
The nastiest malware of all? ... Cryptolocker



Posted

Did not find any previous post on this --- and it looks horribly nasty.

Here is an excerpt from the UK Guardian newspaper:

"The email from the bank looked innocent enough. It was from [email protected], and Sarah Flanders, a 35-year-old charity worker from north London, didn't think twice about opening it. But the email contained software that immediately began encrypting every file on her computer – from precious family photos to private correspondence and work documents.

In just a short time all her files were blocked, and then a frightening message flashed up on her screen: "Your personal files have been encrypted and you have 95 hours to pay us $300."

Flanders is refusing to pay, but fears her personal files are now lost forever. She is one of the latest victims of a particularly malicious piece of "ransomware" called CryptoLocker, which is estimated to have targeted nearly 1m computers over the past month alone."

Full article here

More here

Tips to protect yourself here

I hope no TV members have been afflicted by this.


Posted

Very serious and one more reason to back up now and often. Just restore to a previous back up and avoid anything more serious than a few days lost data.

Posted

Very serious and one more reason to back up now and often. Just restore to a previous back up and avoid anything more serious than a few days lost data.

Folks should remember that if you are infected with this evil thing whilst your back ups (external drive, thumb drive etc.) are plugged in - THEY will also be encrypted.

That's the frightening bit, and it means that someone could lose every single file they have, backed up or otherwise, and face a personal disaster.

To be safe, they recommend you disconnect all your back up devices when on line, and then back up when you log off the internet. Alternatively, copy everything important you have to a Cloud option.

Better safe than sorry!

Posted

One of my customers got hammered by this recently, though she did ask for it by gaily installing software from a spoof link in a fake email.

Removing the malware was fairly easy but all her documents were encrypted, even images, and it took a long time to restore from a cloud backup due to her abysmal folder structure and total lack of document organisation.

Posted

Folks should remember that if you are infected with this evil thing whilst your back ups (external drive, thumb drive etc.) are plugged in - THEY will also be encrypted.

That's the frightening bit, and it means that someone could lose every single file they have, backed up or otherwise, and face a personal disaster.

Actually my customer had her external drive connected and Cryptolocker didn't affect it at all.

Unfortunately she didn't actually have a backup of all her documents on that drive as she just uses it for transferring things to other machines and people, but what was on it remained intact.

YMMV of course.

Posted

One of my customers got hammered by this recently, though she did ask for it by gaily installing software from a spoof link in a fake email.

Removing the malware was fairly easy but all her documents were encrypted, even images, and it took a long time to restore from a cloud backup due to her abysmal folder structure and total lack of document organisation.

Was it a spoof link or an embedded attachment with a spoofed filename? (e.g. Openthis.pdf.exe)?

Posted

The email attachment pretends to be a pdf file and has a pdf icon but the full file name is *.pdf.exe.

All the major antivirus programs should have been updated by now. Additional protection can be had by setting Group Policy to prevent .exe files from running in certain locations; I think this is only applicable to Pro and above versions of Windows.

Found this which (it is claimed) works on all Windows versions and sets up GP. Suggest reading the article first. It's clean via VirusTotal.

http://www.foolishit.com/vb6-projects/cryptoprevent/

Posted

Was it a spoof link or an embedded attachment with a spoofed filename? (e.g. Openthis.pdf.exe)?

I don't know. The email had been deleted by the time I was on the case.

Posted

The email attachment pretends to be a pdf file and has a pdf icon but the full file name is *.pdf.exe.

All the major antivirus programs should have been updated by now. Additional protection can be had by setting Group Policy to prevent .exe files from running in certain locations; I think this is only applicable to Pro and above versions of Windows.

Found this which (it is claimed) works on all Windows versions and sets up GP. Suggest reading the article first. It's clean via VirusTotal.

http://www.foolishit.com/vb6-projects/cryptoprevent/

Well I block all executable attachments and all attachments with more than one period, so no problem there.

Seen quite a few targeted attacks in the last week using an .scr attachment.

Posted

A client of my sister's had this happen to him very recently. He's involved with loads of computer related business and had everything backed up. He refused to pay the ransom, and everything on his drive was encrypted and locked. In effect, everything was lost, but he was able to wipe the drive and use his backup to restore.

Very scary, though, with the possibility of having everything held to ransom. And if you don't pay, ....

Posted

That's a lot more difficult than just deleting phishing emails.

Sent from my GT-I9300 using Thaivisa Connect Thailand mobile app

Posted

That's a lot more difficult than just deleting phishing emails.

Sent from my GT-I9300 using Thaivisa Connect Thailand mobile app

True, I use Appguard so I don't have to do these things

Posted

Our school computer caught it too (and we do not go to porn sites). Here is an instruction from one of the parents on how to get rid of cryptolocker: http://privacy-pc.com/how-to/remove-cryptolocker-virus.html

Getting rid of it is a doddle. It's getting your data back that's the problem (especially if you don't have decent offline backups).

You don't need to go to porn sites to get this kind of infection. If you get spam, you can get this.

It's vital that you do not click on any links in an email unless you are certain you know the sender and you reasonably expect to receive it. And the same goes for opening attachments, which can look like a PDF document or a JPG picture but can actually be a .EXE (an executable program).

We routinely remove all executables from emails and notify the users that we've done so. One of our users sent a snotty email saying he needed the attachment because it was work related - it purported to be a payment confirmation from a Middle East bank. The attachment was called:

"bankname.pdf .scr".

.SCR is a script file and not a pdf document, but he was none the wiser.

I phoned him up and asked him "Are you expecting a payment from this bank?".

His answer? "No".

Me: "So do you think a random stranger is going to send you money?".

Him: "No".

Me: "So you don't think there's something slightly suspicious about it then?"

Him: "Errrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr"

Me: "Bye".

There are five slides in this presentation which offer some simple but effective advice, I'd advise anyone who's unsure about Phishing to take a look:

http://www.itbusinessedge.com/slideshows/show.aspx?c=94496
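The two attachment tricks quoted in this thread (Openthis.pdf.exe and "bankname.pdf .scr") and the gateway rule mentioned earlier (block executable attachments and any name with more than one period), worked through as an added Python example that is not code from any poster here; the attachment names and the extension list are constructed for illustration.

```python
import re

# Extensions Windows runs as programs. Note .scr (screen saver) is a PE executable,
# so it is just as dangerous as .exe. This list is an assumption, not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs", "vbe",
                   "js", "jse", "wsf", "msi", "hta"}

# Constructed sample attachment names, including the two tricks quoted in the thread.
SAMPLE_ATTACHMENTS = [
    "Openthis.pdf.exe",     # double extension, last one is executable
    "bankname.pdf .scr",    # space before the real extension to hide it
    "invoice.PDF",
    "holiday.jpg",
    "backup.tar.gz",        # legitimate, but has more than one period
]


def normalize_name(filename: str) -> str:
    """Trim and drop whitespace next to dots so 'bankname.pdf .scr' is seen as 'bankname.pdf.scr'."""
    return re.sub(r"\s*\.\s*", ".", filename.strip())


def classify_attachment(filename: str) -> tuple:
    """Return ('block', reason) or ('allow', reason) for one attachment name."""
    name = normalize_name(filename)
    parts = name.split(".")
    ext = parts[-1].lower() if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        # Only the final extension matters to Windows; icon and earlier ".pdf" are decoration.
        return "block", f"executable extension .{ext}"
    if name.count(".") > 1:
        # The poster's second rule: any name with more than one period. This also
        # catches legitimate names such as backup.tar.gz, so expect some false positives.
        return "block", "more than one period in filename"
    return "allow", "no executable or multiple extension"


def filter_attachments(filenames):
    """Apply the policy to a list of names and return {filename: (verdict, reason)}."""
    return {fn: classify_attachment(fn) for fn in filenames}


if __name__ == "__main__":
    for fn, (verdict, reason) in filter_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:5} {fn!r}: {reason}")
```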

Posted

As a Bitdefender user I just read up on their site and note this:

.....When decryption ends, the Cryptolocker files are deleted, but the registry entries are kept. Bitdefender software detects and blocks Cryptolocker from installing, so Bitdefender customers are protected.

UPDATED: For brave souls who still refuse to use a proper antivirus, Bitdefender researchers have crafted a tool which prevents known versions of Cryptolocker from encrypting files. It can be downloaded here:

http://labs.bitdefender.com/2013/10/cryptolocker-ransomware-makes-a-bitcoin-wallet-per-victim/

http://labs.bitdefender.com/wp-content/plugins/download-monitor/download.php?id=BDAntiCryptoLocker_Release.exe

Posted

Appears so but was 46 downloads when I posted this morning and 53 now but just tried and got not found so likely being revised.
