[Hidden-tech] Any experience with a Virus that attacks documents?

Chris Hart, MyMacTech.com chris at chrishart.net
Fri Jan 16 08:46:17 EST 2015


The files aren't going to be quarantined by an anti-virus, because they
aren't infected.

They have been ENCRYPTED with a key that is only known to the virus creator
(but, as was noted, the key _might_ be in the list of keys that were made
available by the FBI).*

Utilities that 'recover' deleted files will not likely be effective in this
instance, because the encrypted versions of the files likely overwrote the
original, unencrypted versions.  It's worth trying, but the cost of trying
needs to be weighed against the cost of the alternatives.

If you have an automatic backup of your files in place, or any recent backup
of the files in question, the best thing to do is to restore from that
backup.  Unfortunately, in the case of the original poster, the backup files
were also encrypted.**

The original poster's alternatives are: (1) try and find the correct
encryption key among the keys released by the FBI (this involves methodical
testing of decryption of some sample files)***, OR (2) pay the "ransom," OR
(3) if your files aren't that valuable, wipe the entire system and start
from scratch.

And I would suggest that anyone who offers I.T. services, who is not
familiar with Cryptolocker and its ilk, needs to immediately educate
themselves.  Because treating a system that is, or has been, 'infected' by
one of these encryption viruses, as though it's a standard file 'infection'
type problem, is going to get you nowhere.

And for all the Windows users here, I strongly recommend installing the
utility Cryptoprevent, which dramatically reduces the chances of getting
infected with this type of virus, that doesn't infect files, but encrypts
them.
https://www.foolishit.com/vb6-projects/cryptoprevent/

* It's important to be aware that the encrypted files will show the same
modification day/time, as the original unencrypted versions.  This can make
identifying the right / original / unencrypted files more difficult, if
you're not 100% sure when the system infection/file encryption started.

** This demonstrates the value of having rotating backups, backups on more
than one media type, or an off-site backup.

*** As I noted before, there are newer iterations of this encryption
"virus," for which the keys may not have been made publicly available.
 

Chris Hart
Computer Support & Technology Consulting
for Connecticut and Western Massachusetts
Tel: 860-291-9393
http://www.MyMacTech.com
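
Added example, not part of the original message: since the first footnote above notes that modification times do not separate encrypted files from originals, this Python script sorts files in a folder or backup by content instead, comparing each file's leading bytes with the signature its extension implies and measuring byte entropy for plain-text types. It assumes an encrypted file no longer begins with its format's signature; the extension table and the 7.0 bits/byte threshold are choices made for this example.

```python
import math
import os
from collections import Counter

# Leading bytes of common document formats, keyed by extension.
MAGIC = {
    ".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
}
TEXT_EXTS = {".txt", ".csv", ".htm", ".html", ".xml"}
ENTROPY_LIMIT = 7.0  # bits per byte (assumed cut-off); plain text sits well below


def entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(head: bytes, ext: str) -> str:
    """Judge a file from its first bytes and extension, never its timestamp."""
    ext = ext.lower()
    if ext in MAGIC:
        return "intact" if head.startswith(MAGIC[ext]) else "suspect"
    if ext in TEXT_EXTS:
        return "suspect" if entropy(head) > ENTROPY_LIMIT else "intact"
    return "unknown"  # no signature to compare against


def scan(root: str) -> dict:
    """Walk root and return {path: verdict} for every file found."""
    results = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                results[path] = "unreadable"
                continue
            results[path] = classify(head, os.path.splitext(name)[1])
    return results


if __name__ == "__main__":
    import sys
    for path, verdict in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{verdict:10} {path}")
```

Run it against a copy of a backup set to see which generation still holds "intact" versions before restoring anything.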



From:  Donald M Stevens <dstevens at tryandfindit.com>
Date:  Friday, January 16, 2015 at 7:56 AM
To:  Lisa Woods <kir914 at yahoo.com>, "hidden-discuss at lists.hidden-tech.net"
<hidden-discuss at lists.hidden-tech.net>
Subject:  Re: [Hidden-tech] Any experience with a Virus that attacks
documents?




Good Morning Lisa,

I assume the files can be seen? Just cannot open them?
Or you can open them, but cannot read them?

There are tools to recover deleted files from drives that I have used....
I am not sure if the (gogeeks) program quarantined the files?
Usually when a virus program attempts to fix / repair / get rid of a
virus...
You have the option to quarantine the infected files that cannot be fixed...

Feel free to call / email me off line if you would like to discuss.

Don

Don Stevens
TFI technologies
Technology Services
159 Patricia Circle
Springfield, MA 01119
Office: 413.209.8333
Cell / Text: 860.614.4153
Email: dstevens at tryandfindit.com

-----Original Message-----
From: hidden-discuss-bounces at lists.hidden-tech.net
[mailto:hidden-discuss-bounces at lists.hidden-tech.net] On Behalf Of Lisa
Woods
Sent: Thursday, January 15, 2015 7:37 PM
To: hidden-discuss at lists.hidden-tech.net;
hidden-discuss at lists.hidden-tech.net
Subject: [Hidden-tech] Any experience with a Virus that attacks documents?



