Don't get this virus vCryptolocker

Cliffs: virus encrypts *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ???.jpg, ???.jpe, img_.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c, *.pdf, *.tif, and you can’t recover the key; the only way to decrypt is to pay $300

http://computertutorflorida.com/2013/09/cryptolocker-ransomware-means-changes-to-our-backup-process/

too late

Depending on the dropper this could stop it

"to block this infection from running on other computers on your computer.

You can use Software Restriction Policies to block executables from running when they are located in the %AppData% folder, or any other folder, which this thing launches from. See these articles from MS:

http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx

This can also be set up in group policy.

File paths of the infection are:

C:\Users\User\AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe (Vista/7/8)
C:\Documents and Settings\User\Application Data\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe

So the path rule you want to setup is:

Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables from AppData.

With the bundling of Zbot with Cryptolocker, it is now also recommend that you create a rule to block executables running from a subfolder of %AppData%. This can be done with this path rule:

Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don’t allow executables from immediate subfolders of AppData.
"
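To see which files those two path rules actually catch, and which they miss, here is an added Python example that is not part of the thread or the quoted guidance. It assumes %AppData% resolves to C:\Users\User\AppData\Roaming and that the SRP `*` wildcard does not cross a backslash (which is why the guidance needs a second rule for subfolders); the sample paths are constructed.

```python
import re

# Assumption: where %AppData% resolves on Vista+ (Roaming, not Local).
APPDATA = r"C:\Users\User\AppData\Roaming"

# The two path rules from the guidance above; both are "Disallowed".
RULES = [r"%AppData%\*.exe", r"%AppData%\*\*.exe"]


def rule_to_regex(rule: str) -> re.Pattern:
    """Expand %AppData% and turn an SRP-style path rule into a regex.

    Assumption: '*' matches within one path component only, so it never
    spans a backslash. That is the reading under which rule 1 covers
    %AppData% itself and rule 2 covers exactly one level of subfolder.
    """
    expanded = rule.replace("%AppData%", APPDATA)
    parts = [re.escape(p).replace(r"\*", r"[^\\]*") for p in expanded.split("\\")]
    return re.compile("^" + r"\\".join(parts) + "$", re.IGNORECASE)


def matching_rule(path: str):
    """Return the first rule that matches `path`, or None if nothing blocks it."""
    for rule in RULES:
        if rule_to_regex(rule).match(path):
            return rule
    return None


def is_blocked(path: str) -> bool:
    return matching_rule(path) is not None


if __name__ == "__main__":
    # Constructed sample paths: the dropper location quoted in the thread,
    # a Zbot-style subfolder, an AppData\Local path, and a deeper nesting.
    samples = [
        r"C:\Users\User\AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe",
        r"C:\Users\User\AppData\Roaming\zbot\evil.exe",
        r"C:\Users\User\AppData\Local\Temp\evil.exe",
        r"C:\Users\User\AppData\Roaming\a\b\evil.exe",
        r"C:\Users\User\AppData\Roaming\notes.txt",
    ]
    for p in samples:
        print("BLOCKED by " + matching_rule(p) if is_blocked(p) else "ALLOWED  ", p)
```

The last three samples show the gaps the thread goes on to mention: AppData\Local and anything nested more than one folder deep are not covered by these two rules.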

Good info… surprised it uses the same GUID all the time.

If you get this you’re best off paying the $300 then disputing the charge with your CC company.

Also keep in mind %AppData% variable directs to C:\<blahblahblah>\AppData\Roaming in Vista+. I’ve seen a few different viruses operate in AppData\Local as well.

Time to make a quick backup of my source and unplug my external drive before one of the geniuses over in support opens some random email attachment.

I just read through this… Sent info to privacy and security to look at. Good idea to restrict through GPO, as I can’t think of any applications that require %appdata% as a file path for executables.

On the downside you could probably do all this in memory and avoid that application folder entirely.

PS: PowerShell is the greatest thing to help hackers in a long time.

GPO in place and email sent out:

There have been some recent findings on a new virus making its rounds to PCs. The virus is called CryptoLocker and is classified as “Ransomware”. This particular virus will encrypt almost all files on a computer and make them inaccessible to you unless a Ransom is paid (ransom varies between $100 and $300). If you don’t pay the ransom, the files are irrecoverable and lost forever.

As always you should make backups of your important files. There are numerous online backup sites like DropBox, Microsoft SkyDrive, Box, Carbonite, etc. You can also purchase physical media for backups such as USB Flash drives or Hard drives.

Please make sure you check your emails carefully, especially ones with attachments. Verify that you know the sender and are expecting an email that may contain an attachment. If the email looks suspicious and/or contains a ZIP file attachment, please use extra caution. If you’re unsure of an email please contact the Helpdesk (Helpdesk@*) for assistance before you open it.

You should (hopefully) be able to use http://www.shadowexplorer.com/ to recover any files it encrypts (if you have Previous Versions enabled).

We have VSS on our shared folders.

You’re going to give a miscreant your credit card number? Have fun with that…


I wonder if you could capture the key by running a pcap on a freshly infected machine. If it pulls it down from C&C, it’s plausible.

Either way, we’re not fucking with that. We are recovering from snapshots and mounting read-only until this mess is under control.

BTW, if anyone reputable wants some samples, hit me up. We had a second round of messages come through this morning and I am currently working on getting my hands on the binary. Luckily Forefront is swallowing some of them up from today, but we’re pulling them down from the quarantine folder there now.

^What A/V?

Mostly McAfee (we’re in the middle of migrating to Symantec)… Also have spoken with another reputable university that is a large McAfee shop and they got hosed.

Any stories of this seriously messing up a company/university?

I work for Duke University Medical Center…

Do you even fucking read? lol

You pay with Green Dot - MoneyPak

Another alternate method is paying then telling greendot the wrong person redeemed the money

yeah good point, just being snarky… but still, your credit card company isn’t likely to take kindly to your request seeing as how you really did authorize the payment… Worth a shot I suppose.

Just got done looking at today’s binary. New signature, same behavior…

This is public key encryption.

If the key pair is generated on the server and the public key is sent and used to encrypt, you can only decrypt with the private key on the server, which is never transferred to the infected machine.