
    Analysis of Locky ransomware

    • Deleted74295D
      Deleted74295 Banned
      last edited by

      Remember, in the Backblaze client, it throttles the upload speed by default. So dive into the settings and you can set it to upload more.

      I backed up 50GB in a couple of hours from the UK.

      • coliverC
        coliver @Deleted74295
        last edited by

        @Breffni-Potter said:

        Remember, in the Backblaze client, it throttles the upload speed by default. So dive into the settings and you can set it to upload more.

        I backed up 50GB in a couple of hours from the UK.

        Yep... my parents are on a crappy DSL connection.

        • NicN
          Nic @BRRABill
          last edited by

          @BRRABill said:

          @coliver said:

          Backblaze keeps a ton of versions of files. I don't remember how many but it is a lot. Backblaze also isn't a sync client. It is a true backup client.

          I'm just imagining the process of restoring 150GB of data as individual files. Ugh.

          They'll overnight you a flash drive with your data on it for a fee, if you can't wait for the download.
          https://www.backblaze.com/blog/4-tb-usb-restore-drives-are-here-yay/

          • BRRABillB
            BRRABill @Nic
            last edited by

            @Nic said:

            They'll overnight you a flash drive with your data on it for a fee, if you can't wait for the download.
            https://www.backblaze.com/blog/4-tb-usb-restore-drives-are-here-yay/

            $189 isn't actually a bad deal AND you get to keep the drive.

            I wonder how that works, though. I mean, you obviously don't want the actual backup, as the encrypted files have probably been uploaded. So can you get the previous version of every file?

            You know what I mean? That seems messy.

            • coliverC
              coliver @BRRABill
              last edited by

              @BRRABill said:

              @Nic said:

              They'll overnight you a flash drive with your data on it for a fee, if you can't wait for the download.
              https://www.backblaze.com/blog/4-tb-usb-restore-drives-are-here-yay/

              $189 isn't actually a bad deal AND you get to keep the drive.

              I wonder how that works, though. I mean, you obviously don't want the actual backup, as the encrypted files have probably been uploaded. So can you get the previous version of every file?

              You know what I mean? That seems messy.

              How is it messy? I need the backups from 11/1/2015. They send you a drive with those backups on there. You plug it in and restore. Not sure where the issue is?

              • NicN
                Nic
                last edited by

                Well you can go into the console and look at and download individual files. I imagine if you needed a restore from only before the infection date then they'd be able to do that. Let me ping @aaron for more details, since he works for them.

                • BRRABillB
                  BRRABill @Nic
                  last edited by

                  @Nic said:

                  Well you can go into the console and look at and download individual files. I imagine if you needed a restore from only before the infection date then they'd be able to do that. Let me ping @aaron for more details, since he works for them.

                  Haha ... I was doing the same thing. He might not get the ping though since it's later in the day. I sent him a PM.

                  • aaron-closed accountA
                    aaron-closed account Banned
                    last edited by

                    This post is deleted!
                    • BRRABillB
                      BRRABill
                      last edited by

                      @aaron

                      Awesome info. That might just be the solution.

                      • JaredBuschJ
                        JaredBusch
                        last edited by gjacobse

                        Look what hit my quarantine.

                        [image]

                        So I delivered it.

                        [image]

                        OMG! I owe them $298,39

                        Wait what? comma 39 cents? What the f[moderated] is that.

                        This is an admin email account at a client. If the admin account has it, it is only time before someone does all the things.

                        • DashrenderD
                          Dashrender
                          last edited by

                          this is why I turned off Doc and DOCX files via the spam filter.

                          • BRRABillB
                            BRRABill @Dashrender
                            last edited by BRRABill

                            @Dashrender said:

                            this is why I turned off Doc and DOCX files via the spam filter.

                            What if your users legitimately need those files?

                            • wirestyle22W
                              wirestyle22 @BRRABill
                              last edited by

                              @BRRABill said:

                              @Dashrender said:

                              this is why I turned off Doc and DOCX files via the spam filter.

                              What if your users legitimately need those files?

                              Much better ways to share documents than through email

                              • BRRABillB
                                BRRABill @wirestyle22
                                last edited by

                                @wirestyle22 said:

                                Much better ways to share documents than through email

                                Good point.

                                • scottalanmillerS
                                  scottalanmiller @JaredBusch
                                  last edited by

                                  @JaredBusch weird mix of USD and European notation there.

                                  • DashrenderD
                                    Dashrender @BRRABill
                                    last edited by

                                    @BRRABill said:

                                    @Dashrender said:

                                    this is why I turned off Doc and DOCX files via the spam filter.

                                    What if your users legitimately need those files?

                                    Then I can whitelist them. Luckily - we rarely need those sent through email.

                                    • DashrenderD
                                      Dashrender @BRRABill
                                      last edited by

                                      @BRRABill said:

                                      @wirestyle22 said:

                                      Much better ways to share documents than through email

                                      Good point.

                                      Actually - I would say not good point. What ways are you thinking? Dropbox? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email.

                                      Heck, the one person I know who got hit by Locky got it through Dropbox. He got a notice it had been uploaded - he went and looked - he thought HUH, it's odd that it's a Word file, because normally it's a PDF - meh, whatever - click - infected!
                                      It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection.

                                      • BRRABillB
                                        BRRABill @Dashrender
                                        last edited by

                                        @Dashrender said:

                                        Actually - I would say not good point. What ways are you thinking? Dropbox? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email.

                                        Heck, the one person I know who got hit by Locky got it through Dropbox. He got a notice it had been uploaded - he went and looked - he thought HUH, it's odd that it's a Word file, because normally it's a PDF - meh, whatever - click - infected!
                                        It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection.

                                        It was more an ML concession. I just assumed there was an easy way in ODfB everyone was using I was unaware of.

                                        For the most part file sharing like that is a PITA, especially for most users who have no idea. I have to get the file, and share it out, etc..

                                        • stacksofplatesS
                                          stacksofplates @Dashrender
                                          last edited by stacksofplates

                                          @Dashrender said:

                                          @BRRABill said:

                                          @wirestyle22 said:

                                          Much better ways to share documents than through email

                                          Good point.

                                          Actually - I would say not good point. What ways are you thinking? Dropbox? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email.

                                          Heck, the one person I know who got hit by Locky got it through Dropbox. He got a notice it had been uploaded - he went and looked - he thought HUH, it's odd that it's a Word file, because normally it's a PDF - meh, whatever - click - infected!
                                          It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection.

                                          I don't really do any local editing any more. Since I have Zoho I use Zoho Docs (doesn't really matter what service you use), but I use their online software. If I get it in an email, I can open it directly with their Docs apps and edit.

                                          • DashrenderD
                                            Dashrender @stacksofplates
                                            last edited by

                                            @johnhooks said:

                                            @Dashrender said:

                                            @BRRABill said:

                                            @wirestyle22 said:

                                            Much better ways to share documents than through email

                                            Good point.

                                            Actually - I would say not good point. What ways are you thinking? Dropbox? Google Drive? OneDrive, ODfB? etc - those are all horrible ways to share files because it's just as easy to get infected by them as it is by email.

                                            Heck, the one person I know who got hit by Locky got it through Dropbox. He got a notice it had been uploaded - he went and looked - he thought HUH, it's odd that it's a Word file, because normally it's a PDF - meh, whatever - click - infected!
                                            It didn't help that the company used GPOs to remove the prompting about macros, so he didn't even have that protection.

                                            I don't really do any local editing any more. Since I have Zoho I use Zoho Docs, but I use their online software. If I get it in an email, I can open it directly with their Docs apps and edit.

                                            This is something awesome about O365 and Google Apps as well.
