CryptoLocker - New Ransomware

This really makes it worse. I've been advising clients on email best practices to prevent this virus. Now that's not good anymore. I hope the A/Vs can stop this from removable drives. I wonder if the various prevention tools out there are still going to work on this variant.
 
CryptoPrevent from FoolishIT has been added to Continuum's scripts library. No need to do a custom download script for Continuum users. They have 3 scripts: an install with reboot, an install without reboot, and an uninstall without reboot.

We had a user infected with CryptoLocker for the second time. Once in early November and once last week. After we cleaned the infection the first time we told the person they needed a backup. The laptop was a hand-me-down from another employee and was never really set up for the new employee. They were still using the old employee login and Outlook PST. Someone in the company just removed the old user's email account and added the new employee's email account. When I recommended the backup I also recommended a wipe and reload on the laptop since it was previously used by two other employees. The owner declined. The sad thing is, this user is the HR person for a 30+ employee company. Nuts! When they were infected a second time and lost all of her files AGAIN, they still declined to do anything related to backup or cleaning the machine. This time the employee admitted to opening an ADP payroll zip file from her email. I also recommended they ditch the lousy POP email service with zero filtering and get something better. No word yet. The other wacky thing is this company has a terminal server that everyone is supposed to use for documents. We have a Datto box on the servers so her files would have been recoverable.
Plus, there is no email or browser access on the server. Oh well.
 
Does anyone know if a backup to an external drive using the built-in Win7 backup program is vulnerable to CryptoLocker? What about other backups from other software publishers?

TIA
 
Yes, it is.

Any drive connected to the computer is vulnerable. It's taken me almost 2 weeks to deal with a CryptoLocker infection because it hit their Carbonite.

What you need to keep them protected is an online storage that uses versioning.

SOS online backup is one like that. I can shoot you a 10GB 1 month trial if you want to have a look.
 
This is what I got today. I didn't open it on my system (you crazy!!!). No, I launched one of our Windows 7 VMs and wham, bam... she's infected. Just thought some might be interested in it. The attachment name and who it is from should be flagged.

In case it is hard for you to see... which it probably is...

From: HSBC Bank <info@hsbc.co.uk>
Subject: Payment

Attachment name: BANK TT COPY (2).rar
 
Attachment: cryptolocker2.gif
I like launching questionable attachments in VMs to see what it is. It comes in handy when it comes to virus removal sometimes, because I'll have a fresh VM and see all the little nasties it adds and what things like JRT and MBAM detect and remove.
 
"Does anyone know if a backup to an external drive using the built-in Win7 backup program is vulnerable to CryptoLocker?"

Last I heard, CryptoLocker only encrypts certain file types and backup archives typically weren't affected.
 
"This is what I got today. I didn't open it on my system (you crazy!!!). No, I launched one of our Windows 7 VMs and wham, bam... she's infected. Just thought some might be interested in it. The attachment name and who it is from should be flagged.

In case it is hard for you to see... which it probably is...

From: HSBC Bank <info@hsbc.co.uk>
Subject: Payment

Attachment name: BANK TT COPY (2).rar"

A .rar file! It's definitely evolving to get past the zip attachments scanning and blocking. Trouble is for them, it greatly reduces the number of end users that can open it.

I believe soon it will target backup files too. But isn't the actual Windows backup file protected?
 
"Does anyone know if a backup to an external drive using the built-in Win7 backup program is vulnerable to CryptoLocker? What about other backups from other software publishers?

TIA"

In this thread http://www.technibble.com/forums/showthread.php?t=54356
I am trying to figure out how to prevent CryptoLocker from gaining access to a backup drive/share/local folder etc. by running backups as another, not-logged-in user. The folder will have NTFS permissions set to allow only the special Backup user.

I have gotten almost to the point where I can do what I want but still not quite there.

I would be happy for any collaboration on the mission! :)
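One way to build the setup described in the post above (a dedicated backup account that is the only one allowed into the backup folder, with the backup job running under that account rather than the logged-in user). This is an added example, not the poster's script or the script from the linked thread; the account name, folder and job script path are assumptions, and it uses the built-in `net user`, `icacls` and `schtasks` tools so it works on Windows 7 era machines.

```powershell
# Added example: dedicated backup account + exclusive NTFS rights on the backup folder
# + scheduled task running as that account. Names and paths below are assumptions.

$BackupUser = 'svcBackup'                  # hypothetical dedicated local account
$BackupRoot = 'D:\Backups'                 # hypothetical backup destination
$BackupJob  = 'C:\Scripts\RunBackup.cmd'   # hypothetical script (robocopy, wbadmin, ...)

# 1. Create the account. "net user <name> *" prompts for the password so it is
#    never written into this script. The account never needs an interactive logon.
net user $BackupUser * /add /passwordchg:no /expires:never

# 2. Lock the folder down: drop inherited ACEs, then grant ONLY SYSTEM, the local
#    Administrators group and the backup account. (OI)(CI) = apply to files and
#    subfolders; F = full, M = modify. The everyday user is deliberately absent,
#    so a process running in that user's session cannot open, write or delete here.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
icacls $BackupRoot /inheritance:r
icacls $BackupRoot /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "${BackupUser}:(OI)(CI)M"

# 3. Protect the job script itself the same way, so only admins can change what
#    runs under the backup account.
icacls $BackupJob /inheritance:r
icacls $BackupJob /grant:r "SYSTEM:F" "Administrators:F" "${BackupUser}:RX"

# 4. Register the backup as a daily task that runs as the backup account.
#    /ru sets the run-as user; with /rp omitted, schtasks prompts for its password.
#    /rl limited keeps the task at a non-elevated token.
schtasks /create /tn "NightlyBackup" /tr $BackupJob /sc daily /st 02:00 /ru $BackupUser /rl limited /f

# 5. Verify: the folder ACL should list exactly three principals, and the task
#    should show "Run As User" = svcBackup.
icacls $BackupRoot
schtasks /query /tn "NightlyBackup" /v /fo list
```

Two checks worth doing after running this: confirm the everyday user account is not a member of the local Administrators group, because an admin-level process can simply take ownership of the folder and the ACL buys nothing; and if the task logs a logon failure on its first run, make sure the backup account holds the "Log on as a batch job" right (secpol.msc, User Rights Assignment), which Task Scheduler normally grants when the task is registered with an explicit run-as user.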
 
"I believe soon it will target backup files too. But isn't the actual Windows backup file protected?"

The user can't open the archive unless they take ownership, afaik.

I think the problem it has with backups is the size. It can hit a lot of .doc, .xls, etc. quickly without raising eyebrows until it's too late. Tens or hundreds of GB, that's going to drag the system down to encrypt that much and erase the original.
 
fyi, I was able to save a client's files without paying the ransom. This virus is legit and does exactly what it says and even takes over files on network shares etc. If your client uses backup like Carbonite, it actually does cause a 'change' in the file which means it causes the file to be backed up again. If your client is running something like Carbonite you can go back and restore a previous revision (right click on it and go to the Carbonite tab). This process *SUCKS*, it takes forever, but you can get 99-100% of your files back without losing them.
 
Does anyone have a link to download the scanning tool that lists the encrypted files? The source link is below, but the download links to a Dropbox download that errors out when I try to download.

http://omnispear.com/tools/cryptolocker-scan-tool

A friend has an SMB client with 10 infected machines. Fortunately their server is backed up with Shadow Protect and all workstations are set up with folder redirection. Heck of a way to start the weekend.
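A way to build your own list of encrypted files for the restore job while the tool download is broken: CryptoLocker overwrites documents in place and keeps the file name, so an encrypted .docx or .pdf still carries its old extension but no longer starts with the byte signature that format has. The script below walks a folder tree and reports every file whose header does not match its extension, with its last-write time, which is exactly the list you need to pick the right pre-infection revision in Carbonite, ShadowProtect or Windows Backup. This is an added example, not the omnispear tool; the signature table comes from the published file formats, and the scan root and output path are assumptions.

```powershell
# Added example: list files whose content no longer matches the signature their
# extension implies (what an in-place encrypted document looks like).
# Scan root and output path are assumptions; adjust to the client's layout.

# First bytes (hex) each format is required to start with.
$Signatures = @{
    '.pdf'  = @('25504446')              # %PDF
    '.docx' = @('504B0304')              # ZIP container (Office Open XML)
    '.xlsx' = @('504B0304')
    '.pptx' = @('504B0304')
    '.zip'  = @('504B0304')
    '.doc'  = @('D0CF11E0A1B11AE1')      # OLE compound file (legacy Office)
    '.xls'  = @('D0CF11E0A1B11AE1')
    '.ppt'  = @('D0CF11E0A1B11AE1')
    '.jpg'  = @('FFD8FF')
    '.jpeg' = @('FFD8FF')
    '.png'  = @('89504E470D0A1A0A')
    '.gif'  = @('47494638')
}

# Read the first $Count bytes of a file as an upper-case hex string.
function Get-HeaderHex {
    param([string]$Path, [int]$Count = 8)
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] $Count
        $n = $fs.Read($buf, 0, $Count)
        if ($n -eq 0) { return '' }     # zero-byte file: no header at all
        return (($buf[0..($n - 1)] | ForEach-Object { $_.ToString('X2') }) -join '')
    } finally { $fs.Close() }
}

# Walk the tree and emit one object per file whose header fails the check.
function Find-SuspectFiles {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
      Where-Object { $Signatures.ContainsKey($_.Extension.ToLower()) } |
      ForEach-Object {
        $hex = Get-HeaderHex -Path $_.FullName
        $ok  = $false
        foreach ($sig in $Signatures[$_.Extension.ToLower()]) {
            if ($hex.StartsWith($sig)) { $ok = $true; break }
        }
        if (-not $ok) {
            [PSCustomObject]@{
                Path     = $_.FullName
                Modified = $_.LastWriteTime   # clusters around the infection window
                Size     = $_.Length
                Header   = $hex
            }
        }
      }
}

# Usage (assumed paths): scan the profiles, sort by modification time so the
# infection window stands out, and write the list for the restore job.
Find-SuspectFiles -Root 'C:\Users' |
    Sort-Object Modified |
    Tee-Object -Variable suspects |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\suspect-files.csv"

"{0} suspect files written to {1}" -f $suspects.Count, "$env:TEMP\suspect-files.csv"
```

Expect a handful of false positives (files that were never really the format their extension claims, or zero-byte placeholders), so treat the list as a restore worklist rather than proof. The Modified column is the useful part: genuine hits bunch tightly into the hour or two the infection ran, which tells you which backup revision to roll back to and which files it never reached.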
 
I went back later and it was working. I guess Dropbox was having issues.

Edit: The friend I was helping has another client infected with CryptoLocker. They have a Sonicwall but did not have the gateway AV subscription. This will be his 2nd weekend in a row cleaning and restoring. We had a small client infected this week as well. Fortunately we had Ghost backing up workstations to a NAS and were able to recover files.
 