Crash course in encryption viruses
What a night. I had a client call yesterday saying that he had clicked on a link in an AusPost email for a delivery receipt. This is a great example of paying attention to what is in front of you: he was unable to view the link on his iPhone, as it restricted the site, so he forwarded the email to his work PC and clicked it there, even though the link that shows when you hover over it in the email was to a site called sleeze .com. Anyway, back to the files: all the photos, documents and zip files on his computer were encrypted, and there was a pop-up showing a link to click to pay $600 to get the documents back. This should have been blocked by the antivirus, but in my research I have found that this variant is less than 3 days old and there are no virus signatures to detect it.
Now that I had determined what it was, I needed to work out what to do about it. I was sure that I didn't want to pay the criminal responsible in order to recover his data. The forums on bleepingcomputer.com shed a lot of light, enabling me to pin-point the exact infection and devise a strategy. The first step was to look for existing back-ups and recover the data, which on first inspection looked like they had been encrypted also. There was another option: to pay a trusted third party for a repair, which sounded like it was related to the original criminal but was ultimately someone trying to help and needing to cover their costs. So after sending some requests for help and searching high and low for a solution, I went to bed at midnight, only to hear my phone buzz from the other room as I lay down. This presented another paid option to repair, but still with no guarantee of success. I had another look at the machine, only to find an un-encrypted backup that was so large that maybe the file had not been processed.
With a solution now in sight and a new surge of energy, I started making backups of everything so that I could go back to the current point if needed. While the backups ran I had a short kip to ensure that I was still firing on all cylinders, and I have now got the system fully running with an up-to-date backup restored (minor tweaking was required to get it to boot), and will return the computer to the client later this morning once I am certain I am able to get it all working.
NOTE: Before clicking any links, hover your mouse over them and read the text in the status bar, usually at the bottom of the screen. The visible text of a link and the address it actually points to can be completely different; the status bar shows the real destination, and that is the part to read.
Keep an eye on your antivirus program to ensure it is running and up to date. Bear in mind that signature-based detection lags behind new variants (this one was only days old and had no signature), so an up-to-date antivirus is a safety net, not a guarantee.
Pay for a separate antimalware scanner if your antivirus does not do this task.