Ransomware: It’s Christmas

This is a post series on cyber crime. For more posts click here or the cybercrime tag below.

I got the best thing to happen to me this year. Kaspersky released an updated Rannoh decryptor. I'm running it now and it seems to be working.

https://support.kaspersky.com/viruses/disinfection/8547#block3

Update:
Sorry this is on Monday, but between Christmas, family and running Rannoh on several passes, I didn't get any blogging done. The software works. Most of my files are now decrypted, and I suspect that the ones that didn't, with an exception I will note, were trashed when the ransomware encrypted the files in the first place. I've noticed that the same files in multiple folders did not decrypt. Well, the error rate is low enough to be acceptable, and with thousands of read, encrypt, save, read, decrypt, save cycles, the error rate will show up.

That isn't to say that Rannoh is perfect. Perhaps my biggest peeve is that it's all or nothing. You can't use it to scan individual folders and drives, and setting up for a scan is not intuitive. I understand that Rannoh is free and done by the people at Kaspersky on a part-time basis. The user interface still does need work. The big peeve, and more than likely this is an issue with the algorithm that the ransomware uses rather than the decryptor, is that files under 9 kb or so do not seem to decrypt. I've seen this happen across several file formats, and every file that has a small file size did not decrypt.

In any case, some file recovery is better than losing everything. In the long run, getting back together is the important thing. Now I can move forward with the various blogging projects that were trashed by this. I now have access to thousands of pictures that I didn't have last week.

One thing that's rather important: before doing any updates on your OS or anti-malware software after you've been hit with ransomware, make sure that you keep a copy of the ransom note on a separate SD card, thumb drive or removable disk. The security update might see the ransom note as a Trojan file, which it is, and delete all of them. The problem is that those files contain your public key, and you need that key to decrypt. So save a copy off the computer until the time comes, so it's available when you need it.
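One way to do that preservation step in a repeatable way, as an added example that is not part of the original post or of Kaspersky's tool: the script below walks a victim folder tree, copies one verbatim copy of every distinct ransom note to a destination on removable media, and writes a SHA-256 manifest recording every location each note was found in. The note filename pattern (`HOW_TO_DECRYPT*.txt`), the folder names and the note contents are all constructed for the demo; real families drop notes under different names, so pass the pattern you actually see on disk.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_ransom_notes(src_root, dest_root, patterns):
    """Copy every ransom note under src_root into dest_root (one copy per unique
    content) and return a manifest mapping sha256 -> list of original locations.

    Keeping one copy per distinct content matters because some notes embed a
    per-victim ID that the decryptor needs, and a machine may carry more than one.
    """
    src_root, dest_root = Path(src_root), Path(dest_root)
    dest_root.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for pattern in patterns:
        for note in src_root.rglob(pattern):
            if not note.is_file():
                continue
            digest = sha256_file(note)
            locations = manifest.setdefault(digest, [])
            if not locations:
                # First time this exact content is seen: keep a verbatim copy,
                # prefixed with part of the hash so distinct notes never collide.
                shutil.copy2(note, dest_root / f"{digest[:16]}_{note.name}")
            locations.append(str(note.relative_to(src_root)))
    # Manifest lets you verify later that the preserved copies are unmodified.
    lines = [f"{d}  {loc}" for d, locs in sorted(manifest.items()) for loc in locs]
    (dest_root / "MANIFEST.sha256").write_text("\n".join(lines) + "\n")
    return manifest


def demo():
    """Constructed sample tree: the same note dropped into two folders, plus a
    variant carrying a different (made-up) victim ID. Returns
    (number_of_unique_notes, number_of_locations_recorded)."""
    work = Path(tempfile.mkdtemp())
    victim = work / "victim"
    note_a = "Your files are encrypted. ID: CONSTRUCTED-ID-0001\n"  # constructed
    note_b = "Your files are encrypted. ID: CONSTRUCTED-ID-0002\n"  # constructed
    for folder, text in (("Pictures", note_a), ("Documents", note_a), ("Documents/Tax", note_b)):
        d = victim / folder
        d.mkdir(parents=True, exist_ok=True)
        (d / "HOW_TO_DECRYPT.txt").write_text(text)        # hypothetical note name
        (d / "photo.jpg.locked").write_bytes(b"\x00" * 16)  # not a note; must be skipped
    # Destination stands in for the removable drive the post recommends.
    manifest = preserve_ransom_notes(victim, work / "usb_stick" / "ransom_notes",
                                     ["HOW_TO_DECRYPT*.txt"])
    return len(manifest), sum(len(v) for v in manifest.values())


if __name__ == "__main__":
    unique, locations = demo()
    print(f"{unique} distinct ransom notes preserved from {locations} locations")
```

Run it once before letting the OS or antivirus update touch the disk; afterwards, `sha256sum -c MANIFEST.sha256` style checks against the copies confirm nothing was altered while they sat on the stick.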

What have I learned from this? Well, the first is to maintain backups and keep them separate from the computer. I was lax and kept my backup removable drive plugged in because it was convenient. Well, it was convenient for the ransomware too. In my case, 90% of what was encrypted was stuff that was never going to be edited, so why not dump it onto DVDs, the same DVDs that I have sitting right next to the computer. I went through months of anguish because I didn't do a roundtuit. The last is don't despair or panic. There are people like Kaspersky working to make it easy to decrypt the stolen files. You will get your stuff back. Unless the situation is urgent, don't pay up. Before you do, check with Bleeping Computer and other places that I've listed in this series to see if a decryptor is already available. The crooks are depending on you panicking. So don't. Just be aware that the internet is a bad neighborhood and take precautions. And do not despair.

This post has excellent advice on hardening yourself against ransomware.

https://www.bleepingcomputer.com/news/security/how-to-protect-and-harden-a-computer-against-ransomware/

The week in ransomware:

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-23rd-2016-cryptxxx-koolova-cerber-and-more/
