True Story: Rescue From a Zero Day Virus


A zero day virus is a brand-new virus that has just been released into the wild, and for which there is not yet any information or antivirus protection. This is the story of how our team encountered and identified a new Cryptolocker variant, and then raced the clock to prevent its spread and further data loss.

Last week a client called in to report that their file server was full of files with the extension .ECC. We had never seen that extension before, so it immediately flagged a potential threat.

According to our research, .ECC files are associated with DVDisaster — an application created by a developer named Carsten Gnörlich. This didn’t make any sense; we doubted our clients were using that application, and even if they were, why would it create .ECC files on their file server? We couldn’t figure it out.

Unless…!

Suddenly we realized we were dealing with a virus. We began scanning their file server with our antivirus and malware tools. But our tools came up empty. What gives?

Still playing on our virus-hunch, we decided to bring one of the .ECC files into our test environment. Carefully, we opened it up.

And there it was: a variant of Cryptolocker, in all of its terrible glory.

Our client’s network was infected.

We scoured the Internet but couldn’t find anyone, anywhere, who had seen this Cryptolocker variant. Not only were we dealing with a vicious form of ransomware, but, we realized, we were dealing with a zero day virus. There was no antivirus for it yet, because it was brand-new.

Our team has extensive experience dealing with Cryptolocker, so we had a baseline for this variant’s likely behavior. Cryptolocker first encrypts the user’s own hard drive and then tries to encrypt any mapped network drives. We immediately began looking for the host machine.

A host machine is the machine that introduced the virus into the network.

Once you locate the culprit, you can choose to remove Cryptolocker from the infected machine with your AV or anti-malware tools. In this case, as a precaution, we decided to pack up the machine and wipe the hard drive completely. Cryptolocker has a nasty habit of encrypting files and hiding them on the hard drive. Because this was a zero day infection, we were not sure whether this variant had left any malicious files on the server — or anywhere else.
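As an added illustration (not code from the original post), here is the kind of sweep a responder would run over the share to size up an extension-marker incident like this one: it lists the .ECC files, shows when the encryption started and stopped, and groups the files by directory and by owning account. The owner lookup is a hook left generic, treating the owning account as the pointer to the host machine is an assumption rather than something the post states, and the sample hits are constructed.

```python
import os
from collections import Counter
from datetime import datetime, timezone

# The extension seen in this incident; extend the set as new variants appear.
MARKER_EXTENSIONS = {".ecc"}


def collect(root, owner_of=lambda path: "unknown"):
    """Walk `root`; return (path, mtime, owner) for every marker-extension file.
    `owner_of` is a hook for an OS-specific owner lookup, left generic here."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in MARKER_EXTENSIONS:
                path = os.path.join(dirpath, name)
                hits.append((path, os.path.getmtime(path), owner_of(path)))
    return hits


def summarise(hits):
    """Condense hits into what a responder needs first: file count, when the
    encryption started and stopped, which directories were hit and which account
    wrote the files. Assumption: the owner of the encrypted copies is the infected
    user, whose workstation is the host machine to isolate."""
    if not hits:
        return {"count": 0}
    times = sorted(t for _, t, _ in hits)

    def stamp(t):
        return datetime.fromtimestamp(t, tz=timezone.utc).isoformat(timespec="seconds")

    return {
        "count": len(hits),
        "first_seen": stamp(times[0]),
        "last_seen": stamp(times[-1]),
        "duration_minutes": round((times[-1] - times[0]) / 60, 1),
        "dirs": Counter(os.path.dirname(p) for p, _, _ in hits),
        "owners": Counter(o for _, _, o in hits),
    }


# Constructed sample hits standing in for a real sweep (paths, times and account are made up).
SAMPLE_HITS = [
    ("/share/finance/budget.xlsx.ecc", 1_400_000_000.0, "CORP\\jdoe"),
    ("/share/finance/q1.docx.ecc", 1_400_000_600.0, "CORP\\jdoe"),
    ("/share/hr/roster.xlsx.ecc", 1_400_001_200.0, "CORP\\jdoe"),
]

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_HITS).items():
        print(f"{key}: {value}")
```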

In past versions of Cryptolocker, once you found and cleaned the host machine, you could simply delete the encrypted files. (They are useless without the encryption key, and the files themselves are not malicious.) But since we weren’t sure about this variant, we decided to use our Microsoft partner account to reach out to the WOLF team.

WOLF is the team at Microsoft that is dedicated to security, vulnerabilities, and virus/malware removal. They are essentially the software world’s version of the Navy SEALs. They are fantastic. We called them up, and, like a true black ops team, they jumped in with their custom-built tool and scanned the server and the network, looking for any traces of the virus left behind.

The WOLF team was able to determine that the .ECC files were merely encrypted, and no further infection existed. They were also able to determine how the virus came into the network and what vulnerabilities caused this.

We patched machines to keep them secure, and we also recommended that users do the following:

  1. Ensure your antivirus is up to date and properly scanning.
  2. Install a complementary anti-malware scanner in addition to your antivirus. (We recommended Malwarebytes Pro.)
  3. Install AdBlock Plus in all Internet browsers. It blocks unwanted ads and can also stop malicious content that tries to get through via ads.

With good, current backups, patching of Windows and third-party applications, and the steps above, I believe any company can stay safe online without compromising employees’ freedom to go where they choose.

For more information about Cryptolocker, or any security issues, feel free to call our engineers at Everon at 1-888-244-1748.


Why is CryptoLocker still a threat?


It has been over 9 months since CryptoLocker started encrypting systems and demanding a ransom. In most cases, when a new threat starts attacking computers, a fix or patch that effectively nullifies it is released within weeks. It is estimated that over $40 million has been paid to the attackers so far, with no end in sight.

[Image: the CryptoLocker dialogue box that appears on victims’ screens, once it is too late.]

CryptoLocker currently accepts payments via Bitcoin and MoneyPak. Since bitcoins are not regulated, it is impossible to trace anything beyond the account into which the coins were deposited. MoneyPak is basically an international prepaid card into which people (in this case, victims) can transfer funds.

Is there any way I can protect myself?

Currently, the most common infection method is email. Here is a list of some of the email subject lines used to trick users into opening the message.

[Chart: examples of CryptoLocker email subject lines. Thanks to BleepingComputer.com for this chart.]

By opening the attachment, the user is effectively granting permission for the virus to install. There are a few things that will help prevent infection and minimize its impact:

  1. Prevent applications in the known download locations from running. This works because most applications downloaded from the Internet are saved to a few common locations. Note that this will not only prevent CryptoLocker from running; it will also prevent you from running any application you download, good or bad.
  2. Do not open attachments in any email that seems out of place or suspicious. This is a good rule of thumb in general, but it is not a complete method of prevention, because the attackers are very clever at making the email look valid.
  3. Back up, back up, back up. Although you can sometimes get your files back via Shadow Copies, this is not always available — and is being circumvented in later releases of CryptoLocker. By backing up your files and storing the backups offline, you will only lose the data changed since that last good backup. (This also means you should keep several older versions of files in case you accidentally back up encrypted files.)

One important note: CryptoLocker will ONLY encrypt files on drives that have a drive letter (local drives and mapped network drives). If a share is not mapped to a drive letter, it will not be encrypted. In technical terms, CryptoLocker cannot follow UNC paths.

Like most viruses, it is only a matter of time before a reliable method to block, remove, or decrypt files is discovered and made available. It is taking longer-than-your-average-virus-time to “crack” ransomware. But sooner or later it will be cracked.

Will Ransomware Cell Phone Attacks Reach the U.S.? (And what to do if you get infected)


Two weeks ago they hit iPhone users in Australia and New Zealand. This week the reports came in that they’d hit Android users in Eastern Europe, specifically Ukraine. We’re watching, waiting to see if and when one of them will hit Western Europe and the U.S. — Oleg Pliss and his kin, Simplocker. They’re not people; they are a new round of cell phone viruses, and the difference is that they’re ransomware. Pay them money, or they threaten to hold your contacts, pictures, or even your whole cell phone hostage.

Sound familiar?

No, viruses for cell phones aren’t new. In fact, there’s a whole slew of mobile device virus protection software (Lookout, AVG, Avast, etc.). Trouble is, ransomware is notorious for getting around anti-virus protection.

Early reports indicate that, at least in the case of Ukraine’s Android virus, Simplocker, the encryption isn’t as sophisticated as Cryptolocker’s. That doesn’t make it any less annoying, though. And according to some reports it does no good to try to pay Oleg’s ransom, because the payment is linked to a PayPal account that doesn’t exist.

So, being a bit freaked out about this (even though my phone is a Windows platform, which hasn’t yet been affected), I asked my guys, the techs here at Everon, what I should do if my phone were hit by ransomware.

“The best thing you can do is to just wipe your phone,” Jeff Woods, one of our experienced L2s, said.

“And then reload all of your info from your backup,” Frank Lindsey, the L1 Supervisor added.

Um, okaaaay…? I felt like a kindergartener in college. Wipe my phone? And… is it automatically backed up? How do I do that if it’s not?

“Well,” Frank said, “if your cell phone is registered with us, at Everon, you could call and we can do a factory wipe for you. Or most cell phone providers can also do that, if you just call Sprint, AT&T, Verizon, or whomever.”

“Alternately,” James Schaffer, another of our L2s, said, “you could perform your own wipe in your phone’s settings.”

I checked my phone’s settings and couldn’t find where to do this. James told me to go to “Settings” -> “About,” and then click the button that says “Reset Your Phone.” (Of course, this only works if your phone isn’t locked by a virus.)

As far as doing backups, it turns out most phones do have automatic backup features. But iPhones, for instance, have to be plugged into your computer to perform their backups – something many iPhone users never do (they only charge the battery). And then there are the settings on the backup. If you’ve only told it to back up your contacts, you run the risk of losing any pictures you haven’t manually saved. (Or already posted to Facebook.)

There are programs you can use for auto-backups, too. Google Drive will automatically back up your mobile data. Dropbox, Picasa, Facebook, and Google+ are other services that will also auto-back up your data and/or photos if you adjust their settings correctly. (Ah, more settings. Good thing I have tech support here!)

So if your mobile data is all backed up, and you do get infected with something evil that needs last-resort measures, like ransomware, all you have to do is wipe and restore. (One site I found estimated this process would take no more than an hour.) Easy-peasy. If you’ve backed up your data.

Sometimes the best defense is just the ability to recover.

Wolverine