Beware the Cryptowall 3.0 virus!
Made in gb
Grim Dark Angels Interrogator-Chaplain





The Rock

Just got it at my workplace. Man, I hate this hacker crap. Here's what it does

Trojan.Cryptowall
Risk Level 1: Very Low
Discovered: June 19, 2014
Updated: March 3, 2015 12:41:26 PM
Type: Trojan
Systems Affected: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Vista, Windows XP
SUMMARY
Trojan.Cryptowall is a Trojan horse that encrypts files on the compromised computer. It then asks the user to pay to have the files decrypted.

The threat typically arrives on the affected computer through spam emails, exploit kits hosted through malicious ads or compromised sites, or other malware.

Once the Trojan is executed on the compromised computer, it creates a number of registry entries to store the path of the encrypted files and run every time the computer restarts. It encrypts files with particular extensions on the computer and creates additional files with instructions on how to obtain the decryption key.

This threat family attempts to convince the user to pay money in order to get the key to unlock their files. It uses a variety of different techniques in order to encourage the user to pay the ransom.

Note: Trojan.Cryptodefense is a variant of Trojan.Cryptowall.

Infection
The Trojan is mainly distributed through spam campaigns, compromised websites, malicious ads, or other malware.

In Cryptowall spam campaigns, the emails usually contain a malicious attachment and include a message attempting to convince the user to download the file. The email could claim that the attachment is an invoice, an undelivered package notice, or an incoming fax report. If the user opens the attachment, then their computer will be infected with Trojan.Cryptowall.

The Trojan may also be distributed through exploit kits hosted on compromised websites or malicious ads. Some of the exploit kits that have been used to compromise users’ computers with the threat include the Rig exploit kit and the Nuclear exploit kit. Symantec has extensive IPS protections in place against these kits.

The Trojan may also arrive through other threats that have already compromised the computer, such as Downloader.Upatre or Trojan.Zbot.


Functionality
The Trojan was designed to prevent the user from accessing their files and force them to pay the attacker in order to regain access. It does this by encrypting a wide variety of files on the compromised computer using public/private key encryption with a strong 2048-bit RSA key.

Once the files are encrypted, the Trojan displays a text document or HTML page with a message. The message informs the user that their files have been encrypted and gives instructions on how to obtain the decryption key needed to unlock the files. It may also warn users that the decryption key will be deleted after a certain time period to pressure the user into paying sooner. The attacker may demand hundreds of US dollars in payment and the amount may increase after a specified time period.



The message also contains a link to a website where the user can make the payment. These sites are typically hosted on the anonymous Tor network, which helps the attacker hide their identity. The threat may ask the user to download a Tor network browser in order to view the site, though newer versions of the threat do not require the user to do this. The user may have to pay using cryptocurrencies such as bitcoin to further prevent the attacker’s identity from being traced.



Even if the user pays the ransom, there’s no guarantee that the attacker will provide the decryption key needed to unlock their files.


Geographical distribution
Symantec has observed the following geographic distribution of this threat:



This message was edited 1 time. Last update was at 2015/03/13 11:36:43


AoV's Hobby Blog 29/04/18 The Tomb World stirs p44
How to take decent photos of your models
There's a beast in every man, and it stirs when you put a sword in his hand
Most importantly, Win or Lose, always try to have fun.
Armies Legion: Dark Angels 
   
Made in gb
Highlord with a Blackstone Fortress






Adrift within the vortex of my imagination.

They should make fake coins with tracers for the law enforcement community to use.

Victim goes to police, police log in and 'pay' ransom in special coins, bitcoins are traced back and then self destruct, flagging and freezing the bitcoin account.

n'oublie jamais - It appears I now have to highlight this again.

It is by tea alone I set my mind in motion. By the juice of the brew my thoughts acquire speed, my mind becomes strained, the strain becomes a warning. It is by tea alone I set my mind in motion. 
   
Made in us
Kid_Kyoto






Probably work

 Orlanth wrote:
They should make fake coins with tracers for the law enforcement community to use.

Victim goes to police, police log in and 'pay' ransom in special coins, bitcoins are traced back and then self destruct, flagging and freezing the bitcoin account.


I mean, if it worked like that, that would be cool. One of the points of bitcoins is that there's no real way to do that.

Assume all my mathhammer comes from here: https://github.com/daed/mathhammer 
   
Made in gb
Contagious Dreadnought of Nurgle





Oxfordshire UK

Looks gak. Not for the first time, I'm glad I have an iMac...


 
   
Made in us
Legendary Master of the Chapter






Bitcoins are still a thing.

Also never open spam lel

 Unit1126PLL wrote:
 Scott-S6 wrote:
And yet another thread is hijacked for Unit to ask for the same advice, receive the same answers and make the same excuses.

Oh my god I'm becoming martel.
Send help!

 
   
Made in gb
Smokin' Skorcha Driver






And I'm sure the "marked" coins would get discovered or sold on so quickly that, even if it was possible to do that, it wouldn't be worthwhile.

Join us on the Phoenix Forum for Bolt Action Tournaments and Much More:
http://phoenixgamingrushden.proboards.com/


 
   
Made in pt
Tea-Kettle of Blood




 angelofvengeance wrote:
Just got it at my workplace.



Whoever gets "infected" with any of these trojans should be fired immediately and never be allowed near a computer again in their life.

And what kind of crap security does your workplace have installed that allows users to have any interaction with files infected with a trojan?!
   
Made in ie
Norn Queen






Dublin, Ireland

Out of interest what anti virus software do you guys use?
I've been using Avast for about 5 years and have had few problems. I also run malwarebytes and spybot regularly as well as a standard firewall.

Dman137 wrote:
goobs is all you guys will ever be

By 1-irt: Still as long as Hissy keeps showing up this is one of the most entertaining threads ever.

"Feelin' goods, good enough". 
   
Made in us
5th God of Chaos! (Ho-hum)





Curb stomping in the Eye of Terror!

For home? I just use Microsoft Defender. Never had any issues.

Live Ork, Be Ork. or D'Ork!


 
   
Made in pt
Tea-Kettle of Blood




 Ratius wrote:
Out of interest what anti virus software do you guys use?
I've been using Avast for about 5 years and have had few problems. I also run malwarebytes and spybot regularly as well as a standard firewall.


At home: AVG Free 2015 + Windows Firewall
   
Made in gb
Grim Dark Angels Interrogator-Chaplain





The Rock

PhantomViper wrote:
 angelofvengeance wrote:
Just got it at my workplace.



Whoever gets "infected" with any of these trojans should be fired immediately and never be allowed near a computer again in their life.

And what kind of crap security does your workplace have installed that allows users to have any interaction with files infected with a trojan?!


It was attached to a CV lol.

   
Made in us
The Conquerer






Waiting for my shill money from Spiral Arm Studios

I haven't gotten this particular virus, but I have gotten viruses that are similar. One thing you can do, not sure if it always works, is to boot your computer in safe mode and then restore a session prior to downloading or activating the virus. This can deactivate the virus long enough for you to have an anti-virus remove it.

Self-proclaimed evil Cat-person. Dues Ex Felines

Cato Sicarius, after force feeding Captain Ventris a copy of the Codex Astartes for having the audacity to play Deathwatch, chokes to death on his own D-baggery after finding Calgar assembling his new Eldar army.

MURICA!!! IN SPESS!!! 
   
Made in gb
Sinister Shapeshifter




The Lair of Vengeance....Poole.

 Grey Templar wrote:
I haven't gotten this particular virus, but I have gotten viruses that are similar. One thing you can do, not sure if it always works, is to boot your computer in safe mode and then restore a session prior to downloading or activating the virus. This can deactivate the virus long enough for you to have an anti-virus remove it.



If it's a personal computer, system restore to a safe point. If you're a competent user you should have several recent backups.

Malifaux masters owned: Guild(Sans McCabe), Outcasts(Sans Misaki), Arcanists(Sans Marcus)

Check my blog that I just started: http://unionfaux.blogspot.co.uk/ 
   
Made in gb
Grim Dark Angels Interrogator-Chaplain





The Rock

PhantomViper wrote:


And what kind of crap security does your workplace have installed that allows users to have any interaction with files infected with a trojan?!


To be honest this was only the first time we've been attacked properly. Most of the time crap like this just bounces off.

Anyone can be infected. No matter how good your online security is. Some jerk at a computer will always be looking for an excuse to ruin someone's day by writing a virus programme to spread around the web.

   
Made in us
Kid_Kyoto






Probably work

 thedarkavenger wrote:
 Grey Templar wrote:
I haven't gotten this particular virus, but I have gotten viruses that are similar. One thing you can do, not sure if it always works, is to boot your computer in safe mode and then restore a session prior to downloading or activating the virus. This can deactivate the virus long enough for you to have an anti-virus remove it.



If it's a personal computer, system restore to a safe point. If you're a competent user you should have several recent backups.


And most importantly, the only IT support advice you should take from Dakka is that you shouldn't take IT support advice from Dakka.

   
Made in gb
Grim Dark Angels Interrogator-Chaplain





The Rock

@Daedalus: Lol! I wasn't really looking for IT support on here anyways. Was giving you lot a heads up is all!

   
Made in us
Last Remaining Whole C'Tan






Pleasant Valley, Iowa

 angelofvengeance wrote:
Was giving you lot a heads up is all!


Not sure that's necessary. There's like 3 or 4 new threats like this discovered every day, and it's not like we're gonna have a thread for all of them. It's a low-priority threat competent IT infrastructures have patched for nearly a year, and there have been variants of this type since 2013.

 Ratius wrote:
Out of interest what anti virus software do you guys use?
I've been using Avast for about 5 years and have had few problems. I also run malwarebytes and spybot regularly as well as a standard firewall.


I use Avast as well. It's solid. I don't think there's a huge advantage to be had over Avast, AVG, or Microsoft Security Essentials, they are all very good.

This message was edited 1 time. Last update was at 2015/03/14 08:40:27


 lord_blackfang wrote:
Respect to the guy who subscribed just to post a massive ASCII dong in the chat and immediately get banned.

 Flinty wrote:
The benefit of slate is that it's actually a rock with rock-like properties. The downside is that it's a rock
 
   
Made in ie
Jovial Junkatrukk Driver





Angloland

I had a similar virus before; the way I got rid of it was to go on an Ubuntu OS and manually find and delete the virus. It should be a .bat or an .exe file. However, I don't know if this still works.


Also, 800th post. Omnissiah be praised.

This message was edited 1 time. Last update was at 2015/03/14 09:53:33


motyak wrote:[...] Yes, the mods are illuminati, and yakface, lego and dakka dakka itself are the 3 points of the triangle.
 
   
Made in us
Shas'o Commanding the Hunter Kadre





Richmond, VA

 sarpedons-right-hand wrote:
Look's gak. Not for the first time, I'm glad I have an iMac...


Mac users are just not important enough to suffer the brunt of malware and viruses; besides, what self-respecting malicious programmer uses a Mac?

Desert Hunters of Vior'la The Purge Iron Hands Adepts of Pestilence Tallaran Desert Raiders Grey Knight Teleport Assault Force
Lt. Coldfire wrote:Seems to me that you should be refereeing and handing out red cards--like a boss.

 Peregrine wrote:
SCREEE I'M A SEAGULL SCREE SCREEEE!!!!!
 
   
Made in us
Kid_Kyoto






Probably work

 juraigamer wrote:
 sarpedons-right-hand wrote:
Look's gak. Not for the first time, I'm glad I have an iMac...


Mac users are just not important enough to suffer the brunt of malware and viruses; besides, what self-respecting malicious programmer uses a Mac?


Now, when you say "Mac", do you mean OSX, or do you mean that you gave money to Apple for a laptop?

Cause....

   
Made in pt
Sinewy Scourge





Porto

PhantomViper wrote:
 angelofvengeance wrote:
Just got it at my workplace.



Whoever gets "infected" with any of these trojans should be fired immediately and never be allowed near a computer again in their life.

And what kind of crap security does your workplace have installed that allows users to have any interaction with files infected with a trojan?!


Happened at my workplace. Luckily, it never got to our server, so damage was minimal. Only one computer was infected and when we realized it we cut the connection.

When you have dozens of clients or suppliers and aren't particularly tech-savvy, it's not hard to miss the signs you and I both know so well. Especially because you're not really counting on it, it looks enough like any other invoice, and you have to pay it (and this takes longer than you'd think), because if you don't do it within a certain time frame it means it can make or break a deadline.

On a funnier note, we got a spam mail from the post; someone actually printed it and sent someone to pick it up.

anonymous @ best Warhammer Miniature wrote:i vote the choas dwarf lord as they are the greatest dwarfs n should get there own codex


 
   
Made in pt
Tea-Kettle of Blood




 Destrado wrote:

On a funnier note, we got a spam mail from the post; someone actually printed it and sent someone to pick it up.


Now you've gone and made me feel old...

I remember when spam snail mail was common, you would get letters in the post that read "send this letter back to 10 people or bad things will happen to you".
   