  1. #1
    DF Probation MsDG's Avatar
    Join Date
    May 2002
    Location
    Birmingham
    Posts
    6,456
    Thanks
    93
    Thanked:        1,176
    Karma Level
    947

    Cryptolocker Ransomware Warning

    I thought I should highlight this nasty little bugger to all, as it is doing the rounds at work (Cryptolocker).

    There is a new form of malware/virus going around that has a unique spin to it. When infected your PC will show no signs of problems while it's busy encrypting all of your personal files (documents / pictures etc) on both your PC and any non-UNC drives you have attached to it. Once complete, it then pops up the usual ransom message bollocks.

    The thing that makes this one different to the rest is that you can remove the virus... but you CANNOT decrypt your personal files. They are using strong encryption and no-one yet has cracked it.

    Unless you have backups of your files (on something that wasn't attached at the time of getting the virus) you have pretty much lost everything!

    http://en.wikipedia.org/wiki/CryptoLocker

    9 Thanks given to MsDG

    chesser (29th October 2013),  Doctor Who (26th October 2013),  Mobileman (26th October 2013),  Mr.James (26th October 2013),  Mule (26th October 2013),  muttleymacclad (26th October 2013),  QfanatiQ (28th October 2013),  WRATH OF BOD (28th October 2013),  Zoots (28th October 2013)  


  2. #2
    DF VIP Member hoponbaby's Avatar
    Join Date
    Nov 2000
    Posts
    996
    Thanks
    155
    Thanked:        218
    Karma Level
    335

    Re: Cryptolocker Ransomware Warning

    Apparently they are upholding their end of the "deal" and releasing the decryption key if you pay within the designated time. In some cases people have no choice 😞 effective little scam by the bastards.

  3. #3
    DF VIP Member Over Carl's Avatar
    Join Date
    Apr 2006
    Location
    London
    Posts
    13,125
    Thanks
    3,975
    Thanked:        1,690
    Karma Level
    1252

    Re: Cryptolocker Ransomware Warning

    I've been told if you can find previous versions of the file (right click, properties, previous versions) this works. Also been told it just renames everything to loads of *.tmp files.

    Haven't seen it myself so can't say if that works.

  4. #4
    DF VIP Member ZX7R's Avatar
    Join Date
    May 2002
    Location
    Hertfordshire
    Posts
    3,976
    Thanks
    507
    Thanked:        799
    Karma Level
    578

    Re: Cryptolocker Ransomware Warning

    Quote Originally Posted by MsDG View Post
    I thought I should highlight this nasty little bugger to all, as it is doing the rounds at work (Cryptolocker).

    There is a new form of malware/virus going around that has a unique spin to it. When infected your PC will show no signs of problems while it's busy encrypting all of your personal files (documents / pictures etc) on both your PC and any non-UNC drives you have attached to it. Once complete, it then pops up the usual ransom message bollocks.

    The thing that makes this one different to the rest is that you can remove the virus... but you CANNOT decrypt your personal files. They are using strong encryption and no-one yet has cracked it.

    Unless you have backups of your files (on something that wasn't attached at the time of getting the virus) you have pretty much lost everything!

    http://en.wikipedia.org/wiki/CryptoLocker
    Out of interest, what anti-virus solution is being used at your workplace?

  5. #5
    DF Probation MsDG's Avatar
    Join Date
    May 2002
    Location
    Birmingham
    Posts
    6,456
    Thanks
    93
    Thanked:        1,176
    Karma Level
    947

    Re: Cryptolocker Ransomware Warning

    Quote Originally Posted by Over carl View Post
    I've been told if you can find previous versions of the file (right click, properties, previous versions) this works. Also been told it just renames everything to loads of *.tmp files.

    Haven't seen it myself so can't say if that works.
    The old ransomware renamed files to .tmp... this new one actually encrypts files. Unless you have some backup of your files (sometimes Windows restore works) you are really up shit creek.

    Thanks to MsDG

    Over Carl (27th October 2013)  


  6. #6
    DF Probation MsDG's Avatar
    Join Date
    May 2002
    Location
    Birmingham
    Posts
    6,456
    Thanks
    93
    Thanked:        1,176
    Karma Level
    947

    Re: Cryptolocker Ransomware Warning

    Quote Originally Posted by ZX7R View Post
    Out of interest, what anti-virus solution is being used at your workplace?
    Symantec Corporate. But to be fair to the AV, I think in all cases the payload is being delivered by the user either opening a dodgy zip from an email attachment or installing shite downloaded from the internet.

    You must remember that this ransomware is making someone big money, so they are putting effort into disguising the signature in 0day wave attacks.

    The most effective way to block this little shit seems to be via creating a local / group policy to prevent EXE and ZIP files running in the temp areas of the user's profile.

    http://www.bleepingcomputer.com/viru...re-information

  7. #7
    DF VIP Member Mr.James's Avatar
    Join Date
    Nov 2000
    Location
    town
    Posts
    4,264
    Thanks
    233
    Thanked:        408
    Karma Level
    576

    Re: Cryptolocker Ransomware Warning

    Quote Originally Posted by MsDG View Post
    The most effective way to block this little shit seems to be via creating a local / group policy to prevent EXE and ZIP files running in the temp areas of the user's profile.
    I've been doing this for a long time at work and it can be a right pain in the arse. People can only execute stuff from the Program Files and Windows folders, but it causes so many issues I'm thinking of scrapping it; maybe not if this could be a consequence. It's surprising how many legitimately installed apps copy stuff to a temp folder and run it from there. I must battle with software restriction policies once or twice a month.



    ________________
    Sent via Tapatalk

    2 Thanks given to Mr.James

    Over Carl (27th October 2013),  Zoots (26th October 2013)  
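The policy MsDG describes in post #6, and the exception handling Mr.James says he needs in post #7, can both be expressed as Software Restriction Policy (SRP) path rules. The script below is an added example for this page, not something posted in the thread or taken from the linked guide: it writes the same registry values the Local Security Policy editor (secpol.msc) writes for SRP path rules, blocks executables under the profile's temp areas, shows how to carve out an Unrestricted exception for a specific installer path, and lists the rules back so you can audit what is in force. Which folders count as "temp areas" and the `ExampleVendor` exception path are my assumptions; run it from an elevated PowerShell on a test machine before rolling it out by Group Policy.

```powershell
# Added example, not from the thread. Creates SRP path rules that block executables run from
# the temp areas of the user profile (post #6) and, because legitimate installers also run
# from temp (post #7), an optional Unrestricted exception. Registry layout is the one
# secpol.msc writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer. Run elevated.

$Safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = "$Safer\0\Paths"        # security level 0       = Disallowed
$Allowed    = "$Safer\262144\Paths"   # security level 0x40000 = Unrestricted

# Patterns to block. Which folders count as "temp areas" is an assumption; the
# %Temp%\*.zip\ pattern covers Explorer's extract-and-run of an .exe inside a .zip.
$BlockedPatterns = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\*.exe',
    '%Temp%\*.zip\*.exe'
)

function Enable-Srp {
    # Turn SRP on with a permissive default so only the explicit path rules below bite.
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty -Path $Safer -Name DefaultLevel        -Type DWord -Value 0x40000  # unlisted software stays Unrestricted
    Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Type DWord -Value 1        # 1 = enforce for all software files except DLLs
    Set-ItemProperty -Path $Safer -Name PolicyScope         -Type DWord -Value 0        # 0 = all users, including administrators
    Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Type DWord -Value 0
    # Standard SRP list of file types treated as executable.
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
        'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [string]$Description = 'Added by anti-ransomware SRP script',
        [switch]$Allow        # write under the Unrestricted level instead of Disallowed
    )
    $parent  = if ($Allow) { $Allowed } else { $Disallowed }
    $ruleKey = Join-Path $parent ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    # Value names and types match what secpol.msc writes for a path rule.
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Type ExpandString -Value $Pattern
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Type DWord        -Value 0
    Set-ItemProperty -Path $ruleKey -Name Description  -Type String       -Value $Description
    Set-ItemProperty -Path $ruleKey -Name LastModified -Type QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc())
    return $ruleKey
}

function Get-SrpPathRules {
    # Audit helper: list every path rule under both levels without expanding %vars%.
    foreach ($level in @{ Disallowed = $Disallowed; Unrestricted = $Allowed }.GetEnumerator()) {
        if (-not (Test-Path $level.Value)) { continue }
        Get-ChildItem -Path $level.Value | ForEach-Object {
            [pscustomobject]@{
                Level       = $level.Key
                Pattern     = $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
                Description = $_.GetValue('Description')
            }
        }
    }
}

Enable-Srp
foreach ($p in $BlockedPatterns) { Add-SrpPathRule -Pattern $p -Description "Block $p" | Out-Null }
# Exception for an installer that legitimately runs from temp (hypothetical vendor path).
# A more specific path rule wins over a less specific one, so this Unrestricted rule
# overrides the %Temp%\*.exe block for that one file only.
Add-SrpPathRule -Pattern '%Temp%\ExampleVendor\setup.exe' -Allow -Description 'Hypothetical installer exception' | Out-Null
Get-SrpPathRules | Format-Table -AutoSize
```

SRP is evaluated when a new process starts, so sign out and back in (or reboot) before testing, then try to launch a copy of a harmless executable from `%Temp%` and confirm the "blocked by group policy" message. When an app breaks, `Get-SrpPathRules` tells you which block it hit and `Add-SrpPathRule -Allow` scoped to that exact path is the fix, rather than widening the wildcards or scrapping the policy.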


  8. #8
    DF VIP Member Mr.James's Avatar
    Join Date
    Nov 2000
    Location
    town
    Posts
    4,264
    Thanks
    233
    Thanked:        408
    Karma Level
    576

    Re: Cryptolocker Ransomware Warning

    Quote Originally Posted by MsDG View Post
    and any non-UNC drives you have attached to it.
    Just out of curiosity, does it do mapped network drives? That could be a right pain!


    ________________
    Sent via Tapatalk

  9. #9
    DF Probation MsDG's Avatar
    Join Date
    May 2002
    Location
    Birmingham
    Posts
    6,456
    Thanks
    93
    Thanked:        1,176
    Karma Level
    947

    Re: Cryptolocker Ransomware Warning

    Quote Originally Posted by Mr.James View Post
    Just out of curiosity, does it do mapped network drives? That could be a right pain!


    ________________
    Sent via Tapatalk
    I am not sure. We use mapped UNC drives... so far we have not had any issues on the network drives.

    Thanks to MsDG

    Mr.James (26th October 2013)  


  10. #10
    DF VIP Member Mr.James's Avatar
    Join Date
    Nov 2000
    Location
    town
    Posts
    4,264
    Thanks
    233
    Thanked:        408
    Karma Level
    576

    Re: Cryptolocker Ransomware Warning

    That's not too bad then... All our 'My Docs' folders are redirected onto UNC and the rest on mapped drives. The only things people would lose are desktop folders, favourites etc.

    Email archives could be a pain though.


    ________________
    Sent via Tapatalk

  11. #11
    DF VIP Member keyser666's Avatar
    Join Date
    Sep 2013
    Location
    United Kingdom
    Posts
    275
    Thanks
    92
    Thanked:        152
    Karma Level
    157

    Re: Cryptolocker Ransomware Warning

    Well Outlook strips out attachments at client level that are .exe, .bat, .zip etc. They are actually there but the default reg key is not to show them, so users won't be seeing them anyway. Can't remember with Notes or GroupWise as I have not supported them for some years.

  12. #12
    DF VIP Member akimba's Avatar
    Join Date
    Jun 2006
    Location
    UK
    Posts
    2,846
    Thanks
    1,034
    Thanked:        783
    Karma Level
    369

    Re: Cryptolocker Ransomware Warning

    There's so much 3rd party encryption software out there now, it wasn't going to be long until it was used for ill-gotten gains :-(

  13. #13
    DF VIP Member QfanatiQ's Avatar
    Join Date
    Jan 2004
    Location
    Berkshire
    Posts
    3,944
    Thanks
    241
    Thanked:        131
    Karma Level
    437

    Re: Cryptolocker Ransomware Warning

    Thanks for this. I got hit several times on the old Ransomware. I must back up and will do tonight. This is a good reason to save files on a separate HD as well.

    I take it Win7 does not have a block against this?

    What is the money being asked for value wise?

    Cheers.....Q

  14. #14
    DF VIP Member DJ OD's Avatar
    Join Date
    Jul 2001
    Location
    On da decks.
    Posts
    10,114
    Thanks
    1,008
    Thanked:        2,254
    Karma Level
    1105

    Re: Cryptolocker Ransomware Warning

    Cunning little trick TBH.

    Thing is, regardless of how good your A/V security is, you can never stop idiots doing stupid shit. In the workplace nothing should be stored locally anyway. If local machines get infected, a quick reboot with a machine image fixes all in a few minutes.

    Fkin shite for home users! Hardly anyone backs up stuff properly.

    I've got my music backed up in about 5 locations! Need to do a new one though...


    DJ OD

  15. #15
    DF Probation MsDG's Avatar
    Join Date
    May 2002
    Location
    Birmingham
    Posts
    6,456
    Thanks
    93
    Thanked:        1,176
    Karma Level
    947

    Re: Cryptolocker Ransomware Warning

    Quote Originally Posted by QfanatiQ View Post
    Thanks for this. I got hit several times on the old Ransomware. I must back up and will do tonight. This is a good reason to save files on a separate HD as well.

    I take it Win7 does not have a block against this?

    What is the money being asked for value wise?

    Cheers.....Q
    Windows will block if it is an outside attack, but if the user initiates it (i.e. manually installing it) then you are entirely down to your AV recognising it and blocking it.

    Money = up to $300

  16. #16
    DF VIP Member muttleymacclad's Avatar
    Join Date
    Aug 2006
    Location
    Here
    Posts
    5,717
    Thanks
    931
    Thanked:        659
    Karma Level
    646

    Re: Cryptolocker Ransomware Warning

    Was thinking about this.

    If you remove the infection and all traces of it, how do you then find who to contact to get the decryption key from?

    Is it a unique key for each decryption or a common public key?

    If it's unique then how do the 'infectors' know it's their variant that has caused the encryption and therefore provide the right key (assuming there are variants in the wild)?

    Do you have to provide a hash to obtain the correct decrypt key?

    Mml


    Sent from my iPhone using Tapatalk
    "When a naked man is chasing a woman through an alley with a butchers knife and a hard-on, I figure he isn't out collecting for the Red Cross." - 'Dirty' Harry

  17. #17
    DF Probation MsDG's Avatar
    Join Date
    May 2002
    Location
    Birmingham
    Posts
    6,456
    Thanks
    93
    Thanked:        1,176
    Karma Level
    947

    Re: Cryptolocker Ransomware Warning

    Obviously if you kill the virus you cannot then pay and get the files decrypted.

    From the forums I have read, no-one has yet reverse engineered the virus, so no-one knows much about the encryption.

    "The necessary decryption key is never left lying around on host machines. CryptoLocker phones home to a command-and-control server to obtain a public RSA key before it begins the task of silently encrypting files on compromised machines. The same command server also hosts the private key."

  18. #18
    DF VIP Member QfanatiQ's Avatar
    Join Date
    Jan 2004
    Location
    Berkshire
    Posts
    3,944
    Thanks
    241
    Thanked:        131
    Karma Level
    437

    Re: Cryptolocker Ransomware Warning

    Quote Originally Posted by MsDG View Post
    Windows will block if it is an outside attack, but if the user initiates it (i.e. manually installing it) then you are entirely down to your AV recognising it and blocking it.

    Money = up to $300
    Are we talking Ransomware generally or this new one?

    I never instigated it, first time is explainable, but my other two hits, no idea and very frustrating.

    Nevertheless, this is good to know and deal with.

    Q

  19. #19
    DF VIP Member Over Carl's Avatar
    Join Date
    Apr 2006
    Location
    London
    Posts
    13,125
    Thanks
    3,975
    Thanked:        1,690
    Karma Level
    1252

    Re: Cryptolocker Ransomware Warning

    Just started my first day doing commercial IT support in a while and had fun with a client that had this virus. Only one machine was infected, but this nuked pretty much everything on the UNC shares on the server that were set up as mapped drives (mapped via IP address rather than hostname, if that makes a difference).

    Quote Originally Posted by muttleymacclad View Post
    Was thinking about this.

    If you remove the Infection and all traces of it, how do you then find who to contact to get the decryption key from?
    If you get infected you will have a countdown, it says after this the files will not be recoverable even if you pay. As you mentioned if you uninstall/clean it you then won't be able to pay if you wished, but they helpfully provide a link you can use to re-infect the pc to allow you to pay them to sort it.

    Quote Originally Posted by MsDG View Post
    Money = up to $300
    The two options I saw were either 2 bitcoin or you had to load money on some prepayment card that is only a valid option in the US.
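Over Carl's report above (one infected workstation, every mapped share on the server encrypted) and the earlier question about mapped drives in posts #8 to #10 are the case a cheap canary-file check is built for. The script below is an added example written for this page, not from the thread: it drops a small document in each share root with a name that sorts early, records a SHA-256 baseline, and on each scheduled run reports any canary that has gone missing (renamed) or changed (overwritten in place), optionally dropping the workstation's mapped drives so the damage stops there. The share paths, canary name and baseline location are constructed placeholders; it detects an encryptor already running, it does not prevent one.

```powershell
# Added example, not from the thread. Canary files on mapped/UNC shares: a document with an
# early-sorting name in each share root, a SHA-256 baseline, and a check that reports canaries
# that were renamed (missing) or rewritten (hash changed). Paths below are constructed.

$CanaryRoots  = @('M:\', '\\fileserver\shared')          # assumption: your mapped/UNC roots
$CanaryName   = '~aaa_do_not_delete_canary.docx'          # sorts first so a bulk encryptor hits it early
$BaselinePath = Join-Path $env:ProgramData 'share-canary-baseline.json'

function New-Canaries {
    # Create the canaries if absent and record their hashes. Content is arbitrary constructed
    # text; only the recorded hash matters.
    $baseline = @{}
    foreach ($root in $CanaryRoots) {
        $path = Join-Path $root $CanaryName
        if (-not (Test-Path -LiteralPath $path)) {
            $bytes = [Text.Encoding]::UTF8.GetBytes("canary placed $(Get-Date -Format o)")
            [IO.File]::WriteAllBytes($path, $bytes)
        }
        $baseline[$path] = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
    $baseline | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    return $baseline.Count
}

function Test-Canaries {
    # Returns a list of tripped canaries (empty when everything matches the baseline).
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $tripped  = @()
    foreach ($entry in $baseline.PSObject.Properties) {
        $path = $entry.Name
        if (-not (Test-Path -LiteralPath $path)) {
            $tripped += "$path : missing (deleted or renamed)"   # old-style renamers
            continue
        }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $entry.Value) {
            $tripped += "$path : content changed"                 # in-place encryptors
        }
    }
    return $tripped
}

function Invoke-CanaryCheck {
    param([switch]$DisconnectOnTrip)   # opt in: drop mapped drives when a canary trips
    $tripped = Test-Canaries
    if ($tripped.Count -eq 0) { return $tripped }
    foreach ($t in $tripped) { Write-Warning "CANARY TRIPPED: $t" }
    if ($DisconnectOnTrip) {
        # Cut this workstation off from every mapped drive; re-map manually after cleanup.
        net use * /delete /y | Out-Null
    }
    return $tripped
}

# First run: place canaries and store the baseline. Later runs (e.g. a scheduled task every
# few minutes): Invoke-CanaryCheck -DisconnectOnTrip
if (-not (Test-Path -Path $BaselinePath)) { New-Canaries | Out-Null }
Invoke-CanaryCheck
```

Run `New-Canaries` once per workstation or, better, once from a dedicated monitoring account that has write access to the shares, then schedule `Invoke-CanaryCheck` at a short interval. A tripped canary tells you a share is being rewritten while you still have most of it intact; the response is to isolate the writing machine and go to the backups, not to trust whatever is left on the share.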

  20. #20
    DF Super Moderator evilsatan's Avatar
    Join Date
    Jul 2004
    Location
    Essex
    Posts
    20,080
    Thanks
    1,105
    Thanked:        3,242
    Karma Level
    1542

    Re: Cryptolocker Ransomware Warning

    Cloud backups with versioning ftw then and offline backups for the data that's too large. Might have to disconnect my mapped drives for the time being too as the data on there is too large to backup (but is also replaceable, just inconvenient to lose).

    Looks like I will be buying MBAM Pro just in case, it claims to prevent infection:
    http://blog.malwarebytes.org/intelli...-need-to-know/

    Lifetime Pro license less than half price:
    http://www.digital-forums.com/showth...9-30?p=3721643
    Last edited by evilsatan; 29th October 2013 at 08:14 PM.

