A crypto mess.

[Ahhzz]

So, a client called this morning with my worst nightmare: "There's this crypto thing on my computer. What do I need to do?" Small company, and really nice guy. I've heard this story before, but it was false alarms, so I'm not overly stressed.

He brings the laptop, and I start it up in safe mode, command prompt, playing it safe. No mouse or keyboard control. Ok, try again, no luck, with an external mouse. Fine. Safe mode. No change... Great. Ok, I use a thumb drive to bypass the MBR, and bring it up normal mode. the background is covered with "CTB_Locker", and I get a small frisson of dread.

I tell him I'll update asap, and head for my PC. Sure enough, that's a bad thing. And, his A/V caught it afterwards, so it could be even worse... Nope, this one's got a failsafe, and if your antivirus cleans it, it does allow you one chance to hop on TOR, and pass a key to their server for payment options. Great. Ok, he has backups, I checked it several weeks back. I call, and he brings it over.

The backup hasn't run since not long after the last time I was over. Great. That's a month and a half of data lost. I run the recovery. “The backup file contains unrecognized data and cannot be used”. The small frisson turns into "Oh, fvck me. " At this point, attempting a repair tool called NTbkup, and being not-very-hopeful. The last time I had the laptop in-house, I made a full image, but that's over a year ago. This is not going to end well....

 

[Sasqui]

And, his A/V caught it afterwards, so it could be even worse...

What A/V were they using? Up to date definitions?

I still have my main rig down thanks to a crypto virus. I'm diligent about backups and didn't lose anything of importance, but what the fuck. From all my research after that, if a file has been encrypted, it's game over. How it spilled into a backup so far back is puzzling, perhaps the backup problem isn't related? When it happened to my one system, it all happened at once. Where was the backup stored?

 

[OneMoar]

So, a client called this morning with my worst nightmare: "There's this crypto thing on my computer. What do I need to do?" Small company, and really nice guy. I've heard this story before, but it was false alarms, so I'm not overly stressed.

He brings the laptop, and I start it up in safe mode, command prompt, playing it safe. No mouse or keyboard control. Ok, try again, no luck, with an external mouse. Fine. Safe mode. No change... Great. Ok, I use a thumb drive to bypass the MBR, and bring it up normal mode. the background is covered with "CTB_Locker", and I get a small frisson of dread.

I tell him I'll update asap, and head for my PC. Sure enough, that's a bad thing. And, his A/V caught it afterwards, so it could be even worse... Nope, this one's got a failsafe, and if your antivirus cleans it, it does allow you one chance to hop on TOR, and pass a key to their server for payment options. Great. Ok, he has backups, I checked it several weeks back. I call, and he brings it over.

The backup hasn't run since not long after the last time I was over. Great. That's a month and a half of data lost. I run the recovery. “The backup file contains unrecognized data and cannot be used”. The small frisson turns into "Oh, fvck me. " At this point, attempting a repair tool called NTbkup, and being not-very-hopeful. The last time I had the laptop in-house, I made a full image, but that's over a year ago. This is not going to end well....

its done there is nothing we or anybody else can do for you sorry
his option is either to pay to assholes for the decrypt key or write it all off
let this serve as a warning to keep offline backups of all your critical data and test said backups weekly

 

[Frick]

let this serve as a warning to keep offline backups of all your critical data and test said backups weekly

That was what he did if I understood it correctly.

Anyway this is a wake up call. The place where I work has some backup (the really important stuff is on external services/companies anyway), but some stuff is sure in need of backups....

 

[OneMoar]

That was what he did if I understood it correctly.

if the backups where connected to a compromised machine at any point the first thing CBT does is nuke them and render then unrecoverable most likely they have been zero-filled

 

[Ahhzz]

What A/V were they using? Up to date definitions?

I still have my main rig down thanks to a crypto virus. I'm diligent about backups and didn't lose anything of importance, but what the fuck. From all my research after that, if a file has been encrypted, it's game over. How it spilled into a backup so far back is puzzling, perhaps the backup problem isn't related? When it happened to my one system, it all happened at once. Where was the backup stored?

He was using AVG, full version. I just helped him get it running properly again a few months ago. I think the backup is unrelated, altho the "My documents" that I manually pushed there 2 months ago "just because" are encrypted as well. No, I think it was just bad timing, and somehow his backup drive got turned off. If it was the older Crypto, there's a possible decrypter out there, but this this one is a Game Over scenario...

its done there is nothing we or anybody else can do for you sorry
his option is either to pay to assholes for the decrypt key or write it all off
let this serve as a warning to keep offline backups of all your critical data and test said backups weekly

No, I know. I didn't come looking for help. It was a more a Monday-morning-bitch session Not going to be a good day.... *sigh*

 

[OneMoar]

it really baffles me how people end up with this crap on there machines
I literally quit using AV/Firewalls 5 years ago
the only form of protection I use is ghostly/Adblock+ and if I am super paranoid I disable scripting ...

 

[Frick]

it really baffles me how people end up with this crap on there machines
I literally quit using AV/Firewalls 5 years ago
the only form of protection I use is ghostly/Adblock+ and if I am super paranoid I disable scripting ...

I actually thank the maker everyday people in general are not like you.

 

[Ahhzz]

It doesn't really baffle me so much as bemuse me. I've not had an Antivirus for longer than I remember. I did run ZoneAlarm before they sold out, and I've used Comodo since then, but on my newest server pc, I haven't loaded anything. some people just can't not click on an attachment in an email, just in case.....

 

[OneMoar]

It doesn't really baffle me so much as bemuse me. I've not had an Antivirus for longer than I remember. I did run ZoneAlarm before they sold out, and I've used Comodo since then, but on my newest server pc, I haven't loaded anything. some people just can't not click on an attachment in an email, just in case.....

its a matter of basic netsense
don't run strange binarys
don't download attachments from people you don't know
don't install random browser toolbars
ect ect
I am sure some idiot will chime in about how you only need to visit a compromised url to be infected and that's a load of whorseshite
that is a terrible terrible infection vector for a would be attacker and if you are stupid enough not to recognize a "shady" site at a glance then you deserved to get whammed

 

[Sasqui]

altho the "My documents" that I manually pushed there 2 months ago "just because" are encrypted as well.

Fuck

 

[Ahhzz]

Fuck

Exactly....

Update. Using ntbkup, I am able to see the files and folders that are available on the backup. The bad news is that it goes in alphabetical order. And while I have the "c:\documents and settings\user\desktop...\", it appears to have failed somewhere in the middle of "c:\documents and settings\user\local settings\application data\temporary internet files\content.ie5\..." which means it never made it to the "M"s.... No "My documents".... I think it really is a Monday.

 

[OneMoar]

Exactly....

Update. Using ntbkup, I am able to see the files and folders that are available on the backup. The bad news is that it goes in alphabetical order. And while I have the "c:\documents and settings\user\desktop...\", it appears to have failed somewhere in the middle of "c:\documents and settings\user\local settings\application data\temporary internet files\content.ie5\..." which means it never made it to the "M"s.... No "My documents".... I think it really is a Monday.

don't attempt to work on backups using the compromised system jesus ....
move the backups to a isolated non networked machine preferably a VM
CBT will nuke any backups it can get its hands on the AV isn't gonna stop it it will also spread to any connected storage media including network shares
it is one of the better written pieces of ransomware treat it like nitroglycerin

 

[Moofachuka]

dunno, try this https://noransom.kaspersky.com/ might have a chance :/ GL

 

[Ahhzz]

don't attempt to work on backups using the compromised system jesus ....
move the backups to a isolated non networked machine preferably a VM
CBT will nuke any backups it can get its hands on the AV isn't gonna stop it it will also spread to any connected storage media including network shares
it is one of the better written pieces of ransomware treat it like nitroglycerin

<----- not a complete moron. I'm working on a computer that I just reloaded last week for a client. Easy enough to wipe out and reload, and my thumb drive is waiting for a format as soon as I'm done moving files to the "recovery" box. I'm using a standalone "ntbkup" program, open source, designed to pull the data out, as much as possible. thanks for the input tho.

dunno, try this https://noransom.kaspersky.com/ might have a chance :/ GL

thanks, saw that earlier, but this one is specifically CTB-Locker (that's an A/V company attempting to make some cash dealing with preventing it, but no real popups,a nd they do have a good detailed explanation ). This Guy broke it apart, and discovered that once the app encrypts the data, the Master key is no longer located on the computer, and can't be reverse-engineered from the "freemium" option to decrypt 5 for free. Thanks tho

 

[Moofachuka]

<----- not a complete moron. I'm working on a computer that I just reloaded last week for a client. Easy enough to wipe out and reload, and my thumb drive is waiting for a format as soon as I'm done moving files to the "recovery" box. I'm using a standalone "ntbkup" program, open source, designed to pull the data out, as much as possible. thanks for the input tho.


thanks, saw that earlier, but this one is specifically CTB-Locker (that's an A/V company attempting to make some cash dealing with preventing it, but no real popups,a nd they do have a good detailed explanation ). This Guy broke it apart, and discovered that once the app encrypts the data, the Master key is no longer located on the computer, and can't be reverse-engineered from the "freemium" option to decrypt 5 for free. Thanks tho

sorry couldn't help...

If your client ever restores his stuff, make sure he gets malware bytes installed. I heard somewhere this can detect crypto/ransomwares before they trigger. (premium version not the free version though)

 

[Ahhzz]

sometimes they are quicker about this sort of thing than the A/V companies. I've got several clients that run MBAM, from back before they stopped the Lifetime License. Unfortunately, this client wasn't running that. Data recovery is looking pitiful. It looks like there are files on the desktop that I can get, but most of the rest of his data will have to be recovered from over a year ago when I made a full backup to this drive and an image on our shop drive.

I dread making this phone call....

 

[OneMoar]

sometimes they are quicker about this sort of thing than the A/V companies. I've got several clients that run MBAM, from back before they stopped the Lifetime License. Unfortunately, this client wasn't running that. Data recovery is looking pitiful. It looks like there are files on the desktop that I can get, but most of the rest of his data will have to be recovered from over a year ago when I made a full backup to this drive and an image on our shop drive.

I dread making this phone call....

nothing you did if he gets pissy let me know it was his fault

 

[Sasqui]

nothing you did if he gets pissy let me know it was his fault

I doubt that'll make them feel any better :/

 

[rtwjunkie]

sometimes they are quicker about this sort of thing than the A/V companies. I've got several clients that run MBAM, from back before they stopped the Lifetime License. Unfortunately, this client wasn't running that. Data recovery is looking pitiful. It looks like there are files on the desktop that I can get, but most of the rest of his data will have to be recovered from over a year ago when I made a full backup to this drive and an image on our shop drive.

I dread making this phone call....

It's tough having to convey bad news, especially about something as big as this is for your client.