It's called Cryptowall. One of my associates had this happen to his company. We had a discussion in one of our IT groups. Following is a description from the meeting:
CryptoWall attacked a Windows 7 machine behind a strong firewall on a member's network. It bypassed the anti-virus, which was up to date, and lay dormant for days before being noted. It infected local and mapped drives only. Malwarebytes was able to find and remove the infection but was not able to decrypt the already encrypted files. The anti-virus in use was Microsoft Security Essentials on Windows 7 and Microsoft Defender on Windows 8. CryptoWall appears to have been released into the wild on Sept 14th.

The backup files were stored "online" locally and also on mapped drives; the backup files were also encrypted and unusable. Offline backups are the only protection, and the member did not have them. They were able to purchase bitcoins and pay the ransom directly.

Bitcoins: one of our members recently purchased $500 US dollars' worth through a bank-machine-like physical device where you put in bills and it transfers bitcoins into your account. Bit Sent was the company that told them about the machines. Their listing at http://www.bitsent.ca/bitcoin-avm shows 2 devices, but the one in Guelph is closed; only the Mississauga device is in operation.

Alan Lukachko
[email protected]
Software Strategies
PO Box 265
Rockwood, ON N0B 2K0
Canada
(519) 856-0700

-----Original Message-----
From: ProfoxTech [mailto:[email protected]] On Behalf Of Paul Hill
Sent: Thursday, October 16, 2014 4:55 PM
To: [email protected]
Subject: Another ransomware Trojan infecting DBF files

Hi All,

Just a heads up. Today I was working with a customer that had corrupt DBF files. It was not possible to open the files in Fox ("not a dbf file"). Looking at the files in HxD (a very good free Windows hex editor) I could see that the contents were *totally* scrambled. In each file the first 16 bytes were the same. Luckily we had a backup from 03:00 in the morning (problem reported late afternoon).

My local contact reported: "on the c:\ root there was a file called 'decrypt instrutions.html'"

It's not CryptoLocker but something else. If I find out more I'll let you know!

--
Paul
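The symptoms Paul describes (tables that Fox rejects as "not a dbf file", contents that look random, the same first 16 bytes in every file) and Alan's point that backups on mapped drives were hit too can be turned into a quick triage check over a set of files. The script below is an added example, not code from the thread or from either poster. The file paths, the shared 16-byte marker, the 7.5 bits/byte entropy threshold and the loose ransom-note filename pattern are constructed assumptions for the demonstration, not a signature for any particular ransomware family.

```python
"""Triage DBF tables that may have been overwritten by file-encrypting ransomware.

Added example, not code from the ProFox thread. It checks the three symptoms the
thread describes: the file no longer carries a valid DBF header ("not a dbf
file"), its contents look random, and every scrambled file starts with the same
16 bytes. Paths, the 16-byte marker, the entropy threshold and the ransom-note
filename pattern are constructed assumptions, not a signature.
"""
import hashlib
import math
import re
import struct
from collections import Counter, defaultdict

# Version bytes commonly found at offset 0 of dBase / FoxPro tables.
KNOWN_DBF_VERSIONS = {0x02, 0x03, 0x30, 0x31, 0x32, 0x83, 0x8B, 0xF5}
FIELD_DESC_SIZE = 32
VFP_BACKLINK_SIZE = 263   # Visual FoxPro appends a database back-link to the header
HIGH_ENTROPY = 7.5        # assumption: bits/byte above which a file is treated as ciphertext
# Assumption: loose match for note names such as the "decrypt instrutions.html" in the thread.
RANSOM_NOTE_RE = re.compile(r"decrypt.*instru", re.IGNORECASE)


def parse_dbf_header(data: bytes):
    """Return the parsed header if data is a plausible DBF table, else None."""
    if len(data) < 32:
        return None
    version, yy, mm, dd, nrec, hdr_len, rec_len = struct.unpack_from("<4BIHH", data, 0)
    if version not in KNOWN_DBF_VERSIONS or not 1 <= mm <= 12 or not 1 <= dd <= 31:
        return None
    if hdr_len < 33 or rec_len < 1 or hdr_len > len(data):
        return None
    # Header layout: 32-byte prefix, n field descriptors, 0x0D terminator, optional VFP back-link.
    body = hdr_len - 33
    for extra in (0, VFP_BACKLINK_SIZE):
        if body - extra >= 0 and (body - extra) % FIELD_DESC_SIZE == 0:
            nfields = (body - extra) // FIELD_DESC_SIZE
            if data[32 + nfields * FIELD_DESC_SIZE] == 0x0D:
                return {"version": version, "date": (1900 + yy, mm, dd), "records": nrec,
                        "header_len": hdr_len, "record_len": rec_len, "fields": nfields}
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext sits close to 8, DBF data far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_ransom_notes(names):
    """Paths whose name matches the (assumed) ransom-note pattern."""
    return sorted(n for n in names if RANSOM_NOTE_RE.search(n))


def triage(files):
    """Classify every *.dbf in {path: bytes}; group ciphertext by its first 16 bytes."""
    verdicts, by_prefix = {}, defaultdict(list)
    for path, data in files.items():
        if not path.lower().endswith(".dbf"):
            continue
        if parse_dbf_header(data) is not None:
            verdicts[path] = "dbf-ok"
        elif shannon_entropy(data) > HIGH_ENTROPY:
            verdicts[path] = "not-dbf-high-entropy"   # consistent with encryption
            by_prefix[data[:16]].append(path)
        else:
            verdicts[path] = "not-dbf"                # corrupt or truncated, but not ciphertext
    groups = sorted(sorted(v) for v in by_prefix.values() if len(v) > 1)
    return {"verdicts": verdicts, "shared_prefix_groups": groups,
            "ransom_notes": find_ransom_notes(files)}


def build_sample_dbf() -> bytes:
    """Constructed dBase III table: one 10-char field NAME, two records, dated 2014-10-16."""
    header = struct.pack("<4BIHH", 0x03, 114, 10, 16, 2, 32 + FIELD_DESC_SIZE + 1, 11) + bytes(20)
    field = b"NAME".ljust(11, b"\0") + b"C" + bytes(4) + bytes([10, 0]) + bytes(14)
    records = b" " + b"ALICE".ljust(10) + b" " + b"BOB".ljust(10)
    return header + field + b"\x0D" + records + b"\x1A"


def pseudo_random(seed: bytes, n: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 counter stream) so the sample is reproducible."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))
    return out[:n]


def build_sample_files():
    """Constructed file set: a healthy table, two scrambled ones (local and mapped-drive backup),
    a truncated table, an unrelated text file and a ransom note."""
    marker = bytes.fromhex("5a3c9e1f00112233445566778899aabb")   # constructed shared 16-byte prefix
    return {
        r"C:\app\customers.dbf": build_sample_dbf(),
        r"C:\app\orders.dbf": marker + pseudo_random(b"orders", 4096),
        r"Z:\backup\customers.dbf": marker + pseudo_random(b"backup", 4096),
        r"C:\app\trunc.dbf": b"\x03" + bytes(10),
        r"C:\app\readme.txt": b"plain text notes\r\n" * 40,
        r"C:\decrypt instrutions.html": b"<html><body>constructed placeholder</body></html>",
    }


if __name__ == "__main__":
    result = triage(build_sample_files())
    for path, verdict in sorted(result["verdicts"].items()):
        print(f"{verdict:22s} {path}")
    print("shared 16-byte prefix:", result["shared_prefix_groups"])
    print("ransom notes:", result["ransom_notes"])
```

Run as-is it classifies the constructed set. On a real incident, replace build_sample_files() with a walk over the affected local and mapped drives; a shared-prefix group of high-entropy files is the set to restore from an offline backup rather than something to repair, and a high-entropy copy on a mapped backup share is exactly the case Alan describes, where the "backup" was reachable by the same malware.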

