Buy bitcoins using GREENDOT MONEYPAK from Doubleup115 ...

Proper Care & Feeding of your CryptoLocker Infection: A rundown on what we know.

This article is no longer being maintained, please see the new version here. Thanks.
tl;dr: I hope you have backups. It's legit, it really encrypts. It can jump across mapped network drives and encrypt anything with write access, and infection isn't dependent on being a local admin or UAC state. Most antiviruses do not catch it until the damage is done. The timer is real and your opportunity to pay them goes away when it lapses. You can pay them with a GreenDot MoneyPak or 2 Bitcoins, attempt to restore a previous version using ShadowExplorer, go to a backup, or be SOL.
Vectors: In order of likelihood, the vectors of infection have been:
  • Email attachments: A commonly reported subject is Payroll Report. The attachment, most of the time, is a zip with a PDF inside, which is actually an executable.
  • PCs that are unwitting members of the Zeus botnet have had the virus pushed to them directly.
  • There is currently one report of an infection through Java, using the .jnlp file as a dropper to load the executable.
Variants: The current variant demands $300 via GreenDot MoneyPak or 2 BTC. I will not attempt to thoroughly monitor the price of bitcoins for this thread, use Mt. Gox for the current exchange rate. Currently the MoneyPak is the cheaper option, but last week Bitcoins were. Two variants, including a $100 variant and a $300 that did not offer Bitcoin, are defunct.
Payload: The virus stores a public RSA 2048-bit key in the local registry, and goes to a C&C server for a private key which is never stored. The technical nuts and bolts have been covered by Fabian from Emsisoft here. It will use a mix of RSA 2048-bit and AES 256-bit encryption on files matching these masks:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c, *.pdf, *.tif
This list of file masks may be incomplete. Trust this list at your peril. When in doubt, CryptoLocker will show you what files it has encrypted by clicking the relevant link in the virus's message.
It will access mapped network drives that the current user has write access to and encrypt those. It will not attack server shares, only mapped drives. Current reports are unclear as to how much permission is needed for the virus to encrypt a mapped drive, and if you have clarification or can test in a VM please notify me via message.
By the time the notification pops up, it's already encrypted everything. It's silent until the job is done.
Many antiviruses have been reported as not catching the virus until it's too late, including MSE, Trend Micro WFBS, Eset, GFI Vipre, and Kaspersky. They can further complicate matters by reverting registry changes and removing the executables, leaving the files behind without a public or private key. Releasing the files from quarantine does work, as does releasing the registry keys added and downloading another sample of the virus.
Windows XP through 8 have all reported infections.
What's notable about this virus, and this is going to lead to a lot of tough decisions, is that paying them to decrypt the files actually does work, so long as their C&C server is up. They verify the money transfer manually and then push a notification for the infected machine to call home for the private key again, which it uses to decrypt. It takes a long time to decrypt, at the rate of roughly 5GB/hr based on forum reports. The virus uses the registry to maintain a list of files and paths, so not moving the files around is vital to decryption if you are paying them.
Also notable is that the timer it gives you to pay them does appear to be legitimate, as multiple users have reported that once the timer ran out, the program uninstalled itself. Reinfecting the machine does not bring a new timer. I was not able to verify the uninstallation of the program after the timer ran out, it appears to be dependent on internet access.
Due to the nature of the encryption, brute-forcing a decrypt is essentially impossible for now.
Removal: Removing the virus itself is trivial, but no antivirus product (or any product, for that matter), will be able to decrypt the files until the private key is found.
File Recovery: There are only a handful of options for recovering encrypted files, and they all rely on either having System Restore/VSS turned on or having a backup disconnected from the infected machine. Cloud backup solutions without versioning are no good against this as they will commit the encrypted files to the cloud.
I had a Carbonite employee message me regarding my earlier statement that Carbonite is no good against this virus. It turns out that versioning is included in all Carbonite plans and support all agent OSes except Mac OS X which is outside the scope of this thread anyway. They have the ability to do a mass reversion of files, but you must call tech support and upon mentioning CryptoLocker you will be escalated to a tier 3 tech. They do not mention this ability on the site due to the potential for damage a mass reversion could do if done inadvertently. These are my own findings, independent of what the employee told me. Crashplan and other versioning-based backup solutions such as SonicWALL CDP should also work fine provided the backups are running normally.
Using the "Previous Versions" tab of the file properties is a cheap test, and has had mixed results. Using ShadowExplorer on Vista-8 will give you a much easier graphical frontend for restoring large amounts of files at once (though this will not help with mapped drives, you'd need to run it on the server in that case). Undelete software doesn't work as it encrypts the files in place on the hard drive, there is no copying going on. The big takeaway is that cold-storage backups are good, and they will make this whole process laughably easy to resolve.
Prevention: As this post has attracted many home users, I'll put at the top that MalwareBytes Pro, Avast! Free and Avast! Pro (defs 131016-0 16.10.2013 or later) will prevent the virus from running.
For sysadmins in a domain environment, one way to prevent this and many other viruses is to set up software restriction policies (SRPs) to disallow the executing of .exe files from AppData/Roaming. Grinler explains how to set up the policy here.
Visual example. The rule covering %AppData%\*\*.exe is necessary for the current variant. The SRP will apply to domain admins after either the GP timer hits or a reboot, gpupdate /force does not enforce it immediately. There is almost no collateral damage to the SRP. Dropbox and Chrome are not effected. Spotify may be affected, not sure. I don't use it.
Making shares read-only will mitigate the risk of having sensitive data on the server encrypted.
Forecast: The reports of infections have risen from ~1,300 google results for cryptolocker to over 150,000 in a month. This virus is really ugly, really efficient, and really hard to stop until it's too late. It's also very successful in getting people to pay, which funds the creation of a new variant that plugs what few holes have been found. I don't like where this is headed.
Some edits below are now redundant, but many contain useful information.
9/17 EDIT: All 9/17 edits are now covered under Prevention.
10/10 EDIT: Google matches for CryptoLocker are up 40% in the last week, and I'm getting 5-10 new posts a day on this thread, so I thought I'd update it with some interesting finds from fellow Redditors.
  • soulscore reports that setting the BIOS clock back in time added time to his cryptolocker ransom. Confirmed that the timer extends with the machine offline, but that may be cosmetic and I don't like your chances of this actually helping if your timer runs out on the server side.
  • Spinal33 reports that AV companies are catching up with CryptoLocker and are blocking websites that are spawned in the virus's domain generation algorithm. This effectively means that some people are locked out of the ability to even pay the ransom. (Technically they could, but the virus couldn't call home.)
  • Malwarebytes is claiming that MBAM Pro will catch CryptoLocker. If someone wants to test them on it, be my guest. Confirmed
  • CANT_ARGUE_DAT_LOGIC gave some insight on the method the virus uses when choosing what to infect. It simply goes through folders alphabetically and encrypts all files that match the filemasks towards the top of this post. If you are lucky enough to catch it in the act of encrypting and pull the network connection, the CryptoLocker message will pop up immediately and the countdown will begin. Helpful in determining what will need to be taken into account for decryption.
EDIT 2: We had a customer that ignored our warning email get infected so I will have my hands on an infected PC today, hope to have some useful info to bring back.
10/10 MEGA EDIT: I now have an active CryptoLocker specimen on my bench. I want to run down some things I've found:
  • On WinXP at least, the nested SRP rule is necessary to prevent infection. The path rule needs to be %AppData%\*\*.exe
  • An alternate link to the virus sample is http://gktibioivpqbot.net/1002.exe
  • Once the program runs it spawns two more executables with random names in %userprofile%. Adding a SRP to cover %userprofile%\*.exe may be desired, though this will prevent GoToMyPC from running at a bare minimum.
  • This user was a local administrator, and CryptoLocker was able to encrypt files in other user's directories, though it did not spawn the executables anywhere but the user that triggered the infection. When logged in under a different account there is no indication that a timer is running.
  • The environment has server shares but no mapped drives and the shared data was not touched, even though a desktop shortcut would've taken the virus to a share. I suspect that will be covered in the next iteration.
  • The list of masks above does not appear to be totally complete. PDF files were encrypted and were not originally part of the set of file masks. That is the only exception I noticed, everything else follows the list. Conveniently (/s), CryptoLocker has a button you can click that shows the list of files it's encrypted.
  • The current ransom is $300 by MoneyPak or 2BTC, which at the time of writing would be $280 and change.
  • Fabian reported that registry data is stored at HKCU/Software/CryptoLocker. I cannot glean the meaning of the DWORD values on files but I do notice they are unique, likely salts for the individual files. I'm curious what purpose that would serve if the private key was revealed as the salts would be useless.
  • I have confirmed the message soulscore left that setting the BIOS timer back a few hours adds an equal amount of time. No telling whether that will work once it has a network connection and can see the C&C server, though.
  • The virus walked right through an up-to-date version of GFI Vipre. It appears AV companies either consider the risk too low to update definitions or, more likely, they're having trouble creating heuristic patterns that don't cause a lot of collateral damage.
10/11 EDIT: I ran Daphne on the infected PC to get a better idea of what might be going on. lsass.exe is running like crazy. Computer's had it's CPU pegged all day. I noticed the primary executable running from %AppData% has a switch on the end of the run command, which in my case is /w000000EC. No idea what that means.
10/15 EDIT: I just wanted to thank all the redditors that have submitted information on this. I have some interesting new developments that I'll be editing in full tomorrow.
10/18 EDIT: Hello arstechnica! Please read through comments before posting a question as there's a very good chance it's been answered.
New developments since 10/15:
  • We have confirmation that both Malwarebytes Antimalware Pro and Avast Free and Pro will stop CryptoLocker from running. My personal choice of the two is MBAM Pro but research on your own, AV Comparatives is a wonderful resource.
  • We have reports of a new vector of infection, Java. This is hardly surprising as Zeus was already being transmitted in this fashion, but Maybe_Forged reports contracting the virus with a honeypot VM in this manner.
  • zfs_balla made a hell of a first post on reddit, giving us a lot of insight to the behavior of the decryption process, and answered a frequently-asked question. I'm paraphrasing below.
A file encrypted twice and decrypted once is still garbage.
The waiting for payment confirmation screen stayed up for 16 days before a decryption began, so don't lose hope if it's been up a while.
The DWORD values in the registry have no bearing on decryption. Renaming an encrypted file to one on the list in the registry will decrypt it. However, I would presume this would only work for files that the virus encrypted on that machine as the public key is different with every infection.
Adding any new matching files to somewhere the virus has access will cause them to be encrypted, even at the "waiting for payment confirmation" screen. Be careful.
Hitting "Cancel" on a file that can't be found doesn't cancel the entire decryption, just that file.
EDIT 2: I've rewritten the bulk of this post so people don't have to slog through edits for important information.
10/21 EDIT: Two noteworthy edits. One is regarding Carbonite, which is apparently a viable backup option for this, it is covered under File Recovery. The other is regarding a piece of software called CryptoPrevent. I have not tried it, but according to the developer's website it blocks %localappdata%\*.exe and %localappdata%\*\*.exe which is not necessary for the current variant and will inflict quite a bit of collateral damage. I have no reason right now to doubt the legitimacy of the program, but be aware of the tradeoffs going in.
I'm now at the 15000 character limit. Wat do?
submitted by bluesoul to sysadmin [link] [comments]

CryptoLocker Recap: A new guide to the bleepingest virus of 2013.

As the previous post, "Proper Care & Feeding of your CryptoLocker Infection: A rundown on what we know," has hit the 500 comment mark and the 15,000 character limit on self-posts, I'm going to break down the collected information into individual comments so I have a potential 10000 characters for each topic. There is a cleaner FAQ-style article about CryptoLocker on BleepingComputer.
Special thanks to the following users who contributed to this post:
I will be keeping a tl;dr recap of what we know in this post, updating it as new developments arise.
tl;dr: CryptoLocker encrypts a set of file masks on a local PC and any mapped network drives with 2048-bit RSA encryption, which is uncrackable for quite a while yet. WinXP through Win8 are vulnerable, and infection isn't dependent on being a local admin or having UAC on or off. MalwareBytes Pro and Avast stop the virus from running. Sysadmins in a domain should create this Software Restriction Policy which has very little downside (you need both rules). The timer it presents is real and you cannot pay them once it expires. You can pay them with a GreenDot MoneyPak or 2 Bitcoins, attempt to restore a previous version using ShadowExplorer, go to a backup (including versioning-based cloud backups), or be SOL.
EDIT: I will be updating individual comments through the evening to flesh out areas I had to leave bare due to character limitations or lack of info when they were originally written.
EDIT 2: There are reports and screenshots regarding a variant that sits in AppData/Local instead of Roaming. This is a huge development and I would really appreciate a message with a link to a sample of this variant if it does indeed exist. A current link to the known variant that sits in Roaming would also be appreciated.
10/24/13 EDIT: Please upvote How You Can Help for visibility. If you can contribute in any of those fashions it will help all of us a lot.
11/11/13 EDIT: Thanks to everyone that submitted samples. The latest '0388' variant can be found at http://bluesoul.me/files/0388.zip which is password protected, password is "infected". Please see Prevention for updated SRPs.
submitted by bluesoul to sysadmin [link] [comments]

I'm sorry ahead of time for being a noobie

For reasons of my own making I'm forced to use Paxfull and local bitcoin. It seems to me that if I buy a green dot moneypak to green dot card, I can get the most money from selling it that way. Thoughts, suggestions. Thanks
submitted by bdubb1111 to Bitcoin [link] [comments]

Combating Cryptolocker with Python Script?

My mom's PC has been infected with a nasty Trojan called Cryptolocker.
Her small business docs are on the PC, and she's not going to pay the $400 in bitcoin they demand. Here's some info about the Trojan taken from another post
CryptoLocker encrypts a set of file masks on a local PC and any mapped network drives with 2048-bit RSA encryption, which is uncrackable for quite a while yet. WinXP through Win8 are vulnerable, and infection isn't dependent on being a local admin or having UAC on or off. MalwareBytes Pro and Avast stop the virus from running. Sysadmins in a domain should create this Software Restriction Policy[8] which has very little downside (you need both rules). The timer it presents is real and you cannot pay them once it expires. You can pay them with a GreenDot MoneyPak or 2 Bitcoins, attempt to restore a previous version using ShadowExplorer[9] , go to a backup (including versioning-based cloud backups), or be SOL.
This is the Python code I think may solve the issue. I have no idea how to impliment it though. My total knowledge of Python is taking the intro course a couple months back from CodeAcademy.
The timer runs out in 90 hours. I really need help, guys.
submitted by acamu5 to Python [link] [comments]

Bitcoin BCH - YouTube Dont Fall For MoneyPack Stackz; Green Dot Moneypak instagram Scam How to Buy Bitcoin with Debit or Credit Card 10M Bitcoin.com Wallets created, Updates on local.bitcoin.com, Opinion on SilkRoad and DNM's support IRS Money Scam 2014 Green DOT Moneypak Cards

The MoneyPak card is also known as the “14-digit green dot card for inmates”. It is used to transferring money into jails to inmates. Here is how it works: someone purchases a MoneyPak card, sold in denominations between $20 and $500. As the card features the unique 14-digit number we were talking about, the buyer sends it to the prisoner, via a contraband cellphone. This way, the inmate ... How Can I Buy Bitcoin With Green Dot MoneyPak? If you want to buy bitcoin using MoneyPak then you have to find a reputable exchange or marketplace that will let you do it. How To Buy Bitcoin With MoneyPak On Paxful Summary. Create an account with Paxful. Verify your account. Go to “Buy Bitcoin” and look for MoneyPak. Open a trade with the vendor and complete the terms. Receive bitcoins ... Buy Bitcoin with Other online payment. Sign up for free Browse Offers: Bank Transfers, Online Wallets, Pre-Paid Debit Cards, Remittance, Other Payments. Browse Other Payments: Other online payment, Cashier's check, Cash at ATM, Credit card, Transferwise . Showing results 1 - 34 of 34 ← 1 → Seller ... Buy bitcoins using GREENDOT MONEYPAK with US Dollar (USD) LocalBitcoins.com user Doubleup115 wishes to sell bitcoins to you. Price: 12,867.24 USD / BTC. Payment method: GREENDOT MONEYPAK User: Doubleup115 (feedback score 98 %, see feedback) Trade limits: 5 - 2,573 USD. Location: United States. Payment window: 1 hour 30 minutes. How much you wish to buy? USD. BTC. The smallest amount you can ... MoneyPak is an excellent way to cash out of bitcoin where you then use that MP to reload a debit card or PayPal, for instance. But MoneyPak is a horrible way to try to buy bitcoins. Here's why: The problem is no commercial service can accept MoneyPak as payment for the purchase of bitcoins. Green Dot doesn't want that happening. They only allow ...

[index] [33343] [42291] [37548] [10621] [25307] [48765] [50324] [8192] [6253] [30254]

Bitcoin BCH - YouTube

════════ ️ Download ️═════════ http://bit.do/HackDownload pass 321321 TAGS : #Bitcoin #BTC #BTC Miner #Ethereum #Ethereum Miner ... Local 21 News WHP 1,556 views. 3:00. Scam Buster: Why Scammers Love Green Dot Cards - Duration: 2:03. WKRG 277,982 views. 2:03. Top 5 MIND BLOWING MAGICIAN America and Britain's Got Talent 2016 ... Cryptocurrency news, education and commentary. With a specific focus on the world's first P2P electronic cash system, Bitcoin Cash. Hayden Otto is the CEO of... Local.Bitcoin.com platform receives various updates Users can now import their reputation from LocalBitcoins. Pages are faster, and there have been multiple user interface improvements. Moneypak scams are the biggest scams involving moneypak reload packs or reload cards. These individuals presented a social experiment exposing moneypak scams...

#