yorolpal
Max Output Level: 0 dBFS
- Total Posts : 13829
- Joined: 2003/11/20 11:50:37
- Status: offline
My buddy's DAW caught a case of RANSOMWARE...
Yup...he's screwed. No doubt. Looks like burning it down and reloading everything is his only option. So...is there a best practice procedure for both erasing/formatting and then restructuring?
PS...if you DO know of something less drastic he could try, by all means pipe up.
His particular version is called "CryptoWall".
|
trmusic
Max Output Level: -90 dBFS
- Total Posts : 30
- Joined: 2015/01/14 16:26:35
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/09 20:15:12
(permalink)
First, he should try installing and running Malwarebytes to clean his system.
|
dubdisciple
Max Output Level: -17 dBFS
- Total Posts : 5849
- Joined: 2008/01/29 00:31:46
- Location: Seattle, Wa
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/09 21:07:48
(permalink)
I have had to help a few friends with this sort of thing. I try the least drastic tactics first. Malwarebytes is great, but typically is overwhelmed by this type of thing. Odds are good he will have to try multiple things. This is the best rundown on removing it that I have come across so far: http://www.bleepingcomput...ransomware-information
|
slartabartfast
Max Output Level: -22.5 dBFS
- Total Posts : 5289
- Joined: 2005/10/30 01:38:34
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/09 21:34:40
(permalink)
Helpful by dubdisciple 2015/04/09 21:47:42
As far as I can tell, CryptoWall is not impossible to remove using standard antivirus programs, but it is impossible to decrypt the files it has already altered without paying the ransom. If your buddy decides to go the burn it down route, the surest way to go is to use a self-booting full erase program like DBAN. http://www.dban.org/ That minimizes the possibility of hiding virus DNA behind the boot system of Windows. A Windows format would not eliminate all viruses. Note that there is a reliable report of viruses that can write to "inaccessible" regions of the hard drive and resist any software-based erasure. http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/ So if you really really need to be sure there are no viruses at all on your computer, you need to buy new hard drives.
|
dubdisciple
Max Output Level: -17 dBFS
- Total Posts : 5849
- Joined: 2008/01/29 00:31:46
- Location: Seattle, Wa
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/09 21:45:46
(permalink)
It took me two months to get rid of an MBR trojan on my gf's computer. It was impossible to do with Windows. I eventually was able to do it in Linux.
|
yorolpal
Max Output Level: 0 dBFS
- Total Posts : 13829
- Joined: 2003/11/20 11:50:37
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/09 21:58:52
(permalink)
Thanks fellers. I'll forward this and all future suggestions to him. Screw the bastards that foist these things on us.
|
lawajava
Max Output Level: -55 dBFS
- Total Posts : 2040
- Joined: 2012/05/31 23:23:55
- Location: Seattle
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/09 22:05:33
(permalink)
Here's unuseful advice for your friend, but a practical idea overall.
On a regular cadence (such as weekly) back up your whole set of hard disks on your computer to a rotating series of external drives with something like Acronis. A different external drive for different weeks, rotating in sequence.
Should this ransom thing occur just remove and throw away your computer drives, put in new ones and restore from one of your backup drives. Painless. Ransom-free.
And don't forget - stop visiting that sketchy website where you picked up the malware.
Two internal 2TB SSDs laptop stuffed with Larry's deals and awesome tools. Studio One is the cat's meow as a DAW now that I've migrated off of Sonar. Using BandLab Cakewalk just to grab old files when migrating songs.
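The rotation scheme described above only pays off if the drive you restore from is itself intact: a backup drive that was plugged in while the ransomware ran is just more encrypted files. As an added example (not code from anyone in this thread), here is a small Python hash-manifest tool: write a SHA-256 manifest onto the backup drive when the backup is taken, record the manifest's own digest somewhere off the drive, and verify the set before restoring from it. The manifest filename, the directory layout and the sample files it constructs are assumptions made for the demonstration.

```python
"""SHA-256 manifest for a rotating external backup drive.
Added example for this thread, not the poster's own tooling. Manifest
filename, layout and the demo files are assumptions.
"""
import hashlib
import json
import os
import random
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.sha256.json"  # assumption: stored at the drive root


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so multi-GB sample libraries do not load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's drive-relative path to its size and SHA-256."""
    root = Path(root)
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == MANIFEST_NAME:
                continue
            path = Path(dirpath) / name
            entries[path.relative_to(root).as_posix()] = {
                "size": path.stat().st_size,
                "sha256": sha256_file(path),
            }
    return entries


def write_manifest(root):
    """Run right after the backup completes; returns the manifest that was written."""
    manifest = build_manifest(root)
    (Path(root) / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def manifest_digest(root):
    """Digest of the manifest file itself. Record this OFF the drive (notebook, other drive):
    anything that can rewrite the backup files can rewrite the manifest beside them."""
    return sha256_file(Path(root) / MANIFEST_NAME)


def verify_manifest(root):
    """Compare the drive against its manifest before restoring from it."""
    root = Path(root)
    expected = json.loads((root / MANIFEST_NAME).read_text())
    actual = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, meta in expected.items():
        if rel not in actual:
            result["missing"].append(rel)
        elif actual[rel]["sha256"] != meta["sha256"]:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(rel for rel in actual if rel not in expected)
    return result


def build_demo_backup():
    """Constructed stand-in for one external backup drive (sample data, not a real backup)."""
    root = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    (root / "projects").mkdir()
    (root / "samples").mkdir()
    (root / "projects" / "song.cwp").write_bytes(b"project data " * 64)
    (root / "samples" / "kick.wav").write_bytes(b"RIFF" + b"\x00" * 1024)
    (root / "samples" / "snare.wav").write_bytes(b"RIFF" + b"\x01\x00" * 512)
    return root


def simulate_tamper(root):
    """Mimic a backup drive that was attached while ransomware ran: one file overwritten
    with unrecognisable bytes, a note dropped, one file gone. Constructed, not malware."""
    root = Path(root)
    rng = random.Random(3)  # deterministic stand-in for ciphertext
    (root / "projects" / "song.cwp").write_bytes(bytes(rng.getrandbits(8) for _ in range(1024)))
    (root / "HOW_TO_DECRYPT.txt").write_text("constructed placeholder note")
    (root / "samples" / "kick.wav").unlink()


if __name__ == "__main__":
    drive = build_demo_backup()
    write_manifest(drive)
    print("manifest digest to record off-drive:", manifest_digest(drive))
    print("fresh backup:", verify_manifest(drive))
    simulate_tamper(drive)
    print("after tamper:", verify_manifest(drive))
```

The manifest on the drive can be rewritten by whatever rewrites the files, which is why manifest_digest() exists: jot that one hash down, or keep it on a second drive, and compare it before trusting the verify result. A drive that verifies clean against a manifest whose digest still matches your off-drive record is one you can restore from.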
|
yorolpal
Max Output Level: 0 dBFS
- Total Posts : 13829
- Joined: 2003/11/20 11:50:37
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/09 22:09:44
(permalink)
Yup...that's the advice I gave him. He didn't even have an anti virus program loaded. Or a hard drive backup. He will now. He got it, apparently, from trying to download a game for his young son.
|
SongCraft
Max Output Level: -36 dBFS
- Total Posts : 3902
- Joined: 2007/09/19 17:54:46
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/10 02:01:03
(permalink)
yorolpal Yup...that's the advice I gave him. He didn't even have an anti virus program loaded. Or a hard drive backup. He will now. He got it, apparently, from trying to download a game for his young son.
Downloads and emails are methods of delivery (CryptoWall). Thanks to your thread, I decided to read up about this ransomware. Just recently read that the criminals upgraded CryptoWall to version 3 (Jan 2015), nasty stuff! But if it's caught at the earliest stage, it can be removed easily enough, but once it gets in deep and encrypts files, that's bad news, AND it can also infect Dropbox files. Anyway, I'm sure your friend will get his computer up and running as new soon.
|
Jeff Evans
Max Output Level: -24 dBFS
- Total Posts : 5139
- Joined: 2009/04/13 18:20:16
- Location: Ballarat, Australia
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/10 02:17:02
(permalink)
Helpful by craigb 2015/04/10 03:45:26
Keep your DAW computer off the net
Specs i5-2500K 3.5 Ghz - 8 Gb RAM - Win 7 64 bit - ATI Radeon HD6900 Series - RME PCI HDSP9632 - Steinberg Midex 8 Midi interface - Faderport 8- Studio One V4 - iMac 2.5Ghz Core i5 - Sierra 10.12.6 - Focusrite Clarett thunderbolt interface Poor minds talk about people, average minds talk about events, great minds talk about ideas -Eleanor Roosevelt
|
robert_e_bone
Moderator
- Total Posts : 8968
- Joined: 2007/12/26 22:09:28
- Location: Palatine, IL
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/10 06:05:18
(permalink)
I remove viruses and malware from between 20-50 computers a year, on average. What I find to be the quickest method is to physically remove the hard drive(s) from the infected machine, then load each drive, one at a time, into another computer that is clean and running good antivirus software. Boot up that computer, and it will see the 'boot drive' from the other computer only as a data drive on this computer, which makes it MUCH faster and MUCH easier to scrub, since nothing from that drive boots up into memory and all that. If a 2nd clean computer is available, I suggest the above approach to scrubbing an infected drive from a different computer. I do this technique all the time. You will also want to run something like Malwarebytes too. And, my antivirus software of choice is Avast. Bob Bone
Wisdom is a giant accumulation of "DOH!" Sonar: Platinum (x64), X3 (x64) Audio Interfaces: AudioBox 1818VSL, Steinberg UR-22 Computers: 1) i7-2600 k, 32 GB RAM, Windows 8.1 Pro x64 & 2) AMD A-10 7850 32 GB RAM Windows 10 Pro x64 Soft Synths: NI Komplete 8 Ultimate, Arturia V Collection, many others MIDI Controllers: M-Audio Axiom Pro 61, Keystation 88es Settings: 24-Bit, Sample Rate 48k, ASIO Buffer Size 128, Total Round Trip Latency 9.7 ms
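Mounting the pulled drive on a clean machine and treating it as data, as Bob describes, also lets you inventory the damage before deciding between cleaning and a rebuild. The following is an added example, not code from anyone in this thread: a read-only triage pass in Python over a mounted victim drive that flags files whose header no longer matches their extension and whose bytes are near-random (what encryption leaves behind), and lists likely ransom notes. The magic-byte table, the note-name patterns, the entropy threshold and the sample files it builds are all assumptions; CryptoWall's actual note filenames are not given in this thread, so adjust NOTE_PATTERNS for the family you are dealing with. Run it from the clean host against the mount point and never execute anything from the suspect drive.

```python
"""Read-only triage of a drive pulled from a ransomware victim and mounted
on a clean machine. Added example for this thread, not code from any of the
posters. Magic-byte table, note-name patterns, threshold and demo files are
assumptions; adjust NOTE_PATTERNS to the family you are actually facing.
"""
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Leading bytes expected for a few extensions common on a DAW (assumption: a small table is enough).
MAGIC = {
    ".wav": (b"RIFF",),
    ".aif": (b"FORM",),
    ".mp3": (b"ID3", b"\xff\xfb"),
    ".png": (b"\x89PNG",),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF",),
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),
}

# Substrings typical of ransom-note filenames (assumption; this thread gives no CryptoWall names).
NOTE_PATTERNS = ("decrypt", "help_", "recover", "how_to", "readme")
NOTE_SUFFIXES = (".txt", ".html", ".url", ".png")

# Bits per byte; encrypted or compressed data sits close to 8.0, text and silence far below.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 4096  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Byte-frequency entropy of a sample, 0.0 (one value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(path: Path, head: bytes) -> Optional[bool]:
    """True/False when the extension has a known signature, None when it does not."""
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is None:
        return None
    return any(head.startswith(s) for s in sigs)


def classify(path: Path) -> str:
    """One verdict per file: ransom-note, encrypted, header-mismatch, high-entropy or ok."""
    name = path.name.lower()
    if path.suffix.lower() in NOTE_SUFFIXES and any(p in name for p in NOTE_PATTERNS):
        return "ransom-note"
    with path.open("rb") as f:
        head = f.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    match = header_matches(path, head)
    if match is False and entropy >= ENTROPY_THRESHOLD:
        return "encrypted"          # known type, header destroyed, body looks random
    if match is False:
        return "header-mismatch"    # wrong header but structured content: renamed or corrupt
    if match is None and entropy >= ENTROPY_THRESHOLD:
        return "high-entropy"       # unknown type; could be an archive or a ciphertext
    return "ok"


def triage(root: str) -> dict:
    """Walk the mount point and bucket every file; nothing is written or executed."""
    report = {"encrypted": [], "ransom-note": [], "header-mismatch": [], "high-entropy": [], "ok": 0, "errors": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                verdict = classify(path)
            except OSError:
                report["errors"] += 1
                continue
            if verdict == "ok":
                report["ok"] += 1
            else:
                report[verdict].append(str(path))
    return report


def build_demo_tree() -> str:
    """Constructed sample files standing in for the victim's drive (not real malware output)."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    (root / "kick.wav").write_bytes(b"RIFF" + b"\x00" * 4000)  # intact, low entropy
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    (root / "vocal.wav").write_bytes(bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES)))
    (root / "HOW_TO_DECRYPT.txt").write_text("constructed placeholder note")
    (root / "song.cwp").write_bytes(b"A" * 2048)  # unknown type, low entropy
    return str(root)


if __name__ == "__main__":
    for bucket, value in triage(build_demo_tree()).items():
        print(f"{bucket}: {value}")
```

Files that come back "high-entropy" with no known signature are ambiguous (compressed archives and legitimately encrypted containers look the same as ciphertext), so treat that bucket as "inspect", not "lost". The "encrypted" bucket is the list of what has to come from backup; the antivirus scan from the clean host, as Bob describes, is still what removes the malware itself.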
|
ston
Max Output Level: -71 dBFS
- Total Posts : 965
- Joined: 2008/03/04 12:28:40
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/10 10:38:31
(permalink)
robert_e_bone What I find to be the quickest method is to physically remove the hard drive(s) from the infected machine, then load each drive, one at a time, to another computer that is clean and running good antivirus software. +1, that's usually what I do too. There are a number of very good Unix low-level disk tools which can help clean up (or rebuild) the boot sector (MBR, volume boot record, etc.). If you really want a 'start over' solution, then DBAN is probably the way to go.
|
bitflipper
01100010 01101001 01110100 01100110 01101100 01101
- Total Posts : 26036
- Joined: 2006/09/17 11:23:23
- Location: Everett, WA USA
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/10 10:53:27
(permalink)
This bit one of my customers a couple years ago. They sent me what they thought was a corrupted MS Access database. Restoring corrupt Access databases is one of my specialties, and I've had a 99.9% success rate, so I assured them I could fix it and recover the data. That turned out not to be the case, as the malware (CryptoLocker) had encrypted the file and was demanding $500 for the decryption key. Fortunately, they had a fairly recent backup, but it took a couple of weeks of data entry to bring it up to date. Needless to say, they do backups more frequently now! Backups are the best insurance against this sort of thing. Even if your computer isn't on the internet, even if it's only connected to an internal LAN, this kind of malware can still get you if ANY workstation on your local network has internet access. After doing its thing on the infected computer, the virus then searches out additional files on the LAN. Taking a DAW completely off all networks isn't practical, as it makes backups and software authorization difficult. You can, however, reduce your vulnerability by disabling the network most of the time and turning it on only when you need it. This has the added benefit of reducing overhead and making more CPU cycles available to the DAW.
All else is in doubt, so this is the truth I cling to. My Stuff
|
yorolpal
Max Output Level: 0 dBFS
- Total Posts : 13829
- Joined: 2003/11/20 11:50:37
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/10 11:03:41
(permalink)
How would just physically removing his hard drives and tossing them, then putting new drives in, formatting and re-installing software be? Would that work? That would seem to be his cheapest option now.
|
Leadfoot
Max Output Level: -47 dBFS
- Total Posts : 2817
- Joined: 2011/04/26 11:08:38
- Location: Indiana
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/10 11:29:38
(permalink)
Jeff Evans Keep your DAW computer off the net
+1 For me, it's worth the extra hassle to keep my DAW computer free of all that garbage.
|
jamesg1213
Max Output Level: 0 dBFS
- Total Posts : 21760
- Joined: 2006/04/18 14:42:48
- Location: SW Scotland
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/10 12:11:56
(permalink)
My DAW has been on the 'net for 7 years. I must be either lucky, or very careful.
Jyemz Thrombold's Patented Brisk Weather Pantaloonettes with Inclementometer
|
Rain
Max Output Level: 0 dBFS
- Total Posts : 9736
- Joined: 2003/11/07 05:10:12
- Location: Las Vegas
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/10 14:02:14
(permalink)
Now that I can afford to, I keep my DAW offline 99% of the time - unless I want to transfer a mixdown to my laptop via AirDrop or need to download/authorize something. But no e-mail, no browsing internet, no FB. I've been lucky in the past but I'd rather not push my luck if I don't have to.
TCB - Tea, Cats, Books...
|
dubdisciple
Max Output Level: -17 dBFS
- Total Posts : 5849
- Joined: 2008/01/29 00:31:46
- Location: Seattle, Wa
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/10 14:24:32
(permalink)
It's getting harder and harder to keep DAWs off the net completely. The compromise I have taken is to connect but only go to sites that are 100% relevant like software support and such. It's highly unlikely updating my VSTs will give me a virus. When I want to surf the net, I use my tablet or Linux box. Even when on DAW computers, I use products like NoScript to account for the occasional typo that ends up going to the wrong site.
|
ampfixer
Max Output Level: -20 dBFS
- Total Posts : 5508
- Joined: 2010/12/12 20:11:50
- Location: Ontario
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/10 16:14:19
(permalink)
Helpful by craigb 2015/04/10 16:30:55
Why isn't an act like you described considered theft over $1,000? It should be a felony IMHO.
Regards, John I want to make it clear that I am an Eedjit. I have no direct, or indirect, knowledge of business, the music industry, forum threads or the meaning of life. I know about amps. WIN 10 Pro X64, I7-3770k 16 gigs, ASUS Z77 pro, AMD 7950 3 gig, Steinberg UR44, A-Pro 500, Sonar Platinum, KRK Rokit 6
|
dubdisciple
Max Output Level: -17 dBFS
- Total Posts : 5849
- Joined: 2008/01/29 00:31:46
- Location: Seattle, Wa
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/10 16:46:08
(permalink)
I'm sure it is a felony, but good luck finding the guys doing this. Odds are good they are in a country where catching these guys is not a priority.
|
dmbaer
Max Output Level: -49.5 dBFS
- Total Posts : 2585
- Joined: 2008/08/04 20:10:22
- Location: Concord CA
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/11 14:16:09
(permalink)
lawajava Should this ransom thing occur just remove and throw away your computer drives, put in new ones and restore from one of your backup drives. Painless. Ransom-free.
Throw away your drives? I'm pretty certain reformatting them would be adequate.
|
dubdisciple
Max Output Level: -17 dBFS
- Total Posts : 5849
- Joined: 2008/01/29 00:31:46
- Location: Seattle, Wa
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/11 14:29:30
(permalink)
dmbaer
lawajava Should this ransom thing occur just remove and throw away your computer drives, put in new ones and restore from one of your backup drives. Painless. Ransom-free.
Throw away your drives? I'm pretty certain reformatting them would be adequate.
Reformatting works on most malware except the ones that affect the disk outside of the OS. In those cases throwing away the drive is unnecessary. There are tools for cleaning MBR and other non-OS malware infections. An industrial-strength magnet will likely do the trick as well.
|
slartabartfast
Max Output Level: -22.5 dBFS
- Total Posts : 5289
- Joined: 2005/10/30 01:38:34
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/11 17:26:26
(permalink)
Helpful by dubdisciple 2015/04/11 19:52:47
An industrial strength magnet might make the data on the drives unreadable, if you mean the kind they use to lift cars in a scrapyard. The drives are pretty well protected from even strong permanent magnets. The NSA recommendation is to reduce them to fine dust in a grinder following degaussing since there is concern that even massive magnetic noise may be insufficient to hide everything. But you will not be able to use them for anything else after zapping them with a degausser. Aside from the damage to the mechanical parts and circuits, the platters themselves are factory formatted (like a "blank" CD) and if you erase that level of formatting via degaussing, you will not be able to format them for use under an OS. https://www.kjmagnetics.com/blog.asp?p=hard-drive-destruction Throwing away your drives is almost certainly overkill for any common virus. If you are not confident that your antivirus software can detect and remove suspected viruses, then the DBAN followed by fresh format is as far as you probably need to go. Modern hard drives have a firmware secure erase routine built in, but it is difficult to access from most OS's, and even blocked by some BIOS versions to prevent the accidental erasure of the drive. One way of calling the routine is here: http://cmrr.ucsd.edu/people/Hughes/secure-erase.html. Not for the faint of heart, but it does not require a second computer and once the sequence is initiated it is impervious to any interference by a program running on the computer. That stuff applies mostly to destroying classified data. As far as removing a virus, like any other computer program, all you need to do is make a few bits unreadable to make it stop working. You do not have to remove all traces from the possibility of forensic recovery by state actors. A simple delete will kill it dead.
post edited by slartabartfast - 2015/04/11 17:50:29
|
sharke
Max Output Level: 0 dBFS
- Total Posts : 13933
- Joined: 2012/08/03 00:13:00
- Location: NYC
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/11 18:21:04
(permalink)
I've only ever had one computer virus in my life and that was years ago after downloading and running a dodgy torrent. Lessons learned. As long as you're not doing anything stupid (downloading cracked software, installing software from untrusted sources, opening attachments in junk emails etc) then you're not going to get caught. I believe keeping your DAW offline is completely unnecessary. It seems to me that music producers are alone in this kind of paranoia - there are hundreds of other professions which rely on computers (web designers, graphic designers, architects, photographers etc) and you never hear about them advising each other to stay offline in case of viruses.
James Windows 10, Sonar SPlat (64-bit), Intel i7-4930K, 32GB RAM, RME Babyface, AKAI MPK Mini, Roland A-800 Pro, Focusrite VRM Box, Komplete 10 Ultimate, 2012 American Telecaster!
|
craigb
Max Output Level: 0 dBFS
- Total Posts : 41704
- Joined: 2009/01/28 23:13:04
- Location: The Pacific Northwestshire
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/11 23:58:25
(permalink)
Helpful by tlw 2015/04/12 10:37:03
Ironically, the only times I've gotten a virus were when I wasn't doing anything stupid.
Time for all of you to head over to Beyond My DAW!
|
slartabartfast
Max Output Level: -22.5 dBFS
- Total Posts : 5289
- Joined: 2005/10/30 01:38:34
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/12 07:45:15
(permalink)
Somehow the myth of the safe website keeps re-surfacing. Although the dark web and porn sites are clearly risky places to find downloads, there is very good evidence that legitimate sites serve as the largest source of virus infections. While a legitimate website may not be designed from the ground up as a malware trap, they are clearly not immune from being hacked or otherwise infiltrated with dangerous links, downloads, or phishing forms. The largest and best financed sites at least have the resources to police such things, but they also offer the most return to those who can get access. Smaller (smaller than Google) commercial sites rarely have the staff or security expertise to diligently purge the inevitable breaches. Even Google has hosted malware on its ads and Apple's app store has served up poisoned product. http://www.dailyfinance.com/2010/07/02/survey-legitimate-web-sites-more-likely-to-carry-a-virus-than-a/
|
Moshkito
Max Output Level: -37.5 dBFS
- Total Posts : 3765
- Joined: 2015/01/26 13:29:07
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/12 11:04:58
(permalink)
Hi, The computers (2 of them), that I do music on are not for anything else and all other programs are taken out. I have not tried it yet, but I'm also thinking of disabling the router port for the duration of the music making process to cut down issues. I did talk to F-Secure, and they said that you can disable the software and that it will not bother you -- which is a request I had for them, and I have tested it by leaving it off with the connection to the router unplugged and had no issues for an hour ... so far it's a good thing. My other computers do all the mail and browsing. Period.
Music is not about notes and chords! My poem is not about the computer or monitor or letters! It's about how I was able to translate it from my insides!
|
kakku
Max Output Level: -59 dBFS
- Total Posts : 1646
- Joined: 2014/08/31 21:37:39
- Location: Finland
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/12 12:41:17
(permalink)
I use Sandboxie always when I surf online because any web site can potentially be possessed by malware which can infect users' computers. If I have understood correctly, Sandboxie isolates the user's system and data files from the internet and some other clever stuff. It has not failed me yet, as far as I know (but I've been fooled before). Sandboxie is also an easy to use program and configurable to give even better protection. I also use noscript and flash blocking plugins when surfing with firefox and Opera for extra protection. Also I use the free Comodo internet suite and Microsoft's EMET thingy. Sorry if I went OT.
Sonar X1 Studio, Duo-capture and Steinberg's UR22 mk2 interfaces, super fast (read snail like) dual core computers, Arturia the Player 25 and Goldstar midi keyboards, Samsung Galaxy Ace 2 phone kakku
|
dmbaer
Max Output Level: -49.5 dBFS
- Total Posts : 2585
- Joined: 2008/08/04 20:10:22
- Location: Concord CA
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/12 13:40:31
(permalink)
sharke I've only ever had one computer virus in my life
Same here. It was Norton Anti-virus. It was astonishing how hard it was to remove that piece of junk from my machine.
|
dubdisciple
Max Output Level: -17 dBFS
- Total Posts : 5849
- Joined: 2008/01/29 00:31:46
- Location: Seattle, Wa
- Status: offline
Re: My buddy's DAW caught a case of RANSOMWARE...
2015/04/12 16:14:54
(permalink)
Many get viruses from social networking sites like Facebook now. Every site carries some level of risk, but you are still far more likely to be exposed via a warez or porn site than logging into your Cakewalk store to grab a PC module. Legit sites do transmit more viruses, but the distribution is typically done in chunks. A Google or Yahoo will infect the millions who happened to log on before the exploit was eradicated.
|