Way OT: Undoing ransomware damage

Ed Breya
 

I'm rebuilding some of my PCs lately, including a nice old Dell one, that has been sitting out of commission for about a year. It and another one somehow got infected with one of those @#$#&$*%^^)^&)(&) ransomware viruses, which encrypted most of the files.

I put the system HD in a blank PC and reloaded the OS, etc, and got it working and deleted the damaged files. There was a backup data drive in it that also was messed up. There are hundreds of documents in there like .pdfs of instrument service manuals and parts data sheets (so I guess this is sort of on-topic), that can probably be relocated online and downloaded again, but what a PITA.

I recall that when this first happened, I looked for info about it, and found that there were apparently some websites that one could go to, and upload one of the encrypted files, and they would reverse-engineer it and send a key that should undo the rest. This was supposedly a free public service from some data security companies, but I didn't know enough about it to trust them, worrying that they may be even more of a scam than the original problem, so I just set the machine aside for later.

Now "later" is here, so I started looking into it again, and found old reports from apparently reputable PC-related publications, saying essentially the same thing. Two specific ones were mentioned - FireEye, and Fox-IT, which appear to be security outfits, but when I went to their websites, there was no mention of this at all, like it disappeared altogether. It seems like perhaps they didn't want to bother with it anymore, it didn't work, or it was a scam or fake news. I also noticed various other methods discussed, like using backup or restore files, and "shadow restore," but I don't think any of these apply to my case.

So, I'm wondering if anyone here knows anything about this stuff, and if there is any legitimate outfit providing this capability. I was kind of hoping that by now some government agency would have tracked down and taken out the perps, and yanked the key servers out of their cold dead hands, and have the keys available to the public for undoing the damage. But I guess that didn't happen.

Ed

Marian B
 

Some older ransomwares could be easily defeated, but most of them are
essentially impossible to defeat when they're done encrypting stuff.
You have to pay to get the data back.

Cheers, Marian

Peter Gottlieb
 

There have been multiple reports of people and companies paying and not getting their files back. Consider your files lost.


Peter

On Jan 28, 2016, at 3:21 PM, public@... [TekScopes] <TekScopes@...> wrote:


Paul Amaranth
 

The short answer is you're out of luck. Once the files are encrypted, you
either pay for the key or throw them away. If you do pay for the key,
immediately backup your files after decrypting them then wipe and
rebuild the system. Hope they didn't leave a backdoor in the stuff
you backed up.

The ONLY safeguard for ransomware is a disconnected backup. If you
just backup to a network share, the ransomware will encrypt that too.

For some of my clients I use PCbackup which uses rsync to pull files to
a Linux server. It's not normally visible from the Windows box so the
backed up files cannot be encrypted by ransomware. Encrypted files
will get backed up too, of course, but you can always revert to
earlier versions. It's not a big deal to keep years of versions on a
TB drive and just go back to before the infection.

It's possible that early on they used very poor cryptography, but that
is no longer the case. Even police departments have been paying ransom.

Heck, now you can even get "ransomware as a service". This is only
going to get worse; it won't get better.

On Thu, Jan 28, 2016 at 12:15:28PM -0800, edbreya@... [TekScopes] wrote:
--
Paul Amaranth, GCIH | Rochester MI, USA
Aurora Group, Inc. | Security, Systems & Software
paul@... | Unix & Windows
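Paul's pull-and-version approach, as an added example that is not the PCbackup tool or rsync itself: a small Python stand-in for what rsync's --link-dest does on the backup server. Each pull lands in a dated snapshot directory, files that have not changed are hard-linked to the previous snapshot so versions cost almost nothing, and a snapshot taken after an infection contains the encrypted copies without touching the earlier ones. The directory names, date labels, file contents and the "ransomware" stand-in (which just overwrites files with random bytes and renames them) are all constructed for the demo.

```python
"""Pull-style, versioned backup with hard-linked snapshots (added example)."""
import filecmp
import os
import shutil
import tempfile


def take_snapshot(source: str, backup_root: str, label: str) -> str:
    """Copy `source` into backup_root/label.

    Files byte-identical to the newest existing snapshot are hard-linked
    instead of copied, which is what rsync --link-dest does. In real use
    this runs on the backup server, which pulls from the client; the client
    has no write access to backup_root, so malware on the client cannot
    reach the old snapshots.
    """
    previous = None
    if os.path.isdir(backup_root):
        existing = sorted(os.listdir(backup_root))  # ISO-date labels sort chronologically
        if existing:
            previous = os.path.join(backup_root, existing[-1])
    dest = os.path.join(backup_root, label)
    os.makedirs(dest)
    for dirpath, _dirs, files in os.walk(source):
        rel = os.path.relpath(dirpath, source)
        os.makedirs(os.path.join(dest, rel), exist_ok=True)
        for name in files:
            src_file = os.path.join(dirpath, name)
            dst_file = os.path.join(dest, rel, name)
            prev_file = os.path.join(previous, rel, name) if previous else None
            if prev_file and os.path.isfile(prev_file) and filecmp.cmp(src_file, prev_file, shallow=False):
                os.link(prev_file, dst_file)      # unchanged: share the inode, no extra space
            else:
                shutil.copy2(src_file, dst_file)  # new or changed: store a fresh copy
    return dest


def list_snapshots(backup_root: str) -> list:
    return sorted(os.listdir(backup_root))


def restore_snapshot(backup_root: str, label: str, target: str) -> None:
    """Copy a chosen snapshot back out, e.g. onto a wiped and rebuilt machine."""
    shutil.copytree(os.path.join(backup_root, label), target, dirs_exist_ok=True)


def simulate_ransomware(source: str) -> None:
    """Constructed stand-in for the infection: overwrite every file with random
    bytes and rename it. It models the damage only, not any real malware."""
    for dirpath, _dirs, files in os.walk(source):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb+") as f:
                size = f.seek(0, os.SEEK_END)
                f.seek(0)
                f.write(os.urandom(size))
            os.rename(path, path + ".locked")


def demo() -> dict:
    """Clean snapshot, unchanged snapshot, infection, damaged snapshot, restore."""
    work = tempfile.mkdtemp()
    try:
        client = os.path.join(work, "client")
        backups = os.path.join(work, "backups")
        os.makedirs(os.path.join(client, "docs"))
        manual = os.path.join(client, "docs", "manual.pdf")
        original = b"%PDF-1.4\n constructed sample service manual\n"
        with open(manual, "wb") as f:
            f.write(original)

        take_snapshot(client, backups, "2016-01-01")
        take_snapshot(client, backups, "2016-01-02")  # nothing changed: hard links only
        simulate_ransomware(client)
        take_snapshot(client, backups, "2016-01-03")  # the damage gets backed up too

        day1 = os.path.join(backups, "2016-01-01", "docs", "manual.pdf")
        day2 = os.path.join(backups, "2016-01-02", "docs", "manual.pdf")
        day3_docs = os.path.join(backups, "2016-01-03", "docs")

        recovered = os.path.join(work, "recovered")
        restore_snapshot(backups, "2016-01-01", recovered)
        with open(os.path.join(recovered, "docs", "manual.pdf"), "rb") as f:
            recovered_bytes = f.read()

        return {
            "snapshots": list_snapshots(backups),
            "unchanged_is_hardlink": os.path.samefile(day1, day2),
            "latest_has_locked_file": os.listdir(day3_docs) == ["manual.pdf.locked"],
            "restored_matches_original": recovered_bytes == original,
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

The point of the layout is that the client never has the snapshot tree mounted; the server reaches in and pulls. Anything the client can write to (a mapped drive, a USB disk left plugged in) is within reach of the same malware that encrypted the originals.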

Ed Breya
 

Thanks all. I guess I'm out of luck. The only payback I have in mind for these people would have to be done in person.

Ed

Brad Thompson <brad.thompson@...>
 

On 1/28/2016 3:47 PM, edbreya@... [TekScopes] wrote:
Hello--
By coincidence, I just finished hanging up on an unsolicited "computer service call". If anyone is unfamiliar with
this scheme, go here:

http://www.consumer.ftc.gov/articles/0346-tech-support-scams

Also, beware of flashing onscreen "warning messages" urging you to "click here to repair the damage".

Be careful out there.

73--

Brad AA1IP

Richard R. Pope
 

Hello all,
I have been following this thread to a certain extent and I have to
ask: How many out there are running a physical firewall between their modem
and the computer and/or computers on their LAN?
Thanks,
rich!

On 1/28/2016 2:47 PM, edbreya@... [TekScopes] wrote:

Geoffrey Thomas
 

On 28/01/2016 20:15, edbreya@... [TekScopes] wrote:

John Ferguson