Cryptolocker


KeithP

Diamond Member
Jun 15, 2000
5,664
201
106
Microsoft Security Essentials definitely does not block this virus yet.

...reminds me to update to the most current version of kaspersky on my own computer...

I might be wrong, but while Kaspersky will remove the infection from a system it will not prevent it from being infected and it will not, of course, decrypt any affected files.

-KeithP
 

heymrdj

Diamond Member
May 28, 2007
3,999
63
91
I might be wrong, but while Kaspersky will remove the infection from a system it will not prevent it from being infected and it will not, of course, decrypt any affected files.

-KeithP

This is correct. Microsoft Security Essentials and Forefront (managed through SCCM 2012 datacenter) will do the same. At this point, as far as I've read, *nothing* prevents this virus, only removes it.
 

MustISO

Lifer
Oct 9, 1999
11,927
12
81
We've seen it at 3 or 4 sites. Always hits to shares the user has access to. We've just restored from backup but it's a pain at larger sites. In the cases where we can track the attack point it was an email. The files will have the ownership changed so it's easy to see who's infected.
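Added example (not from MustISO's post): a PowerShell function that turns the ownership observation above into a check. It walks a share, takes files written in the last few hours, and groups them by NTFS owner, so one account owning a burst of recent writes across many folders points at the infected user. The share path, time window and threshold are assumptions; ownership only changes when a file is recreated rather than rewritten in place, which is what the reports in this thread describe.

```powershell
function Find-RecentModifiedByOwner {
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. \\fileserver\projects (assumed)
        [int] $Hours    = 24,                    # look-back window
        [int] $MinFiles = 50                     # ignore owners with only a handful of edits
    )
    $since = (Get-Date).AddHours(-$Hours)

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            # Get-Acl is a round trip per file, so it is only done for recent files.
            # -LiteralPath keeps names containing [ ] from being treated as wildcards.
            $owner = try { (Get-Acl -LiteralPath $_.FullName).Owner } catch { 'unknown' }
            [pscustomobject]@{
                Owner    = $owner
                File     = $_.FullName
                Dir      = $_.DirectoryName
                Modified = $_.LastWriteTime
            }
        } |
        Group-Object -Property Owner |
        Where-Object Count -ge $MinFiles |
        ForEach-Object {
            # Per owner: how many files, how many distinct folders, and the
            # time span of the writes (an encryption run shows as a tight burst).
            [pscustomobject]@{
                Owner      = $_.Name
                Files      = $_.Count
                Folders    = @($_.Group.Dir | Sort-Object -Unique).Count
                FirstWrite = ($_.Group.Modified | Measure-Object -Minimum).Minimum
                LastWrite  = ($_.Group.Modified | Measure-Object -Maximum).Maximum
            }
        } |
        Sort-Object -Property Files -Descending
}

# Usage (path is an assumption): list the accounts behind the most recent writes.
Find-RecentModifiedByOwner -Path '\\fileserver\projects' -Hours 12 | Format-Table -AutoSize
```

The same listing also tells you which folders to restore from backup, since every file in the output was touched inside the window.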
 

blankslate

Diamond Member
Jun 16, 2008
8,756
543
126
Here is the bleeping computer FAQ on the virus
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent


Looks like they're keeping it updated. Has good information about attack vectors and how editing the group policy for Windows versions that have access to it can prevent the virus from encrypting files.

However it is expected that new variants will render the group policy changes currently mentioned in the FAQ obsolete.

How do you become infected with CryptoLocker

This infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails would contain a zip attachment that when opened would infect the computer.

These zip files contain executables that are disguised as PDF files as they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show extensions by default, they look like normal PDF files and people open them.


How to prevent your computer from becoming infected by CryptoLocker

You can use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths. For more information on how to configure Software Restriction Policies, please see these articles from MS:

http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx

The file paths that have been used by this infection and its droppers are:

C:\Users\<User>\AppData\Local\<random>.exe (Vista/7/8)
C:\Documents and Settings\<User>\Application Data\<random>.exe (XP)
C:\Documents and Settings\<User>\Local Application Data\<random>.exe (XP)

In order to block the CryptoLocker and Zbot infections you want to create Path Rules so that they are not allowed to execute. To create these Software Restriction Policies, you can either use the CryptoPrevent tool or add the policies manually. Both methods are described below.

Hope this helps anyone looking at this thread for the first time.



Edited to add:

Found

http://www.foolishit.com/vb6-projects/cryptoprevent/

Anyone know if it works and is it legit?

Looks like the tool that bleepingcomputer mentions in their FAQ.



Also the SHA hash is provided for the file so you can check that way to make sure the download you get is the one the author wrote.



Hope this helps.
 
Last edited:
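As an added example (not from the thread or the bleepingcomputer FAQ), here is a PowerShell script that writes the same kind of Disallowed path rules into the local Software Restriction Policy registry keys for the %AppData% and %LocalAppData% trees the FAQ names. The SRP registry layout (CodeIdentifiers, level 0 = Disallowed, 0x40000 = Unrestricted) is the standard one; the rule descriptions and GUIDs are generated here, and the script assumes Vista/7/8 with local policy rather than a domain GPO, run from an elevated prompt.

```powershell
# Run elevated. Local SRP lives under this key; level 0 = Disallowed.
$saferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $saferRoot '0\Paths'

# Patterns covering the FAQ's dropper locations: *.exe directly in, and one
# folder below, each AppData tree. Environment-variable form makes one rule
# apply to every user profile.
$blockedPaths = @(
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
    '%AppData%\*.exe',      '%AppData%\*\*.exe'
)

function Get-SrpPathRule {
    # Enumerates existing Disallowed path rules (each is a GUID-named subkey).
    Get-ChildItem -Path $disallowed -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Rule = $_.PSChildName; Path = $p.ItemData; Description = $p.Description }
    }
}

function New-SrpPathRule {
    param([Parameter(Mandatory)] [string] $Path,
          [string] $Description = 'Block executables in user profile (CryptoLocker dropper paths)')
    # Constructed GUID for the new rule key.
    $ruleKey = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData is REG_EXPAND_SZ so %AppData% expands per user at logon.
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    $ruleKey
}

# Enable SRP with an Unrestricted default so only the explicit rules block,
# apply it to all users including local admins (PolicyScope 0), and check
# all files except DLLs (TransparentEnabled 1).
if (-not (Test-Path $saferRoot)) { New-Item -Path $saferRoot -Force | Out-Null }
Set-ItemProperty -Path $saferRoot -Name 'DefaultLevel'       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $saferRoot -Name 'TransparentEnabled' -Value 1       -Type DWord
Set-ItemProperty -Path $saferRoot -Name 'PolicyScope'        -Value 0       -Type DWord

# Idempotent: skip patterns that already have a rule.
$existing = @(Get-SrpPathRule | Select-Object -ExpandProperty Path)
foreach ($pattern in $blockedPaths) {
    if ($existing -contains $pattern) { continue }
    New-SrpPathRule -Path $pattern | Out-Null
}
Get-SrpPathRule | Format-Table -AutoSize
```

The rules apply to new process launches after a policy refresh (gpupdate /force or a logoff); as posters here note, legitimate software that runs from %AppData% (Java updaters, game clients) will be blocked too and needs its own Unrestricted rule.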

fleshconsumed

Diamond Member
Feb 21, 2002
6,486
2,363
136
Damn... We've received a warning email from our IT staff about the virus, but I only read the bleepingcomputer article just now. I've been really cautious about the viruses in the last 5-7 years and have been lucky to stay "clean" for all these years, but I don't do daily backups, so if I got infected I'd probably have no choice but to fork up the $100/300. Unfortunately it looks like Cryptolocker creators realized the gold mine they're sitting on and upped the decryption price to 10 bitcoins or about $2000, and that's a steep price to pay to get your stuff back.

I have a few network drives mapped at home, it's mainly for convenience, not because I need it that way, looks like I'll be unmapping those when I get home, can't be too careful. I will also be adding restriction policies just in case. Sigh... And yes, now that somebody has done it once, it will be repeated over and over again. I totally foresee a ticking timebomb variation of this in the future where the virus silently installs itself, and then activates itself all over across the globe on a certain time and date.

On the bright side, now I have a valid excuse for not giving out write privileges to everybody in the house.

Why does life have to be so complicated?

P.S. Is there any technical reason why the Cryptolocker cannot encrypt UNC shares that it has write privileges to? In other words if I unmap my network shares on the client, but leave those shares available through UNC to anyone on the network, are they truly safe? Or can future Cryptolocker versions potentially encrypt UNC shares as well?
 
Last edited:

Chiefcrowe

Diamond Member
Sep 15, 2008
5,053
196
116
Thanks everyone for posting the SRP info and other details.

So if I enable SRP as a local policy on my workstation, how can I test it out to see if it is working as expected?
 

postmortemIA

Diamond Member
Jul 11, 2006
7,721
40
91
Thanks everyone for posting the SRP info and other details.

So if I enable SRP as a local policy on my workstation, how can I test it out to see if it is working as expected?

Ran an .exe from restricted directory. It will give error message + log in system log.
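Added example (not from postmortemIA's post): a PowerShell version of the test described above. It copies a harmless built-in binary into %LocalAppData%, tries to launch it, then reads back the Software Restriction Policies block events from the Application log. The provider name and event IDs (865 default level, 866 path rule, 867 certificate rule, 868 network zone rule, 882 hash rule) are the ones Windows writes for SRP; the probe file name and the look-back window are assumptions.

```powershell
# Run as the standard user whose launches the rule should block (not elevated).
$srpEventIds = @{ 865 = 'default level'; 866 = 'path rule'; 867 = 'certificate rule'
                  868 = 'network zone rule'; 882 = 'hash rule' }

function Test-SrpPathRule {
    # Puts a known-good executable where the rule applies and tries to start it.
    # With the rule in effect the launch fails at process creation and Windows
    # logs event 866 to the Application log.
    $probe = Join-Path $env:LOCALAPPDATA 'srp-probe.exe'   # constructed name
    Copy-Item -Path "$env:SystemRoot\System32\notepad.exe" -Destination $probe -Force
    try {
        Start-Process -FilePath $probe -ErrorAction Stop
        [pscustomobject]@{ Blocked = $false; Detail = 'probe started: rule is NOT in effect' }
    } catch {
        [pscustomobject]@{ Blocked = $true;  Detail = $_.Exception.Message }
    } finally {
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
    }
}

function Get-SrpBlockEvent {
    param([int] $Hours = 1)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'SoftwareRestrictionPolicies'
        Id           = [int[]] @($srpEventIds.Keys)
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        # The message reads "Access to <file> has been restricted by your Administrator ...";
        # pull out the blocked file and fall back to the whole message if the format differs.
        $file = if ($evt.Message -match 'Access to (.+?) has been restricted') { $Matches[1] } else { $evt.Message }
        # UserId is the SID of the account that tried to run it; translate when possible.
        $who  = try { $evt.UserId.Translate([Security.Principal.NTAccount]).Value } catch { "$($evt.UserId)" }
        [pscustomobject]@{ Time = $evt.TimeCreated; User = $who; Rule = $srpEventIds[$evt.Id]; File = $file }
    }
}

Test-SrpPathRule
Start-Sleep -Seconds 2            # give the event log a moment to catch up
Get-SrpBlockEvent | Sort-Object -Property Time -Descending | Format-Table -AutoSize
```

Get-SrpBlockEvent on its own is also a cheap way to spot a user repeatedly hitting the rule, which is what an attachment-driven infection attempt looks like once the rules are in place.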
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,053
196
116
Cool, thanks. I had a feeling that would do the trick.

edit -
Tested it out and it seems to work pretty well!
 
Last edited:

KillerBee

Golden Member
Jul 2, 2010
1,750
82
91
Also the SHA hash is provided for the file so you can check that way to make sure the download you get is the one the author wrote.

Weird - I tried downloading the QuickHash tool from their site
and Avast alerted on it

URL: http://www.foolishit.com/download/quickhash/|QuickHa...
Infection: Win32:Evo-gen [Susp]

Avast has been oversensitive in the past and it could be a false positive
Has anyone else got an alert on it?
 

SOFTengCOMPelec

Platinum Member
May 9, 2013
2,417
75
91
Weird - I tried downloading the QuickHash tool from their site
and Avast alerted on it

URL: http://www.foolishit.com/download/quickhash/|QuickHa...
Infection: Win32:Evo-gen [Susp]

Avast has been oversensitive in the past and it could be a false positive
Has anyone else got an alert on it?

If I try and go near that page (your full link seems to be corrupted or something), I also get an AVAST alert, even before I try to see the download page. (The warning is the same message as you got).

Further investigation found THIS webpage on that site which explains about the false AV detection issues, copied below :-
Bad A/V


Anti-Virus software isn't just a pain in the ass for PC users and techs alike, but it can also cause major headaches for small developers. Compound aggressive and sloppy heuristics with the fact that my software in particular is very powerful and has many capabilities – for both good and evil so to speak – and you can easily realize that my software is a natural target for many A/V engines.

If you are receiving a detection, I encourage you to fill out a false positive submission with the vendor, via the software if possible or the website if not. Likewise I will do the same – in some cases an A/V vendor will have a special submission form for software developers. The more people we get filing false positives, the better the odds are of getting these detections removed/whitelisted. Below is a list of A/V vendors / links to their false positive submission forms:

Avast (email only)
AVG (20MB file limit, else use this email and compress it with a password.)
Avira (or this email)
Bitdefender (or this email)
ClamAV (or this email; uses Immunet Protect definitions)
Comodo (or this email)
Emsisoft (email only)
Kaspersky (or this email)
McAfee (email only)
Microsoft Security Essentials (or this email – good luck – major waste of time!)
NOD32 (email only)
Panda (or this email)
Sophos (or this email)
Symantec
Trend Micro
Vipre (or this email)
If your product is not listed here, a more comprehensive list with links is available on techsupportalert.com here.
If you need to report a new detection to me, please use the contact form below. I will need details on the specific A/V and definitions version, and which components were detected and under what detection name, in order to successfully submit false positive reports with the vendor. If you do not have them, then please do NOT submit this form until you do. Note also that it is critical to report the A/V brand, version and definitions version, and detection name given — the A/V vendors ALWAYS ask for this information and rarely help if you don't have it.
 
Last edited:

KillerBee

Golden Member
Jul 2, 2010
1,750
82
91
http://www.foolishit.com/vb6-projects/quickhash/

Ran a couple online scanners on it and so far they all say it's safe
so most likely it's a false positive for Avast

www.avg.com.au/resources/web-page-scanner/
urlQuery.net
www.webinspector.com/
sitecheck.sucuri.net

Then downloaded and ran Linux clamscan on the QuickHash.zip file and it says safe

PS This site looks pretty cool for scanning: result was Detection ratio: 0 / 50
https://www.virustotal.com/
but for some reason they don't post Avast results(shown below)

=================================================
VirusTotal
URL: http://www.foolishit.com/vb6-projects/quickhash/
Detection ratio: 0 / 50
Analysis date: 2013-11-05 20:11:34 UTC ( 1 hour, 8 minutes ago )

URL Scanner Result
ADMINUSLabs Clean site
AegisLab WebGuard Clean site
AlienVault Clean site
Antiy-AVL Clean site
AutoShun Unrated site
Avira Clean site
BitDefender Clean site
C-SIRT Clean site
CLEAN MX Clean site
Comodo Site Inspector Clean site
CyberCrime Clean site
Dr.Web Clean site
ESET Clean site
Emsisoft Clean site
Fortinet Unrated site
G-Data Clean site
Google Safebrowsing Clean site
K7AntiVirus Clean site
Kaspersky Clean site
Malc0de Database Clean site
Malekal Clean site
Malware Domain Blocklist Clean site
MalwareDomainList Clean site
MalwarePatrol Clean site
Malwarebytes hpHosts Clean site
Malwared Clean site
Netcraft Unrated site
Opera Clean site
PalevoTracker Clean site
ParetoLogic Clean site
Phishtank Clean site
Quttera Clean site
SCUMWARE.org Clean site
SecureBrain Clean site
Sophos Unrated site
SpyEyeTracker Clean site
StopBadware Unrated site
Sucuri SiteCheck Clean site
ThreatHive Clean site
TrendMicro Clean site
URLQuery Unrated site
VX Vault Clean site
WOT Clean site
Websense ThreatSeeker Clean site
Webutation Suspicious site
Wepawet Unrated site
Yandex Safebrowsing Clean site
ZDB Zeus Clean site
ZeusTracker Clean site
zvelo Clean site
 
Last edited:

blankslate

Diamond Member
Jun 16, 2008
8,756
543
126
If you're really concerned about the hash checker they link try a different one.

I downloaded multihasher portable from softpedia.com

and scanned it thrice before using it.

It does MD5, SHA-1, SHA-256 & SHA-512 hash checking.
 

avos

Member
Jan 21, 2013
74
0
0
I had a client get a variant of it last week. There was no ransom request anywhere though. It made pretty quick work of their public network shares. Luckily this is a client that we had just setup a Datto backup device with. Which made it dead simple to get them back up and running quickly.

The client was running a fully patched AVG 2012 and it missed this new variant. They also were behind Sonicwall's gateway AV and that missed it as well.

We ended up applying group policy to heavily restrict where files can execute from. This is probably the smart move anyhow, though we are still finding small issues with this with certain software that executes from %APPDATA%. Things like java updates.

Just removing local pc admin rights isn't enough for malware like this.
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
Another client got hit with it today making this number three in a month. The two XP boxes users ended up paying the ransom but the Windows 8 box had backups. I've been deploying Cryptoprevent and HitmanPro Alert with Cryptoguard quite a bit...

edit- LOL police department pays ransom. I've also read of police departments thinking they'll shut down the operation by finding the IP of the command center server and shutting it down, condemning data from being decrypted because the private keys are stored on those servers. Cops and Cryptolocker don't mix...

I've deployed the Cryptolocker Prevention kit via group policy onto a server with clients that have been infected twice. I'll let you guys know how it works out...
 
Last edited:

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I just go with full-blown SRP, fully audited to eliminate all loopholes. For my environments (home and SOHO), that works with just a few gotchas. Both Steam and Origin won't work with their loopholes closed, unless I elevate them to run when I want them to run. While that's not ideal, in that it hands them more privilege than I'd like, it's my solution for now.

Those interested in setting up SRP and closing the remaining loopholes, here ya go: http://www.mechbgon.com/srp If you use a Home version of Windows, you won't have a Local Group Policy and will have to settle for Family Safety whitelisting with a Standard User account.

Tangentially, set your UAC to "Always Notify" to eliminate an escalation-of-privilege issue that might be used against you. ZeroAccess was known for using it.
 

John Connor

Lifer
Nov 30, 2012
22,757
618
121
So far the only protection I rely on is NoScript for Firefox and Pale Moon, Bitdefender, updating plugins and not clicking on E-mails with attachments I know are suspect.

The question is, do anti-virus programs detect Cryptolocker before it encrypts your computer? Surely you would see some activity on your computer if Cryptolocker were to start encrypting your HDD.

Oh, one more protection. Comodo's firewall and its defense shield.
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
I just go with full-blown SRP, fully audited to eliminate all loopholes. For my environments (home and SOHO), that works with just a few gotchas. Both Steam and Origin won't work with their loopholes closed, unless I elevate them to run when I want them to run. While that's not ideal, in that it hands them more privilege than I'd like, it's my solution for now.

Those interested in setting up SRP and closing the remaining loopholes, here ya go: http://www.mechbgon.com/srp If you use a Home version of Windows, you won't have a Local Group Policy and will have to settle for Family Safety whitelisting with a Standard User account.

Tangentially, set your UAC to "Always Notify" to eliminate an escalation-of-privilege issue that might be used against you. ZeroAccess was known for using it.
That's really good to know, thank you!

So far the only protection I rely on is NoScript for Firefox and Pale Moon, Bitdefender, updating plugins and not clicking on E-mails with attachments I know are suspect.

The question is, do anti-virus programs detect Cryptolocker before it encrypts your computer? Surely you would see some activity on your computer if Cryptolocker were to start encrypting your HDD.

Oh, one more protection. Comodo's firewall and its defense shield.
As geeks we're automatically suspicious of e-mail links and attachments but we can't protect laymen from themselves LOL It seems like the cases of infection I've dealt with have come through those fake e-mails from the USPS or Fedex.

Unfortunately this will slip by 99% of real-time scanners and begin doing damage before the next scheduled/manual scan which will probably pick up the payload and remove Cryptolocker which actually complicates the decryption process because it has to be present on the system to decrypt. By far the scariest virus I've seen. Brilliant but scary as heck.

edit- Actually there is a small tool that is specifically designed to look for the behavior of CL and runs nicely alongside any AV: HitmanPro.Alert with Cryptoguard.
 
Last edited:

ringtail

Golden Member
Mar 10, 2012
1,030
34
91
Here's a concise, easy-to-read article by Susan Bradley that explains step by step how to use Software Restriction Policies to defend against cryptolocker:
link


Also, Kaspersky has this from Nov 2013:
http://support.kaspersky.com/viruses/disinfection/8005

and
from Aug 2013 Kaspersky also had 2 disinfection tools to download. I'm not sure if these tools were superseded by the newer Nov 2013 info above:


• http://media.kaspersky.com/utilities/Virus...stdecryptor.exe
• http://media.kaspersky.com/utilities/Virus...ordecryptor.exe
 
Last edited:

goobernoodles

Golden Member
Jun 5, 2005
1,820
2
81
A user of mine got hit with Cryptolocker a month or so ago. He called me up due to his computer being unusually slow and the loading/circle cursor wouldn't go away even after rebooting. Some random process was eating up 100% cpu. Popped open regedit and sure enough, Cryptolocker was sitting in the HKLM (or HKCU... I forget) run key. Luckily, it was one of our architects who had a ton of CAD files and old documents he transfers from computer to computer in C:\ACAD. This huge folder acted as a buffer that kept the network shares from getting hit.

Dodged a bullet on that one. I wasn't able to identify the source. Didn't see any bogus emails.
 