Workplace hit by cryptolocker virus

Accounts departments are often sent emails with invoices attached as .pdf files.
How does one stop this?
If one scans the attachment or email will this be picked up upon before opening?

Asking as we legitimately want some sort of defence; half these cryptolockers are reported as zero-day variations.

You can't really prevent them. Antivirus will only pick up known ones or ones written using similar techniques to known ones. There's always going to be some that can slip past even the best AV.

IIRC Adobe Pro Reader has an option to prevent any executable embedded code from running. Can't remember how much the pro version costs though.

Probably the only way, short of a whitelist of email addresses (which can be spoofed, or maybe the incoming email is compromised), would be to move to another less user-friendly attachment form. Or sandbox the users' PCs from the network.
 
I typically get our staff (we have 6000 of them) to forward the suspect attachments to me, I then stall them for a day and run them through virustotal.com and a few others the following day.

So far, after months of doing this, nothing malicious has got past me.

If you want a proper solution though it comes down to basics of file/folder permission, user training and products like Avecto Defendpoint.

The problem comes with whether these actually look suspicious to the user in the first place. When your lead design engineer receives invoice.zip he'll think it's odd. When your accounts data entry clerk receives the 20th invoice.something file from AN Other supplier of the morning, it won't even register as being out of the ordinary.
 
Question:

What's the point / advantage of tape? I thought we'd moved on from tape years ago, so what's the deal? Why not other mediums?
 
I typically get our staff (we have 6000 of them) to forward the suspect attachments to me, I then stall them for a day and run them through virustotal.com and a few others the following day.

So far, after months of doing this, nothing malicious has got past me.

If you want a proper solution though it comes down to basics of file/folder permission, user training and products like Avecto Defendpoint.

The assumption there is the user realises they are suspect first :)
 
Question:

What's the point / advantage of tape? I thought we'd moved on from tape years ago, so what's the deal? Why not other mediums?

Tape is cheap and very high density. There's not many removable mediums where you can fit over 6TB of data on something that costs £25.
 
There are a number of firms that will provide you with phishing detection training, including periodic tests, for a reasonable fee, check it out.

The other major defense against this type of thing is to use a cloud email filtering technology, again fairly reasonably priced.
 
Once you get it restored it's time to look at the rights that user had, no way it should have spread that widely from one user.
Yeah, it's a good point, but in a lot of businesses it's not that straightforward. This .coverton one seems to have managed to elevate certain permissions. Don't know how, as we were too busy restoring, but it encrypted our password-protected backup files.
Most users have read/write access to at least one folder on each server.
It looks like a fairly slow-acting virus though, as on our main fileserver it has only infected alphabetical folders down to the letter G. But as it was executed around 10pm at night it had all night to spread before anyone knew about it.
The bugger was it infected any computer that was switched on and connected to the network at that time.
So it fubar'd some computers (including the CEO's) where the user DID NOT have admin permissions. Those PCs had to be reformatted and the data on them lost, as we don't back up client computers.
It struck some users' OneDrives as well. So we had to disable every ADUC account until we'd checked each person's OneDrive account, scanned their computers with AV and SUPERAntiSpyware and searched for files ending in ".coverton". Only then did we re-enable their accounts.
 
And that's where our IT Security guy has been working. He's been sending out emails to all 1200 staff which are fake phishing emails and seeing who's clicking them. 38% of staff clicked the fake link on the first try. A different, and a bit more obvious email was sent yesterday, where only 8% of people clicked it. He's going to continue testing us making it less obvious as we go through. He's essentially pen testing the staff.

I think it's a great idea and it's working as people are much more suspicious now. It also avoids the whole "let's look for a technical solution to a people issue".

That's a good idea and a great quote at the end ;)
 
Huh...funny you should mention this...

I have a deleted email in my work inbox that is from 'Mike', subject line is 'Receipt' and with an excel attachment and a txt doc attached...

Funny really cause our mail system will stop you from forwarding emails to your personal account (such as digital copies of your pay slips etc) and will quarantine emails from other businesses (legit ones), yet it didn't pick this one up!
 
The problem comes with whether these actually look suspicious to the user in the first place. When your lead design engineer receives invoice.zip he'll think it's odd. When your accounts data entry clerk receives the 20th invoice.something file from AN Other supplier of the morning, it won't even register as being out of the ordinary.

Exactly. This IS what happens, sadly.
People (rightly or wrongly) are too much in a rush, especially in accounts depts.

Ours was actually an ex-employee's account whose mailbox was often checked by colleagues in the accounts dept for any residual emails coming in demanding payments etc. So, I'm assuming that possibly the FD was trawling through dozens of emails and ones that she thought were relevant, forwarded them to herself or actioned them and BOOM!!! bye bye sleep for a week! :rolleyes:
 
Over on Bleepingcomputer (the makers of Combofix and other great apps) there's a thriving and sadly very active anti-ransomware section. For home use and possibly for small businesses too the leader of the fight would appear to be Malwarebytes Anti-ransomware beta at this time.
 
We've just recently moved from a cloud-based email system, which worked well, to M/soft Exchange running on our own server and have had nothing but problems with spam and attachments.

The latest is people receiving emails with .zip attachments coming from their own email addresses. ...How is that happening? :confused:
 
Question:

What's the point / advantage of tape? I thought we'd moved on from tape years ago, so what's the deal? Why not other mediums?

The firm I previously worked at had a tape drive that rotated 10 backup tapes. The most recently recorded tape would be taken home and brought back to work the following day. This is known as off-site backup.
 
The latest is people receiving emails with .zip attachments coming from their own email addresses. ...How is that happening? :confused:

Recipient email addresses aren't validated, it's trivial to change the from address. You should have gone with exchange on O365 rather than on-premise, that spam protection is pretty good.
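The spoofing point above can be checked mechanically at the mail gateway: a message whose From: claims your own domain but carries no passing SPF or DKIM verdict in its Authentication-Results header is exactly the "zip from my own address" case. The script below is an added example, not code from anyone in this thread; it assumes the organisation's domain is example.com and builds its own constructed sample messages, so it runs offline.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

def auth_verdicts(msg):
    """Collect spf/dkim/dmarc verdicts from any Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts

def triage(raw):
    """Flag mail whose From: is our own domain but has no passing SPF/DKIM result."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    verdicts = auth_verdicts(msg)
    authenticated = verdicts.get("spf") == "pass" or verdicts.get("dkim") == "pass"
    zips = [p.get_filename() for p in msg.walk()
            if (p.get_filename() or "").lower().endswith(".zip")]
    internal = domain == OUR_DOMAIN
    return {
        "internal_sender": internal,
        "authenticated": authenticated,
        "zip_attachments": zips,
        "quarantine": internal and not authenticated,
    }

def build_sample(from_addr, auth_header, attach_zip):
    """Constructed test message (not real mail), with optional auth header and .zip."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "accounts@example.com"
    m["Subject"] = "Invoice"
    if auth_header:
        m["Authentication-Results"] = auth_header
    m.set_content("Please see the attached invoice.")
    if attach_zip:
        m.add_attachment(b"PK\x03\x04 constructed", maintype="application",
                         subtype="zip", filename="invoice.zip")
    return m.as_string()

SPOOFED = build_sample("Accounts <accounts@example.com>",
                       "mx.example.com; spf=fail smtp.mailfrom=example.com", True)
GENUINE = build_sample("Accounts <accounts@example.com>",
                       "mx.example.com; spf=pass smtp.mailfrom=example.com", False)
EXTERNAL = build_sample("Mike <mike@supplier.invalid>", None, True)
```

A message with no Authentication-Results header at all is treated as unauthenticated, which is the safe default when your own MX did not evaluate SPF/DKIM on the way in.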
 