Encryption Virus (Again!)


Note: To avoid the encryption virus, please don't open attachments on emails that are generic or suspicious in any way. Please back up all your files every week or so and then detach the backup drive; a backup drive that stays plugged in gets encrypted along with everything else. If you do get the virus, please turn off all your computers immediately and call us at Ducktoes: 403-219-3031.

Encryption Virus Strikes Again
Ducktoes has again helped a client (a web design and SEO client, not an IT client) recover their files after they were encrypted by an encryption virus. And again the client paid the ransom. They thought they could not successfully operate their business without decrypting the files, since it would have been exorbitantly expensive or impossible to manually remake them all. They couldn't even remember what all the files were, much less recall the content.

Try Not to Pay
Unless it is absolutely necessary, I don't recommend paying the ransom for decryption. If no one ever paid the ransom, the cyber-criminals would stop creating and spreading the viruses. But in this case, I totally understand.


It is a difficult decision whether or not to pay the ransom for the encryption virus.

How They Got the Virus

The clients got the virus through email. An employee opened an email attachment that purported to be an "invoice" but really contained one of the encryption viruses. Once opened, the encryption virus quickly spread to the client's network and encrypted a hard drive containing all the scheduling and accounting information.


Encryption virus comes as an email attachment.

The Clients Call Ducktoes for Help
Not understanding what was going wrong with their computers, the clients called Ducktoes. They thought they were just missing a program and that because of that the files wouldn't open. Human dynamo and very personable manager Colin Forrest immediately went into action. He went into one of their computers remotely to check the situation out and saw the encrypted files. He recognized the encryption virus since we've dealt with it many times before. The virus had renamed all the Word and Excel files with an .mp3 extension, making them impossible to open. Colin told the clients to turn off their computers immediately. His immediate remote call and quick thinking saved them many files.

At the time I was picking up parts at our wholesale parts supplier.  When Colin called me to tell me what was going on, I immediately drove to the clients’ office.

Emergency Onsite Call
Upon arrival, I turned off the router so the virus would not spread further and assessed the damage. Two computers and the external hard drive were infected. Two others had started to be infected but the files had not been encrypted yet. I brought the computers to the shop and put them in quarantine and we were able to remove the infection. Don't remove the infection before you get the contact info of the cybercriminals so you can pay the ransom if you need to; keep a copy of the ransom note and a few of the encrypted files as well, since a decryption tool, paid or free, needs them. Whenever we remove viruses from an encrypted computer, we have to make sure the infected computers are in quarantine on their own separate network, because the virus spreads quickly.


Where BitNational is located.

Paying the Ransom
To ransom the files I had to take cash to a bitcoin exchange office called BitNATIONAL, located in a Waves Coffee House on 17th Ave SW and 9A St. SW. I was a little nervous because it seemed I was dealing with the underworld. I was. Our long-time onsite tech extraordinaire Raz Rydstrom, one of the smartest people anywhere, met me there since he is familiar with the process. The ransom was $500 US plus the bitcoin office fee. It totaled $770 Canadian. With labour costs, the clients had to pay around $1500 for decryption and virus removal. It is a hefty price for opening an infected file.


Here is the BitNational office.

BitNational Helps Us
BitNATIONAL has a specialized ATM called a BTM which put the digital currency on my smartphone. Two great and friendly guys, Matthew Haddon (owner) and Jason Butler (partner and employee), were working that day. The other owner is Drew Glover. I found them very helpful and immediately felt less nervous.

About BitNational
There are many BTMs throughout Calgary and other Canadian cities. Find one near you.


This is Jason and Matt standing by their BTM machine.

BitNational bought out another bitcoin exchange service called Bit Brains. Matt and Jason believe that bitcoin is a great investment and only starting to take off and will go up in value.


Here’s Jason in a NASA suit demonstrating how bitcoin is going to take off. They don’t have the helmet yet.

BitNational only does the currency exchange to and from bitcoin. They are a legitimate business and not involved in any way with the cyber-criminals. They are entrepreneurs in a pioneer sector.

A Nervous Moment
Back at the shop, we paid the ransom and then discovered that the websites used to communicate with and pay the encryption virus creators had disappeared. This caused a panic moment for me. I had already paid the money and worried I might not be able to retrieve the decryption code since the cybercriminals' websites had vanished. Yet one of my techs, Garett Belkie, was able to install a Tor browser and retrieve the code that way. Then he decrypted all the encrypted files on the computers and hard drive. Our hero. (Another awesome senior tech, our data recovery and virus removal specialist. He can get data off a stone and remove viruses in the twinkling of an eye.)

Here's another blog post about how I personally saved a law office from an encryption virus in 2014, before most computer IT support companies even knew what encryption viruses were. It is a very exciting story. Lol. I was my own hero.


Returning the Computers
Once the files were decrypted, we removed the encryption virus, returned the computers and reinstalled everything on the network. Tech Rey Berse and I did this together. He's a brilliant, soft-spoken senior laptop tech (he specializes in hardware and circuitry, soldering and electronic circuits, etc., as well as software, a total computer genius) and an incredible onsite tech with our onsite IT support too.


Ducktoes can help your unlock your files.

Sometimes We Don’t Need the Ransom
Using guidance learned from Bleeping Computer, we have actually decrypted certain strains of the encryption virus ourselves without paying the ransom.

The Ducktoes Team is More than One Tech
You get more than the skills and knowledge of your one IT support tech at Ducktoes. You may only see one tech, but you are getting much more. You are getting an entire group of techs at your back who are constantly learning and upgrading their computer repair and virus removal skills. We work together as a team to solve and prevent computer problems, so when you hire us, you are getting an entire team of problem solvers and computer experts, all educated at SAIT. We are constantly researching computer issues and learning new skills, encryption virus prevention and removal being one of them. The pool of our combined knowledge and skill makes us a formidable force against viruses and computer problems. Among us we know hardware, including difficult laptop hardware such as soldering motherboards and capacitors, fixing laptop screens, jacks and video and wifi hardware, as well as server issues, networking, virus removal, crisis prevention, backup, data recovery, and anything you throw at us.


You get a team of computer experts at Ducktoes.

Smiles and Laughter
It was really rewarding and fun to return the computers and data all fixed and working well so our clients could return to business as usual. Now that they are IT clients we have them backed up to the cloud with Dropbox so this will never happen again. There were a lot of smiles and laughter while we worked and finished up with them.

Encryption Virus Experts
Ducktoes Computer Services has become an expert on the encryption virus. We're experts at removing it, decrypting the files it locks, and preventing it. If you need help with the encryption viruses, or any virus, we're the best choice in Calgary since we've specialized in virus removal and prevention for years.

If You Need Us
If you need onsite IT support, virus removal, or any computer repair or support at all, call our team at Ducktoes. We'll bring smiles and laughter back to your office or home.


Websites Under Siege from Hackers

Right now websites are under siege from hackers, who want to use your websites for blackhat SEO or to distribute malware.

Blackhat SEO hackers build pages, or edit existing pages, on your website that link to their own or their clients' websites. Sometimes these pages will be about Viagra, other pharmaceuticals, or payday loans. Sometimes they'll be about other subjects, depending on the client's keywords and website. The hacked pages link back to the client's or hacker's websites, giving them a powerful dofollow link to help their SEO. The besieged host website is compromised, however, and can get blacklisted by Google. I've seen host websites so damaged they no longer functioned. In that case, the hackers changed the code so much the website was no longer visible or live, thus defeating their own purpose.
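One way to look for this kind of injection on your own site, added here as an example and not code from the original post: the script parses HTML pages with Python's standard library and flags external dofollow links that are either hidden from visitors (display:none and similar tricks) or sit on a page stuffed with spam keywords. The sample pages, the spam keyword list and the ducktoes.ca domain are constructed or assumed for the example; point it at your own exported pages and your own domain.

```python
"""Flag injected black-hat SEO content in HTML pages.

Added example; not code from the Ducktoes post. The sample pages, the spam
keyword list and the own_domain value are constructed/assumed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: tune these to the spam themes you actually see injected.
SPAM_KEYWORDS = ("viagra", "cialis", "payday loan", "casino")
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}


class LinkCollector(HTMLParser):
    """Collect <a href> targets and whether each one sits inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.links = []   # (href, rel, hidden)
        self.text = []    # page text, used for the keyword check
        self._stack = []  # (tag, hidden?) for currently open elements

    @staticmethod
    def _is_hidden(attrs):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return ("hidden" in attrs or "display:none" in style
                or "visibility:hidden" in style or "left:-9999px" in style)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = self._is_hidden(a) or any(h for _, h in self._stack)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], (a.get("rel") or "").lower(), hidden))
        if tag not in VOID_TAGS:
            self._stack.append((tag, self._is_hidden(a)))

    def handle_endtag(self, tag):
        # Pop to the matching open tag; tolerates a missing close tag in between.
        while self._stack:
            if self._stack.pop()[0] == tag:
                break

    def handle_data(self, data):
        self.text.append(data)


def scan_page(path, html, own_domain):
    """Return (path, href, reason) for each suspicious external dofollow link."""
    parser = LinkCollector()
    parser.feed(html)
    text = " ".join(parser.text).lower()
    keyword_hits = [k for k in SPAM_KEYWORDS if k in text]
    findings = []
    for href, rel, hidden in parser.links:
        host = urlparse(href).netloc.lower()
        if not host or host == own_domain or host.endswith("." + own_domain):
            continue  # internal link
        if "nofollow" in rel:
            continue  # passes no link equity, so it is not what the SEO hacker wants
        reasons = []
        if hidden:
            reasons.append("link hidden from visitors")
        if keyword_hits:
            reasons.append("page contains spam keywords: " + ", ".join(keyword_hits))
        if reasons:
            findings.append((path, href, "; ".join(reasons)))
    return findings


def scan_site(pages, own_domain="ducktoes.ca"):
    """pages: {path: html}. Returns all findings across the site."""
    findings = []
    for path, html in pages.items():
        findings.extend(scan_page(path, html, own_domain))
    return findings


# Constructed sample pages: one clean page, one injected spam page, and one
# clean-looking page with a hidden link block dropped into it.
SAMPLE_PAGES = {
    "index.html": """<html><body><h1>Ducktoes Computer Services</h1>
<p>Computer repair in Calgary. Our techs trained at <a href="https://www.sait.ca/">SAIT</a>.</p>
<a href="/contact">Contact</a></body></html>""",
    "cheap-meds.html": """<html><body><h1>Buy cheap viagra online</h1>
<p>Best payday loan rates. <a href="http://pills.example/buy">Order now</a></p></body></html>""",
    "about.html": """<html><body><p>About our shop.</p>
<div style="display: none"><a href="http://poker.example/">best poker</a></div></body></html>""",
}

if __name__ == "__main__":
    for path, href, reason in scan_site(SAMPLE_PAGES):
        print(f"{path}: {href} -> {reason}")
```

Run it over the rendered pages of your site rather than the raw PHP, since injected pages are often generated by PHP at request time, and compare the paths it reports with the list of indexed pages in Google Search Console: a page Google knows about that you never created is the clearest sign of this attack.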


Malware hackers use the website to distribute their viruses and malware. Unwitting visitors go to the website and get infected from the hacked sites. These infected sites eventually will get flagged by Google. They’ll also get blacklisted and lose their rankings if not fixed quickly.
What you need to do

  • If you have a WordPress site you need to add some security plug-ins. Two good ones are Sucuri and BPS Security. If you are not on WordPress you can still use Sucuri to monitor your site.
  • Also, with WordPress and for all websites, make your FTP login and control panel passwords longer and harder to guess, and don't reuse them anywhere else. On WordPress, I recommend that you change the default login from admin to something else. Don't lose your login credentials or you might not be able to get back into your own site easily.

If you are already infected, Ducktoes has an effective WordPress and website virus removal service to clean up your site. We will remove all the malware and hacked pages. We have done this for many sites already.

If you like this post, please share on your favourite social media site below.


Don't Use MSE Says Microsoft


Microsoft, according to this article by How-To Geek and other articles, is telling everyone not to rely on Microsoft Security Essentials but to use a third-party antivirus instead. No longer concentrating on making a great antivirus, Microsoft has shifted its focus. Now Microsoft shares its antivirus threat information with third-party vendors to help them be more effective.

Since 2009, MSE has not done well on antivirus comparative tests. Virus Bulletin, Dennis Technology Labs, and AV-Comparatives all report that several other antiviruses outperform it.

Use a Third-Party Vendor

According to the article, Holly Stewart, who works at the Microsoft Malware Protection Center as a senior programmer, said “that Microsoft Security Essentials was just a ‘baseline’ that’s designed to ‘always be on the bottom’ of antivirus tests. She said Microsoft sees MSE as a first layer of protection and advises Windows users to use a third-party antivirus instead.”
 

Some Ducktoes Techs Like MSE

At Ducktoes, some techs like Microsoft Security Essentials since it has such a low footprint, which means that, unlike many other antiviruses, it doesn't hog resources and slow computers down. They also like its easy-to-use interface. However, due to the above information from Microsoft, we will no longer put MSE on client computers unless the clients ask for it after being informed of its relative lack of effectiveness. The article by How-To Geek says that MSE is fine for techs and others who know what they are doing. The How-To Geek author says, "Now, if you're a geek like we are, MSE and Windows Defender are very usable. If you have good security practices and know what you're doing, you can manage just fine with this lightweight option. But average Windows users don't always follow proper security practices and should use a strong antivirus that does well in tests — as Microsoft themselves now recommend."


What Should You Use?

Ducktoes likes and sells Kaspersky and AVG. We've been installing AVG cloud solutions on business client computers with great results. We also recommend and sell Malwarebytes Pro, which I have on my home computer. I use the paid version of Malwarebytes with free AVG (free only for home use). The two work very well together.


Ducktoes Developing Anti-Virus Cocktail

The Ducktoes antivirus techs are developing an antivirus cocktail to sell to our clients that will combine a few programs and browser add-ons to make a computer much more virus resistant.

Stay tuned and soon I'll post the details of this new service.


Emergency Weekend Virus Removal at Birthday Party

Yesterday, like most Saturdays, I worked at the Ducktoes Computer Repair shop. It was still bitterly cold out, so I thought it would be a slow day. It turned out not so slow after all. We got in a few computers and answered a lot of phone calls.


A man visiting from out of town called and said he had a virus on his laptop that had locked his screen. The virus interface, which started as soon as he logged into Windows, wouldn't let him do anything else but stay on its page, the virus's Interpol version, see below. There was no way to get around it. The text on the page said it was placed there by Interpol for crimes committed on my client's computer. To unlock it, he was supposed to buy a gift card from Shoppers or Canadian Tire and send the code to the "police." Then they would unlock his screen. My client didn't buy the card, he knew it was a scam, but he had only overnight before he had to fly out of YYC today for a business meeting.

Screenshot of Interpol Virus

At the computer repair shop, we've fixed the Cybercrime virus many times, so I agreed to do it quickly. Usually we boot into safe mode with command prompt and then navigate to the flash drive from there. On the flash drive we have our most potent virus tools. Yet the Cybercrime virus had changed, as it frequently does. When I tried to boot into safe mode with command prompt, the laptop rebooted immediately. Uh-oh, I said to myself. I had to think of a new solution asap. I tried Kaspersky Rescue Disk, but it wouldn't run for some reason, and Avast Rescue Disk, but its definitions were too old to catch the virus.

Also last night was our extended family party for my son’s 18th birthday. We were having the family over to celebrate with take-out Indian food, presents, and cake. I was under pressure.


What I did: I removed the hard drive, putting the tiny hard drive screws in a safe place, then put the drive in a 2.5" enclosure. Then I connected it to my laptop and ran Malwarebytes Pro and Avast on it. They were not finished before the birthday party began, so I let the scans run during the party. They both caught many infections. Between the meal, which was delicious by the way, and opening presents, I put the hard drive back into the laptop and it booted without the fraudulent Interpol page coming up on the desktop. Hurray!! The computer was still infected, but now I had cracked the virus enough to really work on it. I ran ComboFix, which caught many infections in System32 deep within Windows, and many other tools until the scans started running clean, and then I started speeding it up. I knew it was almost fixed by the time the party was over. I wanted to dance a jig. I do love the challenge of removing a difficult virus.

This morning I'm speeding the laptop up and repairing the registry before giving it back to my client just in time for him to catch his flight.
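A check that goes with the pull-the-drive approach above, added here as an example and not code from the original post: lock screens of this kind usually start themselves at logon through the Winlogon Shell or Userinit values or a Run key. That is an assumption on my part; the post does not say how this particular sample persisted. The script parses a .reg export, flags Winlogon values that differ from the Windows defaults, and flags Run entries launching from user-writable folders. The .reg text, the default values and the suspicious-folder list are constructed or assumed for the example.

```python
"""Audit logon autostart entries from a .reg export for lock-screen malware.

Added example; not from the Ducktoes post. Assumes the lock screen starts at
logon through Winlogon's Shell/Userinit values or a Run key, which is how such
screens commonly persist; the post does not say how this one did. The .reg
text, the default values and the suspicious-directory list are constructed or
assumed for the example.
"""
import re

# Windows defaults (compared case-insensitively). Assumption: stock Windows install.
EXPECTED_WINLOGON = {
    "Shell": "explorer.exe",
    "Userinit": r"c:\windows\system32\userinit.exe,",
}
# Legitimate autostarts rarely live here; malware dropped by a user account usually does.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    String data has .reg escaping undone; dword:/hex: data is kept as raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
        keys[current][name] = data
    return keys


def audit_autostart(keys):
    """Return (key, value_name, data, reason) for every suspicious logon entry.

    Keys are matched by suffix, so a hive loaded offline under e.g. HKLM\\offline
    (reg load) is audited the same way as a live export.
    """
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith(r"\microsoft\windows nt\currentversion\winlogon"):
            for name, expected in EXPECTED_WINLOGON.items():
                actual = values.get(name)
                if actual is not None and actual.lower() != expected:
                    findings.append((path, name, actual,
                                     "Winlogon value differs from the Windows default"))
        elif low.endswith((r"\microsoft\windows\currentversion\run",
                           r"\microsoft\windows\currentversion\runonce")):
            for name, cmd in values.items():
                if any(d in cmd.lower() for d in SUSPICIOUS_DIRS):
                    findings.append((path, name, cmd,
                                     "autostart launched from a user-writable directory"))
    return findings


# Constructed export: a stock HKLM Winlogon, a per-user Shell hijack, and a Run
# entry named like a Windows binary but pointing into the Temp folder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\guest\\AppData\\Roaming\\skype.dat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"ctfmon"="C:\\Users\\guest\\AppData\\Local\\Temp\\ctfmon.exe"
"""

if __name__ == "__main__":
    for key, name, data, reason in audit_autostart(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\n  {name} = {data}\n  -> {reason}")
```

With the infected drive in the enclosure on a clean Windows machine, the hives can be loaded and exported from an administrator command prompt without booting the infected system: `reg load HKLM\offline E:\Windows\System32\config\SOFTWARE` followed by `reg export HKLM\offline\Microsoft out.reg`, and the same with the user's `NTUSER.DAT` for the HKCU Run and Winlogon keys (drive letter and output name are assumptions). Unload with `reg unload HKLM\offline` when done. The suffix matching in `audit_autostart` is what lets the offline key names work unchanged.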