CryptoLocker!

  • Thread starter DQuaN
  • 27 comments
  • 2,488 views

DQuaN

Has anyone dealt with this yet? I'm dealing with it for one of my customers and it is a HORRIBLE virus.

Some info: http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/

The basics of it are that when infected, it will immediately encrypt all the files it can find in shares. The encryption is done using RSA2048 and the decryption key is held by the virus distributors. The encryption cannot be broken. The distributors will give you the key for a fee of $300, otherwise they will destroy the key leaving your files locked forever.

Your only options are pay, or restore from backup.

I'm using the latter option on my customer.
 
Have not seen it, and I hope someone finds and kills these guys before I do see it.

Delivery seems to be by attached ZIP files in email, which are always dangerous and suspect.
 
We've been warned of this at work. It's a particularly nasty virus.
 
Can't we just follow the money trail and break some kneecaps? Cyber crime is beyond frustrating.....
 
I haven't seen it yet, hopefully never will. Does it just target files in the users My Documents folder? Or will it just scan the system for those extension files?


Jerome
 
This is a nasty 🤬. I deal with it at work as I work for an Online Backup company. It can affect local drives, removable drives (read: externals that are still hooked up), network drives and network computers. From what we've learned, it changed the metadata on the files and it really doesn't matter where the file is/was. You must have a dated backup and know when you were infected to restore it to.

Obviously, DO NOT PAY THE RANSOM. Reports of it being paid do not ultimately lead to getting the encryption key or even the key working properly.

My suggestion: make weekly full backups of essential data on a removable drive and remove it when not doing the backup. The source of the infection seems to be emails that have hidden attachments. The emails seem legit, but nasty things ensue; not even a web page loads. It seems to be a direct executable attached that is opened through the hyperlink in the email.
 
Again, we need to hunt these 🤬 down and break every one of their fingers. :mad:

I am normally a pretty mellow dude, but this kind of malicious trickery is so evasive, destructive, and can literally bring a company to its knees. Not to mention all the personal information that potentially can be destroyed. Backups of family photos never to be retrieved? It's like someone coming to your house and ransacking the place.
 
Same here. These hackers are absolute no-lives. If they wanted to be rich, they should get a job and work hard, not sit on their asses hacking people.
 
While they didn't call it CryptoLocker, the campus IT department sent out an email advising against opening attachments and clicking on links in strange emails or your files could be encrypted.

Ya think?
 
This virus intrigues me. It attacks shares too!!! That is so clever :lol:. The company's assets are at stake plus everything else within the host. I love it. Whoever created this virus, I give massive props.
 
You have got to be 🤬 kidding, right? Losing everything on all of your drives because some douche made a virus that encrypts all of your files because a co-worker or family member clicked on something they shouldn't have?

Yeah, that sounds absolutely swell. :rolleyes:
 
Not swell one bit. I ran into a similar predicament with a drive running EFS. Lost the profile certificate :grumpy:. Damn asymmetric cryptography, you scary.
 
Everybody recommending keeping backups up to date.... It wouldn't hurt to make sure the backup drive is disconnected when complete. How much suck would it be to have those encrypted, too?

I say this because it's my habit to back up a 30-day retention of image backups to a USB drive that is always there. I've not had any backups actually kept offline, and I need to address that.
 
Depends how you're backing up. If you're just doing flat file copies then yes, you are in trouble, but that's a silly way of backing up.

If you have a backup program that backs up to a bkf or some other file, you are safe.
 
How? If it's accessible to the virus, and it gets encrypted, then what? Are there only certain file types this thing goes after?
 
Yes.

Files targeted are those commonly found on most PCs today; the list of file extensions for targeted files includes:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx
 
A lot of backup software will make some sort of image of your backups (similar to zipping your files). The best news from that is that most of them make a specific file extension for use with just that backup software so that 'should' make it safer.

But what he is referring to is having a backup drive plugged into your system at all times. If your backup drive is plugged in while your system gets compromised, the virus will infect your backup too, rendering your files at their mercy.

As for the file types, the first link in the OP has a list of file types. Basically all the common file types for word, notepad, jpg, excel...tons of them.


Jerome
 
I'm not scared about getting this but I'm scared for my parents and many other networks. I'm going to have to tell my parents, brothers and sister about this because it can really ruin someone's life. My dad has many copies of his dissertations so that's good. I wish someone were able to out these people taking advantage of others. I'd love to go to their places armed with just a pair of pliers.
 
Pliers would be too humane. I would go in bare handed. :grumpy:
 
My father runs a security blog and has a lot of articles about cryptolocker and others. These days all people need to learn how to prevent and remove malware. Security education is important for all ages.
 
However, removal is very difficult when there is no symptom before it's too late for this virus. By the time you've figured it out, you're clicking on encrypted files or getting the ransom request, and the files are already encrypted. People just need to quit sending links in emails, if not necessary, and people need to stop clicking on them.
 
I've been doing some research on this virus. The reason is that I gave my mother's computer (+ others') access to some important shares advertised by my home server. I pretty much had to redo my whole automated backup strategy. One thing that had me curious is whether it can change file permissions in a forceful manner, then encrypt the files.

Luckily I found this (quote):

NOTE: Also take this opportunity to review the permissions set on your file server share access control lists, or ACLs. Cryptolocker possesses no special capabilities to override deny permissions, so if the user who gets infected is logged into an account that has very limited permissions, the damage will be minimal. Conversely, if you allow the Everyone group Write access for the NTFS permissions on most of your file shares, and you use mapped drives, one Cryptolocker infection could put you into a world of hurt. Review your permissions now. Tighten where you can. Work with your line of business application vendors to further tighten loose permissions that are "required" for "supportability" -- often these specifications are needlessly broad.

Source: http://www.computerworld.com.au/art...etting_infected_what_do/?fp=4&fpid=1398720840

Thank god it does not override permissions. Still formulating my new automated backup strategy. I do know that the way to prevent it from infecting file shares, network drives, etc. is to run something as simple as a custom bat file that checks the registry with "REG" for any signs of cryptolocker in the registry, backs up your stuff if it passes the registry search, and uses "cacls" to change the access control list with permissions that render the cryptolocker virus unable to encrypt any backed up files. Also using a system health validator will help fend off any new PCs that connect to the network.

For when my mother's PC (+ others') is already on the network and she happens to open the cryptolocker executable, she will need administrative privileges in order to install it, plus I will use an audit policy that prompts my computer's event viewer if the event happens.
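The two defensive ideas in this post and in the quoted Computerworld note (check for an infection indicator before backing up, then lock the backup down with ACLs so a user account that gets infected can only read it, and review shares for overly broad write permissions) can be put into one script. The example below is an added PowerShell version of that batch-file idea; it is not code from the thread or from any of the linked articles. It uses icacls, which supersedes cacls on current Windows, and robocopy for the copy. The source and backup paths, the backup service account and the registry key are placeholders: the thread names no specific registry indicator, so $IndicatorKey is whatever key you decide to check, and it must be replaced before use.

```powershell
<#
  Added example (not from the thread): guarded backup with an ACL review.
  Assumptions (all placeholders, none taken from the thread):
    $SourceRoot    - the share folder users write to
    $BackupRoot    - a folder on a separate drive, writable only by admins
                     and the backup account
    $IndicatorKey  - a registry key you treat as an infection indicator
    $BackupAccount - a hypothetical dedicated account that runs this script
  Run elevated, as the backup account, from a scheduled task.
#>
param(
    [string]$SourceRoot    = 'D:\Shares\Documents',
    [string]$BackupRoot    = 'E:\Backups\Documents',
    [string]$IndicatorKey  = 'HKCU:\Software\PLACEHOLDER-INDICATOR-KEY',
    [string]$BackupAccount = "$env:COMPUTERNAME\backupsvc"
)

# Step 1: the "REG query" check from the post. Test-Path on the HKCU: drive
# returns $true when the key exists; if it does, the source may already hold
# encrypted files and the backup must not overwrite the last good copy.
function Test-InfectionIndicator {
    param([string]$Key)
    return (Test-Path -Path $Key)
}

# Step 2: the ACL review the quoted note asks for. Report every folder under
# $Root where a broad group holds an Allow entry carrying Write or Modify.
function Find-LooseAcl {
    param([string]$Root)
    $broadGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
                 [System.Security.AccessControl.FileSystemRights]::Modify
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $broadGroups -contains $ace.IdentityReference.Value -and
                (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
      }
}

# Step 3: copy, then lock the backup so ordinary users (the accounts that
# open the attachments) can read it but never write to it. Administrators
# keep full control and the backup account keeps Modify for the next run.
function Invoke-GuardedBackup {
    if (Test-InfectionIndicator -Key $IndicatorKey) {
        Write-Warning "Indicator key '$IndicatorKey' is present; backup skipped."
        return 2
    }

    $loose = Find-LooseAcl -Root $SourceRoot
    if ($loose) {
        Write-Warning ("Broad write permissions found:`n" + ($loose | Format-Table -AutoSize | Out-String))
    }

    # robocopy exit codes below 8 mean success (copied / nothing to copy / extras).
    robocopy $SourceRoot $BackupRoot /E /R:1 /W:1 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) {
        Write-Error "robocopy failed with exit code $LASTEXITCODE"
        return 1
    }

    # Replace inherited ACEs with an explicit, minimal ACL on the backup tree.
    & icacls $BackupRoot /inheritance:r | Out-Null
    & icacls $BackupRoot /grant:r `
        'BUILTIN\Administrators:(OI)(CI)F' `
        "${BackupAccount}:(OI)(CI)M" `
        'NT AUTHORITY\Authenticated Users:(OI)(CI)RX' | Out-Null

    # Step 4: the audit-policy piece of the post. Failure audits for File System
    # objects land in the Security log (events 4656/4663) once the backup folder
    # also carries a SACL; this only switches the category on.
    auditpol /set /subcategory:"File System" /failure:enable | Out-Null
    return 0
}

[int]$rc = Invoke-GuardedBackup
exit $rc
```

The order matters: the indicator check runs before the copy so that an already-encrypted source never replaces the previous backup, and the ACL is re-applied after every copy so that a restore or a new folder cannot quietly re-introduce inherited write access. The read-only grant to Authenticated Users is what makes the quoted note's point concrete: the malware runs with the logged-in user's rights and has no way past a deny or a missing write permission, so a user-level infection cannot touch the copies.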
 
I have dealt with this at my work (Online Data Backup). No fun. There was a customer that had the attack; we got her fixed, and a few weeks later she had it back. The virus is no fun at any level, and there is nothing to stop it unless people have more security information, as mentioned already.
 