Darth Turbogeek
Nov 7th, 2013, 06:11:32 AM
Hey all,
You might notice there's a new spam-like notice about a scary new virus called CryptoLocker that will destroy your files unless you pay the bad guys money. Now, you know I'd be the first to call bullshit and laugh at how gullible people can be.....
http://www.news.com.au/technology/online/cryptolocker-virus-holds-your-computer-for-ransom/story-fnjwnj25-1226754940841
This is not bullshit or a stupid FW: FW: FW: FW:. This is very real and really really nasty. I've come across this at the company I work for and I guarantee the IT staff that work with me are smarter than you are about computers - so take this as an expert warning that even the good IT people can do nothing about it and if you see the ransom notice you are fucked. Your files are already toast.
The really ugly thing we found is this prick of a thing is network aware and will have a go at your "cloud" storage (SkyDrive, Dropbox, GoogleDocs etc) and will trash your files in those network locations too. We have had file servers nuked as this thing crawled file shares and encrypted everything.
Now, these guys who wrote this thing are very very smart - it's a morphing trojan and has been clearly tested against traditional AV and malware detection because it walks straight past it and gets to work. IF it is detected and removed, then the option of paying for your files will be gone, the private encryption key is deleted and your files will remain encrypted.
The encryption is so far not reversible, at least not reliably.
Your two defences are -
1) Don't get it in the first place. We have seen its attack vector as mainly malicious email attachments although we think malicious downloads and drive-by installs may also be possible. Thence do NOT open unknown email attachments from any source, protect your browser using FlashBlock, AdBlock and a script killer like Ghostery or NoScript.
2) Cold backups. So far we have seen this bastard attack anything network attached thence "backups" to the CLOUD!!!! are more than likely useless if you have seen the ransom note already, unless you do it via FTP. Your absolute best insurance is a cold backup, i.e. spinning disk hard drive and a proper versioning system that works and goes back before infection date, a non-mirroring backup to an offsite FTP server etc.
There is a third option -
3) Pay up. So far the bad guys have been handing over the private key and decrypting files if you pay the ransom. I can't guarantee that will keep staying the case.
So as I said, we have seen this bastard of a thing at work, it does exactly what it says, this is not some stupid scary spam and if you have it, you are screwed unless your cold backups are good.
If your backups are good, a simple hard drive format will clean it out. It's not a boot sector nasty so we have a pile of PCs we're rebuilding. And thankfully we have a pretty good cold backup system in place. However we have had a few laptops with un-backed-up files...... yep, gone, too bad for them.
My guess is CryptoLocker is going to get a lot bigger very fast so it's a good time to make sure your backups are good.
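An added example (my own, not the poster's) of the recovery step the post argues for: given a versioning backup, pick the newest copy of each file taken before the infection date that does not look encrypted, and show that a plain mirror has nothing left to restore. The entropy threshold, the store layout and the sample file contents are constructed assumptions.

```python
import hashlib
import math

# Assumed heuristic: plain text and most documents score well below this,
# random-looking ciphertext scores close to 8.0. Compressed formats (zip, docx,
# jpeg) also score high, so treat a hit as a triage signal, not as proof.
ENTROPY_LIMIT = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content, 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) > ENTROPY_LIMIT


def pick_clean_version(versions, infection_date):
    """versions: list of (ISO date string, bytes) in any order; ISO dates
    compare correctly as strings. Returns the newest version dated before
    infection_date whose content does not look encrypted, else None."""
    for date, data in sorted(versions, reverse=True):
        if date < infection_date and not looks_encrypted(data):
            return date, data
    return None


def restore_plan(store, infection_date):
    """Map every path in a backup store to the version worth restoring."""
    return {path: pick_clean_version(v, infection_date) for path, v in store.items()}


# Constructed sample data. SCRAMBLED stands in for a file the ransomware
# rewrote; it is built deterministically so the example is reproducible.
CLEAN_V1 = b"Quarterly notes, draft 1. " * 40
CLEAN_V2 = b"Quarterly notes, draft 2, with figures. " * 40
SCRAMBLED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(40))

# A versioning backup keeps history; a mirror only holds what is on the share now.
VERSIONED_STORE = {"finance/notes.txt": [("2013-10-28", CLEAN_V1),
                                         ("2013-11-01", CLEAN_V2),
                                         ("2013-11-05", SCRAMBLED)]}
MIRROR_STORE = {"finance/notes.txt": [("2013-11-05", SCRAMBLED)]}
```

With an infection date of 2013-11-04 the versioned store yields the 2013-11-01 draft, while the mirror, having faithfully copied the encrypted file, yields nothing.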