Older report from Dell but I just came across it while trying to build a list of strong use-cases for butts: http://www.secureworks.com/cyber-threat-intelligence/threats/cryptowall-ransomware/ "Based on post-mortem data collected by researchers, CryptoWall has been less effective at producing income than CryptoLocker. Both malware families accepted payments via Bitcoin, with 0.27% of CryptoWall victims and 0.21% of CryptoLocker victims paying ransoms in bitcoins. CryptoLocker also accepted MoneyPak, and an additional 1.1% of victims paid ransoms using pre-paid MoneyPak cards. As of this publication, CryptoWall has only collected 37% of the total ransoms collected by CryptoLocker despite infecting nearly 100,000 more victims. CryptoWall's higher average ransom amounts and the technical barriers typical consumers encounter when attempting to obtain bitcoins has likely contributed to this malware family's more modest success. Additionally, it is likely the CryptoWall operators do not have a sophisticated "cash out" and laundering operation like the Gameover Zeus crew and cannot process pre-paid cards in such high volumes." TL;DR fiat beats butts even in the realm of ransomware. So I'm back to just claiming it's only marginally useful for drugs.
Backup your data now: New, more powerful ransomware using Tor spotted in the wild | Cybercrooks call the crypto-malware CTB-Locker (Curve-Tor-Bitcoin Locker) available in English and Russian, making countries that use those languages the prime targets for attackers.
I work for a company that provides IT support for several hundred different clients. One of our clients' servers was infected with a variation of CryptoLocker, a piece of malware that encrypts the data on the device. The group behind the attack demands $700 in bitcoin for the key necessary to decrypt the data. We have decided to pay the ransom, as some of the data on the server was not being backed up. I have a Coinbase account, and a decent amount of experience with buying bitcoin through Coinbase, but we need this taken care of ASAP. I’ve heard of LocalBitcoins, but how reliable is that? My question amounts to: what is the safest way to purchase this volume of bitcoin by the end of the day? Also, any experience with variations of CryptoLocker would be helpful. I guess they have no reason not to give us the key after we pay the ransom, but who knows, right?
Have a customer hit with a crypto virus on the 11th who only just told us today. Able to retrieve company files from shadow copies on the NAS, but the PC running QuickBooks is past the point of no return. First question: files have .smile at the end, does anyone have any idea what virus may have infected the system? Second question: the customer is prepared to pay the ransom; against my advice he emailed them and they want .5 of a bitcoin. I'm not advocating this but he wants to try. What's the safest way to buy Bitcoin? We know and he knows he should have backups in place; he was meant to take manual backups of QuickBooks but for whatever reason it did not happen. I'm not looking to apportion blame and the lesson has been learned. Just looking for some guidance and advice on options. Thanks guys. EDIT: Thanks for all the input, everyone has been so helpful. We managed to figure out the virus was one of two, MedusaLocker or GlobeImposter 2.0. Neither has a public decrypter and there is unlikely to be one due to a unique key assigned to each encrypted PC. Determined that the source was an email with a zip file disguised as a .odt file. Police were called but referred us to a site already recommended on this post. No cyber cover in the insurance. Most files now recovered but some can't be, and we're deciding whether to pay the ransom or rebuild the files. The post has been really helpful; wish I could share the amazing chocolate truffles that were supplied as a thanks.
Adoption in France: starting next year, you'll be able to pay in Bitcoin in 25000 stores
Article in French. 20minutes is one of the most read websites in France. Major brands in France will be accepting payments in Bitcoin (more cryptos will be accepted in time) as of next year. Decathlon, Sephora, Boulanger, Foot Locker, etc. will accept payment in Bitcoin through the EasyWallet app.
My first experience buying bitcoin on Paxful; I hope people can learn from my experience.
So as a crypto/bitcoin newbie, I decided to get my feet wet and wanted to buy some bitcoins. After doing some research I signed up on Paxful. I found a seller who was selling 10 USD worth of bitcoin and accepting PayPal, so I decided to give it a go, although he was listing the markup lower than most other listings (red flag number 1). After I clicked on buy, I got sent to this chat/trade room; the first thing I see is to read the seller's instructions and follow them, and then upload a picture as proof that I paid. Then on the right-hand side of the chat, his status said to WhatsApp a certain number if he is not replying, which I followed. He then messaged me back after a while on WhatsApp, asking if I was ready to trade; I said yes. (The first trade where I added him had ended due to time expiry.) Then he opened a new trade on Pax, which I clicked into, and as I saw the max value goes to 60 USD, I said, let's just do 60 then. He said OK and proceeded to give me an e-mail address on WhatsApp for PayPal, which I proceeded with. Then the red flags started coming out. At first he said he can't pay to my wallet (I am trying to use a KeepKey, as I said, newbie here) and asked me if it was a Blockchain wallet, so I opened one up and then gave him the address. He then told me Pax had limited his transactions to 100 USD worth of bitcoin each time for some reason, which was happening to him a second time now, so he asked me to send over additional money and he would send the bitcoin so I wouldn't have to wait. This was a huge red flag for me, and I said I won't, and the only way is if he opens up another trade on Pax, I will pay there. He refused and said Pax coin locker limit etc. etc., which I don't really know what it is. So after trying to get more out of me for 30 mins, he gave up. Then he went on the Pax trade chat room where I had uploaded the picture of payment and said to cancel the trade as he never got any money and never talked to me. And said I am scamming him.
So I had to start a dispute case; his response in there is just that he never chatted with me, and no status change before. As I put in the chat room while waiting for a moderator, I just told them to check his activity within 2 hours of that trade. Then this morning I checked my e-mail and realized the closed trade had a link that was sent to my e-mail for the record, and it showed the instruction to message them on WhatsApp. I quickly posted it in the trade room, and when I clicked in, I realized that person had changed the account name. So I am guessing what happened is they have someone else open the first trade using, let's say, John Doe; then after I added him on WhatsApp as per the instruction, they have another person use that name to open another trade, so it is 2 different accounts. So when I try to dispute it, it looks like I am lying if they purely check the second username. Awaiting a decision and response from Pax; I have sent in all proofs and e-mails. I told the scammer that, to be honest, if he had been patient and let the first trade complete, I would've lost a lot more once that trust was built. So a 60 USD lesson for me. So I hope other people, especially newbies like myself, are very, very careful, as it looks like they have a scamming ring going on, as their trade history is all small amounts with other new accounts within the same days or so to boost the trading record. And yes, I know I made a lot of mistakes in this transaction, so I am not asking for people to pity me, but I hope this post serves as a reminder that these platforms are not perfect yet, and there is still a long way to go for trading on them.
No, 25,000 shops will not accept cryptocurrency payments in France in 2020
On the occasion of Paris Retail Week, which began this Tuesday 24 September, a press release about a new Global P.O.S product, picked up by the media, suggests that some thirty retail chains will accept cryptocurrency payments from 2020. L’Usine Digitale was able to speak with the head of Global P.O.S, Stéphane Djiane, who explains in detail his platform, which is still in an experimental phase. AUDE CHARDENON | PUBLISHED 24 SEPTEMBER 2019 AT 15:57 Will the Boulanger, Foot Locker, Décathlon, Conforama, Intersport (and many other) stores accept cryptocurrency payments from next year? That is what a press release, picked up by a good number of media outlets, claims this Tuesday 24 September 2019, implying that a massive rollout is under way. Thus, according to information published early this morning, 25,000 points of sale in France will accept payment in crypto-assets from 2020. The release follows an announcement, on the first day of Paris Retail Week, by Global P.O.S, a specialist in the dematerialisation of prepaid voucher redemption and in digital payment. In its press release, Global P.O.S and its partners nevertheless announce something else: they are upgrading their payment acceptance platform, Easy2PlayPayment, so that cryptocurrency payments can be integrated into physical shops. A SMOOTH SYSTEM FOR MERCHANTS More precisely, Global POS relied on ekino, Octo Technology, Smartchain, Havas Blockchain, Fidal, Deskoin and Savitar to provide merchants with a solution allowing them to accept payment in crypto-assets. Together they worked on adding a module, and not a minor one, to Easy2PlayPayment. “The work of writing the cryptocurrency takes time,” Stéphane Djiane, founder and head of Global P.O.S, explains to L’Usine Digitale. “We needed a smooth process, but also a tool able to guarantee the conversion of bitcoins into euros.”
Since the solution falls within the legal framework defined by the PACTE law, it is the exchange platforms that are responsible for converting cryptocurrencies into euros. Thanks to the various connectors compatible with the Nepting and Famoco solutions, SMEs, restaurants and independent traders will be able to accept cryptocurrency payments. Moreover, the plug-and-play solution does not change the habits of consumers or retail chains. The system thus lets a merchant receive an instant payment made through the Easywallet app, which the user must download beforehand. During the transaction, the cost of the transaction is shown to the buyer, who confirms the purchase. A QR code is generated on the smartphone, which the cashier must scan to confirm the payment, which is settled in real time, and in euros in the merchant’s till. Transactions will for now be limited to 1,000 euros, in bitcoin, but the goal is to open the solution to other cryptocurrencies in the future. THE RETAIL CHAINS WILL DECIDE When Global P.O.S states in its press release that “25,000 points of sale will now be able to accept cryptocurrency payments”, it is referring to its customer portfolio and their physical networks. The software publisher, whose customers include some forty chains such as Boulanger, Foot Locker, Décathlon, Conforama, Maison du Monde, Intersport, Cultura, Norauto and Sephora, hopes to convince them to adopt this new means of payment. There is no extra cost for merchants, as Global P.O.S earns a commission of 1 to 3% of the transaction depending on the exchange rate. But nothing indicates that these retailers will definitely adopt this technical building block. “We are making it available to the chains, which will decide whether or not to use it,” Stéphane Djiane continues.
A reality quite different from the one described in this morning’s press release, which says that shoppers will be able to pay this way from 2020 in 25,000 points of sale in France. 4 MILLION FRENCH PEOPLE HOLD CRYPTOCURRENCIES While the technology is extremely interesting, we are very far from a large-scale, short-term rollout. Due to be available in the coming first quarter, it is currently in an experimental phase with 5 chains, whose names are not given, until the end of the year. “The chains are listening because cryptocurrencies are regularly in the news,” Stéphane Djiane analyses. “However, they need support before making the right decision. Our aim is to make them understand that today a merchant cannot afford to refuse a means of payment.” According to the 2018 Kantar TNS study, more than four million French people own cryptocurrencies. It remains to be seen whether, as a means of payment, they can become a lasting part of their daily lives. AUDE CHARDENON @ChardenonA https://www.usine-digitale.farticle/non-25-000-commerces-n-accepteront-pas-les-paiements-en-cryptomonnaie-en-france-en-2020.N887659 QED
Much as I hate to feed them, I am in the position of having to pay the ransom for a crypto locker. Basically, the customer hadn't been rotating their backups, so both their onsite backup and the offsite (external USB) have been encrypted. The last good backup is over 6 months old. They've been hit by this - https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-wide-via-hacked-msps-sites-and-spam/ We are still trying to identify if it came in through us/Webroot etc. However, regardless of the infection vector, has anyone any experience of actually paying the ransom and getting their files decrypted? Update: We paid, and getting hold of that much bitcoin in one go is hassle! It looks like it worked, but we've not tested the VHDs yet as we want to get a backup off before spinning them up. Update 2 - just been sent a link to this - https://www.nomoreransom.org/en/decryption-tools.html - worth knowing for anyone in my position in the future!
Major France Retailers To Accept Crypto Payments From 2020
Decathlon Along With 30 Other Retailers Will Accept Crypto Payments From 2020 At More Than 25,000 Sales Points Despite the crypto sector still being in the early phases of maturing, French retailers are mass adopting cryptocurrencies as a new way of making payments. By Q1 of 2020, more than 25,000 points of sale at over 30 retail merchants will be available to customers. Some of the retailers include giants like Decathlon, the home decor store Maisons Du Monde and the perfume outlet Sephora. Other companies on the list include Boulanger, Foot Locker, Conforama, and Global POS. The participating retailers will use Global POS’ Easy2Play and EasyWallet services. The expected launch of the system is set to take place no later than Q1 of 2020, but initial tests may happen even sooner. “Retailers’ business as usual model will not be affected by the implementation. The exchange will carry out the conversion of cryptocurrencies into fiat”, was stated during Paris Retail Week. French retailers unite for crypto adoption amid the long-awaited Libra launch, scheduled for 2020. The stablecoin, developed by Facebook and its partners, may provide a positive push towards even greater crypto adoption by merchants. GlobalPOS, which claims to be a leader in the area of dematerialized payments, stated that retailers could join “the universe of the 3.0 economy without risks”. Stéphane Djiane, GlobalPOS founder, added that initially the platform will support Bitcoin only, with plans for broader crypto acceptance in the months following the launch. Based on research documentation, three to six percent of France’s population owns or is willing to own cryptocurrencies. For Grégory Hervein, the co-founder of cat and dog products business Mustaches, the adoption of crypto is a challenge. “We are all aware of the expectations the public has when it comes to cryptocurrencies.
We are sending a message to the whole community by adopting cryptocurrencies”, Hervein added. Retailers’ main concerns are about crypto volatility, as the crypto sector matures. Bitcoin, for example, recorded lows of $9,427.99, and highs of $10,873.82 over the past month.
France: 25,000 Major Retail Stores To Accept Bitcoin In 2020
News by Cointelegraph: Marie Huillet By early 2020, support for Bitcoin payments will be launched at over 25,000 sales points for 30 French retailers, including sportswear giant Decathlon and cosmetics store Sephora. French crypto news outlet Cryptoglobe reported the development, announced during Paris Retail Week, on Sept. 24.
25,000 retailers to enter Economy 3.0 via Bitcoin
The new cryptocurrency payments system is launching via a partnership between point-of-sale technology provider Global POS, the EasyWallet application and payments platform Easy2Play. While payments will be made in Bitcoin (BTC), funds will be automatically converted into euros at the moment of sale. Conversion services are to be provided by two partners, Deskoin and Savitar, both of whom are currently applying for Digital Asset Service Provider accreditations under France’s PACTE Act. Alongside Decathlon and Sephora, well-known retailers signing on to the initiative include Boulanger, Foot Locker, World House, Intersport, Cultura, Maisons du Monde and Norauto. Stéphane Djiane, CEO and founder of Global POS, has given a statement proposing that:
“This is an important symbolic step in the evolution of payment methods in France. However, more than a symbol, what we bring to 25,000 outlets is the ability to safely enter the world of Economy 3.0.”
After Bitcoin, altcoins could be next
By enabling consumers to use their cryptocurrency holdings at physical retail locations within a legalized and regulated framework, the initiative aims to broaden adoption beyond the currently estimated 4 million French crypto owners. While Bitcoin remains the sole cryptocurrency on the cards for now, Djiane has indicated the platform intends to roll out support for altcoins in the future. In January of this year, a handful of tobacco shops in Paris started to sell Bitcoin, notwithstanding mixed messages from local regulators and the central bank.
I paid a school shooter my son hired on the deep web.
Part 1 I’ve been reading the comments and frankly I think some of your responses are sad. For one, my son was thirteen. Implying that I wouldn’t know how to use a computer is hilarious. I’m thirty-four. I’ve been online longer than my son had been alive. That’s the difference between my generation and yours. When I did all my crazy stuff online, there wasn’t such a thing as social media. Let’s just say that if you had been running around on the old Yahoo Chat user rooms or played around on Freednode IRC that you would have run into more than one woman like myself that had been a bit of an exhibitionist in college. I spent three days going through my son’s computer offline. I learned a lot. He kept a detailed journal. Six students and three staff members died in the shooting. With the exception of my son, I think every single one of them deserved to die. The students had been bullying my son. The teachers had been turning a blind eye to the abuse. However, the school counselor was the worst of the bunch. John Garrett had been counseling my son online. David kept logs of all of his DM’s. It didn’t take much reading to find out that Mr. Garrett was grooming my son for a different kind of abuse. John Garrett had manipulated my son into performing lewd acts on webcam. The sick fuck had convinced my son that it would build his self-esteem. What started with nude selfies or the occasional cam show turned into David performing on livestreams for rooms full of anonymous pedophiles who would tip him with Bitcoin and other assorted crypto-currencies. I accessed his Bitcoin wallet and found that these men had paid my son a sum in excess of four Bitcoin. Feel free to check the conversion rate on that one. That was simply my son’s cut. From reading the chat logs, I can only surmise that John Garrett was keeping the larger portion of these tips for himself. Somewhere along the way a few students at his school figured out that my son was a homosexual. 
Apparently my son had expressed a crush on a local boy who did not share his affection. These idiot kids proceeded to push him into lockers or call him a faggot. When my son would bring this to the attention of his teachers, they’d do nothing. This led to my son talking to John Garrett. If JeffTK hadn’t already seen to his death, I’d have already spent an evening or two peeling the skin from John Garrett’s dick with a potato peeler. If you haven’t guessed already, I’m not posting these updates in real time. Over the course of the last few weeks I have become a bitter woman. I’ve been using my son’s Adderall to stay awake and my husband’s vodka to take the edge off. I’ve already catalogued all of the information on my son’s desktop. I used the funds from his BitCoin wallet to procure a new laptop and I’ve spent my days at home diving into the world John Garrett had introduced him to. Once I was fairly certain I had familiarized myself with enough of the details I went back to that private IRC server with my own screen name. I messaged JeffTK and asked for a QR code I could use to send him the remaining payment. No questions were asked and I sent him the five-thousand dollars my son owed him. What followed was a conversation that read like this: PoesMom: So how does this work? Can I give you another list of names? JeffTK: A list of names? For what? PoesMom: Cute. My son was short-sighted. It didn’t take me long to figure out most of his viewers were associates of John Garrett. JeffTK: We are well aware of that situation. PoesMom: How long did you have a RAT on his system? JeffTK: Long enough. I assume you have three names for me? PoesMom: Four. JeffTK: Four? PoesMom: Four. Andrew Rubens, Sterling Rutherford, Malcolm Turner, and Glenn Wade. JeffTK: Who is Glenn Wade? PoesMom: Glenn Wade is a poster on Reddit who encouraged my son to kill himself. JeffTK: This will cost you more than you have. PoesMom: I’m sure we can work something out. JeffTK: I’m sure we can. 
Three men who worked as school counselors at various local schools would be having a very bad week. One internet troll would be having a very bad day. Even after dumping all of my son’s crypto-currency I would still be in debt to these men for more than ten-thousand dollars. I didn’t care that people were going to die. Any sympathy I had for the world died with my son. No sooner had I secured this deal, though, than I received a phone call. I answered and a very familiar voice said, “Mom, what have you done?” Three weeks of hatred fell away as the tears poured from my eyes. I replied, “David baby? Is that you?” “Why mom? Why are you doing this?” David said in a concerned tone. I shot back, “They took you away from me baby. I’m going to make them pay for it in blood.” I stared down at the cordless handset and realized that it was off. I had been awake for longer than a week. It was becoming harder and harder to distinguish what was real and what was just another hallucination brought on by lack of sleep. I stared at the handset and cried all over again. My son was gone. He had spent the last months of his life being violated and abused by those he was supposed to trust the most. Worst of all, instead of coming to me, he chose to die. No one was going to come out of this sitting pretty. I popped three more pills and chased them with a mixture of Sprite and vodka. It wasn’t long before I received a DM that read, “You ready to earn the rest of that money?” Part 3
[Task] Forget Cash Back Cards - "Bitcoin Back" Up To 30% Launches At Walmart, Safeway, Foot Locker, Hilton Hotels and More...
Just announced 'Earn Bitcoin back' rewards program - Up To 30% - Beating Cashback Cards By A Long Shot: If you're the kind of person who buys groceries, shoes, clothes, and occasionally travels and stays in a hotel - you can now turn these purchases into Bitcoin earning moments. The retailers include Safeway, Walmart, Foot Locker, Groupon, Hilton Hotels, Priceline, Hotwire, Sam's Club, Finish Line and a whole lot more you can view on their site. Try it out and start off with your first credit of $10 BTC! Full info @ http://Lolli.GlobalCryptoPress.com
Pick apart my idea - Contracts for Leasing Hardware?
The only other example of this business model that comes to mind is the "cloud mining" companies that were popping up in 2017 during the crypto bull run. Examples are Genesis Mining and Hashflare. These companies would buy and manage their own hardware required to "mine" cryptocurrencies, and investors would pay them for the rights to some of their hardware. Therefore these investors were essentially leasing the hardware, and had to pay a flat upfront fee and a daily maintenance cost, and could keep any profit that was left over after the coins had been mined. This business model completely removes the market risk (bitcoin price risk) from the equation for the company, since they were marking up their hardware in the initial flat fee PLUS it had a 2 year turnaround on the contract, so another investor could pay the same amount of money for hardware that was already paid off by the previous owner. On top of that, the variable costs for the company were all covered through the daily maintenance fee, which was a flat fee not linked to the market either. So the company was able to take advantage of the "gold rush" by brokering these mining contracts to investors who thought they would earn a 300% ROI in year one. Now, if I were to apply this business model to, say, a vending machine type business (or locker rentals), what would the downsides be? From my due diligence, as long as you could PROVE that there is enough demand for the vending machines/lockers to be profitable, could I not create lease contracts that I could market to universities, businesses etc., where they would then assume the market risk and make a profit or not, and I just collect the initial flat fee + monthly variable costs (with a markup of course)? Please let me know your thoughts; looking forward to the discussion.
Adding more products/services to existing Business
Looking for some guidance. My brother owns a welding/fabrication shop that is an LLC, and we are looking to expand or add to the business to invest more into it (fewer than 10 employees right now). For example, we were thinking about adding an Amazon locker to the main office or outside for 24/7 access; this may help get the business more recognized in the area. Fortunately we do not really need the extra business, we are fairly busy all year, but we do sell propane and small products here and there that help out, and if people come to pick up a package and realize they can fill their propane here or order parts, etc., this could help boost fast sales that do not require much labor. For example, a couple of years ago we bought some bitcoin mining rigs and added them to the business. We didn't make too much profit, but it was rewarding, and we gained lots of knowledge about cryptocurrencies and investing. Are there any other tech side hustles that we could invest some money into and sell a new product or service? TL;DR: we have extra money to invest in a new tech/service/product to add to the current welding business; any suggestions?
Grinler of Bleepingcomputer for his Software Restriction Policy which has been adapted for new variants
Anonymous Carbonite rep for clarification on Carbonite's mass reversion feature.
Anyone else that's sent me a message that I haven't yet included in the post.
I will be keeping a tl;dr recap of what we know in this post, updating it as new developments arise. tl;dr: CryptoLocker encrypts a set of file masks on a local PC and any mapped network drives with 2048-bit RSA encryption, which is uncrackable for quite a while yet. WinXP through Win8 are vulnerable, and infection isn't dependent on being a local admin or having UAC on or off. MalwareBytes Pro and Avast stop the virus from running. Sysadmins in a domain should create this Software Restriction Policy which has very little downside (you need both rules). The timer it presents is real and you cannot pay them once it expires. You can pay them with a GreenDot MoneyPak or 2 Bitcoins, attempt to restore a previous version using ShadowExplorer, go to a backup (including versioning-based cloud backups), or be SOL. EDIT: I will be updating individual comments through the evening to flesh out areas I had to leave bare due to character limitations or lack of info when they were originally written. EDIT 2: There are reports and screenshots regarding a variant that sits in AppData/Local instead of Roaming. This is a huge development and I would really appreciate a message with a link to a sample of this variant if it does indeed exist. A current link to the known variant that sits in Roaming would also be appreciated. 10/24/13 EDIT: Please upvote How You Can Help for visibility. If you can contribute in any of those fashions it will help all of us a lot. 11/11/13 EDIT: Thanks to everyone that submitted samples. The latest '0388' variant can be found at http://bluesoul.me/files/0388.zip which is password protected, password is "infected". Please see Prevention for updated SRPs.
Proper Care & Feeding of your CryptoLocker Infection: A rundown on what we know.
This article is no longer being maintained, please see the new version here. Thanks. tl;dr: I hope you have backups. It's legit, it really encrypts. It can jump across mapped network drives and encrypt anything with write access, and infection isn't dependent on being a local admin or UAC state. Most antiviruses do not catch it until the damage is done. The timer is real and your opportunity to pay them goes away when it lapses. You can pay them with a GreenDot MoneyPak or 2 Bitcoins, attempt to restore a previous version using ShadowExplorer, go to a backup, or be SOL. Vectors: In order of likelihood, the vectors of infection have been:
Email attachments: A commonly reported subject is Payroll Report. The attachment, most of the time, is a zip with a PDF inside, which is actually an executable.
PCs that are unwitting members of the Zeus botnet have had the virus pushed to them directly.
There is currently one report of an infection through Java, using the .jnlp file as a dropper to load the executable.
Variants: The current variant demands $300 via GreenDot MoneyPak or 2 BTC. I will not attempt to thoroughly monitor the price of bitcoins for this thread; use Mt. Gox for the current exchange rate. Currently the MoneyPak is the cheaper option, but last week Bitcoins were. Two variants, a $100 variant and a $300 variant that did not offer Bitcoin, are defunct. Payload: The virus stores a public RSA 2048-bit key in the local registry, and goes to a C&C server for a private key which is never stored. The technical nuts and bolts have been covered by Fabian from Emsisoft here. It will use a mix of RSA 2048-bit and AES 256-bit encryption on files matching these masks: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c, *.pdf, *.tif This list of file masks may be incomplete. Trust this list at your peril. When in doubt, CryptoLocker will show you what files it has encrypted if you click the relevant link in the virus's message. It will access mapped network drives that the current user has write access to and encrypt those. It will not attack server shares, only mapped drives. Current reports are unclear as to how much permission is needed for the virus to encrypt a mapped drive; if you have clarification or can test in a VM, please notify me via message. By the time the notification pops up, it's already encrypted everything. It's silent until the job is done.
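As an added example (not code from the original post), here is a small Python tool that applies the mask list above the way a defender would: it inventories which files on a share or mapped drive CryptoLocker's masks would select, so backup coverage for exactly those files can be verified before an incident. The masks are applied with shell-wildcard semantics, so `????????.jpg` means exactly eight characters before the extension, which is what singles out camera filenames such as DSC_0001.jpg while leaving party.jpg alone.

```python
import fnmatch
import os
import re
from typing import Iterable, List, Optional

# The file masks reported for the current CryptoLocker variant, copied from the
# list in the post. '*' matches any run of characters and '?' matches exactly
# one, so "????????.jpg" only matches an eight-character stem (DSC_0001.jpg)
# and "img_*.jpg" matches any stem beginning with img_.
CRYPTOLOCKER_MASKS = [
    "*.odt", "*.ods", "*.odp", "*.odm", "*.odc", "*.odb", "*.doc", "*.docx",
    "*.docm", "*.wps", "*.xls", "*.xlsx", "*.xlsm", "*.xlsb", "*.xlk", "*.ppt",
    "*.pptx", "*.pptm", "*.mdb", "*.accdb", "*.pst", "*.dwg", "*.dxf", "*.dxg",
    "*.wpd", "*.rtf", "*.wb2", "*.mdf", "*.dbf", "*.psd", "*.pdd", "*.eps",
    "*.ai", "*.indd", "*.cdr", "????????.jpg", "????????.jpe", "img_*.jpg",
    "*.dng", "*.3fr", "*.arw", "*.srf", "*.sr2", "*.bay", "*.crw", "*.cr2",
    "*.dcr", "*.kdc", "*.erf", "*.mef", "*.mrw", "*.nef", "*.nrw", "*.orf",
    "*.raf", "*.raw", "*.rwl", "*.rw2", "*.r3d", "*.ptx", "*.pef", "*.srw",
    "*.x3f", "*.der", "*.cer", "*.crt", "*.pem", "*.pfx", "*.p12", "*.p7b",
    "*.p7c", "*.pdf", "*.tif",
]

# Compile each mask once. Windows filename matching is case-insensitive, so the
# regex that fnmatch.translate() produces is compiled with IGNORECASE; translate()
# anchors the pattern to the whole name, which is what an exact '?' count needs.
_COMPILED = [(m, re.compile(fnmatch.translate(m), re.IGNORECASE))
             for m in CRYPTOLOCKER_MASKS]


def matching_mask(path: str) -> Optional[str]:
    """Return the first mask that selects this file, or None if none does.

    Only the final path component is tested, because the masks describe file
    names, not directories. Both '\\' and '/' are accepted as separators so the
    function behaves the same whether it is run on the Windows host or on a
    Linux box that has the share mounted.
    """
    name = re.split(r"[\\/]", path)[-1]
    for mask, rx in _COMPILED:
        if rx.match(name):
            return mask
    return None


def at_risk(paths: Iterable[str]) -> List[str]:
    """Filter an iterable of paths down to those the masks would select."""
    return [p for p in paths if matching_mask(p) is not None]


def inventory(root: str) -> List[str]:
    """Walk a directory tree (for example a mapped drive) and list at-risk files.

    Run this against a share to size its exposure before an incident, or to
    decide which backup sets need verifying after one.
    """
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if matching_mask(f) is not None:
                hits.append(os.path.join(dirpath, f))
    return hits


if __name__ == "__main__":
    # Constructed sample listing for illustration; not data from any real system.
    sample = [
        r"S:\Finance\payroll.xlsx", r"S:\Finance\README.txt",
        r"S:\Photos\DSC_0001.JPG", r"S:\Photos\party.jpg",
        r"S:\Photos\img_2013_trip.jpg", r"S:\IT\certs\server.pfx",
        r"C:\Windows\System32\kernel32.dll",
    ]
    for p in at_risk(sample):
        print(p, "->", matching_mask(p))
```

Note that the certificate and key masks (*.pem, *.pfx, *.p12 and friends) mean an infected admin workstation can take private keys with it, so those backups deserve the same verification as documents.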
Many antiviruses have been reported as not catching the virus until it's too late, including MSE, Trend Micro WFBS, Eset, GFI Vipre, and Kaspersky. They can further complicate matters by reverting registry changes and removing the executables, leaving the files behind without a public or private key. Releasing the files from quarantine does work, as does releasing the registry keys added and downloading another sample of the virus. Windows XP through 8 have all reported infections. What's notable about this virus, and this is going to lead to a lot of tough decisions, is that paying them to decrypt the files actually does work, so long as their C&C server is up. They verify the money transfer manually and then push a notification for the infected machine to call home for the private key again, which it uses to decrypt. It takes a long time to decrypt, at the rate of roughly 5GB/hr based on forum reports. The virus uses the registry to maintain a list of files and paths, so not moving the files around is vital to decryption if you are paying them. Also notable is that the timer it gives you to pay them does appear to be legitimate, as multiple users have reported that once the timer ran out, the program uninstalled itself. Reinfecting the machine does not bring a new timer. I was not able to verify the uninstallation of the program after the timer ran out, it appears to be dependent on internet access. Due to the nature of the encryption, brute-forcing a decrypt is essentially impossible for now.

Removal: Removing the virus itself is trivial, but no antivirus product (or any product, for that matter), will be able to decrypt the files until the private key is found.

File Recovery: There are only a handful of options for recovering encrypted files, and they all rely on either having System Restore/VSS turned on or having a backup disconnected from the infected machine.
Cloud backup solutions without versioning are no good against this as they will commit the encrypted files to the cloud. I had a Carbonite employee message me regarding my earlier statement that Carbonite is no good against this virus. It turns out that versioning is included in all Carbonite plans and support all agent OSes except Mac OS X which is outside the scope of this thread anyway. They have the ability to do a mass reversion of files, but you must call tech support and upon mentioning CryptoLocker you will be escalated to a tier 3 tech. They do not mention this ability on the site due to the potential for damage a mass reversion could do if done inadvertently. These are my own findings, independent of what the employee told me. Crashplan and other versioning-based backup solutions such as SonicWALL CDP should also work fine provided the backups are running normally. Using the "Previous Versions" tab of the file properties is a cheap test, and has had mixed results. Using ShadowExplorer on Vista-8 will give you a much easier graphical frontend for restoring large amounts of files at once (though this will not help with mapped drives, you'd need to run it on the server in that case). Undelete software doesn't work as it encrypts the files in place on the hard drive, there is no copying going on. The big takeaway is that cold-storage backups are good, and they will make this whole process laughably easy to resolve.

Prevention: As this post has attracted many home users, I'll put at the top that MalwareBytes Pro, Avast! Free and Avast! Pro (defs 131016-0 16.10.2013 or later) will prevent the virus from running. For sysadmins in a domain environment, one way to prevent this and many other viruses is to set up software restriction policies (SRPs) to disallow the executing of .exe files from AppData/Roaming. Grinler explains how to set up the policy here. Visual example. The rule covering %AppData%\*\*.exe is necessary for the current variant.
The SRP will apply to domain admins after either the GP timer hits or a reboot, gpupdate /force does not enforce it immediately. There is almost no collateral damage to the SRP. Dropbox and Chrome are not affected. Spotify may be affected, not sure. I don't use it. Making shares read-only will mitigate the risk of having sensitive data on the server encrypted.

Forecast: The reports of infections have risen from ~1,300 google results for cryptolocker to over 150,000 in a month. This virus is really ugly, really efficient, and really hard to stop until it's too late. It's also very successful in getting people to pay, which funds the creation of a new variant that plugs what few holes have been found. I don't like where this is headed.

Some edits below are now redundant, but many contain useful information. 9/17 EDIT: All 9/17 edits are now covered under Prevention. 10/10 EDIT: Google matches for CryptoLocker are up 40% in the last week, and I'm getting 5-10 new posts a day on this thread, so I thought I'd update it with some interesting finds from fellow Redditors.
soulscore reports that setting the BIOS clock back in time added time to his cryptolocker ransom. Confirmed that the timer extends with the machine offline, but that may be cosmetic and I don't like your chances of this actually helping if your timer runs out on the server side.
Spinal33 reports that AV companies are catching up with CryptoLocker and are blocking websites that are spawned in the virus's domain generation algorithm. This effectively means that some people are locked out of the ability to even pay the ransom. (Technically they could, but the virus couldn't call home.)
Malwarebytes is claiming that MBAM Pro will catch CryptoLocker. If someone wants to test them on it, be my guest. Confirmed
CANT_ARGUE_DAT_LOGIC gave some insight on the method the virus uses when choosing what to infect. It simply goes through folders alphabetically and encrypts all files that match the filemasks towards the top of this post. If you are lucky enough to catch it in the act of encrypting and pull the network connection, the CryptoLocker message will pop up immediately and the countdown will begin. Helpful in determining what will need to be taken into account for decryption.
EDIT 2: We had a customer that ignored our warning email get infected so I will have my hands on an infected PC today, hope to have some useful info to bring back.

10/10 MEGA EDIT: I now have an active CryptoLocker specimen on my bench. I want to run down some things I've found:
On WinXP at least, the nested SRP rule is necessary to prevent infection. The path rule needs to be %AppData%\*\*.exe
Once the program runs it spawns two more executables with random names in %userprofile%. Adding a SRP to cover %userprofile%\*.exe may be desired, though this will prevent GoToMyPC from running at a bare minimum.
This user was a local administrator, and CryptoLocker was able to encrypt files in other users' directories, though it did not spawn the executables anywhere but the user that triggered the infection. When logged in under a different account there is no indication that a timer is running.
The environment has server shares but no mapped drives and the shared data was not touched, even though a desktop shortcut would've taken the virus to a share. I suspect that will be covered in the next iteration.
The list of masks above does not appear to be totally complete. PDF files were encrypted and were not originally part of the set of file masks. That is the only exception I noticed, everything else follows the list. Conveniently (/s), CryptoLocker has a button you can click that shows the list of files it's encrypted.
The current ransom is $300 by MoneyPak or 2BTC, which at the time of writing would be $280 and change.
Fabian reported that registry data is stored at HKCU/Software/CryptoLocker. I cannot glean the meaning of the DWORD values on files but I do notice they are unique, likely salts for the individual files. I'm curious what purpose that would serve if the private key was revealed as the salts would be useless.
I have confirmed the message soulscore left that setting the BIOS timer back a few hours adds an equal amount of time. No telling whether that will work once it has a network connection and can see the C&C server, though.
The virus walked right through an up-to-date version of GFI Vipre. It appears AV companies either consider the risk too low to update definitions or, more likely, they're having trouble creating heuristic patterns that don't cause a lot of collateral damage.
10/11 EDIT: I ran Daphne on the infected PC to get a better idea of what might be going on. lsass.exe is running like crazy. Computer's had its CPU pegged all day. I noticed the primary executable running from %AppData% has a switch on the end of the run command, which in my case is /w000000EC. No idea what that means.

10/15 EDIT: I just wanted to thank all the redditors that have submitted information on this. I have some interesting new developments that I'll be editing in full tomorrow.

10/18 EDIT: Hello arstechnica! Please read through comments before posting a question as there's a very good chance it's been answered. New developments since 10/15:
We have confirmation that both Malwarebytes Antimalware Pro and Avast Free and Pro will stop CryptoLocker from running. My personal choice of the two is MBAM Pro but research on your own, AV Comparatives is a wonderful resource.
We have reports of a new vector of infection, Java. This is hardly surprising as Zeus was already being transmitted in this fashion, but Maybe_Forged reports contracting the virus with a honeypot VM in this manner.
zfs_balla made a hell of a first post on reddit, giving us a lot of insight into the behavior of the decryption process, and answered a frequently-asked question. I'm paraphrasing below.
A file encrypted twice and decrypted once is still garbage. The waiting for payment confirmation screen stayed up for 16 days before a decryption began, so don't lose hope if it's been up a while. The DWORD values in the registry have no bearing on decryption. Renaming an encrypted file to one on the list in the registry will decrypt it. However, I would presume this would only work for files that the virus encrypted on that machine as the public key is different with every infection. Adding any new matching files to somewhere the virus has access will cause them to be encrypted, even at the "waiting for payment confirmation" screen. Be careful. Hitting "Cancel" on a file that can't be found doesn't cancel the entire decryption, just that file.
EDIT 2: I've rewritten the bulk of this post so people don't have to slog through edits for important information.

10/21 EDIT: Two noteworthy edits. One is regarding Carbonite, which is apparently a viable backup option for this, it is covered under File Recovery. The other is regarding a piece of software called CryptoPrevent. I have not tried it, but according to the developer's website it blocks %localappdata%\*.exe and %localappdata%\*\*.exe which is not necessary for the current variant and will inflict quite a bit of collateral damage. I have no reason right now to doubt the legitimacy of the program, but be aware of the tradeoffs going in. I'm now at the 15000 character limit. Wat do?
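The file-mask list and the alphabetical folder walk described in the post above, turned into a small at-risk inventory tool so an admin can see which files on a profile or mapped drive an infection of this kind would reach, and in what order. This is an added example, not the poster's code: masks are matched with Windows rules (case-insensitive, ? is exactly one character), the depth-first ordering and the sample share layout are assumptions.

```python
"""At-risk file inventory for a CryptoLocker-style encryptor (added example,
not code from the post). Uses the quoted file masks with Windows matching
rules and the alphabetical folder walk the post describes (order assumed)."""
import fnmatch
import os
import tempfile
from collections import Counter
from pathlib import Path

# File masks quoted from the post (which warns the list may be incomplete).
CRYPTOLOCKER_MASKS = [m.lower() for m in (
    "*.odt *.ods *.odp *.odm *.odc *.odb *.doc *.docx *.docm *.wps *.xls *.xlsx "
    "*.xlsm *.xlsb *.xlk *.ppt *.pptx *.pptm *.mdb *.accdb *.pst *.dwg *.dxf *.dxg "
    "*.wpd *.rtf *.wb2 *.mdf *.dbf *.psd *.pdd *.eps *.ai *.indd *.cdr ????????.jpg "
    "????????.jpe img_*.jpg *.dng *.3fr *.arw *.srf *.sr2 *.bay *.crw *.cr2 *.dcr "
    "*.kdc *.erf *.mef *.mrw *.nef *.nrw *.orf *.raf *.raw *.rwl *.rw2 *.r3d *.ptx "
    "*.pef *.srw *.x3f *.der *.cer *.crt *.pem *.pfx *.p12 *.p7b *.p7c *.pdf *.tif"
).split()]

def is_targeted(filename: str) -> bool:
    """Case-insensitive glob match; '?' is exactly one character, so
    ????????.jpg hits DSC_0001.jpg but not holiday.jpg (no plain *.jpg mask)."""
    name = os.path.basename(filename).lower()
    return any(fnmatch.fnmatchcase(name, mask) for mask in CRYPTOLOCKER_MASKS)

def walk_alphabetically(root):
    """Depth-first, case-insensitive alphabetical walk (assumed order),
    yielding only the files the masks select."""
    for entry in sorted(Path(root).iterdir(), key=lambda p: p.name.lower()):
        if entry.is_dir():
            yield from walk_alphabetically(entry)
        elif entry.is_file() and is_targeted(entry.name):
            yield entry

def inventory(root) -> dict:
    """Ordered list of at-risk files plus bytes per extension: the input
    for deciding what goes into a disconnected (cold) backup first."""
    root = Path(root)
    hits = list(walk_alphabetically(root))
    by_ext = Counter()
    for p in hits:
        by_ext[p.suffix.lower()] += p.stat().st_size
    return {"count": len(hits), "bytes_by_ext": dict(by_ext),
            "order": [p.relative_to(root).as_posix() for p in hits]}

def build_sample_tree() -> Path:
    """Constructed share layout (zero-filled dummy files) for a stand-alone run."""
    base = Path(tempfile.mkdtemp(prefix="cl_demo_"))
    files = {"Finance/2013_budget.xlsx": 4096, "Finance/notes.txt": 512,
             "Photos/DSC_0001.jpg": 2048,        # 8 chars: matches ????????.jpg
             "Photos/holiday.jpg": 2048,         # 7 chars: not on the list
             "Photos/IMG_20131010_1.JPG": 2048,  # matches img_*.jpg, any case
             "archive/old_report.PDF": 1024, "Certs/server.pfx": 256,
             "Certs/readme.md": 100}
    for rel, size in files.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(b"\0" * size)
    return base

if __name__ == "__main__":
    result = inventory(build_sample_tree())
    print(f"{result['count']} files at risk, in assumed encryption order:")
    print("\n".join("  " + rel for rel in result["order"]))
    print("bytes by extension:", result["bytes_by_ext"])
```

Point it at a mapped drive letter or a user profile instead of the sample tree to get the real list; the per-extension byte totals are what the 5GB/hr decryption estimate in the post should be weighed against.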
Mike Hearn, Chair of the Bitcoin Foundation's Law & Policy committee is also pushing blacklists behind the scenes
Bitcointalk discussion: https://bitcointalk.org/index.php?topic=333824.msg3581480#msg3581480 Hearn posted the following message to the legal section of the members-only foundation forum: https://bitcoinfoundation.org/forum/index.php?/topic/505-coin-tracking/ If you're not a member, you don't have access. I obtained this with the help of a foundation member who asked to remain private. He's promoted blacklists before, but Hearn is now a Bitcoin Foundation insider and as Chair of the Foundation's Law & Policy committee he is pushing the Foundation to adopt policies approving the idea of blacklisting coins. I also find it darkly amusing that he's now decided to call the idea "redlists", perhaps he has learned a thing or two about PR in the past few months. All Bitcoin investors need to make it loud and clear that attacking the decentralization and fungibility of our coins is unacceptable. We need to demand that Hearn disclose any and all involvement with the Coin Validation startup. We need to demand that the Foundation make a clear statement that they do not and will not support blacklists. We need to demand that the Foundation support and will continue to support technologies such as CoinJoin and CoinSwap to ensure all Bitcoin owners can transact without revealing private financial information. Anything less is unacceptable. Remember that the value of your Bitcoins depends on you being able to spend them.
I would like to start a discussion and brainstorming session on the topic of coin tracking/tainting or as I will call it here, "redlisting". Specifically, what I mean is something like this: Consider an output that is involved with some kind of crime, like a theft or extortion. A "redlist" is an automatically maintained list of outputs derived from that output, along with some description of why the coins are being tracked. When you receive funds that inherit the redlisting, your wallet client would highlight this in the user interface. Some basic information about why the coins are on the redlist would be presented. You can still spend or use these coins as normal, the highlight is only informational. To clear it, you can contact the operator of the list and say, hello, here I am, I am innocent and if anyone wants to follow up and talk to me, here's how. Then the outputs are unmarked from that point onwards. For instance, this process could be automated and also built into the wallet. I have previously elaborated on such a scheme in more detail here, along with a description of how you can avoid the redlist operator learning anything about the list's users, like who is looking up an output or who found a match. Lately I was thinking about this in the context of CryptoLocker, which seems like it has the potential to seriously damage Bitcoin's reputation. The drug war is one thing - the politics of that are very complex. Extortion is something else entirely. At the moment apparently most people are paying the ransom with Green Dot MoneyPak, but it seems likely that future iterations will only accept Bitcoin. Specifically, threads like this one concern me a lot. Summary: a little old lady was trying to buy bitcoins via the Canada ATM because she got a CryptoLocker infection. She has no clue what Bitcoin is beyond the fact that she needed some and didn't know what to do. 
The risk/reward ratio for this kind of ransomware seems wildly out of proportion - Tor+Bitcoin together mean it takes huge effort to find the perpetrators and the difficulty of creating such a virus is very low. Also, the amount of money being made can be estimated from the block chain, and it's quite large. So it seems likely that even if law enforcement is able to take down the current CryptoLocker operation, more will appear in its place. I don't have any particular opinion on what we should talk about. I'm aware of the arguments for and against such a scheme. I'm interested in new insights or thoughts. You can review the bitcointalk thread on decentralised crime fighting to get a feel for what has already been said. I think this is a topic on which the Foundation should eventually arrive at a coherent policy. Of course I know that won't be easy. -Mike Hearn
Gavin Andresen presents his take on the newly formed "Blockchain Alliance"
There has always been a split among bitcoiners on how best to interact with regulators and law enforcement. There is the "ignore them, they're illegitimate. Honey Badger don't care" side. And there's the "engage them, educate them, show them the positive benefits to balance the negatives that are, otherwise, probably the only thing they see" side. I still think engaging is the best strategy. Yes, there will be more failures like the BitLicense, but overall I think every positive interaction with law enforcement or regulators helps move opinions from "Bitcoin is Evil and must be eliminated" towards "Bitcoin is an innovative technology that should be allowed to grow." And no, I don't think "we" will compromise the technology or our deeply held beliefs because we interact with "them." At least, I know I won't. If you are worried that talking to the FBI about the latest version of CryptoLocker might corrupt your morals, then great-- nobody will twist your arm to participate.
I agree with Gavin that engagement is preferable. I've met many regulators and had some productive conversations...particularly globally. The regulators in Massachusetts for example are pretty reasonable to speak with. I was not a fan of engaging with Lawsky because I think he had bad faith. My concern with this new Blockchain Alliance is that the agencies have generally bad track records and also, they are not lawmakers or regulators...just enforcers. So no amount of convincing will get them to relax, consider or change policy. A couple examples: Fed enforcement agencies target legal pot businesses in Colorado, despite Colorado voters deciding this should not be criminal. Another example: the DHS/TSA was recently involved in prosecution of a gay male prostitution ring in NYC. This is a massive stretch from anything which could be claimed to "protect us from terrorism" and the type of thing which would be harmful if these agencies want Bitcoin traced and tracked for this purpose. I [have] many members of law enforcement in my family. They are generally hard working, good people. But above all else they follow orders and the code is more based on chain of command than a moral code. I know very little about the program / alliance overall -- hopefully I'm wrong.
Abstract: Bitcoin, a decentralized cryptographic currency that has experienced proliferating popularity over the past few years, is the common denominator in a wide variety of cybercrime. We perform a measurement analysis of CryptoLocker, a family of ransomware that encrypts a victim's files until a ransom is paid, within the Bitcoin ecosystem from September 5, 2013 through January 31, 2014. CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground. For example, a variant known as “CTB-Locker” creates a single file in the directory where it first begins to encrypt files, named, !D