Date: Sat, 26 Oct 2013 13:09:29 -0400
From: mark <whitroth at 5-cent.us>
To: undisclosed-recipients:;
Subject: [WSFA] Fwd: [GT-PFRC] Cryptolocker: Another _bad_ malware
Reply-To: WSFA members <WSFAlist at KeithLynch.net>
Folks,
This is from a good friend of mine, who is who he says he is, and has
been doing programming, then consulting, a very long time. This is not scare
email by someone who doesn't know anything....
mark
-------- Original Message --------
Subject: [WSFA] [GT-PFRC] Cryptolocker: Another _bad_ malware
Date: Fri, 25 Oct 2013 16:40:26 -0500
This is a message I sent to my clients today; I figured y'all would want to
check it out, and maybe warn employers, friends, & etc. about it.
----- Forwarded message from Dave Ihnat <dihnat at dminet.com> -----
Greetings,
Again, I don't often send out notices like this, but this looks to be one
to be definitely on-guard against.
It's called "Cryptolocker", and it's one bad piece of malware (malicious
software). It essentially gets in the door, and then runs out to encrypt
every file it can find--on the local machine AND mapped drives from a
server that you have write permissions on--that match a long list of
extensions (e.g., all document, spreadsheet, etc. files).
It gets in through one of three mechanisms described by various authors in
the E-TradeRags:
o Mail attachments. Especially watch out for anything purporting to be
from a business copier delivering a scanned PDF; anything from a major
delivery service like UPS or FedEx; or anything purporting to be a bank
letter confirming a wire or money transfer. (I've also noticed
recently a bunch of messages claiming to be "voice messages"--avoid
those, too.)
o Infected websites.
o Requests to download a "codec" when trying to view videos on infected
sites. A codec is normally a valid piece of software to decode video
files--but not in this case.
Once it's encrypted everything it can get its paws on, it tells you that if
you want your data back, you have to pay them. The amount, as reported in
news items in the trade so far, isn't specified other than "hundreds of
dollars".
There is, as yet, no reported way to decrypt the files. The only
recovery is to pay the Danegeld, or recover from backup--both are
extremely painful. Anti-virus and anti-malware programs "have a
particularly difficult time stopping this infection".
If you pay them, there's no guarantee they won't use the credit card or
account for further mayhem. (One author recommended using a pre-paid
card if you go this route.)
Blocking instructions are given for setting up rules from our server(s)
to block execution of this thing, but they're time-consuming to set up,
and also may block some legitimate programs (e.g., GoToMeeting reminders).
Right now, there's no good answer to this thing. Be extremely careful,
and follow my usual guidelines:
o Don't open ANY attachment you didn't explicitly expect to receive.
Call the sender if you suspect it's real and it seems to be from
someone you recognize.
o Don't click on ANYTHING from a website that doesn't seem normal. Be
very suspicious of any request at all to enable, allow, download, etc.
anything from any website.
o You don't need to see a video that badly--don't download any codecs.
o Contact me if you have *any* questions.
Make no bones about it--if they're reporting this accurately, this will be
a very, very painful one to try to recover from. I'll be watching it
closely, and am evaluating the instructions for blocking it to determine if
the cure is worse than the disease.
If you want details, this is a good article about it that came out today:
http://www.computerworld.com/s/article/9243537/Cryptolocker_How_to_avoid_getting_infected_and_what_to_do_if_you_are_?taxonomyId=125&pageNumber=1
(I hate these guys...)
Be careful,
--
Dave Ihnat
President, DMINET Consulting, Inc.
dihnat at dminet.com
----- End forwarded message -----