Thread: DirtyDecrypt?

  1. #1
    2 Star Lounger

    DirtyDecrypt?

    I have notices coming up similar to those Susan Bradley described for CryptoLocker, but suggesting I run DirtyDecrypt to decrypt the files I never encrypted. I tried surfing and found what appeared to be widely differing info from sources I did not recognise. No mention on McAfee, Kaspersky or a couple of virus lists. Does anyone have firm info on what is going on with DirtyDecrypt?

    Peter

  2. #2
    Administrator
    Never heard of it, but a quick search seems to point to it being malware.
    Rui
    -------
    R4

  3. #3
    Super Moderator jwitalka's Avatar
    It's part of the ransomware Susan was talking about. It's the program the ransomware uses to encrypt your data files, and it is used to decrypt them when payment is made. From what I can tell, you can remove it, but there's no fix for recovering the files short of a backup or sending payment to the author. I've read of a case where the files were decrypted after payment was made, but there's no guarantee when dealing with these folks.

    Jerry

  4. #4
    WS Lounge VIP Browni's Avatar
    Situations such as this highlight the importance of having an offline backup of your data.

    I use Skydrive to replicate a lot of my data in the cloud so I have easy access (and a possible fallback), but should this rogue get onto my PC and start encrypting files, Skydrive would detect the changes and automatically upload the changed version. (I only use Skydrive as an example because I use it; I'm sure other cloud backup solutions would suffer the same issue.)

  5. #5
    Administrator
    Quote Originally Posted by Browni:
    Situations such as this highlight the importance of having an offline backup of your data.

    I use Skydrive to replicate a lot of my data in the cloud so I have easy access (and a possible fallback), but should this rogue get onto my PC and start encrypting files, Skydrive would detect the changes and automatically upload the changed version. (I only use Skydrive as an example because I use it; I'm sure other cloud backup solutions would suffer the same issue.)
    There are backup solutions that keep previous versions of your files automatically. I use Cubby, that does it.
    Rui
    -------
    R4
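The difference the two posts above are pointing at, as an added example that is not code from the thread or from any of the products named in it: a sync client that only keeps the latest copy faithfully replicates the encrypted version, while a store that keeps timestamped versions can be rolled back to the last copy written before the infection. The store classes, the file path and the timeline are all constructed for illustration, and the "encrypted" content is a byte-flip stand-in rather than real encryption.

```python
"""Versioned backup versus plain sync mirror under a ransomware-style overwrite.

Constructed example: both stores are toy in-memory models, not any real
sync client. The point is what can be recovered afterwards.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MirrorSync:
    """Models a sync client that simply uploads whatever is newest."""
    files: Dict[str, bytes] = field(default_factory=dict)

    def upload(self, path: str, content: bytes, ts: int) -> None:
        # The only copy in the cloud is overwritten by the changed file.
        self.files[path] = content

    def restore(self, path: str, before_ts: int) -> Optional[bytes]:
        # No history: all that exists is the current (possibly encrypted) copy.
        return self.files.get(path)


@dataclass
class VersionedStore:
    """Models a backup that keeps every prior version with its timestamp."""
    history: Dict[str, List[Tuple[int, bytes]]] = field(default_factory=dict)

    def upload(self, path: str, content: bytes, ts: int) -> None:
        # Append rather than replace, so older versions survive later writes.
        self.history.setdefault(path, []).append((ts, content))

    def restore(self, path: str, before_ts: int) -> Optional[bytes]:
        # Pick the newest version written strictly before the chosen cut-off.
        versions = [c for t, c in self.history.get(path, []) if t < before_ts]
        return versions[-1] if versions else None


def simulate(store) -> bool:
    """Constructed timeline: save a document, have it overwritten with
    scrambled content (the stand-in for encryption), then try to restore
    the copy from before the overwrite. Returns True if the original comes back."""
    path = "Documents/report.docx"
    original = b"Quarterly report, final draft"
    store.upload(path, original, ts=100)

    scrambled = bytes(b ^ 0x5A for b in original)  # not real crypto, just damage
    store.upload(path, scrambled, ts=200)          # sync client uploads the damage

    recovered = store.restore(path, before_ts=200)
    return recovered == original


if __name__ == "__main__":
    print("mirror sync recovers original:", simulate(MirrorSync()))      # False
    print("versioned store recovers original:", simulate(VersionedStore()))  # True
```

The `before_ts` cut-off is the one input the restore genuinely depends on: you need a reasonable estimate of when the encryption started, which is why the later advice in this thread about restoring from an image or a shadow copy taken before the event matters.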

  6. #6
    2 Star Lounger
    It certainly manifests as malware - I did not ask to have some files encrypted! But why is it not on the virus lists I looked at? And yes, I have backups all over: system backups (two types) and data backups on multiple local drives and in the cloud. And I have removed the files that contained the 'Run DirtyDecrypt' message. And no more files containing "DirtyDecrypt" have appeared - so far. But is there something still lurking on my system that will attack more files? Note that neither MSE nor Malwarebytes Anti-Malware detects anything wrong.

    jwitalka - is there evidence that these two are just variations on the same basic virus?

    Peter

  7. #7
    Administrator
    If it really is malware, traditional AVs do not detect it. Only AVs with behavioral detection or HIPS would. Susan Bradley's article in this week's edition of the Newsletter talks about several cases of infection, and in those the up-to-date AVs did not detect it, which really is the problem with blacklist-based AVs.
    Rui
    -------
    R4

  8. #8
    Super Moderator jwitalka's Avatar
    Quote Originally Posted by Peter:
    jwitalka - is there evidence that these two are just variations on the same basic virus?
    A Google search for DirtyDecrypt yields a number of posts that show essentially the same characteristics as CryptoLocker.

    Fortunately, in its current state, it doesn't encrypt .tib files, so Acronis True Image backups should be safe even if it can get to an Acronis backup drive. Check the following list for your backup file format:
    3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

    Unfortunately, this could change in the future as the virus adds file types.

    Jerry
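Two practical uses of the extension list above, as an added example that is not code from the thread or from any vendor mentioned in it. The first function checks a backup set against the list, which is the "check your backup file format" step in this post; the second is the kind of behavioral check Rui's earlier post refers to: instead of matching a signature, it flags any process that rewrites many files with targeted extensions inside a short window. The event records, process names, paths, window size and threshold are all constructed assumptions, and the extension list is the one posted here, which the post itself says may grow.

```python
"""Audit backups against the targeted-extension list and flag mass rewrites.

Constructed example. The extension list is the one from the thread; the
events, process names and thresholds are made up for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Extensions the post lists as targeted "in its current state".
TARGETED_EXTENSIONS = set("""
3fr accdb ai arw bay cdr cer cr2 crt crw dbf dcr der dng doc docm docx dwg dxf dxg
eps erf indd jpe jpg kdc mdb mdf mef mrw nef nrw odb odm odp ods odt orf p12 p7b
p7c pdd pef pem pfx ppt pptm pptx psd pst ptx r3d raf raw rtf rw2 rwl srf srw wb2
wpd wps xlk xls xlsb xlsm xlsx
""".split())


def extension(path: str) -> str:
    """Lower-case extension of a Windows or POSIX path, '' if there is none."""
    name = path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify_backups(paths: List[str]) -> Tuple[List[str], List[str]]:
    """Split a backup set into files on the targeted list and files not on it.
    A .tib image, for instance, lands in the second list, as the post says."""
    at_risk = [p for p in paths if extension(p) in TARGETED_EXTENSIONS]
    safe = [p for p in paths if extension(p) not in TARGETED_EXTENSIONS]
    return at_risk, safe


def burst_detector(events: List[Tuple[int, str, str]],
                   window: int = 60, threshold: int = 20) -> Dict[str, int]:
    """Flag processes that rewrite >= threshold targeted files within `window`
    seconds. events are (timestamp_seconds, process_name, path) tuples.
    Returns {process: largest burst seen}. Window and threshold are assumed
    tuning values, not figures from the thread."""
    per_proc: Dict[str, List[int]] = defaultdict(list)
    for ts, proc, path in events:
        if extension(path) in TARGETED_EXTENSIONS:
            per_proc[proc].append(ts)

    flagged: Dict[str, int] = {}
    for proc, stamps in per_proc.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):           # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[proc] = max(flagged.get(proc, 0), count)
    return flagged


def sample_events() -> List[Tuple[int, str, str]]:
    """Constructed file-modification events: normal editing plus one process
    rewriting 25 targeted files in about half a minute."""
    events = [
        (10, "winword.exe", "C:\\Users\\peter\\Documents\\report.docx"),
        (40, "winword.exe", "C:\\Users\\peter\\Documents\\notes.docx"),
        (45, "explorer.exe", "C:\\Users\\peter\\Pictures\\thumbs.db"),
    ]
    for i in range(25):
        ext = "jpg" if i % 2 else "xlsx"
        events.append((100 + i, "unknown.exe",
                       f"C:\\Users\\peter\\Documents\\file{i}.{ext}"))
    return events


if __name__ == "__main__":
    at_risk, safe = classify_backups(
        ["D:\\Backups\\system.tib", "D:\\Backups\\notes.docx"])
    print("at risk:", at_risk, "not on list:", safe)
    print("flagged:", burst_detector(sample_events()))   # {'unknown.exe': 25}
```

The burst check is deliberately process-agnostic: it does not know or care what the malware is called, which is the property Rui's post attributes to behavioral detection. Its weakness is the same one Jerry notes for the extension list: a variant that targets extensions outside the list, or writes slowly enough to stay under the threshold, is not caught.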

  9. #9
    Super Moderator jwitalka's Avatar
    Quote Originally Posted by Rui:
    If it really is malware, traditional AVs do not detect it. Only AVs with behavioral detection or HIPS would. Susan Bradley's article in this week's edition of the Newsletter talks about several cases of infection, and in those the up-to-date AVs did not detect it, which really is the problem with blacklist-based AVs.
    Malwarebytes does detect and remove the virus but it could be too late since it might be after file encryption.
    http://blog.malwarebytes.org/intelli...-need-to-know/

    Jerry
    Last edited by jwitalka; 2013-10-27 at 12:33.

  10. #10
    2 Star Lounger
    Thanks again folks.
    I had run Anti-Malware (and Sophos) after the 'DirtyDecrypt' message came up, but it found nothing. Based on the info here, and the fact that no more encrypted files have turned up, I am hoping that a previous Anti-Malware scan removed the actual virus, and it was subsequent to this that I popped up an encrypted file.

    So - fingers crossed - I don't have this problem anymore!?

    Peter

  11. #11
    5 Star Lounger
    Would be more sure if you could restore to an earlier image backup from before the events.
    Clive

    All typing errors are my own work and subject to patents pending. Except errors by the spell checker. And that has its own patients.

  12. #12
    New Lounger
    I had my first customer with the Cryptolocker virus (of course a week after it hits the tech news). Removed the virus, but looked all over for a solution to get back the data. I found Shadow Explorer, which allows you to recover files/folders from the Volume Shadow Copy feature in Win Vista/7/8. I was able to recover all of the customer's previously encrypted documents from before the infection. Easy to use, portable and free.

    I'm in no way affiliated with ShadowExplorer, I'm just a tech who wants to spread the word about this software for anyone hit with Cryptolocker.