File-trashing Cryptolocker PC malware

I had something from Barclays (who I am with) telling me to download the zip and fill it out otherwise my account would be locked, I just forwarded it straight to security @barclays and let them deal with it.
 
Was speaking to one of the guys in another team today; apparently 2 people at our place have had it.

Internal IT switched everyone over to Symantec (we were on Kaspersky). We are in the middle of a domain migration, so I don't know if their plan was to switch product anyway or they switched because of this.
 
Does anyone know what Thunderbird does with incoming mail regarding this?

I've had an email arrive this morning with the subject line "image 19 11 2013" from a hotmail address (so says Thunderbird).

I do receive emails with attachments as part of my business, but then I noticed the attachment was a .zip and it said "sent from my iPhone" at the bottom... whether all iPhones send images like that I don't know.

Then it suddenly occurred to me, what will Thunderbird do with that file? Will it try to automatically open/unzip that file or just leave it as a zip?

Exactly when is this virus activated, do you just have to download it, or unzip it or actively click on it?

I'm getting a bit worried now that I've caused an issue for myself. :(
 
I have pretty much moved to only using my iPhone for all personal email. If my company is stupid enough to allow this stuff through the mail protection, more fool them.
 
Is that what those banking emails with the zip attachments are? My god... I have one in my inbox right now.
 
Just to clarify, we are safe so long as nobody on the network extracts the zip? Or downloads the zip?
 
I'm dreading a family member getting this. My old man, for example, has shed loads of files on his HD; sure, he's backed up to a USB drive, but I think it's possible to back up the encrypted files, no? He'll be devastated if he loses all that.

The most annoying thing is that the people behind this are going to get massively rich.
 
I mentioned I perform lookups against SpamCop and Spamhaus, which helps catch a lot of stuff, but not these, as I guess most of the emails come from hijacked PCs the world over.

Ouch. I would be looking at implementing a proper cloud-based filtering solution as soon as possible. The cost shouldn't be too high, given the low amount of users. Proactive security is far better than reactive security.

I'm dreading a family member getting this. My old man, for example, has shed loads of files on his HD; sure, he's backed up to a USB drive, but I think it's possible to back up the encrypted files, no? He'll be devastated if he loses all that.

The drive will be encrypted if it's connected to the infected machine.

How much data are we talking about?

Backup to DVDR-DL might be an option if he doesn't have too much data.
 
Been dealing with this since it first made an appearance in September.

Setting up software restriction policies for clients now to restrict the following paths via a GPO -

%AppData%\*.exe
%AppData%\*\*.exe
%LocalAppData%\*.exe
%LocalAppData%\*\*.exe
%LocalAppData%\Temp\*.zip\*.exe
%LocalAppData%\Temp\7z*\*.exe
%LocalAppData%\Temp\Rar*\*.exe
%LocalAppData%\Temp\wz*\*.exe
%UserProfile%\Local Settings\*.exe
%UserProfile%\Local Settings\*\*.exe
%UserProfile%\Local Settings\Temp\*.zip\*.exe
%UserProfile%\Local Settings\Temp\7z*\*.exe
%UserProfile%\Local Settings\Temp\Rar*\*.exe
%UserProfile%\Local Settings\Temp\wz*\*.exe

Even with GFI mail filtering it's getting through every now and again, as they keep changing the emails it's attached to. The above policy stops it before it has a chance to run, though. Seems to be coming mainly with the Zbot trojan.

Absolute nightmare of a virus!
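The path list above is what goes into a Software Restriction Policy. As an added example (not code posted in the thread), the following PowerShell script writes those same patterns as "Disallowed" path rules into the local-machine SRP policy registry, so the effect can be reproduced or checked on a single host without the GPO editor. It assumes the standard SRP layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}, where level 0 is Disallowed and 262144 is Unrestricted, and each rule key carries ItemData, SaferFlags and Description. The -AllowedPaths parameter is a placeholder for the site-specific exe whitelisting the poster mentions; it is empty by default.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Writes the SRP "Disallowed" path
# rules listed in the post above into the local-machine policy registry.
# Assumption: SRP local-policy layout
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}
#   with level 0 = Disallowed, 262144 = Unrestricted; each rule key holds
#   ItemData (pattern), SaferFlags (0), Description and LastModified.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder: executables that legitimately live under the blocked trees.
    [string[]]$AllowedPaths = @()
)

# The exact list from the post above.
$BlockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\*.zip\*.exe',
    '%LocalAppData%\Temp\7z*\*.exe',
    '%LocalAppData%\Temp\Rar*\*.exe',
    '%LocalAppData%\Temp\wz*\*.exe',
    '%UserProfile%\Local Settings\*.exe',
    '%UserProfile%\Local Settings\*\*.exe',
    '%UserProfile%\Local Settings\Temp\*.zip\*.exe',
    '%UserProfile%\Local Settings\Temp\7z*\*.exe',
    '%UserProfile%\Local Settings\Temp\Rar*\*.exe',
    '%UserProfile%\Local Settings\Temp\wz*\*.exe'
)

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 262144

function Get-SrpPathRules {
    # Returns the ItemData pattern of every existing path rule at the given level.
    param([int]$Level)
    $base = Join-Path $SaferRoot "$Level\Paths"
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
}

function Add-SrpPathRule {
    # Creates one path rule key unless an identical pattern already exists at that level.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$Level, [string]$Pattern, [string]$Description)
    if ((Get-SrpPathRules -Level $Level) -contains $Pattern) {
        Write-Verbose "Rule already present at level ${Level}: $Pattern"
        return
    }
    $key = Join-Path (Join-Path $SaferRoot "$Level\Paths") ('{' + [guid]::NewGuid().ToString() + '}')
    if ($PSCmdlet.ShouldProcess($Pattern, "Add SRP path rule (level $Level)")) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name ItemData     -Value $Pattern     -PropertyType ExpandString -Force | Out-Null
        New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
        New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
        New-ItemProperty -Path $key -Name LastModified -Value (Get-Date).ToFileTime() -PropertyType QWord -Force | Out-Null
    }
}

# Turn SRP on for all users and all software files; default level stays
# Unrestricted so only the explicit path rules below are denied.
if (-not (Test-Path $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
$rootSettings = @{ DefaultLevel = $Unrestricted; TransparentEnabled = 1; PolicyScope = 0 }
foreach ($s in $rootSettings.GetEnumerator()) {
    New-ItemProperty -Path $SaferRoot -Name $s.Key -Value $s.Value -PropertyType DWord -Force | Out-Null
}

foreach ($p in $BlockedPaths) {
    Add-SrpPathRule -Level $Disallowed -Pattern $p -Description 'Block executables in user-writable profile/temp paths'
}
foreach ($p in $AllowedPaths) {
    Add-SrpPathRule -Level $Unrestricted -Pattern $p -Description 'Site-specific exception to the profile/temp block'
}

Write-Output ('Disallowed path rules now present: {0}' -f @(Get-SrpPathRules -Level $Disallowed).Count)
```

Run it once with -WhatIf to see which rule keys would be created, then without. SRP resolves conflicting path rules in favour of the more specific path, which is why an Unrestricted rule naming one exe under %AppData% can coexist with the broad Disallowed rule for %AppData%\*.exe; a logoff/logon or reboot is the reliable way to make sure newly written local rules are applied to every process.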
 
I'm hoping our spam filter will stop this from getting on to our network in the first place, but I have tightened up our AV settings and proxy, and blocked the program from running via GP on our domain PCs and via a program called CryptoPrevent on the others. Probably overkill, but I'd rather be safe than sorry.

http://www.computerworld.com/s/arti...to_do_if_you_are_?taxonomyId=125&pageNumber=2

http://www.fooli****.com/vb6-projects/cryptoprevent/

^ Foolish IT :o

You may want to edit your GP to include the extra locations from my post, as I've found it to run from those locations also. You may need to whitelist specific exes, depending on what, if anything, you're running from those locations.

Full guide on the virus available here -

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
 
I am quite interested in who is behind this, after it came into the open that the US Government/Israel was behind Stuxnet etc. Whoever has executed this is very clever and very rich already; think of the amount of money needed to set up multiple gridded C&C servers (which is similar to Stuxnet), yet they remain completely anonymous to the whole world.
Given that they force you to pay via Bitcoin, and China pretty much controls the manufacture of individual bitcoins, it makes me wonder if this is not a PLA cyberattack.

A lot of people have paid and had their files decrypted except for 2-3 files. It would be interesting to see what these files are and if any are the same, especially given that the authors of CryptoLocker have a SaaS where you can upload encrypted files to "unlock them for free" if you have paid; therefore they would get an IP address of the owners of specific files... now if these files were actual targets.........
 