Main Site Documentation

Hope everyone has got their back-ups up to date


#1

At about 9:30 yesterday morning a user comes to me saying that they would like me to take a look at an Excel file as it now corrupted and will not open. As I am attending to this another user comes and says that they can no longer access several Word documents with similar error messages – alarm bells are now ringing. Look at the files and sure enough they will not open – last modification dates are unchanged from expected, but comparing the files to a recent backup shows completely different contents.

Just as I am thinking that this doesnt just look corrupted, but encrypted the first user comes back saying that their email signature is now garbled. Whatever it is it is on that PC – so pull the network cable and almost immediately a window appears – we have been infected by CryptoLocker.

If you havent heard of this one yet, it is a very nasty piece of work. It basically encrypts any accessible documents on both local and shared drives and the only way to get them unencrypted is to pay a fee to get the decryption key. If the malware gets tampered with or is removed then the decryption key is destroyed.

Made the decision not to pay and have just spent the last 24 hours scanning, cleaning and restoring our system. We ended up having two infected PCs and thousands of encrypted files on our server drives.

We were lucky in that it was detected quickly after infection and the data loss was minimal. If our backup systems had not been up to date then it could have been a very different story.

Our antivirus was up to date at the time of infection and even a manual full scan would not detect it yesterday morning. Some info regarding CryptoLocker can be found in the link below:

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

Up to this point my home computer backups have just been copies of files on shared folders and external drives but now Im moving to something a bit more comprehensive.

Be safe,

Keith.


#2

@ Keith - Scary!


#3

My brother called me yesterday - he had just gotten hit as well.


#4

Would be good to know how one get infected? Which way does it use? Exploits?


#5

From internet looks like it can either infect PCs via email attachments or compromised web sites. In our case looks like email was the source.

It managed to get through our email filtering and install on two PCs. Not sure how it avoided detection initially, but scans on the computers afterwards did pick up what I believe was the installers, but still were not picking up the actual program.

What is scary is just how much intentional collateral damage this one causes. Once a file is encrypted there seems only to be three options available: Pay the money, restore the file from a backup after it has been eradicated or lose it forever. This thing targets pictures as well as office and PDF documents so has as much potential for home computers as well as businesses. Only thing is home users may not have any backup in place and connecting an external USB key or HDD when the PC is infected would probably result in the loss of those files as well. Storage on NAS drives would also be affected if the infected computer has access to them.

In the past generally there have been tools to clean up infections and repair damaged files, but with the technology that this thing uses that is probably not possible. The malware itself can be removed, but the damage it causes can’t.

Bit of a wake up call for me - if this had hit my home PC I would have lost quite a bit as had no disconnected recent backup at the time. I’ve just done a full external backup of everything just to be safe.


#6

Just make sure the antivirus you change to isn’t hacked … like Avira:
http://betanews.com/2013/10/08/avg-and-avira-hacked-sites-currently-offline/


#7

@ andre.m The thought of changing AV had crossed my mind!

Spoke to a consultant we sometimes use and one of his team was at another customer at the same time with a CryptoLocker issue as well. The one they had there was also evading detection by several systems. The step that identified them for me was to pull the network cable and the CryptoLocker screen would appear.

Have found several posts indicating that there could be a new variant of CryptoLocker out there so possible what I found is different to the one identified last month. Am reporting back through the AV and see what comes of it.


#8

I think that the NSA (since they are still at work) should provide a decrypting service for those affected who chose not to pay the ransom. This virus is cyberterrorism, and as such, I think more of our US tax dollars should be spent combating the spread and repairing the damage of this virus. Health Care for your PC! #satire


#9

@ Keith - That’s a very familiar story… It’s sometimes called Ransomware. They try and make you pay a ransom to recover your computer. I had the same thing happen on my OS disk on my PC at home. I certainly did not pay the ransom. Antivirus software did not protect me because the variant was too new. I didn’t really lose any content, but I can tell you I knew exactly how I got it and it is shocking. I was doing a google image search for a mini fridge for my solder paste. I typed in some search terms for a mini fridge. On the third or fourth page of images, I saw one that was interesting. Then without even opening the source page, the virus was somehow transferred. I actually reproduced this and was shocked. It looked like a url source in China. Since then, I only use Bing image search. I NEVER USE Google Image search anymore. I have no clue how it executed. And perhaps Bing is no better… But, if infections can launch that easily, the internet as we know it could be at risk…


#10

@ Valkyrie-MT. Things like that are dependent on the browser you were using and the settings for things like scripts and ActiveX etc.


#11

The safest still seems to be using Oracle’s free VirtualBox to set up a virtual machine for surfing. If it gets trashed - reload copy of virtual disk.
Good back-ups are still a must, but losing a half days work to restore would be a bummer.


#12

Two days ago I had a similar thing but it was not Ransomware.

I thought it was a link in Amazon for my Kindle books.

I was amazed how quickly I had about 10 different applications installing.

My anti virus software didn’t blink an eye…

I pulled the plug and a restore seems to have corrected things.
(Windows 8) and it reinstalled the system files…

Not sure why a yellow face is showing for windows 8


#13

Heard back from AV tech support - it was a new variant that they hadn’t seen before. Apparently quite a few people got hit on Friday.

This new version was masquerading as a PDF file, but in fact actually was an executable.

In our case ShadowCopy was very useful in restoring a lot of the corrupted files on our server as the latest clean version was 1 hour before we were infected.

Will now be enabling ShadowCopy on all PCs as it is built into Windows and could give some extra recovery options when dealing with this type of attack.


#14

Exactly as expected - even had the typical thank you for choosing us and sorry for the inconvenience blurb. :slight_smile:


#15

Someone where I work had a similar issue. They used this to track it down: http://www.eset.co.uk/Antivirus-Utilities/Online-Scanner (Happen’s to be the on I use on my personal laptop) Norton (Corporate) didn’t detect it.


#16

There are a lot of guides to remove it like this: http://privacy-pc.com/how-to/remove-cryptolocker-virus.html But encryption is still there. Has anybody tried to restore files with the help of ShadowExplorer or any other tools? As I understand, Windows does not delete files, just unattaches them from the partition. Maybe these tools can also help: http://en.wikipedia.org/wiki/List_of_digital_forensics_tools


#17

Spam?