1. cruelsister

  2. Tony Cole

    So, cruelsister, this is a new one starting in the wild?
  3. Tornado

  4. cruelsister

    It was initially discovered in Germany (the original ransom message was in German) at the very end of October.

    As the malware began appearing in the USA in late November, an English translation was added (at 1:17 of the video look to the upper right of the ransom screen- you have the option of choosing the message to be displayed in either German or English); USA servers to download the "decrypter" were also added (the server used in the video was from New York). They seemingly are still modifying the original ransomware, as a number of different variants are popping up, including a new one that is VM aware (by using the GetTickCount Win32 API).
  5. SloppyMcFloppy

    All these malware creators should go to hell.
     
  6. done

    I'm working on a Windows 7 Pro machine that was caught by ransomware. The system had ESET Smart Security on it. I ran scans with the ESET boot CD and msert.exe, but none of them detected it. I had to remove it manually by renaming the file and deleting the tasks.

    The problem is that all the files were encrypted with no way to restore them. It even encrypted all the files in System Restore.
    Does anyone have an idea how to get these files back?

    Thanks
  7. Tony Cole

    #7 Tony Cole, Dec 3, 2015
    So VM aware- what does that mean: it will not run, or it will trash the system? I've read that you can either pay, or, if you are an IT expert, join their program. Such lovely people.

    Cruelsister, you have mentioned on many occasions that virtualization is the way forward; is that also for home users? I've been looking at FireEye Endpoint Security; is that any good?
  8. cruelsister

    Tony- There is a misconception regarding VM-aware malware, in that many think that it will break out of containment. This isn't the case at all- the malware instead will query the environment that it is running in, and if it determines that it's in a VM it will just shut down. It does this in order to make the user think it is harmless, so that he (and certainly not a "she"!) will then run it on a real system and get infected.

    Malware can use numerous methods to detect VMs- from simple things like looking for running processes of stuff like Vbox or VMware, to things like what a Chimera variant did: it measures the time lapse (via GetTickCount) between a series of actions, and if they are slower than expected (as VMs are less powerful than actual machines) it will terminate.

    About FireEye- it is certainly extremely good, but as it works through an appliance and one must pay for multiple seats, it really is a Corporation-only product (and quite expensive). For home users Comodo is in my opinion the best choice, as with the proper settings it will just "Do" and not "Ask". Make no mistake- Comodo can also be breached- but only with extreme difficulty and under certain circumstances. AV products are a great deal easier to bypass.

    Done- Some encryptors are poorly coded and actually store the encryption key on your computer, where it can be fished out; but these are rare and you would have to know exactly what your infection was. But generally, if you had System Restore turned off and don't have any external backups, your files are lost. I'm really sorry.
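    The post above describes two ways malware decides it is inside a VM: looking for hypervisor processes such as VBox or VMware, and timing a series of actions through GetTickCount. As an added example (not code from this thread, from cruelsister, or from any product mentioned here), the following Python static-triage helper is the kind of thing an analyst runs over a suspicious sample before trusting a quiet sandbox detonation: it looks for the timing APIs, process-enumeration APIs and VM-artifact strings in a sample's import names and strings, groups them by category, and explains how much weight each category carries. The indicator lists and the sample bytes are constructed for illustration; the bytes are not a real binary, only what a strings or import dump of one would show.

```python
import re
from collections import defaultdict

# Indicator lists (assumptions for illustration, not an exhaustive signature set).
# Timing APIs: the post notes a Chimera variant timing actions via GetTickCount.
TIMING_APIS = (b"GetTickCount", b"GetTickCount64", b"QueryPerformanceCounter", b"timeGetTime")
# VM artifacts: hypervisor process and vendor names (the post mentions Vbox and VMware).
VM_ARTIFACTS = (b"VBoxService", b"VBoxTray", b"vmtoolsd", b"VMwareTray", b"vmware", b"VBOX")
# Process-enumeration APIs that are typically paired with the artifact strings.
ENUM_APIS = (b"CreateToolhelp32Snapshot", b"Process32First", b"Process32Next")


def scan_indicators(data: bytes) -> dict:
    """Return {category: sorted list of matched indicator names} for raw sample bytes.

    Matching is case-insensitive and also covers UTF-16LE encodings, because
    Windows binaries frequently store process names as wide strings.
    """
    hits = defaultdict(set)
    categories = {"timing": TIMING_APIS, "vm_artifact": VM_ARTIFACTS, "proc_enum": ENUM_APIS}
    for category, needles in categories.items():
        for needle in needles:
            wide = needle.decode().encode("utf-16-le")
            for pattern in (re.escape(needle), re.escape(wide)):
                if re.search(pattern, data, re.IGNORECASE):
                    hits[category].add(needle.decode())
    return {c: sorted(v) for c, v in hits.items()}


def triage(data: bytes) -> str:
    """Turn the hits into an analyst-facing verdict.

    A timing API on its own is weak evidence (benign software calls GetTickCount
    constantly); timing plus process enumeration, or any explicit VM artifact,
    is what justifies detonating on a hardened or bare-metal box instead.
    """
    hits = scan_indicators(data)
    if "vm_artifact" in hits:
        return "likely VM-aware: explicit VM artifact strings"
    if "timing" in hits and "proc_enum" in hits:
        return "possibly VM-aware: timing API + process enumeration"
    if "timing" in hits:
        return "weak: timing API only (common in benign code)"
    return "no anti-VM indicators found"


# Constructed sample bytes standing in for a suspicious PE's import names and strings.
SAMPLE_VM_AWARE = (
    b"KERNEL32.dll\x00GetTickCount\x00CreateToolhelp32Snapshot\x00Process32Next\x00"
    + "vboxservice.exe".encode("utf-16-le")  # wide string, as a real binary would store it
)
SAMPLE_BENIGN = b"KERNEL32.dll\x00GetTickCount\x00CreateFileW\x00WriteFile\x00"

if __name__ == "__main__":
    for name, blob in (("vm-aware sample", SAMPLE_VM_AWARE), ("benign sample", SAMPLE_BENIGN)):
        print(name, "->", scan_indicators(blob), "|", triage(blob))
```

    The point of the three-tier verdict is the one the post makes implicitly: a sample that goes quiet in a sandbox is not proven harmless, so indicators like these are a reason to re-run it on a non-virtualised analysis host, not a conviction on their own.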
  9. done

    Thanks for your answer and help.
    It is a customer machine that I'm trying to recover. System Restore was not turned off, but the virus encrypted all the previous versions as well. I've never seen ransomware that managed to encrypt previous versions.

    I'm going to try DiskDigger; I had luck with it once.

    Thanks for your awesome work

    Regards
  10. cruelsister

    I hope that UAC was either turned off or at less than Default. This will allow many things to trash Restore points. Another possibility is malware that works like my Chaos scriptor by ignoring UAC altogether; that would be very, very bad.
     
  11. done

    Now I think I understand what happened.
    The files of the crypto were created in May 2015, and I have restore points from June to August 2015.
    Conclusion: the infection was in May this year; they occasionally used the computer until August and then left it aside until now. All the restore points were created after the infection, and that's why the previous versions were infected.

    And yes, UAC is disabled; however, now we know why the restore points were infected.

    Now I find it hard to understand how ESET does not have it in its database after 6 months.

    Kind Regards
  12. Der.Reisende
