Bit of fun with KEYHolder (Crypto Malware)

05/12/2014

If you haven’t heard about the various crypto malware going around, I don’t know where you’ve been hiding. I don’t even like watching the news, but it’s been blasted all over.

Essentially the malware gets onto a person's machine in various ways (email attachments, compromised websites, USB sticks, etc.) and starts looking for files on the local machine and on any network drive the user can write to. Each file it finds is encrypted under a public key whose matching private key never leaves the attacker's 'secure', 'hidden' servers, so you cannot decrypt your files without paying the 'ransom'. As anyone in IT knows, if you don't have a backup, good luck to you: there's more than one way to lose (access to) your files.

Paying the ransom also apparently isn't a foolproof way of getting your files back, so basically: delete the encrypted files and recover from backup.
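A practical consequence of the above: a wholesale-encrypted file is indistinguishable from random bytes and has lost its format's magic header, which is exactly why the first symptom is usually an application refusing to open a document. The following is an added triage script, not code from the original post, that walks a share tree, flags document files whose contents look like ciphertext (high Shannon entropy, missing magic bytes), lists ransom notes, and counts hits per top-level folder so you can see which user share was touched. The extension list, the magic-byte table, the 7.5 bits/byte threshold and the "decrypt" keyword for note file names are all assumptions of this example; the sample tree is constructed in code and is not real data.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: the document types worth checking (the post mentions MYOB company
# files and Excel). Extend for your environment.
DOC_EXTENSIONS = {".myo", ".xls", ".xlsx", ".doc", ".docx", ".pdf"}

# Assumption: expected leading bytes for formats that have a stable magic header.
# Modern Office files are ZIP containers ("PK"), legacy ones are OLE2.
MAGIC = {
    ".docx": b"PK", ".xlsx": b"PK",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF",
}

# Assumption: ransom notes are named something like "decrypt your files.html";
# match loosely on the word "decrypt" in the file name.
NOTE_KEYWORD = "decrypt"

ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits near 8.0, prose far below
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """Triage signal, not proof: a known magic header means the file is intact;
    otherwise a near-random head is treated as ciphertext. Compressed formats
    with no entry in MAGIC (e.g. .myo) are judged on entropy alone."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    magic = MAGIC.get(path.suffix.lower())
    if magic and head.startswith(magic):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage(root: Path) -> dict:
    """Walk `root`; return relative paths of suspected-encrypted documents and
    ransom notes, plus a count of encrypted files per top-level folder (share)."""
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if NOTE_KEYWORD in name.lower():
                notes.append(rel)
            elif path.suffix.lower() in DOC_EXTENSIONS and looks_encrypted(path):
                encrypted.append(rel)
    encrypted.sort()
    notes.sort()
    per_share = Counter(rel.split("/", 1)[0] if "/" in rel else "." for rel in encrypted)
    return {"encrypted": encrypted, "notes": notes, "per_share": dict(per_share)}


def build_sample_tree(root: Path) -> None:
    """Constructed sample layout (not real data): alice's share is untouched,
    bob's share holds two encrypted documents and a ransom note."""
    (root / "alice").mkdir(parents=True)
    (root / "bob").mkdir(parents=True)
    (root / "alice" / "report.docx").write_bytes(b"PK\x03\x04" + b"quarterly report " * 200)
    (root / "alice" / "letter.doc").write_bytes(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Dear customer, " * 200)
    # Every byte value equally often: entropy 8.0, no recognisable header.
    (root / "bob" / "company.myo").write_bytes(bytes(range(256)) * 16)
    (root / "bob" / "budget.xlsx").write_bytes(bytes(range(255, -1, -1)) * 16)
    (root / "bob" / "decrypt your files.html").write_text("<html>your files have been encrypted</html>")


def demo() -> dict:
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against a mounted share instead of the sample tree by calling `triage(Path(r"\\server\users"))`; the `per_share` counts point at the user folder that was written to, which is the same "which user share got hit" reasoning used to find the infected PC, and the list of suspected files is what you move aside before restoring from backup.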

So to my story…

It starts with a call about a MYOB file saying it's not a valid company file. Tried other older MYO files; same issue. Then I start seeing this "decrypt your files.html" or something of the sort. Tried to open an Excel file, error…and so on. Immediately I start feeling sad.

In this circumstance, I was very happy with myself that I had been focussing a lot of attention on upgrading client backups to a real solution – ShadowProtect, NAS box, and USB drives or offsite backup rather than the old school NTBackup with tapes. I scanned all machines for malware just in case, but I had determined the PC at fault fairly quickly by use of user shares and removed various bits of unwanted programs and malware (I used MBAM, NPE, AdwCleaner and ComboFix; yes, each found different things). I then proceeded to recreate the user profile on the local machine, deleted the encrypted files (well, actually moved them first), mounted the backup volume and copied over last night's backup of the files.

The antivirus was up to date, and given it’s a paid business version, I’m kind of annoyed, but I understand how hard it is to keep up with new variants.

All this while sick and on my own in the office, I might add, with other (thankfully unrelated) phone calls pouring in, and other outside-of-work work to be done. And here I was thinking it'd be a quiet, easy day and then party tonight.
