Re: [H] Ransomware, File Recovery, Bitcoin, Oh My!

2018-07-19 Thread Joe User
This is a great time to reinforce the need to do backups. Since it's a 
sensitive thing - you need to judge how to deliver the news but it's 
critical. Now more than ever before.


Couple of things. I'd save the data - LATER you might be able to get the 
drive unlocked. Don't allow them to waste the money on the unlock. The 
way I understand it, it's infrequent that they actually unlock it. In 
fact, by now the point at which they could be contacted might have been 
already shut down or compromised (more likely) by other 'hackers'. Just 
do not give in to paying. Better to wait. JMHO.


I got lucky with a client that got hit with this; about a year earlier I 
really was adamant that they get into some sort of automated backup. 
They took an online (sorry, CLOUD) backup that I was able to resell. It 
paid for itself FOUR times over (so far)! Anyway, sorry for you & client.



On 7/18/2018 3:00 PM, Thane K. Sherrington wrote:
I know someone with no backups who recently had his entire computer 
encrypted with the .arrow variant of Dharma (.cezar Family).  (BTW, this 
isn't me.)


There is apparently no way to decrypt without paying the ransom or 
recovering deleted files.


So two questions:

1) Does anyone know if the ransomware encryption encrypts the file to a 
new file, then deletes the old one (giving me the possibility of deleted 
file recovery)?  If so, what software is recommended for a Windows NTFS 
system (so far, Recuva and R-Studio have found squat).


2) If he decides to pay the ransom and take his chances, what are legit 
sites to purchase bitcoin (never done that before)?


T





Re: [H] Ransomware, File Recovery, Bitcoin, Oh My!

2018-07-19 Thread Scott Sipe
My office was hit by this exact same kind of attack. It came in through RDP
over a nonstandard port. Started encrypting a multi-terabyte network share
before I physically pulled the plug. Luckily had a backup from 24h before.
Lesson: RDP exposed anywhere on the internet is NEVER safe. All covered
with VPN and IP restrictions now.

Sigh.

Scott

On Wednesday, July 18, 2018, lopaka polena wrote:

> I do use RDP frequently but never through default ports. Bummer there's no
> way to fix it without paying and no guarantee even if you pay. I still do
> hardcopy backups onto blu-ray discs at times because I can't afford to lose
> certain things to NAS failure or malware
>
> lopaka
>
> On Wed, Jul 18, 2018 at 5:14 PM, Thane K. Sherrington <
> th...@computerconnectionltd.com> wrote:
>
> > There are a whole bunch of free decryptors available, but not for this
> > variant.  Basically, when the criminal group gets taken down, often they
> > get the key and then the AV company makes a freeware program for people.
> > Very nice of them.
> >
> > Some useful pages I've found during this mess:
> >
> > https://id-ransomware.malwarehunterteam.com/index.php
> >
> > https://heimdalsecurity.com/blog/ransomware-decryption-tools/
> >
> > T
> >
> >
> > On 18-Jul-18 6:50 PM, lopaka polena wrote:
> >
> > > https://support.kaspersky.com/viruses/utility
> > >
> > > Never tried any of these but did read an article where they tested some
> > > of these and were able to recover some users' files
> > >
> > > lopaka
> > >
> > > On Wed, Jul 18, 2018 at 2:30 PM, Winterlight <winterli...@winterlight.org>
> > > wrote:
> > >
> > > > > 1) Does anyone know if the ransomware encryption encrypts the file to
> > > > > a new file, then deletes the old one (giving me the possibility of
> > > > > deleted file recovery)?  If so, what software is recommended for a
> > > > > Windows NTFS system (so far, Recuva and R-Studio have found squat).
> > > >
> > > > I am surprised it encrypted the entire drive. Everything I have read,
> > > > or been told, it involved the user files. I have never heard of a
> > > > single instance where the victim was able to recover their files
> > > > without the key. I have read about people who pay up but still don't
> > > > get the key, which didn't surprise me. Even large companies, hospitals,
> > > > and government agencies have been unable to overcome this, and usually
> > > > pay up. I bet a lot of IT employees lose their jobs over being so
> > > > unprepared to deal with this.
> > > >
> > > > > 2) If he decides to pay the ransom and take his chances, what are
> > > > > legit sites to purchase bitcoin (never done that before)?
> > > >
> > > > I have read that the ransom note often tells the victim how to go
> > > > about getting and transferring bitcoin. Which makes a lot of sense
> > > > given that bitcoin is so esoteric and most of the victims are naive
> > > > about basic PC stuff. I have also heard of bitcoin machines in places
> > > > like NYC. There are legit banking sites online to do this... I would
> > > > Google it. I understand that it is Citibank, I think, that now deals
> > > > with bitcoin.
> > > >
> > > > Sorry I don't have the answers you are looking for, and too bad they
> > > > can't put these criminals in prison for a very long time.
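The lesson in Scott's post (RDP reachable from the internet on a non-standard port, since restricted to VPN and allow-listed IPs) can be audited and enforced on the Windows host itself. The script below is an added example written for this page, not code from anyone in the thread. It assumes a placeholder VPN range of 10.8.0.0/24 and a Windows host with the NetSecurity module (Windows 8 / Server 2012 and later); the rule display name 'Block RDP from non-VPN' is likewise an arbitrary choice.

```powershell
# Added example (not from the thread): audit and tighten inbound RDP exposure
# on a Windows host. Run in an elevated PowerShell session.
$VpnSubnet = '10.8.0.0/24'   # ASSUMED allow-list; replace with your VPN/management range

# 1. Read the port RDP actually listens on. The attack in the thread came in over a
#    non-standard port; moving the port does not hide the service from a port scan,
#    so the audit below keys on whatever port is configured, not on 3389.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
$nla     = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
Write-Host "RDP listens on TCP $rdpPort; Network Level Authentication enabled: $($nla -eq 1)"

# 2. Find every enabled inbound allow rule that opens that port (or all ports) to
#    any remote address. These are the rules that make the host reachable from the
#    internet as soon as anything upstream forwards the port.
$openRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        ($pf.Protocol -eq 'TCP') -and
        ((@($pf.LocalPort) -contains "$rdpPort") -or ($pf.LocalPort -eq 'Any')) -and
        ($af.RemoteAddress -eq 'Any')
    }

Write-Host "Inbound allow rules exposing TCP $rdpPort to any address:"
$openRules | Select-Object DisplayName, Profile | Format-Table -AutoSize

# 3. Scope those rules to the VPN subnet rather than deleting them, so RDP keeps
#    working for users on the VPN and for nobody else.
foreach ($rule in $openRules) {
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $VpnSubnet
    Write-Host "Scoped '$($rule.DisplayName)' to $VpnSubnet"
}

# 4. Make sure the default inbound action is Block on every profile. An explicit
#    block rule is NOT used here because Windows Firewall evaluates block rules before
#    allow rules, and a block-from-Any would cut off the VPN users as well.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block

# 5. Require Network Level Authentication so a client must authenticate before it
#    gets a session, which removes the pre-auth attack surface of the RDP login screen.
if ($nla -ne 1) {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
    Write-Host 'Enabled Network Level Authentication for RDP-Tcp'
}
```

The host firewall is only half of the fix: the script cannot see a port-forward on the perimeter router or a cloud security group, so the same allow-list (VPN range only, never 0.0.0.0/0) has to be applied there as well, and the scoped rules should be re-checked after any role install or Windows feature change that might recreate an allow-from-Any rule.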