
Guys, I have encountered this ransomware in two different cases but can't seem to find a solution to it. I have tried using standalone antivirus apps, but they can't heal the encrypted files; the only option was to do a file restore and format the infected machine. Has anyone encountered this, and how did you solve it? [image: Inline image 1]

Make sure users are not using administrative accounts when browsing and using their emails. The malware deletes files as it encrypts the others; you can decrypt some and undelete the deleted files.

On 2/6/15, wa via skunkworks <skunkworks@lists.my.co.ke> wrote:
> Guys, I have encountered this ransomware in two different cases but can't seem to find a solution to it. I have tried using standalone antivirus apps, but they can't heal the encrypted files; the only option was to do a file restore and format the infected machine.
> Has anyone encountered this, and how did you solve it? [image: Inline image 1]
--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
jgichuki at inbox d0t com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://chuksjonia.blogspot.com/

Undelete the deleted files? How can this be?

On Fri, Feb 6, 2015 at 5:34 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
> Make sure users are not using administrative accounts when browsing and using their emails.
> The malware deletes files as it encrypts the others; you can decrypt some and undelete the deleted files.
--
Kind Regards,
Walter Nyamweya
Cell: 0725 011 515
Skype: wanangu

http://it.slashdot.org/story/15/01/07/0513203/inside-cryptowall-20-ransomwar...

On Fri, Feb 6, 2015 at 7:58 PM, wa via skunkworks <skunkworks@lists.my.co.ke> wrote:
> Undelete the deleted files? How can this be?
_______________________________________________
skunkworks mailing list
skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------
Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke

@gisho, that was a very interesting read, thanks for sharing!

On Sat, Feb 7, 2015 at 1:12 AM, gisho via skunkworks <skunkworks@lists.my.co.ke> wrote:
> http://it.slashdot.org/story/15/01/07/0513203/inside-cryptowall-20-ransomwar...

That is really scary.

On Sat, Feb 7, 2015 at 1:16 PM, Peter Karunyu via skunkworks <skunkworks@lists.my.co.ke> wrote:
> @gisho, that was a very interesting read, thanks for sharing!
--
Kind Regards,
Walter Nyamweya
Cell: 0725 011 515
Skype: wanangu

Best way to deal with cryptoware ... pay the guy, decrypt, painfully back up each file and folder to a clean drive (this step makes sure you don't copy over the infecting file), format your drive, restore only important files from the backup drive ... Please note that not many antiviruses (if any) know how to deal with these.

On Sat, Feb 7, 2015 at 2:12 PM, wa via skunkworks <skunkworks@lists.my.co.ke> wrote:
> That is really scary.
-- GG

On 09/02/2015 08:35, geoffrey gitagia via skunkworks wrote:
> Best way to deal with cryptoware ... pay the guy, decrypt, painfully back up each file and folder to a clean drive (this step makes sure you don't copy over the infecting file), format your drive, restore only important files from the backup drive ... Please note that not many antiviruses (if any) know how to deal with these.

This is bad advice IMO. Automatic backups are fairly easy to set up, and paying the ransom shouldn't even be considered.

@Mark, that's probably the best, but I was talking of being proactive and how not to get hit. But also remember some ransomware can lie in wait till it's activated (delayed attack).

https://forums.malwarebytes.org/index.php?/topic/134999-quick-qustions-about...
https://nakedsecurity.sophos.com/2013/11/04/cryptolocker-ransomeware-crooks-...
http://www.reddit.com/r/Malware/comments/2tgqp8/new_software_to_detect_encry...

On Mon, Feb 9, 2015 at 9:25 AM, Mark Kipyegon via skunkworks <skunkworks@lists.my.co.ke> wrote:
> This is bad advice IMO.
> Automatic backups are fairly easy to set up, and paying the ransom shouldn't even be considered.
-- GG
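Geoffrey's third link is about software that detects encryption activity, and Gichuki noted earlier that the malware encrypts files in place while deleting others. The script below is an added example from the editor, not code from anyone in the thread: the simplest heuristic a defender can run over a file share, flagging files whose bytes have ciphertext-like entropy yet lack the header their extension promises. The magic-byte table, the 7.0 bits/byte threshold, and the sample directory (built with SHA-256 output standing in for ciphertext) are all constructed for the example.

```python
"""Heuristic scan for files that look ransomware-encrypted (added example, constructed data)."""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Leading bytes that files of the declared type always start with (example table, not exhaustive).
MAGIC = {".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04", ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff"}
TEXT_EXTS = {".txt", ".csv", ".log", ".ini"}
ENTROPY_THRESHOLD = 7.0  # bits/byte: plain text sits near 4-5, ciphertext near 8 (assumed cutoff)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: str) -> bool:
    """True when the file's bytes contradict what its extension promises."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(65536)  # the first 64 KiB is enough for the heuristic
    if ext in MAGIC:
        # zip/jpg payloads are high-entropy too; the header check keeps them from being false positives
        return not head.startswith(MAGIC[ext]) and shannon_entropy(head) > ENTROPY_THRESHOLD
    if ext in TEXT_EXTS:
        return shannon_entropy(head) > ENTROPY_THRESHOLD
    return False  # unknown type: no opinion

def scan_tree(root: str) -> list[str]:
    """Sorted relative paths under root whose content looks encrypted."""
    return sorted(os.path.relpath(os.path.join(d, f), root)
                  for d, _, files in os.walk(root) for f in files
                  if looks_encrypted(os.path.join(d, f)))

def pseudo_ciphertext(label: str, n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed, not real encryption)."""
    blocks = (hashlib.sha256(f"{label}:{i}".encode()).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def build_sample_tree(root: str) -> None:
    plain = b"Quarterly report. Revenue was flat; costs rose 3%.\n" * 80
    samples = {
        "report.txt": plain,                                # intact text
        "budget.docx": b"PK\x03\x04" + plain,               # intact document
        "photo.jpg": b"\xff\xd8\xff" + pseudo_ciphertext("jpg", 4096),  # high entropy, valid header
        "notes.txt": pseudo_ciphertext("notes", 4096),      # encrypted in place
        "invoice.pdf": pseudo_ciphertext("invoice", 4096),  # encrypted in place
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

def demo() -> list[str]:
    """Build the constructed sample share in a temp dir and return the suspect files."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)
```

Run on a real share, the hit list is what you would feed a pipeline that freezes the share and alerts; the jpg case shows why entropy alone is not enough.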

Here is a sure way of doing it:
http://www.computerworld.com/article/2485214/microsoft-windows/cryptolocker-...

On Mon, Feb 9, 2015 at 9:51 AM, geoffrey gitagia <ggitagia@gmail.com> wrote:
> @Mark, that's probably the best, but I was talking of being proactive and how not to get hit. But also remember some ransomware can lie in wait till it's activated (delayed attack).
> https://forums.malwarebytes.org/index.php?/topic/134999-quick-qustions-about...
> https://nakedsecurity.sophos.com/2013/11/04/cryptolocker-ransomeware-crooks-...
> http://www.reddit.com/r/Malware/comments/2tgqp8/new_software_to_detect_encry...
-- GG

Is it possible to share how the two machines were infected?

On Mon, Feb 9, 2015 at 11:18 AM, geoffrey gitagia via skunkworks <skunkworks@lists.my.co.ke> wrote:
> Here is a sure way of doing it:
> http://www.computerworld.com/article/2485214/microsoft-windows/cryptolocker-...

In most of the forensics I have been in, the executable came via email, from a server in Nigeria. Once the user clicks it, the malware quietly executes and starts its operation, which runs for a while. It's mostly phishing as the initial attack vector.

On 2/10/15, christian kisutsa via skunkworks <skunkworks@lists.my.co.ke> wrote:
> Is it possible to share how the two machines were infected?
--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
jgichuki at inbox d0t com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://chuksjonia.blogspot.com/
Participants (7): christian kisutsa, geoffrey gitagia, Gichuki John Chuksjonia, gisho, Mark Kipyegon, Peter Karunyu, wa