File-trashing Cryptolocker PC malware

This is why I point-blank refuse to have an external hard drive connected 24/7 for the sake of daily backups. I back up once every few months by imaging my drives to a hard drive which I only connect to my eSATA ports when I'm doing the backup.
 
Yes, exactly my point. If the host has access to the internet, it can be infected just the same as the VM. I don't see a difference.

Nate

Just because a computer has access to the internet, it does not put it at risk. If that were true we'd all have it.

It's only stupid user action like opening dodgy attachments, browsing compromised sites or accepting incoming connections that would be dangerous.
 
I have had a user infected with this at work; he was one of those users who has a monthly rebuild and just downloads and installs everything (hence the rebuilds!).

Luckily, every time I rebuild users' laptops I actually physically swap the hard drive for a pre-imaged one and keep the old hard drive for a few months, so I had a physical backup of everything he ever did.

Have been looking at this: http://www.fooli****.com/vb6-projects/cryptoprevent/ Anyone have any experience of it? Looks like a good tool to deploy to stop this stuff.
 
Which would be done on the host..........

Nate

?
The whole idea is that all of that is done inside VMs. My host doesn't have an email client, and it can't browse the web without changing adapter settings.
It's used solely for Notepad and running my various virtual machines.
 
We've had a few people hit by this, clients that thought they could get away without paying for AV, and coincidentally didn't have any real backups in place either! Yey!

There's a GPO you can put in place to stop applications being run from the root of AppData, but the last infection I looked at seemed to have changed locations.
 
Any decent AV should be catching this on the original inbound email long before it's had a chance to encrypt anything.

We've had a few people hit by this, clients that thought they could get away without paying for AV

Kaspersky would make mashed potato out of this.

Forget the false sense of security. Regular offline backup is the only real protection in this case.
 
Are people using some sort of email system where, when they look at the list of emails they have received and click on the title, the malware is able to auto-install without them clicking download or opening the attachment?
 
Interesting... So do you know if Hubic would be safe, or whether the 'secure transfer' it mentions actually means it does require password access?
https://hubic.com/en/discover-hubic

If you don't know, I can email them to ask. Thanks.

Looks like that application puts a live sync folder somewhere on your local hard drive. So yes, definitely: anything you put into that folder will get encrypted by the virus; the hubic software will see this as a file modification, and it will therefore get updated to their servers as this new encrypted file.

If you use this service as a backup service and you're worried about getting this virus, I'd remove the live sync service. If hubic has some kind of basic web interface, use that instead.
 
Looks like that application puts a live sync folder somewhere on your local hard drive. So yes, definitely: anything you put into that folder will get encrypted by the virus; the hubic software will see this as a file modification, and it will therefore get updated to their servers as this new encrypted file.

If you use this service as a backup service and you're worried about getting this virus, I'd remove the live sync service. If hubic has some kind of basic web interface, use that instead.

I don't use it, but I was trying to understand whether it would be a safe option to use. You have now clarified this for me, thanks.
 
It's only stupid user action like opening dodgy attachments, browsing compromised sites or accepting incoming connections that would be dangerous.

Any site can be compromised, so it's not stupid user action at all.

Must be horrible using a VM with no networking all the time...
 
Are people using some sort of email system where, when they look at the list of emails they have received and click on the title, the malware is able to auto-install without them clicking download or opening the attachment?

No. People get emailed a file called something like "we_tried_to_deliver_a_parcel.pdf.zip" with an EXE inside, and they run it. In any given company there's probably more than 50% of the employees who would do exactly the same thing.
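One way to flag the attachment pattern just described at a mail gateway, as an added example (not code from anyone in this thread): it scans a constructed zip for executable members, decoy double extensions and a PE header. The extension lists are my own choice, not a complete set.

```python
import io
import zipfile

# Extensions Windows will execute directly on double-click (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-looking extensions used as the decoy half of "name.pdf.exe" (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}


def name_findings(name):
    """Return the reasons a single archive member name looks suspicious."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + parts[-1])
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        reasons.append("double extension ." + parts[-2] + "." + parts[-1])
    return reasons


def scan_zip_attachment(data):
    """Scan zip bytes; return {member_name: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = name_findings(info.filename)
            with zf.open(info) as member:
                # A real PE file starts with the "MZ" DOS header regardless of its name.
                if member.read(2) == b"MZ":
                    reasons.append("PE header (MZ) at start of content")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment():
    """Constructed sample resembling the zip described in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake PE stub: only the magic bytes, not a runnable program.
        zf.writestr("we_tried_to_deliver_a_parcel.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("notes.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_attachment(build_sample_attachment()).items():
        print(member, "->", "; ".join(reasons))
```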
 
I got one of these as a zip file posing as a "secure message" from Santander (not my bank) sent to my @uk.ibm.com address. If I ever try to send or receive an attachment it gets nuked by the firewall, but this stuff is apparently allowed right in.

I run the internal Ubuntu distro, so tend to have a poke round stuff like this to see what it contains.
 