A note from our Network Services professional, Tom Warren, on the dangerous ransomware by the name of CryptoLocker. (& source: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information)
To All, I want to alert you to a ransomware that has just struck another company in the Harrisburg area. It is called CryptoLocker. This is a particularly brutal virus in that it takes your files hostage, encrypting them at the level of 1024-bit or above, then sends you a ransom note. The ransom note received by this company required payment of $400 to un-encrypt the files. If you do not pay, then you do not get your files back.
What is CryptoLocker
CryptoLocker is a ransomware program that was released around the beginning of September 2013 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.
How do you become infected with CryptoLocker
This infection is typically spread through emails sent to company email addresses that pretend to be customer-support messages from Fedex, UPS, DHS, etc. These emails contain a zip attachment that, when opened, infects the computer. The zip files contain executables disguised as PDF files: they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft Windows does not show file extensions by default, they look like normal PDF files and people open them.
The current list of known CryptoLocker email subjects includes:
- USPS - Your package is available for pickup ( Parcel 173145820507 )
- USPS - Missed package delivery ("USPS Express Services" <email@example.com>)
- USPS - Missed package delivery
- FW: Invoice <random number>
- ADP payroll: Account Charge Alert
- ACH Notification ("ADP Payroll" <*@adp.com>)
- ADP Reference #09903824430
- Payroll Received by Intuit
- Important - attached form
- FW: Last Month Remit
- McAfee Always On Protection Reactivation
- Scanned Image from a Xerox WorkCentre
- Scan from a Xerox WorkCentre
- scanned from Xerox
- Annual Form - Authorization to Use Privately Owned Vehicle on State Business
- Fwd: IMG01041_6706015_m.zip
- My resume
- New Voicemail Message
- Voice Message from Unknown (675-685-3476)
- Voice Message from Unknown Caller (344-846-4458)
- Important - New Outlook Settings
- Scan Data
- FW: Payment Advice - Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13]
- Payment Advice - Advice Ref:[GB2198767]
- New contract agreement.
- Important Notice - Incoming Money Transfer
- Notice of underreported income
- Notice of unreported income - Last months reports
- Payment Overdue - Please respond
- FW: Check copy
- Corporate eFax message from "random phone #" - 8 pages (random phone # & number of pages)
- past due invoices
- FW: Case FH74D23GST58NQS
- Symantec Endpoint Protection: Important System Update - requires immediate action
For more information you can refer to: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information.
Please make staff aware that they need to be extra vigilant when they are opening e-mails with attachments. If they do not know where the e-mail came from or were not expecting an e-mail from UPS, for example, then do not open it.
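The disguised attachments described above (an executable inside a zip, named like FORM_101513.pdf.exe) can be caught before a user ever sees the PDF icon. The following is an added example, not part of the original note or of the source article: a check a mail filter could run on zip attachments. The extension lists, function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document extensions commonly used as the decoy half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def classify_member(name):
    """Return 'double-extension', 'executable' or None for one archive entry."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    clean = name.replace("\\", "/").rstrip(" .")
    suffixes = [s.lower() for s in PurePosixPath(clean).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "double-extension"  # e.g. FORM_101513.pdf.exe
    return "executable"            # e.g. FORM_101513.exe


def scan_zip(data):
    """Return [(member_name, verdict)] for risky entries in a zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdict = classify_member(info.filename)
            if verdict:
                findings.append((info.filename, verdict))
    return findings


def build_sample_zip():
    """Constructed sample: harmless text bytes stored under the page's filenames."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FORM_101513.pdf.exe", b"not a real executable")
        zf.writestr("FORM_101513.exe", b"not a real executable")
        zf.writestr("report.v2.pdf", b"benign document placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_zip()):
        print(f"BLOCK {name}: {verdict}")
```

The check relies on file names only, so it complements rather than replaces content scanning of attachments.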