A New Year Brings With It New Ransomware

It's a new year so naturally a new ransomware infection has been found attacking computers and networks.  PClock has been discovered masquarading as CryptoLocker.  See image below.  PClock attempts to name itself CryptoLocker, more as a scare tactic than anything, however it has been named PClock from the project name found in it's executable file.

 

It is not currently known how PClock is distributed. Once installed it attempts to only encrypt certain files types, specifically photos, videos, word processing and spreadsheet files. After encryption is complete PClock changes your desktop background to the ransom screen and provides a 72 hour count down clock for the victim to pay the 1 Bitcoin ransom.  Bitcoin is down a bit today, currently trading at 1 Bitcoin to $267.23 USD.

PClock regularly queries blockchain.info to determine if your payment has been received.  If a payment is received it then automatically transforms itself into the decryptor and prompts you to decrypt your files.

Interestingly if you do not pay within the 72 hours you receive a file, last_chance.txt, that tells you to download the malware again and claims to give you an additional 3 days to pay.  I have not seen any security firms who have actually tested that particular "feature".  

 

Aside from calling itself CryptoLocker and using a shield as it's image PClock and CryptoLocker don't have much in common.  In fact PClock has a very important difference from CryptoLocker, thanks to the hard work of some in the technology security industry at Emsisoft you won't need to pay to decrypt your files, nor have an enterprise backup running.  This is generally not the case with most ransomware infections, however in this case Emsisoft has called PClock "quite primitive by nature" and it's creators "amateurs at best."  Emsisoft has been able to provide a decryptor saving anyone unlucky enough to get this infection.  

Read more about PClock on Emsisoft.com.  Or if you need a help using the decryptor call you local IT support.

Read more...

The New And Improved CryptoWall 2.0

  • Published in Backups

Albeit improved in all the wrong ways.  

CryptoWall 2.0 is ransomware that falls into the same category as CryptoLocker, CryptorBit, TorrentLocker, the original CryptoWall, etc.  As one would expect with anything labeled 2.0 there have been improvements made to the original CryptoWall, in this case making it all the more insidious.

The original CryptoWall has made plenty of trouble for network administrators, encrypting local data and any data found across network shares.  There had been some loopholes network admins were using to recover the files without paying the ransom, including using data recovery to recover the original unencrypted files that CryptoWall had deleted.  However, with CryptoWall 2.0 the malware developers have made changes to make things harder on their victims.

(It's terrible, calling them developers as it almost gives them professional legitimacy. Admittedly they do consider this their job and as I've discussed before it is a very profitable endeavor.)

Changes included in CryptoWall 2.0 include unique wallet IDs for each victim to send ransom payments to, use of their TOR gateway, secure deletion of original [now] encrypted files, and a pretty handy FAQ / set of Instructions, which both covers what has happened to your computer and how to fix the problem.  Interestingly the Instructions make it sound like these guys are hear to help and not like they are the ones who caused the problem in the first place.

Here is a Bleeping Computer image of the Instructions.  Click here to read the full article on Bleeping Computer.Image from Bleeping Computer  

Always the recommended option for businesses is having a True Enterprise Backup, which allows for multiple copies your backed up material to be stored.  For many this has meant that yes the backup that happened last night was just a backup of the encrypted files, but the previous version from 3 nights ago is unencrypted.

Read more...
Subscribe to this RSS feed

Contact us

Phone: (775) 852-1811

Toll Free: (866) 511-1331

Fax: (775) 852-1844

Email: info@tsis.net

Physical Address:

8755 Technology Way

Suite J

Reno, NV 89521

Log in or Sign up