Workplace hit by cryptolocker virus

If it was as easy as just "stopping it" then the problem would barely exist. Stopping 100% of these emails is nigh on impossible on an enterprise level.

So back to my original question to Evangelion, why is it unspeakably stupid?
I agree if it's a Paypal or Co-Op email with a PDF attached but if this looks like a genuine accounts email that they deal with day in day out then why is it stupid?
I deal with solicitors all day sending me PDFs, so how would I know what not to open?
 
Why is it stupid?
Like me, if these guys are getting loads of 'Account' PDFs sent to them every day that look like 'Account' PDFs, then the fault lies with IT not stopping it.
Utter testicles.
As has been said after your post, if IT could stop this sort of thing without impacting on users and the daily running of the company then they would, and these viruses would not prevail.
I could lock down our spam filters to disallow every attachment, but nothing would get done for people constantly having to check their spam digests for something they're waiting for. It still wouldn't stop the virus, because if it's disguised well then the user will release the mail message so they can look at the legit-looking attachment.
Our accounts users need read/write access to the C: drive of not only their computer but our RDS too, as they use Sage on both. This condition was directly from Sage themselves.
Doesn't matter how many lockdowns you put in place, it still boils down to having a robust backup system... because humans will be humans.
 
> Utter testicles.
> As has been said after your post, if IT could stop this sort of thing without impacting on users and the daily running of the company then they would, and these viruses would not prevail.
> I could lock down our spam filters to disallow every attachment, but nothing would get done for people constantly having to check their spam digests for something they're waiting for. It still wouldn't stop the virus, because if it's disguised well then the user will release the mail message so they can look at the legit-looking attachment.
> Our accounts users need read/write access to the C: drive of not only their computer but our RDS too, as they use Sage on both. This condition was directly from Sage themselves.
> Doesn't matter how many lockdowns you put in place, it still boils down to having a robust backup system... because humans will be humans.

So Evangelion was wrong to call the staff unspeakably stupid for opening a genuine-looking accounts email attachment?
 
Anyone using this:

https://www.fooli****.com/cryptoprevent-malware-prevention/

I had a scare earlier when looking at a 3rd-party Plex tool: their web server was hacked and gave me a load of pop-ups about cryptolocker.

Scanned with Malwarebytes and Avast, but after reading this I think running some sort of tailored protection would be wise.

Edit:

Ha, they should have picked a better domain; it's foolish it.com (no space).
 
Cheers Burnsy, I'll look into that.

The new server and setup was done by a small local IT firm and it's been a mess ever since tbh :mad:

Combined with every other staff member apart from myself being completely IT illiterate (and I'm only an enthusiastic amateur) I'm just waiting for the time our system comes crashing down round our ears from a virus :(

Every corporate domain that sends an email has something set up called an MX record; without that, most emails are automatically classed as spam. Your filtering should also look at the source IP address and perform a reverse DNS lookup; if the From field does not show the same domain as the lookup, it should also get binned. It's relatively simple, but really, if you are a small firm, you should probably be using the system you had before :( It will save you a few late evenings and maybe a weekend or two over the years.

Nox
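The two checks Nox describes (does the sending domain publish an MX record, and does the reverse DNS of the connecting IP fall in the same domain as the From address) can be expressed as a small filter rule. The following is an added example written for this thread, not code from anyone in it. The DNS lookups are injected as a callable so that the module runs offline against a constructed lookup table; every domain name and address in that table is made up (RFC 5737 documentation ranges and `.test` names). In production you would back `resolver` with a real DNS library (for instance dnspython) and feed it the connecting IP from the MTA.

```python
"""Sender-plausibility check: MX present for the From domain, and PTR of the
connecting IP in the same domain. Added example; the lookups are injected so
it runs offline against constructed data."""
import ipaddress
from typing import Callable, Dict, List, Tuple

# A resolver takes (name, record_type) and returns the answers ([] means no record).
# For PTR the constructed table is keyed by the IP string; a real resolver would
# query the reversed in-addr.arpa name instead.
Resolver = Callable[[str, str], List[str]]

# Constructed lookup table for the offline demo (hypothetical names and addresses).
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("example-accounts.test", "MX"): ["10 mail.example-accounts.test."],
    ("nomx.test", "MX"): [],                              # domain with no mail exchanger
    ("203.0.113.10", "PTR"): ["mail.example-accounts.test."],
    ("203.0.113.99", "PTR"): [],                          # connecting host has no PTR
    ("198.51.100.7", "PTR"): ["vps-7.cheaphost.test."],   # PTR in an unrelated domain
}


def fake_resolver(name: str, rtype: str) -> List[str]:
    """Offline stand-in for DNS; replace with a real resolver in production."""
    return FAKE_DNS.get((name, rtype), [])


def registered_domain(hostname: str) -> str:
    """Crude 'registered domain': the last two labels.
    Real filters use the Public Suffix List so that e.g. co.uk is handled."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def from_domain(from_header: str) -> str:
    """'Accounts <accounts@example-accounts.test>' -> 'example-accounts.test'."""
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rpartition("@")[2].lower()


def check_sender(from_header: str, source_ip: str,
                 resolver: Resolver = fake_resolver) -> Tuple[str, List[str]]:
    """Return ('accept' | 'suspicious', reasons) for one inbound message."""
    reasons: List[str] = []
    domain = from_domain(from_header)
    if not domain:
        return "suspicious", ["From header has no usable domain"]
    ipaddress.ip_address(source_ip)  # reject garbage before it reaches the resolver

    # Check 1: the claimed sending domain must publish an MX record.
    if not resolver(domain, "MX"):
        reasons.append(f"{domain} publishes no MX record")

    # Check 2: the connecting IP's reverse DNS must land in the From domain.
    ptrs = resolver(source_ip, "PTR")
    if not ptrs:
        reasons.append(f"{source_ip} has no reverse DNS")
    elif not any(registered_domain(p) == registered_domain(domain) for p in ptrs):
        reasons.append(f"reverse DNS {ptrs[0]} is not in {domain}")

    return ("suspicious" if reasons else "accept"), reasons


if __name__ == "__main__":
    # Constructed sample: one well-behaved sender and three that fail a check.
    samples = [
        ("Accounts <accounts@example-accounts.test>", "203.0.113.10"),
        ("Accounts <accounts@example-accounts.test>", "203.0.113.99"),
        ("accounts@example-accounts.test", "198.51.100.7"),
        ("Billing <billing@nomx.test>", "203.0.113.10"),
    ]
    for hdr, ip in samples:
        verdict, why = check_sender(hdr, ip)
        print(f"{ip:14} {verdict:10} {'; '.join(why)}")
```

One caveat a filter operator needs: a reverse-DNS mismatch is weak evidence on its own, because plenty of legitimate senders relay through third-party mail providers whose PTR records are in the provider's domain, not the From domain. The standardised way to tie a message to its claimed domain is SPF, DKIM and DMARC, so the verdict above is best used as a score input alongside those rather than as a hard bin.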
 
My post was aimed more at your apportioning of blame to the IT department.

Well, it could well be partly their fault. Unless this is some advanced virus that can exploit vulnerabilities in hardware etc., as mentioned by Rroff, then you'd have to ask why an ordinary user such as the accounts bod who opened it has write access to so much stuff.
 
It's all the crap about reducing helpdesk calls by letting the users do what they want, when they want which appears to mean lowering security or removing it completely to keep them happy.

It's an accident waiting to happen but until it happens we're just going to spread our legs and lay out the welcome mat.

It also opens your company up to running unlicensed software...

And it won't reduce help desk calls, quite the opposite. In my last place I stripped admin rights away from almost all people, and it reduced (eventually) the calls coming in by about 80%. It was a complete pita for about a month whilst I got all the niggles sorted though.

Nox
 
We're planning to get hit by this soon. My manager wants to empower our users by giving them admin rights to install what they want and unrestricted Internet access, because something called ITIL told him this would make him popular. I assume ITIL is some sort of reference to bending over and fisting yourself in the anus but haven't Googled it to find out.

Explain to him/her that there may be consequences for the actions of this. When it happens you can be the smug one 'I told you so'. :)

The place I used to work at got hit by it on a low amount, but speedy diagnostics stopped it in its tracks. I think out of 6000 workstations only 20 got hit. A quick implementation of policies and AV definitions sorted this out.
 
> Explain to him/her that there may be consequences for the actions of this. When it happens you can be the smug one 'I told you so'. :)

If his manager is such an ass he'll probably still be blamed for not implementing it right.
He needs to outline exactly what can go wrong and that he is powerless to prevent it.
 
Happened in the place where I work too. It was me who spotted it, but it was not me who fixed it, as we have a manager who is responsible for this sort of incident.

Luckily in our scenario only one department's drive got encrypted; not sure why it hasn't spread out to encrypt all drives/servers. Less than 500 GB of data, I think.

Data was restored from backup tapes.
 
> Luckily in our scenario only one department's drive got encrypted; not sure why it hasn't spread out to encrypt all drives/servers. Less than 500 GB of data, I think.

Older variants were very limited in terms of spreading and largely just infected the machine they were opened on, so not really a virus, just a trojan.

It's only recently that variants of cryptolocker-type malware have started to become more sophisticated in terms of trying to spread. The next generation of it is going to cause some pretty significant headaches for people in IT IMO, as it is becoming much more complex in terms of spreading in a LAN environment and hiding itself away to reinfect stuff later.

EDIT: If companies aren't already doing it, they might want to consider much more comprehensive audits of network-connected devices that have re-programmable firmware and OSes that can be repurposed, even stuff like managed switches, etc., and make sure they are up to date, with more thought put into isolating areas of the network like backups from users who could be a gateway for this kind of stuff (i.e. not assuming write privileges, or lack of them, are enough).
 
> So Evangelion was wrong to call the staff unspeakably stupid for opening a genuine-looking accounts email attachment?
In my opinion yes, absolutely. It's also NOT helpful.
If I'd have opened it and released the virus then I'd be the first to kick myself in the pants and call myself stupid. But for a non-IT person who would receive dozens of similar-looking emails per day, with pressure to action most of them in a short space of time? Then, as frustrating as it is for me (as I keep sending emails out asking people to be vigilant), even I can understand how it could get through.
As I said before, no matter how many systems you put in place, it only takes one human to press one button to screw the pooch, so to speak.
 
> In my opinion yes, absolutely. It's also NOT helpful.
> If I'd have opened it and released the virus then I'd be the first to kick myself in the pants and call myself stupid. But for a non-IT person who would receive dozens of similar-looking emails per day, with pressure to action most of them in a short space of time? Then, as frustrating as it is for me (as I keep sending emails out asking people to be vigilant), even I can understand how it could get through.
> As I said before, no matter how many systems you put in place, it only takes one human to press one button to screw the pooch, so to speak.

Thanks
 
Seems a strange approach. If I were a business the cost/benefit is highly in favour of paying the ransom and then upping security measures.
 
Whoa, hold on there horsey, I don't agree with your statement that the IT dept is at fault either.
This type of malware is created and distributed by people arguably more intelligent (and devious) than most. To point the finger at a person or dept just promotes a culture of blame.
I didn't mention this in my OP, but this is the 3rd time we'd been hit in the past 6 months. Each time the malware/virus was executed from a different user's account. Can't hang everyone... not enough rope.
 