bloody bloody cryptolocker bloody

Been on holiday, get back to find out we had 2 infections last week
one of them after a warning email went out saying NOT to open certain types of emails...

 

The example a few posts up which links of to some blokes personal sysadmin blog in the .VN space, this is a great example of this person being irresponsible and not patching and allowing a 'hacker' to compromise the site so that it serves up malware.

In this case the owner of the site still prolly has no idea he's participating in some pretty serious malware distribution, most likely his ISP is only just catching on.

In this case, the security knowledge lacking sysadmin should get a stern talking to for allowing malware to operate on his site, but, himself isn't responsible for the relay.

Multiple parties are at fault but there intent wasn't malicious. It was the opportunistic hacker who placed the malware there using unethical, and most likely, illegal methods, who needs to be put in jail.

 

I'm not a firewall guy, so I apologise if this is a stupid question, but is tor traffic hard to identify/block? I wouldn't think that many Businesses have business that needs to be conducted via it?

 

TOR commonly communicates over 443 so its not going to be the easiest thing to detect and block on standard firewall.

From memory Palo Alto has a product which does application inspection which would probably be your best bet at blocking TOR related traffic.

 

It's not hard but it's also not free. That type of control falls under NGFW (Watchguard/Fortigate/PaloAlto etc) which allows for a huge amount of control in terms of what application can run over your network and control (allow/deny) the type of behaviour of the application.

Example 1: allow login to dropbox but block access to download/upload.
Example 2: allow authority to access Facebook, Facebook Media but deny Facebook applications, Facebook Comments, Facebook Games, Facebook dating, Facebook Posts etc etc

Can't say we've had any outbreaks of crypto locker but we do actively stop at least a dozen per day

 

Again, my post is still pertinent. You clearly have no idea at the scope of it all. It's as silly as thinking spammers can be beaten easily. You need to think before you post sometimes, you're still stuck in the small IT support mindset.

There are millions of hacked and exploited websites around at the world at any one time. There are many thousands of new ones hacked each day. Thinking you're somehow going to make a difference by contacting the host manually is about as effective as trying to dam a fast flowing river by bucketing dirt out.

You really do miss the scale of which these things occur. If every person on OCAU reported 100 sites a day then you'd still make no measurable difference. There were over 1/2 a million users affected by the original variant, yet alone the dozens of other variants which have now replaced it.

The guys running these ransomware scams aren't fools. You need to either be much bigger than them (magnitudes bigger, even the FBI struggles) or much smarter than them. When you think you're smarter, remember that they're managing to get past AV platforms who each have dozens (if not hundreds) of people trying to stop them.

 

I was reading the other day about a variant that used a static bitcoin account to collect the "donations" - over $AU40,000 on that one version. And I would assume they switched it around every week or so, which makes it quite a good little earner. And there's the reason we won't stop them.

 

Ahhh gotcha now.

I'm still contacting web hosts/domain registrants for places that are spreading this infection. At least it gets one host taken down, thus nullifying the spread to anyone else who got that exact email.

Small steps, but its better than no steps at all.

Also advising the webmaster their site is compromised, means hopefully a more tech savvy and heavy handed approach to security in the future.

Less exploitable hosts, less chance of spreading an infection.

 

Nasty variant going around here that is a legit looking email from the NSW office of state revenue saying you've got a speeding fine, click here for photo - this will get a lot of people, beware!

 

Dad got hit with the NSW OSR email this morning. He was expecting a speeding fine anyway and just assumed the government had got with the times and the Internet.

Anyone know if this site still works with the new variants? Wanted to know before I make the 3hr drive down to see him - https://www.decryptcryptolocker.com/

 

I don't want to discourage you, but your efforts are wasted. The hackers are still smarter than you. The warning message after things like Cryptowall have taken effect have multiple domains and links listed. So blocking one of these won't have made any difference.

I manage infrastructure with thousands of webservers, so again you're just not getting the scale of the problem. We block hundred of thousands of exploit attempts a week, and they're just the known ones which can be defined by a IPS rule.

Many clients who are hacked don't comprehend what they need to do security wise unless they've lost everything. Even then, we've seen clients hacked multiple times. There's masses of malware targeting end user machines to get FTP passwords, so even if the server is 100% secure they'll find a way.

For every one you take down, there's another thousand ready to go. You can "buy" a list of 10,000+ hacked sites for less than $100 on a regular basis if you're too lazy to run a script yourself. The scale at which sites are hacked and at which those running randomware scams get access to them will never be beaten by small IT guys reporting them. It's akin to thinking you'll beat Ebola by washing the hands of one individual.

The time you spend reporting these things would be far better off on your own infrastructure. Ensure you have a working, multi-layer defence and continue to expand and evolve the system. Educate users. Ensure you have regularly tested backups. If every small business did this then we wouldn't have a 13 page thread of horror stories.

 

Sums it up nicely.

 

I tried this on a PC on Monday and it says something like "This file does not appear to be infected by Cryptolocker."

 

And 2 more infections since i posted this...
Multiple emails getting sent out saying DO NOT OPEN anything from someone you don't know..
And now spam messages are not being released unless specifically asked... so much lol

 

Try this software, http://www.shadowexplorer.com/downloads.html

you can use it to explore your Volume Shadow points, I have used this a few times with cryptolocker and it's worked out great. I did use it on Win 7 PC's, it didn't work on XP machine. Remember to run Malwarebytes to clean the virus

hope this helps

 

How stupid are your users? Incredible.

 

Cheers guys, will have a look. Its already past the 72hrs or whatever timeframe but hoping it will work. Worse case, I restore from backup.

 

Have you done Example 1 or 2, if so, with what platform?

 

Palo Alto can do ex 2, haven't tried ex 1