six_ten

Black Powder -- Cryptowall

Back up your hard drive often.

Yesterday I received three emails from Bohemia Interactive: two copies of one titled "Letter to Contestants" and one from Jan Kunt titled "Make Arma Not War - Total Conversion Submission" containing a secure attachment. As a matter of course I never open attachments, even from family and friends, unless I am expecting them. At about 8:30 pm I clicked on this one though, and read the email about setting up Dropbox access to submit my Black Powder mod. I then played a bit of Epoch with a friend, but noticed my computer was grinding slow and the game was dragging.

I closed ARMA, started a couple of security checks, and discovered some unusual files that had loaded about the time I'd read the BI emails. I do not know whether they were infected or if the payload launched coincidentally at that time. I cleared out the odd files, stopped the activity, and began cleaning up the mess. I searched for the names, found the kind of infection, and breathed a sigh of relief that I'd caught it in time before it did any damage, because this is a nasty one: it uses RSA encryption to encrypt your data, then demands a ransom starting at $500 to send you the key to decrypt.

It is now just after 3 am and until 15 minutes ago I thought I had dodged a bullet, that is until I happened to check my email and found that all my archives are now in machine language and Chinese. I started checking other folders, then, holding my breath, checked my mod folders: all my configs are encrypted. 3591 of my other directories are now encrypted. The only saving grace is that my soon-to-be-published book on the American Revolution (3 years of work to date) survives untouched as far as I can tell.

I've been working on my mod around the clock in every moment of free time, well over a thousand hours to date. I have been so busy that I didn't make time to back up my hard drive. I suggest everyone make time for it.

I am still not sure of the extent of the damage. I'll not pay any ransom. I will restore and reconstruct what I can, and if able I will still submit the Black Powder mod. The timing sucks as I only really had time in the next week or two for final polishing, but this is the circumstance.

I'm gonna brew a pot of coffee and pour some scotch then get to work rewriting.

Six_Ten

A sample of my Model 1768 Short Land Pattern Musket config: such nice code XD

ª%Ú\bÓvH T2ÃpµñéæÒ„µ½ü/yìǃÂâUc{Nn¨ùŠui§ÜÚ—¡°Qìü÷=õç²äãFÂeå؃PÆòQMÂL™Âë‰Ã¤o¥»¿×fŽ#‡¨›«‘‚ÜÓyx“³yí+E‚:éùèIý Â@'r¨˜T[ÜìUª"Ñ^qTð×n,„Ÿ3ÇŽU¼Qô8}Å &_ÌÆ,œþ"¤:øÈ!x:æò


ye, seems like you got infected with some crypto-malware ... the majority of crypto-malware gets sooner or later reverse engineered and most of the data can be restored

it's highly unlikely you got infected by email from us


I did, it appears to be Cryptowall (and yes, I'm still trying to mitigate the damage now at 7:19 am, having begun around 9 pm last night). It seems to use RSA encryption and is therefore unbreakable during my lifetime. Part of the attack involves deleting System Restore and Shadow Volume data, so there is no recovery possible.

I've just run across this: http://www.infoworld.com/article/2689332/security/malvertising-campaign-delivers-digitally-signed-cryptowall-ransomware.html It describes the use of a legitimate certificate digital signature, which is what I clicked on in the email from Jan.


Hey there,

I am really sorry this happened to you and I hope you manage to get your data back.

The email did come from me, but the attachment is just a secure signature certificate file (your email client should recognize it as such and should not even list it as an attachment. If anything it should help the email client verify the source of the email, because it is tied to my email address), so I do not believe my email was the source of the infection. To be sure I rechecked my ESET antivirus settings (and it is updated, with email client integration enabled) and I have run several tests with negative results. I am running more in-depth scans now, so I will let you know if anything pops up.

By the way, the link you posted only mentions that the malware binaries were digitally signed with valid certificates (the malware creators stole or purchased a valid certificate to sign their binaries) - not that the email signatures were used to distribute them.


Jan,

I appreciate that. Thanks. I included the link just to illuminate the methods they're using. I will be glad for any information about this. At this point I just want to recover my work. Your email did contain a secure signature certificate file, correct? I hesitated before clicking it but went ahead. I still don't know the source, I do want to track it down and if there's a problem I don't want anyone else to get it.


The email was signed, without any attachment, but from what you wrote it seems that your email client interpreted the signature as an attachment rather than as part of the email, as most clients do.
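Jan's point above, that a signed message carries its S/MIME signature as a MIME part which some clients list as an smime.p7s "attachment", can be checked by looking at the message structure rather than clicking on it. This is an added example, not code from the thread; the message below is constructed and its base64 signature bytes are a placeholder:

```python
from email import message_from_string

# Constructed sample (not a real message from the thread): a multipart/signed
# S/MIME mail. The base64 below is placeholder bytes, not a real signature.
SAMPLE_SIGNED_MAIL = """\
From: sender@example.com
Subject: Submission instructions
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain; charset=utf-8

Please set up Dropbox access as described.

--sig-boundary
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIBCgKCAQEAplaceholder
--sig-boundary--
"""

# MIME types that carry a detached signature rather than user content.
SIGNATURE_TYPES = {"application/pkcs7-signature",
                   "application/x-pkcs7-signature",
                   "application/pgp-signature"}


def classify_parts(raw):
    """Separate detached-signature parts from real attachments.

    A client that shows smime.p7s as an attachment is listing the signature
    of a multipart/signed message; it is not a file meant to be opened."""
    msg = message_from_string(raw)
    result = {"signed": msg.get_content_type() == "multipart/signed",
              "signature_parts": [], "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        filename = part.get_filename()
        if ctype in SIGNATURE_TYPES:
            result["signature_parts"].append(filename or ctype)
        elif filename:  # any other named part is a genuine attachment
            result["attachments"].append(filename)
    return result
```

Running classify_parts on the sample reports a signed message with one signature part (smime.p7s) and no attachments; a real attachment would show up in the attachments list and is what actually deserves scanning before opening.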


Try this. I've had some success with it with other people's infections.

https://www.decryptcryptolocker.com/

It's a legit site:

News post - http://www.pcworld.com/article/2462280/cryptolocker-decrypted-researchers-reveal-website-that-frees-your-files-from-ransomware.html

Worth a try at least.


Will someone please PM the Dropbox information to me; it was contained in the previously mentioned email, which I cannot access as it was encrypted with my other files. In spite of the destruction of most of my files I would like to enter what I've managed to salvage.
