Cryptolocker Malware
Anyone have to deal with this yet? We've had one client get infected with this so far. A user clicked on a link in an email from "Fedex". It encrypted all of the files on her computer, plus all files in mapped drives she had. By the time it was finished, most of the files on their file server had been encrypted. Luckily, we had some offline backups of their data. We removed the malware from her computer (then reloaded Windows just to be sure), and restored the files. Needless to say, this was not a fun one
Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging
Comments
-
veritas_libertas Member Posts: 5,746 ■■■■■■■■■■No, but this was an interesting read: Destructive malware “CryptoLocker” on the loose – here’s what to do | Naked Security
-
YFZblu Member Posts: 1,462 ■■■■■■■■□□Ah, ransomeware - The bridge trohl of malware. +1 for the nakedsecurity article, it's a good one.
-
4_lom Member Posts: 485Great article Veritas. Here's another one from BC: Cryptolocker RansomwareGoals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging
-
4_lom Member Posts: 485I've read that some have actually paid and had their files decrypted. This is really crossing a line of right/wrong in my head. I couldn't see ever giving in and paying the fee, it's basically encouraging malware writers everywhere. But if you have no backups and not being able to recover the files could cripple your business, I guess paying is the only option as of right now.Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging
-
veritas_libertas Member Posts: 5,746 ■■■■■■■■■■Depends on how important the files are (as you said...). If you didn't back them up and were a small business it might be worth it. I would advise some one in that situation to pay up and them contact their bank and ask for them to get you're money back after the fact. Also cancel the card.... :P
-
YFZblu Member Posts: 1,462 ■■■■■■■■□□I've read that some have actually paid and had their files decrypted. This is really crossing a line of right/wrong in my head. I couldn't see ever giving in and paying the fee, it's basically encouraging malware writers everywhere. But if you have no backups and not being able to recover the files could cripple your business, I guess paying is the only option as of right now.
Orgs need to have backups, and they need to reimage on confirmed malware hits. It's the only way IMO. -
cyberguypr Mod Posts: 6,928 ModSome people never back stuff up and rather pay any price to bring their data back from the dead. When I was doing consulting I had a client decline a backup proposal worth a few hundred bucks just to end up a year later paying Ontrack 2 grand to recover data.
Takeaway from that article:The endgame is the same in all cases: if you have a reliable and recent backup, you'll have a good chance of recovering without too much trouble.
Prevention, in this case, is significantly better than cure:
- Stay patched. Keep your operating system and software up to date.
- Make sure your anti-virus is active and up to date.
- Avoid opening attachments you weren't expecting, or from people you don't know well.
- Make regular backups, and store them somewhere safe, preferably offline.
Don't forget that services that automatically synchronise your data changes with other servers, for example in the cloud, don't count as backup.
They may be extremely useful, but they tend to propagate errors rather than to defend against them.
To the synchroniser, a document on your local drive that has just been scrambled by CryptoLocker is the most recent version, and that's that. -
exampasser Member Posts: 718 ■■■□□□□□□□This is a good reason to have backups on devices that are not connected to the network (I'd image that the malware would have no problems encrypting backup files on shares that the infected PC is connected to.)
-
devils_haircut Member Posts: 284 ■■■□□□□□□□I've seen a couple of these in the shop where I work. The virus itself is relatively easy to remove, but if you don't have backups or the ability to restore previous versions of important files, you're probably screwed. The encryption is ridiculously strong (2048-bit RSA followed by 256-bit AES with the RSA private key encrypted during the second encryption along with the file). I've heard people paying the fee and having their data decrypted, but I don't know that I'd go that route myself.
-
tecjohnson Member Posts: 46 ■■□□□□□□□□Weird. I have had this virus on my company's computers but nothing was ever encrypted.
It was just a big old scary program that stopped other programs from working. But it was account specific so when I logged in with another account it was easy to remove. -
Balantine Member Posts: 77 ■■□□□□□□□□The %AppData\*.exe is amusing. Such a case in point for why SRP was developed into AppLocker. You have to add more subdirectories manually inside a path... \*\*\*\*.exe etc. I'm surprised it can't be matched with a regular expression.dulce bellum inexpertis
-
MrAgent Member Posts: 1,310 ■■■■■■■■□□I believe you have to pay the fee with bit coins to get the files decrypted, so paying with a credit card and then calling them will not work
-
MCITBound Member Posts: 65 ■■□□□□□□□□We are currently battling this one on our network... what a pain! We aren't totally sure how the users are getting it. They claim that the haven't opened any emails or done anything out of the ordinary on the web...If I gave good advice or was insightful, please add to my reputation!! If you have a LinkedIn account and want a new connection, feel free to add me! If you have any questions, ask! :cool:
-
Everyone Member Posts: 1,661"They claim"? You actually believe them? I haven't had to deal with this first hand yet, but several co-workers have had customers get it. It's over a month old now. Trojan:Win32/Crilock.A
-
MCITBound Member Posts: 65 ■■□□□□□□□□Lol - No, I don't believe them...which is why I'm looking at their email, firewall, and web history to really see what's going on. Also on the phone with Trend Micro, our Anti-Virus provider, to find out how that got through the client.If I gave good advice or was insightful, please add to my reputation!! If you have a LinkedIn account and want a new connection, feel free to add me! If you have any questions, ask! :cool:
-
Everyone Member Posts: 1,661Trend has been able to detect it since September 10th... TROJ_RANSOM.NS | Low Risk | Trend Micro Threat Encyclopedia If you only recently got infected and your virus definitions were up to date, I'd be on the phone wanting to know why too. It is possible there is a new variant they don't detect and that's what you got hit with.
-
YFZblu Member Posts: 1,462 ■■■■■■■■□□We are currently battling this one on our network... what a pain! We aren't totally sure how the users are getting it. They claim that the haven't opened any emails or done anything out of the ordinary on the web...
Regarding the web browsing piece of this, I think the biggest kick to the gut about malware is that it no longer hides in the deep dark corners of the interwebs. This year alone I have seen the following sites compromised and redirecting to exploit kit / malware servers:
-YouTube - their ad rotator was serving malicious content (the users didn't have to click the ad to get infected, btw)
-WaffleHouse.com
-SpeedTest.net
-CBSsports.com
-Bible.org
-Glassdoor.com
...and the list goes on. Now, those are just well-known and potentially high traffic destinations. Imagine how many legitimate local / small business sites are owned every day. I read recently that 70% of WordPress sites are vulnerable to attack. My larger point here is that legitimate run-of-the-mill sites get owned every day. A lot of them. The type of sites our Users won't think about when considering where malware compromise may have stemmed from.
As far as the AV issue is concerned, you might want to use a 3rd party vendor to detect the malware, and send the .bup file to Trend for analysis and to get a signature written. Other than that, there are simply too many new malware specimins and variants being developed for them to keep up. It's literally an impossible task.
I have found that one of the best ways of detecting the commodity malware is by detecting Java connections to uncategorized sites on the internet. Of course for this to be successful you'll need an enterprise grade proxy and IDS - and they must be logging everything. -
MCITBound Member Posts: 65 ■■□□□□□□□□According to Trend, we have gotten a new variant of the virus and they are analyzing it now. This one runs multiple processes of it at the same time, so they end up protecting each other in the event that you end one of the processes.
Java is being updated on all of our systems. STILL a huge pain!! Lol! I had better things to do today: like setup a second vCenter!If I gave good advice or was insightful, please add to my reputation!! If you have a LinkedIn account and want a new connection, feel free to add me! If you have any questions, ask! :cool: -
Everyone Member Posts: 1,661You should consider deploying AppLocker (built into Windows 7 and later). AppLocker Documentation for Windows 7 and Windows Server 2008 R2 It would help prevent this type of malware from running when it makes it past all your other layers of protection (including your AV).
-
tpatt100 Member Posts: 2,991 ■■■■■■■■■□Man didn't people learn that the only reason the Battlestar Galactica survived the Cylon attack was that Adama refused to network his ship?
We are going to get so networked some day that a virus is going to take us back to the dark ages. Then Bill Cosby with his TI-99/4A will take over the world. -
the_Grinch Member Posts: 4,165 ■■■■■■■■■■At my old job someone just got hit with this and the main company network drive was encrypted. My boss found the user, wiped their machine, and they were able to restore all but about 20% of the files on the drive. We had been asking people to clean up the files on the drive prior to my leaving and oddly enough it's been two weeks with no complaints about anything missing that was needed.WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff -
ratbuddy Member Posts: 665My mom got hit with this today. I was on the phone with her, I heard her say 'my files are encrypted? huh?' and knew right away what had happened. My idiot brother was using her computer yesterday, nuff said.
It's acting unlike other variants I have seen described online. When she attempts to run any program, a UAC window comes up with a generic looking message. The details show that it's actually trying to run vssadmin in quiet mode to erase all shadow copies on the C drive. I don't have physical access to the machine yet, and I told her to keep the wireless off in case there are other infections still active. MSE said it got rid of Cryptolocker. I don't know the mechanism behind the vssadmin attempts - did the trojan rewrite or modify the .exe files individually, is it hooking something on a more general level, etc. I'm sure the real sec-dudes will write about this variant soon enough.
In the meantime, it's enough to know that there's definitely a new variant out there, and it's getting nastier. -
Disgruntled3lf Member Posts: 77 ■■■□□□□□□□I was reading about this over on THN. The virus will create a bitcoin wallet for you and if you're a US resident you can pay with some cards that are cash only. Supposedly they are honoring the payment agreement and decrypting the files so that is good news at least for those infected.
-
YFZblu Member Posts: 1,462 ■■■■■■■■□□Disgruntled3lf wrote: »I was reading about this over on THN. The virus will create a bitcoin wallet for you and if you're a US resident you can pay with some cards that are cash only. Supposedly they are honoring the payment agreement and decrypting the files so that is good news at least for those infected.
That's assuming no other malware was dropped during the compromise. Sure, the file system will be decrypted - I'd venture a guess that the system remains backdoor'd however.
Nuke and pave gents, nuke and pave. -
RomBUS Member Posts: 699 ■■■■□□□□□□I actually ran into this on a user's desktop earlier this week (had no idea what they were doing prior to contracting it).
I simply took a note of the .exe that was running in Task Manager which pointed to random character .exe process.logged off the user's profile, ran Malwarebytes and anti-virus scan. Looked up directories and registry entries that were linked to CryptoLocker and that random character .exe file. Cleaned out temp files. Rebooted once directories, scans and necessary registry keys were cleaned out. Did another scan...once it completed I logged back onto the user's profile and all traces of the virus was gone and user was able to get back to work. This took me roughly 40 mins to complete...luckily the user was able to work without the PC for a while -
YFZblu Member Posts: 1,462 ■■■■■■■■□□Massachusetts police department pays Cryptolocker ransom: US local police department pays CryptoLocker ransom | Naked Security
Talk about unprepared to handle a cybercrime incident! Besides the obvious downfalls of desktop techs "cleaning" machines of malware, the police department is so desperate they are willing to decrypt and place compromised data back on the network.
Of course, the next place my mind takes me is to Zeus. Cryptolocker isn't being dropped alone - people, stop cleaning verified malware hits. Cleaning the obvious malware does not a clean system make. Additionally, after malware compromise, a clean A/V scan does not a clean system make.
My favorite piece of the article is a quote from the police department's spokesperson: "We were never compromised"
Ref: http://blog.trendmicro.com/trendlabs-security-intelligence/cryptolocker-its-spam-and-zeuszbot-connection/ -
JockVSJock Member Posts: 1,118F-Secure Labs Blog has been following this issue for the last few days.***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)
"Its easier to deceive the masses then to convince the masses that they have been deceived."
-unknown