Beware cryptolocker

One of my coworkers managed to get bit by this virus. It's a particularly nasty one. It encrypts your files on your computer and any attached drives, whether USB, network, or elsewhere, and then pops up a notice demanding payment of about $300 to decrypt your files. It's relatively new, about two to three weeks in the wild, I expect it'll hit the mainstream news outlets over the next two weeks if it isn't more aggressively managed by the virus scanning companies.

Don't open attachments in email that you aren't expecting, even if they're from people or companies you trust.
Do run a virus scanner and keep it up to date.
Do backup your important files weekly, and detach the backup drive from your computer when it's not actively backing up.

Getting infected is trivial these days, and virus scanning solutions don't always keep up. The infected computer here is running a good virus scanner that's up to date, and it wasn't able to stop or clean the infection. His email was something about payroll. Others report they were infected by an email about package tracking.

So backup, backup, backup.

It's not a matter of if you get infected, but when.
 
I like this one security professional's quote, "If you haven't got a backup and you get hit by crypto locker, you may as well have dropped your PC over the side of a bridge."
 
Dear god I hope no one around here gets hit by that. I'm sure we have backups of our main database, but there are some programs that scatter data all over the place and if that data isn't backed up, and we lose it, we may as well shut the shop's doors and send everyone home for a fortnight or two. On the plus side, our email system's spam blocker is, if anything, a little too zealous in its inclusions. On the other hand, a lot of our staff are, well, dumb.
 
Don't you work in a place where people really should know better?
 

GasBandit

Staff member
Everyone in my organization has virus protection, and our e-mail system is now on google apps which catches about 99% of bad stuff like this (and even some that isn't bad, unfortunately).

Man, though... I hate that guy's voice. Whimpery, mumbly, not-the-good-kind-of-limey-accent accent.
 
Don't you work in a place where people really should know better?
Heh... not really. I'm uh... not on contract to Microsoft anymore. I work for a commercial cabinetry shop. Sure, the drafters are fairly smart when it comes to computers, but the rest of the company? Not so much.
 
The people who invented this thing should be punched in the face and kicked in the nads. Or punched in the nads and kicked in the face, that works too.
 
Eh, I'm not fussed. My commute is much better now, the company is more laid back, the job more challenging, and I'm getting paid about $12k more per year.
 

Dave

Staff member
All of my games are either Steam or physically available. All of my music is in the cloud, as is all of my really important files. Bring it, crypto-bitch!
 
So you're in the clear...as long as some idiot at the cloud storage place doesn't open the wrong email.

Whoops!

--Patrick
 

Dave

Staff member
Oh, it's on the cloud AND stored locally. It would have to be a major catastrophe, my friend.
 

figmentPez

Staff member
This would probably screw over all my files on dropbox, wouldn't it? I should really make some real backups of important stuff.
 

GasBandit

Staff member
Oh, it's on the cloud AND stored locally. It would have to be a major catastrophe, my friend.
Don't such services automatically update the other when the one gets a newer time stamp? I know dropbox does. It wouldn't know an encrypted file to be damaging in and of itself - it'd just overwrite the cloud-stored version with your "updated" local copy.
 
Most cloud backup and storage services have versioning, I think. I know both dropbox and carbonite do.

 
This would probably screw over all my files on dropbox, wouldn't it? I should really make some real backups of important stuff.
It would, but as others have mentioned, dropbox keeps several of your past revisions for each file, so you can probably recover from it. I don't recall if the free dropbox account has this feature though, or how many recent revisions of each file it'll hold onto.
 

figmentPez

Staff member
Yes, apparently the free version does have this feature. I did not know that, nor is it obvious how to find it. (Right clicking on a file gives the "view previous versions" command.) The script I'm working on for my college's evening of short plays has 16 previous versions available, over the past month. I don't know how much that is limited by time, storage space, or anything, but it is available.
 

Zappit

Staff member
This thing is coming in via Zip files and e-mail attachments. Thank god I have very, very little use for either. Thank god even more that my family has even less use for them.
 
So just had to remove this from my father-in-law's computer. I found this guide to be very helpful.

Unfortunately we will never be able to recover the encrypted files. Fortunately, since his computer is an older laptop, it was noticeably limited as to the speed with which it could encrypt his files, and so while he lost 138 files in total, the majority of them were things like Excel template files, images in help directories, default JPGs in other accounts, etc. Still, there were about 60-70 .PDFs and other files he will never see again because he couldn't afford to pay the $500 ransom (the price has apparently gone up since the infection first appeared).

He also had quite a number of other malware applications installed (about 70 total!), including a rootkit enabling remote installation of software (and preventing deletion of its files/registry entries), so I can't automatically blame him for cryptolocker's appearance, however he's gonna have to change all his passwords now and also change some of his computer habits. I'm just sorry I can't bill him at the going rate for the 6 hours it took me to sanitize his machine. Not because I don't think he deserves it, but because I know I'll never see it, and to be honest I'd feel a bit like the ransomware guys myself if I tried to do it.

--Patrick
 
Aaaand it's gone.

http://arstechnica.com/security/2014/08/whitehats-recover-victims-keys-to-cryptolocker-ransomware/
Through a partnership that included researchers from FOX-IT and FireEye, researchers managed to recover the private encryption keys that CryptoLocker uses to lock victims' personal computer files until they pay a $300 ransom. They also reverse engineered the binary code at the heart of the malicious program. The result: a [free] website that allows victims to recover the key for their individual content.
--Patrick
 
Just a reminder that copycats have sprung up, and the malware writers are getting more competent at what they do, and that there are now at least 4 different varieties of this out there.

Back up early, back up often, test integrity of backups, don't open strange attachments on autopilot, and most of all be extremely choosy about who you allow to use your computer when you're not around.

--Patrick
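The two points made in the posts above, that a sync client will happily push an encrypted local copy over the cloud copy unless the service keeps past revisions, and that a backup is only worth something if you test its integrity, as an added Python model. This is not code from the thread and not Dropbox's, Carbonite's or any vendor's API: VersionedStore, toy_encrypt, the manifest helpers and the sample documents are all constructed stand-ins for the demo.

```python
import hashlib
import math
from collections import defaultdict


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for the ransomware's file encryption: XOR with a
    SHA-256-chained keystream. Good enough to make files unreadable and
    high-entropy; it is NOT the real malware's RSA/AES scheme."""
    stream, block = bytearray(), key
    while len(stream) < len(data):
        block = hashlib.sha256(block).digest()
        stream.extend(block)
    return bytes(a ^ b for a, b in zip(data, stream))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for encrypted data."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class VersionedStore:
    """Model of a sync service that keeps the last `max_versions` revisions of
    each path. max_versions=1 is a plain mirror: the newest local copy, whatever
    it contains, always replaces the cloud copy."""

    def __init__(self, max_versions: int = 1):
        self.max_versions = max_versions
        self._history = defaultdict(list)  # path -> revisions, oldest first

    def sync(self, path: str, data: bytes) -> None:
        revs = self._history[path]
        revs.append(data)
        del revs[:-self.max_versions]  # prune anything beyond the retention window

    def current(self, path: str) -> bytes:
        return self._history[path][-1]

    def rollback(self, path: str, steps: int = 1) -> bytes:
        """Reinstate the copy `steps` revisions back; fails if it was pruned."""
        revs = self._history[path]
        if steps >= len(revs):
            raise LookupError(f"{path}: only {len(revs)} revision(s) retained")
        self.sync(path, revs[-1 - steps])
        return self.current(path)


def make_manifest(files: dict) -> dict:
    """path -> SHA-256 of the known-good content; store this OFF the machine."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}


def verify_backup(files: dict, manifest: dict, entropy_limit: float = 7.5) -> dict:
    """Return {path: reason} for every file that fails the integrity check.
    The entropy test is a heuristic for 'the backup itself was taken after the
    files were encrypted'; tune or skip it for archives and media, which are
    legitimately high-entropy."""
    problems = {}
    for path, digest in manifest.items():
        data = files.get(path)
        if data is None:
            problems[path] = "missing"
        elif hashlib.sha256(data).hexdigest() != digest:
            problems[path] = "hash mismatch"
        elif shannon_entropy(data) > entropy_limit:
            problems[path] = "looks encrypted"
    return problems


def demo(max_versions: int) -> dict:
    """Clean sync, then infection, then verify and try to roll back."""
    # Constructed sample documents, long enough for a stable entropy estimate.
    docs = {
        "payroll.xlsx": b"employee,hours,rate\n" + b"alice,40,31.50\nbob,38,29.00\n" * 200,
        "play_script.txt": b"ACT I. A bare stage. Two chairs.\n" * 120,
    }
    manifest = make_manifest(docs)  # taken before infection, kept detached
    cloud = VersionedStore(max_versions)
    for path, data in docs.items():
        cloud.sync(path, data)
    # Infection: every local file is rewritten and the client dutifully syncs it.
    key = b"constructed-demo-key"
    for path, data in docs.items():
        cloud.sync(path, toy_encrypt(data, key))
    problems = verify_backup({p: cloud.current(p) for p in docs}, manifest)
    recovered = {}
    for path in problems:
        try:
            recovered[path] = cloud.rollback(path) == docs[path]
        except LookupError:
            recovered[path] = False
    return {"problems": problems, "recovered": recovered}


if __name__ == "__main__":
    print("mirror only:", demo(1))
    print("5 versions: ", demo(5))
```

With a one-revision mirror every file shows "hash mismatch" and nothing can be rolled back, which is the overwrite case described above; with revisions retained the same check passes after rollback. The manifest only helps if it was made before the infection, which is why the entropy heuristic is there as a second opinion on a backup that verifies "clean" against a manifest taken too late.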
 
Another necro to remind anyone who hasn't yet heard about the newest threat, dubbed "WCry," that has become such a threat that Microsoft has even released patches for its discontinued OSes in order to help thwart it.

Basically if you have SMBv1 still enabled on your computer, you're probably gonna get it. Windows 10 users are not affected. Protection measures include blocking certain ports at your firewall if you still have vulnerable machines on your network.

--Patrick
 
And they found that the biggest vector was actually Win7-64 machines, not WinXP as originally thought.
How much longer until XP becomes the most secure OS just because modern 64-bit malware won't run on it? Security through obsolescence.

--Patrick
 