New Crypto Variant (original article from 2015)

So, in case you haven’t been following, there have been several variants of the crypto viruses … I have been at the forefront for killing them at my office when our clients get them … so in a nutshell here’s what to watch for with the older variants …

What does it infect?
Essentially, anything it can access through a drive letter (IE, C: D: E: etc…) and has read/write permissions. This includes USB and network drives. As far as files, it will go after most common formats: JPG, GIF, DOC, DOCX, XLS, XLSX, PDF, and so on; some variants have gone after QBW files as well.

What does it do?
When it attacks a drive, it randomly pushes down the folder tree and encrypts files of the type(s) it is programmed to do, leaving behind a useless copy and a love note (usually starting with DECRYPT_something) asking you for money for the decryption code. I don’t know anyone who has paid this NOR do I recommend it. Now for the nasty part … later versions also destroy previous versions and restore points either on completion of the malware encryption or during the process. Why does this matter? You’ll see below.

What are the signs?
Well the first one is random files showing up that start with DECRYPT_blah blah blah … if you see those, shut your computer down ASAP! If you are on a network (IE, you’re at work, have network resources connected like mapped drives) or you have any USB drives connected, REMOVE THEM! Unhook the network cable (looks like a fat phone cable) and/or your USB drives. If you are at home, call an computer shop or if you want to attempt it, try and kill it yourself (bleeping has some good info on it.) If you are at work, let your IT folks know (hope you weren’t doing anything you shouldn’t have been, they are gonna wanna know how this got in the door!) Other signs include (these are more for IT folks): lots od DLLHOST processes using tons of memory, lots of HD access and overhead with little to no app activity, random crashes of Explorer, AV mysteriously being shut off.

What to do if you have it?
I hope you have backups! So, if you have it, either bring the computer to a repair shop or let your IT folks handle it. If you want to do it yourself, fine. Just be aware, if the virus has not encrypted everything yet, the longer the computer is running the more likely you are to lost more data. So, let’s assume its dead now. Good for you! You can attempt to do a system restore to a point PRIOR to your infection (I would go at least 1 day back.) This will restore any damaged Windows files. As for your documents, pictures, etc… you can use Previous Versions to roll them back (again, I’d go back 1 day.) You can get to previous versions from the properties menu of any file/folder. Right click, properties, Previous Versions tab. If you don’t have anything listed (none available) or nothing prior to the infection (this goes for restore points to) then the malware has wiped those. Best thing you can do (again hope you had backups) is wipe/reload the machine to ensure no corruption and restore your files from a backup.

Why am I telling you this now?
A new variant. Does all of the above BUT it drops HELP_ files on the DESKTOP ONLY! It also hijacks your background wallpaper. Still digging into it so not sure what else has changed but one of the primary detection methods was DECRYPT_ which no longer seems to be valid.

Leave a Reply

Your email address will not be published. Required fields are marked *