New virus going around

[the game]

I don't know if this is permitted here or not but I got this in an email today at work and wanted to get awareness out about this new virus going around because it's pretty nasty. If it isn't aloud I apologize.

NCCIC / US-CERT
National Cyber Awareness System:

TA13-309A: CryptoLocker Ransomware Infections
11/05/2013 10:58 AM EST

Original release date: November 05, 2013 | Last revised: November 13, 2013
Systems Affected

Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems

Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key. US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Solution

Prevention

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

Do not follow unsolicited web links in email messages or submit any information to webpages in links
Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments
Maintain up-to-date anti-virus software
Perform regular backups of all systems to limit the impact of data and/or system loss
Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity
Secure open-share drives by only allowing connections from authorized users
Keep your operating system and software up-to-date with the latest patches
Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams
Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks
Mitigation

US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network
Users who are infected should change all passwords AFTER removing the malware from their system
Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:

Restore from backup,
Restore from a shadow copy or
Perform a system restore.
References

CryptoLocker Virus: New Malware Holds Computers For Ransom, Demands $300 Within 100 Hours And Threatens To Encrypt Hard Drive
CryptoLocker Wants Your Money!
CryptoLocker ransomware – see how it works, learn about prevention, cleanup and recovery
Microsoft Support – Description of the Software Restriction Policies in Windows XP
Microsoft Software Restriction Policies Technical Reference – How Software Restriction Policies Work
CryptoLocker Ransomware Information Guide and FAQ
Revision History

Initial
November 13, 2013: Update to Systems Affected (inclusion of Windows 8)

[Vile]

Yeah this one is a really nasty one, it's been going around for about a a couple of months. We didn't have much info about it initially but there's some pretty good info/reading about it now that it's been around for a bit:

http://www.bleepingcomputer.com/viru...re-information
http://www.reddit.com/r/sysadmin/com..._cryptolocker/

[Iamanerd]

Yeah I've dealt with it a few times at work already, it's been out since september but it's not to wide spread yet. Only thing that I've found through testing is that Malwarebytes Pro blocks the exe from coming in. I extracted it off a customers machine and set up a test environment for it, watched it encrypt some bs documents I put on there. Uses 2 key encryption as well so one public and one private. Another good counter-measure is to set AppData to not run exe's period unless you allow exceptions for certain programs. There's a reg fix as well but I haven't tried that.

Just try to be safe on the web and backup your data to multiple sources if it's important and you can't afford to lose it.

Edit: Just saw the well done article on bleeping computer and they have a tool to block cryptolockers paths from which it runs. Still this is a nasty piece of malware and I hope the bastard(s) doing this are caught.

[WeightLossPro]

Sounds nasty. Thanks for the heads up.

[coolflame]

From what I am told (today) it has yet to reach Florida.

[Twoddle]

From what I am told (today) it has yet to reach Florida.

Hasn't reached my computer yet either.

[Cyanotical]

malware is not bound goegraphically


we've been watching this at my SOC for a while now, it's pretty nasty, and about the only way around it is to have archival backups, it will corrupt shadowcopy and encrypt local mounted network drives

but its also been pretty funny, the guys behind the virus now have a full fledged support center to help people pay the ransom, however this will cost you 10 btc instead of 2


my suggestion is to go out and buy an external and backup your music movies and other documents, then unplug it and only plug it in when you need to add something to it, most of us can easily survive blowing away an install and starting over, but an external archive backup makes sure that if you get this virus you can just LOL and reformat your hardrive, not only will this protect you from cryptolocker, but its good practice as well


on top of that, don't open executables you get from email, even if you know the person who's sending them, my friends and i sneakernet programs and only use mail for information

[Ghostpanther]

malware is not bound goegraphically


we've been watching this at my SOC for a while now, it's pretty nasty, and about the only way around it is to have archival backups, it will corrupt shadowcopy and encrypt local mounted network drives

but its also been pretty funny, the guys behind the virus now have a full fledged support center to help people pay the ransom, however this will cost you 10 btc instead of 2


my suggestion is to go out and buy an external and backup your music movies and other documents, then unplug it and only plug it in when you need to add something to it, most of us can easily survive blowing away an install and starting over, but an external archive backup makes sure that if you get this virus you can just LOL and reformat your hardrive, not only will this protect you from cryptolocker, but its good practice as well


on top of that, don't open executables you get from email, even if you know the person who's sending them, my friends and i sneakernet programs and only use mail for information

This is actually the best way to handle this virus. IF more did, those crooks would have to come up with something different to make money by bribery, stealing..etc.
And remember, it is good to reformat your hard drive and reinstall the OS once a year or so anyway. So if you have to do that, keep a good attitude, it is best for your system anyway.

[Cyanotical]

lol, wow, why cryptocurrency? because of it being anonymous? and 1 BTC is valued at around 400 dollars. that's like 4+ grand! LOL

btc is a safer, would you rather give known criminals your cc number?

and yeah, that is around 4 grand

[lordmatthias]

Yeah I have been dealing with this at work for the past couple of weeks. Thus far I have only seen it on email attachments as a .exe compressed in a zip file masquerading as another file extension. We had a handful of users that stupidly opened it in a few of our campuses and it is pretty terrible. Anything that you have mapped in the PC will be effected. This meant that all our file server documents were encrypted. Luckily we had good backups, but all the data those users had locally were lost. Also it appears that you have about a 50-50 chance you will actually get the private key if you actually pay the money, so it is really a crap shoot.

On another note, it appears whoever is sending this out is also specifically targeting spam messaging for my company now as well. I have had to deal with a DDOS attack on one of our satellite offices, and I am now having to deal with particularly well crafted spam that is emulating my domain name (administrator@"yourcompany".org), which even had our help desk email in it to add extra believably. I just finished changing everyone's passwords (including all the admin ones as I found out they had not been changed in the last 15 years).

As a previous poster had mentioned, malwarebytes pro along with a couple different paid for anti-virus do actually have active defenses against this particular randsomware. But really it just comes down to Don't open sketchy files!!!

[septagon]

Gaming on Windows and using Ubuntu for work seems like a good idea now.

The best antivirus for these kinds of things are usually behind the keyboard.

to quote loardmatthias: "Don't open sketchy files!!!"