Posts: 9,104
Topics: 641
Kudos: 8,033
Registered: ‎02-03-2012

Alert (TA13-309A) CryptoLocker Ransomware Infections

 

NCCIC / US-CERT

National Cyber Awareness System:

TA13-309A: CryptoLocker Ransomware Infections

11/05/2013 10:58 AM EST

 

Original release date: November 05, 2013 | Last revised: November 13, 2013

Systems Affected

Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems

Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.  If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.  US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Solution

Prevention

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

  • Do not follow unsolicited web links in email messages or submit any information to webpages in links
  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments
  • Maintain up-to-date anti-virus software
  • Perform regular backups of all systems to limit the impact of data and/or system loss
  • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity
  • Secure open-share drives by only allowing connections from authorized users
  • Keep your operating system and software up-to-date with the latest patches
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams
  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks

Mitigation

US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

  • Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network
  • Users who are infected should change all passwords AFTER removing the malware from their system
  • Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:
    • Restore from backup,
    • Restore from a shadow copy or
    • Perform a system restore.

Revision History

  • Initial
  • November 13, 2013: Update to Systems Affected (inclusion of Windows 8)

https://www.us-cert.gov/ncas/alerts/TA13-309A

Webroot® SecureAnywhere™ Internet Security Complete Beta Tester v9.0.0.65 on my main system Alienware 17R2, Windows 8.1 Pro x64 & HTC One M8 Android Lollipop 5.0.1 Phone v3.6.0.6722.

Microsoft® MVP Consumer Security

Posts: 1,222
Topics: 48
Kudos: 1,348
Ideas: 5
Registered: ‎02-03-2012

Re: Alert (TA13-309A) CryptoLocker Ransomware Infections

Thanks Daniel for the post. I've been getting many emails from American Express with a dozen links attached for new offers, upping my credit limit ..... I called American Express; they have no record of sending me the emails. It's getting to the point where I don't trust any company's emails.

Expert Advisor


WEBROOT SecureAnywhere™ Internet Security Complete. BetaTester.


No Wait For Security Updates ~ It's Done In The "Cloud"


 

Posts: 9,104
Topics: 641
Kudos: 8,033
Registered: ‎02-03-2012

Re: Alert (TA13-309A) CryptoLocker Ransomware Infections


The best thing to do is delete them. They usually come via a ZIP or RAR attachment, but what I do is save them to a folder and just scan with WSA; 99% of the time they are detected. If not, I send them to support and also upload them to VirusTotal just to see how many detect it. I know VT does not have the full functions of any product, but I like to see: most times WSA detects them and maybe 2 or 3 others, and at times none but WSA. Then I look back a few hours later and see others starting to detect it. I just find it interesting.

 

I don't recommend anyone play with such malware unless you know what you are doing; it's best to just delete such emails.

 

Daniel


Frequent Voice
Posts: 39
Registered: ‎06-20-2013

Re: Alert (TA13-309A) CryptoLocker Ransomware Infections

Had someone tell me they became infected with this late last week, and I verified the vector: it came in an email with an attachment purporting to be a voicemail message. Anyone using voicemail-to-email is subject to infection. How many users check the "from" address to verify it's actually from their system before opening these things? They are implicitly trusted in a user's mind.

 

Wayne

Posts: 902
Topics: 58
Kudos: 596
Ideas: 72
Registered: ‎01-11-2013

Re: Alert (TA13-309A) CryptoLocker Ransomware Infections

Client-side security education is such a wasteland there isn't a lot to be done other than block these files at the border, use something with journaling, or use software restriction technologies (preferably all three).

 

Why the heck any email filter would allow a .exe file in an unencrypted .zip through is beyond me. 

----------------------------------------
Business Products Sr. Community Leader and Expert Advisor - WSA-Enterprise and WSAWSS administrator of 1700+ computers
First company to 1000+ WSA endpoints | Power User / Business Ambassador / WSA-C and WSA-E Beta tester
Community Leader
Find me on Twitter!
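The border check the post above asks for, as an added example that is not from the post, from Webroot, or from US-CERT: a gateway-side inspector in Python that opens a ZIP attachment in memory and reports why it should be blocked. It looks past the file name (double extensions such as Tracking.pdf.exe, a PE "MZ" header under a harmless name, nested archives) and flags password-protected entries because, as the post notes, they cannot be inspected. The extension lists and the sample archives are assumptions constructed for the example.

```python
import io
import zipfile

# Extensions a mail gateway should never admit from inside an archive (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Decoys used in double-extension lures ("Tracking.pdf.exe"): Windows runs the
# file by its final extension, not the one the user notices (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".txt", ".wav", ".mp3"}

def inspect_zip_attachment(data: bytes) -> list:
    """Return the reasons to block one ZIP attachment (empty list = allow)."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is not a valid ZIP archive"]
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        if info.flag_bits & 0x1:  # general-purpose bit 0: entry is password protected
            reasons.append(f"{name}: encrypted entry cannot be inspected")
            continue
        parts = name.lower().rsplit("/", 1)[-1].split(".")
        final_ext = "." + parts[-1] if len(parts) > 1 else ""
        if final_ext in EXECUTABLE_EXTS:
            hidden = len(parts) > 2 and "." + parts[-2] in DECOY_EXTS
            reasons.append(f"{name}: double extension hides an executable"
                           if hidden else f"{name}: executable inside archive")
        elif final_ext == ".zip":
            reasons.append(f"{name}: nested archive")
        else:
            with zf.open(info) as fh:  # content check: PE/DOS header under a harmless name
                if fh.read(2) == b"MZ":
                    reasons.append(f"{name}: PE header under a non-executable name")
    return reasons

def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a FedEx-style double-extension lure and a benign archive.
SAMPLE_LURE = build_zip({"FedEx_Tracking_Notice.pdf.exe": b"MZ\x90\x00stub"})
SAMPLE_BENIGN = build_zip({"invoice.txt": b"Amount due: 42.00"})
```

A real gateway would also cap decompressed size and entry count before opening members, which this example omits.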

Posts: 9,104
Topics: 641
Kudos: 8,033
Registered: ‎02-03-2012

Re: Alert (TA13-309A) CryptoLocker Ransomware Infections


 

My ISP uses Yahoo for email, but under my ISP's name, and we all know what Yahoo uses to protect its users. I get so many emails with attachments, and I can't remember the last one that got stopped by Yahoo's security partner (Norton) before it got into my inbox.

Daniel


Posts: 3,739
Topics: 2,202
Kudos: 2,988
Blog Posts: 0
Registered: ‎06-02-2014

Re: Alert (TA13-309A) CryptoLocker Ransomware Infections

The following article is an update on CryptoLocker ransomware:

 

Feds declare big win over Cryptolocker ransomware

 

July 15, 2014 09:45 AM 

 

Computerworld - Even as security researchers reported that the hacker gang responsible for the Gameover Zeus botnet had begun distributing new malware, U.S. government officials last week claimed victory over the original and said that the Cryptolocker ransomware that the botnet had been pushing has been knocked out.

On Friday, July 11, the Department of Justice filed a status update with a Pennsylvania federal court, telling the judge that both the Gameover Zeus botnet and Cryptolocker "remained neutralized."

"Analysis to date indicates that all or nearly all of the active computers in the [Gameover Zeus] network are communicating exclusively with the substitute server established pursuant to this Court's Orders," the document stated.

 

Computerworld, full article: http://www.computerworld.com/s/article/9249728/Feds_declare_big_win_over_Cryptolocker_ransomware

 

 

Community Leader