Be careful out there: Crytowall ransomware (Read 35 times)
Pine
Be careful out there: Crytowall ransomware
06/13/14 at 11:32:56
 
All, I just got this from our IT dept (I work in the same IT dept, but not in security).

Please be on your best behavior out in the wilds of the 'net


From: The Office of Information Security
Subject: New Ransomware "CryptoWall" Rapidly Infecting Systems across the United States

Key Points
•      CryptoWall is a new form of ransomware that has impacted numerous organizations across the United States, including municipal agencies.
•      The primary infection vectors for CryptoWall are spear-phishing emails, made to look like communications from legitimate companies, and compromised advertisements displayed on highly trafficked websites.
•      Upon executing on a system CryptoWall immediately begins to encrypt any files the user has access to, including data on shared drives.
•      The damage done to affected files by CryptoWall is irreversible and typically requires restoring locked files from existing back-ups.
•      Currently, while some (but not all) major anti-virus software companies can now detect the attack after-the-fact, CryptoWall can still encrypt files on the infected computer before being discovered.
•      If you believe your computer has been infected with the CryptoWall virus, immediately disconnect your systems from the wireless or wired network and contact The Service Desk at (601)984-1145.
Background
CryptoWall is a new ransomware discovered in late April 2014 that affects all versions of Windows. The most common infection vectors for CryptoWall are spear-phishing e-mails with malicious attachments (e.g. PDFs which, when opened, execute CryptoWall) or compromised advertisements on highly trafficked websites, such as news or social media sites.

Upon execution, CryptoWall immediately encrypts all user-accessible files on the local drive and any mapped networks or storage devices. After encrypting the accessible files CryptoWall displays a message giving victims a 100-hour countdown while demanding a payment of approximately $500 in bitcoins in exchange for the decryption key – though this amount has varied according to open source reporting. If the user does not pay within the demanded timeframe, the amount of the ransom increases.
Several CryptoWall spear-phishing e-mails identified to this point have been crafted to look like communications from legitimate companies and requested the user download or open an "EFAX". Other malicious emails may be disguised as notifications sent from UPS or the "Payroll Department". In some cases, the email address of the sender may have been spoofed to appear as if the email is coming from someone within the user's own company and will ask the user to click on a DropBox.com link.
Thus far, the majority of victims are located in the United States, though numerous victims have been affected across multiple sectors. In at least one incident, CryptoWall masqueraded as a program that claims the user needs to decrypt a file before being able to read it. Once the user tries to open the file, CryptoWall replicates itself across multiple locations on the user's machine and demands payment. CryptoWall may also be disguised as legitimate software updates such as (but not limited to) Adobe Reader, Flash Player, and Java Runtime Environment updates.
The success of CryptoWall is likely due to the widespread spear-phishing campaign, the effective spear-phishing lures used by the malicious actors, the diversity in infection vectors – including spear-phishing and malicious advertisements, the fact that numerous anti-virus providers still cannot detect CryptoWall, and the rapidity with which CryptoWall activates upon execution and begins causing damage.
It is very likely we will continue to see more ransomware similar to CryptoWall in the near future due to this successful campaign and due to the availability of "off the shelf" malware and exploit kits for sale on underground cybercrime forums.
CryptoWall Lock-Screen from 8 May 2014 Open Source Incident
Files that have executed CryptoWall include the following:
•      A shortcut icon to a web page named "Decrypt Instructions"
•      A file named "DECRYPT_INSTRUCTIONS.html"
•      A file named "DECRYPT_INSTRUCTIONS.txt"
If users see these files on their computer they should be advised to delete them immediately and notify their systems administrator.
The following preventative measures are recommended to protect your organization from a CryptoWall infection:
•      Instruct users not to open any files that appear on the desktop with the name "DECRYPT_INSTRUCTIONS"
•      Ensure all employees are aware of the threat and do not open suspicious e-mails or unexpected attachments, including those e-mails requesting the employee "open a Fax" or "EFAX".
•      Instruct end-users to verify the identity of the sender of any attachments, whether through an informal consistency check of the e-mail address and content of the e-mail or formal communication with the sender.
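
A defender-side sweep for the three artifacts the advisory lists, added here as an example that is not part of the original post or the advisory: it walks a directory tree (for instance a mapped share) and reports each folder holding a ransom note, with the earliest note timestamp. The `.url`/`.lnk` shortcut extensions and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

# Note names come from the advisory; the .url/.lnk shortcut extensions are an assumption.
NOTE_STEM = "decrypt_instructions"
SHORTCUT_STEM = "decrypt instructions"
NOTE_EXTS = {".html", ".txt"}
SHORTCUT_EXTS = {".url", ".lnk"}


def is_ransom_note(filename):
    """Case-insensitive match against the artifact names listed in the advisory."""
    stem, ext = os.path.splitext(filename.lower())
    return (stem == NOTE_STEM and ext in NOTE_EXTS) or (
        stem == SHORTCUT_STEM and ext in SHORTCUT_EXTS)


def scan(root):
    """Walk root; return {directory: (sorted note names, earliest note mtime in UTC)}."""
    hits = {}
    # onerror skips unreadable directories so one access denial does not stop the sweep
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        notes = sorted(f for f in files if is_ransom_note(f))
        if not notes:
            continue
        first = min(os.path.getmtime(os.path.join(dirpath, n)) for n in notes)
        hits[dirpath] = (notes, datetime.fromtimestamp(first, timezone.utc))
    return hits


def build_sample_tree():
    """Constructed sample: one affected folder and one clean folder."""
    root = tempfile.mkdtemp(prefix="share_")
    for rel in ("finance/DECRYPT_INSTRUCTIONS.html", "finance/Decrypt_Instructions.TXT",
                "finance/budget.xlsx", "hr/readme.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for folder, (notes, first) in sorted(scan(build_sample_tree()).items()):
        print(f"{folder}: {notes} earliest={first}")
```

The earliest timestamp per folder gives a rough bound on when that location was hit, which helps when choosing which backup to restore from.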


shorty
Re: Be careful out there: Crytowall ransomware
Reply #1 - 06/13/14 at 12:05:40
 
thanks pine

motorcycles have been my main transport since 1974
verslagen1
Re: Be careful out there: Crytowall ransomware
Reply #2 - 06/13/14 at 12:21:52
 
Thanks for the help desk number...

Quote:
contact The Service Desk at (601)984-1145
Pine
Re: Be careful out there: Crytowall ransomware
Reply #3 - 06/13/14 at 13:37:36
 
verslagen1 wrote on 06/13/14 at 12:21:52:
Thanks for the help desk number...

Quote:
contact The Service Desk at (601)984-1145



HAHAHAH give 'em hell

But don't expect too much "help"