CryptoLocker - New Ransomware

I did not experience that today with the Cryptolocker virus. The shadow copies were there but they were encrypted.


How can you be sure that the shadow copies were directly encrypted by the malware and not just copies of the encrypted files themselves after the malware encrypted the files?

Actually, what I would put my money on was that they weren't encrypted, but rather just 'corrupted' because Shadow Explorer 'found' them after VSSADMIN actually deleted them, which is why they weren't visible with Windows built-in Previous Versions. That makes more sense to me...

I'm only asking because I didn't think it possible to actually manipulate shadow copies directly - while they are still shadow copies. If it is, then I still don't think the malware is that sophisticated (it sure isn't as far as delivery method.) Thinking about it, if it was, then why would it need VSSADMIN in order to delete the shadow copies in the first place, if it could directly manipulate them to encrypt it could do the same to delete...

EDIT: The whole reason I'm pressing the issue is that I'm considering what blocking VSSADMIN as a preventative would do... though admittedly I still need to research if that would mess up the actual shadow copies getting created themselves or other potential side effects...
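Before deciding whether to block VSSADMIN outright, it is worth knowing whether it has actually been used against a machine and what shadow copies survive. The script below is an added example for this thread, not code from any of the posters or from a vendor: it pulls Windows process-creation audit events (Security event 4688) and reports any command line that invoked vssadmin to delete shadow copies, then lists the copies that still exist. It assumes the "Include command line in process creation events" policy is enabled (otherwise the CommandLine field is empty), PowerShell 3.0 or later, and an elevated session on the host being examined.

```powershell
# Added example, not from the thread. Detect shadow-copy deletion via vssadmin
# from Windows process-creation auditing, and list the shadow copies that remain.
# Assumes: Security event 4688 is logged and "Include command line in process
# creation events" is enabled (otherwise CommandLine is empty); PowerShell 3.0+;
# run elevated on the host being examined.

function Get-EventDataMap {
    # Turn the EventData section of an event record into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($field in $xml.Event.EventData.Data) { $map[$field.Name] = $field.'#text' }
    return $map
}

function Get-ShadowDeletionEvents {
    param([int]$Days = 14)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = Get-EventDataMap -Event $e
        $cmd  = $data['CommandLine']
        # vssadmin is the tool the thread names; match only the deletion verb so that
        # routine "vssadmin list shadows" calls from backup software are not reported.
        if ($cmd -and $cmd -match 'vssadmin(\.exe)?\s+delete\s+shadows') {
            [pscustomobject]@{
                Time          = $e.TimeCreated
                User          = $data['SubjectUserName']
                ParentProcess = $data['ParentProcessName']   # populated on Windows 10 / Server 2016 and later only
                CommandLine   = $cmd
            }
        }
    }
}

function Get-RemainingShadowCopies {
    # What "Previous Versions" can still draw on; an empty result after a deletion
    # event above is the tell that recovery will have to come from backups.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, InstallDate
}

# Usage:
Get-ShadowDeletionEvents -Days 14 | Format-Table -AutoSize
Get-RemainingShadowCopies | Format-Table -AutoSize
```

Detection of this kind carries none of the side-effect risk the post is worried about, and the second list answers the recovery question immediately: if the copies are gone, restoring from backup is the only route left.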
 
Are you checking and opening unknown and typically suspicious e-mail attachments from it? If not...I wouldn't be losing sleep over it.

No, but sometimes client files come into contact with it. I'm not going to lose any sleep, but I have been a bit slack with VM security, allowing certain VMs access to my business files when they really shouldn't.
 
How can you be sure that the shadow copies were directly encrypted by the malware and not just copies of the encrypted files themselves after the malware encrypted the files?

Actually, what I would put my money on was that they weren't encrypted, but rather just 'corrupted' because Shadow Explorer 'found' them after VSSADMIN actually deleted them, which is why they weren't visible with Windows built-in Previous Versions. That makes more sense to me...

I'm only asking because I didn't think it possible to actually manipulate shadow copies directly - while they are still shadow copies. If it is, then I still don't think the malware is that sophisticated (it sure isn't as far as delivery method.) Thinking about it, if it was, then why would it need VSSADMIN in order to delete the shadow copies in the first place, if it could directly manipulate them to encrypt it could do the same to delete...

EDIT: The whole reason I'm pressing the issue is that I'm considering what blocking VSSADMIN as a preventative would do... though admittedly I still need to research if that would mess up the actual shadow copies getting created themselves or other potential side effects...

Nick,

Please check the PM I sent you the other day.

Does it make any sense?

I don't want to post it, (for obvious reasons), but if you do, bring it out for discussion.

Harold
 
How can you be sure that the shadow copies were directly encrypted by the malware and not just copies of the encrypted files themselves after the malware encrypted the files?
I believe the malware did it because the virus onset was at 10:40 AM the day I received the PC (I picked it up at 3 PM 11/07/13) and the built-in timer that CL uses agreed with that. All the system restore points were from October (a week or more before the CL attack).

The Shadow Explorer program showed 3 or 4 restore points (I didn't record exactly how many on my work order) from October 31 to October 12 (if I recall correctly). So I used Shadow Explorer to recover each of the data sets from those restore points to separate folders on an external HDD while the PC was detached from the LAN. Shadow Explorer allows you to browse folders and right click and export by folder. According to the Bleeping Computer article, CL would not encrypt files while the PC was disconnected from the Internet (but who knows).

All of the data from those 3 or 4 restore points were behaving exactly like the original data set on the affected PC: Word and Excel would complain when trying to open a given file that the format was incorrect and if you proceeded to open it the documents were random letters and extended characters. Same with Excel. Encrypted jpgs did not have the thumbnail but just an orange flower and generated the same file read error.

When I tried using Windows Explorer's built-in restore file feature "Restore Previous Versions" it saw zero previous versions of files for any of the files on the PC. In other words it was blind to the fact that there were 3 or 4 restore points. So I could not restore any files with Windows Explorer.

Side note: I also noted that any files where the customer double-downloaded photos into a folder and the photos had file names like: "photo001.jpg" and an identical photo named "photo001(2).jpg" the one with brackets was NOT encrypted. He had tons of photos in multiple directories that were NOT encrypted if they had brackets in the file name. Thought that was interesting. I guess if you wanted to you could rename all the files on your PC to have brackets in them and they might not get encrypted by CL? lol

 
I submitted the threats Malwarebytes found to Virustotal before I removed them and it was interesting (shocking in a few cases) to note that the following AV companies had green check marks next to the threats (did not detect a problem): Clam AV, BKAV, ByteHero, Baidu-Int'l, CAT-QuickHeal, nProtect, Rising, TheHacker, SuperAntiSpyware (wow), and F-Prot.

All other virus companies showed the files as threats.

 
it was interesting (shocking in a few cases) to note that the following AV companies had green check marks next to the threats (did not detect a problem): Clam AV, BKAV, ByteHero, Baidu-Int'l, CAT-QuickHeal, nProtect, Rising, TheHacker, SuperAntiSpyware (wow), and F-Prot.

All other virus companies showed the files as threats.


Quite a lot of bad ones in that list... well, I don't know all of them, but the ones I do know are bad.
 
For your info, the current versions of cryptolocker have hard coded handling specifically for ????????.jpg, ????????.jpe and not the generic *.jpg that you may have expected.
This appears to be a deliberate ploy to avoid destroying the windows wallpapers thus alerting the user to a problem. <- just my theory.

Current search criteria order
Code:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, 
*.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, 
*.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, 
*.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, 
*.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, 
*.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, 
*.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, 
*.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, 
*.pfx, *.p12, *.p7b, *.p7c

Where did you read that?

Edit: Oh, I see it... that's odd. I do not know its purpose... wallpaper is unlikely to be the reasoning.
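The pattern list above is easiest to reason about by running names through it. The script below is an added example for this thread, not code from any poster: it loads the quoted search criteria and matches file names with PowerShell's -like operator, which uses the same wildcard semantics as Windows (* for any run of characters, ? for exactly one, case-insensitive), and adds a small inventory function that counts, by extension, which files under a path would be targeted, which is useful for deciding what must be in the backup set. The sample file names are constructed; the one with a bracketed suffix shows why "????????.jpg" matches an eight-character name but not an eleven-character one, which is at least consistent with the earlier post's observation about "photo001(2).jpg" surviving. Assumes PowerShell 3.0 or later (for the -File switch).

```powershell
# Added example, not from the thread. Demonstrates how the quoted search criteria
# behave under Windows-style wildcard matching and inventories a path against them.
# Assumes PowerShell 3.0+ (Get-ChildItem -File).

$CryptoLockerPatterns = @(
    '*.odt','*.ods','*.odp','*.odm','*.odc','*.odb','*.doc','*.docx','*.docm',
    '*.wps','*.xls','*.xlsx','*.xlsm','*.xlsb','*.xlk','*.ppt','*.pptx',
    '*.pptm','*.mdb','*.accdb','*.pst','*.dwg','*.dxf','*.dxg','*.wpd',
    '*.rtf','*.wb2','*.mdf','*.dbf','*.psd','*.pdd','*.eps','*.ai','*.indd',
    '*.cdr','????????.jpg','????????.jpe','img_*.jpg','*.dng','*.3fr',
    '*.arw','*.srf','*.sr2','*.bay','*.crw','*.cr2','*.dcr','*.kdc','*.erf',
    '*.mef','*.mrw','*.nef','*.nrw','*.orf','*.raf','*.raw','*.rwl','*.rw2',
    '*.r3d','*.ptx','*.pef','*.srw','*.x3f','*.der','*.cer','*.crt','*.pem',
    '*.pfx','*.p12','*.p7b','*.p7c'
)

function Test-CryptoLockerTarget {
    # Returns the first pattern (in the list's order) that a file name matches, or $null.
    # -like is case-insensitive, as NTFS name matching is; '?' matches exactly one character.
    param([Parameter(Mandatory)][string]$Name)
    foreach ($p in $CryptoLockerPatterns) {
        if ($Name -like $p) { return $p }
    }
    return $null
}

function Get-TargetedFileSummary {
    # Count, by extension, the files under $Path that match any pattern.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { Test-CryptoLockerTarget -Name $_.Name } |
        Group-Object Extension |
        Sort-Object Count -Descending |
        Select-Object @{n='Extension';e={$_.Name}}, Count
}

# Constructed sample names (not from the thread's case). Expected results:
#   photo001.jpg      -> ????????.jpg   (exactly eight characters before .jpg)
#   photo001(2).jpg   -> (none)         (eleven characters; the bracketed-copy case)
#   img_20131107.jpg  -> img_*.jpg
#   Wallpaper-01.jpg  -> (none)         (twelve characters, no img_ prefix)
#   Budget2013.XLSX   -> *.xlsx         (case-insensitive; *.xls does not match)
#   webserver.pfx     -> *.pfx
#   readme.txt        -> (none)
$samples = 'photo001.jpg','photo001(2).jpg','img_20131107.jpg',
           'Wallpaper-01.jpg','Budget2013.XLSX','webserver.pfx','readme.txt'
foreach ($n in $samples) {
    $m = Test-CryptoLockerTarget -Name $n
    '{0,-20} -> {1}' -f $n, $(if ($m) { $m } else { '(none)' })
}

# Usage against a real path (placeholder):
# Get-TargetedFileSummary -Path 'D:\ClientData' | Format-Table -AutoSize
```

Note that the list ends with certificate and key-container formats (*.pfx, *.p12, *.pem and so on), so a summary that shows those extensions on a share is a prompt to check where private keys are stored, not just documents.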
 
Cryptolocker attacks servers, at least originally, and that is where I've jousted with it.

Disinfection can be easy but beware of leftovers, that reactivate later.
There were some autorun.ini files sprinkled about the network shares, calling

'tooiko.exe'

and dated the same as the original attack (early October 2013).
They re-emerged a couple of weeks later and more files (MS Office) were encrypted.

I have a copy of 'tooiko.exe', which I sent to Avast, but haven't heard back.
There is nothing on the net about it.

Cryptoguard does not list servers and has another potential problem.

I think it uses the same technology as Avast behaviour shield/script shield, and this goes bananas with the legitimate management software the client is running.

The attack cost a deal of data loss (the client didn't pay) but has prompted him to accept proper backup procedures, which is still the best answer so far.
 
Has anyone seen a network share become encrypted, but not found any workstations to be infected with the virus?

I have a client who is showing clear signs of the CL virus. Data on a network share on the server has all the right filetypes corrupt or unreadable.

I have checked every computer and there is no CL virus and no one has reported a CL pop up. Is it possible that a computer was infected, perhaps running the encryption over night, and their A/V ran a scheduled scan and removed it quietly?

Other possibility I can see is BYOD that is infected, hops on the wireless then disappears when it is brought home.
 
Has anyone seen a network share become encrypted, but not found any workstations to be infected with the virus?

I have a client who is showing clear signs of the CL virus. Data on a network share on the server has all the right filetypes corrupt or unreadable.

I have checked every computer and there is no CL virus and no one has reported a CL pop up. Is it possible that a computer was infected, perhaps running the encryption over night, and their A/V ran a scheduled scan and removed it quietly?

Other possibility I can see is BYOD that is infected, hops on the wireless then disappears when it is brought home.

Depending on the version of the virus, you can look at the properties of the folder that got encrypted and look at the owner. At one point that was one way to identify who got infected. With newer versions, it isn't so easy.

So if that doesn't help, I would run the cryptolist program from bleeping computer on each workstation. If it comes out positive on any of them, then that is your culprit.
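The owner check above can be done across a whole share rather than folder by folder. The script below is an added example for this thread, not code from the poster or from Bleeping Computer: it walks a share, keeps files written since the start of the suspected window, reads each file's NTFS owner, and groups the results so the account that did the writing (and the earliest and latest write times) stand out. It assumes PowerShell 3.0 or later and read access to the share, and it relies on the encrypting process having created new files, which take the writer as owner; where files were rewritten in place the owner is unchanged and, as the reply says, this method tells you nothing. The share path is a placeholder.

```powershell
# Added example, not from the thread. Triage an encrypted share by grouping
# recently written files by NTFS owner. Assumes PowerShell 3.0+ and read access;
# only useful where the encrypting process created new files (owner = writer).

function Get-RecentWritersByOwner {
    param(
        [Parameter(Mandatory)][string]$SharePath,   # e.g. \\FILESERVER\Data (placeholder)
        [Parameter(Mandatory)][datetime]$Since       # start of the suspected window
    )
    Get-ChildItem -LiteralPath $SharePath -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Owner    = $(if ($acl) { $acl.Owner } else { '(unreadable)' })
                Path     = $_.FullName
                Modified = $_.LastWriteTime
            }
        } |
        Group-Object Owner |
        Sort-Object Count -Descending |
        Select-Object @{n='Owner';e={$_.Name}},
                      Count,
                      @{n='FirstWrite';e={($_.Group | Sort-Object Modified | Select-Object -First 1).Modified}},
                      @{n='LastWrite'; e={($_.Group | Sort-Object Modified | Select-Object -Last 1).Modified}}
}

# Usage (run on or against the file server; share path is a placeholder):
Get-RecentWritersByOwner -SharePath '\\FILESERVER\Data' -Since (Get-Date).AddDays(-3) |
    Format-Table -AutoSize

# On Server 2012 or later, Get-SmbSession lists the client computer behind each
# account's open session, which turns the owner name into a workstation to check.
```

FirstWrite is the more useful column of the two: it gives the moment encryption started on the share, which is what you need when matching against logon records or deciding which backup to roll back to.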
 
Another prevention kit...described as full of features, GPO friendly
http://community.spiceworks.com/topic/396103-cryptolocker-prevention-kit-updated

I used this early on. It works. The only problem is that it blocks too much. We found we have to remove the GPO entirely in order to update 3rd party apps or even uninstall some apps from appwiz. I was converting a Zenith BDR to a Datto appliance and had to remove the Zenith installed Shadowprotect. I opened appwiz, clicked uninstall and saw nothing on the screen. It took me about 5 minutes before I thought to myself, I wonder if... sure enough, removed the GPO, Shadowprotect uninstalled.
 
Has anyone seen a network share become encrypted, but not found any workstations to be infected with the virus?

I have a client who is showing clear signs of the CL virus. Data on a network share on the server has all the right filetypes corrupt or unreadable.

I have checked every computer and there is no CL virus and no one has reported a CL pop up. Is it possible that a computer was infected, perhaps running the encryption over night, and their A/V ran a scheduled scan and removed it quietly?

Other possibility I can see is BYOD that is infected, hops on the wireless then disappears when it is brought home.

The virus screen does not pop up immediately upon infection. And I have seen several discussions about the machine being infected for quite a few days before the virus announced itself. I would say that a machine became infected and encrypted the shares, but was then taken out by antivirus. Have you checked the AV logs/quarantines?
 
The virus screen does not pop up immediately upon infection. And I have seen several discussions about the machine being infected for quite a few days before the virus announced itself. I would say that a machine became infected and encrypted the shares, but was then taken out by antivirus. Have you checked the AV logs/quarantines?

Yep- you nailed it. I believe that the A/V was possibly suppressing the window from popping up on the infected workstation, but fortunately did not delete the program.

I sent a company wide email and let as many people know in person as I could - if you see anything even remotely similar to "crypto or cryptolocker" to notify me immediately.

"Fortunately" the screen popped up on a machine. They had a good deal of data on their desktop and C:, no backup of that workstation, everything encrypted. The virus must have been running for a few days as I had to revert back to a Sunday backup on the server.

Man, did it irk the hell out of me to call them up and recommend that we pay the $300. Yuck. I am still angry about it. $304.95 later, a few hours of nervously checking in on the workstation, and it is now successfully decrypting the mapped drive and the workstation. Prior to running it I restored the backup that I had made immediately when we found the problem. Strange feeling, purposely restoring the encrypted files! What a nightmare.

I have pitched a good managed A/V (GFI) and a UTM to these guys before without too much interest. Hopefully now they go for it! It most likely came in through email, so it's time for a good filtering service as well.

This is a good reason for a client to step away from break/fix and move toward MSP.
 
I wonder how much money these crooks have made.
And where are they? Russia? China? Could someone in the US pull this off?
I wonder if the FBI is hot on their trail or if it's a cold case.
 
I would guess they have made huge heaps of money. They are probably MoneyPak's largest client!

Does anyone have any experience with UTM appliances successfully blocking these from coming in, or at least blocking the CL program from obtaining the encryption key portion from the internet server?

Does a UTM do much if there's an Exchange server behind it? Guessing most of these CLs are coming from the fine folks at "UPS" and the FakeEX tracking department.
 
The unit this week kept blocking the payment verification server. I had to throw the infected machine into a DMZ so it would authorize and decrypt the files.
 