JPGs, too, usually. It's a nasty piece of work.

--

rk
-----Original Message-----
From: ProfoxTech [mailto:[email protected]] On Behalf Of Dave Crozier
Sent: Wednesday, October 07, 2015 9:57 AM
To: [email protected]
Subject: RE: Another new ransomware

Oh and just to keep the thread on some sort of VFP relevance, all the .dbf and 
.dbt files were encrypted as well as the CAD files, word and Excel documents.

Dave

-----Original Message-----
From: ProFox [mailto:[email protected]] On Behalf Of Dave Crozier
Sent: 07 October 2015 14:53
To: ProFox Email List <[email protected]>
Subject: RE: Another new ransomware

Kurt,
I noticed that the backups hadn't been done so set one going and it was that 
backup that we did the restore with.

As for the ransom amount (for Peter) I recall that it was about 13,000 Euros 
payable by bank transfer into a named Rumanian account so the recipients of the 
monies were obviously known so why couldn't the authorities apprehend the 
perpetrators? 

Sometimes international law enforcement and cross border co-operation is a sham.

Dave

-----Original Message-----
From: ProFox [mailto:[email protected]] On Behalf Of Kurt Wendt
Sent: 07 October 2015 14:49
To: [email protected]
Subject: RE: Another new ransomware

Hello again Dave,

Understood about your clients. I meant, folks here that were hit Personally - 
not their clients being hit. That's why I wrote that follow-up question. 

As for your client. Ouch - to have gotten warnings for months re: Backup failure 
and ignored it - that's pretty lame of them to have done. So - for all those 
80GB of CAD data - they only had to do 2 days of updates to them? And, if they 
were getting Backup errors for 3 months - then how did they only lose 2 days of 
work and not 3 months. Are you saying that some of the backups worked - while 
sometimes it failed?

I'm REALLY Bad at home - and I have not really done backups. I really SHOULD do 
that - and initiate some kind of ongoing backup plan. Since - something like 
this CryptoCrap could potentially be devastating OR Very Costly!

-K-

-----Original Message-----
From: ProfoxTech [mailto:[email protected]] On Behalf Of Dave Crozier
Sent: Wednesday, October 07, 2015 9:35 AM
To: [email protected]
Subject: RE: Another new ransomware

Kurt,
As I said, one of my clients got hit a couple of days after I had done a site 
visit to check they were doing regular backups.

As it turned out, the backups were failing and sending emails to everyone in 
the company letting them know they were at risk.  They had been ignoring them 
for over 3 months. When the Cryptolocker struck they thought of paying the 
ransom but after I convinced them they would lose only two days' work, they 
just restored the backup. It could have ended in total tears though as the 
malware had encrypted over 80Gb of AutoCAD floorplan drawings that they were 
totally dependent on being an Electrical engineering company. 

Needless to say, their backup regime is now working as it should.

I have heard of people who did pay the ransom and the decryption did work, but 
it certainly cost them!

Dave

-----Original Message-----
From: ProFox [mailto:[email protected]] On Behalf Of Kurt Wendt
Sent: 07 October 2015 14:28
To: [email protected]
Subject: RE: Another new ransomware

Thanks for your feedback Dave.

In the co. newsletter - one article mentioned a nasty story of a woman who paid 
the ransom - but, was struggling to do it on time - since I understand they do 
something if it's not paid timely - like increase the ransom price. 

I'd be curious to know if anyone here has actually gotten hit by it personally 
- and if they actually paid the ransom. Again - just curious...

-K-

-----Original Message-----
From: ProfoxTech [mailto:[email protected]] On Behalf Of Dave Crozier
Sent: Wednesday, October 07, 2015 9:17 AM
To: [email protected]
Subject: RE: Another new ransomware

Kurt,
The Cryptolocker ransomware only infected mapped drives (F:, G:.... etc) and if 
your shortcuts on the desktop and elsewhere were all based upon URLs then 
Cryptolocker did NOT spread the infection. I don't know about the new variants 
as they may well differ but I made a change on all my clients removing mapped 
drives completely and the two instances since doing this (on different clients) 
were restricted to local files.

Dave


-----Original Message-----
From: ProFox [mailto:[email protected]] On Behalf Of Kurt Wendt
Sent: 07 October 2015 14:12
To: [email protected]
Subject: RE: Another new ransomware

The co. where I work - they send out these monthly internal newsletters 
regarding security. The last newsletter centered around the Ransomware 
scandals. I know some folks here have discussed it in the past. Luckily I have 
never been personally hit by this type of Ransomware scandal on my home PC's. 
But, it sure is a good reason for everyone to have backups. The newsletter 
mentioned backups on an external drive - that is Not connected to your PC (only 
connect when running the backup). 

-K-

-----Original Message-----
From: ProfoxTech [mailto:[email protected]] On Behalf Of Paul Hill
Sent: Wednesday, October 07, 2015 3:52 AM
To: [email protected]
Subject: Another new ransomware

Hi All,

I found possible new ransomware at a site today.

There were many dbf files that had been renamed. For example:

HS_0WIN.DBF

was renamed to:

[email protected]

I tried renaming this file back but it was corrupt. Looking in the file it 
seemed scrambled (probably encrypted?).

I found these all over the place.  Did not find a ransom note.
I'm guessing 'hairullah' wants money to decrypt these.

Luckily this site had a backup only a few hours old.

--
Paul
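
A triage sketch for the situation in the first post of this thread (renamed .dbf files whose contents look scrambled), added here as an example and not code from any list member: it checks whether each candidate file still has a self-consistent DBF header and, if not, whether its bytes have the near-random entropy typical of encryption. The function names, the 7.5 bits/byte threshold and the rule of matching file names that contain ".dbf" or "@" are assumptions made for illustration; the sample table is constructed.

```python
import math, os, struct, sys
from collections import Counter

# Version bytes used by dBASE III/IV and FoxPro/Visual FoxPro tables.
DBF_VERSIONS = {0x03, 0x30, 0x31, 0x32, 0x83, 0x8B, 0xF5}

def looks_like_dbf(data: bytes) -> bool:
    """True if the 32-byte DBF header is self-consistent with the file size."""
    if len(data) < 33 or data[0] not in DBF_VERSIONS:
        return False
    nrec, header_len, rec_len = struct.unpack_from("<IHH", data, 4)
    expected = header_len + nrec * rec_len
    # Writers may or may not append the 0x1A end-of-file marker.
    return header_len >= 33 and len(data) in (expected, expected + 1)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits close to 8, table data far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data: bytes) -> str:
    if looks_like_dbf(data):
        return "intact"
    # Assumed threshold; very small files will score lower even if encrypted.
    if shannon_entropy(data[:4096]) > 7.5:
        return "likely-encrypted"
    return "not-a-table"

def make_sample_dbf() -> bytes:
    """Constructed sample: dBASE III table, one C(10) field, two records."""
    header = struct.pack("<BBBBIHH20x", 0x03, 115, 10, 7, 2, 65, 11)
    field = struct.pack("<11sc4xBB14x", b"NAME", b"C", 10, 0)
    return header + field + b"\x0d" + b" ALPHA     " + b" BRAVO     " + b"\x1a"

def scan(root: str):
    """Yield (path, verdict) for files named like tables or carrying an '@'."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if ".dbf" in name.lower() or "@" in name:
                path = os.path.join(folder, name)
                with open(path, "rb") as fh:
                    yield path, triage(fh.read())

if __name__ == "__main__":
    for path, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        if verdict != "intact":
            print(verdict, path)
```

Run against a share, the list of non-intact paths gives the set of tables to restore from backup.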
