Discussion in 'Business & Enterprise Computing' started by Joshhy, Sep 12, 2014.
Ahh lovely...... you'd have thought the first expensive adventure would be enough.
Are you up to date on your browser and plugins? If a web page can download and run an exe on your computer without any user interaction... then something is wrong somewhere. It's unlikely that highly valuable 0-days would be wasted on something trivial like CryptoLocker. So I expect it's probably using old exploits to run itself.
"Without interaction" isn't quite the same as "without user noticing" - do you know any users who would just click "yes" on that prompt anyway? I'm thinking the same idiots that think NSW OSR will send a blank speeding fine to them so they can fill in the blanks and pay it.
A remote user managed to get it on his laptop yesterday.
Fake speeding infringement email from VicRoads, actually looked half convincing. Gets you to click on a link to view the photo, which downloads and runs it.
A few users got the email and picked up that it was spam. Why is it middle management that fall for these things 75% of the time?
Nuked the laptop and reloaded from backup.
Just looking at the .com thing someone mentioned in the rant thread... We have the default rules applied by FoolishIT's Cryptoprevent, and it's blocking ".com" files.
But what I did find was that ".bat" was allowed to run - even if the content is an exe file not a batch file.
Edit: Oh, and we got 2 walk in customers today suffering from Crypto-shame. At least one of them was sensible enough to have backed up recently.
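The extension-versus-content gap described above (a ".bat" that is really an exe), as an added example that is not code from the thread or from CryptoPrevent: a small Python check that flags a file whose extension claims a script but whose bytes carry a PE executable header. The extension list and the sample bytes are constructed for illustration.

```python
"""Flag files whose extension says "script" but whose content is a binary.

Constructed example: extension set and sample bytes are assumptions, not
taken from the thread or from any product's rule set.
"""
from __future__ import annotations

import os

# Extensions an allow-by-extension rule might pass through as "just a script".
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1"}


def sniff_type(data: bytes) -> str:
    """Guess a coarse content type from the first bytes of a file."""
    head = data[:512]
    if head.startswith(b"MZ"):          # DOS/PE executable header
        return "pe"
    if head.startswith(b"\x7fELF"):     # ELF executable
        return "elf"
    if head.startswith(b"PK\x03\x04"):  # ZIP container (also Office/JAR)
        return "zip"
    if b"\x00" in head:                 # NUL bytes: not a plain-text script
        return "binary"
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


def check_file(name: str, data: bytes) -> str | None:
    """Return a reason if the extension disagrees with the content, else None.

    Errs on the side of flagging: a UTF-16 encoded .bat would be reported too.
    """
    ext = os.path.splitext(name)[1].lower()
    kind = sniff_type(data)
    if ext in SCRIPT_EXTENSIONS and kind != "text":
        return f"{name}: extension {ext} claims a script but content is {kind}"
    return None


if __name__ == "__main__":
    # Constructed samples: a PE renamed to .bat, and a genuine batch file.
    samples = {
        "invoice.bat": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
        "backup.bat": b"@echo off\r\nxcopy /e /y C:\\data D:\\backup\r\n",
    }
    for fname, content in samples.items():
        print(fname, "->", check_file(fname, content) or "ok")
```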
Probably right there.
We are now. Previously couldn't as the web based software we used was really anal and had to use IE9 only. Now we use Google Chrome Portable to run it.
New phishing variant;
Yeah got hit by loads of these this morning, only 1 user got infected and we stopped it early
You didn't happen to notice the domain that the payload is downloaded from, did you?
If it's anything like the one I got, it's a randomly rotating bunch of sites unique to each email.
I would expect the full url to be seemingly random, but would have thought though that the actual domain it's coming from would be somewhat static...
Sorry, didn't record it.
Email has since been delivered to the fires of hades.
This is an example of a URL my users were clicking
Nope, from what I've seen these are merely hacked servers that have had droppers placed on them to kickstart the call to the CNC server to do a proper infection.
Most of them seem to be sites that use php from what I've seen, so I assume they've been exploited.
This is the one my punter got hit with last week.
Do any of the sysadmins here train their users on how to look out for malicious or phishing emails? As great as it is to put in technical measures to reduce the risk of infection, training or at least alerting users of the dangers does go a long way.
Yep, but in the end it only takes one, and in this one instance that one infected 2300-odd files in 4 minutes before we got lucky and picked it up, and it was a new variant of CryptoWall. We were supremely lucky as his PC was a CAD-grade workstation and a beast of one at that.
Got hit with this late last week. The email was so blatantly fake it hurt to know someone clicked on it.
Email from the NSW Government - Office of State Revenue. Links for 'invoice' and 'view camera images', both pointed to liveinsrilanka.lk/wp-content/themes/realia/forum.php?eid=gibberish.
If it'd been an Aust Post email, maybe I could understand. But a 'traffic infringement' from the 'nsw gov'.. we're in central Queensland ffs
I've seen basic office machines (core i3, 5400rpm hdd, GbE connected) romp through ~30k files in < 20mins.
It's just a quick first 2MB file encrypt. But it's not reversible now without the key.
I had a client running Windows XP, who received the speeding fine variant, and strangely when he opened the attachment on his machine it did nothing.
But then this user forwarded it to reception for confirmation, and upon opening it on her Windows 7 Pro machine, it encrypted 222 files.
The email looked like this:
If you click "invoice" it links to here:
This website: malinoputra.co.id (Indonesia)
If you click on "view camera images" it links to here:
same website, but different folder:
The only way to restore the files was to restore them from Google Drive, as this variant deletes all restore points, and shadow copies, so you can't use the "Restore previous versions" trick.