Don't get this virus vCryptolocker

Ok. Bear with me, I'm weak on encryption knowledge.

Are you saying that the act of decrypting the files doesn’t actually happen on the local machine, instead is pushed to the C&C, decrypted, then sent back to the local machine?

My assumption was that they were pulling down the private key and decrypting on the victim machine…even though that is far and wide against encryption best practices.

From what I understand about this: you get infected -> files get encrypted with a public key generated from the C&C -> when you pay to decrypt, it sends down the private key from the C&C, which decrypts the files locally.

We've had students pay for these types of schemes before. It's 50/50 whether your bank/CC company will refund you the money. One student was out $80.

Get an Amex; they will drop any charge for any reason.

In this specific case people had luck working with MoneyPak directly, saying the money was redeemed by the wrong person.

300 is cheap if it’s all your shit anyways

Ok, yeah, I see what you're saying. The point is, you would never see the private key until they've already got your money. We're on the same page now.

Yes, pretty much you're fucked.

And when the C&C server gets killed, you're fucked.

And if you uninstall it or AV removes it after encryption, you're fucked.

It's really great design from a money-making point of view, and it's already being added onto other malware as an additional thing that gets installed.

We have departments lining up to pay these people

Lots of “ID 10 T” users over there at Duke, huh?

We do a lot of security awareness and phishing stuff, and we try not to blame users.

All this money gets spent on security and compliance; you can't expect users to be experts in malware detection.

It’s funny the number of technical people we pop doing phishing attacks on large companies.

Obviously there are some exceptions, straight up downloading Keygen.exe and running it, but most of the time it's browser or third-party based vulnerabilities.

It's really about building a defendable network that can mitigate threats, or at least contain them and allow easy detection.

It’s a numbers game. Awareness works, but in the end a few people will always end up clicking. If the message ends up in thousands of inboxes, even if 1% of people click, you still just infected 10 machines. You cannot get 100% of people to NOT do it. It’s unrealistic. What else is unrealistic? 100% detection rates on A/V, 100% detection rates on email spam filters, etc…

It’s not the users’ faults that they are CONSTANTLY under attack… They’re just trying to get their jobs done.

The best part of all of this? October is National Cyber Security Awareness Month, and we have been constantly going around to different work areas warning people about phishing attempts…

Government shutdown; awareness is canceled.

HAHA http://www.staysafeonline.org/ncsam/ Is still up (unlike NIST, but I doubt NCSA is a gov’t org anyways). We’re still rolling with the activities that we had planned. I would venture to guess that most organizations (I know mostly of EDUs only) are still rolling with their plans.

I’ll update this thread too when I get the results. I expect the guy paying to sweat it out for 2+ days while it decrypts then all good and forgotten…till the next infection. LOL

Try this after his shit decrypts

Find out what software is outdated

Well, he has an admin account with no password; when I saw that a lil red flag went up. haha

It installs in user space and is usually the result of a phish. No vuln needed. Just a click-happy user.

Little more info. Looks like my Group Policy for this, should help.

TraderBASE had a coworker get this and the person paid to decrypt; guess it worked.

And we have our first customer to get hit. It managed to find their external drive with all their business documents too.

Kaspersky has a tool out that is supposedly able to decrypt. We've not tried it yet…


Every drive attached to the machine is fair game

Someone try the Kaspersky tool: http://support.kaspersky.com/viruses/deblocker