Big Ransomware problem!
drumminman
Posts: 3,396
Any savvy computer guys out there?
I received an email that I thought was from my wife and clicked on the attachment, infecting my computer and all of my files (except emails). My files are encrypted with zepto malware which states it uses RSA-2048 and AES-128 ciphers.
The a##holes are demanding money so that I can recover them. I was able to get the malware off my machine, but I've had no success recovering my files and pics. A local computer company said that I have no choice but to pay if I want my files back.
While I have a backup HD, it is infected too, and my restore points are after the malware got into my computer.
Any ideas?
Thanks!
"Science is suppose to explain observations not dismiss them as impossible" - Norm on AA; 2.3TL's w/sonicaps/mills/jantzen inductors, Gimpod's boards, Lg Solen SDA inductors, RD-0198's, MW's dynamatted, Armaflex speaker gaskets, H-nuts, brass spikes, Cardas CCGR BP's, upgraded IC Cable, Black Hole Damping Sheet strips, interior of cabinets sealed with Loctite Power Grab, AI-1 interface with 1000VA A-L transformer
Comments
-
Pay the ransom.
The best way to predict the future is to invent it.
It is imperative that we recognize that an opinion is not a fact. -
There's advice all over the place not to do that as it just encourages them, but no one seems to know how to recover the files.
-
How much are they asking? Might be cheaper to just screw it and buy a new 'puter. Unless those files and pics are of that much value to you.
Is this a Windows machine? They seem to be more susceptible to these kinds of things than Apple. Nobody I've talked to has a remedy for these bandits.
HT SYSTEM-
Sony 850c 4k
Pioneer elite vhx 21
Sony 4k BRP
SVS SB-2000
Polk Sig. 20's
Polk FX500 surrounds
Cables-
Acoustic zen Satori speaker cables
Acoustic zen Matrix 2 IC's
Wireworld eclipse 7 ic's
Audio metallurgy ga-o digital cable
Kitchen
Sonos zp90
Grant Fidelity tube dac
B&k 1420
lsi 9's -
Sure, don't encourage them and don't get your files back. The choice is up to you. -
Man, sorry to hear this.
My understanding is also that the only choices are to pay, or recover from backup. If you want that data back, your only option is to pay if you don't have another backup somewhere.
I've also read that sometimes if you pay, they only give you a key to release a certain set of files, and you have to keep paying to get the rest. I think that's more for businesses and organizations though, not sure.
I know it doesn't help your case right now, but while on the subject, two recommendations to everyone moving forward:
EMAIL RULES
I try to keep people informed on malware attacks. There are two rules for email that will help.
- You know the person.
- You are expecting the message with a link.
BACKUP YOUR BACKUP AND KEEP IT OFFLINE
I just read about this infection spreading to accessible backups a few months ago. A real D move, but to them, it's business. We make adjustments to combat the attack vectors, and they adjust to skirt those protections. A single backup is no longer sufficient if it is always connected. Keep a second backup, completely disconnected from any other hardware when it is not in use. Be diligent about this. It is only connected to create that second backup, and then disconnected until the next time. Cloud backup is another option, but it should not be always accessible through a mapped drive, otherwise it can be compromised as well.
Really sorry man, but looks like your only option is to pay if you need that data.
If you go this route, I'd recommend getting your data back, back it up - just the data, not the computer - and then wipe and reinstall your OS. I can't be sure, and I haven't heard anything about cases of reinfection, but personally I'd feel more secure with a fresh load and a new set of usage rules so you don't get hit again. Wish I had more to offer, but that's all I know about this.
It is not enough to just keep your computers and security software up to date. It is still important to do so, however, zero day exploits are a real danger here - malware and viruses released and running rampant before the antivirus/antimalware community gets a sample to create the inoculation for distribution and then your subsequent update. Sports, news, entertainment, and political sites - those links you see on those pages are not owned by the host site. They typically go to other sites, which may be compromised. Suspect everything.
Sorry for your troubles D, but hopefully this can help you moving forward.
I disabled signatures. -
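As an added example (not code from anyone in this thread), a Python check to run against a backup drive before trusting a restore from it, since the OP's backup HD was hit too: it flags files carrying the .zepto extension that the removal link later in the thread refers to, and files whose first bytes look near-random, the way encrypted output does. The extension set and the entropy cutoff are assumptions for this example.

```python
import math
import os
import tempfile
from collections import Counter

# Assumptions for this example: Zepto renames files with a ".zepto" extension
# (the removal link in the thread names that extension); 7.5 bits/byte is a
# heuristic cutoff, not a value from the thread.
RANSOM_EXTENSIONS = {".zepto"}
ENTROPY_THRESHOLD = 7.5  # random-looking data approaches 8.0 bits per byte

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_files(root: str, sample_bytes: int = 4096) -> list:
    """Walk a backup tree and flag files that look ransomware-encrypted:
    a known ransom extension, or a near-random first block. Compressed
    formats (JPEG, ZIP, DOCX) also score high, so the extension is the
    reliable signal and entropy is a prompt to compare against a clean copy."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            ent = shannon_entropy(head)
            if ext in RANSOM_EXTENSIONS or (len(head) >= 1024 and ent >= ENTROPY_THRESHOLD):
                flagged.append((os.path.relpath(path, root), ext, round(ent, 2)))
    return sorted(flagged)

def demo() -> list:
    """Constructed backup tree: one clean text file, one renamed ransom
    file, and one file overwritten with random bytes but not renamed."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Backup verification checklist.\n" * 200)
    with open(os.path.join(root, "photo.jpg.zepto"), "wb") as fh:
        fh.write(os.urandom(2048))
    with open(os.path.join(root, "report.txt"), "wb") as fh:
        fh.write(os.urandom(2048))
    return suspicious_files(root)

if __name__ == "__main__":
    for rel, ext, ent in demo():
        print(f"{rel}: ext={ext or '-'} entropy={ent}")
```

Run it with the root pointed at the mounted backup; anything it lists should be compared against an older offline copy rather than restored.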
How much are the **** nozzles trying to extort from you?
The Gear... Carver "Statement" Mono-blocks, Mcintosh C2300 Arcam AVR20, Oppo UDP-203 4K Blu-ray player, Sony XBR70x850B 4k, Polk Audio Legend L800 with height modules, L400 Center Channel Polk audio AB800 "in-wall" surrounds. Marantz MM7025 stereo amp. Simaudio Moon 680d DSD
“When once a Republic is corrupted, there is no possibility of remedying any of the growing evils but by removing the corruption and restoring its lost principles; every other correction is either useless or a new evil.”— Thomas Jefferson -
drumminman wrote: »There's advice all over the place not to do that as it just encourages them, but no one seems to know how to recover the files.«
Because of encryption on the files there is no way even for a business with lots of resources to get those files back without paying for the decryption key. A government agency may be able to recover from such an event, but the expense is usually not worth it. Safest thing to do is consider them gone and not broadcast your identity to the thief that you were snagged by their trap.
The next thing to consider is if you would trust that computer to not be affected more deeply. Quite often the ransomware is packaged with other nasty things. Best advice I can give is to start over with a new computer, and in future disconnect any backup drive from it after doing a routine backup of valuable files.
Just to be safe, I would recommend changing passwords for any web sites you routinely visited on that computer through a login.
Sorry not to be able to suggest anything better. -
How much would it cost to find all the hackers and kill them all?
I have watched this happen to several friends, all with damn game-playing kids.
Second time for one woman.
She told the eldest kid that if he wants his computer to work again he can fix it himself. So he did. Re-installed the operating system and that eliminated the problem.
But being a geeky kid he was able to reload all his files from a non-attached hard drive. -
Did you check with the NSA to see if they have a copy?
j/k -
heh -- they're probably pocketing the ransoms to augment the budget.
-
...personally I'd feel more secure with a fresh load and a new set of usage rules so you don't get hit again.
That's what she said.
But seriously, that really sucks! I got stung by this a while back, downloading a user's manual from some site I'd used previously without any problems. Talk about feeling like you are powerless! Couldn't bring myself to offer up the cash to such worthless cowards so I took my PC to my local IT guy and got it cleared up. No idea if I lost many/any files.
Good luck getting it worked out.
-
Shadow copy enabled? Long shot but who knows. The new variants disable it.
This is why I'm running Check Point NGTP.
Main Surround -
Epson 8350 Projector/ Elite Screens 120" / Pioneer Elite SC-35 / Sunfire Signature / Focal Chorus 716s / Focal Chorus CC / Polk MC80 / Polk PSW150 sub
Bedroom - Sharp Aquos 70" 650 / Pioneer SC-1222k / Polk RT-55 / Polk CS-250
Den - Rotel RSP-1068 / Threshold CAS-2 / Boston VR-M60 / BDP-05FD -
Sorry to hear, that really sucks. Personally, I have a backup laptop for my business, photos/documents are sync'd between the two. I also make regular backups to an external drive for all my machines, and that's kept offline. If you have important documents, and photos, then it might be worth paying the ransom.
Home Theater/2 Channel:
Front: SDA-2ATL forum.polkaudio.com/discussion/143984/my-2as-finally-finished-almost/p1
Center: Custom Built forum.polkaudio.com/discussion/150760/my-center-channel-project/p1
Surrounds & Rears: Custom Built forum.polkaudio.com/discussion/151647/my-surround-project/p1
Sonicaps, Mills, RDO-194s-198s, Dynamat, Hurricane Nuts, Blackhole5
Pioneer Elite VSX-72TXV, Carver PM-600, SVS PB2-Plus Subwoofer
dhsspeakerservice.com/ -
My biggest mistake was not keeping the backup offline.
-
So, does having your machine already encrypted prevent this?
BTW, if you do this, keep the key somewhere safe. If something happens, you'll need it to recover your files.
"The legitimate powers of government extend to such acts only as are injurious to others. But it does me no injury for my neighbour to say there are twenty gods, or no god. It neither picks my pocket nor breaks my leg." --Thomas Jefferson -
Having your computer encrypted does not prevent this. I know first hand with the company I work for. Lucky for us we have backups of everything so we can just reload and restore from the day before.
Klipsch The Nines, Audioquest Thunderbird Interconnect, Innuos Zen MK3 W4S recovery, Revolution Audio Labs USB & Ethernet, Border Patrol SE-I, Audioquest Niagara 5000 & Thunder, Cullen Crossover II PC's.
-
Here is an idea..seems to work too..Get 400 million in Swiss Francs..bundle it all on pallets..put it on a private unmarked jet covertly at night,and land it while your hostages are waiting...you will have em back in no time,once your jet has landed!..
-
Hey X....I have been under the impression that people and data are one in the same?...
-
Just curious, how much are they demanding, and in what form? I've heard that they ask for prepaid Visa cards, I guess so there's no online account to be traced.
Or they'll claim that they were offering a trial of home-based PC encryption software, and you simply decided to pay for it, all nice and legal. I'm sure they've covered all the bases with regards to keeping themselves anonymous either way. Hope it all works out for you.
So, are you willing to put forth a little effort or are you happy sitting in your skeptical poo pile?
http://audiomilitia.proboards.com/ -
I also would like to know the ransom amount. Is it secret?
Lumin X1 file player, Westminster Labs interconnect cable
Sony XA-5400ES SACD; Pass XP-22 pre; X600.5 amps
Magico S5 MKII Mcast Rose speakers; SPOD spikes
Shunyata Triton v3/Typhon QR on source, Denali 2000 (2) on amps
Shunyata Sigma XLR analog ICs, Sigma speaker cables
Shunyata Sigma HC (2), Sigma Analog, Sigma Digital, Z Anaconda (3) power cables
Mapleshade Samson V.3 four shelf solid maple rack, Micropoint brass footers
Three 20 amp circuits. -
I haven't clicked on the links they provided to find out the next steps including how much they want. I talked with a local computer guy who seemed familiar with this type of operation, and they said they'll probably want to be paid in bitcoin. He also thought they would send me the de-encryption code as no one would pay them if word got around that they stiffed people.
If bitcoin is what they want I'll have to work out how much risk I have to get it. Not sure how I'd pay for it except with a credit card, which puts that at risk.
It appears that I have gotten rid of the virus, if not the results of the file encryption. No new files I've saved have been encrypted since I ran the anti malware programs. I wonder if clicking on the links will infect my computer all over again?
I suppose there's only one way to find out . . . -
I'm sure you have been online to search how to remove this nasty bugger..
Try this http://www.virusresearch.org/zepto-file-extension-virus-removal/
Hope it helps
ATC SCM40's,VTL TL 2.5 Preamp,PSB Stratus Goldi's,McCormack DNA 500,McCormack MAP-1 Preamp,Pro-Ject Xtension 10 TT,Ortofon Cadenza Red/Nordost RedDawn LS Speaker cables, Bryston BDP-2, Bryston BDA-2,PS Audio AC-3 power cables -
Don't know that there is much you can do. After my latest laptop debacle that cost me 15 yrs of data/pics/movies/etc, I have seriously weaned myself down on the computer front. I just don't trust the crap anymore, at least when connected to a network. I've gone back to not automating so much, and being very careful when connected to the internet, and I'm a happier person for it. I'm now backing up regularly (I know, a little late now, right?).
I really believe we have come to depend way too much on computers.
Source: Bluesound Node 2i - Preamp/DAC: Benchmark DAC2 DX - Amp: Parasound Halo A21 - Speakers: MartinLogan Motion 60XTi - Shop Rig: Yamaha A-S501 Integrated - Shop Spkrs: Elac Debut 2.0 B5.2 -
All of my files (and wife's) are double backed up in alternating order a few weeks apart to protect against these ****$%3!*. We'll do this until the wife gets a new desktop, then the old machine will be disconnected from the Internet and become our document/image-only computer (still backing up in case of HD failure).
Review Site_ (((AudioPursuit)))
Founder/Publisher Affordable$$Audio 2006-13.
Former Staff Member TONEAudio
2 Ch. System
Amplifiers: Parasound Halo P6 pre, Vista Audio i34, Peachtree amp500, Adcom GFP-565 GFA-535ii, 545ii, 555ii
Digital: SimAudio HAD230 DAC, iMac 20in/Amarra,
Speakers: Paradigm Performa F75, Magnepan .7, Totem Model 1's, ACI Emerald XL, Celestion Si Stands. Totem Dreamcatcher sub
Analog: Technics SL-J2 w/Pickering 3000D, SimAudio LP5.3 phono pre
Cable/Wires: Cardas, AudioArt, Shunyata Venom 3 -
This is the reason I keep my photographs backed up in an external hard drive and a copy on DVDs. DVDs/Blu-rays are cheap and will retain the data for a long time.
All the other data on my computers gets backed up regularly on the external hard drive. It's the pictures that are most precious to me. Same goes for the documents. If you are writing a book/thesis, back them up on a DVD.
I am sorry it happened to you OP, but if you can digest the loss of data, just get a new hard drive and start fresh. Maybe implement a firewall at router level if you know where the hack came from. It doesn't prevent future attacks if the hackers use bouncing IP addresses, but at least you can block a single or a range of IPs.
Also, I would get law enforcement involved. Even just a police report is better than nothing.
Good luck
Sony BDP-S6500 | Raspberry Pi 2 | XBOX One S | Wii --> Yamaha RX-V667 --> Adcom 5006 bridged to 175 watts for front LCR -- >Front: Polk Audio RTi8s | Center: CSi5 | Side Surrounds: RTi4s | Rear surrounds: FXiA4s | Cheap 12" sub woofer|Samsung UN60KU6300 -