Solved

How to handle ransomware

Posted on 2016-09-23
76 Views
Last Modified: 2016-09-24
Hi,
  Most of the files (Word/Excel/Access/PDF) on my server are infected by the ZEPTO virus. The backup device does not have the latest files. So I am considering paying the ransom money; we don't have much option, even if there is no guarantee.
Having said that, did anyone try to pay these virus developers "bitcoin dollars" and successfully decrypt infected files?
Any advice in terms of how to deal with these people?
 I have a screenshot of the message (where it shows the URL to receive my private key along with additional steps to try, and it had "personal identification ID: xxxxx!!!"). I can post it if you would like to see it.
 Thanks in advance.
Zepto-virus.PNG
Question by:sglee
23 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 250 total points
ID: 41813269
There is at best a 50:50 chance you will get a key. Ransoms have become more expensive as well, even though they may not give you the key.
0
 

Author Comment

by:sglee
ID: 41813270
50/50 is better than anything that we have. Is that from personal experience?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41813271
No, but it is from reading a number of recent articles. Some people win and many lose.

So if you wish to go ahead, all you can do is try.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
ID: 41813272
Yes and no. There is no guarantee the decryption tool will work 100% and not corrupt the files. Importantly, it does not state that they will not return to reinfect, or that they will clean off the machine after payment.

I strongly encourage not paying the ransom, though unfortunately, at this time there is still no way to decrypt Zepto/Locky encrypted folders for free.

Meanwhile, I hope you consider the following moving ahead.

Disconnect the infected machine.

Change your passwords, especially those reused on social sites, web email, etc.

Recover whatever is possible from your working backup.

Rescan using an alternate scanner besides your AV; I suggest Malwarebytes Anti-Malware or Anti-Exploit and HitmanPro.Alert.

Turn on AppLocker for application whitelisting if you have it; otherwise consider CryptoPrevent (FoolishIT) or SecureAPlus. Disable active macros in MS Office.

Add anti-ransomware software such as Malwarebytes Anti-Ransomware or WinPatrol WinAntiRansom.

 Spend more time on user education in cyber hygiene: looking out for phishing links, websites and emails, and the use of unknown thumb drives.

 Don't use an admin account by default for users.
0
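The "recover whatever is possible from your working backup" step above is where most of the real work is, and the first thing a responder needs is an inventory: how many files were encrypted, when the encryption ran (so you know which backup set predates it and whether it is still running), and how much of the damage the backup can actually give back. The script below is an added example written for this thread, not code from the original post or from any vendor. It assumes the indicators the thread mentions for this family, namely that Zepto renames victims' files to an opaque name with a `.zepto` extension and drops `_HELP_instructions.*` ransom notes in each directory; confirm both against your own ransom note before relying on them. The sample share and backup tree it builds are constructed inline so it runs offline.

```python
"""Triage a share hit by Locky/Zepto-style ransomware and reconcile it with a backup.

Added example, not part of the original thread. The indicators below are assumptions
for illustration: confirm the extension and ransom note names against your own incident.
"""
import os
import tempfile
from datetime import datetime
from pathlib import Path

ENCRYPTED_EXT = ".zepto"                    # assumption: extension this family appends
RANSOM_NOTE_PREFIX = "_help_instructions."  # assumption: ransom note base name (html/txt/bmp)


def is_encrypted(p: Path) -> bool:
    return p.suffix.lower() == ENCRYPTED_EXT


def is_ransom_note(p: Path) -> bool:
    return p.name.lower().startswith(RANSOM_NOTE_PREFIX)


def triage(root: Path) -> dict:
    """Count encrypted, intact and note files under root and find the encryption window.

    The window (first and last mtime of an encrypted file) tells you which backup set
    predates the attack; a 'last' close to now means the encryption may still be running.
    """
    enc = intact = notes = 0
    per_dir = {}
    first = last = None
    for dirpath, _, files in os.walk(root):
        d = Path(dirpath)
        for name in files:
            p = d / name
            if is_ransom_note(p):
                notes += 1
                continue
            stats = per_dir.setdefault(str(d.relative_to(root)), {"encrypted": 0, "intact": 0})
            if is_encrypted(p):
                enc += 1
                stats["encrypted"] += 1
                mtime = p.stat().st_mtime
                first = mtime if first is None else min(first, mtime)
                last = mtime if last is None else max(last, mtime)
            else:
                intact += 1
                stats["intact"] += 1
    return {"encrypted": enc, "intact": intact, "ransom_notes": notes,
            "first_encrypted": first, "last_encrypted": last, "per_dir": per_dir}


def reconcile(root: Path, backup: Path) -> dict:
    """Per directory, decide how much the backup can give back.

    Renaming destroys the original names, so encrypted files cannot be matched one-to-one.
    Instead, every backup file whose path no longer exists intact in production is
    restorable, and the shortfall between encrypted and restorable files is the estimated loss.
    """
    result = {}
    for rel_dir, stats in triage(root)["per_dir"].items():
        bdir = backup / rel_dir
        restorable = []
        if bdir.is_dir():
            for bp in bdir.iterdir():
                if bp.is_file() and not (root / rel_dir / bp.name).exists():
                    restorable.append(bp.name)
        result[rel_dir] = {**stats, "restorable": sorted(restorable),
                           "lost_estimate": max(0, stats["encrypted"] - len(restorable))}
    return result


def build_sample(base: Path) -> tuple:
    """Constructed sample: a hit share and an older backup that is missing one file."""
    root, backup = base / "share", base / "backup"
    for sub in ("finance", "hr"):
        (root / sub).mkdir(parents=True)
        (backup / sub).mkdir(parents=True)
    # finance: two files encrypted and renamed, one untouched, plus a ransom note
    (root / "finance" / "D8A1C2F0-1B3E-4A5D-9C7E-0F1A2B3C4D5E.zepto").write_bytes(b"\x00" * 64)
    (root / "finance" / "E9B2D3A1-2C4F-4B6E-8D7F-1A2B3C4D5E6F.zepto").write_bytes(b"\x00" * 64)
    (root / "finance" / "readme.txt").write_text("not a targeted extension")
    (root / "finance" / "_HELP_instructions.html").write_text("ransom note")
    # the backup holds only one of the two encrypted finance files, plus the untouched one
    (backup / "finance" / "budget.xlsx").write_bytes(b"old budget")
    (backup / "finance" / "readme.txt").write_text("not a targeted extension")
    # hr: one encrypted file, and the backup still has it
    (root / "hr" / "A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D.zepto").write_bytes(b"\x00" * 64)
    (backup / "hr" / "contracts.docx").write_bytes(b"old contracts")
    return root, backup


def run_sample() -> tuple:
    """Build the constructed tree in a temp dir and return (triage, reconcile) results."""
    with tempfile.TemporaryDirectory() as tmp:
        root, backup = build_sample(Path(tmp))
        return triage(root), reconcile(root, backup)


if __name__ == "__main__":
    t, r = run_sample()
    print(f"encrypted={t['encrypted']} intact={t['intact']} notes={t['ransom_notes']}")
    print("window:", datetime.fromtimestamp(t["first_encrypted"]), "->",
          datetime.fromtimestamp(t["last_encrypted"]))
    for d, s in r.items():
        print(f"{d}: encrypted={s['encrypted']} restorable={s['restorable']} "
              f"lost_estimate={s['lost_estimate']}")
```

Run it against a read-only mount of the share (never from an account that can write to it, and only after the infected host is off the network) and point `reconcile` at the last backup set whose date is earlier than the `first_encrypted` timestamp. The `lost_estimate` column is what tells you how much work users will have to redo, which is the number to weigh against the ransom.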
 

Author Comment

by:sglee
ID: 41813273
Any particular tactic worth noting from the articles you have read? Like paying partial ransom money for partial recovery ... not exactly, but something like that. Or do you just have to pay what they are asking and hope for the best?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41813274
The latter. Pay what they ask and hope. That is all you can do. Articles are hearsay so no real value here.
0
 

Author Comment

by:sglee
ID: 41813278
@btan
I will update user password.
"There is no guarantee the decryption tool will work 100% and not corrupt the files. Importantly, it does not state that it will not return to reinfect or clean off the machine after payment." ---> I am with you 100%. But as much as I hate to try this option, this is the only option that I have. I can't think about what might happen after the files are decrypted at this point. I will think about that later. But for now I need to find a way to decrypt these files.
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 250 total points
ID: 41813279
There is NO way to decrypt the files except with the key from the criminals.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
ID: 41813280
If there is no backup and the recovery attempt is futile, then the last resort, as mentioned, is payment.
To receive the unique private key, the infected user is told to visit one of several available Tor pages listed in these ransom notes. The person will eventually navigate to the "Locky Decryptor Page" containing the Bitcoin address, to which they are supposed to send about 0.5 BTC, which roughly equals $300. Uncomfortable as it is, the option of paying the ransom may seem to be the only way out.
0
 

Author Comment

by:sglee
ID: 41813286
"send about 0.5 BTC, which roughly equals to $300" --> We traced that site and the amount was over 2k in our case.
0
 
LVL 61

Expert Comment

by:btan
ID: 41813294
The rate is always changing... Users are the victims and slaves to the payment.
0
 

Author Comment

by:sglee
ID: 41813300
Sad ...
0
 
LVL 13

Expert Comment

by:akb
ID: 41813331
You should NOT pay the ransom under any circumstances. You are funding criminals. The more money they make the more they are enabled to develop more sophisticated software to steal more money from more people. Additionally, these thieves are often associated with larger criminal organisations that use the money to fund their other illegal activities - extortion, kidnapping, murder. Do you really want to be funding that?
1
 

Author Comment

by:sglee
ID: 41813348
@akb,
I hear you. All you said makes sense.
0
 
LVL 61

Expert Comment

by:btan
ID: 41813383
It is known not to pay on individual and enterprise level.

A recent advisory issued by the FBI strongly urges victims of ransomware not to pay the criminals.

The advisory quotes FBI Cyber Division Assistant Director James Trainor, who confirms that the bureau does not recommend paying extortionists:


“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
0
 
LVL 12

Expert Comment

by:Sandeep
ID: 41813460
I would suggest you should not give money to them so easily, as that money can be used in the wrong way. A few wrong examples were given, but terrorism was missed, which is important. Your money can be used by such organisations.

If I were in your place, I would restore from whatever backup I have and put the same money into making the backup stronger, so if someone tries to screw me again I have my ass covered with the latest backup.

Thanks
0
 
LVL 61

Expert Comment

by:btan
ID: 41813464
You may also try forensic recovery tools, as some ransomware may not have securely wiped diligently; you have nothing to lose since all the files are already locked. But some ransomware will start wiping out the encrypted files if the ransom is due or as the deadline draws nearer. Stay composed and manage the fear mongering and mind games by those criminals... they ultimately only want your ransom, as the files are nothing to them... unless there is a hidden agenda from them.
0
 
LVL 87

Expert Comment

by:rindi
ID: 41813477
If you don't have the current backup, just restore the old versions you still have backups of, and have your employees do the work again of what is lost, if needed. There just is no point at all in even thinking about paying the ransom. It is not worth it. If you pay, all you do is support the crooks so they can design even better viruses and extort even more money from others or from you again.
0
 

Author Comment

by:sglee
ID: 41813637
I appreciate all the comments.
0
 

Author Comment

by:sglee
ID: 41813827
Does anyone know how to purchase bitcoin or what the process is?
0
 
LVL 61

Accepted Solution

by:btan
btan earned 250 total points
ID: 41814184
You need to
- register for Bitcoin wallet.
- buy Bitcoin to store in wallet.
- know Bitcoin address to pay using wallet.
I will not go into specifics since we have long discussed discouraging it.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41814188
@sglee - Thanks and I was happy to help.
0
 
LVL 6

Expert Comment

by:No More
ID: 41814208
@sglee

You should also get the Tor browser and connect to the website link you have in the picture (the desktop wallpaper); usually they allow you to decrypt one of the Zepto files.

We do not encourage any of our customers to pay the fee to those criminals.

I would suggest focusing on prevention and security settings, because you might get another user who will open that infected attachment and the problem will be back.

And also keep your backups up to date and secure.
0
