Cryptolocker

[Bird]

So anyone been hit yet?

Mate of mine in Sydney and another in Qld have had several companies calling for support on it... apparently the easiest solution is to pay up

http://www.smh.com.au/digital-life/consumer-security/cryptolocker-warning-malware-extortion-virus-attacks-on-rise-20131116-2xnl8.html

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

One nasty component of it
"It grabs network shares and all drives on a computer, so if an idiot in one part of the network gets it, it crawls into its network shares and cyphers all the files it can find"

[westvic]

ooooh that looks very nasty!

Shows how old school backup with removeable media still works but I'll bet the cloud backup is now stuffed too

Anyone come up with a proper fix other than paying??

cheers,
Steve

[dungee]

It's the first of a new generation of malicious software thats about to run amok.

Obviously don't execute the program in the first place but sometimes these programs are very cleverly disguised.

Generally any attached writable media will be encrypted with this one and the real big issue is that as the law enforcement people catch up with the baddies they shut down their servers effective rendering your encrypted data forever gone as you cant retrieve the unlock key.

I you've been hit and don't have a good remote/disconnected backup you have two choices, pay asap or kiss your data goodbye.

I think that sometimes a data disaster is a good way of getting rid of all that data plaque you've been collecting for years :-)

Remember, if your data doesn't exist in three places it may not exist at all!  The three places could be local HDD, local USB/network copy and disconnected copy in geographically different location.

If you sync your data this may not be a real backup unless you keep versions as you can sync corruptions and deletions.

[Bird]

It's the first of a new generation of malicious software thats about to run amok.

Obviously don't execute the program in the first place but sometimes these programs are very cleverly disguised.

Generally any attached writable media will be encrypted with this one and the real big issue is that as the law enforcement people catch up with the baddies they shut down their servers effective rendering your encrypted data forever gone as you cant retrieve the unlock key.

I you've been hit and don't have a good remote/disconnected backup you have two choices, pay asap or kiss your data goodbye.

I think that sometimes a data disaster is a good way of getting rid of all that data plaque you've been collecting for years :-)

Remember, if your data doesn't exist in three places it may not exist at all!  The three places could be local HDD, local USB/network copy and disconnected copy in geographically different location.

If you sync your data this may not be a real backup unless you keep versions as you can sync corruptions and deletions.

Also if you backup weekly, test your backups monthly to make sure they work... I've had it at a place I worked the backups were reporting 100% fine.. but it wasnt - for 6 months...

[Bird]

From mate who is working on this Shit

Hi

A word of warning regarding a new breed of computer virus. This one is called " Cryptolocker ". It is 'Ransomware'.

What it does is infect your machine and then encrypt all your documents and pictures.
It then demands you pay ~ $ 400 or so within 72 hours to get them back.

It uses an RSA 2048 bit encryption method which is not 'crackable' - and only they hold the 'private' key to decrypt your files.

I don't normally send emails warning of viruses to everyone (in fact I never have before) but this one is a game changer.

This virus is being mass distributed via email and also by using browser exploits
- which means you can get it just by looking at web sites that are infected.

I suggest you do a search on Cryptolocker to learn more about it and review your current data backup methods.

Special notes on Cryptolocker:

* It is quite easy to become infected as it can get around almost all antivirus programs.

* It encrypts ALL Documents, Spreadsheets, and pictures, etc located anywhere on your machine - This includes backup drives and network drives.

* If you have an internal hard drive as a backup, it will encrypt all the documents and pictures, etc on it also.

* If you are on a network, it can reach into uninfected machines thru your network and encrypt data on mapped network drives.

* It doesn't just do it's work on the main 'C' Drive, it walks thru the entire machine to make sure it gets everything.

* Only one machine needs to be infected on a network - if that machine has shared/mapped drives, it will also encrypt remote machines
  that are not infected.

* If you use Google Drive or a similar cloud service, when documents are changed by the virus (encrypted), these can get uploaded to the 'cloud' and be damaged also.

* The encryption is unbreakable. If they don't get paid, your data is gone forever - unless it is backed up safely elsewhere.

* There is no guarantee that paying them gets your data back but these people have setup a web page for 'customer support' and actively post in forum threads to 'help' people pay them.   And yes - that is remarkable.

* Currently, it only affects Windows machines - for now.

* It appears the virus only affects office and text documents (and similar) and pictures. Mp3s and videos don't appear to be targeted (for now).
* A list of files it affects is available online.

* The virus only appeared on or about Sept 6th, 2013.

* The virus writer(s) gets paid via near untraceable methods like Bitcoin, uKash, MoneyPak, etc.

I predict in future that these types of viruses will be the norm and this is only the beginning of this type of attack.

What you should do:
=================
* Please read and learn more about this new type of virus. There is loads of info and news articles about it now. It is only a few months old.

* Keep an OFFLINE backup of your data - EG: Use an EXTERNAL Hard Drive or Flash Pen, etc and turn it off and disconnect it when not in use.

* Unmap network drives that are not needed.

* Update Adobe Flash, and the Java RunTimes (if you use that), your web browser, Windows Updates and your AV software.

* Learn about the 2 programs which may be able to block the virus from infecting your computer.
-  One is called: CryptoPrevent from Foolish IT (It's free) and the other is from the Hitman Pro people - Cryptoguard (Free also)
- You need to determine if these tools are suitable for your computer environment (Business, Home, Network, etc)

* If you have a computer network, warn people using your computers about this virus and the damage it can cause.

What you should NOT do:
=====================
* Please do not just reply to this email with : "I don't want to read all about that, just tell me what to do ..." Instead, please learn about this malware/virus and take steps to securely protect your data.

* NEVER open an attachment you are not expecting.
Currently, the emails that are spreading it are pretending to be from banks, courier firms, businesses, etc.

* Certain websites now contain the virus which can automatically run it - if that happens and you have done nothing to protect your data, then a few minutes or hours later your data will be encrypted and without a SAFE BACKUP that has not been affected, you will have a big problem.

* If you have staff, instruct them to be wary of these sorts of emails and please take proactive steps to safeguard your data.

* These people are very aggressive at getting this virus spread
 - Last week over 10 million emails were sent out containing the virus payload - And this was in the UK alone.

* Websites that help or give information out about it are routinely under a DDOS attack. * For example, BleepingComputer was attacked.
  The forum thread about Cryptolocker at BleepingComputer is 140 pages long and has been viewed 250,000 times.

====

This is not a standard virus whereby you just remove it and it's gone. The virus is relatively easy to remove.
The encrypted data it leaves you with is the problem.
Once it has your data encrypted on your entire machine and your network, it displays a message to pay them.
They get paid all the time by people who don't have a proper OFFLINE, SAFE recent backup.

A Windows patch or anti virus companys' virus definitions may in future be able to stop this or prevent it but it is best that you learn about what this virus can do and what steps to take to prevent it and protect your data.

Regards

Rog ...

[MrCruza]

Yes it's a right bastard. A couple of our clients have been hit but so far we've managed to recover from backups.
We have found a preventative solution if you are on a domain, or if you have windows professional. It basically disallows the running of executables from any temporary area on your PC by setting local security policies. Haven't worked out how to make it happen on windows home yet as they don't do local security policies the same as the pro versions. Need to get into the registry and haven't had time to work it out yet.


This link from BleepingComputers explains all about it.
Refer to point 16 for how to safeguard yourself.

Edit:- Been testing CryptoPrevent  from http://www.foolish it.com/vb6-projects/cryptoprevent/ (remove the space in  "foolish it", the swear filter is getting in the way   )and it appears to work well. Much simpler way of applying run restrictions to a small number of PCs. For a domain a GPO is the way to go.
Works on home versions too

[westvic]

bitcoin just over $1000 and rising like a rocket....wonder if it is related?

[Bird]

bitcoin just over $1000 and rising like a rocket....wonder if it is related?

http://www.theguardian.com/technology/2013/nov/27/hard-drive-bitcoin-landfill-site

[Mace]

30% of our N drive has been affected by Cryptolocker.  ITS have been working on restorations for 10 days now. May get access back to our files early next week, although some of the replaced data will be from 5 days before the break in.

Scary thing is that N drive is also used by payrole, finance, enrolements and HR.

Point of Entry?  supposedly very high up in the organisation. Only takes one out of 2500!

[Bird]

30% of our N drive has been affected by Cryptolocker.  ITS have been working on restorations for 10 days now. May get access back to our files early next week, although some of the replaced data will be from 5 days before the break in.

Scary thing is that N drive is also used by payrole, finance, enrolements and HR.

Point of Entry?  supposedly very high up in the organisation. Only takes one out of 2500!

what is the ransom amount..

[Mace]

Been told it was in the tens of thousands!

[KingBilly]

Been told it was in the tens of thousands!

Mate who is IT Manager for large eduction company said he can protect 99% of the system but the bosses have laptops that are the main risk.

KB

[4wd26]

guys
by network drives, can this also "jump" infect ip drives

I have a harddrive that is remote and accessed wirelessly through a IP address, it is not mapped as a network drive, and is my secondary backup.
main backup is mapped to the system so a risk- hoping that the IP drive is secure, or I will have to rethink things

this is just a home network- but I use the IP drive as backup of everything that is important (photos etc) after having lost a harddrive once

[MrCruza]

The only way I've heard of it spreading is via mapped drives so a drive that is never mapped should be fine.
Do you have the ability to power down the remote drive? That's the safest way. Just power it up when you want to run a backup.

[Mallory Black]

This is what my IT said about it
This Malware variant is of the Ransomware variety and once run encrypts all files that the user has write access to. This effectively locks the user out of all of their local files and is known to also jump to any mapped network drives.

 

The name of this virus is Crilock.A and there are two ways it can be spread:

1.       Email attachments claiming to be a dispute notification

2.       Via machines infected with the Zeus Botnet (virus)

 

As it stands, the latest virus definitions across all the major vendors are unable to detect the Ransomware until it has been run and begun encrypting files.

 

What can I do to mitigate the risk?

1.       Ensure all machines have antivirus installed and the latest virus definitions

2.       Ensure that all your laptops and desktops have System Restore/VSS turned on

3.       Don’t keep USB Drives and Backup drives plugged in unless you need to be using them

4.       Ensure all your servers are being backed up regularly and that you have successful nightly backups

 

How do I know I have been infected?

1.       If you see any of the attached images pop up on your screen you will have been compromised by the Cryptolocker Virus

 

What can I do if I have been infected?

1.       Immediately disconnect from the Network

2.       Unplug any USB Drives or Keys you have attached to the machine

3.       Call your IT Service Desk and let us know you have been infected by Cryptolocker

 

[Bird]

Work got hit today...

Point of origin - manger opening obvious spam email with a Shit link in it.

Buy decryption software and get all your files back


Buy decryption software for 600 AUD before 2014-09-14 ?4?:?20?:?19? ?PM

OR buy it later with the price of 1200 AUD

Time left before price increase: 54 h. 44 m. 19 s.

Your total files encrypted: 6456

[Bird]

Turns out to be a new variant out 2 days ago.. no solution but file restorations.. we have good backups thankfully....
just no going home tonight..

[Jasman]

New forked version apparently infecting shadow copies now.

[Bird]

New forked version apparently infecting shadow copies now.

forked alright... full restore to recover...

[bodgie]

Even if you pay the ransom you are not guaranteed to get all of you data back, unless you pay more.

Essentially if you pay once they know you are prepared to pay so they may attempt to extract more cash from you.

AV/Malware software usually can't keep up with the changes to the software. The reason for this is Cryptolocker is polymorphic which means it can change the way it looks so it can't be detected by traditional AV software.

This site may be helpful if you have a Cryptolocker problem, you milage may vary:

https://www.decryptcryptolocker.com

[peterdeg]

Just remember, a backup is not a backup until you've tested a restore.

At home I switched from backing up to shared drive on a NAS to using rsync as cryptolocker looks for shared drives to hit too.

[bodgie]

On the backup note it probably pays to have a couple options, I've been starting to adopt a hybrid approach where key data is backup up to disk and also up to a cloud provider on a regular basis.

[Bird]

On the backup note it probably pays to have a couple options, I've been starting to adopt a hybrid approach where key data is backup up to disk and also up to a cloud provider on a regular basis.

been doing that for just on 12 mths now. the old school tape backup and cloud.

[bodgie]

The cost of some of the cloud backup solutions is pretty reasonable overall, to me there is no reason why people should lose data today.

Jason

[Ratbag]

The cops have caught the purveyors of Cryptolocker and Gameover Zeus, and captured their database of encryption keys.

These are now available for free to victims who have been unable to recover their data by other means.

See the following BBC News item in this link:

http://www.bbc.com/news/technology-28661463

In this part of the world, we have three firewalls (four, if you count the Windows firewall - I don't ... ); three kinds of anti-virus s/w; three kinds of anti-malware software; several bad site blockers.

One of the firewalls has not been updated since 2004. This might seem crazy, but it is an extremely simple and simple-minded piece of s/w. Every file has a checksum. If that file's checksum has changed, the firewall blocks it by default. If it happens to become active in the middle of the night, it gets blocked. Nothing can access either the local network or the Internet without it being vetted by this s/w. Because it's simple, it's also very fast. No fancy heuristics - just a simple GO/NO GO test.

I also pay a bit extra to Telstra for their on-line email anti-virus protection. I was caught once about 17 years ago, and it took me three days to clean/clear all the computers. Never again. Since then, not even DOUBLECLICK and its ilk get to survive!

We also use write-once media for backup of image and data files. These are checked periodically for DVDR/CDR read errors. I have a number of CDRs that need to be re-burned after 10 years in "special" three-ring binder disk storage pockets!! Not impressed! They are still readable (100% for all sectors), but the surface is deteriorating.

Paper DVDR/CDR disk jackets are best, IMNSHO.
As a counsel of perfection, DVDRs should be burned in pairs, with one copy going off-site immediately. This also protects against theft and fire/flood etc.

As for other backup. We have 3 large external powered drives (6TB in total). These are only plugged in and turned on when actually in use.
We also have about 3TB of storage on portable external HDDs. The main one of these travels with me in my camera bag at all times.
These two sets of drives each contain a complete and relatively current backup of all data files from all computers on our network.

I also backup current email data files to my laptop (i.e. back to around 2003. Prior email files to this are in archive files ... .

When push comes to shove, I've yet to see a virus that can prevent the deletion of all partitions using FDISK.EXE, and a complete re-partition/ reformat and re-install of all software. But that's a bloody awful job to undertake!

Just don't open attachments to emails if one is even the tiniest bit suspicious of it. I have even managed to train my SWMBO about this!

BTW, I don't trust Cloud backup at all. Many reasons. First one is: Can you guarantee that the provider will be in business tomorrow? Quite a few more caveats after that major hurdle ...