Hi Dirk and List,

FoolishIT has a locker that prevents CryptoLocker from running, called CryptoPrevent. It's a pretty nice little piece of code.

That said: Backups. If one hasn't learned to keep backups of files they care about by this point, CryptoLocker is probably a cheap lesson.

CryptoPrevent can be had free here: http://www.foolishit.com/vb6-projects/cryptoprevent/
The premium version offers auto-updating.

---
Jodie

Friday, November 15, 2013, 2:01:03 PM, you wrote:

> OT- Security Alert Issued- CryptoLocker Warning
>
> List, This is important because we don't need this infection within our list. Please read carefully. Thank you. Dirk Ross...Tokyo
>
> CryptoLocker Warning
>
> NEVER open attachments you are not expecting. Cryptolocker is a particularly bad nasty that you never want to see. Microsoft issued a critical alert about it, and today CERT issued a second alert. I've already had to deal with two small infestations at work, and every affected machine had to be wiped because this malware brings along a bunch of 'friends' to party on the infected machine.
>
> On Wednesday, Nov 13, 2013, at 15:55
>
>> Ghu knows I hate the "sky is falling" notes that say "Read This!!! Important!!!". Well, this actually IS a "Read This!!! Important!!!" I just got this from the folks that host my Citrix system. They are good (heck, my son worked for 'em for 5 years!). When they say "this is nasty" they know of what they speak. I was in Hot Springs, Arkansas, a couple of weeks ago talking with an IT guy. He was in the middle of rebuilding a customer's box that got hit. If you ARE hit, and you DON'T have appropriate backups, and you DON'T pay the ransom guys you are, to put it bluntly, screwed.
>>
>> Do NOT open an attachment you are unsure of, even if it comes from someone you trust. Emails can be spoofed.
>>
>> ==================================
>> CryptoLocker is Trojan horse malware which surfaced in late 2013, a form of ransomware targeting computers running Microsoft Windows. CryptoLocker disguises itself as a legitimate attachment; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid voucher) is made by a stated deadline, and says that the private key will be deleted and unavailable for recovery if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin.
>>
>> CryptoLocker typically propagates as an attachment to a seemingly innocuous e-mail (usually taking the appearance of a legitimate company e-mail), or from a botnet. The attached ZIP file contains an executable file with filename and icon disguised as a PDF file, taking advantage of Windows' default behaviour of hiding the extension from file names to disguise the real .EXE extension. Some instances may actually contain the Zeus trojan instead, which in turn installs CryptoLocker.[1][2] When first run, the payload installs itself in the Documents and Settings folder with a random name, and adds a key to the registry that causes it to run on startup. It then attempts to contact one of several designated command and control servers; once connected, the server then generates a 2048-bit RSA key pair, and sends the public key back to the infected computer.[1][3] The server may be a local proxy and go through others, frequently relocated in different countries to make tracing difficult.[4][5]
>>
>> The payload then proceeds to begin encrypting files across local hard drives and mapped network drives with the public key, and logs each file encrypted to a registry key. The process only encrypts data files with certain extensions, including Microsoft Office, OpenDocument, and other documents, pictures, and AutoCAD files.[2] The payload then displays a message informing the user that files have been encrypted, and demands a payment of 300 USD or Euro through an anonymous pre-paid cash voucher (i.e. MoneyPak or Ukash), or 2 Bitcoin in order to decrypt the files. The payment must be made within 72 or 100 hours, or else the private key on the server would be destroyed, and "nobody and never will be able to restore files."[1][3] Payment of the ransom allows the user to download the decryption program, which is pre-loaded with the user's private key.[1]
>>
>> In November 2013, the developers of CryptoLocker launched an online service which claims to allow users to decrypt their files without the CryptoLocker program, and to purchase the decryption key after the deadline expires; the process involves uploading an encrypted file to the malware site as a sample, and waiting for the service to find a match, which the site claims would occur within 24 hours. Once a match is found, the user can pay for the key online; if the 72-hour deadline has passed, the cost increases to 10 Bitcoin (which, in early November 2013, was valued at over $2000 USD).[6][7]
>>
>> Security software might not detect CryptoLocker, or detect it only after encryption is underway or complete. If an attack is suspected or detected in its early stages, it takes some time for encryption to take place; immediate removal of the malware (which itself is a relatively trivial process) would theoretically limit its damage to data.[8][9] Experts instead suggested precautionary measures, such as using software or other security policies to block the CryptoLocker payload from launching at all.
>> ==================================
>>
> ______________________________________________
> Visit the Archives at http://www.meteorite-list-archives.com
> Meteorite-list mailing list
> [email protected]
> http://six.pairlist.net/mailman/listinfo/meteorite-list

--
Best regards,
Jodie mailto:[email protected]
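The quoted description makes two defensive points concrete: the lure is a ZIP whose member is an executable hiding behind a document-looking name (Windows hides the real .EXE extension), and the recommended countermeasure is a policy that stops executables from launching out of user-writable profile folders such as Documents and Settings, which is what tools like CryptoPrevent enforce. The following Python script is an added example written for this page, not code from the thread, from FoolishIT or from any CryptoLocker sample; the ZIP it scans is constructed in memory, the extension lists and path markers are illustrative assumptions, and the function names are hypothetical.

```python
import io
import posixpath
import zipfile

# Extensions Windows will run directly. A document-style name in front of one
# of these is the disguise the thread describes (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def classify_name(name):
    """Return a reason if an archive member name looks like a disguised executable, else None."""
    base = posixpath.basename(name).lower()
    root, ext = posixpath.splitext(base)
    if ext not in EXECUTABLE_EXTS:
        return None
    _, inner_ext = posixpath.splitext(root)
    if inner_ext in DOCUMENT_EXTS:
        return "executable disguised as %s (%s)" % (inner_ext, ext)
    return "executable attachment (%s)" % ext


def scan_zip(data):
    """Scan an in-memory ZIP and return (member_name, reason) for suspicious members.

    Names are checked first; members with an innocent name are then sniffed for
    the PE magic 'MZ' so a renamed executable is still caught.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason is None:
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        reason = "PE executable with non-executable name"
            if reason:
                findings.append((info.filename, reason))
    return findings


def blocked_by_launch_policy(path):
    """Model of the 'block the payload from launching' policy the thread recommends.

    True when an executable would run from a user-writable profile location
    (the thread notes CryptoLocker installs itself under Documents and Settings
    with a random name). Path markers are an assumed, illustrative set.
    """
    p = path.replace("\\", "/").lower()
    _, ext = posixpath.splitext(p)
    if ext not in EXECUTABLE_EXTS:
        return False
    user_writable = ("/documents and settings/", "/appdata/", "/users/", "/temp/")
    return any(marker in p for marker in user_writable)


def build_sample_zip():
    """Constructed sample attachment for the demo; contains no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_Nov2013.pdf.exe", b"MZ" + b"\x00" * 30)  # hidden .exe
        zf.writestr("readme.txt", b"plain text, benign")
        zf.writestr("scan.pdf", b"MZ" + b"\x00" * 30)  # PE bytes behind a .pdf name
        zf.writestr("photo.jpg", b"\xff\xd8\xff" + b"\x00" * 10)
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_zip(build_sample_zip()):
        print("%s -> %s" % (name, why))
    sample = r"C:\Documents and Settings\user\Application Data\a1b2c3.exe"
    print("blocked:", blocked_by_launch_policy(sample))
```

The name check alone would miss a payload renamed to a plain document extension, which is why the content sniff is kept as a second pass; conversely the launch-location policy is independent of the attachment entirely, so even a lure that gets past mail filtering is stopped when the dropped binary tries to run from the profile folder. Both checks are cheap enough to run on every inbound archive.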

