News

Cryptolocker Virus Alert

This is a service message from Exceed Consulting regarding a recent widespread virus outbreak.

Cryptolocker Virus Alert

A major virus threat has started making the rounds. Typically the virus is introduced by email. IN this case, the emails are often, but not always, just text with no (or very few) links and a single attachment. Typically the attachment is in a .zip format with a single file inside. The file inside is an infection program but appears to be a pdf. This can be especially difficult to distinguish as a .exe if file extensions are not visible to the user.

General methods for avoiding infection are provided below this alert.

How Cryptolocker Gets In

Information regarding the Cryptolocker virus. The key features & payload of this virus/malware are that it normally installs by opening an email attachment disguised as an invoice in a zip or pdf format. Most antivirus tools are still unable to effectively detect this virus, and most web filtering is only able to block a small portion of the compromised web addresses.

What Cryptolocker Does

  • The payload of the virus encrypts all of your documents in both local and shared storage (Word, Excel, PowerPoint, AutoCAD drawings, Photos, etc.) with 2048-bit encryption.
  • The virus can infect/encrypt both local and network attached storage, read this as ANY storage, the user has access to while logged into the infected desktop/laptop/server/Remote Desktop session/Citrix session.
  • The virus then ransoms your files for 100 hours at a cost of $300 to decrypt them.
  • Following the deadline or early termination and removal of the virus, the ransom increases to $2000 and requires sending sample files to the criminals behind the virus to retrieve the decryption key.

There is, of course, absolutely no obligation by the criminals to release the decryption key to the infected party.

How to Remove CryptoLocker and Repair the Damage, and Prevent where Possible

The virus itself can be fairly easily stopped and removed since it is typically only one to a few files. However, once the 2048-bit encryption of files has occurred rolling back to a pre-infected snapshot/backup is the only method to recover infected files.

As a side note, if it was actually effective for recovery the ransom would need to be paid in Bitcoin (an encrypted internet currency) to make the ransoms basically untraceable.

More information and sources

http://en.wikipedia.org/wiki/CryptoLocker

http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/

http://www.makeuseof.com/tag/cryptolocker-is-the-nastiest-malware-ever-heres-what-you-can-do/

The CryptoPrevent utility from Foolish IT can be effective at preventing infection at the desktop level.

http://www.foolishIT.com/vb6-projects/cryptoprevent/

Unfortunately, if you see this running on your desktop, it’s too late.

CryptoLocker

For reference, Bitcoin is in and of itself not a problem, it just adds a serious level of complication to tracking down the criminals behind this.

http://en.wikipedia.org/wiki/Bitcoin

General tips for avoiding computer virus infections

Email

Don’t click on links or attachments in your email unless you fully trust the sender. If the sender is you or someone you know that wouldn’t be sending this material, do not click on anything but the delete button.

If you use an email program that allows a preview mode, disable the preview pane. Email applications like Outlook, Thunderbird, and others often automatically load attachments for your convenience, this can automatically launch a virus. Contact us if you need assistance disabling preview in your email program.

If the email seems unusual, even (or especially) if it is from a company you do business with, it is probably up to no good – the email not the company. Scammers often use trusted companies to gain your trust by copying.

Businesses should never request sensitive information via email. Even if they do, be smarter than them and don’t use email to transfer sensitive information like passwords.

File Extensions

Watch out for files with a double extension. Examples: something.txt.vb or other.jpg.exe. By default Windows usually hides common file extensions, meaning that a program like Paint.exe will appear to you as simply Paint. Double extensions exploit this by hiding the second, dangerous extension and misleading you with the first (meaningless) extension. You can verify the full name with all extensions by right-clicking on the file, selecting Properties, and looking for the complete file name.

To make file extensions visible, find Folder Options in your Control Panel. (Note that it may be tucked away in Appearance and Personalization or something to that effect.) Under the View tab, scroll down to Hide Extensions for Known File Types and make sure it is unchecked.

USB Drives

Be careful when using USB drives. Just as a real virus can jump from person to person by shaking hands, the install process and handshake the connects a USB drive can transfer a virus to or from a PC for the purpose of spreading itself around. Most antivirus programs are capable of checking USB drives when they are connected, please let the scans complete.

Internet pop-ups

Pop-ups aren’t just annoying, they can often be misleading and dangerous. The primary concern here is when a pop-up mimics a known and trusted application. Rather than trusting the pop-up, close it and go to the source yourself or with the assistance of your system administrator. While you or your system administrator are investigating start a full scan for viruses. Better safe than sorry.

Knowledge is power

What do you do if you receive an email that seems fishy, but you were expecting a message from the company? Copy part of the message that doesn’t contain links into the search box at https://www.google.com/ Scammers and spammers love to reuse text, this can benefit you in detecting their tricks.

 

Protection

Prevention is great, but what if you make a mistake? First, it is better to have a message re-sent than to get an infection. Second, most (not all) infections that are good enough to pass the smell test, are still caught by web filters, anti-virus, and anti-malware tools. VIPRE Business Premium AntiVirus or Kaspersky AntiVirus, GFI Mail Essentials or Barracuda SPAM Filters, and Barracuda Web Filters can make a very strong layered approach in addition to your firewall solution.

Plan B (for Backup)

So you did all this and something still got through…now what?!? Time to pull out the backups. Before you get infected make sure you have a proper backup solution, properly scheduled, and ready to recover. Your system administrator can assist you with configuring and testing your backup solution.