Workplace hit by cryptolocker virus

We got the Locky virus as someone opened an invoice.
Luckily we had a good backup system and it was stopped and restored in 4 hours.
 
We've set up a rule in the GP to stop users from launching the usual attachments that would trigger this, i.e. js / com / bat / exe if found inside a zip file.
 
Once you get it restored, it's time to look at the rights that user had; there's no way it should have spread that widely from one user.
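Added example (not the poster's rule, and not a Group Policy setting): a Python gateway-side check that applies the same idea to an incoming zip attachment before it reaches a mailbox. It walks the archive, flags members whose final extension is a blocked type (case-insensitively, so Invoice.PDF.JS is still caught, and with trailing dots or spaces stripped), follows nested zips, treats encrypted members as not inspectable, and refuses malformed or oversized archives so a failure to scan becomes a block rather than an allow. The blocked list extends the post's js / com / bat / exe with other script and executable types; that extension, the size limits and the sample archive built in the code are this example's own assumptions.

```python
import io
import zipfile
from typing import Dict, List, Tuple

# The post's rule covers js / com / bat / exe. The remaining entries are this
# example's own additions (other script/executable types abused by mail droppers).
BLOCKED_SUFFIXES = {
    ".js", ".com", ".bat", ".exe",
    ".jse", ".cmd", ".scr", ".pif", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".msi", ".jar",
}
MAX_NESTING = 3               # zip-inside-zip depth we are willing to follow
MAX_MEMBERS = 1000            # member-count sanity limit (assumed value)
MAX_UNCOMPRESSED = 50 << 20   # 50 MiB total declared size; zip-bomb guard (assumed)


def is_blocked_name(name: str) -> bool:
    """True if the member's final extension is blocked, case-insensitively.
    Double extensions ('Invoice.PDF.JS') still end in the real one; a trailing
    '.' or space, sometimes used to hide the extension, is stripped first."""
    leaf = name.rsplit("/", 1)[-1].rstrip(". ").lower()
    dot = leaf.rfind(".")
    return dot != -1 and leaf[dot:] in BLOCKED_SUFFIXES


def scan_zip(data: bytes, depth: int = 0, prefix: str = "") -> List[str]:
    """Return paths of blocked or uninspectable members, following nested zips.
    Raises ValueError for archives that are invalid or exceed the limits."""
    label = prefix or "archive"
    if depth > MAX_NESTING:
        raise ValueError(f"{label}: nested deeper than {MAX_NESTING}")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError(f"{label}: not a valid zip ({exc})") from None
    infos = zf.infolist()
    if len(infos) > MAX_MEMBERS:
        raise ValueError(f"{label}: {len(infos)} members exceeds {MAX_MEMBERS}")
    declared = sum(i.file_size for i in infos)
    if declared > MAX_UNCOMPRESSED:
        raise ValueError(f"{label}: declared size {declared} exceeds limit")
    hits: List[str] = []
    for info in infos:
        if info.is_dir():
            continue
        path = prefix + info.filename
        if info.flag_bits & 0x1:            # encrypted member: cannot be inspected
            hits.append(path + " [encrypted]")
        elif is_blocked_name(info.filename):
            hits.append(path)
        elif info.filename.lower().endswith(".zip"):
            hits.extend(scan_zip(zf.read(info), depth + 1, path + "!/"))
    return hits


def verdict(data: bytes) -> Tuple[str, List[str]]:
    """'block' with reasons, or ('allow', []). A scan failure is a block."""
    try:
        hits = scan_zip(data)
    except ValueError as exc:
        return "block", [str(exc)]
    return ("block" if hits else "allow"), hits


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Helper to construct test archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachment (not a real Locky sample): a benign PDF name,
# a double-extension script, and a nested archive hiding an executable.
SAMPLE_BAD = build_zip({
    "Invoice.pdf": b"%PDF-1.4 ...",
    "Invoice_2016.PDF.JS": b"var s = new ActiveXObject('WScript.Shell');",
    "scans.zip": build_zip({"scan.exe": b"MZ..."}),
})
SAMPLE_OK = build_zip({"Invoice.pdf": b"%PDF-1.4 ...", "notes.txt": b"hello"})

if __name__ == "__main__":
    print(verdict(SAMPLE_BAD))
    print(verdict(SAMPLE_OK))
```

Note that an encrypted member is reported rather than silently skipped: a password-protected zip is exactly what you cannot scan, so the decision is better made by the gateway than by the recipient.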

I was just commenting on this in another thread. Recent versions of crypto malware are very, very sophisticated and can lie quietly on the originally infected machine for quite a while, using a variety of advanced attacks to spread in a LAN environment before they are triggered. This includes the ability to root older NAS devices that are running firmware with known vulnerabilities, etc., and even to inject themselves into the management functionality on managed switches, etc.

If it is one of the more advanced variants then you are going to have to look at more than just cleaning up the obviously infected machines; also take a look at the rest of your hardware and reset and update the firmware on devices like routers and NAS boxes, etc., as otherwise it will just do the same thing all over again in a couple of months' time or so.
 
Recipient email addresses aren't validated; it's trivial to change the From address. You should have gone with Exchange on O365 rather than on-premise, that spam protection is pretty good.
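Added example, not from the poster above: a Python check of what a receiving gateway actually has to go on when the From header can say anything. It compares the From domain with the domains that SPF and DKIM vouched for in the Authentication-Results header (the alignment idea behind DMARC, in simplified form), and separately flags a display name that looks like an address from a different domain. The three messages are constructed samples using example domains; the header layout and the "relaxed" subdomain alignment rule are this example's assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def _domain(addr: str) -> str:
    """Mailbox domain of an address or display-name string, lower-cased ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed alignment: the authenticated domain equals, or is a subdomain of, the From domain."""
    return bool(auth_domain) and bool(from_domain) and (
        auth_domain == from_domain or auth_domain.endswith("." + from_domain)
    )


def assess(raw: str) -> dict:
    """Decide whether the From header is backed by SPF or DKIM for the same domain."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    envelope_domain = _domain(msg.get("Return-Path", ""))
    auth = " ".join(msg.get_all("Authentication-Results", []))

    spf = re.search(r"\bspf=(\w+)", auth)
    spf_dom = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", auth)
    dkim = re.search(r"\bdkim=(\w+)", auth)
    dkim_dom = re.search(r"header\.d=([^\s;]+)", auth)

    spf_ok = bool(spf and spf.group(1) == "pass" and spf_dom
                  and _aligned(spf_dom.group(1).lower(), from_domain))
    dkim_ok = bool(dkim and dkim.group(1) == "pass" and dkim_dom
                   and _aligned(dkim_dom.group(1).lower(), from_domain))
    # Display-name trick: the visible name carries an address from another domain.
    display_mismatch = "@" in display_name and _domain(display_name) != from_domain

    if not (spf_ok or dkim_ok):
        result = "fail"          # nobody authenticated the From domain
    elif display_mismatch:
        result = "suspicious"    # authenticated, but the name shown is misleading
    else:
        result = "pass"
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "display_name_mismatch": display_mismatch,
        "verdict": result,
    }


# Constructed samples. The From header is attacker-controlled text; Return-Path
# and Authentication-Results are what the receiving MTA recorded.
SPOOFED = """\
Return-Path: <bounce@mailer.bulksend.example>
Authentication-Results: mx.victim-corp.example; spf=pass smtp.mailfrom=bounce@mailer.bulksend.example; dkim=none
From: "Accounts" <accounts@victim-corp.example>
To: staff@victim-corp.example
Subject: Invoice 2016-0412

Please see attached invoice.
"""

LEGIT = """\
Return-Path: <bounce@victim-corp.example>
Authentication-Results: mx.victim-corp.example; spf=pass smtp.mailfrom=bounce@victim-corp.example; dkim=pass header.d=victim-corp.example
From: "Accounts" <accounts@victim-corp.example>
To: staff@victim-corp.example
Subject: Invoice 2016-0412

Please see attached invoice.
"""

DISPLAY_TRICK = """\
Return-Path: <ceo.victim@freemail.example>
Authentication-Results: mx.victim-corp.example; spf=pass smtp.mailfrom=ceo.victim@freemail.example; dkim=pass header.d=freemail.example
From: "ceo@victim-corp.example" <ceo.victim@freemail.example>
To: finance@victim-corp.example
Subject: Urgent payment

Please pay the attached today.
"""

if __name__ == "__main__":
    for name, sample in ("spoofed", SPOOFED), ("legit", LEGIT), ("display", DISPLAY_TRICK):
        print(name, assess(sample)["verdict"])
```

The spoofed message passes SPF, but for the bulk sender's domain, not for the domain shown in From; that gap is what a gateway keys on, and it is only visible if the receiving side checks alignment rather than a bare SPF pass.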

Cheers Burnsy, I'll look into that.

The new server and setup was done by a small local IT firm and it's been a mess ever since tbh :mad:

Combined with every other staff member apart from myself being completely IT illiterate (and I'm only an enthusiastic amateur) I'm just waiting for the time our system comes crashing down round our ears from a virus :(
 
Once the software is on the system you are basically screwed. Privilege escalation is relatively easy, and generally done by pre-made scripts. There are whole suites of hacking tools available for free that allow things like this.
 
If people are routinely (as part of their main job) opening attachments, etc. from anywhere, then it might be worth looking into setting up a sandboxed/virtual machine environment that is isolated from the rest of the LAN as much as possible.

As long as it doesn't get widespread adoption that's probably the best bet.
 
The firm I previously worked at had a tape drive that rotated 10 backup tapes. The most recently recorded tape would be taken home and brought back to work the following day. This is known as off-site backup.

Yes, and generally a very flawed system.
I did this for about 4 years with over 20 tapes daily.
But what happens if I'm ill?
Tape is fast, that's all IMHO.
 

I'm implementing Exchange in the cloud now because of this virus. If it happens again we won't lose email functionality, arguably the most important tool for businesses aside from data.
Sadly Microshaft are pulling our pants down again with licensing :mad:
 
Sounds like a horror story for the IT department. When I was second line support many, many years ago I remember having to deal with frequent virus problems, but fortunately nothing ever on that scale. We had about 3500 users. Back then I guess the type of viruses doing the rounds wasn't quite that intelligent. Having said that, I still had to put in serious overtime if someone or some group got infected. It was awful really. But I bet it's a lot worse now. I genuinely feel your pain.
 
How on Earth does one peon opening an attachment take down an entire network? That's some spectacular I.T. failure.

See my post further up. Some of the recent variations of crypto malware can be incredibly sophisticated: rather than immediately getting to work on the system they are opened on, they simply root it and then quietly start sniffing the network (though on an enterprise setup that kind of network activity should be picked up by heuristics), looking for things like NAS boxes on firmware with known vulnerabilities, etc. that they can spread to, other services they can brute-force to infect, etc., and the actual payload (encrypting files) won't be activated until much later. (I'm aware of at least one variant that even has the ability to embed itself into the operating system on some brands of managed switches, from which it can spread again later if you still have other devices with vulnerable firmware, like certain older Synology NAS, if not flushed out.)

It only needs to find one vulnerability where it can infect an executable file that is used by someone else who might have higher-level permissions, and it can quickly spread quite far.
 
But the infected people would still need write access to said resources wouldn't they?

How would you go about blocking write access? If it's software-based rules, you can almost guarantee someone out there has figured out a way around it.

The only guarantee you can't write to something is to unplug it (at least as far as I know).
 

Do you have a link to details of one that attacks hardware firmware? I've seen the end result of Crypto, Tesla and Locky enough times but nothing that advanced yet...
 

The only one I've heard of can embed itself into the firmware of SSDs and HDDs, essentially making it format/backup proof:

https://blogs.mcafee.com/mcafee-lab...n-ransomware-flash-exploits-firmware-attacks/

There is a much more technical article out there but I can't find it atm.

IIRC it had the ability to implant itself in most major hard drive/SSD manufacturers' firmware. Basically you could only be safe by replacing drives.
 