
bloody bloody cryptolocker bloody

Discussion in 'Business & Enterprise Computing' started by Joshhy, Sep 12, 2014.

  1. cbb1935

    cbb1935 Guest

    Ahh lovely...... you'd have thought the first expensive adventure would be enough.
     
  2. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    Are you up to date on your browser and plugins? If a web page can download and run an exe on your computer without any user interaction... then something is wrong somewhere. It's unlikely that highly valuable 0-days would be wasted on something trivial like CryptoLocker, so I expect it's probably using old exploits to run itself.
     
  3. tin

    tin Member

    Joined:
    Jul 31, 2001
    Messages:
    6,421
    Location:
    Narrabri NSW
    "Without interaction" isn't quite the same as "without user noticing" - do you know any users who would just click "yes" on that prompt anyway? I'm thinking the same idiots that think NSW OSR will send a blank speeding fine to them so they can fill in the blanks and pay it.
     
  4. dave_dave_dave

    dave_dave_dave Member

    Joined:
    Mar 17, 2004
    Messages:
    2,922
    Location:
    Gold Coast
    A remote user managed to get it on his laptop yesterday.

    Fake speeding infringement email from VicRoads, actually looked 1/2 convincing. Gets you to click on a link to view the photo, which downloads and runs it.

    A few users got the email and picked up that it was spam. Why is it middle management that fall for these things 75% of the time? :sick:

    Nuked the laptop and reloaded from backup.
     
  5. tin

    tin Member

    Joined:
    Jul 31, 2001
    Messages:
    6,421
    Location:
    Narrabri NSW
    Just looking at the .com thing someone mentioned in the rant thread... We have the default rules applied by FoolishIT's Cryptoprevent, and it's blocking ".com" files.

    But what I did find was that ".bat" was allowed to run - even if the content is an exe file, not a batch file. :Paranoid:


    Edit: Oh, and we got 2 walk in customers today suffering from Crypto-shame. At least one of them was sensible enough to have backed up recently.
     
    Last edited: Nov 18, 2014
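The ".bat that is really an exe" case in the post above is the classic weakness of extension-based software restriction rules: the allow list trusts the name, not the bytes. As an added example (not code from the thread, and not part of CryptoPrevent or any other product), here is a content-based check that reads the MZ/PE header instead. The file names and the minimal header bytes are constructed for the demo; a real scan would be run over a mail quarantine or a share.

```python
"""Decide whether a file is a Windows executable from its content, not its extension.

Added example; not from the forum thread or from CryptoPrevent.
A PE file starts with the DOS "MZ" stub, and the 32-bit little-endian value at
offset 0x3C (e_lfanew) points at the "PE\0\0" signature. Checking both catches an
exe renamed to .bat, .txt, .pdf or anything else.
"""
import os
import struct
import tempfile

# Extensions under which a PE file is at least expected (assumed list).
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".dll", ".cpl"}


def is_pe_file(data: bytes) -> bool:
    """True if the leading bytes carry a consistent MZ/PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(path: str) -> str:
    """Compare what the extension claims with what the content actually is."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)   # header lives in the first few KB
    pe = is_pe_file(head)
    if pe and ext not in EXEC_EXTENSIONS:
        return "disguised-executable"
    if pe:
        return "executable"
    return "not-executable"


def make_minimal_pe() -> bytes:
    """Constructed sample: a bare MZ stub whose e_lfanew points at a PE signature.
    It is header only, not runnable code; it is just enough to exercise the check."""
    data = bytearray(0x84)
    data[0:2] = b"MZ"
    struct.pack_into("<I", data, 0x3C, 0x80)
    data[0x80:0x84] = b"PE\x00\x00"
    return bytes(data)


def demo() -> dict:
    """Write three constructed files to a temp dir and classify each."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "fine.exe": make_minimal_pe(),              # honest executable
            "fine.bat": b"@echo off\r\necho hello\r\n",  # real batch file
            "sneaky.bat": make_minimal_pe(),            # PE renamed to .bat
        }
        for name, content in samples.items():
            p = os.path.join(tmp, name)
            with open(p, "wb") as fh:
                fh.write(content)
            results[name] = classify(p)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The extension list is a starting point, not a security boundary; the useful signal is "PE content under a non-executable name", which is what `disguised-executable` flags. Pair a check like this on the mail gateway or file share with the restriction rules, rather than relying on the rules alone.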
  6. cbb1935

    cbb1935 Guest

    Probably right there.

    We are now. Previously couldn't as the web based software we used was really anal and had to use IE9 only. Now we use Google Chrome Portable to run it.
     
  7. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    New phishing variant:

    [screenshot]
     
  8. Falkor

    Falkor Member

    Joined:
    Jun 27, 2001
    Messages:
    4,123
    Location:
    Sydney
    Yeah, got hit by loads of these this morning; only 1 user got infected and we stopped it early.
     
  9. kjparker

    kjparker Member

    Joined:
    Jun 28, 2001
    Messages:
    1,592
    Location:
    Sydney
    You didn't happen to notice the domain that the payload is downloaded from, did you?
     
  10. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,185
    Location:
    NSW
    If it's anything like the one I got, it's a randomly rotating bunch of sites unique to each email.
     
  11. kjparker

    kjparker Member

    Joined:
    Jun 28, 2001
    Messages:
    1,592
    Location:
    Sydney
    I would expect the full url to be seemingly random, but would have thought though that the actual domain it's coming from would be somewhat static...
     
  12. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    Sorry, didn't record it.

    Email has since been delivered to the fires of hades.
     
  13. Falkor

    Falkor Member

    Joined:
    Jun 27, 2001
    Messages:
    4,123
    Location:
    Sydney
    This is an example of a URL my users were clicking:

    [screenshot]
     
  14. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,185
    Location:
    NSW
    Nope, from what I've seen these are merely hacked servers that have had droppers placed on them to kickstart the call to the CNC server to do a proper infection.

    Most of them seem to be sites that use php from what I've seen, so I assume they've been exploited.
     
  15. mooboyj

    mooboyj Member

    Joined:
    Sep 13, 2005
    Messages:
    1,074

    This is the one my punter got hit with last week.
     
  16. Smokin Whale

    Smokin Whale Member

    Joined:
    Nov 29, 2006
    Messages:
    5,188
    Location:
    Pacific Ocean off SC
    Do any of the sysadmins here train their users on how to look out for malicious or phishing emails? As great as it is to put in technical measures to reduce the risk of infection, training or at least alerting users of the dangers does go a long way.
     
  17. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,185
    Location:
    NSW
    Yep, but in the end it only takes one, and in this one instance that one infected 2,300-odd files in 4 minutes before we got lucky and picked it up, and it was a new variant of CryptoWall. We were supremely lucky as his PC was a CAD-grade workstation and a beast of one at that.
     
  18. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,944
    Location:
    elsewhere
    Got hit with this late last week. The email was so blatantly fake it hurt to know someone clicked on it.

    Email from the NSW Government - Office of State Revenue. Links for 'invoice' and 'view camera images', both pointed to liveinsrilanka.lk/wp-content/themes/realia/forum.php?eid=gibberish.


    If it'd been an aust post email, maybe I could understand. But a 'traffic infringement' from the 'nsw gov'.. we're in central queensland ffs :(
     
  19. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,651
    Location:
    Brisbane
    I've seen basic office machines (Core i3, 5400rpm HDD, GbE connected) romp through ~30k files in < 20 mins.

    It's just a quick first-2MB file encrypt. But it's not reversible now without the key.
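The two figures quoted in this thread (2,300-odd files in 4 minutes, ~30k in under 20 minutes) both work out to tens of file writes per second from a single account, far above any human editing pace, which is the thing a file server can alert on before a whole share is gone. The following is an added example, not code from the thread or from any product mentioned in it: a per-user sliding window over file-write audit events. The audit line format, the 60-second window and the 100-file threshold are assumptions, and the log is constructed.

```python
"""Flag a user that modifies an unusual number of distinct files in a short window.

Added example; not from the forum thread. Assumes a file-server audit feed
that yields one line per write/rename/delete in the form
    <iso-time> <user> <op> <path>
Window and threshold below are placeholders to be tuned against a baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed window
THRESHOLD = 100                  # assumed: distinct files per user per window


class MassWriteDetector:
    """Per-user sliding window; alerts once per window when the threshold is crossed."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._recent = defaultdict(deque)   # user -> deque of (ts, path)
        self._muted_until = {}              # user -> ts, suppresses alert storms
        self.alerts = []                    # (user, ts, distinct_files)

    def observe(self, ts, user, path):
        q = self._recent[user]
        q.append((ts, path))
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:       # drop events that fell out of the window
            q.popleft()
        distinct = len({p for _, p in q})
        muted = self._muted_until.get(user)
        if distinct >= self.threshold and (muted is None or ts >= muted):
            self.alerts.append((user, ts, distinct))
            self._muted_until[user] = ts + self.window
        return distinct


def parse_event(line):
    """Parse one constructed audit line into (datetime, user, op, path)."""
    ts, user, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, op, path


def constructed_log():
    """Constructed sample: alice edits one report a minute, bob writes three files a second."""
    base = datetime(2014, 11, 18, 9, 0, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} alice WRITE \\\\srv\\share\\docs\\report{i}.docx")
    for i in range(150):
        t = base + timedelta(seconds=i // 3)
        lines.append(f"{t.isoformat()} bob WRITE \\\\srv\\share\\cad\\part{i:03d}.dwg")
    return sorted(lines)


def run(lines=None):
    """Feed a log through the detector and return the alerts raised."""
    det = MassWriteDetector()
    for line in lines or constructed_log():
        ts, user, op, path = parse_event(line)
        if op in ("WRITE", "RENAME", "DELETE"):
            det.observe(ts, user, path)
    return det.alerts


if __name__ == "__main__":
    for user, ts, n in run():
        print(f"ALERT {ts.isoformat()} {user} touched {n} distinct files within {WINDOW}")
```

In the constructed log, bob crosses 100 distinct files 33 seconds in, which is the point at which you want the session killed or the account disabled, not after the user phones the helpdesk. Tune the threshold against legitimate bulk writers (backup agents, CAD batch exports, build jobs) or exclude those accounts, and count renames and deletes as well as writes, since some variants rename or replace files rather than rewriting them in place.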
     
  20. Loop Goose

    Loop Goose Member

    Joined:
    Jul 20, 2001
    Messages:
    1,118
    Location:
    Sydney, 2077
    I had a client running Windows XP, who received the speeding fine variant, and strangely when he opened the attachment on his machine it did nothing.

    But, then this user forwarded it to reception, for confirmation and upon opening it on her Windows 7 Pro machine, it encrypted 222 files.

    The email looked like this:

    http://imgur.com/Vh4GbIU


    If you click "invoice" it links to here:

    This website: malinoputra.co.id (Indonesia)

    This folder:

    /wp-content/uploads/forum.php?eid=21135634677943388622283866147971326873687196684843458884486974985452385177947


    If you click on "view camera images" it links to here:

    same website, but different folder:

    /wp-content/uploads/forum.php?eid=52325876128921779238325969852564798286559882547561427533418135824958732114992



    The only way to restore the files was to restore them from Google Drive, as this variant deletes all restore points, and shadow copies, so you can't use the "Restore previous versions" trick.
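Two posters in this thread (the NSW OSR lure pointing at liveinsrilanka.lk, and the one above pointing at malinoputra.co.id) quote lure links with different domains but the same shape: a compromised WordPress site, a path under /wp-content/, a file called forum.php and a long eid parameter. That matches the earlier observation that the domains rotate per email while the payload path stays put, so a detection keyed on the path outlives a domain blocklist. As an added example (not code from the thread or from any product), here is that hunt run over a constructed proxy log; the two lure URLs are the ones quoted in the thread, the timestamps, client IPs and benign lines are made up.

```python
"""Hunt a proxy/mail-gateway log for the lure URL shape quoted in this thread.

Added example; not from the forum thread. Assumes a log with one request per
line in the constructed form "<iso-time> <client-ip> <method> <url>".
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Path shape shared by both lures quoted in the thread. The eid value is matched
# loosely because one poster had already replaced it with "gibberish".
LURE_PATH = re.compile(r"/wp-content/[^\s?#]*?forum\.php\?eid=\w+", re.IGNORECASE)

# Constructed proxy log. Lines 1-3 carry the lure paths from the thread; 4-5 are benign.
SAMPLE_LOG = """\
2014-11-18T08:58:10 10.0.5.21 GET http://malinoputra.co.id/wp-content/uploads/forum.php?eid=21135634677943388622283866147971326873687196684843458884486974985452385177947
2014-11-18T08:58:12 10.0.5.21 GET http://malinoputra.co.id/wp-content/uploads/forum.php?eid=52325876128921779238325969852564798286559882547561427533418135824958732114992
2014-11-18T09:02:44 10.0.5.40 GET http://liveinsrilanka.lk/wp-content/themes/realia/forum.php?eid=gibberish
2014-11-18T09:03:01 10.0.5.40 GET http://example.org/wp-content/uploads/2014/11/photo.jpg
2014-11-18T09:05:17 10.0.5.77 GET http://forum.example.net/forum.php?topic=12
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, method, url)."""
    ts, client, method, url = line.split(" ", 3)
    return ts, client, method, url.strip()


def find_lure_hits(log_text):
    """Return (timestamp, client, host, path+query) for every request matching the lure shape."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = parse_line(line)
        parts = urlsplit(url)
        path_and_query = parts.path + ("?" + parts.query if parts.query else "")
        if LURE_PATH.search(path_and_query):
            hits.append((ts, client, parts.hostname, path_and_query))
    return hits


def hosts_by_hit_count(hits):
    """How many lure fetches each compromised host served (useful for takedown reports)."""
    return Counter(host for _, _, host, _ in hits)


def clients_to_contain(hits):
    """Workstations that fetched a lure: isolate them and check their share access."""
    return sorted({client for _, client, _, _ in hits})


if __name__ == "__main__":
    hits = find_lure_hits(SAMPLE_LOG)
    for ts, client, host, path in hits:
        print(f"{ts} {client} -> {host}{path[:60]}...")
    print("hosts:", dict(hosts_by_hit_count(hits)))
    print("contain:", clients_to_contain(hits))
```

The regex is deliberately narrow to the shape seen here; it will miss the next campaign's layout, so treat it as a one-campaign rule and keep the `wp-content` plus unexpected `.php` idea rather than the exact path if you generalise it. A client that appears in `clients_to_contain` and then starts mass-modifying files on a share is the case the earlier posts describe, and the two signals together are worth an automatic disconnect.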
     
