
Well, shit. My office got infected by Crytolocker.

These people don't rest do they?

KjkJtoE.png

just got this one a min ago.
 
I work in IT. This happened to us last week. We keep our computers pretty locked down. We think that it got through with a Google Chrome add-on exploit.

This was a much more advanced version of the software called "CryptoDefense". It set up shop on one of our administrative assistant's computers. It encrypted one of the network shares on Friday when I caught it in the act, thank God. She was only connected to three network shares.

It never showed up on the computer as a program, only a service. Thing is, these programs like to make themselves known so people can pay the ransom. This one was just quietly going through each directory she had access to and encrypting files, which is very strange because every account I've seen says that it makes itself known.

It started around 9 am; I caught it at 9:40 am and shut down her computer. We assessed the damage, and by 11:30 am we had to roll back all of the files in that share to 4:00 am for the minimum amount of damage. We couldn't risk just rolling back the files but keeping the "how to decrypt" HTML files in each directory. The program makes an HTML link in every directory it encrypts.

Only two people called us about missing files this week. We did copy the share off of the server in its encrypted state, about 70 GB, to keep track of what files were truly lost. The one thing that happens is that when employees find out that something happened to the system they will claim that they lost things that never existed or that they deleted themselves.

What's more fucked is that HR really doesn't care that she wasn't doing her job and was on some shady website that compromised one of her department's shares.
 
As an IT security consultant, I am facepalming at a lot of these posts (not aimed at the posters - rather the security policies enforced by the companies mentioned).

When it comes to general IT Security policy, it always comes down to the amount that the people with the money want to spend, and it comes down to their education. The old phrase of "you can lead the horse to the water, but you can't make it drink" comes to mind.

Unfortunately, with IT security, you see very little return on a big investment until the shit hits the fan. If you have bosses or directors who won't spend money, the best people can do is have a game plan to recover from being hit, and hit hard.

I've seen so many companies bite the dust because of simple malware infections. If it wasn't Cryptolocker, it was Conficker before then.
 
From the Wiki... You can really rack up several millions worth of untraceable dollars through bitcoin? wtf
Every bitcoin transaction is publicly available, so it's quite hard to make it 100% untraceable. You can see them at https://blockchain.info/ if you type in an address (where you send bitcoins). A bitcoin address looks like this: 19oZXVwrLxbdLQRPEBehgE6ZxKiDkqhFez

Paying the ransom is sadly the right choice if you have to retrieve the files. I think sandboxing saves you, but I know very little about computer security. You can actually download various versions of cryptolocker to test on computers, but make sure you know what you're doing :P
 
I use these methods to stop this kind of stuff happening where I work

Group Policy lockdown
Web browsing filtering
Whitelisting application software
Restricted local administrators
Desktop anti-virus software

Add in about 2 layers of mail and other inbound filtering I'm pretty confident I won't be seeing this at my work - though you never know
 
It never showed up on the computer as a program, only a service. Thing is, these programs like to make themselves known so people can pay the ransom. This one was just quietly going through each directory she had access to and encrypting files, which is very strange because every account I've seen says that it makes itself known.

It never announces itself until the crypto is done because it doesn't want you to know about the encryption until it is done. If you had let it run its course, it would most certainly announce itself.

I found this page that explains pretty thoroughly how this program works.

http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/
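Because the encryption runs silently until it finishes, the only thing a defender can watch during that window is the files themselves. The following is an added example (not from the thread or from any vendor) of a simple share scanner that flags document files whose contents no longer look like documents: for formats with a known leading signature (ZIP-based Office files start with `PK\x03\x04`, legacy Office files with the OLE2 bytes `D0 CF 11 E0`, PDFs with `%PDF`) it checks that the signature is still present, and for plain text it checks that the byte entropy is still that of text rather than of ciphertext. The entropy limit and the list of extensions are assumptions chosen for the demo, and the directory tree it scans is constructed in a temporary folder.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes of common document formats. A file whose extension promises one of these
# but whose first bytes differ has most likely been overwritten in place.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",   # Office Open XML is a ZIP container
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",  # legacy OLE2 compound files
    ".pdf": b"%PDF",
}
TEXT_EXTENSIONS = {".txt", ".csv"}
TEXT_ENTROPY_LIMIT = 6.0  # bits per byte; assumption: natural-language text stays well below this


def shannon_entropy(data):
    """Bits of entropy per byte: ~4-5 for English text, ~8 for ciphertext or random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path):
    """True if the file's content contradicts what its extension says it should be."""
    ext = path.suffix.lower()
    with open(path, "rb") as f:
        head = f.read(65536)  # the first 64 KiB is enough to judge
    if not head:
        return False
    if ext in MAGIC:
        return not head.startswith(MAGIC[ext])
    if ext in TEXT_EXTENSIONS:
        return shannon_entropy(head) > TEXT_ENTROPY_LIMIT
    return False  # unknown type: no opinion


def scan_share(root):
    """Walk a share and return {relative directory: [suspicious file names]} to scope the damage."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if looks_encrypted(Path(dirpath) / name):
                hits.setdefault(os.path.relpath(dirpath, root), []).append(name)
    return {d: sorted(names) for d, names in hits.items()}


def demo():
    """Build a constructed share with intact and overwritten files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        (share / "Finance").mkdir(parents=True)
        (share / "HR").mkdir(parents=True)
        # Intact files: a ZIP-headed spreadsheet and an English text note.
        (share / "Finance" / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 1024)
        (share / "Finance" / "notes.txt").write_bytes(
            b"The quarterly numbers are attached for review. " * 50)
        # Overwritten files: random bytes standing in for ciphertext (constructed).
        (share / "HR" / "policy.docx").write_bytes(os.urandom(4096))
        (share / "HR" / "list.csv").write_bytes(os.urandom(4096))
        return scan_share(share)


if __name__ == "__main__":
    print(demo())
```

A scheduled run of `scan_share` over each share, alerting when a previously clean directory starts producing hits, gives the kind of early warning that the post above says the malware itself withholds; the per-directory result also doubles as the list of what has to be rolled back.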
 
You guys got hit RIGHT after you recently backed up your files? Sounds like whoever did this felt like their window of opportunity was closing. Could this have been an inside job? What if the low ransom isn't indicative of some big con but really something that reveals this as a crime of passion?

The perpetrator hit you at the worst possible time, at your exact weak point, and caused the most possible damage. Know any disgruntled employees or people who have recently been fired who could somehow keep tabs on the workplace? If someone got fired, did he leave anything like a pen or something when he came back to clear his desk? Stuff like this may not help you guys get your files back, but it could help you punish the guy responsible.
 
Cryptolocker targets documents and other user files. A Linux version would be almost as destructive. Also, most of the infections are done through social engineering (the users themselves are tricked into launching/installing the malware), not arbitrary code execution exploits.

Yup, it's really hard to stop infection other than locking down the computer to the highest degree. If you've got permission to run arbitrary code and have write permission on your own files, you're already vulnerable.

Seems to me the best way to minimize risk is a proper backup system. You should have one in place anyhow.
 
You guys got hit RIGHT after you recently backed up your files?

If they back up every day, and the encryption takes a certain amount of time (hours for a normal hard drive), any day is the exact right moment to hit them. It would in fact be very difficult to find a moment when it was not right, given their backup scheme.
 
Shadow Copy and Full and incremental backups ftw. Proxy servers are people's friends in office environments and most people just bitch about them.
 
Why wasn't the guy who opened the file fired?

Yeah... I'm not 100%, they probably could have actually sued him as well for damages. He comes from an IT background, so they would easily have been able to prove he would have known it could have done damage by clicking on it, and it was from personal email.
 
These people don't rest do they?

KjkJtoE.png

just got this one a min ago.

Hah. I've been getting a bunch of these and ignoring them because they were spam (although I was curious as to what they were).

Luckily I am safe because:

a) our mail is scanned, spam is flagged and infected attachments removed (and these were marked as such).
b) I'm on Linux and reading my mail in Alpine
c) I would never open an attachment from some random person.

The thing you have to wonder is why isn't *every* company doing a)?
 
One of my major steps when securing a network is to disable the execution of ALL executables by default using hashing (Windows Server). It's then a case of stockpiling executables which should be allowed to run (i.e. WORD.exe, firefox.exe etc.). The hashing works using the filename, size, company name etc., so they can't just bring in an executable from home and name it WORD.exe.
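The post above describes a default-deny application allowlist keyed on a hash rather than a file name. The following is an added example, not the poster's configuration or any Windows feature, that shows the core of that idea in Python: approved binaries are hashed once (SHA-256 of the content; the real policy described above also folds in metadata such as size and company name), and a candidate file is only "allowed" if its content hash is on the list. The approved binaries and the downloads are constructed byte strings in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for real binaries (the MZ prefix mimics a Windows executable header).
APPROVED_BINARIES = {
    "WORD.exe": b"MZ\x90\x00 constructed word binary",
    "firefox.exe": b"MZ\x90\x00 constructed firefox binary",
}


def sha256_of_file(path):
    """Stream the file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_dir):
    """Hash every approved executable once; the policy is the set of content hashes."""
    return {sha256_of_file(p) for p in Path(approved_dir).iterdir() if p.is_file()}


def is_allowed(path, allowlist):
    """Default deny: a file may run only if its content hash is on the allowlist.
    The file name plays no part, so renaming an unknown binary to WORD.exe does not help."""
    return sha256_of_file(path) in allowlist


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        approved = Path(tmp) / "approved"
        approved.mkdir()
        for name, data in APPROVED_BINARIES.items():
            (approved / name).write_bytes(data)
        allowlist = build_allowlist(approved)

        downloads = Path(tmp) / "downloads"
        downloads.mkdir()
        # Same content as the approved WORD.exe under another name: still allowed.
        (downloads / "renamed_word.exe").write_bytes(APPROVED_BINARIES["WORD.exe"])
        # Unknown content carrying the approved name: blocked.
        (downloads / "WORD.exe").write_bytes(b"MZ\x90\x00 constructed unknown binary")
        return {
            "renamed_word.exe": is_allowed(downloads / "renamed_word.exe", allowlist),
            "WORD.exe": is_allowed(downloads / "WORD.exe", allowlist),
        }


if __name__ == "__main__":
    print(demo())
```

The flip side of hashing content is maintenance: every patch of an approved application changes its hash, so the allowlist has to be regenerated as part of the update process or the patched application stops running.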
 
I just read a little bit about this virus and I'm thoroughly impressed! That is some ingenious criminal energy at work here. Apparently they/he/she hasn't been found yet, and ~30m is a really impressive amount of money to get from something like this.

Also the fact that the user can get his data back for relatively small money.. Really well thought out!

I'm guessing there is no information on which group/person invented this and which country it came from? Also, I'm only rudimentarily informed on Bitcoin. The transactions are not traceable for anybody? And the 'account' for your bitcoins is just the pure data and an encryption key?
 
So apparently it scans for document files and stuff like that (according to the video DieH@rd linked to), so...

WHAT IF:

You make custom extensions for your files, e.g.
exampleworddocument.abcdef

A simple .bat file could be used to change any existing files' extensions.

Then choose the program to open it with. I don't know whether Crytolocker checks what files open with, it sounds like it just scans and encrypts various files with certain extensions.
 
What happens if I'm using cloud backup and I get infected with ransomware? Will my files get encrypted and then overwritten on my cloud backup?

Depends on the cloud backup. I use CrashPlan which lets me choose what version of a file to restore, so in the case of a CryptoLocker infection I could restore affected files from before the infection occurred.
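The distinction the answer above draws is between a backup that mirrors the current state of a file (where the encrypted copy replaces the good one) and one that keeps every version. The following is an added example, not CrashPlan's or any product's code, of the minimal version-keeping design: each backup run stores the file's content under its SHA-256 digest and appends the digest to a per-file history, so a later backup of the damaged file adds a version rather than replacing the earlier one, and the pre-infection version can be restored by index. The sample document and the "encrypted" overwrite are constructed.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def backup_file(src, store):
    """Store src content-addressed and append its digest to the file's version history.
    Blobs are never overwritten, so backing up a damaged copy cannot destroy a good one."""
    data = Path(src).read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    blob = Path(store) / "blobs" / digest
    blob.parent.mkdir(parents=True, exist_ok=True)
    if not blob.exists():
        blob.write_bytes(data)
    history = Path(store) / "history" / (Path(src).name + ".log")
    history.parent.mkdir(parents=True, exist_ok=True)
    with open(history, "a") as f:
        f.write(f"{time.time_ns()} {digest}\n")  # one line per backup run, oldest first
    return digest


def versions(store, name):
    """Digests of every stored version of the named file, oldest first."""
    history = Path(store) / "history" / (name + ".log")
    return [line.split()[1] for line in history.read_text().splitlines()]


def restore(store, name, dest, version_index=-1):
    """Copy the chosen version (default: newest) to dest and return its bytes."""
    digest = versions(store, name)[version_index]
    shutil.copyfile(Path(store) / "blobs" / digest, dest)
    return Path(dest).read_bytes()


def demo():
    """Day 1 backup, ransomware overwrite, day 2 backup, then restore both versions."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "backup"
        doc = Path(tmp) / "report.docx"
        original = b"Quarterly report (constructed sample document)"
        doc.write_bytes(original)
        backup_file(doc, store)                       # nightly run, day 1
        doc.write_bytes(b"\x8f\x12\xa4\xde\xad\xbe" * 8)  # constructed stand-in for ciphertext
        backup_file(doc, store)                       # nightly run, day 2: damaged copy stored too
        newest = restore(store, "report.docx", Path(tmp) / "newest.docx", -1)
        previous = restore(store, "report.docx", Path(tmp) / "previous.docx", -2)
        return newest == original, previous == original


if __name__ == "__main__":
    print(demo())  # newest version is the encrypted one; the previous version is intact
```

With a plain mirror the day 2 run would have overwritten the only copy; here the day 1 blob survives because nothing in the store is ever modified in place. Retention (how many versions, for how long) is the parameter to set against how long an infection could plausibly go unnoticed.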
 
So apparently it scans for document files and stuff like that (according to the video DieH@rd linked to), so...

WHAT IF:

You make custom extensions for your files, e.g.

A simple .bat file could be used to change any existing files' extensions.

Then choose the program to open it with. I don't know whether Crytolocker checks what files open with, it sounds like it just scans and encrypts various files with certain extensions.

That would theoretically work, but it would be ass to do it for every common extension you use. You could probably write a registry script to automate that process.
 
Well.. what would IT gaf do differently? Is there a way to guess nedry's magic word?
lots of people have already posted what is effective. Including locking app data folders down with GPO, security software on client and email, blocking shady websites, not allowing users to have admin rights.

Again, an honest to god actual police department got hit by this and paid the ransom.
And? I'm sorry if I don't think a local police department is the pinnacle of IT security. Their IT department deals with the same crap we all do, but probably worse since their budget is probably more limited by government.

lmao at the tons of people in this thread amazed that they even entertained the idea of paying. Newsflash, it's the only way of even having a chance of getting your shit back. The price is pretty low.
No it's not. Backups, backups, backups. Almost no one likes doing backups, but having good backups will save your ass.

Well, any competent IT department would be doing proper backups. Getting infected with this would be bad, but it would be just as bad as a hard drive (or RAID controller) failing on the file server, which could happen literally at any time. You might lose a day or two of work but the real wtf here is how many companies are still not running proper backups.
You'd be surprised.
Unfortunately, until recently backups were largely a manual process. With tapes, someone has to go put tapes in the drive, but we all get busy etc.

So now we are calling offsite backups cloud as well? That word is dead to me already.
we backup to azure so yea we call it cloud backup.
We also do tapes and send those offsite.

What's up with the surprise at paying?

Do you guys realise how much it would cost a business otherwise?

Yea it's stupid but you gotta do shit to minimise losses sometimes.
Do you realize a proper company that has an IT department should have a backup solution? Small companies, well, I suppose they will learn their lesson eventually.

Yep.

I think GAF just has a lot of disgruntled IT employees that hate their job. In the real world, nobody is getting fired for accidentally getting a virus.
Has nothing to do with being disgruntled. I quite enjoy my job. But since when has holding people responsible for their actions become a bad thing? We can tell users not to open shady emails, not to go to shady websites, not to go to porn sites till we're blue in the face, but when THEY break shit, it's always our fault.

Our SAN went down shortly after I started here; our vendor that was working on it forgot to add in the license key, and the SAN took down everything. Even though it wasn't his fault, my boss put in his resignation for the fuckup. It wasn't accepted, thankfully, as I think he is a good boss. But the point is he was willing to step up and take responsibility for what happened.
 
So the virus hits the users "My Documents" folder, which is roaming on the network. Since their files are roaming on the File server, every single file got hit. Everything was inaccessible, users couldn't even login since their "My Documents" amongst other folders were being redirected and now encrypted - errors everywhere.

I don't understand this bit. The virus encrypts this user's remote files. Why do other users' remote files get encrypted as well?
 
These people don't rest do they?

KjkJtoE.png

just got this one a min ago.
"checked by Panda Security" Go home Panda you're drunk.

this was a much more advanced version of the software called "crypto defense", it setup shop on one of our administrative assistant's computers. It encrypted one of the network shares on Friday when i caught it in the act. thank God. She was only connected to three network shares.
I take it you got hit by the fixed version of CryptoDefense (original version had the design flaw of leaving the keys behind, this fact was published and strangely enough the ransomware was fixed)
 
I don't understand this bit. The virus encrypts this user's remote files. Why do other users' remote files get encrypted as well?

shared drives.

It sounds like it goes through and tries every directory it can find and if the user has modify permissions on those files it then encrypts them, if they only have read or list then presumably it can't encrypt them. Which would be another point for best practices with user rights and permissions.
 
shared drives.

It sounds like it goes through and tries every directory it can find and if the user has modify permissions on those files it then encrypts them, if they only have read or list then presumably it can't encrypt them. Which would be another point for best practices with user rights and permissions.

So it requires that the infected user have write access on everyone else's files?

That seems like the biggest security flaw; even if your anti-virus is working properly, a disgruntled employee could do significant damage.
 
Hiding file endings is so stupid. I hate it.

Even if not for security (people could send PDFs that exploit Adobe Reader's weakness, or whatever), hiding file extensions should not be possible at all.

Showing file extensions really isn't much of a solution. Take a look at Microsoft's list of "high risk" file extensions (basically executables) on this page. There's so many that you can't really expect an ordinary user to remember them all.

And remember that this particular infection was caused by an Excel document. Any MS Office file can have arbitrary code in it. You're not going to be able to stop people from opening Office document attachments, and all it takes is someone opening one and clicking the "enable editing" and then "enable macros" to get infected. I've worked with a few people who have configured Excel to enable macros by default on every document, which really freaks me out.
 
So it requires that the infected user have write access on everyone else's files?

That seems like the biggest security flaw; even if your anti-virus is working properly, a disgruntled employee could do significant damage.

shared drives meaning like Accounting drive and HR Drive, typically a majority of people do have access to a majority of the files in these shared department drives.

I've never been somewhere where all employees had access to everyone's personal drive.

But yes, it is a security flaw. This is why when I disable user accounts, not only do I disable their account, I reset their password and remove them from all security groups.
 
Hiding file endings is so stupid. I hate it.

Even if not for security (people could send PDFs that exploit Adobe Reader's weakness, or whatever), hiding file extensions should not be possible at all.

ha, I was just bitching about this in the meeting I just came back from.
 
shared drives meaning like Accounting drive and HR Drive, typically a majority of people do have access to a majority of the files in these shared department drives.

I've never been somewhere where all employees had access to everyone's personal drive.

The guy I originally quoted before you responded to me was saying that people around his company could not log in because their personal My Documents folder was stored on a network drive and had been encrypted by the infected machine.
 
From the Wiki... You can really rack up several millions worth of untraceable dollars through bitcoin? wtf

They are not untraceable though.

Every bitcoin transaction is completely public, and you can easily trace back the source of funds.

Laundering BTC works the same as laundering real money, just the transaction fee is smaller and the cost to set up new 'accounts' (addresses) is free, so you can send it through more wash cycles.

On the other hand, the block chain is completely publicly available for anyone to data mine and discover your patterns of laundering if you are not very careful, as opposed to bank records, which actually requires law enforcement to do the work to get warrants and such.
 
They are not untraceable though.

Every bitcoin transaction is completely public, and you can easily trace back the source of funds.

Laundering BTC works the same as laundering real money, just the transaction fee is smaller and the cost to set up new 'accounts' (addresses) is free, so you can send it through more wash cycles.

On the other hand, the block chain is completely publicly available for anyone to data mine and discover your patterns of laundering if you are not very careful, as opposed to bank records, which actually requires law enforcement to do the work to get warrants and such.

Wow, what a necro bump. I thought this thing was happening all over again, but nope. I've not seen another case like this lately though. I'm curious if anyone has found a way around this by now.
 