Oct 17 2013 - "Malware that takes computers hostage until users pay a ransom is getting meaner, and thanks to the growing prevalence of Bitcoin and other digital payment systems, it's easier than ever for online crooks to capitalize on these "ransomware" schemes. If this wasn't already abundantly clear, consider the experience of Nic, an Ars reader who fixes PCs for a living and recently helped a client repair the damage inflicted by a particularly nasty title known as CryptoLocker. It started when an end user in the client's accounting department received an e-mail purporting to come from Intuit
. Yes, the attached archived zip file with an executable inside should have been a dead giveaway that this message was malicious and was in no way affiliated with Intuit
. But accounting employees are used to receiving e-mails from financial companies. When the receiver clicked on it, he saw a white box flash briefly on his screen but didn't notice anything else out of the ordinary. He then locked his computer and attended several meetings. Within a few hours, the company's IT department received word of a corrupt file stored on a network drive that was available to multiple employees, including the one who received the malicious e-mail
. A quick investigation soon uncovered other corrupted files, most or all of which had been accessed by the accounting employee. By the time CryptoLocker had run its course, hundreds of gigabytes worth of company data was no longer available..."
Cryptolocker Prevention Kit
Oct 14, 2013 - "The SMBKitchen Crew and Third Tier staff have put together a group materials that were published as part of our SMBKitchen Project and only available to subscribers. However because this virus is spreading so rapidly and is so serious we’ve decided to make these materials available to everyone. The kit includes an article on cleaning up after infection but more importantly provides materials and instruction for deploying preventative block using software restriction policies. The articles provide instruction for installing them via GPO on domain computers and terminal servers, and non-domain joined machines too. We have also provide GPO settings that you can important into your environment. We’ve zipped it up into a single file. Download it now*"
21 Oct 2013
The CryptoLocker ransomware has been popular lately. Several serious outbreaks have taken place and this threat is harder to recover from unless proactive measures have been taken.
Oct 23, 2013
Last Updated: 2013-10-22 14:09:38 UTC
CryptoLocker: Its Spam and ZeuS/ZBOT Connection
Oct 21, 2013 - "... the CryptoLocker malware that not only blocks accessing to the system, but also forces users to buy a $300 decrypting tool by locking or encrypting specific files in the system. Recently, we were alerted to a spam campaign that we determined to be responsible for CryptoLocker infections. The spammed messages contain malicious attachments belonging to TROJ_UPATRE, a malware family characterized by its having small file size and a simple downloading function. Using feedback provided by the Trend Micro Smart Protection Network, we searched for information linking CryptoLocker ransomware to this downloader and came across with a sample email containing a malicious attachment (detected as TROJ_UPATRE.VNA):
(Screenshot of spam with malicious attachment)
Once this attached file is executed, it connects to a URL to download another file, which is saved as cjkienn.exe (detected as TSPY_ZBOT.VNA). This malware then downloads the actual CryptoLocker malware (detected as TROJ_CRILOCK.NS).
(CryptoLocker infection chain)
This threat is particularly troublesome for several reasons. First, ZeuS/ZBOT variants are known to steal information related to online banking credentials. The attackers can use the stolen information to start unauthorized banking transactions. Furthermore, because of the CryptoLocker malware, users will be unable to access their personal or important documents... Although the ransom note only in CryptoLocker specifies “RSA-2048” as the encryption used, our analysis shows that the malware uses AES + RSA encryption. RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other key is kept by the user and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information). The malware uses an AES key to encrypt files. The AES key for decryption is written in the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it. Unfortunately, the said private key is not available. For information on which files are encrypted, users can check their system’s autostart registry.
... It is also important for users to be cautious when opening any attachments from email messages coming from unknown sources
. Email reputation service also blocks the spam related to this threat."
Oct 20, 2013
Edited by AplusWebMaster, 24 October 2013 - 09:21 AM.