68 replies to this topic

#1 +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 12 September 2013 - 14:07

Today I heard reports of a new piece of malware that is going around. This one is particularly nasty: it encrypts all of the data on your drive and mapped network drives with a RSA 256 bit AES key. Once encrypted there is no way to decrypt it. The only way to get the files back is from an off-site backup (because if the backup drive is local it also gets encrypted) or to actually pay them the money, in which case they apparently decrypt your data.

 

[Image: crilock.png]

 

A video from Remove-malware.com

Over the past few days Emsisoft’s malware research team has received numerous reports of a new file encrypting ransomware strain. This new family of ransomware is commonly referred to as CryptoLocker or Trojan:Win32/Crilock.A.

Ransom note as presented by CryptoLocker

Like all file encrypting ransomware (also known as crypto malware) the goal of the attacker is to encrypt important files on the victim’s system in order to compel them to pay a ransom in return for their files.
Initial infection and establishing communication

Based on the data we have gathered so far, the infection is mainly spread via social engineering techniques. Multiple victims received emails with alleged customer complaints containing an attachment that is in fact a malware downloader. This downloader then downloads and installs the actual CryptoLocker malware. Once CryptoLocker has been downloaded and executed by the downloader, it ensures its automatic start during boot by using the following registry value

 

 

http://blog.emsisoft...omware-variant/
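The Emsisoft excerpt above says CryptoLocker registers itself under a registry value so that it starts at boot, but the value itself is cut off on this page. As an added example (not from the thread and not from Emsisoft), here is a PowerShell audit of the standard Run and RunOnce keys that flags autostart entries launching a binary from a folder a non-elevated user can write to, the pattern user-level persistence tends to follow. The key list and the "user-writable location" heuristic are assumptions for illustration, not a description of this specific sample's value.

```powershell
# Added example, not from the thread: audit the common autostart keys and
# flag entries whose executable lives in a user-writable folder.
# The key list and the writable-folder heuristic are assumptions.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a standard user can write to without UAC elevation.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ }

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those.
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value

            # Pull the executable out of the command line, quoted or bare.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $inUserDir = $false
            foreach ($dir in $userWritable) {
                if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inUserDir = $true }
            }

            [pscustomobject]@{
                Key                  = $key
                Name                 = $prop.Name
                Command              = $cmd
                Executable           = $exe
                Exists               = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
                UserWritableLocation = $inUserDir
            }
        }
    }
}

# Entries launching from the user profile are listed first for review.
Get-RunEntries | Sort-Object UserWritableLocation -Descending | Format-Table -AutoSize
```

Reading the Run keys needs no elevation, so this runs as the affected user; an entry with `UserWritableLocation` true and an unfamiliar name is the kind of thing to look at first, while `Exists` false usually means leftover configuration from a removed program.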




#2 +Bryan R.

Bryan R.

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 04-September 07
  • Location: Palm Beach, FL

Posted 12 September 2013 - 14:09

Yeah I have a client who got this on Monday. Had to restore from backup rather than deal with the encryption. Pretty nasty indeed.



#3 UseLess

UseLess

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 24-July 04
  • Location: Australia, West Coast

Posted 12 September 2013 - 14:15

Oh. How rude! Time to make all my network drives read-only! (technically all but 1 - RAID5 can deal with 1) I don't have any other way to practically deal with it =P

 

More on topic, I would imagine UAC wouldn't really protect against this at all as it could run in user space and still do a lot of damage! (getting to run is a different story)



#4 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 12 September 2013 - 14:22

Yeah I have a client who got this on Monday. Had to restore from backup rather than deal with the encryption. Pretty nasty indeed.

 

That's the problem, it's amazing they even had backups. 99% of people have no backups. For the 1% that actually have backups, they are local and not offsite.



#5 +Bryan R.

Bryan R.

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 04-September 07
  • Location: Palm Beach, FL

Posted 12 September 2013 - 14:23

That's the problem, it's amazing they even had backups. 99% of people have no backup.

You are right. The only reason this client had backups was because they called me to get their system straightened out after being neglected for years. Only just a few months ago did I set up a backup with retention.



#6 Haggis

Haggis

    Neowinian Senior

  • Tech Issues Solved: 12
  • Joined: 13-June 07
  • Location: Near Stirling, Scotland
  • OS: Debian 7
  • Phone: Samsung Galaxy S3 LTE (i9305)

Posted 12 September 2013 - 14:24

No point in having a backup attached to the machine that you're backing up, in my opinion



#7 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 12 September 2013 - 14:25

You are right. The only reason this client had backups was because they called me to get their system straightened out after being neglected for years. Only just a few months ago did I set up a backup with retention.

 

What kind of offsite did you configure for them?



#8 fusi0n

fusi0n

    Don't call it a come back

  • Tech Issues Solved: 3
  • Joined: 08-July 04
  • OS: OSX 10.9\Windows 10\Ubuntu
  • Phone: LG G3

Posted 12 September 2013 - 14:25

Pretty hardcore malware...



#9 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 12 September 2013 - 14:26

No point in having a backup attached to the machine that you're backing up, in my opinion

 

No, it's good to have both local and off-site. If it's not connected to the machine (not counting online) then it never gets done. It needs to be automatic. But in this case you also have to do off-site as well, one that is not connected.



#10 +Bryan R.

Bryan R.

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 04-September 07
  • Location: Palm Beach, FL

Posted 12 September 2013 - 14:26

What kind of offsite did you configure for them?

It was a local backup to an external drive on the server. They will also be getting offsite soon though after this close call.



#11 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 12 September 2013 - 14:26

It was a local backup to an external drive on the server. They will also be getting offsite soon though after this close call.

 

You're lucky the malware didn't crawl to the server drive and encrypt that too. Because apparently this malware encrypts mapped drives as well.



#12 +Bryan R.

Bryan R.

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 04-September 07
  • Location: Palm Beach, FL

Posted 12 September 2013 - 14:28

You're lucky the malware didn't crawl to the server drive and encrypt that too. Because apparently this malware encrypts mapped drives as well.

This malware starts on a client machine and encrypts any data that user has access to, which would include the mapped drive the user had but not the local disks on the server. There's another malware that super hides all data in the same way.



#13 firey

firey

    F͎̗͉͎͈͑͡ȉ͎̣̐́ṙ͖̺͕͙̓̌è̤̞͉̟̲͇̍̍̾̓ͥͅy͓̍̎̌̏̒

  • Tech Issues Solved: 8
  • Joined: 30-October 05
  • Location: Alberta, Canada
  • OS: Windows 7
  • Phone: Android (4.4.2)

Posted 12 September 2013 - 14:31

 

More on topic, I would imagine UAC wouldn't really protect against this at all as it could run in user space and still do a lot of damage! (getting to run is a different story)

It would to an extent. Basically anything in Program Files would be safe, as long as it is not elevated through UAC; however, all documents, data, etc. would be vulnerable.



#14 vcfan

vcfan

    Doing the Humpty Dance

  • Tech Issues Solved: 3
  • Joined: 12-June 11

Posted 12 September 2013 - 14:32

The malware is pretty funny, but clever. Shouldn't it be easy to bust these guys? Who processes their funds?



#15 UseLess

UseLess

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 24-July 04
  • Location: Australia, West Coast

Posted 12 September 2013 - 14:32

Generally speaking, your server shouldn't be getting infected, unless you're using the server? I would imagine this spreads by "client-initiated methods" (email, websites, etc.). We have Windows 2008 at work, and any backup it creates unmaps any drive letter from the backup drive, so I assume this would be sufficiently well preserved (including the fact it isn't visible over the network).

 

The fact that it checks network drives is what really bothers me. I have my home Windows backup set to back up to a network location, so in this case it would whack that backup too. I would guess VERY few people have disconnected/read-only backups.

 

Edit: money can be "easily" hidden through some random array of shell companies... or more easily nowadays, any cryptocurrency =/
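Posts #12, #13 and #15 above make the same point from different angles: malware running under the user's own token can write to anything that token can write to, mapped drives and a backup share included, while a Windows Server Backup target that has no drive letter and is not browsable is out of that reach. The following PowerShell snippet is an added example, not code from the thread: it lists every mapped network drive in the current session, plus any UNC paths you pass in, and checks whether this session can create a file there. Anything reported Writable is a location a user-context process could overwrite, so a backup target should not show up that way. The share in the usage line is a placeholder, not a real path.

```powershell
# Added example, not from the thread: report which network locations the
# current user session can write to. A backup target should not appear as
# Writable here. The UNC path in the usage line is a placeholder.

function Test-NetworkWriteReach {
    param(
        # Extra UNC paths to probe even though they have no drive letter,
        # e.g. the network location a Windows Backup job writes to.
        [string[]]$ExtraPath = @()
    )

    # Mapped drives expose their UNC target in DisplayRoot (PowerShell 3.0+).
    $targets = @(Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.DisplayRoot -like '\\*' } |
        ForEach-Object {
            [pscustomobject]@{ Label = "$($_.Name):"; Path = "$($_.Name):\"; Unc = $_.DisplayRoot }
        })

    foreach ($p in $ExtraPath) {
        $targets += [pscustomobject]@{ Label = '(unmapped)'; Path = $p; Unc = $p }
    }

    foreach ($t in $targets) {
        $probe    = Join-Path $t.Path ("write-probe-{0}.tmp" -f [guid]::NewGuid())
        $writable = $false
        $note     = ''
        try {
            # Create-then-delete is the smallest write that proves access.
            New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
            Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
            $writable = $true
        } catch {
            # Access denied, offline share, read-only export, etc.
            $note = $_.Exception.Message
        }
        [pscustomobject]@{
            Drive    = $t.Label
            Target   = $t.Unc
            Writable = $writable
            Note     = $note
        }
    }
}

# Usage (the share name is a placeholder):
Test-NetworkWriteReach -ExtraPath '\\nas\backups' | Format-Table -AutoSize
```

Run it as the ordinary user account, not an administrator, because the point is what that account's token reaches. A backup location that is mounted only for the duration of the backup job, or that the backup service reaches with its own credentials rather than the user's, will either not appear at all or come back with Writable false, which is the state you want.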