
Colleagues,

Yesterday, we received news of an emerging malware threat called CryptoLocker Ransomware. Literally within hours after receiving this information, one of our campus users was infected. The malware encrypts the files on the computer and then demands that the user pay a fee to unencrypt the user's files. As we observed, it also has the ability to spread to file shares. Are others seeing this emerging threat? What, if anything, are you doing to mitigate it?

Gary

Comments

This has unfortunately been around a few months. CERT says: http://www.us-cert.gov/ncas/alerts/TA13-309A

Solution

Prevention

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

* Do not follow unsolicited web links in email messages or submit any information to webpages in links
* Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments
* Maintain up-to-date anti-virus software
* Perform regular backups of all systems to limit the impact of data and/or system loss
* Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity
* Secure open-share drives by only allowing connections from authorized users
* Keep your operating system and software up-to-date with the latest patches
* Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams
* Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks

Mitigation

US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

* Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network
* Users who are infected should change all passwords AFTER removing the malware from their system
* Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:
  * Restore from backup,
  * Restore from a shadow copy or
  * Perform a system restore.
We've had a user fall prey to the same attack today. We have not yet found a solution other than reimaging and restoring from backup.

Brent Harris
Associate Vice President for Information Technology
University of Mary Hardin-Baylor
(254)295-4658
We were hit with this a few weeks ago. We had a recurrence a week later, but the second round didn't cause any damage because word had gotten out from the initial round and we were quick to block the inbound mail as soon as we had a report of it. The initial round did catch a few people and caused a couple of departments some grief. We have good backups here, so we were able to recover all of the files.

For mitigation: 

1. Submit the attachment to VirusTotal.com so that A/V vendors can be notified if it's a new marginally detected variant
2. Submit the attachment to your A/V vendor to ensure you get a signature update as soon as possible
3. Disconnect affected computers to stop the encryption of network drives as early as possible
4. Push Windows GPOs to prevent the execution of programs from the folder where attachments unpack to when clicked on. The reddit thread at the bottom of this message has details; it's lengthy, so search for "GPO". The reddit thread has a lot of additional information in it and I recommend reading it.
5. Get a signature into your email system as soon as a new variant is reported by users so that you can block the email asap. 
6. Remove unread messages from inboxes that match the signature in (5)
7. Recover files:

As for file recovery, you have only two choices: pay the fee or restore from backups. Hopefully all of your affected files are backed up. The "pay the fee" option has been reported to work; however, there are agencies working to take down the command-and-control servers for this ransomware. This has resulted in reports of some people paying the fee but then not being able to decrypt because the server had been taken down. Also, paying only encourages the thieves to continue this strategy. So, personally, I'd recommend against paying. If you lose some files due to insufficient backups, it's an excellent teaching moment for not clicking on everything that lands in an inbox, as well as for making regular backups.


jeff



--
Jeff Murphy
Interim Information Security Officer
University at Buffalo





We experienced this last week, just as Microsoft came out with a patch to combat the malware. We, too, wiped the infected machine and restored from backups.

Dan Navarro
Director, Office of Academic Computing Services
College of Behavioral and Social Sciences
University of Maryland
dnavarro@umd.edu
301-405-1661
Message from mike.caudill@duke.edu

Re-imaging the infected machines and restoring files from backup are your best options for this attack. However, before you restore files on a file share you should make sure that you have no other infected hosts with access to the same share.

Mike Caudill
Assistant Director, Cyber Defense and Response
Duke Medicine
Email: mike.caudill@duke.edu
Phone: +1-919-668-2144 / +1 919-522-4931 (cell)

On 11/6/13 1:50 PM, "Harris, Brent" wrote:
> We've had a user fall prey to the same attack today. We have not yet
> found a solution other than reimaging and restoring from backup.
>
> Brent Harris
> Associate Vice President for Information Technology
> University of Mary Hardin-Baylor
> (254)295-4658
How does this attack impact shadow copy...?
There is an informative discussion here that mentions shadow services and file history. http://community.norton.com/t5/Norton-Internet-Security-Norton/CryptoLoc...

> On Nov 6, 2013, at 14:13, "Crow, Scott A" wrote:
>
> How does this attack impact shadow copy...?
Someone on this thread mentioned that Microsoft issued a patch for this. We can't find any patch referencing the CryptoLocker attack. Does anyone have any additional info on this? Or was this patch an update for Defender (which we do not use) and not an OS patch?
Mike,

The update was to Security Essentials (Defender). It should be detected by version 1.157.1563.0 and higher according to MS.


John Grover
Director | Enterprise Computing and Application Services
University of Maine System | (207) 561-3510 (desk) | (207) 949-4208 (cell)


An update some may have missed on this:

http://krebsonsecurity.com/2013/11/cryptolocker-crew-ratchets-up-the-ransom/

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Grover
Sent: Thursday, November 7, 2013 8:49 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Ransomware

Mike,

The update was to Security Essentials (Defender). It should be detected by version 1.157.1563.0 and higher according to MS.

John Grover
Director | Enterprise Computing and Application Services
University of Maine System | (207) 561-3510 (desk) | (207) 949-4208 (cell)


Here's a program touted to be effective against the current Cryptolocker variant.

Note that the domain name is Foolish IT. :)

http://www.foolishit.com/vb6-projects/cryptoprevent/


Is anyone taking any particular steps to inform and communicate the risks or prevalence of Ransomware to your campus?
Did you use this opportunity to caution them to be diligent in general, or have you provided them with specifics? Thanks
Shahra

We had a few users recently get infected with Cryptolocker.  We sent out a college-wide email from our help desk reminding users not to open unknown attachments, be cautious of following links, etc.

We also implemented a GPO to prevent EXE's from running from %APPDATA%.  We haven't had any reported infections since taking these two measures.

-Kevin

Kevin Moll
Manager, Network/Server Systems
Valencia College
1800 S. Kirkman Rd.
Orlando, FL 32827
We posted a notice to our helpdesk's webpage, to our information security webpage, and then had a small story run in both of the campus newspapers.

- Quinn

It’s not been much of a problem here.  We have one known case, and perhaps a handful of other suspected infections.  When comparing those numbers to most other malware infections they are pretty low.  Both Forefront and Symantec appear to be catching at least some variants of the malware, and I think, for the most part, people are more suspicious of attachments than links.

 

Has this been a significant problem anywhere?

 

We had one confirmed case but that person was off campus at the time. We did send out a campus wide email containing specifics for CryptoLocker and also threw in the general “don’t open attachments or click links in suspicious emails” at the end.

Brett Weston | Security Administrator | Loyola University Chicago IT Services | 773-508-8202

From: Shahra Meshkaty <meshkaty@SANDIEGO.EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, November 14, 2013 at 1:29 AM
To: "SECURITY@LISTSERV.EDUCAUSE.EDU" <SECURITY@LISTSERV.EDUCAUSE.EDU>
Subject: [SECURITY] Ransomware

Is anyone taking any particular steps to inform and communicate the risks or prevalence of Ransomware to your campus?
Did you use this opportunity to caution them to be diligent in general, or have you provided them with specifics? Thanks
Shahra

We haven't had any cases of it, but we're getting questions from faculty & staff about Cryptolocker due to recent media coverage.

We sent a warning about it - but it focused on users keeping backups of their important data (and keeping external backup drives disconnected when not actually backing up) as well as the general 'don't open untrusted email applications'.

There have been a number of attempts for this virus to come through email but all have been blocked (though by default all exe's including those contained within zip files are blocked here).


Paul Chauvet
Senior Linux Systems Administrator
Chair, Information Security Oversight Committee
Computer Services
State University of New York at New Paltz

Phone: (845) 257-3828
chauvetp@newpaltz.edu

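The attachment filtering that Jeff's step 5 ("get a signature into your email system") and Paul's gateway policy ("all exe's including those contained within zip files are blocked") describe can be sketched in code; this is an added example, not code from any list member or vendor, and the extension list, depth limit and the sample message are all constructed here for illustration. It flags executables by extension and by the Windows PE header, descends into zip attachments, and treats encrypted or over-nested archives as uninspectable (and therefore blocked) rather than silently passing them.

```python
import io
import zipfile
from email.message import EmailMessage

# Extensions a mail gateway treats as executable (illustrative list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable
MAX_DEPTH = 3     # refuse to inspect zips nested deeper than this

def looks_executable(name: str, data: bytes) -> bool:
    # Check both the extension and the PE header, so a renamed .exe ("invoice.pdf") is still caught.
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    return ext in EXECUTABLE_EXTENSIONS or data[:2] == PE_MAGIC

def scan_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return paths of executable items found in an attachment, descending into zip files."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [name] if looks_executable(name, data) else []
    if depth >= MAX_DEPTH:
        return [f"{name} (zip nested too deeply to inspect)"]
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                inner = zf.read(info)
            except (RuntimeError, zipfile.BadZipFile):  # encrypted or corrupt member: block it
                found.append(f"{name}/{info.filename} (could not be inspected)")
                continue
            found.extend(f"{name}/{hit}" for hit in scan_attachment(info.filename, inner, depth + 1))
    return found

def scan_message(msg: EmailMessage) -> list[str]:
    """Attachment paths that should cause the message to be quarantined."""
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        flagged.extend(scan_attachment(part.get_filename() or "unnamed", payload))
    return flagged

def build_sample_message() -> EmailMessage:
    """Constructed sample: a zip hiding a fake PE stub behind a double extension, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2013.pdf.exe", PE_MAGIC + b"\x90\x00" * 30)  # header bytes only, not a program
        zf.writestr("readme.txt", b"constructed sample, not malware")
    msg = EmailMessage()
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice.zip")
    return msg
```

A non-empty result from scan_message is the signal to quarantine the message and, as step 6 suggests, to pull unread copies with the same attachment from other inboxes.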