Workplace hit by cryptolocker virus

Have a read about pass-the-hash exploits, basically if any admin account has logged into a PC then its hash is stored and can be cracked within seconds. Pretty much every Windows OS is vulnerable although Windows 10 has Credential Guard to mitigate it which looks quite good.
 
Great news, someone has run the new Zepto ransomware on their PC.

A fun afternoon coming up.


:D :D :D
 
Worst "I'll go home while IT fix my PC" excuse ever :) Bet it wouldn't have been run if the weather outside was bad.

Well it looks like it's actually been running since late yesterday evening.

Just looked at their profile and every file is .zepto... how they have been doing 'work' today I don't know.



:D :D
 
We had an area manager hit with the Zepto the other day, it encrypted all their local files and their personal network storage, luckily it was stopped before it hit the public network drives and the ones the user had permission to access. Potentially devastating!! :eek:
 
Different person but it's Zepto again.


Weirdly this one has been going through the network folder to stuff which they don't have access to.

The previous Zepto and the other cryptolocker I've seen here only were able to do the folders the user had permissions to access.
 
Aaaand......we got hit again last Friday. Some klutz clicked on something and we got the [email protected] cryptolocker.
Weird thing though, there was no text file demanding a ransom. Luckily we caught it early enough, it had only gotten through letters A-C on the folder structure. Our backup had everything back up prior to Monday morning, and we only lost an hour of saved data.
People will truly never learn.
4 times this year, different users we think, although the 3rd one was when I was on holiday and I think that maybe this is a variant of that as I found some encrypted files on our backup from that date back in June.
 

4 times in a year? Without sounding rude, your workforce are either clueless or idiots. You would have thought after the first one people would know not to click on iffy looking links from iffy looking emails, or is that just me?
 
There are a number of firms that will provide you with phishing detection training, including periodic tests, for a reasonable fee. Check it out.

The other major defense against this type of thing is to use a cloud email filtering technology, again fairly reasonably priced.

Mimecast is good for this sort of thing.
 
We got hit about 4 months ago due to someone opening an attachment. Luckily I was in that day and stopped it before things got out of hand.

I did a fair bit of research and spent time looking at ways to prevent it happening again, at least at the server level, and implemented the following on all servers. Really impressed.

https://community.spiceworks.com/how_to/100368-cryptolocker-canary-detect-it-early

I ended up writing a PowerShell script to implement it on all my other servers quicker.
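An added example of the canary idea from the post above, written here as illustration and not the poster's own script or the Spiceworks how-to's code. It assumes hypothetical share roots and a hypothetical state file path, and that an event log source called CanaryMonitor has been registered.

```powershell
# Added example: canary files that reveal encryption sweeps early.
# Assumptions (not from the thread): hypothetical share roots and state path.
$ShareRoots = @('D:\Shares\Finance', 'D:\Shares\Projects')
$StateFile  = 'C:\ProgramData\Canary\state.json'

function New-CanaryFiles {
    # Drop an innocuous-looking document at the top of each share, named so an
    # alphabetic sweep (like the A-C sweep described above) reaches it first.
    $state = @{}
    foreach ($root in $ShareRoots) {
        $path = Join-Path $root '_aaa_budget.docx'
        Set-Content -Path $path -Value ("CANARY " + [guid]::NewGuid()) -Encoding UTF8
        $state[$path] = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
    $state | ConvertTo-Json | Set-Content -Path $StateFile
}

function Test-CanaryFiles {
    # Returns the canaries that were modified, renamed away or deleted, plus
    # any whose folder now contains a .zepto sibling (the extension named above).
    $state = Get-Content -Raw -Path $StateFile | ConvertFrom-Json
    $tripped = @()
    foreach ($prop in $state.PSObject.Properties) {
        $path = $prop.Name
        $dir  = Split-Path $path
        if (-not (Test-Path -LiteralPath $path)) { $tripped += $path; continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $prop.Value) { $tripped += $path; continue }
        if (Get-ChildItem -LiteralPath $dir -Filter '*.zepto' -File -ErrorAction SilentlyContinue) {
            $tripped += $path
        }
    }
    return $tripped
}

function Invoke-CanaryResponse {
    # Close the SMB sessions holding files under a tripped canary's folder, then
    # log an event. This limits spread rather than identifying the variant.
    $tripped = Test-CanaryFiles
    if (-not $tripped) { return }
    foreach ($path in $tripped) {
        $dir = Split-Path $path
        Get-SmbOpenFile | Where-Object { $_.Path -like "$dir*" } |
            ForEach-Object { Close-SmbSession -SessionId $_.SessionId -Force }
    }
    Write-EventLog -LogName Application -Source 'CanaryMonitor' -EventId 9001 `
        -EntryType Error -Message ("Canary tripped: " + ($tripped -join ', '))
}
```

Run New-CanaryFiles once per server and schedule Invoke-CanaryResponse every minute or so; the closed sessions and the event log entry point at the user whose machine needs pulling off the network.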
 
4 of our clients have been hit by cryptolocker variants - the 4 clients that ignored our advice re. using OpenDNS Umbrella in addition to the usual anti-virus and mail filtering solutions. It's not foolproof, but in my experience it's the single most effective protection against this kind of virus.
 
We use OpenDNS too, but it does nothing to stop idiots clicking attachments in emails sadly.
Most of the cryptolocker variants are zero day viruses so there's little you can do to detect them. Just damage limitation with a bullet-proof backup system.
 
May be worth looking at:

https://www.nomoreransom.org

Law enforcement and IT Security companies have joined forces to disrupt cybercriminal businesses with ransomware connections.

The “No-More-Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and Intel Security – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

Since it is much easier to avoid the threat than to fight against it once the system is affected, the project also aims to educate users about how ransomware works and what countermeasures can be taken to effectively prevent infection. The more parties supporting this project the better the results can be. This initiative is open to other public and private parties.

May help some people if they don't have decent backups.
 

Time for management to amend contracts and class anyone who clicks on this **** as guilty of gross negligence.
 
Once you get it restored it's time to look at the rights that user had; no way it should have spread that widely from one user.

I was just thinking that. Surely a non-admin user couldn't infect so much...?

e: three hours later I've read the whole thread. Nasty.
 