!PSA! CryptoLocker Ransom-ware virus

MODS: Please feel free to edit/delete this post if it is out of place.

Guys/Gals,

I work in IT, and feel the need to spread the word along to others. We have seen customers infected with this new type of malicious software. We personally have not seen anything we cannot fix (regarding viruses) in maybe 10 or 15 years. However, this new trick has really screwed over some people/companies, and the only fix we have seen has been restoring backups.

Brief summary:
An email will come in to someone within your network (the one we have seen has been with regards to a payroll service) with an attachment (usually PDF). This individual will open the attachment and catch a bunch of junk on the screen (or nothing happens at all), while in the background a "Ransom-Ware" infection installs on the client machine and begins its work to encrypt the local user profile's documents, pictures, etc. This software will also reach out to any mapped network drives (or servers) and begin encrypting the files there as well.

The Encryption:
The ransom-ware will encrypt certain files using a mixture of 2048-bit RSA and AES encryption keys.

The Ransom:
When the encryption process has finalized its task, the user who infected everything will begin seeing a display stating that "Your personal files are encrypted" and to send a ransom of either $100 or $300 for it to decrypt said files. (It will provide you with a list of the files and the drive of each individual file that has been encrypted.)

The Catch:
You have 72 hours to pay the ransom to decrypt your files, once you have seen the big red screen stating that "Your personal files are encrypted". If you let the timer run out and have not paid the ransom, their server will remove the key, and all hope is lost.

If you pay the ransom:
Good news is, if you get this, and actually pay (don't pay with a personal CC. Go get a prepaid card), these scumbags have actually followed through and decrypted your files. Some reports have said that there were a few errors decrypting some files, and those were lost. But so far nothing we have read has had any complaints saying that they ran off with the money. The process of paying the ransom apparently takes about 4 hours before they verify and begin the decryption process. The decrypt process I imagine would take quite a lot of time.

The fix:
We personally have what's called a Backup Disaster Recovery setup on our clients, so we are able to flash them back to a point before the encryption, and move on with life, while we wipe and restore the infected workstation. A link that I will provide (mods please PM if I need to edit the link or remove it) shows another way for people running Windows 7 and up (or anyone with Volume Shadow Copy enabled on their computer) to restore a "previous version" of the selected file. Otherwise, you will have to resort again to a previous backup.

Prevention:
This issue has been out now for about 4 weeks. Most antivirus companies have updated their software to stop the encryption process. You will however still get the software and it will install; there just won't be anything happening after that point, until the software gods figure out a way to hunt this down and remove it. Most enterprise antivirus companies have not had an update for this, so it is recommended that the network admins force some strong Group Policy, or local policy, procedures. (That can all be found in the link provided below.)

This thing has been a real pain in the butt, folks. I don't wish this damn thing on anyone I know. We have gained a few customers with this thing out, but unfortunately they were left up to some horrible IT practices before, and lost valuable data. So everyone please be aware that this thing is out, and honestly causing problems. Please make sure you are updated on all your security updates. If you do not have an antivirus, Microsoft provides a free one called "Microsoft Security Essentials" and it has been updated to help prevent this thing from happening. Again, that is free.

Links: (Please be cautious when clicking on links outside of the BOTL.org website)
1. Nerd link for a much more descriptive and updated status of this CryptoLocker.

2. Microsoft Security Essentials

Best of luck to everyone on the network! And please forgive any grammar and spelling issues. I wrote this quickly...

-Chrisso
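The "previous version" recovery described under "The fix" can also be done from a script when many files are hit. The following is an added example, not part of Chrisso's post or the linked article: it lists the Volume Shadow Copies of a volume and copies every snapshot's copy of one file into a separate folder, so you can pick the one taken before the encryption started. It assumes Windows 7 or later with System Protection (VSS) enabled, an elevated PowerShell 3.0+ session on the machine that owns the volume, and placeholder file and folder names.

```powershell
# Recover pre-encryption copies of one file from Volume Shadow Copies.
# Assumptions: elevated PowerShell 3.0+, VSS snapshots exist for the volume.
# $FilePath and $RestoreTo are placeholders; change them for your environment.
param(
    [string]$FilePath  = 'C:\Users\user\Documents\payroll.xlsx',
    [string]$RestoreTo = 'C:\Recovered'   # keep the encrypted original untouched
)

$driveLetter = Split-Path -Qualifier $FilePath                # 'C:'
$relPath     = $FilePath.Substring($driveLetter.Length + 1)   # 'Users\user\Documents\payroll.xlsx'
$volumeId    = (Get-CimInstance Win32_Volume |
                Where-Object DriveLetter -eq $driveLetter).DeviceID   # '\\?\Volume{...}\'

# Snapshots of that volume, oldest first, so the output reads like a timeline.
$shadows = Get-CimInstance Win32_ShadowCopy |
           Where-Object VolumeName -eq $volumeId |
           Sort-Object InstallDate
if (-not $shadows) { throw "No shadow copies exist for $driveLetter; restore from backup instead." }

New-Item -ItemType Directory -Path $RestoreTo -Force | Out-Null
foreach ($sc in $shadows) {
    $stamp = $sc.InstallDate.ToString('yyyyMMdd_HHmmss')
    # Expose the snapshot through a temporary directory symlink. The trailing
    # backslash after the device object path is required for mklink to accept it.
    $link = Join-Path $env:TEMP ('vss_' + $sc.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($sc.DeviceObject)\" | Out-Null
    try {
        $old = Join-Path $link $relPath
        if (Test-Path -LiteralPath $old) {
            $item = Get-Item -LiteralPath $old
            $dest = Join-Path $RestoreTo ('{0}_{1}' -f $stamp, (Split-Path -Leaf $FilePath))
            Copy-Item -LiteralPath $old -Destination $dest
            # Size and last-write time help spot the last copy written before the infection.
            '{0}  {1,10} bytes  last written {2}' -f $dest, $item.Length, $item.LastWriteTime
        } else {
            "Snapshot $stamp does not contain $relPath"
        }
    } finally {
        cmd /c rmdir "$link" | Out-Null   # removes only the link, never the snapshot
    }
}
```

The encrypted copy on disk is never modified; compare the recovered copies' timestamps and sizes against the first time the ransom screen appeared and keep the newest one from before that.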