Wednesday 2 March 2016

Giving in to Cryptowall


A few days ago a company laptop belonging to my employer was hit with the Cryptowall 4.0 ransomware. Typically when this happens we (the IT support department) salvage as much un-encrypted data from the device as possible, combine this with any other sources of user data that we have (backups, user data on network shares, USB pens etc.), berate the user on poor security habits, and then reformat the device.

However, in this case the laptop belonged to a senior member of the organisation, and with no recent backups and only a smidgen of the device data being salvageable, the decision was made to do the unthinkable - pay the ransom.
This post will simply be a write-up of my experience recovering the data, mixed with a few thoughts along the way.

Damage investigation.
The particular variant that infected this device marked all encrypted file-names with an additional "*.mp3", so "report.doc" became "report.doc.mp3".
Confusingly, mp3 files were also given this additional extension:
"coldplay - clocks.mp3" became "coldplay - clocks.mp3.mp3"
A quick search through the user's area for "*.*.mp3" got over 77,000 matches - the virus not only encrypts folders like "Documents" and "Desktop", but indeed the entire user area, including the "Appdata" folder and all its sub-folders.
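As an added example (not part of the original post, and not the author's own tooling), the following Python script performs the "*.*.mp3" inventory described above over a copy of a user area: it reports how many files carry the appended extension, which original extensions were affected, which folders were touched, and which plain .txt/.png/.html files sit next to encrypted files (after the encryptor has run, those are the likely ransom notes). The directory layout and the README.* note filenames it builds are constructed for the demonstration; the real note names are not given in the post.

```python
import json
import os
import tempfile
from collections import Counter
from pathlib import Path

# Suffix this variant appended to every encrypted file ("report.doc" -> "report.doc.mp3").
ENCRYPTED_SUFFIX = ".mp3"
# The ransom notes were dropped in three formats per folder; the post does not give their
# filenames, so only the extensions are used to spot them.
NOTE_SUFFIXES = {".txt", ".png", ".html"}


def is_encrypted_name(name: str) -> bool:
    """Match the '*.*.mp3' pattern: a real extension must precede the appended .mp3.
    A genuine mp3 with a dot in its basename ("my.song.mp3") is a false positive, so the
    result is a triage list, not proof that a file was encrypted."""
    if not name.lower().endswith(ENCRYPTED_SUFFIX):
        return False
    stem = name[: -len(ENCRYPTED_SUFFIX)]
    return Path(stem).suffix != ""


def original_name(name: str) -> str:
    """Strip the appended suffix to recover the filename the decryptor should restore."""
    return name[: -len(ENCRYPTED_SUFFIX)] if is_encrypted_name(name) else name


def triage(root) -> dict:
    """Walk a user area and summarise the damage. Only folders that contain at least one
    encrypted file are considered hit, and only un-encrypted .txt/.png/.html files inside
    those folders are reported as ransom-note candidates."""
    root = Path(root)
    encrypted, note_candidates, dirs_hit = [], [], set()
    by_ext = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        hit_here = [f for f in filenames if is_encrypted_name(f)]
        if not hit_here:
            continue
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        dirs_hit.add(rel_dir)
        for f in hit_here:
            encrypted.append((Path(rel_dir) / f).as_posix())
            by_ext[Path(original_name(f)).suffix.lower()] += 1
        for f in filenames:
            if f not in hit_here and Path(f).suffix.lower() in NOTE_SUFFIXES:
                note_candidates.append((Path(rel_dir) / f).as_posix())
    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        "by_original_ext": dict(by_ext),
        "dirs_hit": sorted(dirs_hit),
        "note_candidates": sorted(note_candidates),
    }


def build_sample_tree() -> str:
    """Create a constructed user area in a temp dir mirroring the post's observations.
    README.* stands in for the note files; the real names are not given in the post."""
    root = Path(tempfile.mkdtemp(prefix="cw_triage_"))
    layout = {
        "Documents": ["report.doc.mp3", "budget.xlsx.mp3",
                      "README.txt", "README.png", "README.html"],
        "Music": ["coldplay - clocks.mp3.mp3", "README.txt", "README.png", "README.html"],
        "AppData/Roaming/App": ["cache.dat.mp3"],
        # An untouched folder: its plain notes.txt must not be reported as a ransom note.
        "Pictures": ["holiday.jpg", "notes.txt"],
    }
    for folder, names in layout.items():
        d = root / folder
        d.mkdir(parents=True, exist_ok=True)
        for n in names:
            (d / n).write_bytes(b"constructed sample content")
    return str(root)


if __name__ == "__main__":
    # Point triage() at a real (copied, read-only) user area; the sample tree is for illustration.
    print(json.dumps(triage(build_sample_tree()), indent=2))
```

The per-extension counts tell you which data types were lost and where to look for alternative copies (network shares, mail attachments, USB pens), and the "dirs_hit" list shows whether profile folders such as AppData were touched, which matters when deciding whether the profile is worth salvaging at all. Run it against a copy of the data rather than the live machine.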

The ransom.
Mixed into each folder within the user's area was a text document (.txt), an image (.png) and a webpage document (.html) containing instructions on how to recover the data.
Within the instructions are three .onion links which, as the documents explain, link to a Tor-based website unique to each victim with further details on payment. Here's mine:



The initial ransom is set to 1.2 Bitcoin - this automatically doubles after a week.
As you can see, the scammers also include a self-explanatory "Decrypt 1 file for FREE" service. This does actually work.
Also included is a "Support" page where you can supposedly contact the scammers.

Buying Bitcoin
In order to have any chance of getting the files back the ransom needs to be paid. The extortionists insist upon the bitcoin crypto-currency as the payment method. Purchasing bitcoin is not as easy as one may presume. Bitcoin is typically sold through web-fronted exchanges; however, many of these exchanges have strict rules regarding bitcoin purchase. Most appear to have limits on first-time purchases of less than 1/2btc or 1btc; this is unsuitable for us as our ransom is 1.2btc.

Of those that don't, some offer appalling exchange rates or ridiculous (5 day+!) turnarounds. I tried purchasing through Cubits, but they require a video call to chat and a copy of my passport - I personally wasn't comfortable sharing this with them.

Eventually I found a site called "localbitcoins.com"; this site facilitates the direct trade of bitcoins between site members, with the inbuilt insurance of an escrow service. Localbitcoins also includes an integrated bitcoin wallet within the account (so there's no need to make another one).
I picked the member "fatguyslim", as he was currently online, had good community feedback, was apparently based in the UK, offered a reasonable transfer rate and quoted a turnaround time of 20-30 minutes.
Similarly to the exchanges, Fatguyslim insisted on a rather draconian verification system: a photo of my driving licence alongside my debit card with a handwritten message, and then a personal Skype session. One does question how a currency with a following of users who pride themselves on anonymity consents to such requirements; however, with my identification thoroughly confirmed, Fatguyslim passed me the account name for a seemingly fake business front, along with a sort code, account number and reference code.
I paid the £429 directly into this account through a bank transfer; fortunately his account supported the UK "faster payment" system, so it took less than 5 minutes for him to confirm receipt. True to his word, Fatguyslim deposited the bitcoin into my localbitcoins wallet. Though the ransom was 1.2btc, I purchased 1.3btc to cover any additional fees or currency fluctuations.

Paying
With the money in my wallet I confirmed with my organisation's senior that this was definitely what they wanted to do (and that I would be reimbursed regardless of the result), then filled in the form on localbitcoins to send the coin and submitted:


The fun thing about bitcoin is that, by design, you can actually watch and track all transactions passing through bitcoin (although there are methods of obfuscating coin locations - such as coin 'tumbling' services, which perform a sort of digital money laundering service).
If you copy the address or the wallet number from above and enter them into a site such as www.coinbase.com you should be able to see my transaction. Here it is alongside the other transactions that make up the bitcoin 'block' (my transaction is highlighted in red):

In the above shot the transfer is still "unconfirmed"; after 10 minutes or so the status changed to "confirmed".
As verification of payment the scammers require you to input the transaction id into their Tor web-portal:

The transaction id is presumably checked against the information on the bitcoins deposited into their wallet. The scammers appear to generate individual wallets for each victim. (I am currently watching the one I paid into and will update with what happened to the coin when it gets moved.)
After a nerve-racking "Pending" for 20 minutes, the payment was accepted and I was presented with the decryption key and a link to a zip file:

Decryption
The zip file contains the "decrypt.exe" application; in action this is what it looks like:

Once you enter the decryption key the tool lets you decrypt specific files, entire directories, or "All", which attempts to scan the entire machine for encrypted files. The "All" function seems to scan the first drive partition.

I also do not suggest ever using any system which has been compromised in this way, or that has had the decryption tool run on it. Instead I strongly recommend reformatting any media that was in any way exposed to this virus.


Final thoughts

I wasn't particularly happy about paying the ransom and decrypting the files, not just because of the £429 of wasted money, but also because of the precedent it sets - as well as directly funding criminals, paying off ransomware in this way encourages more individuals to create more tools of this nature.
Defending against this form of virus isn't actually radically difficult; at a computer-management level, effective application execution restrictions and correct user privileges would have made this infection impossible.
In my opinion, organisations that suffer from this form of infection repeatedly should, instead of paying up to crooks, invest the money into more effective security solutions, be that hardware, software or even just employee security training.



Notes: The true decryption keys and transaction IDs are used in this post; I don't believe posting them publicly will compromise me or my employer in any way. I have chosen not to omit them as they could potentially be useful to individuals looking to defeat this program.