
New Internet Scam - ‘Ransomware’ Locks Computers, Demands Payment


31 replies to this topic

#1 OFFLINE   Nick

Nick

    Keep going - don't give up!

  • DBSTalk Club
  • 21,352 posts
  • Location: The Beautiful Golden Isles of Coastal Georgia
Joined: Apr 23, 2002

Posted 27 August 2012 - 10:58 AM

New “drive-by” virus on the Internet carries fake threat and fine — purportedly from the FBI.

From www.FBI.gov:

Citadel Malware Continues to Deliver Reveton Ransomware in Attempts to Extort Money

08/07/12—The IC3 has been made aware of a new Citadel malware platform used to deliver ransomware named Reveton. The ransomware lures the victim to a drive-by download website, at which time the ransomware is installed on the user’s computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States federal law. The message further declares the user’s IP address has been identified by the Federal Bureau of Investigation as visiting websites that feature child pornography and other illegal content.

To unlock the computer, the user is instructed to pay a fine to the U.S. Department of Justice using a prepaid money card service. The geographic location of the user’s IP address determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud.

This is an attempt to extort money with the additional possibility of the victim’s computer being used to participate in online bank fraud. If you have received this or something similar, do not follow payment instructions. Infected computers may not operate normally. If your computer is infected, you may need to contact a local computer expert for assistance to remove the malware.

It is suggested that you:

  • File a complaint at www.IC3.gov.
  • Seek out a local computer expert to assist with removing the malware.


Image of fake FBI notice here


#2 OFFLINE   dpeters11

dpeters11

    Hall Of Fame

  • DBSTalk Club
  • 13,483 posts
  • Location: Cincinnati
Joined: May 30, 2007

Posted 27 August 2012 - 11:35 AM

It looks like this uses things like the BlackHole exploit pack. Of course this just adds to the need to keep things up to date: Windows patches, Java, Acrobat and Flash, etc., etc.

Secunia has a nifty program called PSI, which looks at all the programs on a system and identifies the ones that are out of date. It really helps keep up on security updates.

#3 OFFLINE   AntAltMike

AntAltMike

    Hall Of Fame

  • Registered
  • 2,943 posts
  • Location: College Park MD (just outside Wash, DC)
Joined: Nov 20, 2004

Posted 27 August 2012 - 12:37 PM

Once installed, the computer freezes and a screen is displayed warning the user they have violated United States federal law. The message further declares the user’s IP address has been identified by the Federal Bureau of Investigation as visiting websites that feature child pornography and other illegal content.


Aw, shucks, my computer screens have been displaying warnings like that for years. They even use the same language that's been on the arrest warrants.

Edited by AntAltMike, 27 August 2012 - 01:34 PM.


#4 OFFLINE   billsharpe

billsharpe

    Hall Of Fame

  • Registered
  • 2,306 posts
  • Location: Southern California
Joined: Jan 25, 2007

Posted 28 August 2012 - 11:33 AM

The clue here is "ransomware lures the victim to a site."

The lockup is not automatic.

People need to pay attention.

Thanks for the warning, though...
Bill

Family room: Sony Bravia KDL-40SL130
Living room: Sceptre 32 inch

#5 OFFLINE   SayWhat?

SayWhat?

    Know Nothing

  • Registered
  • 5,698 posts
Joined: Jun 06, 2009

Posted 14 February 2013 - 09:49 AM

An operation to break up a ransomware network estimated to be worth one million euros a year has been successful.

European police agency Europol says that Spanish police, working alongside the European Cybercrime Centre (EC3), have broken up a gang which allegedly ran a ransomware scheme which demanded money from online users in 30 countries.


http://www.zdnet.com...ice-7000011302/
Help stamp out Twits and Twitterers!

HD, SchmacHD!! Just be glad you've got a picture at all.

#6 OFFLINE   dpeters11

dpeters11

    Hall Of Fame

  • DBSTalk Club
  • 13,483 posts
  • Location: Cincinnati
Joined: May 30, 2007

Posted 14 February 2013 - 11:28 AM

Not saying that these shouldn't be prosecuted, but of course someone else just pops up. From watching the Tech Guy a weekend or two ago, people were still getting hit with this type of thing very recently.

#7 OFFLINE   SayWhat?

SayWhat?

    Know Nothing

  • Registered
  • 5,698 posts
Joined: Jun 06, 2009

Posted 14 February 2013 - 12:02 PM

No doubt the bots are still active some where.

They'll have to kill those and distribute the unlock keys so people can clean their machines.

#8 OFFLINE   ghontz1

ghontz1

    AllStar

  • Registered
  • 59 posts
Joined: Mar 25, 2010

Posted 15 February 2013 - 11:44 PM

Boot up in safe mode and use system restore. Worked for me after one of my nephews somehow caused my PC to become infected. Make sure to run Malwarebytes and scan for viruses after you do system restore to make sure it's gone for good.

#9 OFFLINE   wingrider01

wingrider01

    Hall Of Fame

  • Registered
  • 1,764 posts
Joined: Sep 09, 2005

Posted 16 February 2013 - 06:03 AM

Not saying that these shouldn't be prosecuted, but of course someone else just pops up. From watching the Tech Guy a weekend or two ago, people were still getting hit with this type of thing very recently.


Why prosecute? I hear that there are plenty of open suites at GTMO.

#10 OFFLINE   wilbur_the_goose

wilbur_the_goose

    Hall Of Fame

  • Registered
  • 4,418 posts
Joined: Aug 16, 2006

Posted 16 February 2013 - 09:54 AM

They're becoming more sophisticated. New variants encrypt the victim's hard drive and you don't get the encryption key without payment.

Booting into safe mode won't do squat for this attack vector.

#11 OFFLINE   houskamp

houskamp

    Hall Of Fame

  • Registered
  • 8,636 posts
Joined: Sep 14, 2006

Posted 16 February 2013 - 01:18 PM

fdisk always works ;)

AKA: SMOKE
MRV was all that's left on my wishlist (wishlist done) :D


#12 OFFLINE   wingrider01

wingrider01

    Hall Of Fame

  • Registered
  • 1,764 posts
Joined: Sep 09, 2005

Posted 16 February 2013 - 05:28 PM

fdisk always works ;)


Move all user profiles and public profiles off the C drive to another drive, and image the boot drive. Then, if anything happens, pull the drive, put a new one in, and restore the image.

#13 OFFLINE   Marlin Guy

Marlin Guy

    Hall Of Fame

  • Registered
  • 2,122 posts
Joined: Apr 08, 2009

Posted 16 February 2013 - 07:17 PM

I've seen them change attributes and make the files hidden, but I have not seen a single one that encrypted the users' data.

Show me
Team Mexico Pork Cloud

#14 OFFLINE   dpeters11

dpeters11

    Hall Of Fame

  • DBSTalk Club
  • 13,483 posts
  • Location: Cincinnati
Joined: May 30, 2007

Posted 16 February 2013 - 09:00 PM

Here's an article from Sophos, though they say only the first 10% of the files were encrypted in this case.

http://nakedsecurity...ck-demands-120/

Older Krebs column
http://voices.washin...victim_fil.html

But if Wilbur_The_Goose says they are becoming more sophisticated, then that's cause for concern.

Edited by dpeters11, 16 February 2013 - 09:05 PM.


#15 OFFLINE   Marlin Guy

Marlin Guy

    Hall Of Fame

  • Registered
  • 2,122 posts
Joined: Apr 08, 2009

Posted 18 February 2013 - 11:40 AM

First article is 3 years old and the second one is 5 years old. :nono:

Ransomware attacks are prevalent and some are sophisticated, but the vast majority of them simply try to trick the user into paying a fee to remove viruses that were never there to begin with.

I've been cleaning them up for years, and I've never seen one from which I couldn't retrieve the customer's files.

#16 OFFLINE   SayWhat?

SayWhat?

    Know Nothing

  • Registered
  • 5,698 posts
Joined: Jun 06, 2009

Posted 18 February 2013 - 12:09 PM

An unusual new strain of ransomware makes good on its threat, doing what the majority of other varieties only claim to do. The Trojan actually encrypts data on infected machines, effectively rendering certain files inaccessible to users on compromised computers in order to block removal.

According to the report, upon execution, the malware randomly spawns either ctfmon.exe or svchost.exe and injects its own code there. The injected system process then reportedly executes a copy from the %TEMP% folder, creating ctfmon.exe or svchost.exe child processes with the injected code, which is apparently where things take a turn for the interesting.

First the malware generates a unique computer ID, then it uses that ID and the fixed string “QQasd123zxc” to produce an encryption key with crypto API functions like “advapi32!CryptHashData” and “advapi32!CryptDeriveKey” so that the attacker can create the same key each time he uses that string. Now the malware sends requests with the computer ID back to its command and control server, encrypting its communications on the server with the first key and allowing the Trojan to decrypt them on the infected computers.

Next, a second key is created using “advapi32!CryptGenKey.” Blinka explains that this function will create a random key each time it is used and cannot be recreated (unlike the first). From here, an RSA 2 blob is exported from the second key and encrypted by the first before being encoded in base64 and sent back to the C&C server, paired in the attacker's database with the computer ID.

Lastly, the list of files that the malware wants to encrypt is determined, and they are encrypted by “advapi32!CryptEncrypt” using the second key before the well-known ransom note shows up on a victim’s locked screen.


http://threatpost.co...tim-data-013013
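The Threatpost summary above says the malware runs a copy of itself from %TEMP% and spawns ctfmon.exe or svchost.exe children carrying injected code. A defender can turn that description into a process-creation heuristic. The following is an added example, not code from the article or from any product; the event records are constructed, and the baseline that svchost.exe is normally launched by services.exe is an assumption about typical Windows systems that legitimate exceptions can trip.

```python
import ntpath

# Constructed process-creation events (not real telemetry): the new process's
# image path and its parent's image path, as an EDR or Sysmon event would carry.
SAMPLE_EVENTS = [
    {"pid": 1104, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"pid": 2210, "image": r"C:\Windows\System32\ctfmon.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 3402, "image": r"C:\Users\alice\AppData\Local\Temp\xy3k.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 3410, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\xy3k.exe"},
    {"pid": 3420, "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\xy3k.exe"},
]

# Names the article says the malware spawns, and where they legitimately live.
SYSTEM_NAMES = {"svchost.exe", "ctfmon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def _name(path):
    return ntpath.basename(path).lower()

def _in_temp(path):
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)

def classify(event):
    """Return the suspicious traits of one event (empty list = nothing flagged)."""
    findings = []
    image, parent = event["image"], event["parent_image"]
    name = _name(image)
    if name in SYSTEM_NAMES and ntpath.dirname(image).lower() not in SYSTEM_DIRS:
        findings.append("system-named binary outside a system directory")
    if _in_temp(image):
        findings.append("process image runs from a temp directory")
    if name in SYSTEM_NAMES and _in_temp(parent):
        findings.append("system-named child spawned by a temp-directory parent")
    # Assumed baseline: svchost.exe is normally started by services.exe.
    if name == "svchost.exe" and _name(parent) != "services.exe":
        findings.append("svchost.exe not started by services.exe")
    return findings

def scan(events):
    """Map pid -> findings for every event that trips at least one heuristic."""
    return {e["pid"]: f for e in events if (f := classify(e))}
```

Run against the sample, the two legitimate system processes produce no findings, while the %TEMP% dropper and the system-named children it spawns are flagged with one or more traits each.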

#17 OFFLINE   SayWhat?

SayWhat?

    Know Nothing

  • Registered
  • 5,698 posts
Joined: Jun 06, 2009

Posted 18 February 2013 - 12:15 PM

Some of the newer versions ‘lock’ the computer by encrypting key parts of the operating system and making it unusable. But, continued Corrons, “As some antivirus could break the encryption and release the files, the criminals changed to a more sophisticated technique using server-based encryption; and the only way to decrypt files in this state is to get the key from the criminals. So even if you remove the infection, you have still lost all your information.”


http://www.infosecur...n-the-increase/


Also see: http://blogs.avg.com...rive-encrypted/

Edited by SayWhat?, 18 February 2013 - 12:24 PM.


#18 OFFLINE   dpeters11

dpeters11

    Hall Of Fame

  • DBSTalk Club
  • 13,483 posts
  • Location: Cincinnati
Joined: May 30, 2007

Posted 18 February 2013 - 12:57 PM

First article is 3 years old and the second one is 5 years old. :nono:

Ransomware attacks are prevalent and some are sophisticated, but the vast majority of them simply try to trick the user into paying a fee to remove viruses that were never there to begin with.

I've been cleaning them up for years, and I've never seen one from which I couldn't retrieve the customer's files.


OK, agreed those are a few years old, but it does show that the issue did exist then, and there is no evidence that they don't do it anymore. It might be more targeted, in a spear-phishing attack.

#19 OFFLINE   wilbur_the_goose

wilbur_the_goose

    Hall Of Fame

  • Registered
  • 4,418 posts
Joined: Aug 16, 2006

Posted 19 February 2013 - 01:39 PM

Encryption Ransomware:
"Pay up or we’ll notify the police!

Variants of this malware are infecting computers in Europe and they are devilishly sophisticated. They encrypt all the files on the hard drive. This prevents the owner from accessing them until the ransom is paid to get the decryption key.

“The bad guys have improved the nastiness of this attack,” said Chester Wisniewski, a senior security advisor at SophosLabs. “They basically steal all of your documents and lock them in a vault. And only they have the key.”

From http://www.nbcnews.c...sticated-969766
-----------
Obviously, there's no "vault". The attackers are the only ones with an encryption key.

Earlier variants used symmetric encryption, which is relatively easy to break. These use asymmetric encryption, which uses a public/private keypair. These are a helluva lot more difficult to break - actually impossible using the technology that most of us can get our hands on.

#20 OFFLINE   dpeters11

dpeters11

    Hall Of Fame

  • DBSTalk Club
  • 13,483 posts
  • Location: Cincinnati
Joined: May 30, 2007

Posted 20 February 2013 - 09:58 PM

Looks like today's "Security Now" podcast with Leo Laporte and Steve Gibson is one where they talk to Brian Krebs, and partially deals with ransomware. Krebs has been able to infiltrate this underground.
