Big Ransom ware problem!

Any savvy computer guys out there?

I received an email that I thought was from my wife and clicked on the attachment, infecting my computer and all of my files (except emails). My files are encrypted with zepto malware which states it uses RSA-2048 and AES-128 ciphers.

The a##holes are demanding money so that I can recover them. I was able to get the malware off my machine, but I've had no success recovering my files and pics. A local computer company said that I have no choice but to pay if I want my files back.

While I have a back up HD that is infected too, and my restore points are after the malware got into my computer.

Any ideas?

Thanks!
"Science is suppose to explain observations not dismiss them as impossible" - Norm on AA; 2.3TL's w/sonicaps/mills/jantzen inductors, Gimpod's boards, Lg Solen SDA inductors, RD-0198's, MW's dynamatted, Armaflex speaker gaskets, H-nuts, brass spikes, Cardas CCGR BP's, upgraded IC Cable, Black Hole Damping Sheet strips, interior of cabinets sealed with Loctite Power Grab, AI-1 interface with 1000VA A-L transformer

Comments

  • motorhead43026
    motorhead43026 Posts: 3,900
    Pay the ransom.
    The best way to predict the future is to invent it.

    It is imperative that we recognize that an opinion is not a fact.
  • drumminman
    drumminman Posts: 3,396
    There's advice all over the place not to do that as it just encourages them, but no one seems to know how to recover the files.
    "Science is suppose to explain observations not dismiss them as impossible" - Norm on AA; 2.3TL's w/sonicaps/mills/jantzen inductors, Gimpod's boards, Lg Solen SDA inductors, RD-0198's, MW's dynamatted, Armaflex speaker gaskets, H-nuts, brass spikes, Cardas CCGR BP's, upgraded IC Cable, Black Hole Damping Sheet strips, interior of cabinets sealed with Loctite Power Grab, AI-1 interface with 1000VA A-L transformer
  • tonyb
    tonyb Posts: 32,981
    How much are they asking ? Might be cheaper to just screw it and buy a new 'puter. Unless those files and pics are of that much value to you.

    Is this a windows machine ? They seem to be more susceptible to these kinds of things than Apple. Nobody I've talked to has a remedy for these bandits.
    HT SYSTEM-
    Sony 850c 4k
    Pioneer elite vhx 21
    Sony 4k BRP
    SVS SB-2000
    Polk Sig. 20's
    Polk FX500 surrounds

    Cables-
    Acoustic zen Satori speaker cables
    Acoustic zen Matrix 2 IC's
    Wireworld eclipse 7 ic's
    Audio metallurgy ga-o digital cable

    Kitchen

    Sonos zp90
    Grant Fidelity tube dac
    B&k 1420
    lsi 9's
  • motorhead43026
    motorhead43026 Posts: 3,900
    Sure, don't encourage them and don't get you files back. The choice is up to you.
    The best way to predict the future is to invent it.

    It is imperative that we recognize that an opinion is not a fact.
  • msg
    msg Posts: 10,126
    Man, sorry to hear this.
    My understanding is also that the only choices are to pay, or recover from backup. If you want that data back, your only option is to pay if you don't have another backup somewhere.

    I've also read that sometimes if you pay, they only give you a key to release a certain set of files, and you have to keep paying to get the rest. I think that's more for businesses and organizations though, not sure.

    I know it doesn't help your case right now, but while on the subject, two recommendations to everyone moving forward

    EMAIL RULES
    I try to keep people informed on malware attacks. There are two rules for email that will help.
    1. You know the person.
    2. You are expecting the message with a link.
    If you can't answer yes to both of those questions, don't click the link, period. There can be no exceptions. These guys are getting extremely clever with the social engineering.

    BACKUP YOUR BACKUP AND KEEP IT OFFLINE
    I just read about this infection spreading to accessible backups a few months ago. A real D move, but to them, it's business. We make adjustments to combat the attack vectors, and they adjust to skirt those protections. A single backup is no longer sufficient if it is always connected. Keep a second backup, completely disconnected from any other hardware when it is not in use. Be diligent about this. It is only connected to created that second backup, and then disconnected until the next time. Cloud backup is another option, but it should not be always accessible through a mapped drive, otherwise it can be compromised as well.

    Really sorry man, but looks like your only option is to pay if you need that data.
    If you go this route, I'd recommend getting your data back, back it up - just the data, not the computer - and then wipe and reinstall your OS. I can't be sure, and I haven't heard anything about cases of reinfection, but personally I'd feel more secure with a fresh load and a new set of usage rules so you don't get hit again. Wish I had more to offer, but that's all I know about this.

    It is not enough to just keep your computers and security software up to date. It is still important to do so, however, zero day exploits are a real danger here - malware and viruses released and running rampant before the antivirus/antimalware community gets a sample to create the inoculation for distribution and then your subsequent update. Sports, news, entertainment, and political sites - those links you see on those pages are not owned by the host site. They typically go to other sites, which may be compromised. Suspect everything.

    Sorry for your troubles D, but hopefully this can help you moving forward.
    I disabled signatures.
  • nooshinjohn
    nooshinjohn Posts: 25,446
    How much are the **** nozzles trying to extort from you?
    The Gear... Carver "Statement" Mono-blocks, Mcintosh C2300 Arcam AVR20, Oppo UDP-203 4K Blu-ray player, Sony XBR70x850B 4k, Polk Audio Legend L800 with height modules, L400 Center Channel Polk audio AB800 "in-wall" surrounds. Marantz MM7025 stereo amp. Simaudio Moon 680d DSD

    “When once a Republic is corrupted, there is no possibility of remedying any of the growing evils but by removing the corruption and restoring its lost principles; every other correction is either useless or a new evil.”— Thomas Jefferson
  • Emlyn
    Emlyn Posts: 4,529
    drumminman wrote: »
    There's advice all over the place not to do that as it just encourages them, but no one seems to know how to recover the files.

    Because of encryption on the files there is no way even for a business with lots of resources to get those files back without paying for the decryption key. A government agency may be able to recover from such an event, but the expense is usually not worth it. Safest thing to do is consider them gone and not broadcast your identity to the thief that you were snagged by their trap.

    The next thing to consider is if you would trust that computer to not be affected more deeply. Quite often the ransom ware is packaged with other nasty things. Best advice I can give is to start over with a new computer, and in future disconnect any backup drive from it after doing a routine backup of valuable files.

    Just to be safe, I would recommend changing passwords for any web sites you routinely visited on that computer through a login.

    Sorry not to be able to suggest anything better.
  • oldmodman
    oldmodman Posts: 740
    How much would it cost to find all the hackers and kill them all?

    I have watched this happen to several friend's, all with damn game playing kids.

    Second time for one woman.

    She told the eldest kid that if he wants his computer to work again he can fix it himself. So he did. Re-installed the operating system and that eliminated the problem.
    But being a geeky kid he was able to reload all his files from a non attached hard drive.
  • maximillian
    maximillian Posts: 2,144
    Did you check with the NSA to see if they have a copy?

    j/k
  • mhardy6647
    mhardy6647 Posts: 33,901
    heh -- they're probably pocketing the ransoms to augment the budget.
  • teekay0007
    teekay0007 Posts: 2,289
    msg wrote: »
    ...personally I'd feel more secure with a fresh load and a new set of usage rules so you don't get hit again.


    That's what she said. :p





    But seriously, that really sucks! I got stung by this a while back, downloading a user's manual from some site I'd used previously without any problems. Talk about feeling like you are powerless! :# Couldn't bring myself to offer up the cash to such worthless cowards so I took my PC to my local IT guy and got it cleared up. No idea if I lost many/any files.

    Good luck getting it worked out.

  • nguyendot
    nguyendot Posts: 3,594
    Shadow copy enabled? Long shot but who knows. The new variants disable it.
    This is why I'm running Check Point NGTP.
    Main Surround -
    Epson 8350 Projector/ Elite Screens 120" / Pioneer Elite SC-35 / Sunfire Signature / Focal Chorus 716s / Focal Chorus CC / Polk MC80 / Polk PSW150 sub

    Bedroom - Sharp Aquos 70" 650 / Pioneer SC-1222k / Polk RT-55 / Polk CS-250

    Den - Rotel RSP-1068 / Threshold CAS-2 / Boston VR-M60 / BDP-05FD
  • westmassguy
    westmassguy Posts: 6,850
    Sorry to hear, that really sucks. Personally, I have a backup laptop for my business, photos/documents are sync'd between the two. I also make regular backups to an external drive for all my machines, and that's kept offline. If you have important documents, and photos, then it might be worth paying the ransom.
    Home Theater/2 Channel:
    Front: SDA-2ATL forum.polkaudio.com/discussion/143984/my-2as-finally-finished-almost/p1
    Center: Custom Built forum.polkaudio.com/discussion/150760/my-center-channel-project/p1
    Surrounds & Rears: Custom Built forum.polkaudio.com/discussion/151647/my-surround-project/p1
    Sonicaps, Mills, RDO-194s-198s, Dynamat, Hurricane Nuts, Blackhole5
    Pioneer Elite VSX-72TXV, Carver PM-600, SVS PB2-Plus Subwoofer

    dhsspeakerservice.com/
  • drumminman
    drumminman Posts: 3,396
    My biggest mistake was not keeping the backup offline.
    "Science is suppose to explain observations not dismiss them as impossible" - Norm on AA; 2.3TL's w/sonicaps/mills/jantzen inductors, Gimpod's boards, Lg Solen SDA inductors, RD-0198's, MW's dynamatted, Armaflex speaker gaskets, H-nuts, brass spikes, Cardas CCGR BP's, upgraded IC Cable, Black Hole Damping Sheet strips, interior of cabinets sealed with Loctite Power Grab, AI-1 interface with 1000VA A-L transformer
  • sucks2beme
    sucks2beme Posts: 5,602
    So, does having your machine already encrypted prevent this?
    BTW, if you do this, keep the key somewhere safe. If
    something happens, you'll need it to recover your files.
    "The legitimate powers of government extend to such acts only as are injurious to others. But it does me no injury for my neighbour to say there are twenty gods, or no god. It neither picks my pocket nor breaks my leg." --Thomas Jefferson
  • erniejade
    erniejade Posts: 6,321
    Having your computer encrypted does not prevent this. I know first hand with the company I work for. Lucky for us we have backups of everything so we can just reload and restore from the day before.
    Klipsch The Nines, Audioquest Thunderbird Interconnect, Innuos Zen MK3 W4S recovery, Revolution Audio Labs USB & Ethernet, Border Patrol SE-I, Audioquest Niagara 5000 & Thunder, Cullen Crossover II PC's.
  • Msabot1
    Msabot1 Posts: 2,098
    Here is an idea..seems to work too..Get 400 million in Swiss Francs..bundle it all on pallets..put it on a private unmarked jet covertly at night,and land it while your hostages are waiting...you will have em back in no time,once your jet has landed!..
  • Msabot1
    Msabot1 Posts: 2,098
    Hey X....I have been under the impression that people and data are one in the same?...
  • polrbehr
    polrbehr Posts: 2,834
    Just curious, how much are they demanding, and in what form? I've heard that they ask for prepaid Visa cards, I guess so there's no online account to be traced.

    Or they'll claim that they were offering a trial of home-based PC encryption software, and you simply decided to pay for it, all nice and legal. I'm sure they've covered all the bases with regards to keeping themselves anonymous either way. Hope it all works out for you.
    So, are you willing to put forth a little effort or are you happy sitting in your skeptical poo pile?


    http://audiomilitia.proboards.com/
  • BlueFox
    BlueFox Posts: 15,251
    I also would like to know the ransom amount. Is it secret?
    Lumin X1 file player, Westminster Labs interconnect cable
    Sony XA-5400ES SACD; Pass XP-22 pre; X600.5 amps
    Magico S5 MKII Mcast Rose speakers; SPOD spikes

    Shunyata Triton v3/Typhon QR on source, Denali 2000 (2) on amps
    Shunyata Sigma XLR analog ICs, Sigma speaker cables
    Shunyata Sigma HC (2), Sigma Analog, Sigma Digital, Z Anaconda (3) power cables

    Mapleshade Samson V.3 four shelf solid maple rack, Micropoint brass footers
    Three 20 amp circuits.
  • drumminman
    drumminman Posts: 3,396
    I haven't clicked on the links they provided to find out the next steps including how much they want. I talked with a local computer guy who seemed familiar with this type of operation, and they said they'll probably want to be paid in bitcoin. He also thought they would send me the de-encryption code as no one would pay them if word got around that they stiffed people.

    If bitcoin is what they want I'll have to work out how much risk I have to get it. Not sure how I'd pay for it except with a credit card, which puts that at risk.

    It appears that I have gotten rid of the virus, if not the results of the file encryption. No new files I've saved have been encrypted since I ran the anti malware programs. I wonder if clicking on the links will infect my computer all over again?

    I suppose there's only one way to find out . . .
    "Science is suppose to explain observations not dismiss them as impossible" - Norm on AA; 2.3TL's w/sonicaps/mills/jantzen inductors, Gimpod's boards, Lg Solen SDA inductors, RD-0198's, MW's dynamatted, Armaflex speaker gaskets, H-nuts, brass spikes, Cardas CCGR BP's, upgraded IC Cable, Black Hole Damping Sheet strips, interior of cabinets sealed with Loctite Power Grab, AI-1 interface with 1000VA A-L transformer
  • Jhayman
    Jhayman Posts: 1,548
    I'm sure you have been online to search how to remove this nasty bugger..
    Try this http://www.virusresearch.org/zepto-file-extension-virus-removal/
    Hope it helps
    ATC SCM40's,VTL TL 2.5 Preamp,PSB Stratus Goldi's,McCormack DNA 500,McCormack MAP-1 Preamp,Pro-Ject Xtension 10 TT,Ortofon Cadenza Red/Nordost RedDawn LS Speaker cables, Bryston BDP-2, Bryston BDA-2,PS Audio AC-3 power cables
  • steveinaz
    steveinaz Posts: 19,538
    Don't know that there is much you can do. After my latest laptop debacle that cost me 15 yrs of data/pics/movies/etc; I have seriously weened myself down on the computer front. I just don't trust the crap anymore; at least when connected to a network. I've gone back to not automating so much, and being very careful when connected to the internet--and I'm a happier person for it. I'm now backing up regularly (I know, a little late now right?).

    I really believe we have come to depend way too much on computers.
    Source: Bluesound Node 2i - Preamp/DAC: Benchmark DAC2 DX - Amp: Parasound Halo A21 - Speakers: MartinLogan Motion 60XTi - Shop Rig: Yamaha A-S501 Integrated - Shop Spkrs: Elac Debut 2.0 B5.2
  • markmarc
    markmarc Posts: 2,309
    All of my files (and wife's) are double backed up in alternating order a few weeks apart to protect against these ****$%3!*. We'll do this until the wife gets a new desktop, then the old machine will be disconnected from the Internet and become out document/image only computer (still backing up in case of HD failure).
    Review Site_ (((AudioPursuit)))
    Founder/Publisher Affordable$$Audio 2006-13.
    Former Staff Member TONEAudio
    2 Ch. System
    Amplifiers: Parasound Halo P6 pre, Vista Audio i34, Peachtree amp500, Adcom GFP-565 GFA-535ii, 545ii, 555ii
    Digital: SimAudio HAD230 DAC, iMac 20in/Amarra,
    Speakers: Paradigm Performa F75, Magnepan .7, Totem Model 1's, ACI Emerald XL, Celestion Si Stands. Totem Dreamcatcher sub
    Analog: Technics SL-J2 w/Pickering 3000D, SimAudio LP5.3 phono pre
    Cable/Wires: Cardas, AudioArt, Shunyata Venom 3
  • trj
    trj Posts: 320
    This is the reason I keep my photographs backed up in an external hard drive and a copy on DVDs. DVDs/Blu rays are cheap and will retain the data for a long time.

    All the other data on my computers get backed up regularly on the external hard drive. Its the pictures that are most precious to me. Same goes for the documents. If you are writing a book/thesis, back them up on a DVD.

    I am sorry it happened to you OP, but if you can digest the loss of data, just get a new hard drive and start fresh. May be implement a firewall at router level if you know where the hack came from. It doesnt prevent from future attacks if the hackers use bouncing IP addresses, but at least you can block a single or a range of IPs.
    Also, I would get law enforcement involved. Even just a police report is better than nothing.
    Good luck
    Sony BDP-S6500 | Raspberry Pi 2 | XBOX One S | Wii --> Yamaha RX-V667 --> Adcom 5006 bridged to 175 watts for front LCR -- >Front: Polk Audio RTi8s | Center: CSi5 | Side Surrounds: RTi4s | Rear surrounds: FXiA4s | Cheap 12" sub woofer|Samsung UN60KU6300
  • haimoc
    haimoc Posts: 1,031
    edited August 2016
    Post edited by haimoc on