Cryptolocker Malware

4_lom4_lom Member Posts: 485
Anyone have to deal with this yet? We've had one client get infected with this so far. A user clicked on a link in an email from "Fedex". It encrypted all of the files on her computer, plus all files in mapped drives she had. By the time it was finished, most of the files on their file server had been encrypted. Luckily, we had some offline backups of their data. We removed the malware from her computer (then reloaded Windows just to be sure), and restored the files. Needless to say, this was not a fun one icon_rolleyes.gif
Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging

Comments

  • YFZbluYFZblu Member Posts: 1,462 ■■■■■■■■□□
    Ah, ransomeware - The bridge trohl of malware. +1 for the nakedsecurity article, it's a good one.
  • 4_lom4_lom Member Posts: 485
    Great article Veritas. Here's another one from BC: Cryptolocker Ransomware
    Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging

  • 4_lom4_lom Member Posts: 485
    I've read that some have actually paid and had their files decrypted. This is really crossing a line of right/wrong in my head. I couldn't see ever giving in and paying the fee, it's basically encouraging malware writers everywhere. But if you have no backups and not being able to recover the files could cripple your business, I guess paying is the only option as of right now.
    Goals for 2018: MCSA: Cloud Platform, AWS Solutions Architect, MCSA : Server 2016, MCSE: Messaging

  • veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    Depends on how important the files are (as you said...). If you didn't back them up and were a small business it might be worth it. I would advise some one in that situation to pay up and them contact their bank and ask for them to get you're money back after the fact. Also cancel the card.... :P
  • YFZbluYFZblu Member Posts: 1,462 ■■■■■■■■□□
    4_lom wrote: »
    I've read that some have actually paid and had their files decrypted. This is really crossing a line of right/wrong in my head. I couldn't see ever giving in and paying the fee, it's basically encouraging malware writers everywhere. But if you have no backups and not being able to recover the files could cripple your business, I guess paying is the only option as of right now.
    Besides the obvious pitfalls of giving money / payment information to a criminal, many would just assume the files were decrypted and all is well; however malware payload is still on the box and it's unlikely the criminals aren't leaving backdoors behind.

    Orgs need to have backups, and they need to reimage on confirmed malware hits. It's the only way IMO.
  • cyberguyprcyberguypr Mod Posts: 6,928 Mod
    Some people never back stuff up and rather pay any price to bring their data back from the dead. When I was doing consulting I had a client decline a backup proposal worth a few hundred bucks just to end up a year later paying Ontrack 2 grand to recover data.

    Takeaway from that article:
    The endgame is the same in all cases: if you have a reliable and recent backup, you'll have a good chance of recovering without too much trouble.

    Prevention, in this case, is significantly better than cure:

    - Stay patched. Keep your operating system and software up to date.
    - Make sure your anti-virus is active and up to date.
    - Avoid opening attachments you weren't expecting, or from people you don't know well.
    - Make regular backups, and store them somewhere safe, preferably offline.

    Don't forget that services that automatically synchronise your data changes with other servers, for example in the cloud, don't count as backup.

    They may be extremely useful, but they tend to propagate errors rather than to defend against them.

    To the synchroniser, a document on your local drive that has just been scrambled by CryptoLocker is the most recent version, and that's that.
  • exampasserexampasser Member Posts: 718 ■■■□□□□□□□
    This is a good reason to have backups on devices that are not connected to the network (I'd image that the malware would have no problems encrypting backup files on shares that the infected PC is connected to.)
  • devils_haircutdevils_haircut Member Posts: 284 ■■■□□□□□□□
    I've seen a couple of these in the shop where I work. The virus itself is relatively easy to remove, but if you don't have backups or the ability to restore previous versions of important files, you're probably screwed. The encryption is ridiculously strong (2048-bit RSA followed by 256-bit AES with the RSA private key encrypted during the second encryption along with the file). I've heard people paying the fee and having their data decrypted, but I don't know that I'd go that route myself.
  • tecjohnsontecjohnson Member Posts: 46 ■■□□□□□□□□
    Weird. I have had this virus on my company's computers but nothing was ever encrypted.

    It was just a big old scary program that stopped other programs from working. But it was account specific so when I logged in with another account it was easy to remove.
  • BalantineBalantine Member Posts: 77 ■■□□□□□□□□
    The %AppData\*.exe is amusing. Such a case in point for why SRP was developed into AppLocker. You have to add more subdirectories manually inside a path... \*\*\*\*.exe etc. I'm surprised it can't be matched with a regular expression.
    dulce bellum inexpertis
  • MrAgentMrAgent Member Posts: 1,310 ■■■■■■■■□□
    I believe you have to pay the fee with bit coins to get the files decrypted, so paying with a credit card and then calling them will not work :/
  • MCITBoundMCITBound Member Posts: 65 ■■□□□□□□□□
    We are currently battling this one on our network... what a pain! We aren't totally sure how the users are getting it. They claim that the haven't opened any emails or done anything out of the ordinary on the web...
    If I gave good advice or was insightful, please add to my reputation!! If you have a LinkedIn account and want a new connection, feel free to add me! If you have any questions, ask! :cool:
  • EveryoneEveryone Member Posts: 1,661
    "They claim"? You actually believe them? ;) I haven't had to deal with this first hand yet, but several co-workers have had customers get it. It's over a month old now. Trojan:Win32/Crilock.A
  • MCITBoundMCITBound Member Posts: 65 ■■□□□□□□□□
    Lol - No, I don't believe them...which is why I'm looking at their email, firewall, and web history to really see what's going on. Also on the phone with Trend Micro, our Anti-Virus provider, to find out how that got through the client.
    If I gave good advice or was insightful, please add to my reputation!! If you have a LinkedIn account and want a new connection, feel free to add me! If you have any questions, ask! :cool:
  • EveryoneEveryone Member Posts: 1,661
    Trend has been able to detect it since September 10th... TROJ_RANSOM.NS | Low Risk | Trend Micro Threat Encyclopedia If you only recently got infected and your virus definitions were up to date, I'd be on the phone wanting to know why too. It is possible there is a new variant they don't detect and that's what you got hit with.
  • YFZbluYFZblu Member Posts: 1,462 ■■■■■■■■□□
    MCITBound wrote: »
    We are currently battling this one on our network... what a pain! We aren't totally sure how the users are getting it. They claim that the haven't opened any emails or done anything out of the ordinary on the web...

    Regarding the web browsing piece of this, I think the biggest kick to the gut about malware is that it no longer hides in the deep dark corners of the interwebs. This year alone I have seen the following sites compromised and redirecting to exploit kit / malware servers:

    -YouTube - their ad rotator was serving malicious content (the users didn't have to click the ad to get infected, btw)
    -WaffleHouse.com
    -SpeedTest.net
    -CBSsports.com
    -Bible.org
    -Glassdoor.com

    ...and the list goes on. Now, those are just well-known and potentially high traffic destinations. Imagine how many legitimate local / small business sites are owned every day. I read recently that 70% of WordPress sites are vulnerable to attack. My larger point here is that legitimate run-of-the-mill sites get owned every day. A lot of them. The type of sites our Users won't think about when considering where malware compromise may have stemmed from.

    As far as the AV issue is concerned, you might want to use a 3rd party vendor to detect the malware, and send the .bup file to Trend for analysis and to get a signature written. Other than that, there are simply too many new malware specimins and variants being developed for them to keep up. It's literally an impossible task.

    I have found that one of the best ways of detecting the commodity malware is by detecting Java connections to uncategorized sites on the internet. Of course for this to be successful you'll need an enterprise grade proxy and IDS - and they must be logging everything.
  • MCITBoundMCITBound Member Posts: 65 ■■□□□□□□□□
    According to Trend, we have gotten a new variant of the virus and they are analyzing it now. This one runs multiple processes of it at the same time, so they end up protecting each other in the event that you end one of the processes.

    Java is being updated on all of our systems. STILL a huge pain!! Lol! I had better things to do today: like setup a second vCenter!
    If I gave good advice or was insightful, please add to my reputation!! If you have a LinkedIn account and want a new connection, feel free to add me! If you have any questions, ask! :cool:
  • EveryoneEveryone Member Posts: 1,661
    You should consider deploying AppLocker (built into Windows 7 and later). AppLocker Documentation for Windows 7 and Windows Server 2008 R2 It would help prevent this type of malware from running when it makes it past all your other layers of protection (including your AV).
  • tpatt100tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    Man didn't people learn that the only reason the Battlestar Galactica survived the Cylon attack was that Adama refused to network his ship?

    We are going to get so networked some day that a virus is going to take us back to the dark ages. Then Bill Cosby with his TI-99/4A will take over the world.
  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    At my old job someone just got hit with this and the main company network drive was encrypted. My boss found the user, wiped their machine, and they were able to restore all but about 20% of the files on the drive. We had been asking people to clean up the files on the drive prior to my leaving and oddly enough it's been two weeks with no complaints about anything missing that was needed.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • ratbuddyratbuddy Member Posts: 665
    My mom got hit with this today. I was on the phone with her, I heard her say 'my files are encrypted? huh?' and knew right away what had happened. My idiot brother was using her computer yesterday, nuff said.

    It's acting unlike other variants I have seen described online. When she attempts to run any program, a UAC window comes up with a generic looking message. The details show that it's actually trying to run vssadmin in quiet mode to erase all shadow copies on the C drive. I don't have physical access to the machine yet, and I told her to keep the wireless off in case there are other infections still active. MSE said it got rid of Cryptolocker. I don't know the mechanism behind the vssadmin attempts - did the trojan rewrite or modify the .exe files individually, is it hooking something on a more general level, etc. I'm sure the real sec-dudes will write about this variant soon enough.

    In the meantime, it's enough to know that there's definitely a new variant out there, and it's getting nastier.
  • Disgruntled3lfDisgruntled3lf Member Posts: 77 ■■■□□□□□□□
    I was reading about this over on THN. The virus will create a bitcoin wallet for you and if you're a US resident you can pay with some cards that are cash only. Supposedly they are honoring the payment agreement and decrypting the files so that is good news at least for those infected.
  • YFZbluYFZblu Member Posts: 1,462 ■■■■■■■■□□
    I was reading about this over on THN. The virus will create a bitcoin wallet for you and if you're a US resident you can pay with some cards that are cash only. Supposedly they are honoring the payment agreement and decrypting the files so that is good news at least for those infected.

    That's assuming no other malware was dropped during the compromise. Sure, the file system will be decrypted - I'd venture a guess that the system remains backdoor'd however.

    Nuke and pave gents, nuke and pave.
  • RomBUSRomBUS Member Posts: 699 ■■■■□□□□□□
    I actually ran into this on a user's desktop earlier this week (had no idea what they were doing prior to contracting it).

    I simply took a note of the .exe that was running in Task Manager which pointed to random character .exe process.logged off the user's profile, ran Malwarebytes and anti-virus scan. Looked up directories and registry entries that were linked to CryptoLocker and that random character .exe file. Cleaned out temp files. Rebooted once directories, scans and necessary registry keys were cleaned out. Did another scan...once it completed I logged back onto the user's profile and all traces of the virus was gone and user was able to get back to work. This took me roughly 40 mins to complete...luckily the user was able to work without the PC for a while
  • YFZbluYFZblu Member Posts: 1,462 ■■■■■■■■□□
    Massachusetts police department pays Cryptolocker ransom: US local police department pays CryptoLocker ransom | Naked Security

    Talk about unprepared to handle a cybercrime incident! Besides the obvious downfalls of desktop techs "cleaning" machines of malware, the police department is so desperate they are willing to decrypt and place compromised data back on the network.

    Of course, the next place my mind takes me is to Zeus. Cryptolocker isn't being dropped alone - people, stop cleaning verified malware hits. Cleaning the obvious malware does not a clean system make. Additionally, after malware compromise, a clean A/V scan does not a clean system make.

    My favorite piece of the article is a quote from the police department's spokesperson: "We were never compromised" icon_rolleyes.gif

    Ref: http://blog.trendmicro.com/trendlabs-security-intelligence/cryptolocker-its-spam-and-zeuszbot-connection/
  • JockVSJockJockVSJock Member Posts: 1,118
    F-Secure Labs Blog has been following this issue for the last few days.
    ***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

    "Its easier to deceive the masses then to convince the masses that they have been deceived."
    -unknown
Sign In or Register to comment.