Fiendish CryptoLocker ransomware: Whatever you do, don't PAY

A fiendishly nasty strain of Windows malware that uses advanced encryption to lock up user files before demanding a ransom is doing the rounds. CryptoLocker, which first surfaced early last month, leaves users in danger of losing important files forever unless they pay up. Typically the crooks relieve them of around $300 (£185 …

COMMENTS

This topic is closed for new posts.


  1. Tezfair

    Already seen this

    Customer on Tuesday was sending files over saying they were unreadable so I restored them from a backup and sent them back. Few hours later, more bad files so I looked at their shared drive. 25Gb of unreadable files. Ouch.

    At the time it didn't make sense, I could restore to an alternative location and they were readable, but as soon as they were put into the shared drive they were corrupt.

    Few hours later I get a phone call from a staff member that 'had something on her screen the night before and ignored it'. Well, sh*t, you just wiped out all the data (yes, AV was everywhere, but it didn't see it)

    You can't kill this virus in normal ways. If you try and end task, it says 'I'll be back', and there's other kernel errors. I was fortunate that she was using a VM'ed desktop so I was able to roll it back and then restore a previous 'previous' backup as the backups backed up the corrupt files.

    Very messy. Seriously changed my view on viruses and backup routines.

    1. Anonymous Coward

      Re: Already seen this

      "I was fortunate that she was using a VM'ed desktop so I was able to roll it back and then restore a previous 'previous' backup as the backups backed up the corrupt files."

      This person is at least doing things partly right. Good on them.

    2. LarsG

      Re: Already seen this

      I've had the HMRC emails, around 7 of them and it was only because of the spelling mistakes I realised they were dodgy.

      1. Ivan Headache

        Re: Already seen this

        Had them here too, and the Companies House ones. Haven't had one for about 2 weeks though.

        This week it's been MMS messages into several email accounts - purporting to be from T-Mobile.

        1. Peter2 Silver badge

          Re: Already seen this

          >"You can't kill this virus in normal ways."

          So, it manages to run despite having a software restriction policy in place preventing any vaguely executable code from running outside of program files or authorised network shares?

          I've been receiving the Companies House emails regularly. I've had a few users run them with nothing more harmful than the standard SRP prohibited text since Outlook opens attachments in a temp directory, which is not in Program Files, so it doesn't run and I'm safe despite the users.

          Anti virus software is not enough. Stick yourself in a basic SRP and your virus issues will vanish overnight because the users can't run the bloody things if they try.

          Secondly, get yourself a copy of Sysinternals from the Microsoft website and use Process Explorer instead of Task Manager and PSKILL to kill things instead of the "end task" button in Task Manager. If you want malware dead, don't allow it to gracefully close through a Task Manager request to close. That's just letting it run more instructions. Figure out where the file and all its dependencies are from Process Explorer and then either suspend or terminate it. Take a hash of the file to stick in a network-wide SRP GPO that denies it the ability to run. Zip a copy of the file and email it to your AV vendor. Now you're done and you can delete it.

          1. Anonymous Coward

            Re: Already seen this

            "Anti virus software is not enough."

            Neither is running Windows. Seriously, this security swiss cheese of an operating system really has had its day. It's time for it to be booted out of the corporate world for good and leave it to muppets at home to update their Facebook status with or vomit up some more banalities on Twitter because frankly that's all it's good for.

            1. Peter2 Silver badge

              Re: Already seen this

              Windows only has security like swiss cheese because most people don't secure it competently. Most people are in total ignorance of what you can do to secure Windows, which is a lot when you break open the Group Policy editor and apply permissions sensibly through security groups.

              The problem is that people just don't use those features and use it out of the box, usually running everybody as a local admin just to make sure that no security things get in the way of them downloading stuff.

              Given that the same people doing this would be deploying any other solution I don't have any great degree of confidence that any of those competing solutions would fare better security wise with a bunch of morons running as root.

    3. Anonymous Coward

      Re: Already seen this

      Ah - but have you already seen the money-grabbing virus that will send you an unencrypted photo of Miley Cyrus' bare bum if you don't pay 50p to the author?

      Where will it all end?

  2. Anonymous Coward

    It encrypts .doc, .dwg etc

    So what? In the corporate world those files should be held in some kind of version control and backed up. So at worst you lose a day's work. Network shares? Same thing. They should not be the master, they should be the published version of a document under proper control (also, users don't need write access to *everything*). As for local files that are being worked on; well, those are backed up as well aren't they?

    And why the HELL do people open an attachment without first scanning it? When coming in from outside, open it on a machine which has actual work files on it. Are they totally mentally deficient? Run Outlook in a separate VM. Problem solved.

    If you are following good procedures, CryptoLocker is minimal risk and the main annoyance will be downtime as the PC is re-imaged. If you are affected by CryptoLocker and want someone to blame, look in the mirror.

    Then call MS and ask them why their software is so shit.

    I can see this being a serious worry for home users. Top-tip: stop opening random files.

    1. TkH11

      Re: It encrypts .doc, .dwg etc

      How naive can you get?! Obviously never worked for a large corporation then. The idea that they do things properly always is just naivety. Release documents will (should) be in a document management system, but there are always many documents which are not.

      1. Anonymous Coward

        Re: It encrypts .doc, .dwg etc

        "Obviously never worked for a large corporation then."

        Wrong.

        "Release documents will (should) be in a document management system, but there are always many documents which are not."

        Then they breach compliance, fail audits and lose contracts. Simple. A version control system is a piece of piss to deploy. Back-ups are basic common sense. There is no excuse, not a one.

        1. JLV

          Re: It encrypts .doc, .dwg etc

          >A version control system is a piece of piss to deploy.

          Is a version control system really the tech to use for binary files, such as docs and xls?

          I seem to recall git gets binaries, but doesn't something like Subversion just store an entire binary file every time there is a change, unlike text files?

          Honest question icon needed.

          1. This post has been deleted by its author

          2. Anonymous Coward

            Re: It encrypts .doc, .dwg etc

            "Is a version control system really the tech to use for a binary files, such as docs and xls?"

            Yes. There are products from the more code-orientated (e.g. GIT) which wouldn't be best, I grant you. Through to the middle-weights (e.g. Alfresco). Then the big boys (e.g. Documentum). If you are an SME, you won't be going to the latter. But one of the former may fit the bill.

        2. Anonymous Coward

          Re: It encrypts .doc, .dwg etc

          > Then they breach compliance, fail audits and lose contracts. Simple.

          Methinks you have a lot to learn, my dear fellow.

    2. Anonymous Coward

      Reality check

      And what about the SMEs, who have lots to lose and are unlikely to have the budget for enterprise level procedures?

      1. Anonymous Coward

        Re: Reality check

        "And what about the SMEs, who have lots to lose and are unlikely to have the budget for enterprise level procedures?"

        It's not "enterprise level procedures" it's common sense. Off-site, redundant servers and mobile disaster servers are "enterprise level" but I never mentioned the like; did I?

        If the SMEs are running so close to the wire that they cannot provision for a HDD failure or a server blowing, then they are already running on borrowed time. This new virus has less impact than either of those and yet the exact same procedures mitigate against it.

    3. Anonymous Coward

      Re: It encrypts .doc, .dwg etc

      Sure, can we have a couple more petabytes of storage please, oh and backup drives for those, oh let's not forget months' worth of tapes, plus archives, oh a few hundred gig of extra bandwidth while we're at it.

      thanks.

      1. Anonymous Coward

        Re: It encrypts .doc, .dwg etc

        "Sure, can we have a couple more petabytes of storage please, oh and backup drives for those, oh let's not forget months' worth of tapes, plus archives, oh a few hundred gig of extra bandwidth while we're at it."

        Petabytes? Only if you are doing it wrong. The virus won't be able to attack files in the version control system, the users shouldn't have write access to the network shares (well, not many) and you don't need to back them up anyway as they are under version control. Local user files are still at risk, but they will be few.

        And the version control should *already* be getting backed up.

    4. Anonymous Coward

      Re: It encrypts .doc, .dwg etc

      I really hope you're not an IT support guy. Users are .... users... they are not IT experts, the same way that IT experts are not brain surgeons. Yes good practice is always good, but recovery is expensive in lost time and resources.

      1. Anonymous Coward

        Re: It encrypts .doc, .dwg etc

        "the same way that IT Experts are not brain surgeons."

        Which is why I don't do brain surgery.

        "Users are .... users..."

        Indeed, which is why there are systems and procedures in place to protect them.

        "Yes good practice is always good, but recovery is expensive in lost time and resources."

        Never said it wasn't, but if the procedures are in place the risk from this virus (any virus!) is much lower than if everything is on one server, with public write access and no back-ups.

        1. Anonymous Coward

          Re: It encrypts .doc, .dwg etc. -- BOFH version

          "the same way that IT Experts are not brain surgeons."

          Which is why I don't do brain surgery.... Except on users

  3. Martin Summers Silver badge

    NSA PR Opportunity

    They could offer a public service to decrypt the data for everyone affected. But would you rather pay the money or let the NSA have your files, oh wait...

    1. knarf

      Re: NSA PR Opportunity

      Chances are they already have a back up of all your files.

      1. tfewster

        Re: NSA PR Opportunity

        Obligatory

        http://dilbert.com/strips/comic/2013-09-06/

        1. Stratman

          Re: NSA PR Opportunity

          Followed by

          http://dilbert.com/strips/comic/2013-09-07/

  4. Charles 9

    I suspect the next step(s) for crypto malware are:

    (1) hibernate first so as to increase the odds of getting INTO the backup. The idea being should one try to use a backup to restore the OS and files, it'll just wake up again.

    (2) stick around after the ransom so as to hit the victim again (what business doesn't want a repeat customer).

    (3) look for ways to invade the MBR, BIOS, and/or EFI to get around OS safeguards and try to gain nuke-resistance.

    1. Anonymous Coward

      "look for ways to invade the MBR, BIOS, and/or EFI to get around OS safeguards and try to gain nuke-resistance."

      Oh dear, when will evil M$ (and others) do *ANYTHING* to stop this happening to us! Oh if ONLY they could do something, you know make the boot secure, hell maybe even call it SecureBoot

      /sarcasmmodeoff

      1. Charles 9

        Because if Microsoft tried to do ANYTHING, someone would find a way around it. Think privilege escalation. And there's been a disturbing trend towards making malware capable of surviving even "nuking from orbit", such that even that isn't so sure anymore.

      2. uvavu

        Micro$oft, the US and UK governments WANT this to happen to us so that we will insist on a Trusted Computing platform controlled by the Vendors who seek to profit and Governments who seek to spy.

  5. Dan 55 Silver badge

    Cloud backup

    If you have a sync directory, wouldn't it be rather annoying if the files in it were encrypted, uploaded to e.g. DropBox, then synced with your other machines?

    It'd be recoverable if you had a cloud locker with version control, but still annoying.

    1. Anonymous Coward

      Re: Cloud backup

      DropBox has versioning. In fact it's how we got back our Salesperson's files from her laptop when she got this nasty last week.

      1. Anonymous Coward

        Re: Cloud backup

        "DropBox has versioning. In fact it's how we got back our Salesperson's files from her laptop when she got this nasty last week."

        And that, people, is how bloody easy it is to have version control; even in an ad hoc manner (although handing potentially sensitive files to an external party is risky).

    2. Tezfair

      Re: Cloud backup

      "If you have a sync directory, wouldn't it be rather annoying if the files in it were encrypted, uploaded to e.g. DropBox, then synced with your other machines?"

      That's exactly what happened too; they use BTSync to keep a live copy at an external location, but as soon as the files were modified those encrypted ones went out too. As there were too many to check we are resyncing from 0.

    3. Anonymous Coward

      Re: Cloud backup

      A solution that I implemented years ago for an SME (when the Internet was still called the Internet, before the marketing guys with a weather fixation arrived in town), worked thusly:

      - Machine A is a file server where basically all the company's data is stored.

      - Machine B is an off-site computer with approx five times the storage capacity of machine A. It stores versioned backups of machine A's data directory.

      - A VPN server runs on machine B, to which machine A is permanently connected via ADSL (there was also the option of a radio connection--the machines are about 1 km apart at separate facilities).

      - At 20 minute intervals, machine B launches rsync over ssh over the VPN and synchronises any changes since last backup. Backups are versioned at irregular intervals; e.g., there are three backups for the last hour, one every hour for the past two days (I think), one every three hours for the last week, every twelve for the month, etc., etc., and finally something like one per month after two years or some such. Only files that have actually changed are stored multiple times. Whatever hasn't changed, there's only one copy of, with multiple hard links (the data is read-only), so storage is not that much of a problem (generally, files get added and only relatively small files change frequently).

      - The data directory on machine B is mounted read-only on machine A, so that access to backups is possible.

      - Note that the backup is triggered from the backup machine, which has read-only access to the file server. At the same time, the file server has read-only access to the backup machine, so remote data corruption is highly unlikely.

      - As machine B is a VPN host (so is machine A), backups can be accessed from any location by any client of machine B's VPN, not just from machine A.

      - No third-party storage (aka "le nuage" / "die Wolke") is involved, and all comms between hosts are encrypted, giving a reasonable expectation of privacy and protection against non-targeted attacks. Not to mention that it's actually cheaper to have your own machines than pay for online storage anyway.

      The cost of this solution was an inexpensive computer with a few big drives RAIDed together, plus the monthly charges for a normal ADSL connection, which copes well with the amounts of data involved. Over the years disks on both machines have failed, which was dealt with by replacing and rebuilding the RAID. Data corruption, accidental deletion of files, and machine A's location becoming inaccessible has been seen and the solution performed as expected, with complete success.

      I'm not so much bragging about this (for there is nothing to brag about), as using it as an example of how successful SMEs use a bit of ingenuity to keep their business running and their costs under control.
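An added example of the versioning side of that scheme (my own code, not the poster's scripts): a retention planner that thins rsync --link-dest snapshots on roughly the schedule the post describes. It assumes each snapshot is a directory named like 20131017T1200 under one root, and the tier figures are my approximation of the post's rough numbers.

```python
import shutil
from datetime import datetime, timedelta
from pathlib import Path

# Assumed layout: snapshot directories named 20131017T1200 (UTC), each a full tree that
# rsync -a --link-dest=<previous> hard-linked against its predecessor, so deleting a
# snapshot only frees the blocks unique to it.
NAME_FMT = "%Y%m%dT%H%M"
EPOCH = datetime(1970, 1, 1)   # buckets align to this fixed origin, not to "now", so a
                               # snapshot kept on one run is still kept on the next
DEMO_NOW = datetime(2013, 10, 17, 12, 0)

# (age limit, bucket width): keep at most one snapshot per bucket while the snapshot
# is younger than the limit. Figures approximate the post's schedule (assumption).
TIERS = [
    (timedelta(hours=1), None),                 # last hour: keep every run (three at 20 min)
    (timedelta(days=2), timedelta(hours=1)),    # hourly for two days
    (timedelta(days=7), timedelta(hours=3)),    # every three hours for a week
    (timedelta(days=30), timedelta(hours=12)),  # every twelve hours for a month
    (timedelta(days=730), timedelta(days=30)),  # roughly monthly out to two years
]

def tier_for(age):
    """Return the (limit, width) tier covering this age, or None once it has aged out."""
    for limit, width in TIERS:
        if age < limit:
            return limit, width
    return None

def plan_retention(snapshots, now):
    """Split snapshot timestamps into (keep, expire), both newest first.
    Within a tier, the newest snapshot in each absolute time bucket is the one kept."""
    keep, expire, seen = [], [], set()
    for ts in sorted(snapshots, reverse=True):
        tier = tier_for(now - ts)
        if tier is None:
            expire.append(ts)
            continue
        limit, width = tier
        if width is None:
            keep.append(ts)
            continue
        key = (limit, (ts - EPOCH) // width)   # timedelta // timedelta -> bucket index
        if key in seen:
            expire.append(ts)
        else:
            seen.add(key)
            keep.append(ts)
    return keep, expire

def prune(root, now, dry_run=True):
    """Apply the plan to snapshot directories under root; returns (kept, expired) names."""
    stamps = {}
    for d in Path(root).iterdir():
        try:
            stamps[datetime.strptime(d.name, NAME_FMT)] = d
        except ValueError:
            continue                # not a snapshot (e.g. a 'latest' symlink)
    keep, expire = plan_retention(stamps, now)
    for ts in expire:
        if not dry_run:
            shutil.rmtree(stamps[ts])   # blocks shared with kept snapshots survive
    return [stamps[t].name for t in keep], [stamps[t].name for t in expire]

def sample_snapshots(now, runs=720, every_minutes=20):
    """Constructed input: `runs` snapshots ending at `now`, one every `every_minutes`."""
    return [now - timedelta(minutes=every_minutes * k) for k in range(runs)]

if __name__ == "__main__":
    snaps = sample_snapshots(DEMO_NOW)          # ten days of 20-minute runs
    keep, expire = plan_retention(snaps, DEMO_NOW)
    print(f"keep {len(keep)} of {len(snaps)} snapshots, expire {len(expire)}")
```

Ten days of 20-minute runs thin to 99 kept snapshots (3 + 48 hourly + 41 three-hourly + 7 twelve-hourly).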

      1. DropBear

        Re: Cloud backup

        ...was that before or after the Internet was called "Cyberspace"...? Can't really tell. Oh, and what about "Information Superhighway"...?

  6. TkH11

    It never ceases to amaze me how many people open and click on links in emails without knowing who they're from. Even my employer (who shall remain nameless) has become infected despite there being a fairly recent and high profile campaign targeting computer security and phishing emails. Some people are just dumb.

    1. Mike Bell

      To be fair, a bit of social engineering is involved here by making the file look like something that it isn't (a PDF). Not every user is a geek, but they might know enough to know that PDFs are normally harmless viewable documents. If they possess a little geekiness, they might know that you'd better be dead sure you're running a *very* up-to-date PDF viewer. A little more and they'd know that executables can be camouflaged like this.

      I imagine that such a "dumb" user might be tempted to call you and me nerdy geeks who need a life.

      1. DrXym

        I was talking to someone a week ago who got a popup in their browser warning they were downloading pirated software and to click to acknowledge this. The sad thing is that while they didn't click, they actually believed the warning to be genuine although it clearly wasn't. I imagine anyone who clicked would be encouraged to pay a "fine" and possibly install "monitoring software" which would just be malware of some kind.

        I assume the criminals wouldn't bother with these scams if people didn't fall for them.

  7. Wild Bill

    From the detailed breakdown from Bleeping Computer, it appears that the encryption doesn't take place until the virus is able to phone home to one of its many servers, which have their domains automatically created using a Domain Generation Algorithm.

    Is there not any software that can block all domains which are obviously gobbledygook and are therefore likely to have been automatically generated by a nasty? It appears DGAs are used by a lot of viruses to phone home, so such a blocklist could be a reasonably good last line of defence for a multitude of arseholery (obviously not getting a virus in the first place is the ideal approach).

    1. Anonymous Coward

      Or maybe just blackhole all traffic to IP addresses associated with their C&C servers at major internet exchanges?

      1. Charles 9

        Until you find out they're clever enough to use IPs ALSO associated with legitimate sites. As for DGAs, they're ALSO used somewhat by some legit software houses, meaning blacklisting them, too.

        1. lglethal Silver badge

          I'm not doubting you Charles but...

          I'm not doubting you Charles, but I'm actually curious which programs would make use of DGA and why? I really can't think of a reason off the top of my head why you would need this from a legit program though.

          (that might be because it's almost pub time though!)

          1. Charles 9

            Re: I'm not doubting you Charles but...

            I've seen software repositories and media servers keep mirrors that have random-sounding names in the first part of their domain name. I believe these are generated on the fly for certain sessions and then terminated afterward to prevent backdooring.

    2. Anonymous Coward

      Wild Bill, I think you are looking for a firewall that stops all outgoing traffic until you OK it. I seem to remember there was ZoneAlarm for windows years ago that did that.

    3. jubtastic1

      Blocking gobbledegook domains

      Yes but it would also block hp.com

      I can't be the only one that wonders if they've strayed off the path when downloading drivers from hp.

    4. Allan George Dyer

      Discrimination against goblins?

      So what have you got against gobbledygook speakers? [Thanks, JKR]

      Seriously, once you've considered every language, and acronyms in those languages, you'll find it a major challenge to differentiate between a legitimate domain name and a DGA generated one.

      You might have some success if you...

      1) Reverse engineer the malware, identify the DGA

      2) Predict all possible outputs of the DGA

      3) Make legal arrangements with appropriate registrars to screen or revoke domain applications by the predicted output

      But, as soon as the criminals realise their domains are being revoked, they'll change the algorithm.
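An added example (my own code, not from any poster) of the "gobbledygook" filter Wild Bill asks about, run over a constructed resolver log: it catches the two random-looking names, but also flags the kind of random-looking mirror hostname Charles 9 and jubtastic1 mention, which is the false-positive problem Allan describes. The suffix handling is a tiny stand-in for a real public-suffix list, and the thresholds are my own guesses.

```python
import math
from collections import Counter

# Constructed resolver log excerpt: "<timestamp> <client> <queried name>".
SAMPLE_LOG = """\
2013-10-17T09:12:01 10.0.0.21 www.hp.com
2013-10-17T09:12:03 10.0.0.21 ftp-h5z3q1.example-mirror.invalid
2013-10-17T09:12:05 10.0.0.44 kqzvxwrtplmngh.biz
2013-10-17T09:12:06 10.0.0.44 companieshouse.gov.uk
2013-10-17T09:12:09 10.0.0.44 x8fa3kd9q2mzlv.ru
2013-10-17T09:12:11 10.0.0.21 dropbox.com
"""

VOWELS = set("aeiou")
# Crude stand-in for a public-suffix list: second-level labels that belong to the suffix.
SUFFIX_LABELS = {"co", "gov", "ac", "org", "net", "com"}

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def label_score(label):
    """Count how many 'looks generated' signals a single DNS label trips (0..5)."""
    s = label.lower().replace("-", "")
    if not s:
        return 0
    letters = [ch for ch in s if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0
    digit_ratio = sum(ch.isdigit() for ch in s) / len(s)
    run = longest = 0
    for ch in s:                      # longest consonant run; vowels and digits break it
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    signals = [shannon_entropy(s) > 3.5, vowel_ratio < 0.25, digit_ratio > 0.2,
               longest >= 4, len(s) >= 12]
    return sum(signals)

def scored_labels(qname):
    """Labels worth scoring: everything left of the (crudely detected) public suffix."""
    parts = qname.lower().strip(".").split(".")[:-1]          # drop the TLD
    if len(parts) > 1 and parts[-1] in SUFFIX_LABELS:          # drop e.g. 'gov' in gov.uk
        parts = parts[:-1]
    return parts

def flag_queries(log_text, threshold=3):
    """Return [(qname, worst_label, score)] for log lines whose name looks generated."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        qname = fields[2]
        worst = max(scored_labels(qname), key=label_score, default="")
        score = label_score(worst) if worst else 0
        if score >= threshold:
            flagged.append((qname, worst, score))
    return flagged

if __name__ == "__main__":
    for qname, label, score in flag_queries(SAMPLE_LOG):
        print(f"{score}/5  {qname:40s} label={label}")
```

Lowering the threshold to catch shorter generated names pulls in more legitimate hostnames; raising it lets generated names with a pronounceable shape through, which is the trade-off the thread is circling.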

  8. Pieh0

    "or pay the bad guys with a credit card to get the unlock code (assuming there even is one) to recover the locked data, then - one would assume - attempt to get the money back."

    Yea, thanks for that...

    Us people in the bitcoin world love to have our accounts frozen and police knocking on the door because we used a business to steal money from people.

    Way to screw over small businesses.

  9. Anonymous Coward

    "These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption, and that we can help them get their files back," adds the firm. "But as far as we can see, there's no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble."

    NSA could!

  10. Anonymous Coward

    Oldschool Extortion Virus - Got to love it - But I was left with more questions than answers

    Does the extortion-ware show up in Task Mangler as it's cooking your files? Or does it obfuscate itself by running inside a legitimate service or driver or other Windows subsystem's code?

    How does a machine become infected beyond the obvious i.e. opening an infected attachment? The article makes reference to a botnet style attack. This is an attack looking for weak backdoors? i.e. WinVNC, Remote Access? If yes, how does it first find its weak targets, random IP scanning?
