Houston Cryptolocker, Teslacrypt and Ransomware Removal

URGENT ACTION!

If you have been hit by Cryptolocker, Teslacrypt, or any other form of ransomware, it is crucial that you enlist a computer security specialist as soon as possible to help you get your data back.

For immediate assistance, call Innovativ IT at (832) 429-5220. Their computer security specialists, experienced in successfully recovering data from ransomware attacks, can help you get your data back. DO NOT DELAY in calling if you are currently infected; time is of the essence.


If you are infected, it is essential that you take the proper steps, in the proper order, to ensure that you get your data back. Before you begin the recovery process, you must make sure that your recovery environment is set up properly and is stable; if you choose to pay to decrypt, you only get one shot.

Restoring from a backup is ideal, but if there is no current backup, then paying the ransom is the only way to recover the data and get your systems back up and running. It is also imperative that you take action immediately: when it comes to getting your data back, time is now your biggest enemy.


What is Ransomware?

Ransomware (from Wikipedia, the free encyclopedia) is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. Some forms of ransomware systematically encrypt files on the system's hard drive, which become difficult or impossible to decrypt without paying the ransom for the encryption key, while some may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a trojan, whose payload is disguised as a seemingly legitimate file.

While initially popular in Russia, the use of ransomware scams has grown internationally;[1][2][3] in June 2013, security software vendor McAfee released data showing that it had collected over 250,000 unique samples of ransomware in the first quarter of 2013, more than double the number it had obtained in the first quarter of 2012.[4] Wide-ranging attacks involving encryption-based ransomware began to increase through trojans such as CryptoLocker, which had procured an estimated US$3 million before it was taken down by authorities,[5] and Cryptowall, which was estimated by the US Federal Bureau of Investigation (FBI) to have accrued over $18m by June 2015.[6]


What is Cryptolocker?

CryptoLocker (from Wikipedia, the free encyclopedia) is a ransomware trojan which targets computers running Microsoft Windows. CryptoLocker propagated via infected email attachments, and via an existing botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message which offers to decrypt the data if a payment (through either bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatens to delete the private key if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin.

Although CryptoLocker itself is readily removed, files remained encrypted in a way which researchers considered infeasible to break. Many said that the ransom should not be paid, but did not offer any way to recover files; others said that paying the ransom was the only way to recover files that had not been backed up.


What is TeslaCrypt?

TeslaCrypt is a ransomware trojan which targets computers with specific computer games installed.[1][2][3][4] Newer variants of the malware also infect computers without these games.

Upon infecting a computer, the malware searches for 185 file extensions related to 40 different games, which include the Call of Duty series, World of Warcraft, Minecraft and World of Tanks, and encrypts them. The files targeted involve the save data, player profiles, custom maps and game mods stored on the victim's hard drives. Newer variants of TeslaCrypt are not focused on computer games alone but also encrypt, among others, Word, PDF and JPEG files. The victim is then prompted with a ransom of $500 worth of bitcoins in order to obtain the key to decrypt the files.[2][5]

Although resembling CryptoLocker in form and function, Teslacrypt shares no code with CryptoLocker and is developed independently. The malware infects computers via the Angler Adobe Flash exploit.[2][6]

Even though the ransomware claims TeslaCrypt uses asymmetric encryption, researchers from Cisco's Talos Group later found out that symmetric encryption is used, and Cisco developed a decryption tool for it.[7] This "deficiency" has been fixed in version 2.0, rendering it impossible to decrypt files affected by TeslaCrypt 2.0.[8]

By November 2015, security researchers from Kaspersky had been quietly circulating that there was a new weakness in version 2.0, but without letting the malware developer learn about it and fix the flaw.[9] As of January 2016, a new version 3.0 was discovered that had fixed the flaw.


The Damage is Real!

The FBI, during a nine-month period in 2014, received 1,838 complaints about ransomware, and the agency estimates victims lost more than $23.7 million, The Washington Post reported.

There have been many cases across the United States of America, as well as cases with huge impacts from Cryptolocker in Houston, Texas. Some cases are as small as one laptop, while others have completely shut down corporate networks and applications such as email, major ERP applications, and accounting packages (SAP, MAS, QuickBooks, Peachtree, etc.). Teslacrypt, the latest addition to the ransomware family, is now in the wild, infecting computers and corporate networks. There have been numerous cases of Teslacrypt reported in the Houston area, reportedly keeping one oil and gas company completely down for more than a week.


How Can I Protect Myself?

If you have not been infected, but wish to make sure that you've taken the necessary precautions, make sure that you have these areas covered:

  • Verify that you have good, current anti-virus software running on all of your computers
  • Make sure you have nightly backups, backing up both locally (to a secured location) and to the cloud
  • Use good spam filtering software or a spam filtering service
  • Configure DNS (Domain Name System) filtering to defeat ransomware

If you would like help, or more information on how to protect yourself from Cryptolocker and other forms of ransomware, call Innovativ IT (URL) at 832-429-5220 to speak to a computer security specialist.