Today, one of our network shares were hit by a new Cryptolocker variant

Discussion in 'Business & Enterprise Computing' started by |Renegade|, Aug 6, 2014.

  1. |Renegade|

    |Renegade| Member

    Joined:
    Oct 11, 2011
    Messages:
    84
    Location:
    Sydney, Australia
I thought I'd share this little story with the teams out there in Corporate IT land. I hope you avoid this issue entirely, and that you catch it quicker than we could.

05-08-14 - 5:48pm - A user reported to the IT Support desk that they were unable to access files within a folder under the shared drive. The user was quoted as saying "the folders and files all seem to look different". Despite this, it was treated as a general permissions issue and forwarded to the appropriate team.

During this time, the user who had accidentally "activated" the ransomware left her machine on overnight. Worse still, our McAfee DAT update was at the latest version; however, the signature of the file had changed slightly and it was not detected.

06-08-14 - 6:38am - After-hours on-call support received a call about a large number of files and folders being inaccessible. Not a lot of detail.

06-08-14 - 8:05am - Located the affected folders and identified the affected user by determining the username that had created the affected files.

06-08-14 - 8:15am - Confirmed the discovery when the user who opened the malware also had this HTML page on the network drive:

    06-08-14 - 9:30am - Several meetings later, the business stakeholders are notified and the

    06-08-14 - 4:00pm - most of the file shares have now been restored. One of the larger folders will need to continue late into the night.

    [​IMG]

    [​IMG]

    [​IMG]

    The machine was immediately removed from the network.

    We estimate that in the evening, approx. 9GB of documents and files were encrypted. By morning, we were facing a huge epidemic with about 90-100GB of data being completely encrypted.

By the time we had commenced the data roll-back, we had approx. 500,000 files affected. The total size is not known, as we were on a closely monitored time frame. Needless to say, we had essentially lost a day's work.

    Further investigation has determined that this was likely to be a new variant of Critroni, possibly only just created within the last 2 or 3 days.

Most Office 365 hosted email environments should already actively block this, but as you can see, this hasn't worked in this case.

    Cause:
    The user had received an email from Microsoft Quarantine advising of the email from "Australia Post".

    [​IMG]

By coincidence, the user was waiting for a package from Australia Post and was duped by the email. After entering a tracking ID into the website reached via the malicious link in the email, a prompt was received and software was downloaded to the machine. Because McAfee did not detect the file or the site, due to the change in the ransomware signature, it went bonkers.

    Cryptolocker details - McAfee

    Kaspersky Cryptolocker details

    Australia Post Warnings - Computerworld



    May you all avoid this mishap.
     
    Last edited: Aug 8, 2014
  2. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    5,679
    Location:
    Brisbane
    Bad situation to be in, sounds like you got hit pretty bad

    Easily avoided by stopping exe files being run from %appdata%

    Set exclusions for business apps that may run from this location.
     
    Last edited: Aug 6, 2014
  3. kombiman

    kombiman Dis-Member

    Joined:
    Dec 3, 2006
    Messages:
    10,879
    Location:
    viva brisvegas
    How much were they asking for?
     
4. |Renegade| (OP)
    We're actually quite close to getting the appdata limited to business apps. I believe there's a few legacy apps that seem to go funky when we stop the appdata executables.

    When it was checked early in the morning, it was the BitCoin equivalent of $462,000.
     
  5. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    Had this problem about a month back. User stupidly opened something they shouldn't have. They let it encrypt their home and shared network drives.

    2 things saved our arse.

1. Principle of least access
    2. Hourly NAS based snapshots.

The trickiest thing was determining exactly which files had been changed when deciding which files to roll back. In the end we determined the particular user group hadn't done any work in that folder since COB, so we just rolled the snapshot back for the half dozen shares they had access to.
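The identification step the OP describes at 8:05am (the username that created the affected files) and the "which files changed, which folders to roll back" question Iceman raises both come down to the same walk over the share. The following is an added example and is not code from any poster in this thread. It assumes the encrypted files carry a new extension (the `.ctbl` extension Falkor reports further down is the default), that the malware writes the encrypted copies as new files so the NTFS owner is the infected account, PowerShell 2.0 or later for the scan, and the SmbShare module (Server 2012 / Windows 8 or later) for the optional containment step. The share path, extension list and account name are placeholders.

```powershell
# Added example (not from the thread): triage a hit file share.
# 1. Find the encrypted files by extension.
# 2. Group them by NTFS owner and first/last write time to find the
#    account (and the time window) the encryption run came from.
# 3. List the folders that need rolling back from snapshot/backup.
# Assumption: the malware creates the encrypted copies as new files, so the
# owner is the infected user; if it rewrote files in place, owner stays the
# original author and only the write times are useful.

function Get-EncryptedFileReport {
    param(
        [Parameter(Mandatory)][string]$SharePath,      # e.g. \\fileserver\dept (placeholder)
        [string[]]$Extensions = @('.ctbl')             # extend as new variants are identified
    )
    $wanted = $Extensions | ForEach-Object { $_.ToLowerInvariant() }
    Get-ChildItem -LiteralPath $SharePath -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($wanted -contains $_.Extension.ToLowerInvariant()) } |
        ForEach-Object {
            $owner = try { (Get-Acl -LiteralPath $_.FullName).Owner } catch { 'UNKNOWN' }
            [pscustomobject]@{
                Path          = $_.FullName
                Directory     = $_.DirectoryName
                Owner         = $owner
                LastWriteTime = $_.LastWriteTime
                Length        = $_.Length
            }
        }
}

function Get-LikelyPatientZero {
    # Rank owners by number of encrypted files; the top entry is the account to
    # disconnect, and FirstWrite is the point to roll snapshots back to.
    param([Parameter(Mandatory)][object[]]$Report)
    $Report | Group-Object Owner | Sort-Object Count -Descending | ForEach-Object {
        $sorted = $_.Group | Sort-Object LastWriteTime
        [pscustomobject]@{
            Owner      = $_.Name
            Count      = $_.Count
            FirstWrite = ($sorted | Select-Object -First 1).LastWriteTime
            LastWrite  = ($sorted | Select-Object -Last 1).LastWriteTime
        }
    }
}

function Disconnect-UserFromShares {
    # Kick the identified account's SMB sessions off this file server while the
    # workstation is located and pulled off the network (SmbShare module needed).
    param([Parameter(Mandatory)][string]$Account)     # DOMAIN\user (placeholder)
    Get-SmbSession | Where-Object { $_.ClientUserName -eq $Account } |
        ForEach-Object { Close-SmbSession -SessionId $_.SessionId -Force }
}

# --- usage (placeholder share and account) ---
$report   = Get-EncryptedFileReport -SharePath '\\fileserver\dept' -Extensions '.ctbl'
$report  | Export-Csv -NoTypeInformation -LiteralPath '.\encrypted-files.csv'
$suspects = @(Get-LikelyPatientZero -Report $report)
$suspects | Format-Table -AutoSize
if ($suspects.Count -gt 0) { Disconnect-UserFromShares -Account $suspects[0].Owner }

# Folders to restore from the last snapshot taken before $suspects[0].FirstWrite:
$report | Select-Object -ExpandProperty Directory -Unique | Sort-Object
```

The CSV is the list of what actually changed, which is what Iceman found hardest to pin down; restoring only those directories from the snapshot before `FirstWrite` avoids rolling back work other users saved after the infection started. If the variant does not rename files, the extension filter finds nothing, and the fallback is to sort the share by `LastWriteTime` within the window the help-desk ticket gives you.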
     
  6. wazza

    wazza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,250
    Location:
    NSW
Going by the screenshots, the malware makers know people are blocking %appdata%; this one appears to be in %ProgramData%, which would be much more of an issue to block.
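Gunna's suggestion (block executables under %appdata%, with exclusions for business apps that run from there) and wazza's point that this sample ran from %ProgramData% can both be expressed as path rules in one policy. The following is an added example, not code from anyone in the thread. It uses AppLocker rather than the older Software Restriction Policies, so it assumes a Windows edition that ships AppLocker (Enterprise/Ultimate client SKUs, Server 2008 R2 or later), an elevated PowerShell session, and placeholder exception paths under an `ExampleVendor` folder that you replace with the legacy apps the OP mentions.

```powershell
# Added example (not from the thread): a local AppLocker policy that denies
# execution from every profile's AppData tree and from %ProgramData%, with
# exceptions for business apps that legitimately live there.
# Assumptions: AppLocker-capable SKU, elevated session, "ExampleVendor" paths
# are placeholders for your own exceptions.

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- AppLocker is default-deny as soon as one Exe rule exists, so the usual
         allow rules must be present or nothing outside the exceptions runs. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow everyone: Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow everyone: Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators: everything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- Deny beats allow. Users\*\AppData\* covers %APPDATA% (Roaming) and
         %LOCALAPPDATA% (Local, including Temp) for every profile. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny everyone: AppData"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\ExampleVendor\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny everyone: ProgramData"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\ProgramData\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%OSDRIVE%\ProgramData\ExampleVendor\*" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'deny-appdata-programdata.xml'
Set-Content -LiteralPath $policyFile -Value $policyXml -Encoding UTF8

# Dry run: ask AppLocker what it would decide for a dropper in each location and
# for a normal application. Test-AppLockerPolicy reads the files, so create empty
# stand-ins where nothing exists and remove them afterwards.
$samples = @(
    "$env:APPDATA\dropper.exe",                        # where Gunna's %appdata% block bites
    "$env:ProgramData\dropper.exe",                    # the location wazza saw in the screenshots
    "$env:ProgramData\ExampleVendor\legit.exe",        # covered by the exception
    "$env:ProgramFiles\Internet Explorer\iexplore.exe"
)
$standIns = $samples | Where-Object { -not (Test-Path -LiteralPath $_) } |
            ForEach-Object { New-Item -ItemType File -Path $_ -Force }
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
$standIns | Remove-Item -Force     # the empty ExampleVendor folders can be removed by hand

# Apply locally in audit mode first; hits are logged under
# Applications and Services Logs\Microsoft\Windows\AppLocker\EXE and DLL.
# Once every legacy app is in the exception list, change EnforcementMode to
# "Enabled". For the whole estate, import the same XML into a GPO instead.
Set-AppLockerPolicy -XmlPolicy $policyFile
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

Two caveats a practitioner would want: the stock `%WINDIR%\*` allow rule includes user-writable subfolders such as `%WINDIR%\Temp` and `%WINDIR%\Tasks`, so a dropper that lands there is not caught by this policy; and this is an `Exe` collection only, so DLLs, scripts and installers need their own collections if you want the same coverage.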
     
7. |Renegade| (OP)
    You'd be correct as well Wazza.
The file itself was downloaded automatically as well; it appeared to take advantage of a security flaw in the older Internet Explorer version.
     
  8. cbb1935

    cbb1935 Guest

    Am I wrong, or is that IE8/IE9 I see?
     
9. |Renegade| (OP)
IE8
     
  10. Falkor

    Falkor Member

    Joined:
    Jun 27, 2001
    Messages:
    3,974
    Location:
    Sydney
We got hit by one a couple of weeks ago; a user called us having noticed that some files on the shares had .ctbl extensions.

Instantly put some screens on the file servers to stop them being written, did some reconnaissance and found the user.

Luckily only a couple of thousand files got encrypted and only one user had it; it was a completely new variant no one had even seen. Symantec put a page up about it about two days later.

    Luckily we stopped it early, and we had full backups of all the files so we simply removed them and restored all the files. Didn't affect many of our users.
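The "screens on the file servers" Falkor put up are File Server Resource Manager file screens: a server-side rule that refuses to create files whose names match a pattern, and can fire an action naming the account that tried. The following is an added example, not Falkor's or anyone else's code from the thread. It assumes Windows Server 2012 or later with the FSRM role and the `FileServerResourceManager` module installed, that the share is also served over SMB from the same box (for the `Block-SmbShareAccess` action), and that FSRM substitutes its `[Source Io Owner]` variable into command-action parameters; the share path, share name and pattern list are placeholders, with `.ctbl` being the extension reported in the thread.

```powershell
# Added example (not from the thread): an FSRM file screen that blocks the
# ransomware's output names on a share, logs the writing account, and denies
# that account on the share so the run stops even if the extension changes.
# Assumptions: Server 2012+ with FSRM, share served from this host,
# placeholder paths/names, and FSRM variable substitution in command actions.

Import-Module FileServerResourceManager

$shareRoot = 'D:\Shares\Dept'      # local path of the share on the file server (placeholder)
$shareName = 'Dept'                # SMB share name (placeholder)

# 1. File group: names the screen refuses. A screen matches on file name only,
#    not content, so keep this list current as new variants are identified.
$group = New-FsrmFileGroup -Name 'Ransomware output files' -IncludePattern @('*.ctbl')

# 2. Actions. The event gives the help desk the account and path immediately;
#    the command puts a deny ACE for that account on the share.
$logEvent = New-FsrmAction -Type Event -EventType Warning -Body (
    'File screen hit under [File Screen Path]: [Source Io Owner] tried to write [Source File Path]')

$blockUser = New-FsrmAction -Type Command `
    -Command "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -CommandParameters ('-NoProfile -ExecutionPolicy Bypass -Command ' +
        "`"Block-SmbShareAccess -Name '$shareName' -AccountName '[Source Io Owner]' -Force`"") `
    -SecurityLevel LocalSystem -RunLimitInterval 1

# 3. The screen itself: -Active blocks the write; omit it for a passive
#    (monitor-only) screen while you tune the pattern list.
New-FsrmFileScreen -Path $shareRoot -IncludeGroup $group.Name -Active `
    -Notification @($logEvent, $blockUser) `
    -Description 'Block known ransomware output names on this share'

# Check: list the screen, then from a client try to save a file named test.ctbl
# into the share; the write should be refused and a warning event logged.
Get-FsrmFileScreen -Path $shareRoot | Format-List Path, Active, IncludeGroup
```

The limit of this control is the one Falkor's own story shows: it only helps against variants that rename their output. A variant that keeps the original file names walks straight past a file screen, which is why the snapshot and backup discipline Iceman describes, and the execution blocking Gunna describes, still have to be in place underneath it.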
     
  11. 7nothing

    7nothing Member

    Joined:
    Feb 15, 2002
    Messages:
    1,398
    Location:
    Brisbane
    Cryptolocker kindly lists them in the registry :)

    Also saw this on HardOCP this morn: http://www.bbc.com/news/technology-28661463
     
  12. shredder

    shredder Member

    Joined:
    Dec 26, 2001
    Messages:
    9,799
    Location:
    Dec 27, 1991
    Did it run itself too?
     
13. |Renegade| (OP)
According to the user's account, they received the prompt to download and "clicked cancel", but it had already loaded and installed itself.

This could have been an accidental keystroke, but it was interesting how they declined the download prompt and it proceeded to download and run anyway.
     
  14. 7nothing

    7nothing Member

    Joined:
    Feb 15, 2002
    Messages:
    1,398
    Location:
    Brisbane
    Users have a lot of things to say, maybe they're not intentionally being dishonest, but most pay absolutely no attention to what they're doing.
     
  15. cbb1935

    cbb1935 Guest

Might have been one of those fake "OK or CANCEL" popups that come up.

They innocently thought they were cancelling, when they'd actually clicked a popup image/page that links "cancel" to "OK".
     
16. |Renegade| (OP)
    We do have a pretty honest bunch tbh, especially when they do something wrong - they're pretty descriptive in the majority of cases. We did also pull her entire IE browsing history and the time frames all checked out.

I wouldn't be surprised either. When McAfee come and pay us a visit later today, it'll be interesting to find out more when they run some tests.
     
  17. kryzaach

    kryzaach New Member

    Joined:
    Aug 7, 2014
    Messages:
    3
    Hi Renegade,

    Just came across this, so signed up to ask you a question.

    Do you manage your endpoints with ePO and were you using GTI Artemis at all?

    If that is the case, then that is pretty troubling.
     
  18. azron

    azron Member

    Joined:
    Feb 27, 2004
    Messages:
    1,076
    Location:
    Melbourne
19. |Renegade| (OP)
    Hey kryzaach,
    First and foremost - welcome to OCAU!

We do manage endpoints with ePO, but I don't believe we use GTI Artemis.


    Thanks! We've also submitted this with one of the files. According to McAfee, if it was the Zeus variant, they're convinced that it should have picked it up. We're still waiting on more details on their investigation.

    The other good news is, this issue has opened more business justification to get FireEye products implemented. As most of you probably know, it's never an easy task to go through the process to have a large scale change approved.
     
  20. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    10,404
GTI Artemis has been terrible in the past, with far too many false positives to be useful at all.

    @Renegade - How do you find McAfee support?
     
