Peter,
I've been using CryptoBlocker, which is supposed to block the methods
used by the Cryptolocker trojan. You can read about the methodology here...
https://www.foolishit.com/cryptoprevent-malware-prevention/
It looks good to me and I've been installing it on all of the systems I
manage for a couple of years now.
I did have 1 client who experienced an attack/infection, paid the ransom
and got his files back. I think it was $600 US. That's the first
encounter I've had with it and I came across CryptoBlocker -after- that
occurrence.
From what I could tell, the infection came from a zip-file attachment
sent to my client, supposedly by a business contact. As it turned out,
the website that the email originated from had been compromised and
actually was the source.
Since then, I send out a "do not open any email attachment" warning to
my clients about every 6 months. So far, knock on wood...
I hope this helps.
Mike Copeland
Peter Cushing wrote:
Hi,
We got hit with a cryptolocker/bitlocker attack last week. Fortunately
we have good backups so we were able to restore, although 3 GB of data
took some time to do.
What I want to do is go over what happened and see what approaches
other people have for these threats.
First thing we noticed was on Friday morning when somebody pointed out
that their files had been mashed. Here are a few examples of what the
files got changed to:
/data/admin/misc files/FACTORY INFORMATION/fnwih0ocf.hoo7
/data/admin/misc files/FACTORY INFORMATION/g99q1kfz5.p9k0
/data/admin/misc files/FACTORY INFORMATION/og0u9pb.0gd
/data/admin/misc files/FACTORY INFORMATION/tb4qz.775x0
/data/admin/misc files/FACTORY INFORMATION/znxis7hgu.k7h
/data/admin/misc files/fi19fgq2r.69t
/data/admin/misc files/fjs6r76n.8gup
/data/admin/misc files/h2c0ew6pr.1gpd
/data/admin/misc files/h8jgb.c4v9
/data/admin/misc files/Halls Fashion/535p0e.ugc5a
/data/admin/misc files/Halls Fashion/halorr3vet.s9
/data/admin/misc files/Halls Fashion/nbhqgk5.a8ihp
/data/admin/misc files/hs93hlb9.9p
/data/admin/misc files/hxplu62l.mc9
/data/admin/misc files/i4jden.y7kx7
/data/admin/misc files/jaiytu55s.w2
/data/admin/misc files/kmp49j76.4b
Looking at the logs we soon found which machine it was although that
person had gone home on the Thursday and was not due back until the
Tuesday.
Restored data and when the user got back we booted the machine up (not
connected to network!) and have since done scans using AVG,
SuperAntiSpyware, Avira, Spybot Search and Destroy, Kaspersky and
Malwarebytes and still found nothing. We don't know if the virus was
just memory resident or how it worked but obviously want to find out.
Scanned all his emails and nothing (his files stored in IMAP
folders). Nothing obvious in internet logs. Checked all processes
running, startup programs, network setup etc etc. We'll probably just
wipe the machine and start again but would be nice to know what happened.
Lately we have been getting more and more phishing emails from random
users (pretending to be say DHL or some other company) with say an
attachment invoicexxx.doc or perhaps .docx .xls etc (where xxx is a
random number) which will turn out to be infected but not at the time
the email was received. I.e. the virus is too new to be detected. We
have run lots of these through our own virus scanner (AVG) and say
https://www.virustotal.com/
and they have come up with nothing until hours later (which could be
too late). Some show infected a couple of hours later and some maybe
next day.
This latest development is very difficult to defend against if you
cannot scan the file and confirm it is infected. Our mail server has
AV software which scans files but didn't pick these up and even if
users are really conscientious and scan before opening it does not
show up as infected.
We have now started implementing a white list of people who can send
in invoicexxx.doc files. For anyone not on the list, the attachment
is removed and a message put in to inform the user.
We are now reviewing procedures to defend against a machine with admin
rights being infected.
What is important is to be able to detect ASAP when files are
starting to get renamed. I have just developed a standalone APP that
will scan network drives and look at file names. I got a list of
known extensions off the internet and put them in a table. The app
compares the file extension with the list and emails you anything
different. If these files are safe you can load them into an
exclusion table. If you run this regularly it should pick up these
names very quickly.
What other security approaches are you using?
TIA
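The scanner Peter describes (walk the network drives, compare each file's extension against a table of known extensions, e-mail anything that does not match, with an exclusion table for legitimate oddities) written out as an added example; this is not Peter's app or any code from the thread. The extension table and the sample paths are constructed here (the renamed names are the ones quoted in the post), and the e-mail sending step is left as the returned text body.

```python
import os
from collections import Counter

# Constructed allowlist; the real app loads its table of known extensions.
KNOWN_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt",
    ".csv", ".jpg", ".jpeg", ".png", ".gif", ".zip", ".dbf", ".fpt", ".cdx",
}

def flag_unknown_extensions(paths, known=KNOWN_EXTENSIONS, excluded=frozenset()):
    """Return the paths whose extension is neither known nor in the exclusion table.
    Extension-less files are ignored: the renamed files all carry a new suffix."""
    flagged = []
    for p in paths:
        ext = os.path.splitext(p)[1].lower()
        if not ext or ext in known or ext in excluded:
            continue
        flagged.append(p)
    return flagged

def scan_tree(root, known=KNOWN_EXTENSIONS, excluded=frozenset()):
    """Walk a share (or any directory) and return the flagged full paths."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return flag_unknown_extensions(found, known, excluded)

def summarise(flagged):
    """Count hits per directory so the alert shows where renaming is concentrated."""
    return dict(Counter(os.path.dirname(p) for p in flagged))

def alert_body(flagged):
    """Plain-text body for the alert e-mail; an empty string means nothing to report."""
    if not flagged:
        return ""
    lines = ["Files with unrecognised extensions found on the share:"]
    for d, n in sorted(summarise(flagged).items()):
        lines.append(f"  {d}: {n} file(s)")
    lines.extend(f"    {p}" for p in sorted(flagged))
    return "\n".join(lines)

# Constructed sample: renamed names quoted in the post mixed with normal files.
SAMPLE_PATHS = [
    "/data/admin/misc files/FACTORY INFORMATION/fnwih0ocf.hoo7",
    "/data/admin/misc files/FACTORY INFORMATION/report.docx",
    "/data/admin/misc files/Halls Fashion/535p0e.ugc5a",
    "/data/admin/misc files/Halls Fashion/orders.xls",
    "/data/admin/misc files/h8jgb.c4v9",
    "/data/admin/misc files/notes.txt",
    "/data/admin/misc files/README",
]

if __name__ == "__main__":
    print(alert_body(flag_unknown_extensions(SAMPLE_PATHS)))
```

Run it on a schedule against the share root with `scan_tree("/data")` and mail the body whenever it is non-empty; extensions that turn out to be legitimate go into the `excluded` set rather than the known table so they stay visible in the code.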
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]