How to keep your data and money safe
Tuesday, April 3, 2018
Unfortunately, many users have seen these kinds of messages on their screens:
WARNING, YOUR FILES, DOCUMENTS, PHOTOS, ARCHIVES AND OTHER INFORMATION HAVE BEEN ENCRYPTED!!!
TO DECRYPT YOUR FILES, CONTACT US BY EMAIL ...@.... or (if you receive no reply within 24 hours) send your message to this address.....@....
ANY ATTEMPTS TO DECRYPT THE FILES WITHOUT THE ORIGINAL KEY WILL CORRUPT YOUR FILES!!! ALSO NOTE THAT DECRYPTION CAN ONLY BE PERFORMED WITHIN 96 HOURS AFTER THE FILES WERE ENCRYPTED!!!
REINSTALLING WINDOWS OR RUNNING AN ANTI-VIRUS WILL NOT HELP RECOVER YOUR DATA!!!
YOU CAN SEND US ONE ENCRYPTED FILE WHICH WE WILL RETURN TO YOU UNENCRYPTED TO PROVE THAT DECRYPTION IS POSSIBLE !!!
Users are well aware that the chances of recovering data compromised by encryption ransomware are slim, and, therefore, they’re ready to pay ransom to the people who’ve attacked them. However, a paid ransom doesn’t necessarily resolve anything when there are plenty of attackers who don't fulfil their promises.
All the files were encrypted. We paid the ransom, and the extortionists provided us with a decryption utility. We managed to recover all of our data except for our accounting databases. Please help us recover them.
A technical support request
The correspondence resulted in the following message being sent to the user:
Your files have been analysed and decrypted successfully.
But the following was noted in Doctor Web internal correspondence:
Crummy attackers; they won’t decrypt the files because they’re so big.
Yet another clear example that plenty of criminals aren't necessarily skilled programmers.
And one more:
A question for Doctor Web’s tech support
We decided to buy a decryption utility from the extortionists, but over half of our files still wouldn't open after the decryption.
The reply from Doctor Web’s Technical Support
Both of the encrypted files you've provided have an incorrect encryption format. They both have certain pieces of metadata missing. One file has some of its data still unencrypted. Apparently, the ransomware program is rather buggy.
I'm afraid that your files can’t be recovered.
Interestingly, in addition to extorting money from users, criminals also devote some of their time to advertising cryptocurrency mining:
You can purchase bitcoins or mine them completely free of charge. You can find out more about mining on Wikipedia and other sites.
The decryption service is free. The choice is yours: mine bitcoins free of charge or save some time and buy them right away.
So why do they extort money rather than mine cryptocurrencies themselves?
But let's get back to decryption issues. A very interesting statistic was published at www.bleepingcomputer.com:
As many as 19.6%—one out of five ransomware victims—paid the ransom but lost their data for good.
Interestingly, the survey, whose respondents included corporate users, revealed that:
In 2018, the study’s participants intended to pay special attention to advanced malware analysis technologies, sandbox solutions, containerisation and virtualisation (end-point and mobile security).
And none of them had backups on their list of priorities. Apparently, that’s not in vogue.

#encryption_ransomware #Trojan #Trojan.Encoder #Data_Loss_Prevention
The Anti-virus Times recommends
Backups are the most reliable way to ensure the integrity of your data.
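A backup only guarantees integrity if you can prove the copy is still intact, since an encryptor that reaches a mapped backup share will rewrite the copies just as readily as the originals. As an added illustration (not code from this article or from Doctor Web), the Python script below copies a folder, records a SHA-256 manifest of every file, and later reports which backup files have been altered, truncated or encrypted since the copy was made. The manifest file name and the demo() scenario with its sample files are assumptions made for this example.

```python
"""Hash-verified file backup (added example, not Dr.Web code): copy a
directory tree, record a SHA-256 manifest, and later detect any backup
file that was altered, truncated or encrypted after the copy was made."""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"  # assumed name for the hash index kept inside the backup


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel != MANIFEST:
                manifest[rel] = sha256_of(full)
    return manifest


def backup(src, dst):
    """Copy src into a new directory dst and write the manifest next to the copies."""
    shutil.copytree(src, dst)
    manifest = build_manifest(src)
    with open(os.path.join(dst, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify(dst):
    """Return the relative paths whose current hash no longer matches the
    manifest (changed, truncated or encrypted) or which are missing entirely."""
    with open(os.path.join(dst, MANIFEST)) as f:
        expected = json.load(f)
    bad = []
    for rel, digest in expected.items():
        full = os.path.join(dst, rel)
        if not os.path.exists(full) or sha256_of(full) != digest:
            bad.append(rel)
    return sorted(bad)


def demo():
    """Constructed scenario: back up two sample files, then simulate an
    encryptor overwriting one of the copies.  Returns (clean, tampered),
    the verify() results before and after the simulated damage."""
    work = tempfile.mkdtemp()
    src, dst = os.path.join(work, "data"), os.path.join(work, "backup")
    os.makedirs(os.path.join(src, "accounting"))
    with open(os.path.join(src, "accounting", "ledger.db"), "wb") as f:
        f.write(b"ledger rows " * 1000)          # constructed sample data
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("quarterly notes\n")              # constructed sample data
    backup(src, dst)
    clean = verify(dst)                           # expected: []
    # Simulate ransomware rewriting one backup copy with ciphertext.
    with open(os.path.join(dst, "accounting", "ledger.db"), "wb") as f:
        f.write(os.urandom(64))
    tampered = verify(dst)                        # expected: ['accounting/ledger.db']
    shutil.rmtree(work)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Run verify() on a schedule against a backup that the workstation cannot write to (offline media or a share mounted read-only); a non-empty result is the signal to restore from an older copy before the damaged one is rotated in.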
Find out more about encryption ransomware at http://antifraud.drweb.ru/encryption_trojs. In addition, we recommend that you study the course DWCERT-070-6 Protection from encryption ransomware for Windows PCs and file servers: https://training.drweb.com/users.
To avoid future infections, use the up-to-date version of Dr.Web Security Space https://download.drweb.com.
Dr.Web 11.0 incorporates the behaviour analyser Dr.Web Process Heuristic, which offers effective protection against the latest unknown threats. Because many malicious programs exhibit similar behaviour, Dr.Web Process Heuristic can identify malicious applications that are still unknown to Dr.Web, particularly new modifications of Trojan.Encoder and Trojan.Inject. The malware gets blocked before it corrupts data on infected machines.
Dr.Web Security Space 11 incorporates the Data Loss Prevention feature, which can be used to back up important information. Find out more here: http://download.geo.drweb.com/pub/drweb/windows/workstation/11.0/documentation/html/ru/tools_data_loss_prevention.htm.