Recently there has been a dangerous new piece of malware going around which poses significant risk to personal and business computers alike. CryptoLocker, as it is commonly known, is ransomware: it encrypts all of the useful files it can reach and then holds the user to ransom for the key needed to unlock them. It preys on users who open an email attachment, typically disguised as a bill of lading or delivery notice from a shipping company. The attachment is usually a ZIP file containing an executable that has been given a document icon and a double extension such as invoice.pdf.exe; because Windows hides known file extensions by default, the user sees only invoice.pdf. Once run, it encrypts not only the matching files on the infected computer but every matching file on any mapped network share that user's account can write to. Fresh builds are repacked often enough that signature-based anti-virus frequently misses them at the time of infection. Worse yet, the malware uses public-key cryptography: the files are locked to an RSA key pair generated on the criminals' servers, and the private half of that pair never reaches your computer. Removing the malware therefore does not recover anything; without the attackers' private key or a backup, the data stays unreadable.
Once a machine is infected, anything whose name matches the following patterns will be encrypted (you will notice these are just about all useful files; the ????????.jpg entry matches the eight-character names cameras give photos, such as DSC_0001.jpg):
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb,
*.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb,
*.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd,
*.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2,
*.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef,
*.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
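The list above is exactly what a defender needs to know where the damage would land. The script below is an added example, not code from the original post: it reuses the post's own wildcard list to find every file on a directory tree (a mapped share, for instance) that the ransomware would target, and then flags the ones that already look encrypted in place. The header check relies on well-known file magic numbers, which are an assumption of the example rather than anything the post states; the sample share it builds is constructed for the demonstration.

```python
"""Added example (not from the original post): find which files on a share the
ransomware would target, using the post's own wildcard list, and flag the ones
that already look encrypted in place."""
import fnmatch
import math
import os
import tempfile
from collections import Counter

# The target list from the post.  The malware matches plain wildcards against
# file names, so fnmatch reproduces its behaviour directly ('????????.jpg' is
# an eight-character base name such as DSC_0001.jpg).
TARGET_PATTERNS = """
*.odt *.ods *.odp *.odm *.odc *.odb *.doc *.docx *.docm *.wps *.xls *.xlsx
*.xlsm *.xlsb *.xlk *.ppt *.pptx *.pptm *.mdb *.accdb *.pst *.dwg *.dxf *.dxg
*.wpd *.rtf *.wb2 *.mdf *.dbf *.psd *.pdd *.eps *.ai *.indd *.cdr ????????.jpg
????????.jpe img_*.jpg *.dng *.3fr *.arw *.srf *.sr2 *.bay *.crw *.cr2 *.dcr
*.kdc *.erf *.mef *.mrw *.nef *.nrw *.orf *.raf *.raw *.rwl *.rw2 *.r3d *.ptx
*.pef *.srw *.x3f *.der *.cer *.crt *.pem *.pfx *.p12 *.p7b *.p7c
""".split()

# Bytes a healthy file of each type begins with (assumed well-known magic
# numbers; types without an entry fall back to the entropy check alone).
MAGIC = {
    ".docx": [b"PK\x03\x04"], ".xlsx": [b"PK\x03\x04"], ".pptx": [b"PK\x03\x04"],
    ".odt": [b"PK\x03\x04"], ".ods": [b"PK\x03\x04"], ".odp": [b"PK\x03\x04"],
    ".doc": [b"\xd0\xcf\x11\xe0"], ".xls": [b"\xd0\xcf\x11\xe0"], ".ppt": [b"\xd0\xcf\x11\xe0"],
    ".jpg": [b"\xff\xd8\xff"], ".jpe": [b"\xff\xd8\xff"], ".psd": [b"8BPS"],
    ".rtf": [b"{\\rtf"], ".pem": [b"-----BEGIN"], ".crt": [b"-----BEGIN", b"\x30\x82"],
    ".cer": [b"-----BEGIN", b"\x30\x82"], ".der": [b"\x30\x82"],
}

def is_target(path):
    """True if the file's base name matches one of the ransomware's patterns."""
    name = os.path.basename(path).lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in TARGET_PATTERNS)

def shannon_entropy(data):
    """Bits of entropy per byte: close to 8.0 for ciphertext, lower for most documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path, threshold=7.5):
    """A targeted file whose header no longer matches its type and whose bytes are
    near-random has very likely been encrypted in place (CryptoLocker kept the
    original name and extension).  Zip-based formats such as .docx are themselves
    high-entropy, which is why the header check comes first."""
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)          # the first MiB is enough for both checks
    ext = os.path.splitext(path)[1].lower()
    if any(data.startswith(m) for m in MAGIC.get(ext, [])):
        return False                     # header intact: not encrypted in place
    return shannon_entropy(data) >= threshold

def scan(root):
    """Walk a tree (for instance a mapped share) and return the sorted lists
    (targeted_files, suspected_encrypted_files)."""
    targeted, suspect = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_target(path):
                targeted.append(path)
                if looks_encrypted(path):
                    suspect.append(path)
    return sorted(targeted), sorted(suspect)

def build_demo_share():
    """Constructed sample share: an intact .docx and .jpg, a .txt that is not on
    the target list, and an .xlsx overwritten with random bytes to stand in for
    a file the ransomware has already encrypted.  Returns the directory path."""
    root = tempfile.mkdtemp(prefix="share_")
    os.mkdir(os.path.join(root, "Accounting"))
    with open(os.path.join(root, "Accounting", "Q3 report.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"[Content_Types].xml" * 200)
    with open(os.path.join(root, "Accounting", "ledger.xlsx"), "wb") as fh:
        fh.write(os.urandom(64 * 1024))  # stands in for AES ciphertext
    with open(os.path.join(root, "DSC_0001.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 2000)
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"not on the target list\n")
    return root

if __name__ == "__main__":
    share = build_demo_share()
    targeted, suspect = scan(share)
    print("targeted:", [os.path.relpath(p, share) for p in targeted])
    print("suspected encrypted:", [os.path.relpath(p, share) for p in suspect])
```

Run `scan()` against a UNC path or mapped drive from a clean machine to measure how much of a share is exposed before an incident, or to triage which files need restoring after one. The script only reads files, so it is safe to run against production shares; the entropy threshold is deliberately conservative, and files under a few kilobytes may score below it even when encrypted.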
Recovery from such an attack is limited to two options: pay the ransom (a dangerous idea, since you are dealing with criminals who are under no obligation to deliver the key) or restore from a backup. This emphasizes the importance of maintaining regular, versioned backups. Even more insidious, if the backup destination is a drive or share the infected user's account can write to, the backups are encrypted right alongside the originals. Encrypting the backups yourself does not prevent that (encryption protects their confidentiality, not their integrity); what protects them is keeping them out of reach of the user's session: a backup server that pulls data with its own credentials rather than a share users can write to, offline media rotated off-site, and enough retained versions that you can roll back to a copy made before the infection.
Prevention, as with most risks in the malware landscape, involves layers of measures. The most important is awareness and common sense when handling email attachments. Only open attachments you are clearly expecting from a particular individual, and better still, contact the sender by phone or a separate message to verify they sent one. Turn on the display of file extensions in Windows Explorer so that invoice.pdf.exe cannot pass as invoice.pdf, and turn off the attachment preview options in Outlook so that a stray click does not open an attachment you only meant to glance at.

On managed networks, add a technical layer behind the human one: a Software Restriction Policy or AppLocker rule that blocks executables from running out of the user profile's %AppData% and %Temp% folders, where this malware (and most email-borne malware) drops itself, stops the attachment from running even when a user is fooled. The BleepingComputer article linked below walks through those rules.

Organizations should also review their business-critical data and ensure that access is limited to the individuals who need it, rather than granted globally through group policy. The last thing you want is for a weekend bookkeeper to take down all of your data because their account had write access to more than just the accounting share. Users should be compartmentalized to access only what is necessary to perform their job function, and where read access is enough, write access should not be granted: ransomware running as that user can only encrypt what that user can write.

Finally… backup, backup, backup, backup. It cannot be stressed enough that maintaining good, versioned backups on a regular basis, kept where user accounts cannot overwrite them and tested by actually restoring from them, is not just a good idea but critical for any business.
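The attachment advice above can also be turned into an automated check. The script below is an added example, not code from the original post or from any mail product: it inspects an email the way a mail gateway or a cautious help desk would, flagging the lure pattern this ransomware used, a ZIP hiding an executable behind a document-looking double extension. The extension sets and the sample "bill of lading" message are constructed for the demonstration; the executable inside the sample ZIP is only a DOS header magic, not a real program.

```python
"""Added example (not from the original post): inspect an email the way a mail
gateway or a cautious user would, flagging the attachment pattern this lure
uses, a ZIP that hides an executable behind a document-looking double extension."""
import io
import zipfile
from email.message import EmailMessage

# Assumed sets for the example: extensions Windows will execute on double-click,
# and extensions a lure borrows to look like a harmless document.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

def classify_name(name):
    """Reasons a file name is suspicious (empty list if it looks benign)."""
    reasons = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            # 'invoice.pdf.exe' shows as 'invoice.pdf' when Windows hides extensions
            reasons.append("double extension mimicking a document (." + parts[-2] + ext + ")")
    return reasons

def inspect_zip(data):
    """Open a ZIP attachment in memory and report members that are executables,
    by name or by content (only the first two bytes of each member are read)."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                for r in classify_name(info.filename):
                    reasons.append("zip member %s: %s" % (info.filename, r))
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        reasons.append("zip member %s: PE executable header" % info.filename)
    except zipfile.BadZipFile:
        reasons.append("named .zip but not a valid archive")
    return reasons

def inspect_message(msg):
    """Map each suspicious attachment's file name to the reasons it was flagged."""
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = classify_name(name)
        if payload.startswith(b"MZ"):
            reasons.append("PE executable content regardless of name")
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            reasons += inspect_zip(payload)
        if reasons:
            findings[name] = reasons
    return findings

def build_sample_message():
    """Constructed lure in the style the post describes: a fake shipping notice
    whose 'bill of lading' is a ZIP holding a file named like a PDF but ending in
    .exe.  The member's bytes are just a DOS header magic, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Bill_of_Lading_2013.pdf.exe", b"MZ" + b"\x90" * 64)
    msg = EmailMessage()
    msg["From"] = "notices@shipping.example"
    msg["To"] = "accounting@company.example"
    msg["Subject"] = "Shipment notification - bill of lading attached"
    msg.set_content("Please review the attached bill of lading for your shipment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Bill_of_Lading_2013.zip")
    msg.add_attachment(b"%PDF-1.4 (harmless tracking sheet)", maintype="application",
                       subtype="pdf", filename="tracking.pdf")
    return msg

if __name__ == "__main__":
    for name, reasons in inspect_message(build_sample_message()).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The point of checking content as well as names is that a renamed executable still starts with the MZ header, and a ZIP member is inspected before anyone extracts it. A real gateway would quarantine on any finding; here the same logic simply reports what a user who had extension display turned on would have seen for themselves.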
For more information see http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
Or contact your account manager for network assessment.
Chris Bodenhamer
Sierra Computer Group Dispatch