CryptoLocker news

Okay folks, here we go again. More ransomware is spreading and it can hit you. [Ransomware is a class of malware that restricts access to the computer system it infects and demands a ransom, paid to the malware's operator, to lift the restriction. Some forms encrypt files on the system's hard drive (cryptoviral extortion); others simply lock the system and display messages intended to coax the user into paying.]

Ransomware that encrypts your data and tries to sell it back to you, or else, is not new. In fact, one of the earliest pieces of malware written specifically to make money, rather than simply to prove a point, was the AIDS Information Trojan of 1989. That Trojan scrambled your hard disk after 90 days and instructed you to send $378 to an accommodation address in Panama.

Enter the latest menace: CryptoLocker. If you have been seriously infected and do not take IMMEDIATE remedial steps, there is, sadly, not much you can do [unless you have full ‘offline’ backups, as I am always ranting about] but pay up!

This is getting some recent much needed attention by the press. Here is a recent short article. A Google search will turn up hundreds more.

The endgame is the same in all cases: if you have a reliable and recent backup, you’ll have a good chance of recovering without too much trouble.

Prevention, in this case, is significantly better than cure:

  • Stay patched. Keep your operating system and software up to date.
  • Make sure your anti-virus is active and up to date.
  • Avoid opening attachments you weren’t expecting, or from people you don’t know well.
  • Make regular backups, and store them somewhere safe, preferably offline.

Don’t forget that services that automatically synchronise your data changes with other servers, for example in the cloud, don’t count as backup!!

They may be extremely useful, but they tend to propagate errors rather than defend against them: to a sync client a freshly encrypted file is just another change to push, and without version history the good copy is overwritten.

What is CryptoLocker

CryptoLocker is a ransomware program, first seen around the beginning of September 2013, that targets all versions of Windows including Windows XP, Windows Vista, Windows 7 and Windows 8. It encrypts certain file types using a combination of RSA and AES: each file is encrypted with AES, and the AES key is in turn encrypted with an RSA public key whose matching private key stays on the attacker's server, which is why the key cannot be recovered from the infected machine. When it has finished encrypting your files, it displays a CryptoLocker payment program demanding a ransom of either $100 or $300 to decrypt them. This screen also shows a countdown, typically 72 hours (some variants show a 4-day deadline), after which it claims it will delete your encryption key, leaving you no way to decrypt your files. The ransom must be paid with MoneyPak vouchers or Bitcoins. Once the payment is sent and verified, the program decrypts the files it encrypted.

How do you become infected with CryptoLocker

This infection is typically spread through emails sent to company email addresses that pretend to be customer-support messages from FedEx, UPS, DHL and the like. An unsuspecting user either receives an email purporting to be from their bank, a friend, Facebook or a host of other fake senders, or is asked to click on a pop-up on a website. The person thinks it is legitimate, clicks, and before they know it the malware is installed and encrypting their data. They are then given a time period, for instance 72 hours, to pay in exchange for the key to decrypt all the data. Refuse and the data stays encrypted, which in practice means it is gone for good.

These emails carry a zip attachment that infects the computer when opened. The zip contains an executable disguised as a PDF: it has a PDF icon and is typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Windows hides known file extensions by default, FORM_101513.pdf.exe is displayed as FORM_101513.pdf, so it looks like a normal PDF and people open it. Turning on ‘show file extensions’ in Explorer’s folder options is a cheap first check.
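The double-extension trick above is easy to check for mechanically before an attachment ever reaches a user. The following is an added example, not code from the original post or from any mail-filtering product: it opens a zip attachment in memory, flags members with an executable or double extension, and also flags members whose contents begin with the `MZ` DOS/PE header regardless of what the name claims. The sample archive it builds (`build_sample_attachment`) is constructed for the demonstration and contains only a two-byte header stub, not real malware.

```python
import io
import os
import zipfile

# Extensions Windows will run. Explorer's "Hide extensions for known file types"
# default turns FORM_101513.pdf.exe into "FORM_101513.pdf" with a PDF icon.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def inspect_member(name, head):
    """Return the reasons an archive member looks like a disguised executable (empty if none)."""
    reasons = []
    base = os.path.basename(name)
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    inner_ext = os.path.splitext(root)[1].lower()   # the ".pdf" in "FORM.pdf.exe"
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if inner_ext in DOCUMENT_EXTS:
            reasons.append(f"double extension {inner_ext}{ext} (shows as {root} when extensions are hidden)")
    if head[:2] == b"MZ":                             # DOS/PE header: a Windows executable
        reasons.append("content starts with an MZ (PE) header")
        if ext in DOCUMENT_EXTS:
            reasons.append(f"PE header inside a file claiming to be {ext}")
    return reasons


def inspect_zip_attachment(data):
    """Scan a zip attachment (bytes) and return {member_name: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                with zf.open(info) as fh:
                    head = fh.read(64)
            except RuntimeError:   # password-protected member: cannot be inspected, flag it
                findings[info.filename] = ["encrypted member; contents could not be inspected"]
                continue
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment():
    """Constructed sample archive for the demo: two disguised executables and one real PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FORM_101513.pdf.exe", b"MZ" + b"\x00" * 62)   # double extension + PE header
        zf.writestr("invoice.pdf", b"MZ" + b"\x90" * 30)            # PE content behind a .pdf name
        zf.writestr("README.pdf", b"%PDF-1.4\n%...\n")              # genuine PDF header
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip_attachment(build_sample_attachment()).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The header check matters more than the name check: a renamed executable with a benign extension still starts with `MZ`, and an archive the scanner cannot open (encrypted members) deserves to be treated as suspicious rather than silently passed through.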

Please make sure that your antivirus/anti-malware software and systems are up to date. And for Pete’s sake do NOT open attachments from the likes of those listed. IF you think you need to track something, go to the ‘front door’ of the shipping company or bank and log in/track there.

Once YOU infect yourself (yes, it is an action taken by the user that starts the infection!!) [Like any other piece of malware, common sense goes a long way. The critical thing is that it is not going to install itself; you have to initiate some action.] you will soon probably see a screen that looks like this:

[Image: CryptoLocker payment screen]

Examples of known CryptoLocker email subjects include:

  • USPS – Your package is available for pickup ( Parcel 173145820507 )
  • USPS – Missed package delivery ("USPS Express Services" <service-notification@usps.com>)
  • USPS – Missed package delivery
  • FW: Invoice <random number>
  • ADP payroll: Account Charge Alert
  • ACH Notification ("ADP Payroll" <*@adp.com>)
  • ADP Reference #09903824430
  • Payroll Received by Intuit
  • Important – attached form
  • FW: Last Month Remit
  • McAfee Always On Protection Reactivation
  • Scanned Image from a Xerox WorkCentre
  • Scan from a Xerox WorkCentre
  • scanned from Xerox
  • Annual Form – Authorization to Use Privately Owned Vehicle on State Business
  • Fwd: IMG01041_6706015_m.zip
  • My resume
  • New Voicemail Message
  • Voice Message from Unknown (675-685-3476)
  • Voice Message from Unknown Caller (344-846-4458)
  • Important – New Outlook Settings
  • Scan Data
  • FW: Payment Advice – Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13]
  • Payment Advice – Advice Ref:[GB2198767]
  • New contract agreement.
  • Important Notice – Incoming Money Transfer
  • Notice of underreported income
  • Notice of unreported income – Last months reports
  • Payment Overdue – Please respond
  • FW: Check copy
  • Payroll Invoice
  • USBANK
  • Corporate eFax message from "random phone #" – 8 pages (random phone # & number of pages)
  • past due invoices
  • FW: Case FH74D23GST58NQS
  • Symantec Endpoint Protection: Important System Update – requires immediate action

What should you do when you discover your computer is infected with CryptoLocker

When you discover that a computer is infected with CryptoLocker, the first thing to do is disconnect it from the wireless or wired network. This stops it encrypting anything further, including files on network shares it can reach. Some people have reported that the CryptoLocker screen only appears once the network connection is cut.

Users who are infected should IMMEDIATELY consult a reputable security expert to assist in removing the malware, and should NOT attempt to mitigate or in any way ‘fix’ the issue themselves; that will only ensure the loss of data!!

It is not advised that you remove the infection from the %AppData% folder until you decide whether you want to pay the ransom. If you do not need to pay, simply delete the Registry values and files and the program will not load anymore. You can then restore your data by other means.

It is important to note that the CryptoLocker infection spawns two copies of itself. If you terminate only one, the survivor immediately relaunches the other. Instead use a program like Process Explorer, right-click the parent process and select Kill Tree, which terminates both at once.
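Once the machine is off the network, the next question is which files were actually hit, so you know what to restore and which shares to check. The following is an added example, not part of the original post and not a tool from any vendor: it walks a directory tree and flags files whose leading bytes no longer carry the header their extension promises (a PDF that does not start with `%PDF`), or, for formats without a fixed header, whose bytes have the near-8-bits-per-byte entropy of ciphertext. The sample tree it creates under a temporary directory (`make_sample_tree`) is constructed for the demonstration; the “encrypted” files are simply random bytes, and the entropy threshold of 7.5 is an assumption that suits 4 KiB samples.

```python
import math
import os
import tempfile

# Leading bytes ("magic") that legitimate files of these types always carry.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
    ".jpg": (b"\xff\xd8\xff",), ".png": (b"\x89PNG",),
}


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant byte, 8.0 for uniform random data. Ciphertext sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path, sample_size=4096, threshold=7.5):
    """Return (flagged, reason) for one file.

    Files whose extension has a known header are judged by the header alone, so compressed
    formats such as .docx and .jpg (legitimately high-entropy) do not false-positive.
    Everything else (e.g. .txt, .csv) is judged by the entropy of its first bytes.
    """
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if len(head) < 256:
        return False, "too small to judge"
    expected = MAGIC.get(ext)
    if expected is not None:
        if any(head.startswith(m) for m in expected):
            return False, "header matches extension"
        return True, f"{ext} file without its expected header"
    ent = shannon_entropy(head)
    if ent > threshold:
        return True, f"entropy {ent:.2f} bits/byte looks like ciphertext"
    return False, f"entropy {ent:.2f} bits/byte"


def scan_tree(root):
    """Walk `root` and return {relative_path: reason} for every file that looks encrypted."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hit, reason = looks_encrypted(full)
            if hit:
                flagged[os.path.relpath(full, root)] = reason
    return flagged


def make_sample_tree():
    """Constructed sample: healthy documents next to files overwritten with random bytes."""
    root = tempfile.mkdtemp(prefix="cryptolocker-demo-")
    samples = {
        "report.pdf": b"%PDF-1.4\n" + b"Quarterly numbers look fine. " * 200,   # intact
        "budget.pdf": os.urandom(4096),                                        # header gone
        "notes.txt": b"Meeting notes: action items and owners. " * 150,        # intact
        "notes_enc.txt": os.urandom(4096),                                     # ciphertext-like
        "photo.jpg": b"\xff\xd8\xff\xe0" + os.urandom(4000),                   # intact, high entropy
        "tiny.txt": b"hi",                                                     # too small to judge
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in sorted(scan_tree(make_sample_tree()).items()):
        print(f"{rel}: {reason}")
```

Run it against the user's document folders and any mapped drives, not just the local disk. The header check is the reliable one; the entropy test is a heuristic that can be fooled by legitimately compressed content, which is why headered formats are never judged by entropy here.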

Is it possible to decrypt files encrypted by CryptoLocker?

Unfortunately, at this time there is no way to retrieve the private key that can decrypt your files without paying the ransom. Brute-forcing the key is not realistic because of the time it would take, and the decryption tools various companies have released for other ransomware do not work with this infection. The only ways to restore your files are from a backup, or from Shadow Volume Copies if System Restore is enabled. Newer variants of CryptoLocker try to delete the Shadow Copies, but do not always succeed; you can see what is left with vssadmin list shadows, or via the ‘Previous Versions’ tab on a file or folder. There are methods that can be used to recover files from Shadow Copies, but this often requires an expert.

If you do not have System Restore enabled or reliable backups, then paying the ransom is the only remaining way to get your files back.

So to summarize: the very first line of defense is good computing common sense and usage. Second is my usual mantra: FULL IMAGE BACKUPS ON A REGULAR BASIS TO EXTERNAL/REMOVABLE MEDIA. I can’t say this enough. And I’m sure to get the calls from folks who are screwed. I sympathize, a little anyways.

Okay end rant. Be safe. Peace all.

Windows 8.1 is here

Windows 8.1 is here, just a year after Windows 8. The update is free to existing Windows 8 users, and it is simple and hassle-free through MS update.

I’d recommend it to anyone who has Windows 8 to make it more easily navigable and user friendly. Especially those of us in the business desktop world.

Some reasons to update can be found here.

Another pretty good review article is here.

Terrifying new Ransomware

This is some scary sh%t.
I know I sound like this guy

[Image: ‘the sky is falling’]

about backing up your entire systems to ‘offline/removable’ media but I’ll keep on saying it.

This nasty is spreading fast on corporate networks. The scary thing is that it still relies on social engineering and poor user training/safety habits to launch/install. It usually arrives as an email with an attached zip archive containing an executable, which should have been a dead giveaway that the message was malicious and in no way legitimate. But sadly most people have not been properly educated on computer safety, or are just plain lazy and don’t think about what they are doing. Once installed it can wreak havoc on a company.

Please develop and use some kind of offline full-system backup plan for your personal and, especially, your business systems.

Do not rely on a ‘cloud based’ backup system to protect you from this type of attack. Think about it: your now-encrypted files would be uploaded to the cloud and overwrite your original/good ones.

I’ve written so many times about the need for offline backups you can just look through my blog and find more info about that.

Be safe folks!

Adobe Hacked (again)

Yay another security hack. 🙁

If you have an Adobe Account Please login to their site and change your Password. You may have already received notice to reset them, if so please do!

I’d suggest that if you have any payment information associated with any Adobe account/login you remove it! You can read Adobe’s own statement here. And some more (and scarier) details from other tech sites like this one or this one.

My drumbeat. Backup with Images folks!

Once again I’ve had the frustration of dealing with failed hardware. The system was highly customized, with special settings and configurations to enable unique line-of-business applications and data, plus the ‘regular’ business applications such as MS Office (with custom CRM databases), multiple email accounts and other applications installed after the system was first ‘fired up’. It was an HDD failure on a two-month-old HP laptop.

HP’s solution is ‘just send the whole thing back and we’ll put the new HDD in with the factory image’. A ‘factory image’ is what the new laptop ships with, as if you had just bought it. None of my installed applications, settings or files would be there. Meaning I’d have to finish the initial setup, update the operating system to Windows 8 Pro (the shipped version was Home Premium), install MS Office 2013 Pro (again from the MS Store; it didn’t come with the system), install all the other business applications required for this user (4+ separate ones, each requiring special configuration to work with Windows 8), AND then get all the files and settings (like email accounts etc.) configured. Oh, and of course there would be about a day and a half of Windows and application updates and patches to apply. Then hope that it all works as it did.

Had this system been IMAGED, I would have been able to remove the dying/dead drive, run down to the local PC store (Fry’s), buy a replacement drive, install the clean/new one and restore that image to it. The system would then be as it was when the image was created: apps, files, settings and all. The only time needed would have been the physical HDD removal and replacement plus the image restore; that total would probably have been one day, more or less.

I propose this to all of my clients. But for some reason they often don’t see the value till it’s too late, no matter my insistence. It is usually ‘yeah, we’ll do that soon… just not now…’. Sometimes it’s the capital cost (actually less than $200.00) or time (really very little to install and set up). But in the end I guarantee that it will always cost more if they are out of business.

However, in this case there was no image backup. The system was at a point where it was un-repairable via HP or MS Windows recovery tools and would not boot. I had to remove the HDD, place it in one of my HDD docks and use advanced disk recovery (forensic) tools just to get access to the data. I was then able to copy off nearly all the data to another drive. Note that I recovered data, NOT the working system. So all the documents and files this person had are still accessible, but otherwise quite useless without the applications and operating system to use them.

I constantly hear the commercials for the many online backup services and their BS promises on the TV and radio. My clients do too. And they, like most people, do NOT understand that there is a WORLD of difference between a file backup and a full system backup that enables complete system recovery: operating system, applications, settings and all. It’s good to use some of these services to back up your documents and files (I do, and recommend some; see my previous articles on cloud storage). But you must understand that if your SYSTEM fails you need some kind of system recovery, not just files.

I cannot state it emphatically or enough, PLEASE USE SOME KIND OF DISK IMAGING SOFTWARE TO CREATE YOUR BACKUPS!!

I have written many, many times about this. You can read here and here.

My go-to imaging software is Acronis True Image. The cost is nominal (right now only $79.00 U.S. for the Home Premium version that includes ‘Universal Restore’). You can check out their deals here. Add to that the low cost of external USB HDDs (less than $100.00 U.S. in most cases) and you can be sure that you will NOT be out of business longer than a day or two at most, vs. having to wait for a manufacturer to send out replacement part(s), re-install and configure everything and HOPE it all works as it did.

Well there you go just another rant after spending a few whole days working my tail off to help one of my clients. Sigh..

Get even more Dropbox space right now.

I use Dropbox to synch some files between computers, devices and the web. Nothing very sensitive but it’s great for photos, tech documents and files and other items. It’s also great for sharing items with others; I can upload something, share it (Dropbox gives a link to ‘share’) I then send that link to those I wish. Pretty cool.

Right now, and I don’t know if it’s a fluke or not, you can get up to 50GB of space just by doing a few things! If you have an account log into it and go here [get space] or create an account, go through the walkthrough (they’ll add space just for doing that) then go to the ‘get space’ link.

  1. Tell them why you like Dropbox.
  2. Let them tweet about you.
  3. Tweet about them.

Just doing these three things got my storage size to 52GB!!

I don’t really tweet much except for tech posts, so I could give a rip about them tweeting to my feed. You may care, I don’t. Also, for my personal ID security and safety, all my login credentials are very different and not connected in anyway for every online service I use.

I do also use other cloud services too (Google Drive, Skydrive etc.) but I’ve posted before about those already too.

Well hope you get your space while the getting is good.

Wi-Fi connection issues with Smartphones and devices

Just thought I’d pass this on to those with Smartphone activation or Wi-Fi issues.
About a month ago I had LOADS of problems trying to get two new Samsung Galaxy S4 phones activated.

My Wi-Fi would drop off after just a few moments or minutes at the longest. After a few days, I started to RMA and send back two phones trying to get them to work. Besides some issues with flashing firmware, which I resolved, I could not get the phone(s) to finish setting up because of the data connection problems.

Then I chatted with another geek like me on a tech forum and he said he had problems with his phones on one of his home’s routers.
And, because his Wi-Fi kept disconnecting it caused all kinds of problems during setup. His ‘solution’ was to get a new wireless router.

Since I can’t let things like this beat me I decided to do even more research.
His comment about the router got me to thinking about the routers in my place.
So I turned off the old Linksys with customized DDWRT firmware and tried connecting to my DLink DIR655. Nope. Still had issues with losing connectivity. And I could not finish activating/updating phone.

So, following up on the ‘connection/Wi-Fi’ premise I did some more searching and found two articles.
First one is here.

Key for me in this article was this one line,
"The company suggested that customers using the DIR-655 or the DIR-855 could mitigate the problem in the meantime by logging into the web interface and disabling the Wireless Multimedia Extensions (WME, also known as Wi-Fi Multimedia or WMM)."

I made that one change – disable WMM on the DLink, and the phone stayed connected to WiFi! I was able to finish the carrier/phone activation and commence synching!

The other article, here, mentions upgrading firmware on the DLink:
Haven’t tried the new firmware for the DLink but I probably will soon enough. Here’s to hoping all goes well.

So now here is a catch. iOS 6 (iPhone) supposedly requires WMM compliance. However some are saying that they too get much better speeds and stability by disabling this setting too. You can read about that here. So if you have an iDevice you might want to check into this setting on your router.

Well good luck. Hope this helps some of you all.

Nandroids and other backup tips

Hey folks another reminder please backup your digital data. I know most people don’t think about this till it’s too late. Don’t be one of those. Not a week goes by that I don’t hear from someone who’s ‘lost it all’ and had no backup. Or worse thought they had a backup but never verified it and found it wasn’t usable.

I’ve written many times before on the why’s, and how to’s; here is a great write up

And for backing up your iDevice read here. My go to tool for all things iDevice is still DiskAid . If you don’t want to use that and iTunes, at least use Time Machine and iCloud!

To back up Android devices I use two tools. One is Titanium Backup Pro. [It requires root access; if you don’t know what that is and why you should have it, check here. You can learn how to root your particular device and add a custom recovery on XDA (more at the bottom).] Titanium’s benefits and functions are also explained in my other post above.

The other method I use regularly with my Android devices is to create Nandroid backups.

So just what IS a Nandroid? It is a full backup of the partitions on your device’s NAND flash (NAND actually stands for NOT AND, which in simple terms means an electronic gate). Basically a backup of your phone’s hard drive, if you will. The Nandroid backup is a snapshot of your device (meaning everything on your phone: your apps, data, your current ROM and even the kernel) at the time you make the backup. If you restore the backup, it changes your phone BACK to that state. Again I will mention my love of disk images in disaster recovery; done right it is by far the best solution for complete recoverability of data AND system(s) to a point in time.

To create a nandroid you will need a Rooted device, of course, and a ‘custom recovery’ such as ClockWorkMod (CWM) or other recovery such as Team Win Recovery Project (TWRP). So make sure prior to this you have a rooted device and custom recovery on your device.

Here is a great walkthrough of how to use an Android custom recovery (here TWRP) to create a nandroid backup on the Samsung Galaxy S4. This recovery is very similar to CWM (ClockworkMod) in functionality but has a few more options and is, of course, touch based, which can save wear on your hardware buttons. The method is virtually the same across Android devices.

The king of Android how-to’s is Tim Schofield (QbKing77) check out his various vids here.

This guy also has loads of good vids for various Android devices you may wish to check out here.

Little hack for the S4 (Sprint) http://www.youtube.com/watch?v=AYTis-i7HA4 that will give you the ability to use your phone as a hotspot (note that this may be against the Terms of Service and you could be cancelled for abusing this! So use at your own discretion).

If you’d like to learn more about your Android device you should really check out the XDA Developers forum and site. Here is their introductory video. If you spend just a little time there you will surely learn a whole lot about your device and how to really unleash its full potential.

Oh, and if you do go there and check out the site keep in mind the pointers from this video!


Using Google’s Two Step Verification

If you don’t know what 2-Step Verification is here is a simple explanation: The two-step system uses both a password and a numerical code tied to your mobile phone, which can be sent by Google via SMS or generated by a smartphone app. Either way, it means a prospective hacker would need to obtain both your password and your phone to access your account.
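The app-generated codes are time-based one-time passwords (RFC 6238 TOTP, built on RFC 4226 HOTP): phone and server share a secret, and each 30-second window yields a six-digit code from an HMAC over the window number. The following is an added example, not Google's code or anything from the original post, showing how the code is derived, how a server verifies it with a small tolerance for clock drift, and how printable backup codes can be generated. The test vectors in the comments are the published RFC ones for the secret `12345678901234567890`; the `window` size and backup-code format are assumptions. One caveat the page's summary glosses over: a code can still be phished in real time, so the second step defends against a stolen password, not against a user who types the code into a fake login page.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)          # keep leading zeros


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter = number of `step`-second windows since the Unix epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret, candidate, for_time=None, window=1, step=30, digits=6, algo=hashlib.sha1):
    """Accept the code for the current window and +/- `window` neighbours (clock drift).

    Compares in constant time. A real server must also remember the last accepted
    counter and refuse to accept the same code twice within its validity.
    """
    if for_time is None:
        for_time = time.time()
    for k in range(-window, window + 1):
        expected = totp(secret, for_time + k * step, step, digits, algo)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def secret_from_base32(text):
    """Authenticator apps receive the shared secret Base32-encoded (what the QR code carries)."""
    text = text.strip().replace(" ", "").upper()
    text += "=" * (-len(text) % 8)                           # restore any stripped padding
    return base64.b32decode(text)


def generate_backup_codes(count=10, digits=8):
    """One-time backup codes for when the phone is unavailable. Use the OS CSPRNG,
    store them hashed server-side and invalidate each one after first use."""
    return [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(count)]


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret; the expected values below are the RFCs' own.
    secret = b"12345678901234567890"
    print(hotp(secret, 0))                   # 755224  (RFC 4226 counter 0)
    print(totp(secret, 59, digits=8))        # 94287082 (RFC 6238, T=59, SHA-1)
    print(verify_totp(secret, "287082", for_time=89))   # True: window 1 is one step back
    print(generate_backup_codes(3))
```

The `window` of one step each side is the usual compromise: it tolerates a phone clock a few seconds off without widening the set of acceptable codes much. `hmac.compare_digest` avoids leaking, through timing, how many leading digits of a guessed code were right.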

I’ve been aware of Google’s two-step verification system for some time, but I felt my very strong password, the fact that I don’t use that password anywhere else and that it could not be ascertained by usual social engineering methods, was more than adequate protection. I was also concerned the system might be a hassle to use since I routinely sign in from so many different computers and locations. I already use a password manager (KeePass) that requires not only a master password but a key file too. [There are other very effective password managers out there; I suggest you use one. Ars has a good article about that here.]
But with the massive increase in hacking and hijacking of information and the advancement of brute-force cracking technologies and techniques, I felt it was time to get onto the 2-step wagon.

Also I suggest that if you use Yahoo mail for anything you migrate towards Gmail or some other provider. Yahoo has one of the worst records for email security. They are hacked all the time! One recent article is here.
And for Pete’s sake please do NOT ‘link’ your Facebook account with Yahoo; that too is a major source of hacked Facebook account activity. If you currently have it linked I suggest you separate it. You can read how here and here.

So here is a brief explanation of how to enable 2-step verification. I will also link to some other resources on how to enable and use it at the bottom. If you find this too complicated or too much of a hassle you can always disable it very easily.

So let’s get started. Log in to your account and go to Account, then Security.

[screenshot]

In the Security list you’ll see 2-step verification. This is where you can ‘turn it on’ and edit the settings.

[screenshot]

Printable backup codes. Warning: if your phone is unavailable, these codes will be the only way to sign in to your account. Keep them someplace accessible but safe, like your wallet or a desk drawer.

[screenshot]

Here click on ‘Show backup Codes’

[screenshot]

I printed out a set and put them someplace safe. I also saved them to a text file and imported that file of codes into my password management application, KeePass.

If you click on Application Specific Passwords you can create them for your other applications like Outlook, Apple Mail, Thunderbird etc. Just give it a useful name, click ‘Generate Password’ and then make sure to copy (or write down) that password; it is only shown once! I just copied each one to a text file so I could then paste it into the password field of my Outlook configuration. Keep in mind that an application-specific password bypasses the second step entirely, so treat each one like a full password and revoke it from the same page once that application no longer needs it.

[screenshot]

Some other links and info.

Here’s Google’s info page. And more here.

Setting up Mac Mail.

Setting up Outlook.

One more thing to consider if you’re a paranoid guy like me. I have all my browsers set to delete Internet history, cache and cookies when I close them, AND I also run CCleaner many times a day to clean out temp files. Doing this clears out the 2-Step ‘trusted computer’ cookie, so you will be asked for a code on every sign-in unless you manually exclude some specific cookies from deletion in your browser and/or CCleaner.

To create ‘safe cookies’ in Firefox here is a good article. For Chrome go here and read ‘Make exceptions for cookies for specific websites’. The method is just about the same for Internet Explorer and Safari.

For CCleaner you can add the cookies to keep manually. Read here.

The cookie domains you need to keep are these:

accounts.google.com
accounts.youtube.com
google.com
mail.google.com
apis.google.com
0.docs.google.com
docs.google.com

Hope this helps some. Peace out.

Windows 8.1 news

If you are buying a new PC or laptop and you’ve been holding off because of the new Metro interface you might be in luck.

It looks like Microsoft is pulling a ‘New Coke’ here and admitting that the ‘Metro’ desktop and lack of ‘Start’ button was a VERY BAD MOVE. Especially for those in the business community.

I got this deal earlier this year and it’s still a great one. For those looking for a powerful Windows PC laptop that could easily replace an older high-end workstation, this is a pretty good choice.
I wrote an article about my original selection, purchase and, finally, my adventures in ‘downgrading’ it to Windows 7 Pro/Enterprise here. Many of the things I do with my system cannot be done efficiently, or at all, from the silly ‘Metro’ interface. And other applications simply wouldn’t run properly.

With Windows 8.1 (which is said to be releasing mid to late summer), Microsoft is going to bring back the traditional ‘Boot to Desktop’ feature along with the much-missed ‘Start Button’. It looks like the start button will most likely resemble the ‘Windows Charm’ in Windows 8.1, but hopefully it will be there. You can read about that here and here.

IF you are stuck with Windows 8, don’t want to go through the hassle of downgrading it, and can’t wait for Microsoft to ‘fix it’, there is a fantastic solution to bring back the old Windows 7 interface. It’s called Start8 by Stardock Software. It’s a great app and only costs $4.99 USD. It’s the first thing I install on clients’ Windows 8 machines when they tell me they can’t handle the Windows 8 Metro interface.

Peace, and be safe.