This is the first in what is going to be a series of posts on cybercrime, the web and ransomware in particular. I hope that I get my files back, but I’m not counting on it. In any case I’m going to hit them with everything I can and bring this stuff to light as much as possible.
I was stupid. I let an executable make changes to my hard drive without knowing what it was. Well, to be honest, once the dialog box was running I wasn’t given much choice: I couldn’t interrupt the process or close the dialog box. In any case the ransomware did the nasty across my files, encrypting almost all of them. It’s frightening when your background goes black and you see this:
@@@@@@@ NOT YOUR LANGUAGE? USE https://translate.google.com
@@@@@@@ What happened to your files ?
@@@@@@@ All of your files were protected by a strong encryption with RZA4096
@@@@@@@ More information about the en-Xryption keys using RZA4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
@@@@@@@ How did this happen ?
@@@@@@@ !!! Specially for your PC was generated personal RZA4096 Key , both publik and private.
@@@@@@@ !!! ALL YOUR FILES were en-Xrypted with the publik key, which has been transferred to your computer via the Internet.
@@@@@@@ !!! Decrypting of your files is only possible with the help of the privatt key and de-crypt program , which is on our Secret Server
@@@@@@@ What do I do ?
@@@@@@@ So , there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way
@@@@@@@ If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment
Your personal ID: F0868A2DEE40
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 -http: //pa5subrtdppfkbqr.onion.to
2 -http: //pa5subrtdppfkbqr.onion.cab
3 -http: //pa5subrtdppfkbqr.onion.city
If for some reasons the addresses are not available, follow these steps:
1 – Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2 – After a successful installation, run the browser
3 – Type in the address bar -http://pa5subrtdppfkbqr.onion
4 – Follow the instructions on the site
Be sure to copy your personal ID and the instruction link to your notepad not to lose them.
Cry and panic. Then do what I always do and evaluate the damage and plan recovery. There’s no point in being angry and upset for very long. It doesn’t help. Google the problem and look for solutions. And don’t worry, you haven’t lost as much as it first seems.
The saving grace is that while many of my crucial files, my resume and the like, are backed up, some of those backups are on old computers. So I’m not dead in the water. I also had a fair number of copies of my pictures and videos on the old computer, which is a good thing. A clear copy is the only reliable way out of this, but for a less clever reason than you might hope: a backup simply replaces the encrypted file. Holding the plaintext of some files does not get you the key for the rest. Against a properly implemented modern cipher, a known plaintext/ciphertext pair tells you nothing about the key, so the backed-up files are recovered by restoring them, not by turning them into a decryptor for the others. Decryptors appear when a family’s implementation is flawed or its keys leak, not because victims hold originals. Still, this is more than a nuisance for the home user or small business.
So what should you do? I’m going to assume that you were as stupid as I was and had a big chunk of your stuff in open folders on one computer. At this point you can pay the Danegeld and hope, or take stock and find out just how bad it is. Break it down into must-have, mission-necessary files; good-to-have but not critical; and files you don’t care about. If you don’t have backups of the first category, pay; $500 is too small an amount to risk losing them over. Bear in mind that paying buys you, at best, a decryptor written by the same people who encrypted you, so keep a copy of the encrypted files before running it. If the loss is in the second category, it’s iffy. If the majority of the loss is in the third category, who cares.
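Taking stock is the step that decides whether you pay, so here is how I would script it. This is an added example, not code from the post. The note on this page does not say which ransomware family this is, so it assumes the malware appended an extra extension to each file rather than replacing the name (`.xyz` in the sample data), and the entropy cut-off of 7.5 bits per byte, the short list of file signatures and the sample tree are my assumptions. It walks the hit directory and a backup directory and sorts each file into intact, encrypted but recoverable from the backup, or lost, then lists the losses that match your must-have patterns.

```python
"""Triage a ransomware-hit directory tree: which files are still readable,
which are encrypted but have a clean copy in a backup, and which are lost.
Added example, not the post's own code; the family is unidentified, so the
appended extension, thresholds and signature list below are assumptions."""
import fnmatch
import hashlib
import math
import tempfile
from pathlib import Path

# Header bytes for a few formats. An intact JPEG or ZIP is high-entropy too,
# so the header is checked before entropy for these. (Assumed, short list.)
MAGIC = {
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
KNOWN_TEXT = {".txt", ".csv", ".md"}  # plain text: entropy alone decides
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off (ciphertext is ~7.95)
SAMPLE_BYTES = 4096      # the head of the file is enough to classify it


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def original_name(path: Path) -> str:
    """Drop one trailing extension the malware appended (report.pdf.xyz ->
    report.pdf). Assumes the family appends; a multi-part name such as
    archive.tar.gz would be mis-stripped, which only affects the label."""
    known = set(MAGIC) | KNOWN_TEXT
    if len(path.suffixes) >= 2 and path.suffix.lower() not in known:
        return path.name[:-len(path.suffix)]
    return path.name


def looks_encrypted(path: Path) -> bool:
    """Header mismatch for a known format, or near-random bytes otherwise."""
    head = path.read_bytes()[:SAMPLE_BYTES]
    magic = MAGIC.get(Path(original_name(path)).suffix.lower())
    if magic is not None:
        return not head.startswith(magic)
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def triage(hit_dir: Path, backup_dir: Path) -> dict:
    """Bucket every file under hit_dir. A backup copy only counts if it is
    itself readable, since an attached backup drive may have been hit too."""
    report = {"intact": [], "recoverable": [], "lost": []}
    for p in sorted(hit_dir.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(hit_dir).with_name(original_name(p))
        copy = backup_dir / rel
        if not looks_encrypted(p):
            report["intact"].append(rel.as_posix())
        elif copy.is_file() and not looks_encrypted(copy):
            report["recoverable"].append(rel.as_posix())
        else:
            report["lost"].append(rel.as_posix())
    return report


def critical_losses(report: dict, patterns) -> list:
    """The 'lost' files whose names match the owner's must-have patterns."""
    return [f for f in report["lost"]
            if any(fnmatch.fnmatch(Path(f).name, pat) for pat in patterns)]


def build_demo(root: Path):
    """Constructed sample tree standing in for a hit machine and an old backup."""
    hit, backup = root / "hit", root / "backup"
    (hit / "docs").mkdir(parents=True)
    backup.mkdir()
    # deterministic pseudo-random bytes standing in for ciphertext
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    (hit / "docs" / "report.pdf.xyz").write_bytes(noise)           # encrypted, no copy
    (hit / "resume.txt.xyz").write_bytes(noise)                    # encrypted, copy exists
    (hit / "part.sldprt").write_bytes(b"\x00\x01" * 2048)          # untouched binary
    (hit / "notes.txt").write_text("plan recovery\n" * 200)        # untouched text
    (hit / "logo.png").write_bytes(MAGIC[".png"] + b"\x00" * 100)  # header intact
    (backup / "resume.txt").write_text("Name: ...\n" * 50)
    return hit, backup


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        hit, backup = build_demo(Path(tmp))
        return triage(hit, backup)


if __name__ == "__main__":
    result = demo()
    for bucket, files in result.items():
        print(bucket, files)
    print("critical losses:", critical_losses(result, ["resume*", "*.pdf"]))
```

Run it against a real tree by calling `triage(Path("C:/Users/you"), Path("E:/old-backup"))` with the backup drive mounted read-only. The header check matters more than the entropy number: a JPEG or a ZIP that is still intact scores almost as high as ciphertext, and very small files give an unreliable entropy estimate, so treat the "intact" list as a first pass and open a few of the files to confirm.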
The other thing to remember is that you are not alone. There are services out there that do recovery from this. And even if no decryptor has been published yet for the variant that hit you, one often turns up later, when the family’s keys leak or a flaw in its implementation is found.
So there are people, whom you will never meet, helping you for no other motivation than that they can make money helping people. Then there are the organizations who don’t like losing data and have every interest in making sure that data gets restored. So all is not lost. Even if the decryption isn’t available now, it more than likely will be soon.
Remember too that the files were encrypted, not destroyed: the data is still sitting on the disk, and if a decryptor for this family does appear it can be run against the copies you kept. So it’s better to think of your files as being stored for a while, not gone. Even if they are gone, well, you have to clean up from time to time anyway. In a year you won’t care. Life goes on.
In my case, the mission-critical files were my resume, which was backed up on two different memory sticks and another computer, and my Solidworks files, which the malware didn’t even see. It was amazing to see my part and assembly files still there, unencrypted, amongst the encrypted PDF printouts. Frankly, as far as viruses go this was fairly benign. It even seems to have deleted itself, more or less, once it was done. I’m amazed it took the malware people this long to figure out that having an executable stay resident is not a very good idea, because the file can be decompiled and all sorts of interesting things found out about the creators.
So what can you do to prevent this sort of thing? Realistically, not much. Yes, you can catch most of it with firewalls and security software, but there’s always that stupid mistake, those bad ads that never go away unless you push the button, the strange dialog box that locks up your computer. You have to be alert, but in the end there will be a slip-up. The best thing you can do is make backups of your mission-critical files, store your images off the drive and keep copies on plug-in drives. Keep those drives unplugged except while you are actually copying to them: ransomware encrypts every drive and mapped share it can reach, so a backup that is permanently attached is just another set of files to lose. That way, when the mistake happens, you don’t have to panic. You may not save everything, but that’s not all bad.
Now as to whether the cyber criminals will ever pay any penalty. It’s hard to tell.
I would like to believe that these people are not as anonymous as they would like to believe, but that’s just dreaming. The only thing you can do is not pay and hope that they stop because they can’t make any money, but that’s not going to happen soon. In any case I don’t have $500 to pay them right now, so for me the point is moot. Be careful and don’t let this happen to you.