Gamer ransomware grows up, now infecting UK, Euro businesses

Companies across Northern Europe are being smashed by the TeslaCrypt ransomware as net scum switch from extorting individuals to targeting deeper-pocketed organisations. Those worst affected are located in the United Kingdom, France, Italy, and Spain, where a highly capable phishing campaign regularly tosses out juicy baits …

  1. Mayhem

    Details

    It will infect the victim's machine and impressively all those attached to the same network, encrypting files using any of 187 extensions

    It would be good if you could provide some information as to HOW it can encrypt everything on the network since none of your links cover that titbit.

    Are we talking mapped network drives same as Cryptolocker, or does it use some other mechanism like crawling file shares?

    1. Anonymous Coward

      Re: Details

      I know it can do mapped drives, not sure about the rest. I know this as last week there was an email saying our mail server was getting spammed, then another saying "These shares are down" a third saying "Remember only open attachments from trusted sources", then the "We have a virus" before another email that all but ensured everyone knew which department opened the offending email.

      Fun times.

      1. Peter2 Silver badge

        Re: Details

        Does your network admin have macros enabled in Office by any chance, and do you actually use Office macros for anything? (other than getting virus infections)

    2. Frumious Bandersnatch

      Re: Details

      Upthumbed.

      Infecting all (e.g., Linux, Mac, BSD) machines would be impressive. Accessing available Windows network shares, not so much.

  2. TJ1

    Windows only; Infection due to continued bad security policy - nothing new

    "TeslaCrypt will be pulled down from external malicious websites once the JavaScript attachment is activated."

    So the PC is already configured to be a vector by the users.

    When convenience still trumps security for one of the commonest vectors then I find myself thinking these organisations have to take responsibility and blame. If those infected systems can access personal data held under the Data Protection Act they're failing in their duties both legally and for their own protection.

    0. Do NOT allow untrusted executable content

    1. Only allow plain-text email

    2. Strip and quarantine attachments

    3. Do NOT use Adobe Flash

    4. Sandbox any HTML user-agent in an unprivileged account, that is NOT the same account the users routinely use, and does NOT have access to their user profile

    1. Destroy All Monsters Silver badge

      Re: Windows only; Infection due to continued bad security policy - nothing new

      Do NOT allow untrusted executable content

      Welcome to Windows. You will like it here.

      Only allow plain-text email

      That train has already left the station and pretending it's still boarding is disingenuous

      Strip and quarantine attachments

      Yeah right

      Do NOT use Adobe Flash

      I would but "internal communications" sometimes demands it be used

      Sandbox any HTML user-agent in an unprivileged account, that is NOT the same account the users routinely use, and does NOT have access to their user profile

      Good idea but no-one is gonna follow that either.

      1. Peter2 Silver badge

        Re: Windows only; Infection due to continued bad security policy - nothing new

        This would have still gotten through your security precautions. It arrives as a semi-convincing email just as a Word/Excel document, which has a macro in it which then compromises the PC. Arguably blocking the executable content (via SRP) would prevent certain payloads from executing so I shall give you half a point here.

        Disabling Macros via GPO or setting the security level high enough that the users actually get asked if they want to execute them first would have prevented or seriously reduced the probability of this particular nasty infecting anything.

        Quarantining attachments only works when the users don't unblock them. If you quarantine *every* attachment then you just train your users to constantly unblock attachments all of the time to get their jobs done which leads to less security than just blocking things that have a serious probability of being dodgy.

        And how pray tell do you set up HTML User agents in different accounts? I can restrict the permissions of processes, but unless I have missed a trick you can't inspect a UA string until after the program is running (and processing a request, surely?)
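As an added example (not code from the article or from any commenter) of the "strip and quarantine attachments" and "do NOT allow untrusted executable content" items in TJ1's list, written with Peter2's caveat in mind that holding every attachment just trains users to unblock them: a mail-gateway filter that holds only attachments whose names carry executable, script, macro-enabled or archive suffixes, stores each one under its SHA-256, and passes the rest through. The suffix list, the quarantine layout and the sample message are assumptions constructed for the example; the double-extension check is what catches an `invoice.pdf.js` dropper of the kind the article describes.

```python
"""Mail-gateway attachment policy: strip and quarantine executable content.

Added example, not code from the article or the commenters. The blocked-suffix
list, the quarantine layout and the sample message are assumptions.
"""
import email
import email.policy
import hashlib
import os
import tempfile

# Assumed policy: suffixes treated as executable or script content. Macro-enabled
# Office formats are included because the thread's infection chain is a macro in
# a Word/Excel document; .js covers the JavaScript dropper the article describes.
# Archives are held too, since droppers commonly arrive zipped.
BLOCKED_SUFFIXES = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "vbe", "js",
    "jse", "wsf", "wsh", "hta", "jar", "lnk", "docm", "xlsm", "pptm", "dotm",
    "zip", "rar", "7z", "iso",
}


def risky_name(filename):
    """True if any suffix of the filename is blocked.

    Every suffix is checked, not just the last one, so a double extension such
    as 'invoice.pdf.js' is caught even when Windows hides the real extension.
    """
    suffixes = filename.lower().split(".")[1:]
    return any(s in BLOCKED_SUFFIXES for s in suffixes)


def _quarantine(part, quarantine_dir):
    """Store the decoded attachment under its SHA-256 and describe it."""
    data = part.get_payload(decode=True) or b""
    digest = hashlib.sha256(data).hexdigest()
    if quarantine_dir is not None:
        with open(os.path.join(quarantine_dir, digest + ".bin"), "wb") as fh:
            fh.write(data)
    return {"filename": part.get_filename(), "sha256": digest, "size": len(data)}


def _strip(part, quarantined, quarantine_dir):
    """Recursively remove risky attachments from a multipart container."""
    if not part.is_multipart():
        return
    kept = []
    for sub in part.get_payload():
        name = sub.get_filename()
        if name and risky_name(name):
            quarantined.append(_quarantine(sub, quarantine_dir))
        else:
            _strip(sub, quarantined, quarantine_dir)
            kept.append(sub)
    part.set_payload(kept)


def filter_message(raw, quarantine_dir=None):
    """Parse a raw message and strip risky attachments into quarantine.

    Returns the sanitised message and a list of quarantine records. A
    single-part message that is itself a risky attachment gets its body
    replaced with a notice.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    quarantined = []
    name = msg.get_filename()
    if not msg.is_multipart() and name and risky_name(name):
        quarantined.append(_quarantine(msg, quarantine_dir))
        msg.clear_content()
        msg.set_content("Attachment removed by policy: %s\n" % name)
    else:
        _strip(msg, quarantined, quarantine_dir)
    if quarantined:
        msg["X-Attachment-Policy"] = "quarantined " + ", ".join(
            "%s (sha256 %s)" % (q["filename"], q["sha256"]) for q in quarantined)
    return msg, quarantined


# Constructed sample: one harmless PDF plus a .js dropper hidden behind a
# double extension, as in the campaign the article describes.
SAMPLE_EML = b"""\
From: accounts@example.invalid
To: staff@example.invalid
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached invoice.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1
Content-Type: application/octet-stream; name="invoice.pdf.js"
Content-Disposition: attachment; filename="invoice.pdf.js"
Content-Transfer-Encoding: base64

dmFyIGEgPSAxOw==
--b1--
"""


def run_demo():
    """Apply the policy to the sample in a temporary quarantine directory."""
    with tempfile.TemporaryDirectory() as qdir:
        msg, quarantined = filter_message(SAMPLE_EML, qdir)
        stored = sorted(os.listdir(qdir))
    return {
        "quarantined": [q["filename"] for q in quarantined],
        "sizes": [q["size"] for q in quarantined],
        "stored": stored,
        "kept": [p.get_filename() for p in msg.iter_attachments()],
        "body": msg.get_body(preferencelist=("plain",)).get_content().strip(),
        "policy_header": msg["X-Attachment-Policy"],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Holding the file under its hash rather than its claimed name means the quarantine store cannot be tricked by a path in the filename, and the `X-Attachment-Policy` header gives the recipient and the helpdesk a record of what was removed without ever delivering the payload.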

    2. Anonymous Coward

      Re: Windows only; Infection due to continued bad security policy - nothing new

      5. Do NOT use Microsoft Office unless you can do so without running macros, and block users from re-enabling macros. Actually, it may be easier to switch to LibreOffice instead, just to give the Microsoft marketing people on this forum something to downvote :).

      6. Make sure to have backups that work in sufficient generations, and test frequently.

      7. The installation of unauthorised software (even just a toolbar) is a sackable offence.

      8. Admin rights. Just say no.
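An added example (not code from the article or from any commenter) for item 6 above, backups in sufficient generations that are tested frequently: each run copies the source into a new timestamped generation with a SHA-256 manifest, prunes generations beyond a keep count, and `verify_generation()` re-hashes a generation against its manifest so a restore test can be scripted rather than assumed. The paths, the keep count and the manifest format are assumptions; the demo scenario (three backups, one of which is later overwritten with junk) is constructed.

```python
"""Generational backup with a hash manifest and a scripted restore check.

Added example, not code from the article or the commenters. Paths, keep
count and manifest layout are assumptions.
"""
import hashlib
import os
import shutil
import tempfile
import time


def _sha256(path):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_generation(src, dest_root, keep=3, stamp=None):
    """Copy src into a new generation directory and write its manifest.

    Generations beyond `keep` are pruned oldest-first, so one bad run (for
    instance a machine whose files were already encrypted) does not replace
    every good copy at once.
    """
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    gen = os.path.join(dest_root, stamp)
    data = os.path.join(gen, "data")
    shutil.copytree(src, data)
    lines = []
    for root, _, files in os.walk(data):
        for name in sorted(files):
            path = os.path.join(root, name)
            lines.append("%s  %s" % (_sha256(path), os.path.relpath(path, data)))
    with open(os.path.join(gen, "MANIFEST.sha256"), "w") as fh:
        fh.write("\n".join(lines) + "\n")
    gens = sorted(d for d in os.listdir(dest_root)
                  if os.path.isdir(os.path.join(dest_root, d)))
    for old in gens[:-keep]:
        shutil.rmtree(os.path.join(dest_root, old))
    return gen


def verify_generation(gen):
    """Re-hash every file listed in the manifest; return a list of problems."""
    data = os.path.join(gen, "data")
    problems = []
    with open(os.path.join(gen, "MANIFEST.sha256")) as fh:
        for line in fh:
            if not line.strip():
                continue
            digest, rel = line.rstrip("\n").split("  ", 1)
            path = os.path.join(data, rel)
            if not os.path.exists(path):
                problems.append((rel, "missing"))
            elif _sha256(path) != digest:
                problems.append((rel, "hash mismatch"))
    return problems


def run_demo():
    """Constructed scenario: three generations, keep two, then tamper with one."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(src)
        with open(os.path.join(src, "ledger.ods"), "wb") as fh:
            fh.write(b"quarterly figures")
        dest = os.path.join(tmp, "backups")
        os.makedirs(dest)
        gens = [make_generation(src, dest, keep=2, stamp="gen-%d" % i)
                for i in range(3)]
        remaining = sorted(os.listdir(dest))
        clean = verify_generation(gens[2])
        # Simulate a backup copy that was overwritten after it was written.
        with open(os.path.join(gens[1], "data", "ledger.ods"), "wb") as fh:
            fh.write(b"\x00garbage")
        tampered = verify_generation(gens[1])
    return {"remaining": remaining, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(run_demo())
```

The manifest is what turns "we have backups" into "we have tested backups": a scheduled `verify_generation()` over the newest generation fails loudly if the copy is missing, truncated or has been overwritten, which is exactly the failure that goes unnoticed until the day a ransomware victim needs to restore.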

      1. James O'Shea

        Re: Windows only; Infection due to continued bad security policy - nothing new

        "5. Do NOT use Microsoft Office unless you can do so without running macros, and block users from re-enabling macros. Actually, it may be easier to switch to LibreOffice instead, just to give the Microsoft marketing people on this forum something to downvote :)."

        Sigh. There are simply some things (yes, including macros) which MS Office does better than Libre Office. Indeed, there are some things that MS Office does which Libre Office either doesn't do at all or makes a dog's breakfast out of it. Libre Office will work for a lot of people. It won't work for a quite significant number of people.

        Blocking macros can have its problems, too, as there are those who simply must run macros as part of their jobs. Once again, a large number of people don't need macros, but those who need them, need them badly.

        I have tried all of the alternatives for MS Office. (Libre Office. Open Office. Word Perfect Office. Symphony. iWork. Even Microsoft Works and AppleWorks, which showed true desperation. Others.) I always ended up going back to MS Office because there was something which none of the competition could do and which I needed. I might only need it once in months, but when I needed it, I needed it badly and immediately, and getting the supporting work out of whatever format the competition used and into a format that MS Office could access without mangling the file too badly was more work than just using MS Office and taking precautions while doing so was. (Have you seen the mess that results when you take a 100+ page report saved in the native formats for Open Office, or, worse, Pages, and tried to pour it into Word 2010? Yes, Open Office and Pages will 'export' the file to something they claim is .DOC format, but Very Strange Stuff Happens(tm) to anything remotely complex, such as a table. And a 100+ page report is going to have a lot more than just one table.)

        1. Palpy

          Re: Sigh. MS Office does things.

          Agreed, James. A given set of users may be highly skilled at, say, metal fabrication, but when they have to fill out a complicated materials-and-time spreadsheet on Excel, or a boilerplate-language invoice on Word, a cleverly-implemented macro may be all that saves them from madness.

          Eventually the LibreOffice Python or Basic macro programming may become as useful as Office VBA. At that point, of course, it will also be as dangerous to run.

          Perhaps: any programming which is sufficiently powerful to be deeply useful is also powerful enough to damage the system on which it runs? Dunno if that holds water as a general rule. Have to think about it.

          The line about "Only three of 55 antivirus products detect the ransomware..." points up the sorrowful state of reactive security.

          1. Destroy All Monsters Silver badge

            Re: Sigh. MS Office does things.

            Perhaps: any programming which is sufficiently powerful to be deeply useful is also powerful enough to damage the system on which it runs? Dunno if that holds water as a general rule. Have to think about it.

            Unless sandboxed: yes. This is related to Langsec

        2. Anonymous Coward

          Re: Windows only; Infection due to continued bad security policy - nothing new

          I might only need it once in months, but when I needed it, I needed it badly and immediately, and getting the supporting work out of whatever format the competition used and into a format that MS Office could access without mangling the file too badly was more work than just using MS Office and taking precautions while doing so was. (Have you seen the mess that results when you take a 100+ page report saved in the native formats for Open Office, or, worse, Pages, and tried to pour it into Word 2010?

          I would agree with you that if you have to stick to Microsoft formats you will be stuck with Microsoft Office as the only Office product that can render that correctly (provided you run the latest version, because even that is an issue). They've been running that specific scam for literally decades (and are still doing it, by the way - we have some MS goons alleging on this forum that MS Office renders ODF files better than LibreOffice, which is a clear sign that such statements are made by people who have never even been close to ODF).

          We have the luxury that we rarely exchange MS formats with other companies so we're ODF internally and only have a few MS Office licenses for importing/exporting the mess known as MS OOXML. In our experience, using the non-X formats exchanges just fine, which is probably why Microsoft makes it hard to default to that; the horror of making files backwards compatible must keep them awake at night.

          Sometimes it's good to be in control - we managed to make LibreOffice work for us.

  3. Anonymous Blowhard

    Thor Point

    I tried to check out Heimdal Security's site, but can't access any content without enabling JavaScript; seems like a poor effort for an IT security company.

    1. NotBob

      Re: Thor Point

      If you don't need security services yet, we can fix that, too.

      Just another invaluable service we offer.

  4. Dadmin

    Oh Noes!

    Gamer Ransomware?! HAHA! Did you guys just make this up? This sounds just really really stupid. Do I need to get "afraid really quick" that my non-networked Sega Dreamcast is going to get hacked and my progress in Ooga Booga will get encrypted? Wow, colour me unimpressed, but I'm not buying into the "ransomware" hype. Next?!

    1. Destroy All Monsters Silver badge

      Re: Oh Noes!

      The next message from Dadmin was "I have wee problem reading my files.... anybody can help?"

  5. Ernie Mercer

    "Only three of 55 antivirus products detect the ransomware"

    Which three?

    1. Gordon861

      Agree ... you would have thought that this would be an obvious bit of additional information to include with the article.

    2. rally_champ

      I realise this is a bit late but googling around I found:

      https://heimdalsecurity.com/blog/wp-content/uploads/full-antivirus-detection-rates-teslacrypt-december-11-2015.png

      Which reports only AhnLab-V3, Bkav, and Qihoo-360 picked it up. All the others, including all the famous names, e.g. Kaspersky, missed it (as evidenced by the green tick).

      This is a summary https://heimdalsecurity.com/blog/security-alert-teslacrypt-infections-rise-spam-campaign-hits-companies-europe/

  6. g00se

    Only three of 55 antivirus products detect the ransomware through static VirusTotal analysis, however this is not necessarily indicative of real-world dynamic scanning results.

    Why not? Have enterprises access to better/different AVs? Or is it fewer than three in the real world?

  7. Anonymous Coward

    Nice Scare Tactics

    I dunno why these articles are so click-baitey tbh. I mean realistically you should have a backup solution, i.e. Acronis, True Image, Rollback Rx... anything really. So if you aren't setting up a recovery option you really are vulnerable. I have a couple of disk images and I use Rollback so should be fine for the most part *knocks on wood*
