
Cryptolocker virus

There has recently been a very large number of emails sent out to people across the UK containing an attachment that, if opened, will begin to encrypt the contents of your PC and anything attached to it. You are then given a limited amount of time to pay the ransom to unlock your files or they become lost forever.


(ANOTHER GOOD REASON TO BACK UP REGULARLY)

These emails mostly pose as coming from banks and other financial institutions, but you should always be wary of any attachment that you were not expecting, even if it appears to be from someone you know. Check the wording of any suspicious email closely and, if in doubt, ask the sender to confirm its authenticity; do not be ashamed to do this.

Although the anti-virus that checks your incoming email should catch this you should never assume that all email is clean.


New variants of viruses are coming out daily (sometimes tens per day) and anti-virus software can't always catch the latest versions.

http://www.bbc.co.uk/news/technology-24964426

Comments

  • paddyrg
    paddyrg Posts: 13,543 Forumite
    When backing up it is crucial that you unplug the external drive you backed up to immediately after you finish - cryptolocker will enumerate all drive letters and lock your backups if the backup drive is still plugged in/turned on.
  • 50Twuncle
    50Twuncle Posts: 10,763 Forumite
    Part of the Furniture 1,000 Posts Photogenic Name Dropper
    I still see people without any antivirus at all on their PCs - that's just inviting trouble ....
  • espresso
    espresso Posts: 16,448 Forumite
    Part of the Furniture 10,000 Posts Combo Breaker
    Anti-virus is not the answer when you have idiot users who will open any attachment, click on any link etc!

    PICNIC "Problem In Chair Not In Computer"
    :doh: Blue text on this forum usually signifies hyperlinks, so click on them!..:wall:
  • 50Twuncle
    50Twuncle Posts: 10,763 Forumite
    Part of the Furniture 1,000 Posts Photogenic Name Dropper
    The infamous Cryptolocker malware, which encrypts your computer files and demands a payment of £534 ($860) to unlock them, may have been sent to "tens of millions" of Brits, Blighty's crime-busters warned today.
    According to an alert from the UK National Crime Agency (NCA), a fresh round of ransomware-loaded spam posing as bank notices has been sent out, with small and medium-sized businesses targeted in particular. The messages, described as a "significant risk", carry booby-trapped attachments and claim to be official documents from financial institutions.


    Lurking within the attachments is a Trojan called Cryptolocker that, when executed, silently installs itself and quietly begins encrypting documents one by one on the Windows PC using tough-as-nails AES256. When it's finished, it demands a ransom payment of 2 Bitcoins (at least 500 quid or 800 bucks) to decrypt the data, which must be paid within a time limit.
    The software nasty is particularly fiendish: The malware first contacts its master's control server, which generates a new public-private 2048-bit RSA cryptographic key pair and sends the public half to the malware.
    Then for every file discovered on the computer, Cryptolocker generates a new 256-bit key and uses it to encrypt that document using the virtually unbreakable AES256 algorithm. That AES key is then encrypted using the RSA public key and stored with the obfuscated document.
    Only when the victim pays up does the Trojan download the private half of the RSA key, which is used to decrypt the per-file AES keys and ultimately restore all the protected documents. Targeted files include anything with .doc, .docx, .xls, .xlsx, .ppt, .pptx, .dwg, .dxf, .dxg and .jpg extensions and plenty more.
    Users are urged to maintain regular backups of their data, kept separate from their computers, as the encryption is essentially uncrackable, and consider using tools to thwart the software nasty. The Trojan infects systems running Windows 8, Windows 7, Vista, and XP.
    "The emails may be sent out to tens of millions of UK customers, but appear to be targeting small and medium businesses in particular," the UK's NCA said.
    "This spamming event is assessed as a significant risk."
    Cryptolocker's operators are also apparently developing a keen sense of economic opportunism, upping their Bitcoin demands at a time when the digital currency's exchange rate has never been higher.
    While authorities have yet to finger any suspects behind the Cryptolocker epidemic, the NCA believes the operation is the work of a tech-savvy crime ring.
    "The NCA are actively pursuing organized crime groups committing this type of crime," said Les Miles, deputy head of the NCA's National Cyber Crime Unit.
    "We are working in cooperation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public."
    In addition to installing and updating trusted security software, users and administrators can protect against infections by using best practices (read: common sense) such as avoiding links and attachments from unknown or suspicious sources and scanning all attached files for malware.
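The hybrid scheme the quoted article describes (a fresh AES-256 key for every file, wrapped with a 2048-bit RSA public key whose private half stays on the operator's server) can be shown end to end in a few dozen lines. The Go program below is an added example written for this thread, not code from the article, the NCA or the malware itself. It works on in-memory byte strings rather than files, and it uses AES-GCM and RSA-OAEP because the article names only "AES256" and "2048-bit RSA", not the mode or padding; those choices are assumptions. Nothing in it walks a disk or contacts a server.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Locked is what the scheme leaves behind for one document: the content under a
// fresh AES-256 key, and that key wrapped with the operator's RSA public key.
type Locked struct {
	WrappedKey []byte // per-file AES-256 key, RSA-OAEP encrypted to the public key
	Nonce      []byte // AES-GCM nonce (assumption: the post does not name the AES mode)
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lockFile encrypts one document with a random per-file key and wraps that key
// under pub. Only the public half is needed, so this side runs offline.
func lockFile(pub *rsa.PublicKey, plaintext []byte) (*Locked, error) {
	kn := make([]byte, 32+12) // fresh 256-bit key plus 96-bit GCM nonce per file
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	fileKey, nonce := kn[:32], kn[32:]
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &Locked{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// unlockFile is the recovery step: unwrap the per-file key with the RSA private
// key, then decrypt. Any other private key fails at the unwrap.
func unlockFile(priv *rsa.PrivateKey, l *Locked) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// demo walks the exchange end to end: a 2048-bit pair generated server-side, two
// documents locked with the public half, recovery only with the private half.
func demo() error {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	docs := [][]byte{[]byte("constructed sample: accounts.xlsx"), []byte("constructed sample: holiday.jpg")}
	var locked []*Locked
	for _, d := range docs {
		l, err := lockFile(&serverKey.PublicKey, d)
		if err != nil {
			return err
		}
		locked = append(locked, l)
	}
	if bytes.Equal(locked[0].WrappedKey, locked[1].WrappedKey) {
		return fmt.Errorf("each file must get its own key")
	}
	for i, l := range locked {
		got, err := unlockFile(serverKey, l)
		if err != nil || !bytes.Equal(got, docs[i]) {
			return fmt.Errorf("recovery with the right private key failed for file %d", i)
		}
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048) // anyone without the operator's key
	if err != nil {
		return err
	}
	if _, err := unlockFile(stranger, locked[0]); err == nil {
		return fmt.Errorf("unlock with the wrong private key must fail")
	}
	return nil
}

func main() {
	fmt.Println("scheme check:", demo()) // nil when every step behaved as the scheme requires
}
```

The two points the article makes fall straight out of the code: every document gets its own random key, so recovering one file's key helps with no other file, and recovery depends entirely on a private key that never exists on the victim's machine. That is why a disconnected backup, not decryption, is the realistic way back.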
  • 50Twuncle
    50Twuncle Posts: 10,763 Forumite
    Part of the Furniture 1,000 Posts Photogenic Name Dropper
    I was sent two unexpected emails from Nat West today
    (I do not and never have banked with Nat West)
    both had attachments - so they were both sent to email heaven by webmail!
  • espresso
    espresso Posts: 16,448 Forumite
    Part of the Furniture 10,000 Posts Combo Breaker
    50Twuncle wrote: »
    The infamous Cryptolocker malware, which encrypts your computer files and demands a payment of £534 ($860) ..................

    Have you learnt how to copy and paste today!

    Forum rules state that you should post a link to info and not copy it from other sources e.g. here
    :doh: Blue text on this forum usually signifies hyperlinks, so click on them!..:wall:
  • forgotmyname
    forgotmyname Posts: 32,946 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    edited 18 November 2013 at 5:30PM
    Same here, I had a NatWest email. Not with them either.

    It had an attachment. I opened the email on my phone so no issues.

    I wonder if the email was random or whether they got it from somewhere. Normally I get these on my spam account.
    But this one is one i use for shops etc.

    Toolstation, Screwfix, Camping and caravan club, Jackson camping, Orange, Money Saving Expert, Excalibur Computer Fairs, Scan, Vodafone, Pub Carvery.

    Any links to match anyone else who also had the Natwest email?


    OK, I downloaded the file for you all. It's an HTML file and runs a script on a website:

    shevchenko.pro
    rbsg_script.js
    SpryValidationTextField.js

    Also in the file...
    totalsystemservices.112.2o7.net
    omniture.com


    Also mentions cardservices.natwest.com, not sure if that's genuine. Displays whilst it runs the script, maybe?

    Unless you want to risk your computer DO NOT VISIT THOSE SITES.
    Censorship Reigns Supreme in Troll City...
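The safe way to do what forgotmyname did (look inside the attachment without rendering it and list what it points at) is to treat the file as text and pattern-match it. The Go program below is an added example for this thread, not a tool from the page. sampleLure is a constructed HTML file that reuses the script and host names the post lists; how those sat in the real attachment is not on the page, so the layout is an assumption. The code extracts src/href/action targets and any bare hostnames in script or comments, and never fetches anything.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// sampleLure is a constructed stand-in for the attachment: the script and host
// names are the ones listed in the post, but how they sat in the real file is
// not on the page, so this layout is an assumption made for the example.
const sampleLure = `<!DOCTYPE html>
<html><head><meta charset="utf-8">
<script src="http://shevchenko.pro/rbsg_script.js"></script>
<script src="SpryValidationTextField.js"></script>
</head><body>
<!-- trackingServer = "totalsystemservices.112.2o7.net"; see omniture.com -->
<p>Please review the attached statement from NatWest Card Services.</p>
<form action="https://cardservices.natwest.com/login" method="post">
<input name="user"><input name="pass" type="password">
</form></body></html>`

// attrRef matches the attributes a lure uses to load remote code or send form
// data somewhere. The file is pattern-matched, never rendered: nothing is
// fetched and no script runs.
var attrRef = regexp.MustCompile(`(?i)\b(src|href|action)\s*=\s*["']([^"'\s>]+)`)

// bareHost picks up hostnames that sit in script or comments rather than in an
// attribute, e.g. a tracking server assigned in JavaScript.
var bareHost = regexp.MustCompile(`(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b`)

// Filenames such as foo.js look like hostnames to bareHost. Assumption: a short
// skip list of extensions is enough for an attachment this small.
var notHosts = []string{".js", ".css", ".htm", ".html"}

// Reference is one place the attachment points at.
type Reference struct {
	Attr  string // src, href or action
	Host  string // empty for a relative reference
	Value string
}

// references returns every src/href/action value in order, with the host split
// out so remote references stand apart from relative ones.
func references(html string) []Reference {
	var refs []Reference
	for _, m := range attrRef.FindAllStringSubmatch(html, -1) {
		host := ""
		if u, err := url.Parse(m[2]); err == nil {
			host = strings.ToLower(u.Hostname())
		}
		refs = append(refs, Reference{Attr: strings.ToLower(m[1]), Host: host, Value: m[2]})
	}
	return refs
}

// hosts returns the sorted, de-duplicated hostnames the attachment mentions
// anywhere: attribute URLs plus bare names in script or comments. This is the
// list to check against reputation data, not to visit.
func hosts(html string) []string {
	set := map[string]bool{}
	for _, r := range references(html) {
		if r.Host != "" {
			set[r.Host] = true
		}
	}
next:
	for _, h := range bareHost.FindAllString(html, -1) {
		h = strings.ToLower(h)
		for _, ext := range notHosts {
			if strings.HasSuffix(h, ext) {
				continue next
			}
		}
		set[h] = true
	}
	out := make([]string, 0, len(set))
	for h := range set {
		out = append(out, h)
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, r := range references(sampleLure) {
		fmt.Printf("%-6s host=%-32q %s\n", r.Attr, r.Host, r.Value)
	}
	fmt.Println("hosts to look up, not visit:", strings.Join(hosts(sampleLure), ", "))
}
```

Run it on a saved attachment by replacing sampleLure with the file's contents; the output is a list of hosts to feed to a reputation lookup or block list. A remote src with a host that has nothing to do with the bank the mail claims to be from, next to a form posting credentials to a bank-looking name, is exactly the pattern the post describes.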

  • Deneb
    Deneb Posts: 420 Forumite
    Part of the Furniture 100 Posts
    I have CryptoPrevent and HitmanPro.alert with Cryptoguard both running very nicely together and alongside my normal AV and MBAM on my local network with no discernible issues. CryptoPrevent is freeware if you don't mind manually checking for and applying updates, or you can get the automated version for $15 US. HitmanPro.alert is freeware and currently in beta, but very stable on my machines.

    http://krebsonsecurity.com/tag/cryptoprevent/

    http://www.foolishit.com/vb6-projects/cryptoprevent/

    http://www.surfright.nl/en/cryptoguard
  • Johnmcl7
    Johnmcl7 Posts: 2,842 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    The news outlets have been very slow in picking this up as this malware has been in the wild for over two months now. The following topic is a very good source of information on the malware:

    http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/

    The e-mail format has changed a few times, so far the fake mails have been US orientated or very general. The current mails are using an encrypted zip file (with the password in the mail body) in an attempt to bypass AV scanners:

    http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/?p=3210453

    I'm surprised the malware has managed to spread as far as it has as I've found mail systems to be very restrictive on sending exes, even within an encrypted zip file but it appears some companies do allow zips and exes.

    The worrying part is that this is only the first wave. The current virus is relatively straightforward in that it relies on the user executing the file within the attachment, and it runs from the user profile, only requiring write access to the files to encrypt them. With the success it's had, it's likely it will become more advanced and start using browser exploits or unpatched Windows vulnerabilities to spread itself.

    John
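A mail gateway can act on both of Johnmcl7's points without opening the archive: the zip central directory carries a per-entry "encrypted" flag alongside the entry names, so a password-protected entry or an executable is visible even when the bytes themselves cannot be scanned. The Go program below is an added example for this thread, not any product's filter; the blocked-extension list and the reject policy are the example's own assumptions, and because the standard library cannot write encrypted entries the sample sets the encryption flag bit by hand to simulate one.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// flagEncrypted is bit 0 of a zip entry's general-purpose flags: set when the
// entry is password-protected, and readable from the central directory.
const flagEncrypted = 0x1

// blockedExt lists extensions a mail gateway would refuse inside an archive.
// Assumption: the list is the example's own, not any product's.
var blockedExt = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true,
	".bat": true, ".cmd": true, ".js": true, ".vbs": true,
}

type Finding struct {
	Name      string
	Encrypted bool
	Blocked   bool
}

// inspectZip reads only the central directory, extracting nothing, and reports
// each entry's name, whether it is encrypted and whether its extension is blocked.
func inspectZip(data []byte) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, f := range r.File {
		out = append(out, Finding{
			Name:      f.Name,
			Encrypted: f.Flags&flagEncrypted != 0,
			Blocked:   blockedExt[strings.ToLower(path.Ext(f.Name))],
		})
	}
	return out, nil
}

// shouldReject applies the gateway policy: an archive is refused if any entry
// is an executable, or is password-protected and so cannot be scanned at all.
func shouldReject(findings []Finding) (bool, string) {
	for _, f := range findings {
		switch {
		case f.Encrypted:
			return true, "encrypted entry " + f.Name + " cannot be scanned"
		case f.Blocked:
			return true, "executable entry " + f.Name
		}
	}
	return false, ""
}

// buildSample makes an in-memory zip with one placeholder entry. archive/zip
// cannot write encrypted entries, so for encrypted == true it sets the encryption
// bit in the local and central headers after writing, which is all the flag-based
// check needs. The payload is constructed text, not a real binary.
func buildSample(name string, encrypted bool) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	fw, err := w.Create(name)
	if err != nil {
		return nil, err
	}
	if _, err := fw.Write([]byte("constructed placeholder for " + name)); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	data := buf.Bytes()
	if encrypted {
		// local header "PK\x03\x04": flags at offset 6; central "PK\x01\x02": flags at offset 8
		data[bytes.Index(data, []byte("PK\x03\x04"))+6] |= flagEncrypted
		data[bytes.LastIndex(data, []byte("PK\x01\x02"))+8] |= flagEncrypted
	}
	return data, nil
}

func main() {
	for name, enc := range map[string]bool{"Invoice_2013.pdf.exe": false, "statement.doc": true, "statement.pdf": false} {
		data, err := buildSample(name, enc)
		if err != nil {
			panic(err)
		}
		findings, err := inspectZip(data)
		if err != nil {
			panic(err)
		}
		reject, why := shouldReject(findings)
		fmt.Printf("%-22s reject=%-5t %s\n", name, reject, why)
	}
}
```

The policy is deliberately blunt: if the gateway cannot see inside an entry it refuses the whole archive rather than hoping the user's AV catches it later, which is the gap the password-in-the-body trick relies on.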
  • forgotmyname
    forgotmyname Posts: 32,946 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Mine was a HTML file.
    Censorship Reigns Supreme in Troll City...
