[AusNOG] CryptoLocker Virus
Tim March
march.tim at gmail.com
Thu Oct 24 09:31:47 EST 2013
There's a demo video at
http://nakedsecurity.sophos.com/2013/10/18/cryptolocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/
for anyone interested in seeing how it works in practice...
T.
On 24/10/13 8:42 AM, Dave Finster wrote:
> We’ve also encountered it at one of our remote sites. It did the client
> laptop and the majority of the server out there and tried to do some
> network drives on remote servers but considering they have a 3G link it
> didn’t get very far. We did basically a complete restoration on the
> on-site server and were able to retrieve a list of encrypted files from
> the infected client and selectively restore files on the other two
> remote servers.
>
> That virus got through our SpamTitan anti-virus, which was up to date,
> and came along in a pdf.exe file enclosed in a zip file. We use
> Symantec Endpoint Protection and it didn’t show any warnings at all (up
> to date). From what I’ve read, if your AV solution has behavioural
> analysis turned on, it can detect it since the process doing the
> encryption systematically reads tons of files.
>
> We’ve recently enacted a GPO to mitigate it by forbidding applications
> that aren’t Dropbox or Citrix Receiver from running if they are stored
> in the AppData folder (one of our techs found that it stores itself
> there). No detected infections since but our SpamTitan has recently been
> blocking a lot of emails with the virus
> 'Suspect.DoubleExtension-zippwd-15'. SpamTitan uses both the ClamAV and
> Kaspersky engines for AV.
>
> Good luck to anyone that encounters this one.
>
> Cheers,
> Dave
>
> On 23 Oct 2013, at 10:59 pm, Damian Guppy <the.damo at gmail.com> wrote:
>
>> We have come across it. Delivery was via .pdf.exe in a zip attachment
>> to an email. Email was processed by Trend Micro IMSVA that was up to
>> date, and workstation had trend antivirus with latest definitions and
>> it still managed to run unchecked for a couple of hours (it encrypts
>> local system first so there was a lag time before it hit the file
>> servers). It hit the mapped drives last, but didn't try to touch VSS /
>> Previous versions on the windows file servers so once we identified
>> and isolated the machine we rolled back to the last good checkpoint.
>>
>> If you have home directories a good way to identify the offending
>> client is check which users' home drives have been encrypted, as long
>> as your corp mapped drives have a higher letter than the home drive as
>> it seems to walk the drives in alphabetical order.
>>
>> Very annoying, and from what I have seen around on forums, it has
>> picked up a lot more this week. We decided to move ahead with blocking
>> all executables in emails on the clients that didn't already have the
>> policy.
>>
>> --Damian
>>
>>
>> On Wed, Oct 23, 2013 at 8:48 PM, Sean Slater <sean at farrellmedia.com.au> wrote:
>>
>> Hi all,
>>
>> Leading on from Daniel's post, the best resource I've come across
>> for CryptoLocker is on BleepingComputer.com,
>>
>> http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
>>
>> I haven't come across this thing yet personally, but it sounds nasty.
>>
>> Kind Regards,
>>
>> Sean Slater
>>
>> --
>> *Farrell Media Pty. Ltd.*
>> ABN: 30 135 592 291 ACN: 135592291
>> *Email sean at farrellmedia.com.au*
>> Phone 08 8311 3955 : Fax 08 8311 5299
>>
>>
>> On Wed, Oct 23, 2013 at 10:26 PM, Daniel Pearson <dpearson at pingco.com.au> wrote:
>>
>>
>> Hi All,
>>
>> Not sure if anyone else has come across this nasty piece of
>> work…. Definitely worth everyone knowing about it. Already has
>> caused havoc for a number of people I know. New versions look
>> at network resources and delete *.bak, *.vbk etc… so even
>> backups will become encrypted.
>>
>> Anyway just thought I would make sure everyone is aware of it.
>>
>> Regards,
>>
>> DP
>>
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
--
PGP/GNUPG Public Key: http://d3vnu11.com/pub.key
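Two practical points come up in the thread above: Damian's tip that you can identify the infected client by checking which users' home drives have been encrypted, and Dave's note that a list of encrypted files lets you restore selectively instead of rolling back whole servers. The script below is an added example for that triage step; it is not code from any of the posters or from the AusNOG list. It assumes home directories sit under one root with one subdirectory per user (the `homes/<user>` layout and the sample files are constructed here), and it uses a heuristic of my own, not one the thread describes: a file whose known header is gone, or whose first block has near-random entropy, is counted as likely encrypted. Real JPEGs and ZIPs are dense but keep their header, so the header check runs first to avoid flagging them.

```python
from __future__ import annotations

import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# File types whose first bytes are fixed. A file that still carries its header
# has not been rewritten; one that lost it is suspicious.
# (Constructed for this example; extend it with the types your users keep.)
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}

# Ciphertext sits close to 8 bits of entropy per byte; office documents, text
# and source code sit well below. Assumed threshold, tune it against your data.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """Heuristic: known header missing, or high-entropy first block."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if len(head) < 64:
        return False  # too little data to judge; skip rather than guess
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None and head.startswith(expected):
        return False  # header intact, so this file was not rewritten
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def suspect_files(home_root: Path) -> dict[str, list[Path]]:
    """Map each user (first path component under home_root) to suspicious files."""
    hits: dict[str, list[Path]] = {}
    for path in sorted(home_root.rglob("*")):
        if path.is_file() and looks_encrypted(path):
            user = path.relative_to(home_root).parts[0]
            hits.setdefault(user, []).append(path)
    return hits


def rank_users(home_root: Path) -> list[tuple[str, int]]:
    """Users ordered by number of suspicious files, most affected first."""
    counts = ((user, len(files)) for user, files in suspect_files(home_root).items())
    return sorted(counts, key=lambda item: (-item[1], item[0]))


def build_sample_tree(root: Path) -> None:
    """Constructed home tree: alice is clean, bob's documents were rewritten."""
    ciphertext = random.Random(1).randbytes(SAMPLE_BYTES)  # stands in for encrypted content
    text = b"Quarterly figures, see attached spreadsheet.\n" * 40
    alice, bob = root / "alice", root / "bob"
    alice.mkdir(parents=True)
    bob.mkdir(parents=True)
    (alice / "report.docx").write_bytes(b"PK\x03\x04" + bytes(300) + text)
    (alice / "notes.txt").write_bytes(text)
    (alice / "photo.jpg").write_bytes(b"\xff\xd8\xff" + ciphertext)  # dense but header intact
    (bob / "report.docx").write_bytes(ciphertext)        # header gone, random-looking bytes
    (bob / "invoice.pdf").write_bytes(ciphertext[::-1])
    (bob / "tiny.txt").write_bytes(b"ok")                # too small to judge, ignored


def demo() -> list[tuple[str, int]]:
    """Build the sample tree in a temporary directory and rank the users."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "homes"
        build_sample_tree(root)
        return rank_users(root)


if __name__ == "__main__":
    for user, count in demo():
        print(f"{user}: {count} file(s) look encrypted")
```

Run it against the real home-directory root instead of the constructed tree and the top of the ranking is the account whose workstation to isolate; the per-user path lists from `suspect_files` are the restore list. Keep the entropy threshold conservative and read only the first block of each file so the scan stays cheap on a large share.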