Warning about Ransomware and Windows Computers

Post date: Nov 20, 2013 7:32:28 PM

Thanks to Dave Opperud for the information below about a new threat - ransomeware - that affects Windows computers. More info can be found here -http://www.sophos.com/en-us/support/knowledgebase/119006.aspx

Hello everyone,

We’re sending out an e-mail to warn of a relatively new cyber-attack that is making the rounds as a reminder to be extra cautious when it comes to opening attachments or downloading files from unknown sources or unexpected attachments from friends and family.

There is a relatively new type of malware out right now (ransom ware) called cryptolocker. Affecting Windows machines, this is particularly malicious attack often comes embedded in fake PDF files, may be linked to in e-mails (Some claim to be from FedEx or UPS) or can be embedded in website downloads. Cryptolocker will install itself invisibly after you open the attachment, and quickly scan your attached and network drives. Then it will lie dormant until you restart your machine and encrypt your data into an unbreakable vault. Everything you have will essentially be gone until it is decrypted with a key. At that point you will be prompted to go to either a website or (believe it or not) a call center where you will be asked to pay a ransom. I know, this all sounds like a something from a movie. If you do not pay the ransom within 72 hours, the key value that is used to encrypt/decrypt all of your data will automatically destroy itself, and your data will be gone forever. There is no known way to recover the data and there is no current anti-virus that is able to block the attack effectively. The only way to recover the computer is to completely format the machine (wipe it out) and hopefully restore from an uninfected backup or pay the ransom in the form of Bitcoins (an online currency that was selected because it is basically untraceable).

On our networks, this is extremely dangerous as cryptolocker attacks local and network drives. We do everything we can to defend from these attacks, deploying several different defensive systems in the process: We isolate networks as much as possible, we tightly control permissions on our resources to prevent someone from inadvertently spreading the attack or installing it, we scan attachments that come into the network and limit our network access to only the assets we monitor and control and we filter web destinations known to harbor these attacks. Still, we remind you to delete any e-mails from unknown sources and do not open unsolicited attachments. When in doubt, reach out to the helpdesk.

Though we do not support your home environments, we want to mention this to you as you are more vulnerable on your home machines since you likely do not have a web filtering service. Again, if you click on a malicious link or open an infected file, you will likely only know of the problem when the following popup appears:

[http://sophosnews.files.wordpress.com/2013/10/th-paypage-4801.png?w=480&h=376]

The sad reality is that the only known remedy at this time is to pay the ransom – which usually seems to work. Most companies infected are reportedly doing so at this time, most residential users just wipeout their machine and start over (hopefully from a backup). The average cost has been $300 per machine. There are no guarantees that you will receive the key as cryptolocker is tied to organized crime and unfortunately every ransom paid just furthers their campaign.

Our intent is not to scare you with this, it’s sad that these things are happening but it is indicative of the technical times we live in. There are many attacks, malwares, viruses, etc. that exist that are destructive, we felt that this example was severe enough to warrant a company-wide reminder to help us protect you by using common sense, if the e-mail seems bad, it probably is and you should delete it. If the website seems suspicious, close it.