Encryption Virus from Russia (Important warning)

DrXthirst (thread starter, Join Date: March 2006)
I work for a local IT company and in the past month we've seen several computers with the (self-named) "Russian Encryption Virus."

It's easy to identify: when you turn on your computer and try to access any files, you'll receive a message that says they're corrupted. There will also be 3 new files both on your desktop and in your documents: a picture, a text file, and a web page. All three are instructions on how to receive the decryption key to decrypt your files. It's very well documented; they tell you what has happened to your computer, how to fix it, what happens if you don't pay them, etc.

Here's the problem: there is no fix. We have called the FBI in regards to the multiple computers we've seen surface with the issue recently and emailed them a file from the computer. We were told that if the data was important enough, the customer should pay to have their data decrypted.

One thing we have noticed is that the encrypted files are also being uploaded to backup software like Mozy, Dropbox, Carbonite and more -- rendering their backups useless.

As of now, we're taking the hard drives out of people's computers, marking them and storing them in the event that a decryption method is found. We'll then install a brand new hard drive and install a new operating system for them, advising them to be careful what they click on.

We haven't been able to identify what the people are downloading that's causing it to spread, but this is more than I've seen in the past 8 years of IT work. Upon asking the customers what they were doing before it happened, the answers were widespread from reading emails to checking Facebook to watching YouTube, so it's up in the air.

As unfortunate as it may be, the only solution we have right now is to pay if your data is that important. We have had a company whose server was encrypted and they paid the $500, then another lady who had pictures of her children and her price was $750 because she waited longer than necessary to bring the computer in to us.

I will leave you with this: after you pay, they add your IP address to a whitelist so as not to hit it again... BUT your ISP most likely only temporarily leases your WAN IP address (the one they whitelist), and it is subject to change, meaning you can be hit by them again.

The best protection that you can have is to make sure that you don't have an inefficient, economy ($20 from Walmart) router, make sure that the firewall in your router is turned on and ports are being blocked, that the firewall and antivirus on your computer are turned on, and be careful what you download. Make sure if you download something that it's a legitimate program coming from a legitimate website. Be smart about your emails and Facebook messages; don't click on a link from someone just because you think they sent you something that says it's really cool.

Paying for the decryption key will get your data back, but nobody wants to drop $750 for no real reason and it doesn't guarantee that you won't be hit again.

Just know that different viruses seem to come and go in waves and this is the one that's hitting right now.
 
Operating System: Windows
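The post describes two things a technician can check for on a suspect machine: a set of three ransom-note files (a picture, a text file and a web page sharing one name) dropped into Desktop and Documents, and user files that still carry their old names but no longer open. The script below is an added example for this thread, not DrXthirst's or his company's tooling. The note file name HOW_TO_DECRYPT and the sample user files are constructed stand-ins; the post does not name the real note files. One caveat a practitioner will want: Shannon entropy alone mislabels already-compressed formats (docx, pdf, jpg) as encrypted, so those are checked against their fixed header bytes instead and entropy is used only for formats without a signature.

```python
"""Triage for the symptoms described in the post (added example, constructed data):
ransom-note triplets in Desktop/Documents, and user files whose contents no
longer match what their extension promises."""
import math
import os
import tempfile

# Formats whose first bytes are fixed. A .docx that no longer starts with the
# ZIP signature has been overwritten, it is not merely "corrupted".
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04", ".pdf": b"%PDF", ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8",
}
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
WEB_EXT = {".htm", ".html"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; English text sits around 4 to 5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: str) -> bool:
    """Header mismatch for signed formats; entropy for everything else."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(65536)
    if ext in MAGIC:
        return not head.startswith(MAGIC[ext])
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def find_ransom_notes(root: str) -> list[str]:
    """Stems present in Desktop or Documents as image + .txt + web page."""
    hits = set()
    for folder in ("Desktop", "Documents"):
        d = os.path.join(root, folder)
        if not os.path.isdir(d):
            continue
        by_stem: dict[str, set[str]] = {}
        for name in os.listdir(d):
            stem, ext = os.path.splitext(name)
            by_stem.setdefault(stem, set()).add(ext.lower())
        for stem, exts in by_stem.items():
            if exts & IMAGE_EXT and ".txt" in exts and exts & WEB_EXT:
                hits.add(stem)
    return sorted(hits)


def find_suspect_files(root: str) -> list[str]:
    """Relative paths of user files that look encrypted, skipping the notes."""
    notes = set(find_ransom_notes(root))
    out = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[0] in notes:
                continue
            full = os.path.join(dirpath, name)
            if looks_encrypted(full):
                out.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(out)


def build_fixture() -> str:
    """Constructed sample profile, not real malware output. HOW_TO_DECRYPT is a
    hypothetical note name; the post does not give the real ones."""
    root = tempfile.mkdtemp(prefix="ransomware_triage_")
    ciphertext = bytes(range(256)) * 16  # uniform bytes, entropy exactly 8.0
    note_txt = b"Your files are encrypted. Pay to receive the key.\n"
    note_html = b"<html><body>Your files are encrypted.</body></html>"
    files = {}
    for folder in ("Desktop", "Documents"):
        files[f"{folder}/HOW_TO_DECRYPT.png"] = MAGIC[".png"] + b"\x00" * 64
        files[f"{folder}/HOW_TO_DECRYPT.txt"] = note_txt
        files[f"{folder}/HOW_TO_DECRYPT.html"] = note_html
    files["Documents/report.docx"] = ciphertext  # overwritten Office file
    files["Documents/letter.txt"] = ciphertext   # overwritten text file
    files["Documents/budget.pdf"] = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    files["Documents/notes.txt"] = b"Meeting moved to Thursday, bring the numbers.\n" * 4
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    r = build_fixture()
    print("ransom notes:", find_ransom_notes(r))
    print("suspect files:", find_suspect_files(r))
```

Run against a real profile by pointing `find_ransom_notes` and `find_suspect_files` at the user's home directory (read-only; nothing is modified). A clean PDF passes because its header is intact, while an overwritten .docx is flagged even though both compressed and encrypted content would look random to an entropy check alone.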
ZMOT
If this is the same virus I'm thinking of, it has been cracked.

https://www.decryptcryptolocker.com/
 
ZMOT
> I'm hoping so.
> I will have one of the technicians down at our other office take a look at it, upload some files and I'll let you know.
>
> If so, I'll PM you about where we'll go from here for helping us out! Thanks!

Good luck man. I hope it works out for you guys.
 
DrXthirst
That didn't work, none of the Kaspersky tools have worked either.
 