Jump to content

Just hit by CryptoLocker


MrWrighty
 Share

Recommended Posts

One of our users opened an email supposedly containing a voicemail but was in fact and executable.

 

He says it did not run it, but this morning a different user was unable to open a range of .doc and .xls files in a mapped drive. I managed to restore the folder from a shadow copy.

 

It turns out that the original user had unleashed CyrptoLocker on the network and a random named bitmap I found on his desktop informed me of what had happened.

 

His laptop has had a large number of malicious hits and Eset has picked them up, but I am concerned as to how easy it was for this CrtyptoLocker to run and effectively avoid detection.

 

The Laptop is running version 5.0.2126 of Eset AntiVirus

Link to comment
Share on other sites

If the threat came down in an email, was the user utilizing a software mail client like Outlook?

I would check that Eset is setup to monitor mail traffic and the plug in is loaded in the mail client.

I am pretty sure Eset would have caught and flagged this ransomware if it was email or attachment and plug in loaded with definitions up to date.

Is your version 5 a valid license ? I would strongly recommend upgrading to a stricter version 7

If yer sub is good you should have up to date definitions.

I would suspect if it got thru the mail client , and hopped to a network drive, im not sure if ESET would be watching that mapped drive as closely as your own system.

The hosted server should of caught it at that point.

Server have Eset endpoint installed ?

Edited by Arakasi
Link to comment
Share on other sites

Mr wrighty ; another thread for you :

https://forum.eset.com/topic/1085-files-corrupted-by-unidentified-virus-server-protected-with-nod32/

Last post suggests a policy edit.

I know most large networks with exchange block archives and exes in mail.

May be something to look into.

Link to comment
Share on other sites

Hi All thanks for the update

 

We have a current subscription and our Virus signatures are updated 3 or 4 times a day. Marcos, the damage I believe happen on Friday last week so yesterday would have been too late.

 

We Have Eset Endpoint AV on the clients and Eset Endpoint File Server Security on our SBS2011 server and our Server 2003 SQL Server.

 

The treat came via an email through Outlook 2010. Outlook has the Eset plugin installed and running, and Eset.

 

Arakasi, what is this version 7 you mention, Eset only goes to 5.0.2214

Link to comment
Share on other sites

Hello MrWrighty

 

It was a tiny "slip" from Arakasi :-)). Version 7 belong to home editions, and you are right, Version 5.0.2214 is the latest in Eset endpoint security.

 

Regards, Janus

Edited by Janus
Link to comment
Share on other sites

  • ESET Insiders

@MrWrighty

 

 

Without access to logs I can not claim this, but - I *think* that an e-mail contained just a link, customer clicked on the link which opened web page with Java exploit that allows download and execution of .exe file; that exe encrypted files (could be any of dozens of perfectly legal utilities); it could also download an additional .exe which overwrote original documents (again, this could be one of hundreds perfectly legal tools for secure deleting files).

 

So *i believe* there was no malware in game at all - just plain old application-exploit attack, which IMHO usually have the nastiest payload than malware. Should other types of security software be as effective as antivirus, it would be much prettier world :-)

 

Maybe you could check browser history and/or logs, mail logs, etc. for further details.

Upgrade Java, all browsers and applications!

 

 

Tomo

Link to comment
Share on other sites

@MrWrighty

 

 

Without access to logs I can not claim this, but - I *think* that an e-mail contained just a link, customer clicked on the link which opened web page with Java exploit that allows download and execution of .exe file; that exe encrypted files (could be any of dozens of perfectly legal utilities); it could also download an additional .exe which overwrote original documents (again, this could be one of hundreds perfectly legal tools for secure deleting files).

 

So *i believe* there was no malware in game at all - just plain old application-exploit attack, which IMHO usually have the nastiest payload than malware. Should other types of security software be as effective as antivirus, it would be much prettier world :-)

 

Maybe you could check browser history and/or logs, mail logs, etc. for further details.

Upgrade Java, all browsers and applications!

 

 

Tomo

As far as I can tell, it was an email that supposedly contained a voicemail which was zipped, then the user clicked on the content thinking they were going to listen to a voicemail but instead ran the exe.

 

I have implemented the Group Policy Exe lockdown as suggested by Arakasi to see if that helps.

Link to comment
Share on other sites

  • Administrators

Marcos, the damage I believe happen on Friday last week so yesterday would have been too late.

 

I was referring to the latest variant spammed under the name voice*.exe. It was blocked within a few minutes after it was first reported via LiveGrid, long before other AVs did.

A detection for another Voice_Mail_Message.exe variant was added in update 8935 (20131018), released on Friday, 12:35 CET. The best would be if we could get the file from your quarantine to find out when the detection was exactly added and when ESET's products started blocking it.

Link to comment
Share on other sites

Live grid is awesome.

" ...before other AV's did" :lol:

 

I just manually cleaned this exact virus off a clients computer today !

Very easy to remove.

 

Recovering the data..... not so easy haha

*They had backups though.

 

Backup, backup, backup ...... or else .....

Edited by Arakasi
Link to comment
Share on other sites

hxxp://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

 

info on cryptolocker from bleeping computer

 

more info on the virus here lots lots lots lots lots lots more for eset hxxp://www.reddit.com/r/sysadmin/comments/1mizfx/proper_care_feeding_of_your_cryptolocker/

Edited by DGMurdockIII
Link to comment
Share on other sites

The odd thing about the CryptoLocker experiences described here is that no one has reported that CryptoLocker is a virus (maybe I should use a broader term) that encrypts a large variety of documents AND offers to decrypt the documents after payment.

My information source is the Windows Secrets Newsletter (to which I subscribe), Thursday 24 October 2013, in an article by Susan Bradley (a regular contributor to the newsletter).  But the article is available at Windows Secrets Lounge, where it can be read (and probably downloaded or at least copied) by Windows Secrets subscribers and by anyone else, at:
hxxp://windowssecrets.com/top-story/cryptolocker-a-particularly-pernicious-virus/

Ms. Bradley's judgment is that "AV software probably won't protect you."  She then lists a set of actions to reduce the risk, probably with at least some information overlap with the links given here in the preceding post.

I am following her suggestion to backup data frequently, to an external disk that is not connected to my computer, except when receiving backups (and, I would add, internet access is temporarily turned off, so new malicious emails can't arrive during the backup).  I'm doing daily backups.

My next step is to prevent Windows7 from automatically opening zip files.  I don't think I have any other zip-opening programs on my computer, but I will do a search for famous programs such as WinZip.

Ms. Bradley reports that "Some users have paid the ransom and, surprisingly, were given the keys to their data. (Not completely surprising; returning encrypted files to their owners might encourage others to pay the ransom.) This is, obviously, a risky option. But if it's the only way you might get your data restored, use a prepaid debit card — not your personal credit card. You don't want to add the insult of identity theft to the injury of data loss."

In my opinion, her article is worth reading, as are the sources in the preceding post.

I am running Eset NOD32 v6.0.316.0.  I hope that Eset's new v7.x will be able to deal with CryptoLocker.  Preventing encryption might be one way to do it --- but that's just a guess by someone (me) who is not a computer programmer.

R.N. (Roger) Folsom
 

Link to comment
Share on other sites

Roger. Its good that your interested.

Backing up data is paramount these days.

Offsite backup or cloud back up are best options.

Here is a quick rule of thumb on defense. You can encrypt your drive yourself using bitlocker or a third party like truecrypt or my personal favorite Pointsec.

If your data is already encryted, the cryptolocker wont be able to encrypt over the top.

As far as software defensive , Eset will detect and block certain variants of cryptolocker already.

Afaik the carrier method by email or website thats common is a flag, usually jscript is involved and the method of delivering the payload is also blocked by Eset.

I think im on par but please wait for an official response from ESET on the defense against crypto in their product.

:)

You must have up to date definitions, an expired lincense will not be up to date.

Edited by Arakasi
Link to comment
Share on other sites

  • ESET Moderators

Hello,

Here is the write-up on the most prevalent version of Cryptolocker (or at least, what was the most prevalent version as of a few days ago--I haven't checked to see what the latest stats are):

ESET Virus Radar - Win32/FileCoder.BQ Description

There have also been several recent posts about CryptoLocker and ransomware in general on ESET's We Live Security blog:

New ransomware uses webcam and Homeland Security threat to scare victims

Remote Desktop (RDP) Hacking 101: I can see your desktop from here!

Filecoder: Holding your data to ransom

Nymaim: Browsing for trouble

Don’t pay up! How to avoid ransomware threats – and how to fight back

These should help with both general aware of this class of threat, as well specific information about malware family in question.

Ms. Bradley (aka "Mom") is correct in that Cryptolocker is not a virus (e.g., a recursively-replicating program that can create a (possibly evolved) copy of itself), but rather it is broadly categorized as a trojan horse (or simply "trojan," for short, these days) with a subclassification as ransomware. These days, perhaps around 10% (or slightly less) of the malware anti-malware companies see on a daily basis is actually viral in nature. The majority are various kinds of trojans, and that is something that anti-malware software does protect against. However, the criminals behind these ransomware schemes are diligent about updating their malicious code to avoid detection, so the race is always on, as my colleague Marcos noted, to update anti-malware software to protect against this class of threats.

Interestingly enough, ransomware is not a particularly new scheme, but rather a very old one dating back to the earliest days of computer viruses, worms and trojans--the late 1980s--and I actually wrote up a bit about my experience with the the very first piece of ransomware, the AIDS Introductory Information Trojan House, which occurred in 1989, here (PDF, 980KB), starting around page 5.

It sounds like your precautions are reasonable, especially with regards to backups, however, I'd just like to provide a reminder that you should periodically test backups by restoring some (or even all) data, preferably to a different machine, in order to verify they work. For more information, well, we also happen to have a paper (PDF, 861KB) on backups, too.

Regards,

Aryeh Goretsky

The odd thing about the CryptoLocker experiences described here is that no one has reported that CryptoLocker is a virus (maybe I should use a broader term) that encrypts a large variety of documents AND offers to decrypt the documents after payment.

My information source is the Windows Secrets Newsletter (to which I subscribe), Thursday 24 October 2013, in an article by Susan Bradley (a regular contributor to the newsletter).  But the article is available at Windows Secrets Lounge, where it can be read (and probably downloaded or at least copied) by Windows Secrets subscribers and by anyone else, at:

hxxp://windowssecrets.com/top-story/cryptolocker-a-particularly-pernicious-virus/

Ms. Bradley's judgment is that "AV software probably won't protect you."  She then lists a set of actions to reduce the risk, probably with at least some information overlap with the links given here in the preceding post.

I am following her suggestion to backup data frequently, to an external disk that is not connected to my computer, except when receiving backups (and, I would add, internet access is temporarily turned off, so new malicious emails can't arrive during the backup).  I'm doing daily backups.

My next step is to prevent Windows7 from automatically opening zip files.  I don't think I have any other zip-opening programs on my computer, but I will do a search for famous programs such as WinZip.

Ms. Bradley reports that "Some users have paid the ransom and, surprisingly, were given the keys to their data. (Not completely surprising; returning encrypted files to their owners might encourage others to pay the ransom.) This is, obviously, a risky option. But if it's the only way you might get your data restored, use a prepaid debit card — not your personal credit card. You don't want to add the insult of identity theft to the injury of data loss."

In my opinion, her article is worth reading, as are the sources in the preceding post.

I am running Eset NOD32 v6.0.316.0.  I hope that Eset's new v7.x will be able to deal with CryptoLocker.  Preventing encryption might be one way to do it --- but that's just a guess by someone (me) who is not a computer programmer.

R.N. (Roger) Folsom

Link to comment
Share on other sites

Apparently you can just use EFS on some of your more important docs and put the key somewhere else and be shielded from crypto.

You could turn this on and off at will when checking emails if according to US Cert its the majority attack vector.

 

:)

Link to comment
Share on other sites

However, Sandboxie, our old friend Sandboxie, is effective in containing CryptoLocker. It's been verified that, if you were to put your email client and your web browser in Sandboxie, if you were to Sandboxie those two things, and we've talked about - we did a podcast on Sandboxie [sN-172]. Anybody could, like, google "Sandboxie Security Now!," I'm sure you'll find it, or go to GRC.com/sn, and I've got a search field that I pay Google handsomely for, and put Sandboxie in, and you'll find the podcast where we explain it. What happens is, if you get a CryptoLocker infection through email or web browsing, and you have employed Sandboxie, then an encrypted copy of your files are created in the sandbox, but nothing gets out of the sandbox. So your original files are all fine. And all you do is empty the sandbox, and CryptoLocker and all of its damage it tried to do is gone.

Link to comment
Share on other sites

Please see: ESET KB hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3433 Does ESET protect me from Filecoder (CryptoLocker) malware?
And: hxxp://www.virusradar.com/en/Win32_Filecoder.BQ/description

ESET is constantly updating it's virus signature database on emerging threats. 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...