[Hidden-tech] Any experience with a Virus that attacks documents?

Bruce Hooke bghooke at att.net
Fri Jan 16 11:51:30 EST 2015


A quick clarification. I just did some more reading and it turns out Cryptoprevent is not running all the time. It sets some policy rules in Windows that should prevent the Cryptolocker software from running.
 
- Bruce


  _____  

From: Bruce Hooke [mailto:bghooke at att.net] 
Sent: Friday, January 16, 2015 11:28 AM
To: 'Chris Hart, MyMacTech.com'; 'Hidden-discuss at lists.hidden-tech.net'
Subject: RE: [Hidden-tech] Any experience with a Virus that attacks documents?


Thank you, Chris, for this very informative email. While, as you said, anti-virus software won't quarantine the affected files, do you know if properly up-to-date anti-virus software should catch the initial "virus" (if that's the right name for it) that causes the documents to be encrypted? I am considering installing the Cryptoprevent software but it is presumably yet another background process that has to be there and running all the time, using system resources.
 
Thanks,
Bruce

  _____  

From: hidden-discuss-bounces at lists.hidden-tech.net [mailto:hidden-discuss-bounces at lists.hidden-tech.net] On Behalf Of Chris Hart, MyMacTech.com
Sent: Friday, January 16, 2015 8:46 AM
To: Hidden-discuss at lists.hidden-tech.net
Subject: Re: [Hidden-tech] Any experience with a Virus that attacks documents?



The files aren't going to be quarantined by an anti-virus, because they aren't infected.

They have been ENCRYPTED with a key that is only known to the virus creator (but, as was noted, the key _might_ be in the list of keys that were made available by the FBI).*

Utilities that 'recover' deleted files will not likely be effective in this instance, because the encrypted versions of the files likely overwrote the original, unencrypted versions.  It's worth trying, but the cost of trying needs to be weighed against the cost of the alternatives.

If you have an automatic backup of your files in place, or any recent backup of the files in question, the best thing to do is to restore from that backup.  Unfortunately, in the case of the original poster, the backup files were also encrypted.**

The original poster's alternatives are: (1) try and find the correct encryption key among the keys released by the FBI (this involves methodical testing of decryption of some sample files)***, OR (2) pay the "ransom," OR (3) if your files aren't that valuable, wipe the entire system and start from scratch.

And I would suggest that anyone who offers I.T. services, who is not familiar with Cryptolocker and its ilk, needs to immediately educate themselves, because treating a system that is, or has been, 'infected' by one of these encryption viruses as though it's a standard file 'infection' type problem is going to get you nowhere.

And for all the Windows users here, I strongly recommend installing the utility Cryptoprevent, which dramatically reduces the chances of getting infected with this type of virus, that doesn't infect files, but encrypts them.
https://www.foolishit.com/vb6-projects/cryptoprevent/

* It's important to be aware that the encrypted files will show the same modification day/time, as the original unencrypted versions.  This can make identifying the right / original / unencrypted files more difficult, if you're not 100% sure when the system infection/file encryption started.

** This demonstrates the value of having rotating backups, backups on more than one media type, or an off-site backup.

*** As I noted before, there are newer iterations of this encryption "virus," for which the keys may not have been made publicly available.
 


Chris Hart
Computer Support & Technology Consulting
for Connecticut and Western Massachusetts
Tel: 860-291-9393
http://www.MyMacTech.com
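Footnote * above makes a practical detection point: the encrypted copies keep the original modification time, so sorting a folder by date will not separate good files from encrypted ones. The following is an added example, not code from Chris's post or from any tool it mentions, that triages files by content instead: it checks whether each document still begins with the leading bytes its type should carry and, when that header is gone, measures byte entropy to tell ciphertext from ordinary junk. The file names, sample contents and timestamp are constructed for the demo.

```python
import math
import os
import tempfile
import zipfile
from collections import Counter

# Leading bytes a healthy file of each type should carry. Office documents are
# ZIP containers; an encrypted copy keeps the name and mtime but loses the header.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify(path: str) -> str:
    """'ok' if the header matches, 'suspect' if the header is gone and the content
    looks like ciphertext, 'unknown' otherwise (no rule, or low-entropy junk)."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return "unknown"
    with open(path, "rb") as f:
        head = f.read(4096)
    if head.startswith(MAGIC[ext]):
        return "ok"
    return "suspect" if shannon_entropy(head) > ENTROPY_THRESHOLD else "unknown"

def scan(root: str) -> dict:
    """Map every file under root to its classification, ignoring timestamps."""
    return {os.path.join(d, n): classify(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}

def demo() -> dict:
    """Constructed sample: one genuine .docx and one random-byte file posing as one."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "report.docx"), "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
    bad = os.path.join(root, "budget.docx")
    with open(bad, "wb") as f:
        f.write(os.urandom(4096))  # stands in for ransomware ciphertext
    os.utime(bad, (1421427600, 1421427600))  # old mtime, as footnote * warns
    return {os.path.basename(p): v for p, v in scan(root).items()}
```

Run `scan()` against a copy of the affected tree, not the live disk, and treat the "suspect" list as a starting point for choosing which backup generation to restore.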



From: Donald M Stevens <dstevens at tryandfindit.com>
Date: Friday, January 16, 2015 at 7:56 AM
To: Lisa Woods <kir914 at yahoo.com>, "hidden-discuss at lists.hidden-tech.net" <hidden-discuss at lists.hidden-tech.net>
Subject: Re: [Hidden-tech] Any experience with a Virus that attacks documents?





Good Morning Lisa,

I assume the files can be seen? Just cannot open them?
Or you can open them, but cannot read them?

There are tools to recover deleted files from drives that I have used....
I am not sure if the (gogeeks) program quarantined the files?
Usually when a virus program attempts to fix / repair / get rid of a virus...
You have the option to quarantine the infected files that cannot be fixed...

Feel free to call / email me off line if you would like to discuss.

Don

Don Stevens
TFI technologies
Technology Services
159 Patricia Circle
Springfield, MA 01119
Office: 413.209.8333
Cell / Text: 860.614.4153
Email: dstevens at tryandfindit.com

-----Original Message-----
From: hidden-discuss-bounces at lists.hidden-tech.net [mailto:hidden-discuss-bounces at lists.hidden-tech.net] On Behalf Of Lisa Woods
Sent: Thursday, January 15, 2015 7:37 PM
To: hidden-discuss at lists.hidden-tech.net; hidden-discuss at lists.hidden-tech.net
Subject: [Hidden-tech] Any experience with a Virus that attacks documents?



