cryptowall ransomware and dropbox

Posted on Sat Jun 07, 2014 7:36 pm

A couple of days ago I got a call from someone who had "something odd" happening on his computer. Cutting a long story short, he'd been hit by ransomware and all his files were encrypted. Not a problem, I thought, all the stuff that really matters is in Dropbox, the PC can just get nuked.

However, while Dropbox allows you to restore back to previous versions, there isn't a way to restore everything back to how it was at a specific time, and going through each file one at a time isn't an option when you're talking about 70,000+ files!

Fortunately this exists:
https://github.com/clark800/dropbox-restore
Just give it a folder in Dropbox and a date and it will delete any files created since then and roll back all files to how they were, perfect!

You need Python 2.7 and pip installed.

Then use pip to install the Dropbox API (pip install dropbox)

Now comes the tricky bit. Because this isn't an official app and many other people seem to have needed to use it, you have to create your own API key to run the script. To do this you have to go here: https://www.dropbox.com/developers/apps (log in)
Click the "new app" button and select these options:
API App => files and datastores => Can the app be limited... No => All file types => enter a name for the app
On the next page you get the app key and secret that you paste into the restore.py script (they go in right at the top; it's really obvious where).

The first time you use the script you have to visit a URL in a browser to give the app access to your Dropbox. That done, it chugs away doing its thing.

I suppose these ransomware things really underline the need to have some backup in place, and that relying on Dropbox for this job does work but isn't ideal, at least not until they add something native to do this.

Hope someone finds this useful.
Fernando!
Your mother ate my dog!
cheesyking
Minister of Gerbil Affairs
 
Posts: 2268
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)
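
The rollback described in the post above (return every file to its state at a given date and delete files created after it) comes down to a per-file decision over revision history. The following is an added example, not code from dropbox-restore or from the original post: it plans the actions over constructed revision metadata and makes no Dropbox API calls; the tuple layout, paths, revision ids and the `plan_restore` and `ts` names are assumptions.

```python
from datetime import datetime, timezone

def ts(text):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

def plan_restore(history, cutoff):
    """Plan a point-in-time rollback: {path: (action, rev_id)}.
    history maps path -> [(rev_id, modified, is_deleted), ...] (a layout assumed
    for this example, not the Dropbox API's response format).
    """
    plan = {}
    for path, revs in history.items():
        revs = sorted(revs, key=lambda r: r[1])
        current = revs[-1]
        # The newest revision at or before the cutoff is the state to return to.
        before = [r for r in revs if r[1] <= cutoff]
        target = before[-1] if before else None
        if target is None or target[2]:
            # The file did not exist at the cutoff: remove it unless already gone.
            plan[path] = ("keep", None) if current[2] else ("delete", None)
        elif target[0] == current[0]:
            plan[path] = ("keep", current[0])    # untouched since the cutoff
        else:
            plan[path] = ("restore", target[0])  # overwritten or deleted later
    return plan

# Constructed sample data: an infection on 2014-06-05 at about 14:00 UTC.
CUTOFF = ts("2014-06-05 00:00")
SAMPLE_HISTORY = {
    # Overwritten with an encrypted copy after the cutoff.
    "/docs/report.doc": [("r1", ts("2014-05-01 09:00"), False),
                         ("r2", ts("2014-06-05 14:02"), False)],
    # Created after the cutoff (for example a ransom note).
    "/docs/note.txt": [("r3", ts("2014-06-05 14:03"), False)],
    # Not touched since before the cutoff.
    "/docs/old.txt": [("r4", ts("2014-04-01 10:00"), False)],
    # Deleted by the user before the cutoff, then recreated afterwards.
    "/docs/gone.txt": [("r5", ts("2014-04-02 10:00"), False),
                       ("r6", ts("2014-05-02 10:00"), True),
                       ("r7", ts("2014-06-05 14:04"), False)],
    # Deleted after the cutoff: the deletion itself must be undone.
    "/docs/removed.doc": [("r8", ts("2014-04-03 10:00"), False),
                          ("r9", ts("2014-06-05 14:05"), True)],
}

if __name__ == "__main__":
    for path, step in sorted(plan_restore(SAMPLE_HISTORY, CUTOFF).items()):
        print(path, *step)
```

The plan is only as good as the cutoff: it has to fall before the first encrypted revision, otherwise encrypted copies count as the state to return to.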

Re: cryptowall ransomware and dropbox

Posted on Sat Jun 07, 2014 8:04 pm

Dropping an anchor here for future reference. Thanks!
BIF
Gerbil Jedi
Gold subscriber
 
 
Posts: 1573
Joined: Tue May 25, 2004 7:41 pm

Re: cryptowall ransomware and dropbox

Posted on Sun Jun 08, 2014 2:19 pm

Good find! Bookmarking this for later reference.
Hz so good
Gerbil Elite
 
Posts: 633
Joined: Wed Dec 04, 2013 5:08 pm

Re: cryptowall ransomware and dropbox

Posted on Sun Jun 08, 2014 2:42 pm

I'd say it is a very strong argument for having *some* sort of backup (whether Dropbox or something else) that does not reside on the same machine, and is not accessible as a normal folder share. Ideally it should be in an off-site location, to protect against fire/flood/theft/etc.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37738
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: cryptowall ransomware and dropbox

Posted on Sun Jun 08, 2014 3:11 pm

just brew it! wrote: I'd say it is a very strong argument for having *some* sort of backup (whether Dropbox or something else) that does not reside on the same machine, and is not accessible as a normal folder share. Ideally it should be in an off-site location, to protect against fire/flood/theft/etc.

Yup. That was something beat into my brain back in 1999, when I was getting my MCSE+I for NT4 and my CNE for Netware 4.x, and 5.x, and it still holds true for home users. At a minimum, get a NAS to back up all your critical data. If it's business related (or data that's irreplaceable), you really need 3 offsite backups, because you never know if a fire/tornado/hurricane/earthquake is going to trash your location and equipment.


*EDIT*

I can't count the number of times I've had to tell customers that their data was irretrievable and they lost all their photos, music, financial records, etc. In each case, it was a harsh reality lesson, and I felt terrible having to break the bad news to them (some broke down sobbing). :(

Being proactive is the only proper course of action.
Hz so good
Gerbil Elite
 
Posts: 633
Joined: Wed Dec 04, 2013 5:08 pm

Re: cryptowall ransomware and dropbox

Posted on Sun Jun 08, 2014 3:28 pm

I've played around with backup a lot.

After experimenting with a bunch of various setups - RAID1, rsync, git, etc, I finally settled on just outsourcing it to a cloud backup provider. All my computers sync to this one server box in my closet which then backs up to the cloud. Restore is possible from any previous version.

I personally use CrashPlan - they have an unlimited data backup plan for something like $5/mo. But there are several other very similar providers. For the price, it is well worth it.

Dropbox is very good if you really want to be able to access and share your files on the cloud. But for pure backup, I've found it to be a bit cumbersome and very expensive.

GoogleDrive is a lot cheaper. You can get 1TB for $10.
LASR
Gerbil
 
Posts: 61
Joined: Fri Jan 10, 2014 9:35 pm

Re: cryptowall ransomware and dropbox

Posted on Mon Jun 09, 2014 7:22 am

Lately I've tended to set it up so backups are created on a network share with read/write access, then are later moved to somewhere that's read-only to the machine being backed up. That way it's impossible for ransomware to destroy anything but the in-progress backup.
Desktop: FX-8350 | 32 GB | XFX Radeon 6950 | Windows 7 x64
Laptop: i7 740QM | 12 GB | Mobility Radeon 5850 | Windows 8.1.1.1.1 x64
SuperSpy
Gerbil Jedi
Gold subscriber
 
 
Posts: 1593
Joined: Thu Sep 12, 2002 9:34 pm
Location: TR Forums

Re: cryptowall ransomware and dropbox

Posted on Mon Jun 09, 2014 7:41 am

I set this up yesterday as a test but it works rather well, a bit clunky, but it works. I'll use this for now. I may at some point switch to a cloud based solution.

Oh and ransomware can DIAF. I hope to god I never see it on my wife's or parents' computers but the chances that I will are probably 70/30. :?
(\_/)
(O.o)
(''')(''')
Wounded Warrior Project
Watch out for evil Terra-Tron; He Does not like you!
tanker27
Darth Gerbil
 
Posts: 7237
Joined: Tue Feb 26, 2002 7:00 pm
Location: Georgia

Re: cryptowall ransomware and dropbox

Posted on Mon Jun 09, 2014 7:45 am

I started taking backups a little more seriously when I lost a USB thumb drive with years' worth of documents, source code, images, etc. on it. But even then I was only backing up a local 1TB hard drive in a USB enclosure. It wasn't until I heard about the Cryptolocker ransomware that I decided to start using Crashplan (I actually had gotten a free year with them the year before, but hadn't used it until a few months ago). Between that and Dropbox, which is also backed up by Crashplan, I feel a lot safer knowing that most of my important stuff, I think, is backed up remotely. Though I still haven't figured out what to do with my music library, which is like 30+ GB in size.
Under Construction Forever~~~
Kurotetsu
Gerbil Elite
 
Posts: 525
Joined: Sun Dec 09, 2007 12:13 pm

Re: cryptowall ransomware and dropbox

Posted on Mon Jun 09, 2014 7:56 am

Kurotetsu wrote: I started taking backups a little more seriously when I lost a USB thumb drive with years' worth of documents, source code, images, etc. on it. But even then I was only backing up a local 1TB hard drive in a USB enclosure. It wasn't until I heard about the Cryptolocker ransomware that I decided to start using Crashplan (I actually had gotten a free year with them the year before, but hadn't used it until a few months ago). Between that and Dropbox, which is also backed up by Crashplan, I feel a lot safer knowing that most of my important stuff, I think, is backed up remotely. Though I still haven't figured out what to do with my music library, which is like 30+ GB in size.


For your music library, just get a NAS, back it up... disconnect it, and put it into the emergency bin. Cheap insurance.
The Cryptolocker ransomware is a frightening prospect for folks who are not technology savvy, like older parents. Entirely uncool.
liquidsquid
Minister of Gerbil Affairs
 
Posts: 2447
Joined: Wed May 29, 2002 10:49 am
Location: New York

Re: cryptowall ransomware and dropbox

Posted on Mon Jun 09, 2014 9:07 am

I just did a little bit of reading up on ransomware -- scary stuff. Judging from the amount of money they're pulling in, you can be sure this is going to be the malware of the future.
i5 2500k - P67 - GTX660 - 840 Pro 256GB - Xonar Essence STX - Senn HD595's
The Egg
Gerbil XP
 
Posts: 478
Joined: Sun Apr 06, 2008 4:46 pm

Re: cryptowall ransomware and dropbox

Posted on Mon Jun 09, 2014 10:47 pm

Ransomware is like Nigerian mail scams, the cost is low enough that it only takes a small percentage of goobers paying them to make it very profitable. It helps that Eastern Europe has a dangerous mix of low cost of living, few skilled-labor opportunities, and a very large military crypto skills base.
NovusBogus
Gerbil Elite
 
Posts: 520
Joined: Sun Jan 06, 2013 12:37 am

Re: cryptowall ransomware and dropbox

Posted on Tue Jun 10, 2014 11:53 am

Paying for it is often the only chance you have unless you have recent enough backups that it doesn't matter or you are willing to take the hassle of reinstalling everything, which can take hours. That's what makes it so evil. Basically, Nigeria mails are loudmouths that shout bad things but unless you actually are stupid enough to buy something, basically harmless, cryptowall are hostage takers, literally.
Aphasia
Grand Gerbil Poohbah
 
Posts: 3455
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: cryptowall ransomware and dropbox

Posted on Tue Jun 10, 2014 4:32 pm

Aphasia wrote: Paying for it is often the only chance you have unless you have recent enough backups that it doesn't matter or you are willing to take the hassle of reinstalling everything, which can take hours. That's what makes it so evil. Basically, Nigeria mails are loudmouths that shout bad things but unless you actually are stupid enough to buy something, basically harmless, cryptowall are hostage takers, literally.


Or you get lucky, and use the HeartBleed vulnerability to counterattack the CnC server to obtain your key. I can't find the article right now, but one victim got lucky during the counterattack and found that their key had been pre-loaded to the server during the 24hr ransom window.
Hz so good
Gerbil Elite
 
Posts: 633
Joined: Wed Dec 04, 2013 5:08 pm

Re: cryptowall ransomware and dropbox

Posted on Wed Jun 11, 2014 12:20 pm

Hz so good wrote: Or you get lucky, and use the HeartBleed vulnerability to counterattack the CnC server to obtain your key. I can't find the article right now, but one victim got lucky during the counterattack and found that their key had been pre-loaded to the server during the 24hr ransom window.

Yeah, I used that exact story as an example in another thread here not too long ago. I was at the Checkpoint CPX in Barcelona where one of the guys involved in solving it was a speaker and of course, used it as a great example of what goes on for security researchers... :D
Aphasia
Grand Gerbil Poohbah
 
Posts: 3455
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: cryptowall ransomware and dropbox

Posted on Wed Jun 11, 2014 3:16 pm

Aphasia wrote: Yeah, I used that exact story as an example in another thread here not too long ago. I was at the Checkpoint CPX in Barcelona where one of the guys involved in solving it was a speaker and of course, used it as a great example of what goes on for security researchers... :D

That's awesome! I never get to go to the fun conferences.

No, TechNet and Brainshare don't count. Well, except that one Novell conference where they had a human-sized gyroscope. Good thing they kept a trash can nearby.
Hz so good
Gerbil Elite
 
Posts: 633
Joined: Wed Dec 04, 2013 5:08 pm

