TA13-309A: CryptoLocker Ransomware Infections

celerymoldwarp, Security

3 Dec 2013



National Cyber Awareness System:

TA13-309A: CryptoLocker Ransomware Infections

11/05/2013 10:58 AM EST

Original release date: November 05, 2013 | Last revised: November 06, 2013

Systems Affected

Microsoft Windows systems running Windows 7, Vista, and XP operating systems

Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that encrypts files on infected computers and demands that the victim pay the attackers in order to obtain the key needed to decrypt and recover those files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices.

In addition, there have been reports that some victims saw the malware appear following a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. If one computer on a network becomes infected, files on any network drives mapped from that computer can also be encrypted. CryptoLocker then connects to the attackers' command and control (C2) server to deposit the asymmetric private encryption key out of the victim's reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting: data encrypted under the public key, which is all the malware needs on the victim's machine, can only be decrypted with the corresponding private key, which the attackers keep on their C2 server. Because the infected system never holds the private key, the encrypted files cannot be recovered from that system alone.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.

US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Solution

Prevention

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:



- Do not follow unsolicited web links in email messages or submit any information to webpages in links
- Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments
- Maintain up-to-date anti-virus software
- Perform regular backups of all systems to limit the impact of data and/or system loss; keep at least one copy offline or otherwise not writable from the protected systems, since the malware encrypts any attached USB, external and mapped drives it can reach
- Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity
- Secure open-share drives by only allowing connections from authorized users, and grant write access only to the accounts that need it
- Keep your operating system and software up-to-date with the latest patches
- Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams
- Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks
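One concrete way to act on the detection item above, as an added example that is not part of the advisory: a file server sees an infected workstation encrypting a mapped drive as a single account rewriting an unusual number of distinct files in a short window. The Python below runs that heuristic over a constructed, simplified audit-log format (timestamp, account, client host, operation, UNC path); the format, the 60-second window and the 10-file threshold are assumptions to be tuned against the share's normal activity.

```python
"""
Burst detector for write activity on a file share. An infected
workstation encrypting a mapped drive appears on the file server as
ONE account rewriting an abnormal number of DISTINCT files in a short
window. Added example; log format and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60            # assumed: sliding window length
DISTINCT_FILE_THRESHOLD = 10   # assumed: distinct files written in one window that trips an alert
WRITE_OPS = {"WRITE", "RENAME", "DELETE"}   # operations that can destroy data; READ is ignored

# Constructed sample audit log (assumed format): ISO timestamp, account, client host, operation, UNC path.
SAMPLE_LOG = [
    "2013-11-05T09:58:01Z asmith WS-0077 WRITE \\\\FS01\\finance\\q3\\budget.xlsx",
    "2013-11-05T10:02:15Z asmith WS-0077 READ \\\\FS01\\finance\\q3\\forecast.xlsx",
    "2013-11-05T10:06:40Z asmith WS-0077 WRITE \\\\FS01\\finance\\q3\\forecast.xlsx",
    "2013-11-05T10:07:02Z jdoe WS-0142 READ \\\\FS01\\hr\\policies.docx",
] + [
    # Constructed burst: jdoe's workstation rewrites 12 distinct files in 22 seconds.
    f"2013-11-05T10:07:{10 + 2 * i:02d}Z jdoe WS-0142 WRITE \\\\FS01\\hr\\onboarding\\form{i:02d}.docx"
    for i in range(12)
] + [
    "2013-11-05T10:09:00Z asmith WS-0077 WRITE \\\\FS01\\finance\\q3\\notes.txt",
]


def parse_line(line):
    """Split one audit line into (datetime, account, client, operation, path)."""
    ts, account, client, op, path = line.split(maxsplit=4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, client, op, path


def detect_bursts(lines, window=WINDOW_SECONDS, threshold=DISTINCT_FILE_THRESHOLD):
    """Return one alert per (account, client) whose distinct written files
    within any `window`-second span reach `threshold`. Lines must be in time order."""
    recent = defaultdict(deque)   # (account, client) -> deque of (timestamp, path) inside the window
    alerts, alerted = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, account, client, op, path = parse_line(line)
        if op not in WRITE_OPS:
            continue
        key = (account, client)
        q = recent[key]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "account": account,
                "client": client,
                "distinct_files": len(distinct),
                "window_start": q[0][0].isoformat(),
                "window_end": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {alert['account']}@{alert['client']}: {alert['distinct_files']} distinct files "
              f"written between {alert['window_start']} and {alert['window_end']}")
```

The alert names the client host, which is the machine to pull off the network first; the account is what the share sees, not necessarily where the malware runs. A real deployment would feed the file server's object-access audit events into parse_line and would whitelist backup and indexing accounts that legitimately touch many files at once.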

Mitigation

US-CERT suggests the following possible mitigation steps that users and administrators can implement if they believe their computer has been infected with CryptoLocker malware:



- Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from encrypting further files on the network
- Users who are infected should change all passwords AFTER removing the malware from their system (credentials changed on a still-infected machine may be captured again)
- Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:
  o Restore from backup,
  o Restore from a shadow copy (confirm the copy predates the infection before restoring from it) or
  o Perform a system restore.
