[AusNOG] CryptoLocker Virus

Damian Guppy the.damo at gmail.com
Wed Oct 23 23:59:51 EST 2013


We have come across it. Delivery was via .pdf.exe in a zip attachment to
an email. Email was processed by Trend Micro IMSVA that was up to date, and
workstation had Trend antivirus with latest definitions and it still
managed to run unchecked for a couple of hours (it encrypts local system
first so there was a lag time before it hit the file servers). It hit the
mapped drives last, but didn't try to touch VSS / Previous Versions on the
Windows file servers so once we identified and isolated the machine we
rolled back to the last good checkpoint.

If you have home directories, a good way to identify the offending client is
to check which users' home drives have been encrypted, as long as your corp
mapped drives have a higher letter than the home drive, as it seems to walk
the drives in alphabetical order.

Very annoying, and from what I have seen around on forums, it has picked up
a lot more this week. We decided to move ahead with blocking all
executables in emails on the clients that didn't already have the policy.

--Damian
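
As an added example, not part of Damian's post or anything else in this thread, the following is the kind of attachment check the "block executables in email" policy above implies: it opens a zip attachment and flags entries with an executable extension, a double extension such as .pdf.exe, or a Windows PE ("MZ") header hiding under a harmless-looking extension. The extension list and the constructed sample zip are assumptions for illustration, not a complete policy.

```python
import io
import zipfile

# Assumed (illustrative) set of extensions treated as executable; extend to suit policy.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOS_MZ_HEADER = b"MZ"  # Windows PE executables start with this signature


def classify_entry(name, head):
    """Return a reason string if a zip entry looks executable, else None."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        if len(parts) > 2:  # e.g. invoice.pdf.exe
            return "executable disguised with double extension"
        return "executable extension"
    if head.startswith(DOS_MZ_HEADER):
        return "PE header under a non-executable extension"
    return None


def risky_entries(zip_bytes):
    """List (entry name, reason) for every entry of a zip attachment that should be blocked."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reason = classify_entry(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip():
    """Constructed sample attachment: a benign text file, a .pdf.exe, and a renamed PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"nothing to see")
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00 constructed stub, not a real binary")
        zf.writestr("report.pdf", b"MZ\x90\x00 constructed stub with a pdf extension")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in risky_entries(build_sample_zip()):
        print("BLOCK %s: %s" % (name, reason))
```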


On Wed, Oct 23, 2013 at 8:48 PM, Sean Slater <sean at farrellmedia.com.au> wrote:

> Hi all,
>
> Leading on from Daniel's post, the best resource I've come across for
> CryptoLocker is on BleepingComputer.com,
>
>
> http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
>
> I haven't come across this thing yet personally, but it sounds nasty.
>
> Kind Regards,
>
> Sean Slater
>
> --
> *Farrell Media Pty. Ltd.*
> ABN: 30 135 592 291 ACN: 135592291
> *Email sean at farrellmedia.com.au*
> Phone 08 8311 3955 : Fax 08 8311 5299
>
>
> On Wed, Oct 23, 2013 at 10:26 PM, Daniel Pearson <dpearson at pingco.com.au> wrote:
>
>> Hi All,
>>
>> Not sure if anyone else has come across this nasty piece of work….
>> Definitely worth everyone knowing about it. Already has caused havoc for a
>> number of people I know. New versions look at network resources and delete
>> *.bak, *.vbk etc… so even backups will become encrypted.
>>
>> Anyway just thought I would make sure everyone is aware of it.
>>
>> Regards,
>>
>> DP
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog