Anyone else have to deal with this yet? http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/
There is no guarantee that they will unlock your drive if you pay them either.
YIKES! Encountered Cryptolocker this morning in one of the offices I service. NASTY!! Someone sent her a link for a gospel song and one click later, her files are being encrypted and a ransom screen pops up. It was super easy to remove the actual virus from the machine, but the data files are still encrypted. I think I have an Easy Transfer file for her from back in August, so at least she won't lose more than two months of work.
Of course she did not have a recent back-up and even if she did, I am not sure it would have helped as this thing encrypted files on the office NAS where the back-ups are stored as well. I am taking this as a lesson learned for all of us and will be much more diligent with off-line back-ups just in case!
I've always been curious about that. I wonder if they do what they say they will. Good business, and smart economics dictates they unlock the files, but some people are dumb as bricks.
Somebody really smart is behind this.
Dealing with this this morning. Restoring 2.7TB from backups. An administrative user got the virus, and that user basically had mapped every storage drive so he could help any user quickly. We had warned him about such a practice a while back, but apparently it was never dealt with. So it encrypted 75% of the drives.
It's a difficult situation. Seeing as he is employed as an admin, taking away admin rights effectively means he gets the boot. He is obviously trying his best to meet the ever-increasing needs of the people that need his help.
DAMN! After the restore, do you just plan to wipe out this user's machine and lock them down more (maybe take away admin rights?)
I'm also wondering if AV software should block this by now?
It's a difficult situation. Seeing as he is employed as an admin, taking away admin rights effectively means he gets the boot. He is obviously trying his best to meet the ever-increasing needs of the people that need his help.
From the post by heymrdj it seems like he was one of few doing it and that he was given a "heads up", but I don't see it as a massive mistake.
Unfortunately these things happen. I don't think I would call it a mega f*ck on the admin's part. Sure, he should have been more careful while this virus is loose, but I mean these things happen. Thankfully a cold backup was available for a restore!
Yeah they do happen unfortunately.
Do you know the attack vector? If it was an email attachment is it possible to block those on the perimeter?
Wow, just saw this one for the first time today. Been a long time since a virus has been destructive. They've all been annoyances for the last 10 years. This changes everything... because this will be copied and used with every exploit found in the future...
Where's the web address for cryptolocker? I don't see it.
You have to find the daily Command and Control server.
You got it right. He is an admin, basically the onsite IT coordinator/trainer/front line guy. We are the outside engineering/consulting/IT Management firm. He and I work as a unit, as with contracts this big I'd be constantly filtering printer calls and phone issues instead of working on server upgrades, system efficiency analysis, etc., etc. He's a crucial first contact, and an actual employee of the location, so he's the liaison between his company and my company.
He won't be "punished" in any way (like removing admin privileges or mapped drives). He needs that stuff to do his job. Like you said, this is just an unfortunate situation. But I have long prepared for situations like these, and the plan of action has been followed to a T. Critical users were restored within 2 hours this morning, with them being back up to 100% by end of day tomorrow (which is pretty good from 3TB of deduplicated backups). At this point 0 data was lost. We kept good hot backups and cold backups, and in this case thank god for cold backups.
Came in as a false UPS link. He got trigger happy. He was waiting on a RED overnight hard drive shipment for a SAN that was flaking out.
That's my worry. I have my contracts basically at threatcon red. Critical file backups are taken every hour. Full backups are run every night, with verifies happening at noon and at end of the full backup. Virus scans run on the arrays and RDS servers every night. I just wonder if we'll ever leave red....
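Two points in this thread are worth turning into a concrete check: the NAS that held the backups got encrypted along with everything else, and the "verifies at noon" step in the hourly/nightly regimen above. The following is an added example, not code from anyone in the thread: a small Python verify step that compares a share against the manifest taken at the last good backup and flags a mass change of files whose new content looks encrypted (high byte entropy), so the alert fires before the next backup rotation overwrites the good copies. The entropy cutoff (7.5 bits/byte) and the alert ratio (25% of the baseline) are assumed tuning values, and the demo builds its own constructed file tree in a temp directory.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256; files on a share can be large."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root.
    In practice this is saved alongside each backup run."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext, typically 3-6 for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def likely_encrypted(path: Path, threshold: float = 7.5) -> bool:
    """Assumed heuristic: sample the first 64 KiB and test its entropy.
    Very small files are skipped because their entropy is not meaningful."""
    with path.open("rb") as f:
        sample = f.read(65536)
    return len(sample) >= 256 and shannon_entropy(sample) > threshold


def compare_manifests(old: dict, new: dict) -> dict:
    """Split the baseline into changed, missing and newly added paths."""
    return {
        "changed": [p for p in old if p in new and old[p] != new[p]],
        "missing": [p for p in old if p not in new],
        "added": [p for p in new if p not in old],
    }


def assess_share(root: Path, baseline: dict, max_change_ratio: float = 0.25) -> dict:
    """Verify step: rehash the share, then alert if the fraction of baseline
    files rewritten with high-entropy content exceeds the assumed ratio.
    A legitimately edited document changes hash but stays low-entropy."""
    diff = compare_manifests(baseline, build_manifest(root))
    suspect = [p for p in diff["changed"] if likely_encrypted(root / p)]
    ratio = len(suspect) / max(len(baseline), 1)
    return {**diff, "high_entropy_changed": suspect, "alert": ratio >= max_change_ratio}


def demo() -> dict:
    """Constructed scenario: four office documents, a baseline manifest, then
    three files rewritten with random bytes (standing in for ciphertext) and
    one file edited normally. Returns the assessment for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("budget.csv", "memo.txt", "minutes.txt", "notes.txt"):
            (root / name).write_text(f"{name}: quarterly figures line\n" * 40)
        baseline = build_manifest(root)
        for name in ("budget.csv", "memo.txt", "minutes.txt"):
            (root / name).write_bytes(os.urandom(4096))   # simulated encrypted content
        with (root / "notes.txt").open("a") as f:
            f.write("one more ordinary line\n")            # legitimate edit
        return assess_share(root, baseline)


if __name__ == "__main__":
    result = demo()
    print("changed:", result["changed"])
    print("high-entropy:", result["high_entropy_changed"])
    print("ALERT" if result["alert"] else "ok")
```

Run as a scheduled verify against the live share with the manifest from the most recent good backup; if it alerts, hold the rotation so the cold copy is not overwritten with encrypted data. Four changed files show up in the demo, but only the three random-byte rewrites are counted toward the alert; the appended text file is a normal edit and is not flagged.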
I probably don't fully understand the setup here, but in my opinion, no employee should have local (or god forbid, domain) admin rights on their workstation with their normal domain login account. A separate domain account should be used for any administrative work that needs to be done. In addition, an identity based web proxy should also be in place to prevent a support person using admin credentials from being able to connect to the Internet.
It is definitely less efficient to run this way, but over the long haul I think less time is spent cleaning up malware infections and it is possible to better isolate critical systems and data.
Just my $.02.