Overclockers Australia Forums

Old 6th August 2014, 4:27 PM   #1
|Renegade| Thread Starter
Today, one of our network shares was hit by a new Cryptolocker variant

I thought I'd share this little story with the teams out there in Corporate IT land. May I hope that you avoid this issue entirely and that you catch it quicker than we could.

05-08-14 - 5:48pm - User reported to the IT Support desk that they were unable to access files within a folder under the shared drive. The user was quoted as saying "the folders and files all seem to look different". Despite this, it was treated as a general permissions issue and forwarded to the appropriate team.

During this time, the user who accidentally "activated" the ransomware left her machine on overnight. Worse still, our DAT update for McAfee was at the latest version; however, the signature of the file had changed slightly and was not detected.

06-08-14 - 6:38am - After hours on-call support received a call about a large amount of files and folders being inaccessible. Not a lot of detail.

06-08-14 - 8:05am - Located the affected folders and located the affected user by determining the username that created the affected files.

06-08-14 - 8:15am - Confirmed discovery when the user who opened the malware also had this html page on the network drive:

06-08-14 - 9:30am - Several meetings later, the business stakeholders are notified and the

06-08-14 - 4:00pm - most of the file shares have now been restored. One of the larger folders will need to continue late into the night.

The machine was immediately removed from the network.

We estimate that in the evening, approx. 9GB of documents and files were encrypted. By morning, we were facing a huge epidemic with about 90-100GB of data being completely encrypted.

By the time we had commenced the data roll-back, we had approx. 500,000 files affected. The total size is not known as we were on a closely monitored time frame. Needless to say, we had essentially lost a day's work.

Further investigation has determined that this was likely to be a new variant of Critroni, possibly only just created within the last 2 or 3 days.

Most of the Office 365 hosted email environments should already actively block this, but as you can see - this hasn't worked in this case.

Cause:
The user had received an email from Microsoft Quarantine advising of the email from "Australia Post".

By coincidence, the user was waiting for a package from Australia Post and was duped by the email. After entering a tracking ID into the website containing the malicious link from the email, a prompt was received and software was downloaded to the machine. Because McAfee did not detect the file or the site due to the change in the ransomware signature, it went bonkers.

Cryptolocker details - McAfee

Kaspersky Cryptolocker details

Australia Post Warnings - Computerworld


May you all avoid this mishap.

Last edited by |Renegade|; 8th August 2014 at 9:57 AM.
Old 6th August 2014, 4:58 PM   #2
Gunna

Bad situation to be in, sounds like you got hit pretty bad

Easily avoided by stopping exe files being run from %appdata%

Set exclusions for business apps that may run from this location.

Last edited by Gunna; 6th August 2014 at 5:02 PM.
Old 6th August 2014, 5:53 PM   #3
kombiman

How much were they asking for?
Old 6th August 2014, 6:32 PM   #4
|Renegade| Thread Starter

Quote (Originally Posted by Gunna):
Bad situation to be in, sounds like you got hit pretty bad

Easily avoided by stopping exe files being run from %appdata%

Set exclusions for business apps that may run from this location.
We're actually quite close to getting the appdata limited to business apps. I believe there are a few legacy apps that seem to go funky when we stop the appdata executables.

Quote (Originally Posted by kombiman):
How much were they asking for?
When it was checked early in the morning, it was the BitCoin equivalent of $462,000.
Old 6th August 2014, 6:42 PM   #5
Iceman

Had this problem about a month back. User stupidly opened something they shouldn't have. They let it encrypt their home and shared network drives.

2 things saved our arse.

1. Principle of least access
2. Hourly NAS based snapshots.

The trickiest thing to determine was exactly which files had been changed when considering which files to roll back. In the end we determined the particular user group hadn't done any work in that folder since COB so we just rolled the snap back for the half dozen shares they had access to.
Old 6th August 2014, 7:00 PM   #6
wazza

Quote (Originally Posted by Gunna):
Easily avoided by stopping exe files being run from %appdata%
Going by the screenshots the malware makers know people are blocking %appdata%, this one appears to be in %ProgramData% which would be much more of an issue to block.
Old 7th August 2014, 9:17 AM   #7
|Renegade| Thread Starter

Quote (Originally Posted by wazza):
Going by the screenshots the malware makers know people are blocking %appdata%, this one appears to be in %ProgramData% which would be much more of an issue to block.
You'd be correct as well Wazza.
The file itself was downloaded automatically as well, it appeared to take advantage of a security flaw in the older Internet Explorer version.
Old 7th August 2014, 9:48 AM   #8
cbb1935

Am I wrong, or is that IE8/IE9 I see?
Old 7th August 2014, 9:50 AM   #9
|Renegade| Thread Starter

Quote (Originally Posted by Mitch01):
Am I wrong, or is that IE8/IE9 I see?
IE8
Old 7th August 2014, 10:29 AM   #10
Falkor

We got hit by one a couple weeks ago, a user called us and noticed some files on the shares had .ctbl extensions.

Instantly put some screens on the fileservers to stop them being written, did some reconnaissance and found the user.

Luckily only a couple thousand files got encrypted and only 1 user had it; it was a completely new variant no one had even seen. Symantec put a page up about it like 2 days later.

Luckily we stopped it early, and we had full backups of all the files so we simply removed them and restored all the files. Didn't affect many of our users.
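As an added example (not code from any poster in this thread) of the roll-back triage Iceman describes, the way |Renegade| located the affected files, and the `.ctbl` suffix Falkor noticed: a small Python scan that lists, per folder, the files modified after close of business or renamed with a ransom suffix, so each folder can be matched to the snapshot it needs. The suffix list, the incident window and the sample share tree are constructed assumptions for this example.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime

# Assumed suffix list; .ctbl is the extension reported in the thread.
RANSOM_SUFFIXES = (".ctbl",)


def find_affected(root, window_start, window_end):
    """Return {relative_dir: [filename, ...]} for files changed in the
    window or carrying a ransom suffix. mtime is read on the scanning
    host; a note dropped beside the files is caught by the time window."""
    hits = defaultdict(list)
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            mtime = datetime.fromtimestamp(os.path.getmtime(os.path.join(dirpath, name)))
            if name.lower().endswith(RANSOM_SUFFIXES) or window_start <= mtime <= window_end:
                hits[os.path.relpath(dirpath, root)].append(name)
    return {folder: sorted(names) for folder, names in hits.items()}


def _touch(path, when):
    """Create an empty file and back-date its mtime (constructed sample data)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()
    os.utime(path, (when.timestamp(), when.timestamp()))


def build_sample_share():
    """Constructed share: daytime work left alone, encrypted copies plus a
    note written after close of business, and one folder never touched."""
    root = tempfile.mkdtemp(prefix="share_")
    _touch(os.path.join(root, "Finance", "budget.xlsx"), datetime(2014, 8, 5, 14, 5))
    _touch(os.path.join(root, "Finance", "budget.xlsx.ctbl"), datetime(2014, 8, 5, 18, 10))
    _touch(os.path.join(root, "HR", "policy.docx"), datetime(2014, 8, 4, 11, 0))
    _touch(os.path.join(root, "HR", "policy.docx.ctbl"), datetime(2014, 8, 5, 19, 40))
    _touch(os.path.join(root, "HR", "ransom_note.html"), datetime(2014, 8, 5, 19, 41))
    _touch(os.path.join(root, "Projects", "notes.txt"), datetime(2014, 8, 5, 16, 30))
    return root


def demo():
    """Scan the constructed share over the COB-to-next-morning window."""
    return find_affected(build_sample_share(),
                         datetime(2014, 8, 5, 17, 0), datetime(2014, 8, 6, 8, 0))


if __name__ == "__main__":
    for folder, files in sorted(demo().items()):
        print(f"{folder}: roll back from snapshot; affected files {files}")
```

On a real share the same walk would be pointed at the mounted share root with the window taken from the help-desk ticket time; the per-folder grouping is what tells you which snapshots to roll back and which folders were untouched.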
Old 7th August 2014, 10:51 AM   #11
7nothing

Quote (Originally Posted by Iceman):
The trickiest thing to determine was exactly which files had been changed when considering which files to roll back.
Cryptolocker kindly lists them in the registry

Also saw this on HardOCP this morn: http://www.bbc.com/news/technology-28661463
Old 7th August 2014, 10:56 AM   #12
shredder

Quote (Originally Posted by |Renegade|):
You'd be correct as well Wazza.
The file itself was downloaded automatically as well, it appeared to take advantage of a security flaw in the older Internet Explorer version.
Did it run itself too?
Old 7th August 2014, 11:15 AM   #13
|Renegade| Thread Starter

Quote (Originally Posted by shredder):
Did it run itself too?
According to the user's advice, they received the prompt to download and they "clicked cancel", but it had already loaded and installed itself.

This could have been an accidental keystroke, but it was interesting how they declined the download prompt, then it proceeded to download and run anyway.
Old 7th August 2014, 11:26 AM   #14
7nothing

Quote (Originally Posted by |Renegade|):
According to the user
Users have a lot of things to say, maybe they're not intentionally being dishonest, but most pay absolutely no attention to what they're doing.
Old 7th August 2014, 11:51 AM   #15
cbb1935

Quote (Originally Posted by |Renegade|):
According to the user's advice, they received the prompt to download and they "clicked cancel", but already had loaded and installed itself.

This could have been an accidental keystroke, but it was interesting how they declined the download prompt, then it proceeded to download and run anyway.
Might have been one of those fake "OK or CANCEL" popups that come up.

They've innocently thought they were cancelling, when they've just clicked a popup image/page which links cancel to "OK".