1. #1

    New virus going around

    I don't know if this is permitted here or not but I got this in an email today at work and wanted to get awareness out about this new virus going around because it's pretty nasty. If it isn't aloud I apologize.

    NCCIC / US-CERT
    National Cyber Awareness System:

    TA13-309A: CryptoLocker Ransomware Infections
    11/05/2013 10:58 AM EST

    Original release date: November 05, 2013 | Last revised: November 13, 2013
    Systems Affected

    Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems

    Overview

    US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

    Description

    CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

    Impact

    The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.

    Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

    While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key. US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

    Solution

    Prevention

    US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

    Do not follow unsolicited web links in email messages or submit any information to webpages in links
    Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments
    Maintain up-to-date anti-virus software
    Perform regular backups of all systems to limit the impact of data and/or system loss
    Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity
    Secure open-share drives by only allowing connections from authorized users
    Keep your operating system and software up-to-date with the latest patches
    Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams
    Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks
    Mitigation

    US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

    Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network
    Users who are infected should change all passwords AFTER removing the malware from their system
    Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:

    Restore from backup,
    Restore from a shadow copy or
    Perform a system restore.
    References

    CryptoLocker Virus: New Malware Holds Computers For Ransom, Demands $300 Within 100 Hours And Threatens To Encrypt Hard Drive
    CryptoLocker Wants Your Money!
    CryptoLocker ransomware – see how it works, learn about prevention, cleanup and recovery
    Microsoft Support – Description of the Software Restriction Policies in Windows XP
    Microsoft Software Restriction Policies Technical Reference – How Software Restriction Policies Work
    CryptoLocker Ransomware Information Guide and FAQ
    Revision History

    Initial
    November 13, 2013: Update to Systems Affected (inclusion of Windows 8)

  2. #2
    High Overlord Vile's Avatar
    Join Date
    Mar 2008
    Location
    Arizona, USA
    Posts
    122
    Yeah this one is a really nasty one, it's been going around for about a a couple of months. We didn't have much info about it initially but there's some pretty good info/reading about it now that it's been around for a bit:

    http://www.bleepingcomputer.com/viru...re-information
    http://www.reddit.com/r/sysadmin/com..._cryptolocker/
    Last edited by Vile; 2013-11-15 at 05:00 PM.

  3. #3
    Epic! Iamanerd's Avatar
    Join Date
    Jul 2011
    Location
    Connecticut, USA
    Posts
    1,730
    Yeah I've dealt with it a few times at work already, it's been out since september but it's not to wide spread yet. Only thing that I've found through testing is that Malwarebytes Pro blocks the exe from coming in. I extracted it off a customers machine and set up a test environment for it, watched it encrypt some bs documents I put on there. Uses 2 key encryption as well so one public and one private. Another good counter-measure is to set AppData to not run exe's period unless you allow exceptions for certain programs. There's a reg fix as well but I haven't tried that.

    Just try to be safe on the web and backup your data to multiple sources if it's important and you can't afford to lose it.

    Edit: Just saw the well done article on bleeping computer and they have a tool to block cryptolockers paths from which it runs. Still this is a nasty piece of malware and I hope the bastard(s) doing this are caught.
    Last edited by Iamanerd; 2013-11-14 at 02:40 AM.
    Intel I5-2500k @4.8Ghz| Noctua NH-U9B | Asus P67 Deluxe | 16GB G.SKILL Ares 2133Mhz
    Samsung 840 EVO 500GB/1TB | 512GB MX100 | 1TB WD Black x2 | 2TB WD Black |3TB WD Green NAS x2
    MSI GTX 980 Gaming 4G | SeasonicX 650 | NXZT H440 | Asus PB278Q | Razor Naga Molten Edition | CM Quick Fire Rapid TK
    Asus Xonar Essense STX | Presonus E5 x2 | Takstar HiFi 2050's

  4. #4
    Sounds nasty. Thanks for the heads up.

  5. #5
    High Overlord
    Join Date
    Jun 2009
    Location
    Florida
    Posts
    157
    From what I am told (today) it has yet to reach Florida.

  6. #6
    Quote Originally Posted by coolflame View Post
    From what I am told (today) it has yet to reach Florida.
    Hasn't reached my computer yet either.

  7. #7
    I am Murloc! Cyanotical's Avatar
    Join Date
    Feb 2011
    Location
    Colorado
    Posts
    5,256
    malware is not bound goegraphically


    we've been watching this at my SOC for a while now, it's pretty nasty, and about the only way around it is to have archival backups, it will corrupt shadowcopy and encrypt local mounted network drives

    but its also been pretty funny, the guys behind the virus now have a full fledged support center to help people pay the ransom, however this will cost you 10 btc instead of 2


    my suggestion is to go out and buy an external and backup your music movies and other documents, then unplug it and only plug it in when you need to add something to it, most of us can easily survive blowing away an install and starting over, but an external archive backup makes sure that if you get this virus you can just LOL and reformat your hardrive, not only will this protect you from cryptolocker, but its good practice as well


    on top of that, don't open executables you get from email, even if you know the person who's sending them, my friends and i sneakernet programs and only use mail for information

    i7-4790K | Z97 Class. | 8GB DDR3-2133 | GTX-690 Quad SLI | RAIDR | 512GB Samsung 830 | AX1200 | RV05
    Dell U2711 | Ducky Shine3 YoS | Steelseries Sensei | Xonar Essence One | KRK RP8G2s

  8. #8
    Stood in the Fire
    Join Date
    Dec 2010
    Location
    Kansas City, MO
    Posts
    422
    Quote Originally Posted by Cyanotical View Post
    but its also been pretty funny, the guys behind the virus now have a full fledged support center to help people pay the ransom, however this will cost you 10 btc instead of 2
    lol, wow, why cryptocurrency? because of it being anonymous? and 1 BTC is valued at around 400 dollars. that's like 4+ grand! LOL

  9. #9
    Herald of the Titans Ghostpanther's Avatar
    Join Date
    Dec 2012
    Location
    USA
    Posts
    2,556
    Quote Originally Posted by Cyanotical View Post
    malware is not bound goegraphically


    we've been watching this at my SOC for a while now, it's pretty nasty, and about the only way around it is to have archival backups, it will corrupt shadowcopy and encrypt local mounted network drives

    but its also been pretty funny, the guys behind the virus now have a full fledged support center to help people pay the ransom, however this will cost you 10 btc instead of 2


    my suggestion is to go out and buy an external and backup your music movies and other documents, then unplug it and only plug it in when you need to add something to it, most of us can easily survive blowing away an install and starting over, but an external archive backup makes sure that if you get this virus you can just LOL and reformat your hardrive, not only will this protect you from cryptolocker, but its good practice as well


    on top of that, don't open executables you get from email, even if you know the person who's sending them, my friends and i sneakernet programs and only use mail for information
    This is actually the best way to handle this virus. IF more did, those crooks would have to come up with something different to make money by bribery, stealing..etc.
    And remember, it is good to reformat your hard drive and reinstall the OS once a year or so anyway. So if you have to do that, keep a good attitude, it is best for your system anyway.

  10. #10
    I am Murloc! Cyanotical's Avatar
    Join Date
    Feb 2011
    Location
    Colorado
    Posts
    5,256
    Quote Originally Posted by mercs213 View Post
    lol, wow, why cryptocurrency? because of it being anonymous? and 1 BTC is valued at around 400 dollars. that's like 4+ grand! LOL
    btc is a safer, would you rather give known criminals your cc number?

    and yeah, that is around 4 grand

    i7-4790K | Z97 Class. | 8GB DDR3-2133 | GTX-690 Quad SLI | RAIDR | 512GB Samsung 830 | AX1200 | RV05
    Dell U2711 | Ducky Shine3 YoS | Steelseries Sensei | Xonar Essence One | KRK RP8G2s

  11. #11
    Yeah I have been dealing with this at work for the past couple of weeks. Thus far I have only seen it on email attachments as a .exe compressed in a zip file masquerading as another file extension. We had a handful of users that stupidly opened it in a few of our campuses and it is pretty terrible. Anything that you have mapped in the PC will be effected. This meant that all our file server documents were encrypted. Luckily we had good backups, but all the data those users had locally were lost. Also it appears that you have about a 50-50 chance you will actually get the private key if you actually pay the money, so it is really a crap shoot.

    On another note, it appears whoever is sending this out is also specifically targeting spam messaging for my company now as well. I have had to deal with a DDOS attack on one of our satellite offices, and I am now having to deal with particularly well crafted spam that is emulating my domain name (administrator@"yourcompany".org), which even had our help desk email in it to add extra believably. I just finished changing everyone's passwords (including all the admin ones as I found out they had not been changed in the last 15 years).

    As a previous poster had mentioned, malwarebytes pro along with a couple different paid for anti-virus do actually have active defenses against this particular randsomware. But really it just comes down to Don't open sketchy files!!!

  12. #12
    Gaming on Windows and using Ubuntu for work seems like a good idea now.

    The best antivirus for these kinds of things are usually behind the keyboard.

    to quote loardmatthias: "Don't open sketchy files!!!"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •