Ransomware

So I got this CTB-Locker on my work PC which I am not fussed over as I have backups etc. What I am fussed over is how on earth it got on my PC in the first place with AV running 24/7 as well.

I always triple check emails, never download zips or exes from unknown sources. The way it has happened is even more strange. I was using my PC at work, surfing about the usual. 5pm comes and I head on home, get home and I start getting Dropbox alerts of updates to files. Open Dropbox to find the extensions changing. I TeamViewer into my PC and find it on there and just shut it down.

I'm running ESET now and still there is absolutely no indication on how the hell it got there.

Any tips on how I can trace it to find where it came from?
 
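One concrete way to start answering the "where did it come from" question is to bound the incident in time and place: the earliest encrypted file tells you roughly when it started, and the directory it sits in (a Dropbox folder, a network share, a local profile) points at the first thing the malware touched, which you can then line up against browser history, AV logs and mail timestamps from that window. The script below is an added example, not something posted in the thread; it assumes the ransomware output is high-entropy data (true of any real encryption) and uses a constructed ".locked" suffix and a constructed sample tree purely for the demo. Compressed formats such as zip, jpg or pdf are also high-entropy, so treat hits as leads rather than proof.

```python
import math
import os
import tempfile
import time
from collections import Counter

# Assumptions (constructed for this example): the ransomware appends ".locked"
# to each file it encrypts and drops a plain-text note. Real families use
# other names; the entropy check below does not depend on the extension.
ENTROPY_THRESHOLD = 7.5   # bits per byte; random/encrypted data sits near 8.0
MIN_SIZE = 256            # tiny files give unreliable entropy estimates
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def build_timeline(root: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Walk `root` and return [(mtime, path, entropy)] for files whose content
    looks encrypted, sorted oldest first. Compressed formats (zip, jpg, pdf)
    are also high-entropy, so treat hits as leads, not proof."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if st.st_size < MIN_SIZE:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than abort the triage
            ent = shannon_entropy(head)
            if ent >= threshold:
                hits.append((st.st_mtime, path, ent))
    hits.sort()
    return hits


def summarize(root: str) -> dict:
    """Bound the incident: the earliest hit gives the start time and the
    directory the encryption began in; the last hit closes the window."""
    timeline = build_timeline(root)
    if not timeline:
        return {"count": 0}
    first_time, first_path, _ = timeline[0]
    last_time = timeline[-1][0]
    return {
        "count": len(timeline),
        "first_path": first_path,
        "first_dir": os.path.dirname(first_path),
        "first_time": first_time,
        "window_seconds": last_time - first_time,
    }


def build_sample(root: str) -> None:
    """Constructed sample tree: one clean document, two 'encrypted' files
    (random bytes) and a ransom note, with mtimes set to a plausible order."""
    t0 = time.time() - 3600
    spec = [
        ("docs/report.docx", b"quarterly figures " * 120, t0 - 86400),
        ("docs/report.docx.locked", os.urandom(4096), t0),
        ("docs/DECRYPT_INSTRUCTIONS.txt", b"your files are encrypted " * 20, t0 + 5),
        ("photos/pic.jpg.locked", os.urandom(4096), t0 + 120),
    ]
    for rel, content, mtime in spec:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))


def demo() -> dict:
    """Build the constructed sample in a temp dir and triage it."""
    sample_root = tempfile.mkdtemp(prefix="triage-")
    build_sample(sample_root)
    return summarize(sample_root)


if __name__ == "__main__":
    result = demo()
    print(f"{result['count']} encrypted-looking files; earliest: {result['first_path']}")
    print(f"started in {result['first_dir']} at {time.ctime(result['first_time'])}, "
          f"window {result['window_seconds']:.0f}s")
```

Run it against the real tree (a Dropbox folder, a mapped share) with `summarize(path)` instead of the constructed sample; the `first_time` value is what you then compare against browser history, the AV quarantine log and the mail client's receive times to narrow down the entry point.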
Is it networked?
They often spread via network now.

Also sophisticated enough to try and attack NAS boxes, etc. now as well - so good idea to have write-protected backups of some sort in place for critical files (I rotate some USB drives with regular snapshots that are stored disconnected).
 
Software exploit perhaps. Are you fully patched for Windows, Flash, Java etc.?

You can visit a totally legit website that has been compromised in some way and get infected via a zero-day exploit, e.g.:

http://www.securityweek.com/chinese...s-website-watering-hole-attack-security-firms

The malware infection was inside the “Thought of the Day” Flash widget which appears whenever users try to access a Forbes.com page. Visitors didn't need to do anything other than to try to load Forbes.com in their browser to get infected.
 
What I am fussed over is how on earth it got on my PC in the first place with AV running 24/7 as well.

That is because no single anti-virus program can detect 100% of all viruses and malware in the wild, and it's possible that some aren't found until they are out in the wild.
 
The TeamViewer account has a long, random, complex password, right?

This relates to RDP, but I don't like the idea of TV accepting connections 24/7.

My guess is unpatched software such as Flash or Java.
 
I've seen Cryptolocker introduced to a few business networks (and have had to sort out the aftermath), and they were all running very good antivirus on every machine.

Sometimes a new virus creeps in before the definitions are updated...

It was usually through just opening an infected web-page, not necessarily a deliberately malicious page, just an infected one.
 
An example was that myself and a couple of colleagues went on SourceForge to get FileZilla, and boom, we had some nasty crap going on, and I went out of my way to sort that too. It was more adware/spyware than a Cryptolocker though.
 
An example was that myself and a couple of colleagues went on SourceForge to get FileZilla, and boom, we had some nasty crap going on, and I went out of my way to sort that too. It was more adware/spyware than a Cryptolocker though.

That was because SourceForge sold their souls to the devil and started bundling adware into all the application installers.
 