Ransomware Crooks Offering Customer Service


UPDATE: 11/14/2013

The CryptoLocker Decryption Service allows victims to check the status of their “order” (the ransom payment) and complete the transaction. I am not making this up!

Those who paid the ransom (with either Green Dot cards or Bitcoins), but did not get the decryption key — or got one that didn’t work — can download it again.

Those who missed the 72-hour deadline can also get their key, but the price jumps from two Bitcoins to 10. At today’s market value, that’s nearly $4,000. And Green Dot is not accepted with this extended-deadline service.
CryptoLocker crooks launch new ‘customer service’ website for victims | Herb Weisbaum | NBC News contributor.

More info:

CryptoLocker Crew Ratchets Up the Ransom – krebsonsecurity.com

BleepingComputer.com CryptoLocker Ransomware Information Guide and FAQ


Ransomware 2.0 Comes to America

by Rob Cheng

This month, we were in Berlin for the VB100 and there was a presentation about Ransomware. As reported earlier this year, ransomware is alive and well in the US in the form of the DOJ and FBI viruses. The news is that the virus mafia has created a new version of ransomware more treacherous than the DOJ and FBI viruses. Instead of locking the computer and demanding payment, the virus first encrypts important files on the target computer, and then demands payment not for the computer but the data. At the time, the researchers reported that the virus was isolated to Russia. As soon as we returned from our trip, I discovered that our researchers had found the virus in the United States.

We have checked our statistics and we have found at least 6 instances of ransomware in the month of September alone. The binary is not signed, nor are the vendor or product fields populated. We refer to these viruses as anonymous. The file names appear to be random strings of either 4, 15 or 16 characters, and the file size varies but hovers around 300K. The only telling sign is that it installs in the roaming directory as opposed to one of the Windows or browser temporary directories.
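The indicators in the paragraph above (unsigned binary, empty vendor/product fields, random-looking file name of 4, 15 or 16 characters, size around 300K, running from the roaming directory) are exactly the kind of attributes a defender can turn into a triage score over an endpoint file inventory. The script below is an added example, not PC Matic's code: the FileRecord fields, the sample records and the size band of 200K to 400K are my own assumptions, and the vendor/product fields stand in for the PE version-info CompanyName and ProductName values. None of these traits is malicious on its own, so the script counts how many coincide and only flags records that hit a threshold.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class FileRecord:
    """One executable from an inventory export (assumed field names)."""
    path: str          # full path of the executable
    size_bytes: int
    signed: bool       # Authenticode signature present and valid
    vendor: str        # PE version-info CompanyName, "" if absent
    product: str       # PE version-info ProductName, "" if absent


# Observed traits from the post: name lengths 4/15/16, size "around 300K".
RANDOM_NAME_LENGTHS = {4, 15, 16}
SIZE_LOW, SIZE_HIGH = 200_000, 400_000   # assumed band around 300K


def name_stem(path: str) -> str:
    """Return the file name without directory or extension."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def looks_random(stem: str) -> bool:
    """Alphanumeric-only name whose length matches the observed set."""
    return (len(stem) in RANDOM_NAME_LENGTHS
            and re.fullmatch(r"[A-Za-z0-9]+", stem) is not None)


def in_roaming(path: str) -> bool:
    """True when the file lives under the user's AppData\\Roaming tree."""
    return "/appdata/roaming/" in path.replace("\\", "/").lower()


def score(rec: FileRecord) -> List[str]:
    """Collect the reasons a record resembles the described sample."""
    reasons = []
    if not rec.signed:
        reasons.append("unsigned")
    if not rec.vendor.strip() and not rec.product.strip():
        reasons.append("no vendor/product metadata")
    if looks_random(name_stem(rec.path)):
        reasons.append("random-looking name")
    if SIZE_LOW <= rec.size_bytes <= SIZE_HIGH:
        reasons.append("size near 300K")
    if in_roaming(rec.path):
        reasons.append("runs from AppData\\Roaming")
    return reasons


def flag_suspicious(records: List[FileRecord],
                    threshold: int = 4) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for records with at least `threshold` traits."""
    flagged = []
    for rec in records:
        reasons = score(rec)
        if len(reasons) >= threshold:
            flagged.append((rec.path, reasons))
    return flagged


# Constructed sample inventory: one record built to match every trait,
# one normal signed program, one unsigned installer in Temp, and a signed
# program that legitimately runs from Roaming.
SAMPLE_RECORDS = [
    FileRecord(r"C:\Users\alice\AppData\Roaming\Ab3kD9qwErT7zxP.exe",
               301_456, False, "", ""),
    FileRecord(r"C:\Program Files\Example Corp\app.exe",
               5_000_000, True, "Example Corp", "Example App"),
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\setup.exe",
               310_000, False, "", ""),
    FileRecord(r"C:\Users\alice\AppData\Roaming\Dropbox\bin\Dropbox.exe",
               90_000_000, True, "Dropbox, Inc.", "Dropbox"),
]

if __name__ == "__main__":
    for path, reasons in flag_suspicious(SAMPLE_RECORDS):
        print(path, "->", ", ".join(reasons))
```

With the sample inventory only the first record reaches the threshold; the unsigned installer in Temp scores three traits and the signed program in Roaming scores one, which is the point of scoring rather than matching any single attribute. In practice the threshold is a tuning knob: lower it for hunting, raise it for alerting.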

We ran the virus on a test machine and, before it delivers its messages, it spends hours encrypting files. The virus ranges between 0 and 50% processor utilization and the hard drive light is blinking although not pegged. During this time it is possible to continue normal operations, although performance suffers. Once the encryption process is finished, it delivers its payload.

I have talked to technicians in various parts of the US and they all know that there is a new threat upon us. Unfortunately, once the computer has been infected and the files have been encrypted, there is little technicians can do. This is different from ransomware 1.0, or other strains of viruses. Prior to ransomware 2.0, if you had been infected, security software could remove the virus and restore normal operation of the computer. In the security business, we call it remediation. With ransomware 2.0, there is no way to remediate the encrypted files. Worse yet, if the virus is removed from the system, there is no way to pay the ransom, so the files at that point are lost forever.

Make sure the Super Shield logo is present and green in the system tray to avoid ransomware.

I hope this is a wake-up call for the entire security industry. The industry has been over-focused on remediation instead of prevention. The only solution for ransomware 2.0 is to make sure the virus never runs on the target machine. Remediation is futile.

Ransomware 2.0 is a polymorphic virus, which means that it escapes traditional blacklist detection.

Note to PC Matic users. Because PC Matic’s security, called Super Shield, uses a white list and a black list, you are protected from ransomware, but you have to make sure Super Shield is properly enabled.
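The two paragraphs above make a claim worth seeing in code: a blacklist keyed on file hashes cannot keep up with a polymorphic virus, because every copy hashes differently, while a whitelist (default deny) blocks every copy because none of them is known-good. The script below is an added example and not Super Shield's implementation; the "binaries" are constructed byte strings, the polymorphic_variant function is a stand-in for a real polymorphic generator, and the combined policy is my reading of "uses a white list and a black list".

```python
import hashlib
from typing import Dict, Iterable, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables (arbitrary bytes, not real programs).
KNOWN_GOOD = b"MZ constructed-sample: signed text editor build 1"
KNOWN_BAD = b"MZ constructed-sample: ransomware build 1"

# Each list holds file hashes, the way a hash-based product would store them.
BLOCKLIST: Set[str] = {sha256_hex(KNOWN_BAD)}
ALLOWLIST: Set[str] = {sha256_hex(KNOWN_GOOD)}


def blocklist_permits(binary: bytes) -> bool:
    """Blacklist model: run anything whose hash is not known-bad."""
    return sha256_hex(binary) not in BLOCKLIST


def allowlist_permits(binary: bytes) -> bool:
    """Whitelist (default-deny) model: run only hashes that are known-good."""
    return sha256_hex(binary) in ALLOWLIST


def combined_permits(binary: bytes) -> bool:
    """Both lists (assumed policy): must be known-good and not known-bad."""
    h = sha256_hex(binary)
    return h in ALLOWLIST and h not in BLOCKLIST


def polymorphic_variant(binary: bytes, n: int) -> bytes:
    """Model a polymorphic generator: same payload, unique trailing bytes
    per copy, so every copy has a different hash."""
    return binary + b"\x00" * (n % 7) + n.to_bytes(4, "little")


def count_permitted(variants: Iterable[bytes]) -> Dict[str, int]:
    """How many of the given binaries each policy would let run."""
    variants = list(variants)
    return {
        "blocklist": sum(blocklist_permits(v) for v in variants),
        "allowlist": sum(allowlist_permits(v) for v in variants),
        "combined": sum(combined_permits(v) for v in variants),
    }


if __name__ == "__main__":
    # Ten fresh copies of the known-bad payload, none matching its hash.
    copies = [polymorphic_variant(KNOWN_BAD, i) for i in range(1, 11)]
    print("original sample blocked by blocklist:", not blocklist_permits(KNOWN_BAD))
    print("copies permitted per policy:", count_permitted(copies))
```

The blocklist stops the one sample it has seen and lets all ten repacked copies through; the allowlist lets none of them through without ever having seen them. The cost shows up on the other side: a rebuilt version of the legitimate editor is also denied until the allowlist is updated, which is why whitelisting products need a maintained catalogue of known-good software and a prompt when something new tries to run.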

Video: Step by step instructions for how to install and enable Super Shield.


12 thoughts on “Ransomware Crooks Offering Customer Service”

  1. Corky Rathbun: encryption is worthless if the malware is accompanied by a key logger. In this case, you may as well be typing your key directly onto a cracker's system. Dependable backups remain the only way to ensure your data is safe.

  2. I should have added: you should have 2 backups for all of your data. Only connect your backup drive(s) when backing up. And never try to backup an infected system (that's also part of the reason that you should have 2 backups, 1 done occasionally, and 1 done every time you put something valuable on your PC).

  3. This is a real threat. BACK UP YOUR FILES , including ALL pictures, music and documents to a SEPARATE portable hard drive or sd card or USB stick. ANYTHING will do. Just don't let them get your stuff!!! There is no repair as of yet. Only prevention.

  4. I ended up acquiring the Ransomware 2 version in late September…it started from an original email (POP3) I acquired linked to a finance website. A second email subject line stated “Oops! sent the wrong link!” by an email addressee that had the same addressee as the original, but with a couple of numbers attached to the name of the person. The email text was exactly identical to the first email. So was the “text” used for the link (for a downloadable PDF file).

    Thank God I had backed up my files to my DropBox on a weekly basis.

    After clicking the errant link, the errant “shield” came up, and I figured I could use uninstall, and/or any number of virus protectors I had on my computer–but they failed to start or even update…this ransomware also invades the BIOS and in “safe” mode. I could not even do a virus check from a flash drive (could not amend BIOS startup to access flash drive first). The ransomware prevents online downloads, and disallows any command or execute files. Family pictures and other documents were compromised and shown as having the virus.

    I accessed another computer to virus check my DropBox with five iterations of five different virus check programs, and found none. I had to completely reformat my computer to start over–it took three days, but I am back to where I was.

    I used to conduct a virus & system check weekly; now I do it daily, with a back up to DropBox once those virus/system scans are complete. I also have three “real time” virus checkers. I used MalwareBytes, TrendMicro “Housecall,” MS Security Essentials, and Advanced System Care Pro 7 to get me where I am at now.

    Advice: triple check, then backup, backup, backup to a secure online cloud server…(I am not using IMAP email–sorry, we lose a lot of electricity where I am at, and I need access for work).

  5. The easy fix for any type of malware remains using an image backup system. If your system becomes compromised, it takes minutes to restore everything to pre-infected state. Pay decent software now, or pay much more later on to start from scratch.

  6. Is this just another way to market Super Shield? What makes it sacred among the other white guards? I hate to sound cynical, but I heard this kind of story about Y2K, the end of Win95, Win98 the first "spyware" which wasn't new at all, and lots more, and if I had bought all those needless softwares, I wouldn't be able to afford this computer. BTW, the DOJ/FBI/NSA aren't viruses. They are reading our e-mails and the contents of our computers under color of "law". (WHAT law? We aren't in a state of Declared War…)

  7. BigWillystyle Andthe IllComunication

    Good question. It's like taking a proverbial step back into Vista, how we had to "Okay" every little thing we did.
