Over on the patching email discussion list, there's been a long discussion over the past couple days about the growing proliferation of Ransomware, or CrytpoLocker activations. This problem is growing at an alarming rate, so it's definitely worth warning all of you here at Windows IT Pro.
What it is
Ransomware is usually distributed through email attachments, but can sometimes be pushed through other methods directly to the end-user's PC. Once the user clicks on the file the damage is done. The attachment locates specific file types on the computer AND on the network (it maps network drives, seriously) and encrypts the files so they are inaccessible. The malware gets its name, Ransomware, because it will demand money to get access back to the encrypted files and provide payment options.
What it does
Per a Reddit postthe CryptoLocker infection does the following:
Payload: The virus stores a public RSA 2048-bit key in the local registry, and goes to a C&C server for a private key which is never stored. The technical nuts and bolts have been covered by Fabian from Emsisoft here. It will use a mix of RSA 2048-bit and AES 256-bit encryption on files matching these masks:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c, *.pdf, *.tif
It will also access mapped network drives that the current user has write access to and encrypt those.
Is anyone safe?
It has been confirmed to infect computers running Windows XP through Windows 7 64bit. No Windows 8 infections have been reported yet. Again, once the CryptoLocker has been activated, it's too late. There are currently no patches to solve this problem, AntiVirus will not protect, and the Trojan does not rely on administrative rights to infect, i.e., anyone can be infected. Several AntiVirus vendors offer cleanup tools.
Sophos has a blog post that talks more about the recent warnings and offers suggestions and help. Read that here: Information regarding the Cryptolocker ransomware Trojan making the rounds
Remind your users to NEVER click on attachments or files from an unknown source. If there's ANY question, have them contact the HelpDesk or official support group within the company.
Be careful out there.