified solution.