Solved

Dealing with Locky ransomware...

Posted on 2016-10-10
76 Views
Last Modified: 2016-10-22
I had a user get hit with this on a home computer and had a couple of questions.

They are considering paying the ransom, but want to know how much. The only other time I dealt with one of these, I had access to a Verizon USB modem to download the Tor browser and go through the process. Since I no longer have that wireless device, how 'safe' is it to access that site? I had thought of plugging this computer directly into my Comcast modem, to keep it isolated from any of my home computers, and go on from there.

I've also been reading up on possible recovery options, like EaseUS, Recuva, R-Studio or Shadow Explorer. Anyone have any experience or luck with any of these? And last question, is there an AV software that will stop these?
Any advice appreciated!
Question by:gromack
13 Comments
 
LVL 15

Accepted Solution

by: Ivan (earned 250 total points)
Hi,

I don't think there is any AV that can stop ransomware at the moment. New versions are coming up every day, so there is always a window of a few hours until AV gets definitions for it.
Users have to be aware of it; someone has to teach them not to open suspicious emails, not to go to sites that are too unreal to be true, and so on.

Since they all encrypt data on the network that the infected computer/user has access to, control is very important, but most important is backup.
Backup, backup, backup :)

Everyone needs to have a backup of important data, so when you get hit by ransomware, you will just format the HDD, restore from backup, and keep working.

I don't think there is a decrypter for Locky, so if you don't intend to pay, I would suggest keeping that HDD somewhere, because maybe there will be some tool available. It has happened before, so it is a possibility.

Regards,
Ivan.
 
LVL 23

Assisted Solution

by: Dr. Klahn (earned 125 total points)
The ransom is often paid in Bitcoin, which means your client will have to buy Bitcoin somewhere.  This is a double threat because some of the Bitcoin-for-cash exchanges are somewhat shady, and your client's credit card will then be exposed.

The ransom is usually on the order of $500, which would buy a new PC.

Personally I recommend not paying the ransom.  Even if it is paid, you don't know what else has been installed in that system by the ransomware and you will never be able to trust it again.  A complete Windows reload is in order no matter what you choose to do.

When considering backups to prevent this type of situation, it is important to remember that the backup media must be kept offline.  The ransomware encrypts files on all drives connected to the system, including USB and network drives.

At present there is nothing that prevents day-zero exploits other than not opening emails with attachments and not going to shady web sites.  There has been some research done that can catch ransomware early on in the process by watching process file access behavior, but it takes a while to be sure it is ransomware and not, for example, Windows Search.  And some files are still lost.
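As an added illustration of the behavioural approach mentioned in the comment above (this is example code written for this page, not anything from the thread or from a product), the PowerShell below replays a constructed stream of file-rewrite events and alerts only after one process has produced a set number of high-entropy rewrites under a new extension. The events, the process IDs, the 7.0 bits/byte entropy cut-off, the threshold of 5 and the '.locky' extension are all assumptions for illustration. What it shows is the trade-off from the comment: the detector needs several samples before it can tell an encryptor apart from something like an indexer, and by then those files are already gone.

```powershell
# Added example, not code from the thread: a toy behavioural ransomware detector.
# It watches a stream of file-rewrite events and alerts only once one process has
# produced $Threshold suspicious rewrites, which is why the first few files are
# lost before the alert fires. Events, PIDs, thresholds and the ".locky" extension
# are constructed for illustration. Needs PowerShell 5 or later.

function Get-ShannonEntropy {
    # Bits of entropy per byte; random or encrypted data scores close to 8.
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($b in $Bytes) { $counts[$b] = 1 + [int]$counts[$b] }
    $entropy = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $Bytes.Length
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return $entropy
}

function Test-SuspiciousRewrite {
    # Two signals together: the new content is high-entropy AND the file came back
    # under a different extension. An indexer rewriting its own low-entropy files
    # in place trips neither.
    param([pscustomobject]$Rewrite)
    $highEntropy = (Get-ShannonEntropy -Bytes $Rewrite.Content) -gt 7.0
    $extChanged  = [IO.Path]::GetExtension($Rewrite.NewPath) -ne [IO.Path]::GetExtension($Rewrite.OldPath)
    return ($highEntropy -and $extChanged)
}

function Invoke-RansomwareMonitor {
    # Replays events in order; returns the alert or $null. FilesLost is how many
    # files the offending process had already rewritten when the alert fired.
    param([pscustomobject[]]$Events, [int]$Threshold = 5)
    $perProcess = @{}
    for ($i = 0; $i -lt $Events.Count; $i++) {
        $e = $Events[$i]
        if (-not (Test-SuspiciousRewrite -Rewrite $e)) { continue }
        $perProcess[$e.ProcessId] = 1 + [int]$perProcess[$e.ProcessId]
        if ($perProcess[$e.ProcessId] -ge $Threshold) {
            return [pscustomobject]@{
                ProcessId    = $e.ProcessId
                AlertAtEvent = $i
                FilesLost    = $perProcess[$e.ProcessId]
            }
        }
    }
    return $null
}

# --- constructed event stream ---
$rng    = [System.Random]::new(1)
$text   = [Text.Encoding]::ASCII.GetBytes('quarterly report ' * 40)   # low entropy
$events = @()

# Benign: an indexer rewrites a document in place (same extension, plain text).
$events += [pscustomobject]@{ ProcessId = 1200; OldPath = 'C:\Users\u\Documents\notes.txt'; NewPath = 'C:\Users\u\Documents\notes.txt'; Content = $text }

# Hostile: one process rewrites eight documents with random bytes under a new extension.
foreach ($n in 1..8) {
    $buf = New-Object byte[] 4096
    $rng.NextBytes($buf)
    $events += [pscustomobject]@{ ProcessId = 4321; OldPath = "C:\Users\u\Documents\file$n.docx"; NewPath = "C:\Users\u\Documents\file$n.locky"; Content = $buf }
}

# With a threshold of 5 the alert fires on the fifth hostile rewrite (event #5),
# after five of the eight documents have already been overwritten.
$alert = Invoke-RansomwareMonitor -Events $events -Threshold 5
if ($alert) {
    "Alert at event #$($alert.AlertAtEvent): PID $($alert.ProcessId) behaves like ransomware; $($alert.FilesLost) files were already rewritten."
} else {
    'No alert raised.'
}
```

Lowering -Threshold cuts the number of files lost but raises false positives against legitimate bulk rewriters (archivers, compression tools, encryption utilities), which is exactly the tension the comment describes. A real implementation would also have to kill or suspend the process on alert and act on file-system notifications rather than a replayed list.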
 
LVL 87

Expert Comment

by: rindi
Don't ever pay the ransom. That is the worst possible thing anyone can do, so never ever even consider that possibility. You then support those criminals, who then have the funds to create even worse viruses. Chances also aren't very high that you actually get the keys.

You must prevent your client from paying at all costs.
 
LVL 23

Expert Comment

by: Dr. Klahn
You must prevent your client from paying at all costs.

Was that pun pre-meditated?  'Cause it was very, very good.  B)
 
LVL 26

Expert Comment

by: Thomas Zucker-Scharff
The FBI recommends against paying ransom. See either my course or articles on ransomware.  Also check out Nomoreransom.org for decryptors.
 
LVL 61

Expert Comment

by: btan
Advise not to pay the ransom, as there is no guarantee of getting the decryptor to get the files back, or even of preventing your client from another recurrence of the infection.

Restore from the backup; if it is stored on that same machine or on a network-mapped drive accessible by that same machine, then you will not be able to recover those files, as Locky will have wiped them or encrypted them.

There is no decryptor for Locky as of now.

For preventive measures, ask your client:
- Not to log in as administrator, which I am sure they do for convenience. There is a need to educate them that a least-privilege account also deters such infection.

- Adopt application whitelisting using AppLocker, which allows authorised applications to run, and disable the running of scripts. Disable macro running in Office too.

- Augment existing AV with anti-ransomware such as Malwarebytes Anti-Ransomware, WinPatrol WinAntiRansom or Sophos Intercept X, which has a CryptoGuard feature. Consider use of anti-malware instead of the traditional AV. Malwarebytes has Anti-Malware and Anti-Exploit. Microsoft has EMET for free.

For now, advise the client to disconnect the machine, change to stronger passwords for all accounts, especially those using the same password, and rebuild the machine instead of cleaning it up.
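The preventive controls in the comment above (least privilege, Office macros, scripts, whitelisting), put into a single elevated PowerShell 5.1 pass. This is an added example for this page, not code from btan or from any vendor. It assumes Office 2016 (registry version key 16.0; Office 2013 uses 15.0) and a Windows edition that supports AppLocker enforcement (Windows 7 Ultimate/Enterprise, Windows 10 Enterprise/Education); on a Home edition, which is likely for the machine in the question, only the account check, the macro settings and the Windows Script Host setting apply. The probe file name invoice.js is constructed.

```powershell
# Added example, not code from the thread: one hardening pass over the controls
# listed above. Run from an elevated PowerShell 5.1 prompt. Assumptions: Office 2016
# (16.0), and an edition with AppLocker; steps 1-3 work on any edition.

# 1. Least privilege: report daily-use accounts sitting in the local Administrators group.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -notmatch '\\Administrator$' } |
    ForEach-Object { Write-Warning "'$($_.Name)' is a local administrator; move daily use to a standard account." }

# 2. Office macros: disable all VBA macros without prompting, and block macros in files
#    that carry the Internet mark-of-the-web. Policy keys are per user (HKCU), so run
#    this part as each account that uses Office.
$officeVersion = '16.0'
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord   # 4 = disable all, no notification
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# 3. Scripts: turn off Windows Script Host, the engine behind .js/.vbs e-mail attachments.
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
New-Item -Path $wsh -Force | Out-Null
Set-ItemProperty -Path $wsh -Name 'Enabled' -Value 0 -Type DWord

# 4. AppLocker script whitelist using the three default allow rules. Because the rule
#    collection is in Enabled mode, any script not matched (e.g. one in %TEMP% or
#    Downloads) is denied for non-administrators.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators may run any script" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'applocker-scripts.xml'
$policyXml | Set-Content -Path $policyPath -Encoding ASCII
Set-Service -Name AppIDSvc -StartupType Automatic   # enforcement needs the Application Identity service
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 5. Verify: a constructed script dropped in the user's Temp folder should come back
#    as Denied for Everyone.
$probe = Join-Path $env:TEMP 'invoice.js'
Set-Content -Path $probe -Value 'WScript.Echo 1'
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Two caveats from practice: Set-Service on AppIDSvc is refused on some newer Windows 10 builds, where the service's start type is managed through Group Policy instead, but the policy merge still requires the service to be running; and AppLocker path rules only hold if the allowed directories are not writable by standard users, which is the case for the default Program Files and Windows locations.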

Author Comment

by: gromack
Thanks for all the advice. I've had an experience with this once before, and I'll share it as sort of an FYI.
First off, I did get access to a Verizon USB modem, and the ransom is 3 bitcoins, or about $1900 at the current exchange rate. I tried the nomoreransom.com site and no decryption is available. I also noticed that not all docs have been encrypted, so I am going to look at some of the other recovery options, as I've read that once all files have been encrypted, it deletes any shadow copies.
I do work on the side for a guy who had one of his clients get hit with this. The guy was an accountant and had no choice but to pay the ransom, which was 1.5 bitcoins, which translated to about $1100 at the time (last summer).
The process of buying these things is quite a pain as well. Contrary to what these A-holes say, you can't just go buy them from Western Union, and no banks seem to want to have anything to do with them. I'm in the Houston area and actually found one place where I could walk in with cash and walk out with my ransom money loaded into my bitcoin wallet.
There were countless options for buying, but I wasn't about to deposit money in someone's account, sight unseen, and wait 2 to 3 hours for it to appear in my wallet. The next thing is how volatile the price is. Over the course of 3 days, the price bounced around by about $40, and even made a slight change Saturday morning when I went to get them.
I made the 40+ mile drive to the location, which I'll share if anyone is in need of a reputable place to buy bitcoins. Paid the money, he took a pic of something like a QR code with my phone, and voilà, I had 1.5 bitcoins in my wallet. In talking with the guy, he did tell me that I got off lucky, as he's seen much higher ransoms, and he also said that he had never heard of this not working (honor among thieves?), as I guess that would only further convince people not to pay.
Made the 40+ mile drive back to the office, followed the instructions and was presented with a page that said after so many verification steps (2 or 3?), I'd be redirected to a page with a link to the decrypter and instructions on what to do from there. I'm waiting and waiting, not being redirected to another page, and was starting to get nervous.
I have no idea how you'd reverse a transaction like this, but from what I read, after about 6 or 8 of these verification steps it's irreversible, and I was getting close to that number. That number eventually came and went (20 minutes or so?) and still nothing. Then I noticed that where the link had originally said send 1.5 bitcoins, it now said something like send .0001243 bitcoins. The exchange rate had fluctuated slightly, so I was being held up for an additional 8 f*&%ing cents!
I called the guy back, who put another $5 on my account and said just pay it all, so if you're ever in this situation, you may want to buy a couple of dollars over the initial ransom, just to be safe. I paid the additional amount and after a few minutes was redirected to another page, where I downloaded their decryption tool and ran it. A command prompt window opened up, looked like it ran through every file on the computer, and at the end had the message 'decryption complete, press any key to exit...'. All the files were restored and the decryption tool was deleted. It was also nice enough to redirect me to another page that had links on backing up your computer and how important that can be.
We did wipe the computer and reinstall everything, and had hoped to test different AV software on detecting this, but figured once definition files had been updated, testing would be useless.
From what I hear, cloud-based backups are the only thing safe from these exploits? I have a hard enough time getting people to understand the concept of backing up to a drive and swapping it out every other week, so making it as automated as possible would be a good thing.
Sorry if I've bored anyone to tears with my story or broke any rules by paying it (it wasn't up to me), but I hope someone might find this helpful or informative.
Now, on to exploring my recovery options, as this person is one of the people who never backs anything up and certainly isn't in a position to pay a $1900 ransom...
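On the recovery side raised in the post above (shadow copies, and tools such as Shadow Explorer that browse them), here is an added example, not code from the thread, that checks from an elevated PowerShell prompt whether any Volume Shadow Copies survived and exposes the newest one as an ordinary folder via the DeviceObject path that Win32_ShadowCopy reports, which is the same snapshot data Shadow Explorer reads. The mount path C:\ShadowRecovery is an assumption for illustration. Check that the copy's InstallDate predates the infection, or it may itself already hold encrypted files.

```powershell
# Added example, not from the thread: look for surviving Volume Shadow Copies and
# expose the newest one as a folder so files can be copied out to clean media.
# Run elevated, with the network unplugged. The mount path is an assumption.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate)
if ($shadows.Count -eq 0) {
    Write-Warning "No shadow copies left; ransomware commonly removes them (vssadmin delete shadows /all /quiet)."
    return
}

# Show what exists, oldest first, so a copy taken before the infection can be chosen.
$shadows | Format-Table InstallDate, VolumeName, DeviceObject -AutoSize

$latest = $shadows[-1]
$mount  = 'C:\ShadowRecovery'
if (Test-Path $mount) { cmd.exe /c rmdir $mount }   # drop a stale link only; snapshots are untouched

# mklink wants the device path with a trailing backslash. The link gives read access to
# the snapshot, so copying files out of it does not modify anything.
cmd.exe /c mklink /d $mount "$($latest.DeviceObject)\"
Write-Host "Shadow copy from $($latest.InstallDate) is browsable at $mount; copy files from there to clean media."

# When finished, remove the link (not the snapshot):  cmd.exe /c rmdir $mount
```

If you need an older copy than the newest, pick it from the table by InstallDate and substitute its DeviceObject; the link can be recreated for each snapshot in turn.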
 
LVL 23

Expert Comment

by: Dr. Klahn
Sorry to hear that your client required you to pay the ransom.

Do point out strongly to him that this infected system can no longer be trusted, and that it is now mandatory to pull his files off it, erase the drive, and reload Windows from scratch.  Otherwise he'll shortly be paying another ransom, and another, and another, ad infinitum.
 

Author Comment

by: gromack
Yeah, we already replaced the HD on that machine & re-installed, kept the other one for testing.
Were you the one who mentioned having a bunch of articles dealing with this?
 
LVL 87

Expert Comment

by: rindi
I assume he has now learned his lesson and will in future back up. If not, he shouldn't be allowed close to computers, smartphones, digital cameras etc.
 
LVL 26

Expert Comment

by: Thomas Zucker-Scharff
 
LVL 61

Assisted Solution

by: btan (earned 125 total points)
User awareness is a best effort, as users are the last line of defence and also the weakest one, easily exploited and bypassed.

Check out the US-CERT advisory on this, especially:

- For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.
- Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
- Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks or the Security Publication on Ransomware for more information.
- Individuals or organizations are discouraged from paying the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center.

https://www.us-cert.gov/ncas/alerts/TA16-091A
 

Author Closing Comment

by: gromack
Thanks for the advice!
