User has CryptoLocker Trojan


Dave Schwartz
02-25-2016, 12:13 PM
Because of the severity of a CryptoLocker infection, I want to share the story of what happened yesterday.

CryptoLocker is "ransomware" that holds your files hostage until you pay a ransom. While (apparently) there is a removal program for the infection, there is ABSOLUTELY NO WAY TO GET YOUR FILES BACK WITHOUT PAYING.

Read about CryptoLocker here: https://en.wikipedia.org/wiki/CryptoLocker


And my sources tell me that 80% of the time they take your money and never provide the decryption key!

Now, probably you tech-savvy guys already know this but for the less technically endowed, I am hoping that this message could be a wake up call.

About 9:15am I saw that 2 files had been added to my DropBox. (Just coincidentally I was watching the screen at the time.) Because it is rare for people to add files to my DropBox without me expecting it, I took a look.

What I found was 2 files:

1. _Lockey.txt
2. File with a long, encrypted name.

Immediately I began running around yanking power plugs from computers.

Then I called my tech guy and we went through a harrowing 4 hours or so.

In my system, DropBox is on an external drive, accessed by every computer, so my natural conclusion was that we had been infected and that it had spread through the entire network.

At the end of the day NONE of our machines were infected, but we got a lesson on how this works and how it presents.

The sequence of events was this:
1. One of our users got INFECTED.
This means that he actually has the Trojan.
(Note: It is a Trojan rather than a virus, but for practical purposes, the words are interchangeable.)

2. Some of his files became ENCRYPTED.
This means that many of his files had been encrypted with a password so that the only way they could be opened would be to have the encryption code.
(Note: This is a Windows function that allows files to be protected from being viewed.)

This manifests itself by changing the name of the file to a long string of characters like mdjagwe54kew98 (much longer than this). The extension or file type shows as "Lockey."

Thus, not only are the files locked, but in addition, you cannot tell which files are which!

3. Key point here: His files were ENCRYPTED but not INFECTED!
The infection is passed (usually) via email or some other "standard" virus transmission method.

4. Since our entire HSH group shares a folder on DropBox, those files were ENCRYPTED, and shared across about 75-100 computer shares!

(Note: My initial thought was, "All of those people have been infected," but if you are following the principle of ENCRYPTION-versus-INFECTION, you know this wasn't true. Also note that I was helpless to contact anyone. I had no internet and most of my telephone numbers were locked up in the computer.)

5. Interestingly enough, this user and I share another folder, common just to the 2 of us. No files in that folder were encrypted, although I believe that given time they would have been.
(Note: It does take time for CryptoLocker to do its work. Although it is fast, most computers have a LOT of files.)

6. My next step was to take that external drive to my tech guy. He analyzed it using an air-gapped computer (i.e. one that is not connected to the web or network). Just to be on the safe side, he also did a virus check of the drive, which turned up nothing.

So, at the end of the day, all was well - except for the original infectee.


The Reason I Wrote This
The reason I wrote this is that we immediately went into our Disaster Recovery Plan. (Yes, we have one of those.)

We are always completely backed up. We also have data backups offsite at all times.

Real tragedy is the test of any Disaster Recovery Plan. This was ours. While the drive was being analyzed, and our computers were shut down, we took out our disaster plan and - of course - found some holes. I suggest that you do the same.



Kind Regards,
Dave Schwartz

ThinkingAlways
02-25-2016, 03:21 PM
Sorry to hear, Dave. I've "been there, done that." Backups are your best bet here but there are some other things you can do to prevent infections.

PaceAdvantage
02-25-2016, 03:32 PM
Dave, don't take this the wrong way...but you seem to have WAY more than your fair share of "incidents" concerning your IT infrastructure. I know you outsource a lot...perhaps it's time to review said outsourcing and see if they aren't the real problem here.

whodoyoulike
02-25-2016, 05:42 PM
Thanks for the info and I really appreciate the heads up.

Sort of related, I'm so afraid of opening email attachments from acquaintances that most of the time I don't. Sometimes, I'm concerned about referenced links, i.e., on this site and other similar sites.

I take it, the Trojan can access your computer(s) only if you open the email?

So, how could you be infected if you didn't open his email or email link?

Dave Schwartz
02-25-2016, 05:50 PM
PA,

I think you've missed the point. This was not ME. This was one of my users. My security was never threatened, although it was a little unnerving because, like most people, I didn't understand how CryptoLocker works until it was too late.


I was simply offering a heads up for people to be aware of the issue.

Dave Schwartz
02-25-2016, 06:16 PM
Dang, Editing timed out with interruption before I could post. Trying again.

PA,

I think you've missed the point. This was not ME. This was one of my users. My security was never threatened, although it was a little unnerving because, like most people, I didn't understand how CryptoLocker worked until I was staring it in the face.

I was simply offering a heads up for people to be aware of the issue.

I am of the opinion that this Trojan is going to be hitting a lot more people than it is currently, so eventually almost everyone has the capability of being infected.

And do not expect your anti-virus software to prevent it. What they call "Zero-Day" versions of a virus will get past everything until a few are discovered, the signatures recognized, and the new virus definitions distributed. Having the CryptoLocker signature from last month's version just may not do much for you.

For us, this was a serious wake up call. Don't get me wrong... we are completely backed up. My security expert said that if you are using an automated offsite back up, you can wake up one day and find that you've been uploading encrypted files for several weeks.

This means your backups are as worthless as the encrypted files!

Our approach has always been to upload parts of backups manually. Now I know to search for encrypted files. (We keep about a year of weekly offsite backups.)

Our Disaster Recovery Program was fine, except we left out one small item: No working computer! If they're all infected, then we'll have to take at least one down to a reformatted hard drive and install from scratch.

Next week we will dedicate one computer to being COMPLETELY air-gapped. It will only go on the web once per month for updates, and new software installations. Before it connects to the network and internet, all other devices will be disconnected.

This is, to my knowledge, the only way to guarantee that we will always have a safe computer to be up and running in the case of a true emergency.

BTW, we implemented a system about 15 months ago where all our data is stored on a single external hard drive, mapped to by the other computers. The idea is that if that single computer ever fails I can be up and running simply by:

1. Connecting the external drive to a new computer.
2. Sharing it.
3. Re-mapping each computer that needs access.

We've had to do this twice because of small computer issues. In both cases the entire network was back in full operation inside of 20 minutes.



I am open to suggestions and commentary, especially from people with real security knowledge.
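The "search for encrypted files" step above, worked out as an added example (this is not the poster's own script). It scans a backup generation or the shared drive for the three signs this thread describes: the ransom note dropped into folders, data files renamed to a random string with the ransomware's extension, and ordinary documents whose bytes have been replaced by ciphertext. Assumptions: the note name (_Lockey.txt) and extension (.lockey) are as reported in the thread and are parameters you can change for another family; the $PlainTypes list holds formats that never approach 8 bits per byte unless encrypted (compressed formats such as .docx, .zip and .jpg are deliberately left out); the backup path in the usage lines is a placeholder.

```powershell
# Added example, not the poster's code. Finds ransomware artifacts in a
# folder tree so a backup set can be checked before an older one is rotated out.
# Assumed indicators: note name _Lockey.txt, extension .lockey (as reported).

function Get-ShannonEntropy {
    # Bits per byte of a buffer: near 8.0 for ciphertext or compressed data,
    # roughly 4 to 6 for text and uncompressed office documents.
    param([byte[]] $Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Find-RansomwareArtifacts {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string]   $NotePattern  = '_Lockey.txt',   # ransom note dropped in each folder (wildcards allowed)
        [string]   $Extension    = '.lockey',       # extension given to encrypted files
        [string[]] $PlainTypes   = @('.txt', '.csv', '.log', '.rtf', '.doc', '.xls', '.htm', '.html', '.xml', '.sql'),
        [double]   $EntropyLimit = 7.5,
        [int]      $SampleBytes  = 65536
    )
    foreach ($f in Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue) {
        $reason  = $null
        $entropy = $null
        if ($f.Name -like $NotePattern) {
            $reason = 'ransom note'
        }
        elseif ($f.Extension -ieq $Extension -and $f.BaseName -match '^[0-9A-Za-z-]{16,}$') {
            $reason = 'renamed and encrypted file'
        }
        elseif ($PlainTypes -contains $f.Extension.ToLower() -and $f.Length -gt 1024) {
            # Sample the first $SampleBytes: a .txt or .doc this random is
            # ciphertext no matter what its name says.
            $stream = [System.IO.File]::OpenRead($f.FullName)
            try {
                $buf = New-Object byte[] ([int][Math]::Min($SampleBytes, $f.Length))
                $n = $stream.Read($buf, 0, $buf.Length)
            } finally { $stream.Dispose() }
            [Array]::Resize([ref] $buf, $n)
            $e = Get-ShannonEntropy -Bytes $buf
            if ($e -ge $EntropyLimit) { $reason = 'high entropy'; $entropy = [Math]::Round($e, 2) }
        }
        if ($reason) {
            [pscustomobject]@{ Reason = $reason; Entropy = $entropy; Modified = $f.LastWriteTime; Path = $f.FullName }
        }
    }
}

# Usage (placeholder path): run against each backup generation; the oldest
# hit tells you which earlier generation is the last clean one to restore from.
$hits = Find-RansomwareArtifacts -Path 'E:\Backups\2016-02-21'
$hits | Group-Object Reason | Select-Object Count, Name
$hits | Sort-Object Modified | Select-Object -First 5 Modified, Reason, Path
```

The entropy test is a heuristic: password-protected archives and documents with large embedded images can also score high, so treat those hits as something to look at rather than proof. The name and note checks are the reliable ones, and running the function over every weekly backup in turn is what answers the question raised above of how long encrypted files have been flowing into the offsite copies.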

ThinkingAlways
02-25-2016, 07:03 PM
A good thing to do is to block binaries from running in %APPDATA% and %TEMP% paths. Most of the crypto stuff uses them. Now, this might cause some other practical issues but life is full of trade-offs.

Other good, in general, things to do: block all tor access, block/strip .exe and .zip files at your email gateway, block RDP sessions.

And, of course: keep systems patched and restrict users from running as an admin.
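The "%APPDATA% and %TEMP%" advice above, implemented as an added example (this is not the poster's script or any product's code) using Windows Software Restriction Policy (SRP) path rules written to the local-policy registry keys. Assumptions: it is run from an elevated PowerShell on Windows 7 or later; the registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer is the one the Local Security Policy editor writes (subkey 0 = Disallowed, 262144 = Unrestricted); the Dropbox exception paths are examples of per-user software to check against your own installs.

```powershell
# Added example, not the poster's code: SRP path rules that stop programs
# starting from the per-user profile folders where droppers unpack.
# Assumed: elevated PowerShell, Windows 7+, standard Safer registry layout.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP expands %AppData% and friends for the user launching the program,
# so one machine-wide rule covers every profile on the PC.
$DenyPaths = @(
    '%AppData%\*.exe',      '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
    '%Temp%\*.exe',         '%Temp%\*\*.exe',
    '%Temp%\Rar*\*.exe',    '%Temp%\7z*\*.exe',     # archive tools extract here
    '%Temp%\wz*\*.exe',     '%Temp%\*.zip\*.exe'
)
# Per-user software you rely on. The Dropbox client installs under
# %AppData%\Dropbox, so it needs an exception; a more specific path rule
# wins over a less specific one. Verify the paths on your own machines.
$AllowPaths = @(
    '%AppData%\Dropbox\bin\*.exe',
    '%AppData%\Dropbox\Update\*.exe'
)

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('Disallowed', 'Unrestricted')] [string] $Level,
        [string] $Description = 'Added by anti-ransomware SRP script'
    )
    $levelId = if ($Level -eq 'Disallowed') { 0 } else { 262144 }
    # Each rule is its own GUID-named key. Running this twice adds duplicates,
    # so remove "$Safer\0\Paths" and "$Safer\262144\Paths" before re-applying.
    $key = Join-Path $Safer "$levelId\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'     -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key -Name 'Description'  -Value $Description -PropertyType String       | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord | Out-Null
}

function Get-SrpPathRule {
    # Lists the rules as stored (unexpanded) so you can confirm what was written.
    foreach ($levelId in 0, 262144) {
        $paths = Join-Path $Safer "$levelId\Paths"
        if (-not (Test-Path $paths)) { continue }
        $levelName = if ($levelId -eq 0) { 'Disallowed' } else { 'Unrestricted' }
        foreach ($rule in Get-ChildItem -Path $paths) {
            [pscustomobject]@{
                Level = $levelName
                Path  = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            }
        }
    }
}

# Policy-wide settings: everything allowed by default, rules enforced for all
# users including administrators, applied to executables but not DLLs.
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name 'DefaultLevel'        -Value 262144 -Type DWord
Set-ItemProperty -Path $Safer -Name 'TransparentEnabled'  -Value 1      -Type DWord   # 2 would include DLLs
Set-ItemProperty -Path $Safer -Name 'PolicyScope'         -Value 0      -Type DWord   # 1 = exempt local admins
Set-ItemProperty -Path $Safer -Name 'AuthenticodeEnabled' -Value 0      -Type DWord
# File types SRP treats as executable: the default list plus the script
# types, since the script hosts ask SRP for a verdict before running a file.
Set-ItemProperty -Path $Safer -Name 'ExecutableTypes' -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
    'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
    'SCR','SHS','URL','VB','WSC','JS','JSE','VBS','VBE','WSF','WSH','PS1'
)

foreach ($p in $DenyPaths)  { Add-SrpPathRule -Path $p -Level Disallowed   -Description 'No executables from user-writable profile paths' }
foreach ($p in $AllowPaths) { Add-SrpPathRule -Path $p -Level Unrestricted -Description 'Exception for known-good per-user software' }
Get-SrpPathRule | Format-Table -AutoSize
```

To check it took effect, log off and on again, copy notepad.exe into %AppData% and try to start it; Windows should refuse with a "blocked by group policy" message and log a SoftwareRestrictionPolicies event in the Application log. This is where the trade-offs the post mentions show up: per-user installers and updaters that live in AppData stop working until you add an exception, and path rules only cover the listed locations and file types, so they raise the bar for the common droppers rather than replacing an allow-list of approved software.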

PaceAdvantage
02-26-2016, 09:56 AM
PA,

I think you've missed the point. This was not ME. This was one of my users.

Dave, I understood perfectly, as I read your entire post closely, and I've read up on these encryption hijackers in the past.

Note that I used the word "incident" which includes all sorts of things...I never wrote or implied your systems actually became infected or hijacked via encryption.

Dave Schwartz
02-26-2016, 11:28 AM
Dave, I understood perfectly, as I read your entire post closely, and I've read up on these encryption hijackers in the past.

Note that I used the word "incident" which includes all sorts of things...I never wrote or implied your systems actually became infected or hijacked via encryption.

but you seem to have WAY more than your fair share of "incidents" concerning your IT infrastructure.

It sure sounds to me like you said it was "my incident."

PaceAdvantage
02-28-2016, 07:01 PM
It sure sounds to me like you said it was "my incident."

Well, when you go around frantically pulling the plugs on your PCs to disconnect yourself from the outside world, as you said you did, that to me qualifies as an "incident."

But let's not quibble on the small stuff.

Hoofless_Wonder
02-29-2016, 06:04 AM
A good thing to do is to block binaries from running in %APPDATA% and %TEMP% paths. Most of the crypto stuff uses them. Now, this might cause some other practical issues but life is full of trade-offs.

Other good, in general, things to do: block all tor access, block/strip .exe and .zip files at your email gateway, block RDP sessions.

And, of course: keep systems patched and restrict users from running as an admin.

There are tradeoffs, that's for sure. I've found Windows is difficult to keep secure without becoming unusable, though Windows 10 (so far) seems to have improved the experience. A couple of other suggestions would be to run on a VM when browsing the net, or switch to Linux unless Windows is needed for programming or software purposes. Also, use a backup method/tool with versioning, to allow more choices when restoring.

I can't emphasize enough the need to test your D/R plan. I make a living with Backup/Recovery and Disaster/Recovery work, and it amazes me how unprotected much of the corporate data out there really is - and problems with viruses, trojans, hardware failures and user errors are going to be with us for a long time to come. Consumers need to be aware of these issues as well - it doesn't take owning a PC for very long to usually have some valuable data on it.

Just this past week one of my teammates asked about the Cryptolocker - one of our customers (Health Care) had a system that was compromised, and encrypted files were backed up, overwriting some valid unencrypted versions. Other files that had been renamed were now marked as deleted, but were restorable. A pretty big mess.

Hoofless_Wonder
02-29-2016, 06:16 AM
Thanks for the info and I really appreciate the heads up.

Sort of related, I'm so afraid of opening email attachments from acquaintances most of the times I don't. Sometimes, I'm concerned about referenced links i.e., on this site and other similar sites.

I take it, the Trojan can access your computer(s) only if you open the email?

So, how could you be infected if you didn't open his email or email link?

While it appears the trojan referenced in Dave's link gains access most often by clicking to open email attachments, the Wikipedia write-up also mentions it spreading via botnets, which implies other viruses are used. I know that just clicking on an ad on a web page can cause infections, and certainly games, bad links and even being on the network at all can cause problems. Therefore having an "air-gapped" machine is not a bad idea for critical operations with data you don't want compromised or if a "clean" backup machine is needed.

I only see security issues persisting, and potentially getting worse, but I'm not a SME in that area. But I do have a good series of backups, plan on standing up a stand-alone machine and am very careful with copying data around on USB drives....

spiketoo
03-04-2016, 10:05 AM
Check out foolishit.com (it's actually "foolish it"; funny looking when I just type the URL).

Been using the free version since Day 1. Just paid for auto updates as this becomes more prevalent, though honestly there isn't a whole lot to update.

As always, YMMV.