Recently we have also noted infections arriving via a download from a web page, reached either from a link in a spam Email or from a link on a page you are browsing.
Typical Email infections may come in the following forms:-
A ZIP file attached to an Email message contains an executable file whose filename and icon are disguised as a PDF, taking advantage of Windows' default behaviour of hiding known file extensions: a file named invoice.pdf.exe is displayed as invoice.pdf, so the real .EXE extension is never seen. It could be contained in an Email which claims to have any of the following (this is by no means an exhaustive list):-
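To make the disguise concrete, here is an added example (not from the original newsletter) that triages a ZIP attachment the way a mail gateway or help desk might: it reconstructs the name a user sees with Windows' default "Hide extensions for known file types" setting on, compares it with the real extension, and checks whether the member's bytes start with the Windows executable header MZ. The archive it inspects is constructed in memory and its filenames are invented.

```python
import io
import os
import zipfile

# File types Windows runs as code on double-click (not an exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1"}
# Extensions an attacker would plausibly disguise the payload as.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows .exe/.dll/.scr


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is dropped, so 'Payment_copy.pdf.exe' reads 'Payment_copy.pdf'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def triage_zip(data: bytes) -> list:
    """Return one finding per suspicious archive member, with the reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = os.path.basename(info.filename)
            real_ext = os.path.splitext(name)[1].lower()
            shown = displayed_name(name)
            shown_ext = os.path.splitext(shown)[1].lower()
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            reasons = []
            if real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS:
                reasons.append(f"double extension: shown as '{shown}' but runs as {real_ext}")
            if head == PE_MAGIC and real_ext not in EXECUTABLE_EXTS:
                reasons.append(f"PE header (MZ) inside a file claiming to be {real_ext or 'extensionless'}")
            if real_ext in EXECUTABLE_EXTS and not reasons:
                reasons.append(f"executable attachment ({real_ext})")
            if reasons:
                findings.append({"name": name, "displayed_as": shown, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: the classic disguise, a harmless PDF,
    and a PE renamed to .pdf (invented names and contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment_copy.pdf.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed sample\n")
        zf.writestr("scan.pdf", PE_MAGIC + b"\x90" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(f"{finding['name']} (appears as {finding['displayed_as']}): "
              + "; ".join(finding["reasons"]))
```

The magic-byte check matters because the extension test alone misses a PE that has simply been renamed to .pdf; the reverse is also true, which is why both are reported. The same logic applies to attachments that are not zipped, with the container loop removed.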
A Word document containing a macro. The macro is written in Visual Basic and, once the document is opened and macros are allowed to run, it downloads the malware from the web directly to the user's machine. If you open a Word document and get a message the same as or similar to the one below, you should be VERY suspicious of it and it would be best to contact your IT provider.
When first run, the payload installs itself in the user's profile folder and adds a startup setting to the computer so that it runs again every time the machine boots. It then attempts to contact one of several designated command-and-control servers on the Internet; once connected, the server generates an encryption key pair and sends the public half back to the infected computer, keeping the private key needed for decryption on the attacker's side.
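A quick way to check a workstation for the startup setting described above, as an added example that is not from the original newsletter: the page only says "a setting", so this assumes the common case of a value under the current user's Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), which is where CryptoLocker placed its entry, and ranks each entry by whether it launches something from a user-writable profile location. The `reg query` output it parses is constructed; the value name Rqfycsan and the username alice are invented. Legitimate software such as OneDrive also runs from the profile, which is why those entries are reported as low rather than high.

```python
import re
import subprocess

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# High-confidence patterns: a loose executable dropped straight into a profile
# folder, or anything launched from Temp/Downloads. Legitimate installers use
# a vendor sub-folder (...\AppData\Local\Microsoft\OneDrive\...), so they miss here.
HIGH_RISK = [
    (re.compile(r"\\appdata\\roaming\\[^\\]+\.[a-z0-9]{2,4}$", re.I), "file sits directly in %APPDATA%"),
    (re.compile(r"\\appdata\\local\\[^\\]+\.[a-z0-9]{2,4}$", re.I), "file sits directly in %LOCALAPPDATA%"),
    (re.compile(r"\\appdata\\local\\temp\\", re.I), "runs from %TEMP%"),
    (re.compile(r"\\users\\[^\\]+\\(?:downloads|desktop)\\", re.I), "runs from Downloads or Desktop"),
]
# Anything else under a user profile is user-writable and worth a look.
PROFILE_PATH = re.compile(r"\\users\\[^\\]+\\", re.I)


def parse_reg_query(text: str) -> list:
    """Parse `reg query <key>` output into (value_name, data) pairs.
    reg.exe separates the three columns with runs of spaces."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HKEY_"):
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            entries.append((parts[0], parts[2]))
    return entries


def executable_path(command: str) -> str:
    """Extract the program a Run value launches: a quoted path, or an unquoted
    path up to the first script/executable extension (spaces allowed)."""
    m = re.match(r'\s*"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"\s*(.+?\.(?:exe|scr|com|bat|cmd|vbs|js|ps1))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.strip()


def triage_run_entries(entries) -> list:
    """Rank Run entries: 'high' for loose files in profile folders, 'low' for other
    user-profile paths; entries under Program Files or Windows are not reported."""
    findings = []
    for name, command in entries:
        path = executable_path(command)
        reasons = [why for rx, why in HIGH_RISK if rx.search(path)]
        if reasons:
            severity = "high"
        elif PROFILE_PATH.search(path):
            severity, reasons = "low", ["runs from the user profile; check the publisher signature"]
        else:
            continue
        findings.append({"value": name, "path": path, "severity": severity, "reasons": reasons})
    return findings


def triage_current_user() -> list:
    """Live check on a Windows host: query the Run key with reg.exe and triage it."""
    out = subprocess.run(["reg", "query", RUN_KEY], capture_output=True, text=True, check=True)
    return triage_run_entries(parse_reg_query(out.stdout))


# Constructed reg.exe output; the odd-looking Rqfycsan entry is the invented payload.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Rqfycsan    REG_SZ    "C:\Users\alice\AppData\Roaming\Rqfycsan.exe"
    Spotify    REG_SZ    "C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe" --autostart
    Sidebar    REG_SZ    C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
"""

if __name__ == "__main__":
    for f in triage_run_entries(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"[{f['severity']}] {f['value']}: {f['path']} -> {'; '.join(f['reasons'])}")
```

Run `triage_current_user()` on the suspect machine; a high-severity hit is a reason to pull the network cable before anything else, because the encryption of mapped drives described below continues for as long as the process runs.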
Whichever form it comes in, once the payload executes it may attempt to send an Email carrying the infection to every contact in your Outlook contact list. It then encrypts files across local hard drives and mapped network drives. Once that is complete, the payload displays a message informing the user that their files have been encrypted and demands payment through an anonymous pre-paid cash voucher. Payment of the ransom allows the user to download the decryption program, which is pre-loaded with the user's private key.
PLEASE, PLEASE, PLEASE relay to your staff how UNSAFE it is to open ANY document they are not expecting, even if it appears to come from a known source.
If activated on your system, CryptoLocker and all its variants will encrypt ALL common file types that the user's workstation has access to, including:-
It does this very fast: we have seen it encrypt approx. 110,000 files in under 20 minutes. It is hit and miss whether your firewall, antivirus, user policy restrictions or Email filtering software will stop the infection. New variants of this virus are written all the time, and some of them get caught while others do not.
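The speed quoted above (roughly 90 files a second) is itself something you can detect, so an antivirus miss on the workstation does not have to mean a silent loss of the whole share. Below is an added example, not from the original newsletter, of the check a monitoring script on the file server could run: snapshot the share, compare two snapshots, and alert when planted canary files change or the rate of rewritten files exceeds what people produce. It also measures the entropy of each changed file's first bytes, since encrypted output looks random while documents start with recognisable headers. The canary naming convention (~canary_), the 50-rewrites-per-minute threshold and the sample snapshots are all assumptions constructed for the example.

```python
import math
import os
import time
from collections import Counter

CANARY_PREFIX = "~canary_"      # assumption: decoy files planted in each share root
HEAD_BYTES = 4096               # how much of each file to read and measure
RATE_LIMIT_PER_MIN = 50         # assumption: more rewrites than this per minute is abnormal
ENTROPY_THRESHOLD = 7.2         # bits per byte; encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(head: bytes) -> bool:
    """Office, PDF and image files start with low-entropy headers; ciphertext does not."""
    return len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD


def snapshot(root: str) -> dict:
    """Map relative path -> (size, mtime, first HEAD_BYTES) for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                st = os.stat(full)
                with open(full, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue
            snap[os.path.relpath(full, root)] = (st.st_size, st.st_mtime, head)
    return snap


def compare(before: dict, after: dict, interval_s: float) -> dict:
    """Diff two snapshots taken interval_s apart and decide whether to alert."""
    changed = [p for p in before if p in after and after[p][2] != before[p][2]]
    removed = [p for p in before if p not in after]
    added = [p for p in after if p not in before]
    newly_encrypted = [p for p in changed + added if looks_encrypted(after[p][2])]
    canaries_hit = [p for p in changed + removed
                    if os.path.basename(p).startswith(CANARY_PREFIX)]
    rate_per_min = (len(changed) + len(removed)) / interval_s * 60
    return {
        "changed": changed, "removed": removed, "added": added,
        "newly_encrypted": newly_encrypted, "canaries_hit": canaries_hit,
        "rate_per_min": rate_per_min,
        "alert": bool(canaries_hit) or rate_per_min > RATE_LIMIT_PER_MIN,
    }


def watch(root: str, interval_s: float = 60.0) -> dict:
    """Poll a share and return (after printing) the first result that alerts."""
    before = snapshot(root)
    while True:
        time.sleep(interval_s)
        after = snapshot(root)
        result = compare(before, after, interval_s)
        if result["alert"]:
            print(f"ALERT on {root}: {result['rate_per_min']:.0f} rewrites/min, "
                  f"{len(result['newly_encrypted'])} now high-entropy, "
                  f"canaries touched: {result['canaries_hit']}")
            return result
        before = after


# Constructed snapshots: two Office files and a canary, then the same share after
# an encryptor rewrote two of them in place (headers replaced by random-looking bytes).
_ZIP_HEADER = b"PK\x03\x04" + b"\x00" * 300          # .docx/.xlsx are ZIP containers
_CIPHERTEXT = bytes(range(256)) * 2                   # stand-in for encrypted output
SNAPSHOT_BEFORE = {
    "finance/q1.xlsx": (12000, 1.0, _ZIP_HEADER),
    "finance/~canary_do_not_touch.docx": (800, 1.0, _ZIP_HEADER),
    "notes.txt": (300, 1.0, b"hello " * 50),
}
SNAPSHOT_AFTER = {
    "finance/q1.xlsx": (12016, 2.0, _CIPHERTEXT),
    "finance/~canary_do_not_touch.docx": (816, 2.0, _CIPHERTEXT),
    "notes.txt": (300, 1.0, b"hello " * 50),
}

if __name__ == "__main__":
    print(compare(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, interval_s=60.0))
```

At the rate the page describes, a one-minute polling interval would show several thousand rewrites between snapshots, far above the threshold; the canary check catches the slower variants that stay under it. Point `watch()` at the backup destination as well as the live shares, since a backup folder the workstation can write to is encrypted just like any other mapped drive.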
The following are examples of some of the Emails used to deliver the virus.
The most recent was the Email below, received yesterday, 30/06/2015:
You will still find these older infection types doing the rounds too…
Kia Ora,
Kindly find attached the Payment copy that was transferred to your account and let us know when the shipment will commence.
Margaret C. Sykes
Sales/GM of Export
King- Stone Trading Limited | 105 Hanover Street | PO Box 5743 | Dunedin | New Zealand
Phone: +64 3 471 8730 Facsimile: 64 3 430 8771
You will be DOUBLY at risk from this virus if your staff can access WEB-based email such as Gmail from a work computer, because it can infect you in exactly the same way from that source, and it bypasses whatever filtering sits in front of your business mail server.
If you are a Focus client with a monitoring plan, Focus will be checking your backups each morning. If you are not, this task is entirely up to YOU.
If you do get infected with this virus and you have GOOD BACKUPS, restoring still takes a significant amount of time. Backup files can be encrypted too if the backup destination is reachable from the infected workstation, so make sure your backup routine is right by talking to your IT provider.
If you are unsure or have any queries, call your IT provider. It's much better to prevent an infection than to have to tidy up afterwards!