Title: Wanna Cry new ? please help (cryptolocker Petya)
Post by: farsky on June 27, 2017, 12:14:49 PM

Hello, guys! Please help in fighting the virus. At the wife's work, the server and other computers picked up a virus similar to WannaCry (all except the wife's computer, on which I installed Comodo). The server is a laptop without antivirus and firewall. All important information is stored on the server. https://s24.postimg.org/r98r5x6v9/image.png (https://postimg.org/image/47s60677l/) Bitcoin address and email: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX wowsmith123456@posteo.net

Title: Re: Wanna Cry new ? please help
Post by: EXtremeAEX on June 27, 2017, 12:24:51 PM

Oh my, that seems really serious. Is it just that the computers at your work are infected, or is this virus spreading throughout the country? We may not be able to help much in this but I think this is a serious issue and I suggest you report this crime for investigation. Depending on your country, you should call and ask for help/file a complaint. :-X :-\ Is there a time limit to this? ???

Title: Re: Wanna Cry new ? please help
Post by: GreenBits on June 27, 2017, 12:27:51 PM

Quote: Hello, guys! Please help in fighting the virus. At the wife's work, the server and other computers picked up a virus similar to WannaCry (all except the wife's computer, on which I installed Comodo). The server is a laptop without antivirus and firewall. All important information is stored on the server. https://s24.postimg.org/r98r5x6v9/image.png (https://postimg.org/image/47s60677l/) Bitcoin address and email: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX wowsmith123456@posteo.net

Shit! Sorry to hear this man. Ransomware has been around for a while now, this may not be a WC variant as much as a predecessor. Pray it's an old one; some of the encryption has been broken on the oldest ones, and there may be a utility to help you recover your data. If it's a business, they need to report this to the authorities, for the sake of investigation and liability. As for the terminals, it is unfortunate, but the data is most likely gone. Really hoping they were using backups. What are the IT guys saying, or, no ITs at this particular job? (May be a small company, but if they are all using terminals, somebody is fixing them).

Title: Re: Wanna Cry new ? please help
Post by: farsky on June 27, 2017, 01:00:13 PM

Time constraints do not seem to exist. Yes, it's a business, but it's so small a company that they do not have an IT specialist. Rare copies are rarely made. I told them for a long time to buy a normal server and install a firewall. Here it is the price of carelessness. Work completely stopped, all in shock.

Title: Re: Wanna Cry new ? please help
Post by: Joel_Jantsen on June 27, 2017, 01:08:33 PM

Quote: I told them for a long time to buy a normal server and install a firewall.

You need to hurry up and seek professional help.

Quote: Here it is the price of carelessness. Work completely stopped, all in shock.

Have you tried contacting your anti-virus customer support? Approached any computer security professionals yet? You can also get in touch with the dude who mitigated the last major ransomware attack. Look up his information, you can find him on Twitter.

Title: Re: Wanna Cry new ? please help
Post by: NeuroticFish on June 27, 2017, 01:16:15 PM

Quote: Time constraints do not seem to exist. Yes, it's a business, but it's so small a company that they do not have an IT specialist.

They may have to hire a specialist; paying the ransom may not give their data back. Make a copy/clone of the HDDs, in case anything goes wrong it'll reduce the risk to get the data deleted. Research on ransomware / virus related forums, some older variants already have recipes to decrypt/recover the data. All this needs some knowledge and a lot of time to research and try.

Title: Re: Wanna Cry new ? please help
Post by: YuginKadoya on June 27, 2017, 01:30:57 PM

Quote: Hello, guys! Please help in fighting the virus. At the wife's work, the server and other computers picked up a virus similar to WannaCry (all except the wife's computer, on which I installed Comodo). The server is a laptop without antivirus and firewall. All important information is stored on the server. https://s24.postimg.org/r98r5x6v9/image.png (https://postimg.org/image/47s60677l/) Bitcoin address and email: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX wowsmith123456@posteo.net

Quote: Shit! Sorry to hear this man. Ransomware has been around for a while now, this may not be a WC variant as much as a predecessor. Pray it's an old one; some of the encryption has been broken on the oldest ones, and there may be a utility to help you recover your data. If it's a business, they need to report this to the authorities, for the sake of investigation and liability. As for the terminals, it is unfortunate, but the data is most likely gone. Really hoping they were using backups. What are the IT guys saying, or, no ITs at this particular job? (May be a small company, but if they are all using terminals, somebody is fixing them).

Yup this ransomware thing is kinda spreading and victimizing companies that don't have proper securities or sometimes victimizing home desktops by locking and spreading their bitcoin wallet so the people would rather put up the sum that they want, well I think the best hackers can really debunk it but I don't know where to find one so good luck with that.

Title: Re: Wanna Cry new ? please help
Post by: EXtremeAEX on June 27, 2017, 02:05:53 PM

Yes it looks like you are not the only one. Now I am starting to feel afraid too... https://pbs.twimg.com/media/DDVEfmzVoAAImWa.jpg:large ... Not sure whether I wanna laugh or I wanna cry... So it seems like this is another ransomware attack, different soup, same ingredients, most likely a similar virus. Anyone have advice on what to do? (E.g. Backup files...) The Twitter page here is having a commotion there right now. https://twitter.com/hashtag/petya The best thing to do will be to wait for an official national announcement as you are not the only one. Hopefully someone will be able to solve this again.

Title: Re: Wanna Cry new ? please help
Post by: eternalgloom on June 27, 2017, 02:07:12 PM

Do you remember from what file you got the virus? Anything you've opened that you shouldn't have? Possibly some attachment from an e-mail or something? If you're lucky, there are decryption keys available for that type of ransomware, but I can't identify it from that screenshot.

Title: Re: Wanna Cry new ? please help
Post by: cellard on June 27, 2017, 02:22:05 PM

Quote: Hello, guys! Please help in fighting the virus. At the wife's work, the server and other computers picked up a virus similar to WannaCry (all except the wife's computer, on which I installed Comodo). The server is a laptop without antivirus and firewall. All important information is stored on the server. https://s24.postimg.org/r98r5x6v9/image.png (https://postimg.org/image/47s60677l/) Bitcoin address and email: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX wowsmith123456@posteo.net

Oh boy. Are you from eastern Europe? It looks like a WannaCry variant is spreading fast in parts of Russia and Ukraine: http://www.financemagnates.com/cryptocurrency/news/cyber-security-experts-say-bitcoin-ransomware-behind-attack-russia-ukraine/ Notice how the picture looks like yours and this other Russian guy here:

Quote: Yes it looks like you are not the only one. Now I am starting to feel afraid too... https://pbs.twimg.com/media/DDVEfmzVoAAImWa.jpg:large ... Not sure whether I wanna laugh or I wanna cry... So it seems like this is another ransomware attack, different soup, same ingredients, most likely a similar virus. Anyone have advice on what to do? (E.g. Backup files...) The Twitter page here is having a commotion there right now. https://twitter.com/hashtag/petya The best thing to do will be to wait for an official national announcement as you are not the only one. Hopefully someone will be able to solve this again.

A good reminder to back up your data immediately, starting with your bitcoin private keys. In fact, I'm going to do that right now.

Title: Re: Wanna Cry new ? please help
Post by: EXtremeAEX on June 27, 2017, 02:53:14 PM

Dude, what a beast. They already got their first Bitcoin from 8 victims. https://image.prntscr.com/image/c-psbM-RRXub1B9MTZUIZg.png https://bitref.com/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX I don't know if after paying it actually works, I mean the virus is probably still there, and can attack any time. :-\ Nothing is safe on the internet... :(

Quote: Two types of people who earn money: One makes antivirus, the other makes a virus

Title: Re: Wanna Cry new ? please help
Post by: Kprawn on June 27, 2017, 03:13:33 PM

Let this be a warning to everyone to make regular backups of ALL their data. DO NOT simply overwrite your previous backups with new backups, because you may have to go back a few to get the data without the ransomware attached. I keep several sets of backups on DVDs of my most precious files. I would not use external hard drives to back up my data, because these can be infected too. Large backups can be split over several DVDs. ;)

Title: Re: Wanna Cry new ? please help
Post by: eternalgloom on June 27, 2017, 03:19:02 PM

Yeah looks like this is another WannaCry variant, called 'Petya', it's a pretty big story on most mainstream news websites. https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe https://www.bleepingcomputer.com/news/security/wannacry-d-j-vu-petya-ransomware-outbreak-wreaking-havoc-across-the-globe/ Certainly don't pay, it's not likely that your files will get released.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: btctousd81 on June 27, 2017, 04:13:24 PM

Does it actually encrypt the files or just threaten as a fake warning? I have never come in contact with an infected machine. Try removing the HDD and using it on another machine as a secondary, even better use it on a Linux machine. If the files are not already encrypted then get a backup and do a full system reinstall.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Wendigo on June 27, 2017, 04:39:16 PM

Quote: The server is a laptop without antivirus and firewall. All important information is stored on the server.

The firm should pay up the $300 ransom and hopefully they will get their data back. Then they should hire an IT guy who is able to set up a server that is not residing inside a laptop in the first place.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: BreathOfZen on June 27, 2017, 04:53:28 PM

Dumb question: if the attacker's address is known couldn't their plans be ruined by dusting the address?

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Kaller on June 27, 2017, 04:57:00 PM

They just send it there and then hide the sends under another address. Most likely a mixer service address so as not to be detected where they eventually end up.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Welshmaiden on June 27, 2017, 06:18:29 PM

Oh no this is terrible. I hope this doesn't cause problems for bitcoin. It's on mainstream news here in the UK. But I think mostly Ukraine and Russia affected.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: foodstamps on June 27, 2017, 06:21:18 PM

It seems pretty immature they cannot make unique address for each infection right? It would be much easier that way, then no communication would be necessary.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: AleSergio on June 27, 2017, 06:36:56 PM

I think it is useless to try to do something to fight with this virus. Reinstall your Windows; if it doesn't work then you can try to do something with your BIOS system, but all the data will be definitely lost :P Unfortunately bitcoin transactions are invisible and fraud couldn't be found =)

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: BreathOfZen on June 27, 2017, 06:38:33 PM

Quote: It seems pretty immature they cannot make unique address for each infection right? It would be much easier that way, then no communication would be necessary.

I would imagine having the infection calling back to a central server to get keys would be a big weakness, and if the program generated private keys they would have to be sent back to the center somehow.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: jekjekman on June 27, 2017, 06:52:05 PM

A server without an antivirus and firewall, really? It is like making love with a prostitute with (you know). I am not being rude but it is so careless and too confident at the same time. Even me when I am with your situation and having important files there I will be devastated, maybe face the consequences dude and pay that virus and hope to gain access again with your server.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Weatherby on June 27, 2017, 07:02:58 PM

Quote: The server is a laptop without antivirus and firewall.

The main issue is here, no antivirus and firewall, majority of people try to reduce their expense without using them and they really do not understand the risk they are taking and the expense they have to encounter when something goes wrong, you have to hire a specialist to recover the files and restore the server, there is no other way for these sort of mess.

Quote: All important information is stored on the server.

Title: Re: Wanna Cry new ? please help
Post by: cellard on June 27, 2017, 07:10:56 PM

Quote: Dude, what a beast. They already got their first Bitcoin from 8 victims. https://image.prntscr.com/image/c-psbM-RRXub1B9MTZUIZg.png https://bitref.com/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX I don't know if after paying it actually works, I mean the virus is probably still there, and can attack any time. :-\ Nothing is safe on the internet... :(

Quote: Two types of people who earn money: One makes antivirus, the other makes a virus

It's not that much, considering that they must have spent endless resources to pull such massive attacks... one starts to wonder how lucrative this is for the bad guys. The fact that they are bothering to do this to get a couple BTCs I think shows that states and hackers in general are trying to amass as much BTC as possible, they all know 1 BTC will be very valuable in the next decade so I expect more and more warfare like this with states attacking each other to steal as much BTC as possible from rivals, so keep your coins safe.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: squatz1 on June 27, 2017, 07:17:35 PM

Quote: The server is a laptop without antivirus and firewall. All important information is stored on the server.

Quote: The firm should pay up the $300 ransom and hopefully they will get their data back. Then they should hire an IT guy who is able to set up a server that is not residing inside a laptop in the first place.

This is probably going to be your best bet as the $300 amount is pretty low in all honesty and if the encryption / hacker people aren't going to be dicks and would want to just give your stuff back once they've received payment then you should be all fine and dandy, though first you may want to see how much one of those data recovery people cost before going through with payment. I highly doubt that the recovery of the data is going to cost less than $300 though, so that's probably going to be your call on if you want to feed the virus and roll the dice or roll the dice with people who'll try to get your data back. Good luck!

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: CryptosapienZA on June 27, 2017, 07:50:43 PM

My friend who works for an advertising agency in South Africa had the same message pop up on his machine.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: NeuroticFish on June 29, 2017, 08:36:01 AM

Quote: It seems pretty immature they cannot make unique address for each infection right? It would be much easier that way, then no communication would be necessary.

In my eyes this means that they don't really intend to recover the data if somebody is paying the ransom. But I see a lot of desperate people thinking "let's pay and hopefully... ". Hopefully what? There are free programs that can protect the computers. If I would make such ransomware I would not even bother to make an encryption that can be decrypted. One direction "encryption" is cheaper.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: OVOBTC on June 29, 2017, 08:44:22 AM

This server should've been kept offline if you are storing a lot of important data on it, since the risk of any of these or a malware is high. Fixing this isn't something that can be done through guiding online, I suggest visiting a specialized hardware store and asking about what can be done, and if the data can be extracted from the server or something like that.

Title: Re: Wanna Cry new ? please help
Post by: rickbig092 on June 29, 2017, 08:51:18 AM

Quote: Time constraints do not seem to exist. Yes, it's a business, but it's so small a company that they do not have an IT specialist. Rare copies are rarely made. I told them for a long time to buy a normal server and install a firewall. Here it is the price of carelessness. Work completely stopped, all in shock.

This is risky considering there is useful data in there, I have seen a lot about WannaCry malware before and if the system isn't constrained with time or risk of deleting the data intentionally I would send this to a specialist (which is still cheaper than the ransom and more trustworthy, since the malware might not work and release the data even after paying).

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Eternu on June 29, 2017, 08:55:21 AM

I am sorry to hear that there are still viruses like that. I am not sure if I can help. I would recommend for you to reinstall and delete all files from your personal computer, but problem is that you have information on it. Maybe you could contact some people from your government, because maybe you are not alone with that problem, and maybe they could help you solve it.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: boyptc on June 29, 2017, 09:02:24 AM

The heck, I feel sorry about it man. But because your laptop doesn't have any protection such as antivirus and firewall, you were being penetrated easily by that ransomware. Hate these people who don't want to work hard and just take hostage the files of innocent people that are working very well. I have read somewhere about bypassing this but it's for WannaCry and I forgot that tutorial already, it should be found in Google.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Vianor21 on June 29, 2017, 09:03:42 AM

This virus can't be decrypted, no way to do that, even if someone pays them.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Kaller on June 29, 2017, 02:53:16 PM

Quote: Oh no this is terrible. I hope this doesn't cause problems for bitcoin. It's on mainstream news here in the UK. But I think mostly Ukraine and Russia affected.

Doesn't anybody else think doing business with anyone from Ukraine is a red flag? I wouldn't want to do any online transaction with them in receiving anything online like links, files or even pics from them. There is a potential of getting this virus as it has not been contained yet with over 13,000 PCs infected reported just yesterday.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Russlenat on June 30, 2017, 07:34:57 AM

Just reformat your laptop and install the operating system to erase that malware on your laptop, this is why some computer technicians advise putting your files on drive D; in case of trouble you can just reformat your drive C and your laptop is good as new again like nothing happened because your files are safe on drive D. Just ignore that ransomware payment, and be sure to install antivirus and antimalware after you finish installing the OS.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Betwrong on June 30, 2017, 07:58:45 AM

Quote: This virus can't be decrypted, no way to do that, even if someone pays them.

How do you know? Can you provide evidence for your claim? I found this info on how to protect your computer from the encryption:

Quote: For this particular malware outbreak, another line of defence has been discovered: “Petya” checks for a read-only file, C:\Windows\perfc.dat, and if it finds it, it won’t run the encryption side of the software.

Source: https://www.theguardian.com/technology/2017/jun/27/petya-ransomware-cyber-attack-who-what-why-how

I created perfc.dat in C:\Windows\ just in case, but I'd like to see the comments from people who know better than me in this regard.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: doedz on June 30, 2017, 08:06:18 AM

If this is an attack like ransomware, you may be advised to report the case to the police. Before the virus was scattered with a wide computer network. Especially for PC / Laptop that is still clean, immediately update your operating system and update antivirus.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Lorilikes on June 30, 2017, 08:54:56 AM

If you type the words "kill switch for wannacry ransomware" into Google, you will find the repair command. It is now public knowledge, hope this helps! Good luck.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Betwrong on July 01, 2017, 08:30:00 AM

Quote: If you type the words "kill switch for wannacry ransomware" into Google, you will find the repair command. It is now public knowledge, hope this helps! Good luck.

This is not WannaCry OP's talking about. It's called Petya, or rather “NotPetya” as some researchers call it. This virus is more powerful than WannaCry was. I found this piece of information that might be of help:

Quote: ... according to a tweet from HackerFantastic, when the system goes in for a reboot on its own, the user should power off the computer rather than switch it on. This is because during the reboot the files are being encrypted, and if the computer is switched off during this period, the files remain safe, though still inaccessible.

Source: http://indianexpress.com/article/technology/tech-news-technology/petya-ransomware-cyber-attack-not-wannacry-same-lock-and-demand-tactic-4726781/

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Kaller on July 01, 2017, 07:17:04 PM

Quote: If you type the words "kill switch for wannacry ransomware" into Google, you will find the repair command. It is now public knowledge, hope this helps! Good luck.

They had already reported there is no kill switch for this one. This is a new strain and is a more sophisticated variant of the first version of the virus. As more time passes a new and more powerful version of this virus will be created by more than just hackers. More than likely organized crime units and possibly the mafia in other countries will start using this when they realize they could somehow make billions with this and topple governments with this sort of software if engineered properly.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Proton2233 on July 01, 2017, 07:27:13 PM

It seems that in the future corporations will have to keep their computers offline. There is a system protection of sensitive sites. The user is forbidden to access the Internet and run removable media.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Betwrong on July 02, 2017, 08:31:34 AM

Quote: It seems that in the future corporations will have to keep their computers offline. There is a system protection of sensitive sites. The user is forbidden to access the Internet and run removable media.

That would be a disaster for those who work in the offices, hopefully it won't run to that. What corporations really lack are good system administrators whose awareness about newest viruses is always up to date.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: YuginKadoya on July 02, 2017, 08:51:00 AM

Quote: It seems that in the future corporations will have to keep their computers offline. There is a system protection of sensitive sites. The user is forbidden to access the Internet and run removable media.

Quote: That would be a disaster for those who work in the offices, hopefully it won't run to that. What corporations really lack are good system administrators whose awareness about newest viruses is always up to date.

This gotta stop! This is because of the high price of bitcoin that is why people are doing such crime and I think the victims are all bitcoin users, and I think they are choosing targets with IP that have bitcoin transactions I guess, well I think these guys are real geniuses in hacking things but I am not encouraging them to really sink into such criminal acts, and instead of using their skills for good they are using them in bad ways!

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: ayeshajum07 on July 02, 2017, 12:25:47 PM

Petya was a terrible ransomware as WannaCry, they both exploit SMB v1 vulnerabilities in Windows systems. However the fix for this kind of malware was around for more than 3 months. And there are some procedures to battle this malware. And if it is a server system. Primary to have a better anti-malware. And don't forget to put your first defense firewall. Which filters sessions or packets before they reach your network. All infected devices should be isolated from the network to stop spreading of the infections.

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: Betwrong on July 03, 2017, 09:20:52 AM

Quote: It seems that in the future corporations will have to keep their computers offline. There is a system protection of sensitive sites. The user is forbidden to access the Internet and run removable media.

Quote: That would be a disaster for those who work in the offices, hopefully it won't run to that. What corporations really lack are good system administrators whose awareness about newest viruses is always up to date.

Quote: This gotta stop! This is because of the high price of bitcoin that is why people are doing such crime and I think the victims are all bitcoin users, and I think they are choosing targets with IP that have bitcoin transactions I guess, well I think these guys are real geniuses in hacking things but I am not encouraging them to really sink into such criminal acts, and instead of using their skills for good they are using them in bad ways!

Well, mate, if you are not joking I think you are wrong. Most of the people whose computers were infected had no idea about Bitcoin. They are federal employees, or government workers if you want, and those people are clueless in most cases. That's why it was explained to them how to use Bitcoin in the section "How Do I pay?".

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: krishnapramod on July 08, 2017, 09:57:09 AM

Quote: Hello, guys! Please help in fighting the virus. At the wife's work, the server and other computers picked up a virus similar to WannaCry (all except the wife's computer, on which I installed Comodo). The server is a laptop without antivirus and firewall. All important information is stored on the server. https://s24.postimg.org/r98r5x6v9/image.png (https://postimg.org/image/47s60677l/) Bitcoin address and email: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX wowsmith123456@posteo.net

Private Decryption Key For Original Petya Ransomware Released

The creator of the Petya ransomware, Janus, has released the master decryption key. This key can decrypt all the files that have been encrypted by all three versions of Petya, red, green, and yellow. This key is unusable against the modified version of Petya, NotPetya, that targeted computers of critical infrastructure and corporations in Ukraine as well as 64 other countries. http://thehackernews.com/2017/07/petya-ransomware-decryption-key.html?m=1 https://twitter.com/JanusSecretary/status/882663988429021184

Title: Re: Wanna Cry new ? please help (cryptolocker Petya)
Post by: thecomodo on July 08, 2017, 10:20:57 AM

The best method IMO to get help would be going to a specialized professional in computer and IT (there are plenty of shops for fixing programs and corrupted PCs), although it might not be easy but there might be a way to extract the needed information out of it. Paying is a wrong thing to do IMO, since it would encourage these people to do that again and again.