
New computer virus -BEWARE-


CT4ME


A new virus is circulating that goes beyond anything done before. Google CryptoLocker for a real scare. It attacks all the data files (docs, pics, vids, music, etc.) and encrypts them. Then, it asks for a $300 ransom to get the encryption key to unlock everything. The virus also encrypts all data files on any hard drive connected to the computer... this means it will encrypt all data files on your server, or external drives. To make things worse, if your virus program finds and eliminates even part of the virus, you won't even be able to pay the ransom to get your stuff back. And worse yet, the servers that hold the encryption key may have been taken down (by authorities), so even if you pay the ransom, you may not be able to encrypt your files.

We have seen this with some of our clients, and it is real. Restoring from a backup is your only possible solution, besides avoiding it in the first place.

So far, our clients have got the virus through bogus email attachments, but it is also spreading with fake "updates" that pop up on web pages.

=-=-=- BEWARE =-=-=-=-

tim


Note that at the time of this writing, Malwarebytes and Avast antivirus are able to stop the infection before it begins. I do not know of any others.

Also, if you are in IT: create a GPO entry preventing any executables from operating from users' %appdata% directory. CryptoLocker bypasses UAC and it does not matter if you are an admin account or not.

More information for IT personnel can be found in the sysadmin subreddit:

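An added example, not code from the thread or from any poster, of one way to put the %appdata% execution block described in the post above in place. It writes Software Restriction Policy (SRP) path rules to the local policy registry keys, which is exactly what the equivalent GPO setting delivers to each domain machine. It goes beyond the post's single %appdata% rule by also covering the temp folders that archive tools extract attachments into. The key layout, value names and level numbers (0 = Disallowed, 262144 = Unrestricted) are standard SRP conventions; the extra path patterns, the rule description text and the function names are this example's own choices. Run it in an elevated PowerShell session and test on one workstation first, because some legitimate per-user installers and updaters also run from %AppData%.

```powershell
# Added example: local SRP path rules blocking executables under the user profile.
# Assumed: run as administrator; rules take effect for newly started processes
# (log off and on if a test launch is still allowed).

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Path patterns to disallow. The first two are the %appdata% rule from the post;
# the rest cover the temp folders that zip/rar tools extract attachments into.
$blockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\Temp\*.zip\*.exe',
    '%LocalAppData%\Temp\Rar*\*.exe',
    '%LocalAppData%\Temp\7z*\*.exe'
)

function Enable-SaferPolicy {
    # Turn SRP on with a default level of Unrestricted, so only the explicit
    # Disallowed rules below deny anything.
    New-Item -Path $base -Force | Out-Null
    Set-ItemProperty -Path $base -Name 'DefaultLevel'       -Value 262144 -Type DWord
    Set-ItemProperty -Path $base -Name 'TransparentEnabled' -Value 1      -Type DWord
    Set-ItemProperty -Path $base -Name 'PolicyScope'        -Value 0      -Type DWord   # all users
}

function Add-SaferDenyPath {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = 'Block execution from user profile (CryptoLocker mitigation)'
    )
    # Level 0 = Disallowed; each rule is a GUID-named subkey under <level>\Paths.
    $ruleKey = Join-Path $base ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

function Get-SaferDenyPaths {
    # Lists the Disallowed path rules currently in the local policy, for verification.
    $paths = Join-Path $base '0\Paths'
    if (-not (Test-Path $paths)) { return @() }
    Get-ChildItem -Path $paths | ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
}

Enable-SaferPolicy
$existing = @(Get-SaferDenyPaths)
foreach ($p in $blockedPaths) {
    if ($p -notin $existing) { Add-SaferDenyPath -Path $p }   # idempotent re-runs
}
Write-Host 'Disallowed path rules now in effect:'
Get-SaferDenyPaths
```

To roll the same rules out by GPO, create them under Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules; the registry keys above are what that policy writes on each client.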

> On a more serious note, I have seen these kinds of ransom malware/virus/trojans before...nasty stuff. I don't know how the FBI is not ALL over this.

They are. However, this uses untraceable payment methods such as bitcoin. Untraceable meaning the wallet codes are not linked to any identifiable information.


> They are. However, this uses untraceable payment methods such as bitcoin. Untraceable meaning the wallet codes are not linked to any identifiable information.

I get that, but it seems they could set up a computer and put the trojan on it, then see where they are supposed to send payment and start a series of warrants to trace the whole IP path. It can be done I think.


> Morden, you need to see how bitcoin works. It doesn't go directly to any IP. It is a distributed hash network.

I get that, but at some point a network transaction must occur to a Bitcoin wallet, account, or what have you, and another must occur to convert that to dollars or rubles or something. THOSE parts can be tracked, you don't have to track the Bitcoin encryption itself.


The virus is nasty and no one seems to be able to break the encryption it puts on your files, but it is not new. One site says it has been around for 30 years.

If you are seriously worried - back up off site, or to a portable hard drive and don't leave it connected after the backup, make certain your anti-virus and malware protection is kept up to date. Don't open files that come as attachments from sources you don't know (check the address of the sender - it may look legit). The virus (as far as I could find) only affects PCs and does have a signature that can be detected and stopped. (One of the things it does is modify the registry, so there are protections against it.)


Cryptolocker is new.

> I get that, but at some point a network transaction must occur to a Bitcoin wallet, account, or what have you, and another must occur to convert that to dollars or rubles or something. THOSE parts can be tracked, you don't have to track the Bitcoin encryption itself.

If you use wide open channels for it ;). Bitcoins are unregulated, so you could just sell them to someone who doesn't keep records.

> The virus is nasty and no one seems to be able to break the encryption it puts on your files, but it is not new. One site says it has been around for 30 years.
>
> If you are seriously worried - back up off site, or to a portable hard drive and don't leave it connected after the backup, make certain your anti-virus and malware protection is kept up to date. Don't open files that come as attachments from sources you don't know (check the address of the sender - it may look legit). The virus (as far as I could find) only affects PCs and does have a signature that can be detected and stopped. (One of the things it does is modify the registry, so there are protections against it.)

Cryptolocker is a month old. The encryption method used, however, hasn't been broken in its 30 year life (RSA, 2048-bit).


> Cryptolocker is new.

> If you use wide open channels for it ;). Bitcoins are unregulated, so you could just sell them to someone who doesn't keep records.

It's definitely a hard problem, but with the right warrants and subpoenas (and maybe some help from your friendly neighborhood NSA) it seems they could get to the perpetrators eventually. I'm sure the first time this trojan jacks a CIA/DIA/DoD/NSA computer with classified information on it, this will bubble to the top of the priority pile. :)


Cryptolocker comes in various forms. One of the most dangerous ones is when it compromises a system and sends itself as invoices to other companies. This has been one of the more effective vectors against businesses, because it is from people that you do know, and invoices are shared over email often.


> First rule: NEVER and that means NEVER EVER open anything in an email from a person you do not know. In fact, don't even open the email itself if you do not recognize the person in the from field, or the subject line.

About 10 years ago, because of this advice, they started using email addresses of people you DO KNOW. Between the social networks, and wholesale break-ins at the email providers (Yahoo, MSN, Hotmail, etc.) it's relatively easy to link people together. Your usual contacts are available to any virus. So, perhaps better advice is to not open any attachments that you were not expecting (regardless of person). And beware of files that claim to be documents or PDFs, but are really EXEcutable files. Often they are hidden in zip files. Beware of any email that claims to have a refund, or undelivered merchandise, or tickets, or free stuff.

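An added example, not from the thread or any poster, of the attachment check the reply above recommends: it opens a zip attachment and flags any entry that is really a Windows executable, either because its content starts with the PE 'MZ' header or because its name carries a double extension such as invoice.pdf.exe, which Explorer shows as invoice.pdf when known extensions are hidden. The function name, the extension lists and the sample archive it builds in %TEMP% are constructed for the demonstration; everything else is standard .NET zip handling available in Windows PowerShell 5 and later.

```powershell
# Added example: scan a zip attachment for disguised executables before anyone opens it.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions Windows will execute directly, and document types commonly spoofed (assumed lists).
$execExtPattern   = '\.(exe|scr|com|pif|bat|cmd|js|vbs|wsf)$'
$doubleExtPattern = '\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|com|pif|bat|cmd|js|vbs|wsf)$'

function Test-SuspiciousArchive {
    param([Parameter(Mandatory)][string]$ZipPath)
    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Length -eq 0) { continue }            # directory or empty entry
            # Read only the first two bytes: 'MZ' (0x4D 0x5A) marks a PE executable
            # regardless of what the file name claims.
            $buf = New-Object byte[] 2
            $n = 0
            $stream = $entry.Open()
            try {
                while ($n -lt 2) {
                    $r = $stream.Read($buf, $n, 2 - $n)
                    if ($r -le 0) { break }
                    $n += $r
                }
            } finally { $stream.Dispose() }
            $isPE      = ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
            $doubleExt = $entry.Name -match $doubleExtPattern   # -match is case-insensitive
            $execExt   = $entry.Name -match $execExtPattern
            if ($isPE -or $doubleExt -or $execExt) {
                $findings += [pscustomobject]@{
                    Entry           = $entry.FullName
                    IsPE            = $isPE
                    DoubleExtension = $doubleExt
                    ExecutableExt   = $execExt
                }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Constructed sample: a benign text file plus a fake "invoice.pdf.exe" whose first
# bytes are the PE header, zipped together the way a malicious attachment would be.
$tmp = Join-Path $env:TEMP 'attachment-demo'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
Set-Content -Path (Join-Path $tmp 'readme.txt') -Value 'hello'
[IO.File]::WriteAllBytes((Join-Path $tmp 'invoice.pdf.exe'), [byte[]](0x4D, 0x5A, 0x90, 0x00))
$zipPath = Join-Path $env:TEMP 'attachment-demo.zip'
if (Test-Path $zipPath) { Remove-Item $zipPath }
[System.IO.Compression.ZipFile]::CreateFromDirectory($tmp, $zipPath)

# Expected: one finding for invoice.pdf.exe with all three flags set; readme.txt is not listed.
Test-SuspiciousArchive -ZipPath $zipPath | Format-Table -AutoSize
```

The header check is the one that matters: renaming a PE file to .pdf or .scr does not change its first two bytes, so a mail gateway or help-desk script that strips or quarantines on IsPE catches the disguise the reply describes even when the name passes the extension tests.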
