[AusNOG] CryptoLocker Virus

Dave Finster dave.finster at construcsys.com.au
Thu Oct 24 08:42:32 EST 2013


We’ve also encountered it at one of our remote sites. It did the client laptop and the majority of the server out there and tried to do some network drives on remote servers but considering they have a 3G link it didn’t get very far. We did basically a complete restoration on the on-site server and were able to retrieve a list of encrypted files from the infected client and selectively restore files on the other two remote servers.

That virus got through our SpamTitan anti-virus, which was up to date; it came along in a pdf.exe file enclosed in a zip file. We use Symantec Endpoint Protection and it didn’t show any warnings at all (up to date). From what I’ve read, if your AV solution has behavioural analysis turned on, it can detect it since the process doing the encryption systematically reads tons of files.

We’ve recently enacted a GPO to mitigate it by forbidding applications that aren’t Dropbox or Citrix Receiver from running if they are stored in the AppData folder (one of our techs found that it stores itself there). No detected infections since but our SpamTitan has recently been blocking a lot of emails with the virus ‘Suspect.DoubleExtension-zippwd-15’. SpamTitan uses both the ClamAV and Kaspersky engines for AV.

Good luck to anyone that encounters this one.

Cheers,
Dave
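A defender-side illustration of the behavioural-analysis point made above (the encrypting process systematically reads tons of files), added here as an example and not taken from the thread or from any AV product: a toy Python detector run over a constructed sample of simplified file-access records. The record layout, process names, paths and thresholds are all assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2013, 10, 23, 9, 0, 0)


def _event(offset_s, proc, user, path):
    """Build one simplified file-access record (constructed for this example)."""
    return (T0 + timedelta(seconds=offset_s), proc, user, path)


# Constructed sample log: a user opening a few documents over ten minutes, and an
# executable launched from the profile's AppData folder reading every file on a
# mapped home drive at several files per second.
SAMPLE_EVENTS = (
    [_event(i * 30, r"C:\Program Files\Office\WINWORD.EXE", r"CORP\jsmith",
            rf"H:\jsmith\report{i}.docx") for i in range(20)]
    + [_event(i * 0.25, r"C:\Users\jsmith\AppData\Roaming\qwertyuiop.exe", r"CORP\jsmith",
              rf"H:\jsmith\archive\file{i:04d}.xlsx") for i in range(120)]
)


def detect_mass_readers(events, max_files=50, window=timedelta(seconds=60)):
    """Return {process: (first_alert_time, user, distinct_files)} for every process
    that touches more than `max_files` distinct files inside any `window`-long span.
    Only the first crossing per process is reported."""
    recent = defaultdict(deque)  # process -> (time, path) records inside the window
    alerts = {}
    for ts, proc, user, path in sorted(events, key=lambda e: e[0]):
        dq = recent[proc]
        dq.append((ts, path))
        while ts - dq[0][0] > window:  # drop records that fell out of the window
            dq.popleft()
        distinct = len({p for _, p in dq})
        if distinct > max_files and proc not in alerts:
            alerts[proc] = (ts, user, distinct)
    return alerts


if __name__ == "__main__":
    for proc, (ts, user, n) in detect_mass_readers(SAMPLE_EVENTS).items():
        print(f"{ts} {user} {proc}: {n} distinct files read within 60s")
```

The alert carries the user and process path, which is the same information the thread suggests using to find the offending client and isolate it.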

On 23 Oct 2013, at 10:59 pm, Damian Guppy <the.damo at gmail.com> wrote:

> We have come across it. Delivery was via .pdf.exe in a zip attachment to an email. Email was processed by Trend Micro IMSVA that was up to date, and workstation had Trend antivirus with latest definitions and it still managed to run unchecked for a couple of hours (it encrypts local system first so there was a lag time before it hit the file servers). It hit the mapped drives last, but didn't try to touch VSS / Previous Versions on the Windows file servers so once we identified and isolated the machine we rolled back to the last good checkpoint.
> 
> If you have home directories a good way to identify the offending client is to check which users' home drives have been encrypted, as long as your corp mapped drives have a higher letter than the home drive, as it seems to walk the drives in alphabetical order.
> 
> Very annoying, and from what I have seen around on forums, it has picked up a lot more this week. We decided to move ahead with blocking all executables in emails on the clients that didn't already have the policy.
> 
> --Damian
> 
> 
> On Wed, Oct 23, 2013 at 8:48 PM, Sean Slater <sean at farrellmedia.com.au> wrote:
> Hi all,
> 
> Leading on from Daniel's post, the best resource I've come across for CryptoLocker is on BleepingComputer.com,
> 
> http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
> 
> I haven't come across this thing yet personally, but it sounds nasty.
> 
> Kind Regards,
> 
> Sean Slater
> 
> --
> Farrell Media Pty. Ltd.
> ABN: 30 135 592 291 ACN: 135592291
> Email sean at farrellmedia.com.au
> Phone 08 8311 3955 : Fax 08 8311 5299
> 
> 
> On Wed, Oct 23, 2013 at 10:26 PM, Daniel Pearson <dpearson at pingco.com.au> wrote:
> 
> Hi All,
> 
> Not sure if anyone else has come across this nasty piece of work… Definitely worth everyone knowing about it. Already has caused havoc for a number of people I know. New versions look at network resources and delete *.bak, *.vbk etc… so even backups will become encrypted.
> 
> Anyway just thought I would make sure everyone is aware of it.
> 
> Regards,
> 
> DP
> 
> 
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
