
HEADS UP!!!

Use this forum to discuss technical issues related to the operation of your computer. Graphics, Hardware, Software, settings, etc.
Weescotty
MAIW Developer
Posts: 2770
Joined: 11 Aug 2006, 22:15
Version: FS9
Location: Sydney

HEADS UP!!!

Post by Weescotty »

Particularly new NASTY virus going around....CRYPTOLOCKER

If it gets in it encrypts a load of your data files (xls, doc, pdf etc), and to get them decrypted you have to pay $300-$350.
What is really bad is if you clean the infection off your system you are still left with encrypted files.
There is not a hope in hell you can crack the encryption; best estimates say that using the fastest supercomputer available it would take hundreds of years.
It will also affect external hard drives connected to your computer (in fact anything that gets a drive letter, including networked drives), so any backups on it get encrypted also.

Best advice -
Backups should be kept off-line, ie not connected to your computer - until needed.
If you are using Windows 7 Pro or above or 8 Pro or above, you can add software restrictions that will stop the current versions from executing. They use the %AppData% and %LocalAppData% folders.
The restrictions also prevent the exes from being run from within an archive.

Lots more info out on the web, good source of what is currently going on (plus how to restrict computers) is in the forums here...
http://www.bleepingcomputer.com/

They reckon these 'people' have so far taken millions of dollars in 'decrypt' payments from companies who can't afford the downtime of a complete file restore.

Have enabled the restrictions on ALL the computers at the place I work for.

Good additional counter is to show file extensions.
Windows 7 by default hides them.
Go to any folder
- select 'Organize' (top left of window)
- select 'Folder and search options'
- select 'View'
- UNCHECK 'Hide extensions for known file types'

You will now see the file extension for all files.

They have been sending emails with what looks like a PDF or a Voicemail file (they have the correct icon look), but they are actually exe files containing the virus.
So with the change above, instead of just seeing MYPDF as the attachment name, you would actually see MYPDF.exe or MYPDF.pdf depending on whether it's real or not.

Be safe!
dk1213
Major
Posts: 403
Joined: 16 Mar 2009, 00:52
Version: FSX
Location: Truax Field (KMSN) Madison, Wisconsin, USA

Re: HEADS UP!!!

Post by dk1213 »

I don't understand why people do this S$%T. It has no benefit even for the idiots that make them.
-DAN KARSZNIA-

Military Aviation Addict
Weescotty
MAIW Developer
Posts: 2770
Joined: 11 Aug 2006, 22:15
Version: FS9
Location: Sydney

Re: HEADS UP!!!

Post by Weescotty »

Hi Dan, yes it does.

Low estimates put the amount of money they have got from companies paying up to get their files decrypted at easily over a million dollars!

Unfortunately this will only encourage other lowlife to try the same thing.

UPDATE - There seems to be a group who have created a DNS blackhole that is (with limited success) intercepting the initial 'callback' to the command and control computers and redirecting it to a dud DNS.
This prevents the virus from even kicking off in the first place; without the initial callback it does not create the encryption key pair and therefore doesn't start encrypting your files - AT THE MOMENT.
This thing is morphing so quickly that anti virus providers are having real problems keeping up with it.
MIKE JG
MAIW Developer
Posts: 10976
Joined: 12 Aug 2006, 02:25
Version: MSFS

Re: HEADS UP!!!

Post by MIKE JG »

Time to decide between the red pill and the blue pill I guess.......

-Mike G.

Recovering flight sim addict, constant lurker.

Check out my real life RV-8 build here: RV-8 Builder Log
Sophie_Westenra
Cadet
Posts: 7
Joined: 22 May 2013, 16:20
Version: FS9
Location: New Zealand / Australia

Re: HEADS UP!!!

Post by Sophie_Westenra »

I believe some major Internet Service Providers (at least Downunder) are also now helping to catch and prevent the spread by not letting it past their servers. If it looks sus, then the email is stopped dead and the recipient does not receive it. The downside is that more and more of your legitimate emails may not make it through to you in their current written form. The sender may need to change how they send attachments or written links to websites.
You should also be aware that these viruses can also be hidden in downloads; games sites like Flightsim are a feeding ground for unsuspecting victims, as you would not know the virus was in the downloaded zip until you clicked on its icon, which would look the same as any normal icon found accompanying that download, such as a PDF file, etc.
These days it pays to use an older PC for browsing and downloading goodies online and keep your main PC away from the web altogether, or use it with caution as to where you visit. Remove your incoming email functions and collect them either on your older PC or use a tablet or pod. Of course I'm talking private home use, not business.
Sophie
INTEL i7 4930K 3.40Ghz 12meg CACHE CPU 2011
64gig DDR3-1600 memory
INTEL X79 Chipset, GBlan, SATA-3 RAID, nVidia GTX780 x2 in SLi, DirectX 11 video card
S/Blaster ZX Audio
512g SSD HDD, 8TB RAID0 STRIPE HardDrive 4 x 2TB HDDs
Triple 27" HDMI monitors
John Young
MAIW Developer
Posts: 4226
Joined: 12 Jul 2008, 15:15

Re: HEADS UP!!!

Post by John Young »

That's interesting Sophie because a few days ago we found a very unusual post from Russia at ACG promoting porno pictures with a link to them. We thought it was malicious and removed it without clicking the link. We have never had any instance like this before and having just seen your reference to flightsim sites, it could well have been the virus we are talking about.

That's really dangerous because it might have instead been positioned as a flightsim related topic. I guess we need to be suspicious of any unrecognised links anywhere.

John
Weescotty
MAIW Developer
Posts: 2770
Joined: 11 Aug 2006, 22:15
Version: FS9
Location: Sydney

Re: HEADS UP!!!

Post by Weescotty »

One of the sneaky ways they are doing it is to give the icon a PDF look and name it e.g. invoice.pdf

What you don't see unless you have file extensions turned on is that it is actually called invoice.pdf.exe

I used a GPO to turn on file extensions on all PCs on the domain and also to block exes running from specific locations.
Finally I prohibited password protected zips, and set our spam app to search within archives and strip out any executable file (exe,bat,ini,cmd etc) before delivery.
Fingers crossed (have already caught a couple, one a .pdf.exe the other a .scr)
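The attachment checks Weescotty describes across both posts (a hidden executable extension behind a decoy one such as invoice.pdf.exe, executables inside an archive, and password-protected zips the filter cannot inspect), written out as an added Python example; this is not code from the thread or from any spam product mentioned, the decoy-extension list and the verdict names are assumptions, and the sample archive is constructed inline.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Executable extensions the post's spam filter strips from archives (.scr added: one was caught).
BLOCKED_EXTENSIONS = {".exe", ".bat", ".ini", ".cmd", ".scr"}
# Document extensions the lures impersonate (assumed list; the thread names PDF and voicemail).
DECOY_EXTENSIONS = {".pdf", ".doc", ".xls", ".wav"}

def classify_name(filename):
    """Return why a filename is suspicious, or None. Catches 'invoice.pdf.exe'-style lures."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes or suffixes[-1] not in BLOCKED_EXTENSIONS:
        return None
    if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTENSIONS:
        return f"double extension {suffixes[-2]}{suffixes[-1]}"
    return f"executable extension {suffixes[-1]}"

def screen_attachment(filename, data):
    """Return (verdict, notes) for one attachment.

    'block'   - the attachment is itself executable, or is a password-protected
                zip the filter cannot look inside (the post prohibits those);
    'strip'   - a zip containing executables that should be removed before delivery;
    'deliver' - nothing found.
    """
    reason = classify_name(filename)
    if reason:
        return "block", [reason]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "deliver", []
    notes = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                return "block", [f"password-protected member {info.filename}"]
            member_reason = classify_name(info.filename)
            if member_reason:
                notes.append(f"{info.filename}: {member_reason}")
    return ("strip" if notes else "deliver"), notes

def build_sample_zip():
    """Constructed sample archive: a genuine-looking PDF name next to a .pdf.exe lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("invoice.pdf.exe", b"MZ constructed sample, not a real binary")
    return buf.getvalue()
```

With extensions hidden in Explorer both members of the sample archive would display as "report" and "invoice" with a PDF icon; the name check is what the mail filter sees regardless of that setting.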