Top QLD sex shop cops Cryptowall lock; cops flop as state biz popped

Cryptowall attackers are smashing businesses in the Australian state of Queensland, according to the owner of a Townsville sex shop which has paid $1,058 to ransomware attackers to have its files unlocked. The third iteration of the dangerous ransomware hit Sweethearts, which describes itself as Queensland's oldest sex shop, …

  1. Old Handle

    Ah, that would be $1,058 Australian, of course.

    I was momentarily excited that three bitcoins was worth that much (I've still got a few laying around). No such luck.

  2. Drew 11

    Never run a mail client with preview switched as default.

    1. Charles 9

      It wouldn't matter. This sounds like spear phishing as the infected e-mail looked convincingly like business correspondence (an application), which meant the only way to be sure is to see it, and since the mere seeing of it can trip the exploit...

      And yes, HTML is becoming more and more necessary for e-mail as there are some things that just can't be conveyed easily through variable text that can appear any sort of way at the other end. Now, if e-mail clients were restricted to low-version HTML and no remote components, we can still enjoy most of the cake.

      1. Kye Macdonald

        Seek job applicants come in on emails that contain no html at all. They are plain text with 2 links in them back to the seek page with the CV and cover letter attached (if the applicant decided to send one). It would be very very easy to bodge something that looks identical.

        I doubt very much that just seeing the email will trigger the exploit. More likely the attached files were really .zip or .exe and were run.

        1. Anonymous Coward

          I'm still trying to figure out your instructions so what hope job-applicant. You do know that any web/HTML link can take you to Internet hell, right? Right? I see not.

      2. I. Aproveofitspendingonspecificprojects

        This sounds like the major break that computer manufacturers have been dying until. The old you need to use a spare computer trick. I wonder if it will ever catch on before the industry dies or will people start using old mobile phones and bury it?

        Oohhh. What if they create separate accounts and use them with different user sign in identities?

        That's it, I am selling all my IBM shares. Anybody want to buy some?

    2. Anonymous Coward

      Never run a mail client with preview switched as default.

      Maybe mail wasn't the source. I know of another recent case in north Queensland where the infection came from a Flash advert on a legit business site.

    3. Phil O'Sophical Silver badge

      Never run a mail client with preview switched as default.

      Never run a mail client on your main system. That's what the office laptop is for.

      1. Stoneshop

        LAN

        So the server will be safe then until some miscreant develops malware that scans the local network and spreads to whatever systems it finds that can be infected.

        Oh, wait...

  3. Cpt Blue Bear

    Time to move to North Queensland and set up as a general tech

    "It could be possible to restore from backups but the tech says drives have to be fully formatted otherwise files may be re-encrypted."

    Clearly, there aren't decent ones in the area.

    1. PrivateCitizen

      Re: Time to move to North Queensland and set up as a general tech

      Clearly, there aren't decent ones in the area.

      Apparently not and not just for that howler either.

      It seems that a number of small businesses have saved $300 on a NAS and $300 on a bit of tech advice to run their backups..... then are whining that their tightfisted approach to what appears to be a business critical system has cost them $1000.

      Shocking approach to IT.

  4. Kye Macdonald

    Must be a hell of an exploit to be able to execute code from a preview pane and get out into the wider system.

    Seriously, is that even possible these days? I haven't seen a remote execution on preview for Outlook since about '04. I suspect what has happened is they have received a file called resume.docx.exe or something similar and run it.

    1. Dr Trevor Marshall

      I get lots of that spam

      Resume.doc.exe? No, my logs are just full of incoming Resume.doc and Resume.zip. Nothing complex, like a double extension. But I am using Eudora here. HTML is only enabled when I request it enabled -- on a message by message basis. And the ZIPs get sent to 7-Zip by default, not Windows.

    2. Anonymous Coward

      Easy. HTML is enabled for the Outlook preview pane. That preview pane HTML then connects to the Internet and pulls back the malware.

      Unless you have some very good Web proxies and mail servers and content inspection firewalls all filtering this shit out, you are going to get owned.

    3. Cpt Blue Bear

      "Must be a hell of an exploit to be able to execute code from a preview pane and get out into the wider system."

      Nah, all of these things I've seen are just an executable attachment masquerading as a document. Ten will get you twenty he opened an attachment named resume.exe or something similar.

  5. Spaceman Spiff

    4 words - backup, backup, backup daily!

    And do that to an off-line device, not the cloud. Cloud services can be compromised. Get a 2-3TB SATA or USB 3.0 disc, and back up all your data there daily. Myself, I do a system bit-image backup of the system drive so I can restore the entire operating system if necessary, and bit-image backups of the data drives. These can be easily compressed when doing the backup to take less space than the original drives. If you don't, then you are subject to this sort of ransomware.

    1. Stoneshop

      Stale data

      Next thing that will happen, if it doesn't already, is that this kind of malware will just sit there, hidden, for a month or two, and then activate. Even if you have a backup regime with sufficient generations that you can re-create an uninfected system, and you have a way to tell, your business data will be rather fscked.

    2. PrivateCitizen

      Get a 2-3TB sata or usb 3.0 disc, and backup all your data there daily.

      A reasonable idea as long as A) this is enough and B) you have the time and patience to do this.

      A 1TB backup would take around an hour to complete each day, and this doesn't include the time required to test the validity etc. If you are a business which pretty much runs on emails, purchase orders and contracts this will probably be enough (especially if you only back up diffs), but if you need to back up any other types of content then you might discover 3 TB is insufficient pretty quickly.

      I agree it needs to be off-line as if the device is connected at the time the ransomware is running, you can say bye bye to all the backed up data as well.

      1. Adrian Midgley 1

        Rsync: less time by far

        If you backup version changes using rsync rather than copying the whole lot it will take little time.

        Apple's TimeMachine does something similar but doesn't play nicely.

    3. Cpt Blue Bear

      "4 words - backup, backup, backup daily!"

      And fer Christ's sake don't give users write access to the backup. There are good reasons why all those Unix (and its bastard offspring) systems have a dedicated backup user...

      And don't rely on a single copy, keep a historic copy or two. Storage is cheap, a lot cheaper than the ransom.

  6. Anonymous Coward

    Javascript?

    Could it have been a javascript file that required permission to run?

  7. Your alien overlord - fear me

    Well, normally it's his customers who end up f*cked - how the tables are turned !!!!

  8. GrumpyOldBloke

    The dog that doesn't bark

    > state and federal police along with the federal Australian Cybercrime Online Reporting Network is unable or unwilling to help.

    Clients of *Net scum* should be happy to know that their generous donation is funding the black ops of allied nations and their death squads. Every time you decrypt a file a child dies in Syria / Iraq / Libya / Sudan / Donbass / Yemen. The only other possible conclusion is that the 5-eyes intelligence services are all smoke and mirrors, a threat rather than a value, completely useless at protecting anything. I'll go for the state sponsored terrorism theorem as more likely.

  9. -tim

    Backup? What is a backup?

    Lots of people think they make "backups"

    What did they miss:

    1) Archives
       a) Tax office wants something from X years ago
       b) Boss needs a customer file from long ago
       c) How did we work through this type of problem in the past?

    2) Near-line backup
       a) "Oops, I deleted my report for a customer"
       b) PFY just doesn't understand how to configure something, so it's rollback time

    3) Disaster recovery
       a) File server RAID card died and we can't get one that talks to the existing disks anymore
       b) The building burned down
       c) The crazy guy in development was sacked and now all the files are funny
       d) Synolocker is running on the sales XP box

  10. Version 1.0 Silver badge

    Screen savers rule

    I see a lot of attachments at the mail server here every day with names like resume.doc.scr - to the average luser this looks like a resume, and when they open it the file just appears to close and they figure that the poor sucker sent them an empty document.

    Currently I'm seeing about five .scr files to every .exe or .doc/.xls infected file, although JavaScript nuggets are becoming more popular. I block them all at the mail server.
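    Several commenters describe the same attachment-name trick (Kye Macdonald's resume.docx.exe, Version 1.0's resume.doc.scr and the .scr/.exe/.js files blocked at the mail server). The following is an added example, not any commenter's mail-server configuration: a filename classifier a gateway could apply before delivery, flagging executable extensions, document-looking double extensions and archives that need unpacking. The extension sets and the sample names are assumptions.

```python
# Attachment-name policy check for a mail gateway (added example, not any
# commenter's configuration). The extension sets are assumptions, not a
# vendor list.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi"}
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}


def classify_attachment(filename):
    """Return (verdict, reason); verdict is "block", "inspect" or "allow".

    The name is normalised first so a sender cannot dodge the check with a
    path prefix, trailing spaces or mixed case (Resume.doc.SCR).
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    parts = [p for p in base.split(".") if p]
    if len(parts) < 2:
        return ("inspect", "no extension")
    ext = parts[-1]
    inner = parts[-2] if len(parts) >= 3 else None
    if ext in EXECUTABLE_EXTS:
        if inner in DOCUMENT_EXTS:
            # resume.doc.scr: Explorer hides the real extension by default
            return ("block", f"document-looking double extension .{inner}.{ext}")
        return ("block", f"executable attachment .{ext}")
    if ext in ARCHIVE_EXTS:
        # Resume.zip is only as safe as what is inside it
        return ("inspect", f"archive .{ext}: unpack and re-check contents")
    return ("allow", f".{ext} is not executable")


def triage(filenames):
    """Group a batch of attachment names by verdict for the gateway's log."""
    out = {"block": [], "inspect": [], "allow": []}
    for name in filenames:
        verdict, _reason = classify_attachment(name)
        out[verdict].append(name)
    return out


if __name__ == "__main__":
    sample = ["resume.doc.scr", "Resume.docx.exe", "Resume.zip",
              "cover_letter.pdf", "invoice.js", "README"]
    for name in sample:
        print(name, "->", classify_attachment(name))
```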

  11. Gene Cash Silver badge

    There are those that make backups, and those that have yet to pay $1,000 to get their data back.

  12. Tezfair

    I have been getting a few Dropbox invites just recently, but I'm behind SMSMSE and I set the content filtering to drop any email that contains any executable file, whether exe, cmd, scr etc. Seems to work well.

    Also implemented a file scanning rule on Windows servers (courtesy of Spiceworks) that if we / a client gets unlucky and gets infected and starts mass file modifications / decrypt.txt files start appearing, it effectively blocks that IP, or blocks the file saves (can't remember off the top of my head).

    I have seen it three times, twice in businesses and once as a residential job, but this one was a bugger because it took out his backup too, as his backup HDD was always left connected.
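    The file-scanning rule Tezfair describes (a burst of file modifications or ransom notes appearing, then block the offending client) can be sketched as detection logic over file-server audit events. This is an added example, not the Spiceworks rule or anything posted in the thread: the thresholds, the note-name pattern (generalised from the "decrypt.txt" mention) and the audit events are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed file-server audit events (timestamp in seconds, client IP, action,
# path). Made up for this example; not logs from the original article or thread.
SAMPLE_EVENTS = (
    [(i * 0.2, "10.0.0.21", "write", f"/shares/sales/quotes/q{i:03}.xlsx")
     for i in range(25)]
    + [(5.2, "10.0.0.21", "create", "/shares/sales/quotes/DECRYPT_INSTRUCTIONS.txt"),
       (30.0, "10.0.0.35", "write", "/shares/hr/roster.docx"),
       (31.0, "10.0.0.35", "create", "/shares/hr/notes.txt")]
)

# The thread mentions "decrypt.txt" notes appearing; the pattern is an assumption
# generalised from that, not a signature for a specific family.
RANSOM_NOTE_RE = re.compile(r"decrypt", re.IGNORECASE)
MOD_THRESHOLD = 20    # modifications from one client ...
WINDOW_SECONDS = 60   # ... inside this sliding window


def find_suspects(events, threshold=MOD_THRESHOLD, window=WINDOW_SECONDS):
    """Return {client_ip: [reasons]} for clients whose file activity looks like
    an encryptor at work. A caller would feed this to a block rule or an alert."""
    suspects = defaultdict(list)
    mod_times = defaultdict(list)
    for ts, ip, action, path in events:
        base = path.rsplit("/", 1)[-1]
        if action == "create" and RANSOM_NOTE_RE.search(base):
            suspects[ip].append(f"ransom note dropped: {base}")
        if action in ("write", "rename", "delete"):
            mod_times[ip].append(ts)
    for ip, stamps in mod_times.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            # Slide the window start forward until it spans at most `window` seconds
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                suspects[ip].append(f"{hi - lo + 1} modifications within {window}s")
                break
    return dict(suspects)


if __name__ == "__main__":
    for ip, reasons in find_suspects(SAMPLE_EVENTS).items():
        print(ip, reasons)
```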

  13. John Tserkezis

    "We paid the ransom, they accepted it, and sent the key," Edwards says. "It's the only thing you can do."

    "It's the only thing you can do."? Really? It's a sex shop and they couldn't "back up".

    Thank you, thank you, I'll be here till Tuesday, remember to tip your waiter.

  14. Neoc

    For those of you bleating "backup", may I remind you that the latest round of this particular nastyware hangs around for a while encrypting/decrypting files on the fly... which means that the backups themselves contain nothing but encrypted files by the time the virus pulls the plug on the decryption part of things.

    So no, it is entirely possible that backups would NOT have helped.
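    Neoc's point is that a backup set can be full of ciphertext under innocent names, so a restore test has to look at file content, not just at whether the files exist. The following is an added example, not code from the thread or from any product: it flags backed-up files whose header no longer matches their extension, or whose byte entropy sits at ciphertext level. The magic-byte table, the threshold and the constructed sample files are assumptions.

```python
import hashlib
import math
from collections import Counter

# Header bytes for document types a business backs up (assumed for this example).
MAGIC = {"pdf": b"%PDF-", "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04",
         "zip": b"PK\x03\x04", "png": b"\x89PNG\r\n\x1a\n"}
COMPRESSED_EXTS = {"docx", "xlsx", "zip", "png"}  # high-entropy by design
ENTROPY_LIMIT = 7.5  # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_backup_file(name, data):
    """Findings for one file; empty means it still looks like its claimed type."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        findings.append(f"header does not match .{ext}")
    # Containers are compressed already, so entropy only means something elsewhere
    if ext not in COMPRESSED_EXTS and shannon_entropy(data) > ENTROPY_LIMIT:
        findings.append(f"entropy {shannon_entropy(data):.2f} bits/byte looks like ciphertext")
    return findings


def audit_backup(files):
    """files: {name: bytes}. Returns {name: findings} for files that fail."""
    report = {n: check_backup_file(n, d) for n, d in files.items()}
    return {n: f for n, f in report.items() if f}


def _fake_ciphertext(n, seed=b"constructed"):
    """Deterministic high-entropy bytes standing in for an encrypted file."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed backup set: three intact files and two encrypted in place but
# left under their original names, the scenario the comment above describes.
SAMPLE_BACKUP = {
    "invoice_0412.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >>\n" * 40,
    "prices.txt": b"Item,Price\nWidget,9.95\nGadget,14.50\n" * 30,
    "orders.docx": b"PK\x03\x04\x14\x00\x06\x00" + bytes(60),
    "contract.pdf": _fake_ciphertext(4096),
    "staff.docx": _fake_ciphertext(4096),
}
```

    Running `audit_backup(SAMPLE_BACKUP)` flags only the two encrypted files; a real job would walk the backup tree and read each file's first few kilobytes instead of the inline dictionary.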

    1. I. Aproveofitspendingonspecificprojects

      > So no, it is entirely possible that backups would NOT have helped.

      How much would a printer cost?

      1. Anonymous Coward

        Then you also have to factor in the cost of toner, paper, storage, probably locks, and labor in case the stuff actually has to be restored to an electronic format. Plus this does nothing for stuff (like programs) that don't convert easily to paper, and anything that can preserve a program can preserve a malware.
