Slashdot Mirror


Over 9,000 PCs In Australia Infected By TorrentLocker Ransomware

First time accepted submitter River Tam writes Cybercriminals behind the TorrenLocker malware may have earned as much as $585,000 over several months from 39,000 PC infections worldwide, of which over 9,000 were from Australia. If you're a Windows user in Australia who's had their files encrypted by hackers after visiting a bogus Australia Post website, chances are you were infected by TorrentLocker and may have contributed to the tens of thousands of dollars likely to have come from Australia due to this digital shakedown racket.

83 comments

  1. How? by ArcadeMan · · Score: 0, Flamebait

    How weak is your operating system and your browser if visiting a website can end up with this situation?

    1. Re:How? by Anonymous Coward · · Score: 5, Informative

      I was wondering too, it's in the article "The main way that PCs become infected is by spam email that encourages the victim to open what appears to be a document but is in fact an executable file that will install the malware and encrypt the files. In other words, it relies on social engineering rather than exploiting an un-patched bug. In some cases, the malware is delivered within a .zip file while in others, the message contains a link to the .zip file."
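
Added example (the editor's, not the poster's code and not from the article): a static triage of the kind of attachment described above. It opens the .zip in memory and flags members that Windows would execute on double-click, that carry a document-plus-executable double extension, or whose first two bytes are the PE "MZ" signature whatever the name says. The archive and its member names are constructed for the example; the extension lists are assumptions to tune for a real mail gateway.

```python
"""Static triage of a mail attachment of the kind the comment describes: a .zip
that wraps an executable posing as a document. Added example, not from the
article; the sample archive below is constructed inline."""
import io
import re
import zipfile

# Extensions Windows runs on double-click (assumption: a typical deny-list,
# tune it for your mail gateway).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".ps1"}
# Extensions a lure is likely to borrow for the "document" half of the name.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def triage_zip(data):
    """Return one finding per archive member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + part for part in base.split(".")[1:]]
            reasons = []
            if exts and exts[-1] in EXEC_EXT:
                reasons.append("executable extension " + exts[-1])
            if len(exts) >= 2 and exts[-2] in DOC_EXT and exts[-1] in EXEC_EXT:
                reasons.append("double extension: document name, executable suffix")
            if re.search(r"\s{4,}", base):
                # padding pushes the real extension past the column Explorer shows
                reasons.append("whitespace-padded name")
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ":
                # content check is independent of whatever name Explorer displays
                reasons.append("PE (MZ) header regardless of name")
            if reasons:
                findings.append({"member": info.filename,
                                 "size": info.file_size,
                                 "reasons": reasons})
    return findings


def build_sample_attachment():
    """Constructed lookalike of the lure: a PE stub named like a PDF, plus a
    harmless member so the scan has something to pass."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AusPost_Tracking_Notice.pdf.exe",
                    b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode")
        zf.writestr("Parcel details.pdf", b"%PDF-1.4\n% harmless sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_attachment()):
        print(f["member"], f["size"], "; ".join(f["reasons"]))
```

The MZ check is the one that matters at a gateway: the name-based rules catch the lazy lures, but renaming the payload to "notice.pdf" and instructing the victim to rename it back defeats them, while the first two bytes do not change. Scanning the content of archive members rather than trusting the extension is also what stops the "hidden extension" problem discussed further down the thread from mattering at the mail boundary.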

    2. Re:How? by Cramer · · Score: 1

      Sad, but true. All software has bugs. Some of them are in your browser.

      (Windows does tend to have more (exploited) holes than most, 'tho)

    3. Re:How? by KiloByte · · Score: 5, Insightful

      This malware relies on weakness in wetware rather than software. No general-purpose operating system can save you from PEBKAC issues, at most partially mitigate them. Unix-style execute bit rather than Windows' extensions reduces the number of vulnerable idiots by like 2-3 orders of magnitude, but you can bet that if the webpage kindly provides instructions, a good number of marks will still manage to get infected.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    4. Re:How? by Anonymous Coward · · Score: 0

      It is spread through email clients for the most part, people downloading spam email, which you often do, and it's put in the spam box with all the infected files contained...

    5. Re:How? by Cramer · · Score: 2

      ... except when your application(s) and OS hide file extensions making it difficult for people to see it's an "exe".

      (But yes, people are dumb.)

    6. Re:How? by rtb61 · · Score: 2

      You missed out one bit, the critical part: the ability to get away with the crime. Bitcoins seem to have found their true market, criminal enterprise. Interesting side note: the same countries were targeted each time, and a very unlikely set; it would seem the logical relationship between the perpetrators in each targeted location would be a family relationship. There really isn't all that much secrecy in bitcoins; like anything else digitally transmitted across the internet, bitcoins have a recognisable bitmap and their movement can be readily traced.

      --
      Chaos - everything, everywhere, everywhen
    7. Re:How? by thegarbz · · Score: 4, Interesting

      You don't need to hide the .exe extension. People will click on it anyway if they believe they have something to gain or something to lose.

    8. Re:How? by tlhIngan · · Score: 5, Informative

      This malware relies on weakness in wetware rather than software. No general-purpose operating system can save you from PEBKAC issues, at most partially mitigate them. Unix-style execute bit rather than Windows' extensions reduces the number of vulnerable idiots by like 2-3 orders of magnitude, but you can bet that if the webpage kindly provides instructions, a good number of marks will still manage to get infected.

      It's really just another form of Dancing Pigs social engineering attack. You give the user a plausible reason for downloading and installing software, and you'll find users go out of their way to install it.

      Doesn't matter the OS. And it can be anything - be it porn, a "private porn browser" or other such tool and any OS is vulnerable. (Yes, "private porn browser" - download now and browse your porn in privacy and even your wife won't find out...).

    9. Re:How? by Anonymous Coward · · Score: 4, Interesting

      I've received dozens of these. All via hijacked SMTP hosts.

      The interesting thing is that all are plain-text with the attachment. The attachment is only a few kilobytes long. No HTML, no javascript, nothing. Even more telling was that they came in batches of about 5. I'd start my day with about 5 in my inbox that all arrived within a few minutes of each other; all pretty much the same. Then nothing all day until the next morning when the same thing happened.

      They appear plausible, except the most recent one was "We noticed you haven't collected your tax refund of $few thousand." That's interesting because, in Australia, the ATO sends you a cheque or direct-deposits into your account for you. You don't collect anything. I've had parcel tracking ones, and all manner of other variations. There was one claiming to be a building approval. A "vehicle tax rebate" form. Then a "late fee" for something, etc.

      A few years ago I would have expected them to contain some malicious HTML or javascript, to try and force the attachment to execute in Outlook. I guess these days most clueless n00bs are using web based mail, which would make that a little more difficult.

      It's crap like this that makes me glad I gave my (technology) clueless mother a Linux machine with all the security bells and whistles enabled. I'm sure she got more than her share of these emails, which she can try to run to her heart's content. I'm even more sure that she is the reason I got them (forwarding my mails, or sending mails To: a hundred people).

    10. Re:How? by Anonymous Coward · · Score: 0

      But how would anyone actually pay? I know I wouldn't trust a party that has just hijacked my computer and messed it up to do anything even if I paid. There is nothing so important on my computer anyways that would make me take the chance, not even for a very cheap price. I'd feel like a loser if I did. Do NOT negotiate with terrorists or kidnappers.

    11. Re:How? by Imrik · · Score: 1

      I would guess that most of those that pay are corporations that actually need that data.

    12. Re:How? by Anonymous Coward · · Score: 0

      ...corporations that actually need that data.

      And don't have a backup regime? Unlikely. Small businesses rather than corporates, I'd guess, where there's less of an IT safety net.

    13. Re:How? by Anonymous Coward · · Score: 0

      Could be worse. Some operating systems can execute files even if they don't have a .exe ending.

    14. Re:How? by Anonymous Coward · · Score: 0

      I think you might be surprised how many CEOs have critical, rarely or un-backed-up data on their laptops.

    15. Re:How? by AmiMoJo · · Score: 1

      The main attraction of Bitcoin is that it can't be shut down. Any kind of credit card payment system or Western Union can be shut down easily and then there is no way for them to collect the money.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    16. Re:How? by sjames · · Score: 2

      And still, MS won't make opening something and running something distinctly different actions.

    17. Re:How? by jedidiah · · Score: 2

      > I've received dozens of these. All via hijacked SMTP hosts.

      Any time I see one of these I examine the headers and invariably it is some end user desktop running off of a dynamic IP from some ISP.

      --
      A Pirate and a Puritan look the same on a balance sheet.
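
Added example (the editor's, not the poster's code and not from the article) of the header check the comment describes, done the way it has to be done to be trustworthy: Received headers are prepended by each relay, so the only hop you can believe is the one your own MX wrote, and the first non-internal address walking down from the top is the host that actually connected. Everything below that line was supplied by the connecting host and can be forged. The message, hostnames and addresses are constructed (documentation ranges); the list of "internal" networks and the dynamic-hostname hints are assumptions to tune for your own relays and local ISPs.

```python
"""Walk Received headers from the hop our own MX recorded, ignoring the hops a
sender can forge beneath it. Added example, not from the article; the message
and all addresses are constructed."""
import email
import ipaddress
import re
from email import policy

# Networks our own relays live on (assumption: RFC 1918 plus loopback).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
CLAIMED_HOST = re.compile(r"\bfrom\s+(\S+)", re.I)
# Hostname fragments ISPs commonly give residential/dynamic pools (assumption).
DYNAMIC_HINT = re.compile(
    r"\b(dyn|dynamic|dsl|cable|pool|ppp|dhcp)\b|\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}",
    re.I)


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def trace_origin(raw):
    """Return the first non-internal IP that connected to a relay we control.

    Index 0 of get_all("Received") is the newest hop (our MX). Walking downward,
    the first address outside our networks is the furthest point the chain can
    be trusted; anything below it was written by that host."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for depth, hop in enumerate(msg.get_all("Received", [])):
        text = str(hop)
        m = BRACKET_IP.search(text)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if is_internal(ip):
            continue  # one of our own relays, keep walking
        claimed = CLAIMED_HOST.search(text)
        return {
            "ip": str(ip),
            "claimed_host": claimed.group(1) if claimed else "",
            "dynamic_hint": bool(DYNAMIC_HINT.search(text.split(" by ")[0])),
            "trusted_hops_above": depth,
        }
    return {}


def earliest_hop_ip(raw):
    """The naive reading: the bottom-most Received line. Anyone can write that one."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = msg.get_all("Received", [])
    m = BRACKET_IP.search(str(hops[-1])) if hops else None
    return m.group(1) if m else ""


# Constructed message: our MX (10.1.2.3) accepted the mail from a dynamic-pool
# host, which in turn presents a forged hop claiming the post office sent it.
SAMPLE_RAW = b"""Received: from mx-in.example.com.au ([10.1.2.3])
    by mailstore.example.com.au with ESMTP id a1; Wed, 17 Dec 2014 09:10:11 +1100
Received: from pool-203-0-113-45.dyn.example-isp.net.au (unknown [203.0.113.45])
    by mx-in.example.com.au with ESMTP id b2; Wed, 17 Dec 2014 09:10:10 +1100
Received: from mail.auspost.example (mail.auspost.example [192.0.2.10])
    by pool-203-0-113-45.dyn.example-isp.net.au with SMTP; Wed, 17 Dec 2014 09:10:09 +1100
From: "Australia Post" <noreply@example.invalid>
To: victim@example.com.au
Subject: Parcel notification
Content-Type: text/plain

Your parcel could not be delivered. Open the attached notice.
"""

if __name__ == "__main__":
    print("origin:", trace_origin(SAMPLE_RAW))
    print("bottom line claims:", earliest_hop_ip(SAMPLE_RAW))
```

The two functions give different answers on purpose: the bottom header names the post office, the trustworthy hop is a residential pool address, which matches the comment's observation. Feed the origin IP to your blocklist or abuse-reporting process, not the hostname the sender chose to claim.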
    18. Re:How? by jedidiah · · Score: 1

      Those require certain filesystem attributes to be set regardless of what the name on the file is.

      On the other hand, if your OS and user shell and email application simply avoid the equivalent of "bash you-don't-know-where-I-came-from.zip", you easily avoid a lot of this nonsense.

      You would never consider taking random things you find on the floor or street and putting them in your mouth, but that's exactly what some "modern" software does.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    19. Re:How? by Anonymous Coward · · Score: 0

      I have a coworker whose husband got a phone call that their computer generated an automated email for some hardware issue.
      They needed him to go to a URL so they could further diagnose the issue. He did it, no questions asked.
      Luckily, about 5-10 minutes later his wife got home and said 'What the hell are you doing?' and yanked the ethernet out of the wall.

      capcha: Syndrome

    20. Re:How? by Overzeetop · · Score: 1

      "You would never consider taking random things you find on the floor or street and putting them in your mouth"

      You clearly don't have kids. Kids don't know better and are curious. Now extend that to every person who doesn't manage computers for a living or as part of their hobby. Interestingly, that includes almost everyone born before 1960 and after about 1995. The younger generation understands computers as little as the elderly - we've simplified the UI to the point that they're magic boxes to both age groups.

      My 12 yo thought her computer was "kind of slow". Turns out, she was out of drive space - filled up the 100GB on the SSD and never even realized it.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    21. Re:How? by nosfucious · · Score: 1

      Very true. I was working in our office in Milan when two users PCs were hit.

      Email avoided Barracuda mail firewall device, Sophos on two Exchange servers, Sophos on the endpoint and Outlook junk-email filters. It also came in through our Cisco firewall with an IDS module.

      Email appeared to be a legit email from a logistics company in Italy (in Italian). Only three users out of 60 got the email, those that deal with the company. Two users opened the mail and the attachment.

      So, one, it avoided a lot of checking. Secondly it worked very fast. It encrypted hard drives and network drives to the tune of 170k files in a few minutes. Thirdly, it seems there were a few critical leaks of email databases (corroborated by the IT manager having spoken with her former colleagues and they had a similar problem only a few days beforehand). Lastly, it seems that the attack was highly targeted.

      Backup procedures are heavily audited in our company and the Italian IT back up nightly and test restores daily. It took a while to load data from the tapes, but within 24 hours, all network data was restored with only a few files (those created that day) lost. PC files lost amount to a few inconsequential files, plus lots of personal photos that the users had been warned NOT to store on company IT equipment.

      --
      Q:I was listening to a CD in Grip and it sounded horrible! What's up? A:Perhaps you are listening to country music
    22. Re:How? by mspohr · · Score: 1

      So on Linux, this malware can install itself without asking for a password?

      --
      I don't read your sig. Why are you reading mine?
    23. Re:How? by davester666 · · Score: 1

      On Windows 8.1, using IE [non-Metro], just visiting a website using the default configuration for security settings, lets it display the drivers that are installed, with version numbers, which presumably could also be uploaded to the server, without needing further interaction with the user [after clicking a link to go to that page].

      You might as well just have the web browser directly publish the vulnerabilities...

      --
      Sleep your way to a whiter smile...date a dentist!
    24. Re:How? by dohnut · · Score: 1

      I don't think young people are *that* bad. When we were kids, only people that could understand the lower level operation of a computer could use one, because there was no "high level" interface, i.e. they were not user-friendly. Since modern computers are relatively friendly and they are more useful to your average person now (the web, social platforms, etc.), you have many more people from *all* generations using computers. There are probably more young people today that understand computers well at a low level than in the past but they are outnumbered by all of their clueless peers, peers that didn't exist when we were kids.

      Recently I attempted to download a user manual (pdf) for some old device from a shady website and it ended up having an .exe extension. As it was downloading it popped-up a nice graphic showing me step-by-step how to "view" the document. Which included me clicking on the "document", saying "yes, I'd like to run this" at the first dialog, and then saying "yes, I allow this application to make changes to my computer" at the second dialog. I'm hoping anyone under the age of 60 sees this and laughs whilst deleting the "document" but (most) older people will follow these steps to the letter.

      --
      Stupider like a fox! - H.S.
    25. Re:How? by rtb61 · · Score: 1

      Actually bitcoins can be quite readily shut down, they can simply be detected and filtered off the internet between points of transmission and either kept or destroyed. Likely to become a growing target of opportunity for corrupt ISP employees or management.

      --
      Chaos - everything, everywhere, everywhen
    26. Re:How? by Imrik · · Score: 1

      Most small businesses are incorporated.

  2. Hey Vegeta... by Anonymous Coward · · Score: 0

    N/T

  3. It's Over 9000! by dillee1 · · Score: 4, Funny
    1. Re:It's Over 9000! by ArcadeMan · · Score: 1

      OMG I was blind to miss that.

    2. Re:It's Over 9000! by Anonymous Coward · · Score: 0
    3. Re:It's Over 9000! by loosescrews · · Score: 1

      Don't feel bad, Oprah missed it too:
      https://www.youtube.com/watch?...

    4. Re:It's Over 9000! by Anonymous Coward · · Score: 0

      Holy shit it was right in the headline and I didn't notice.

      Even TFA has it. Now I'm wondering if it was coincidence or not.

  4. 9000 by Ultra64 · · Score: 1

    So, like half?

  5. Do people actually get their files back?? by Anonymous Coward · · Score: 0

    Because it seems to me these hackers are preying on desperation and have little incentive to actually provide the key once they have the money?

    1. Re:Do people actually get their files back?? by Anonymous Coward · · Score: 1

      Except that if the victims do even the slightest research (say, oh, I don't know... a "Google" perhaps) and find that NO ONE is getting the key (or, conversely, that keys are being given for the ransom)... You think THAT might give the hackers incentive? Keeping the gravy train running? For the price of an emailed key, to keep those hundreds of thousands of dollars flowing in?

      Fucking derp.

  6. 9000? by Piripipiu · · Score: 0

    Nappa: Vegeta, what's the power level of this malware? Vegeta: It's over 9000!!!!! Nappa: 9000?! There's no way that can be right.

  7. TorrenLocker? by Anonymous Coward · · Score: 0

    Or TorrentLocker? Inquiring minds want to know!

  8. I can't believe people would fall for this! by Irate+Engineer · · Score: 1

    I'm surprised people are still gullible enough to click on links and attachments in emails, but apparently some still are. This is a pretty good explanation of the attack vector: https://www.youtube.com/watch?v=dQw4w9WgXcQ

    --

    Left MS Windows for Linux Mint and never looked back!

    Vote for Bernie in 2016!

    1. Re:I can't believe people would fall for this! by deek · · Score: 5, Funny

      Yeah, like I'm going to click on that link you posted! Can't fool me.

  9. Backups solve much of the problem: by Hartree · · Score: 4, Insightful

    As computer files become more valuable to ordinary people (rather than just IT geeks and businesses), backup plans become more important.

    Most general users don't do this, but as the data becomes more damaging if it's lost, encrypted or maliciously destroyed, they may need some sort of solution.

    Even a pretty sophisticated ransom-ware would have a hard time if you take an occasional backup and check it by restoring/reading the file on another machine.
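
Added example (the editor's, not the poster's code and not from the article) of the check this post recommends: hash the tree before it is backed up, prove that a restore elsewhere matches the hashes, and keep the same manifest to see exactly which files a later in-place encryption touched. The tree and the "malware" step are constructed in a temporary directory; the backup job is stood in for by a plain copy.

```python
"""The check the comment recommends, as code: hash a tree before backup, prove
a restore elsewhere matches, and reuse the manifest to list what a later
in-place encryption touched. Added example, not from the article; the tree is
constructed in a temporary directory."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> (size, sha256) for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_file(p))
    return manifest


def verify_against_manifest(manifest, root):
    """Compare a tree to the manifest; a clean restore has no missing or changed entries."""
    result = {"ok": 0, "missing": [], "changed": []}
    for rel, (size, digest) in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif p.stat().st_size != size or sha256_file(p) != digest:
            result["changed"].append(rel)
        else:
            result["ok"] += 1
    return result


def demo():
    """Constructed scenario: back up, restore to another location and verify it,
    then run the same check over the live tree after a simulated encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restore = (Path(tmp) / n for n in ("live", "backup", "restore"))
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "invoice.docx").write_bytes(b"PK\x03\x04 sample document body")
        (live / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 sample jpeg body")

        manifest = build_manifest(live)        # keep this with the offline copy
        shutil.copytree(live, backup)          # stand-in for the real backup job
        shutil.copytree(backup, restore)       # the restore test, on "another machine"
        restore_check = verify_against_manifest(manifest, restore)

        # simulate the malware: one file overwritten with ciphertext, one gone
        (live / "photo.jpg").write_bytes(os.urandom(64))
        (live / "docs" / "invoice.docx").unlink()
        live_check = verify_against_manifest(manifest, live)
    return {"restore": restore_check, "live": live_check}


if __name__ == "__main__":
    print(demo())
```

The manifest has to travel with the offline copy, not sit on the share: a manifest the malware can rewrite proves nothing. It records size and hash rather than modification time, because timestamps are cheap for an attacker to preserve and hashes are not.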

    1. Re:Backups solve much of the problem: by Anonymous Coward · · Score: 3, Interesting

      Word.

      Posting Anon because I'm embarrassed, but our business got hit hard by a rootkit two weeks ago (not TorrentLocker). Proved damn near impossible to get rid of.

      In the end we erased the physical desktops and rolled all the VMs back to our August DR backup. Fortunately all our work is done in VMs and we backed up data offsite religiously (with version histories).

      So we had a shitty virus protection policy but were saved by good backups.

      We now have WebRoot rolled out via group policy, firewalls, windows update and defender are enforced by same. I've added a task to randomly picking a VM to boot scan via a KAS rescue disk once a week.

    2. Re:Backups solve much of the problem: by Anonymous Coward · · Score: 0

      In other news, version-controlled file systems like ZFS/Btrfs have been giving you CoW clones/copies for years now - you really should have jumped on board by now.

      HFS+ has versions, not as transparent but almost as viable.
      NTFS has had shadow copies from day 1.

      The fact that de facto system setups aren't already using these is a worry; proper CoW copies or equivalent block-diff based version-controlled filesystems all have a pretty low overhead for most data structures, the exceptions being things like compressed video/audio (for which there are auxiliary systems in place on most systems that let you exclude trees from protection and/or limit their revision history).

    3. Re: Backups solve much of the problem: by Anonymous Coward · · Score: 0

      I use http://www.crashplan.com

      Cheers

      John

    4. Re:Backups solve much of the problem: by Anonymous Coward · · Score: 1

      Anon too for the same reasons.

      We got hit by this in a small way a few weeks ago, a drive-by download exploiting a Flash vulnerability for which a patch had been issued just the previous day but not rolled out. Not a huge impact on us, but Flash was just one day out of date and everything else was fully patched.

      Backups are the only real defence though. Offline backups too, as it is perfectly possible for ransomware to encrypt mapped network drives, USB devices and even in theory some cloud backup services.

    5. Re:Backups solve much of the problem: by DigiShaman · · Score: 1

      I've run into CryptoWall. Before it rears its ugly head to the end-user, it's programmed to first encrypt data both local and via mapped shares. Next, it purges all local shadow copies of whatever local volumes are enumerated to the local host (so as to prevent quick restoration of corrupted data). I can't imagine any of the server OS getting infected as that would require a user directly executing the malware from console, but in theory yeah, locally attached backup drives could get whacked as well. It's nasty. REAL NASTY!

      --
      Life is not for the lazy.
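
Added example (the editor's, not the poster's code and not from the article): detection logic for the shadow-copy purge described above, and the same pattern wbr1 notes further down where variants try to disable VSS. It runs over process-creation log lines and matches the command lines ransomware families use to remove local restore points, then raises severity when the parent process lives somewhere a user can write. The log format (one line per process with parent="..." and cmd="...") and the host, user and path names are constructed stand-ins for whatever your EDR or Sysmon pipeline emits.

```python
"""Detection logic for the shadow-copy purge the comment describes, run over
constructed process-creation log lines. Added example, not from the article;
the log format (parent="..." cmd="...") is an assumption standing in for
whatever your EDR or Sysmon pipeline emits."""
import re

# Command lines ransomware families use to remove local restore points.
RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vss_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("bcdedit_recovery", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wmi_shadowcopy", re.compile(r"win32_shadowcopy\b.*\bdelete\b", re.I)),
]
# A parent binary in a user-writable directory makes "legitimate backup agent" unlikely.
USER_WRITABLE = re.compile(r"\\(users|programdata|windows\\temp)\\", re.I)
LINE_RE = re.compile(r'parent="(?P<parent>[^"]*)"\s+cmd="(?P<cmd>[^"]*)"')


def detect_shadow_tampering(lines):
    """One hit per (line, rule); severity is high when the parent is user-writable."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        parent, cmd = m.group("parent"), m.group("cmd")
        for rule, rx in RULES:
            if rx.search(cmd):
                hits.append({"line": n, "rule": rule, "parent": parent, "cmd": cmd,
                             "severity": "high" if USER_WRITABLE.search(parent) else "medium"})
    return hits


# Constructed log: a dropper in %TEMP% purging restore points, a harmless
# "list shadows", and a backup agent doing a catalog delete on its own schedule.
SAMPLE_LOG = r"""
2014-12-17T09:14:02Z host=WS-MILAN-07 user=CORP\mrossi parent="C:\Users\mrossi\AppData\Local\Temp\Notice.pdf.exe" cmd="vssadmin.exe Delete Shadows /All /Quiet"
2014-12-17T09:14:03Z host=WS-MILAN-07 user=CORP\mrossi parent="C:\Windows\explorer.exe" cmd="vssadmin list shadows"
2014-12-17T09:14:05Z host=WS-MILAN-07 user=CORP\mrossi parent="C:\Users\mrossi\AppData\Local\Temp\Notice.pdf.exe" cmd="bcdedit /set {default} recoveryenabled No"
2014-12-17T09:14:06Z host=WS-MILAN-07 user=CORP\mrossi parent="C:\Users\mrossi\AppData\Local\Temp\Notice.pdf.exe" cmd="wmic shadowcopy delete"
2014-12-17T23:00:00Z host=FS-MILAN-01 user=NT AUTHORITY\SYSTEM parent="C:\Program Files\BackupVendor\agent.exe" cmd="wbadmin delete catalog -quiet"
""".strip().splitlines()

if __name__ == "__main__":
    for hit in detect_shadow_tampering(SAMPLE_LOG):
        print(hit["line"], hit["severity"], hit["rule"], hit["parent"], "->", hit["cmd"])
```

The medium-severity hit is the caveat: backup software really does delete shadow copies and catalogs, so the command line alone is a noisy signal. The parent path and the user context are what separate the 9 a.m. dropper in a Temp folder from the 11 p.m. backup agent, and the three high hits from one parent within seconds are the shape to alert on, ideally before the encryption pass finishes.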
    6. Re:Backups solve much of the problem: by houghi · · Score: 1

      Most users don't do backups. They take copies. Not the same. Sure, I have had hardware issues and lost a drive. However what happens much more is that I do something stoopid and delete or edit something that I shouldn't have deleted or edited. Obviously I only notice it after a copy of the data. So now I have two broken files.

      Incremental backups resolve this.

      I have two systems:
      1) copies. These are basically larger files. Music, images and movies. They are in mostly read-only directories on read-only drives. (1 RW directory for current downloads). I use a script that mounts the backup drive, runs rsync and unmounts it again.
      2) Incremental copies. These are from my working directories. Mostly smaller files and /etc and what not. For that I use StoreBackup

      --
      Don't fight for your country, if your country does not fight for you.
  10. Karma by Anonymous Coward · · Score: 0

    Commit crimes (steal). Pay.

  11. Sandbox before browsing by ITRambo · · Score: 2, Interesting

    We install Sandboxie on all computers that are in for service. The benefits of using it are explained to the customer. A rogue website only takes over the sandboxed session. If infected, close the box, delete the contents and you're up and running again. I do not comprehend why the "partial" sandbox of existing browsers is considered to offer protection. Full sandboxing is the only way to do so. Nothing short of a full sandbox is safe. The sandbox in 360 Total Security looks promising also. But, it needs to be selected from the right mouse click menu, when clicking on the browser icon. My experience is that people get lax and won't do this all the time. Of course, if someone uses a cloud backup service, like Carbonite, they can clean the viruses on the PC and then restore their files as long as their cloud files are not encrypted also.

    1. Re:Sandbox before browsing by mjwx · · Score: 2

      We install Sandboxie on all computers that are in for service. The benefits of using it are explained to the customer. A rogue website only takes over the sandboxed session. If infected, close the box, delete the contents and you're up and running again.

      That's completely useless in this case as the malware fools the user into installing it. The user downloads a zip file containing an executable, so it's well outside the sandbox by that point.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    2. Re:Sandbox before browsing by ihtoit · · Score: 1

      I'm running a browser in a VM. Everything that happens happens inside the VM. Shit goes south, kill the VM, start it up again from a read only image. What malware?

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    3. Re:Sandbox before browsing by Anonymous Coward · · Score: 0

      IIRC, Sandboxie's paid version has an option to automatically run everything in sandbox.

      Even in free version it would be sandboxed by inheritance if it was launched by a sandboxed browser/mailer.

    4. Re:Sandbox before browsing by Le+Marteau · · Score: 4, Informative

      > I'm running a browser in a VM... What malware?

      Your faith in the security of VM sandboxes is misplaced.

      It is trivial to write a program which can detect if it is in a VM. And then, attack the hypervisor and escape the protected environment. As virtualization has become more common, such malware has gone from academic exercises to real-world exploits.

      http://www.symantec.com/avcent...

      My favorite line:

      Finally, the most interesting attack that malicious code can perform against a virtual machine emulator is to escape from its protected environment.

      With virtualization becoming more and more common

      --
      Mod down people who tell people how to mod in their sigs
    5. Re:Sandbox before browsing by stoborrobots · · Score: 1

      Full sandboxing is the only way to do so.

      How do you attach documents to an email in a full-sandboxed world?

      How do I receive a document by email, update it with my comments, and pass it along to the next reviewer?

    6. Re:Sandbox before browsing by Anonymous Coward · · Score: 0

      Just run the browser in a VM in a VM.

    7. Re:Sandbox before browsing by Anonymous Coward · · Score: 0

      It's VMs all the way down!

    8. Re:Sandbox before browsing by Anonymous Coward · · Score: 1

      1) Run a VM on hardware.
      2) Run a VM in the VM.
      3) Move the first VM into the second VM.
      4) Remove hardware.

    9. Re:Sandbox before browsing by Anonymous Coward · · Score: 0

      Run it in a container inside a VM running in a container on another VM running in a chroot jail!

  12. Humans are the weakest chain.... by Anonymous Coward · · Score: 1

    The software pretends to be from the post office and asks a user to execute an executable that is thought to be some sort of package tracking program.
    Since the logos and other stuff all match up with the real post office's stuff, many users are tricked into believing that it is indeed some legit executable.

    As usual humans are the weakest link in the chain.

    But someone should offer a big reward for cracking this type of ransomware to our more skilled and knowledgeable readers....

    1. Re:Humans are the weakest chain.... by camperdave · · Score: 1

      "How the devil did the Post Office get my email address?" would be one of the first questions to pop into my mind.

      --
      When our name is on the back of your car, we're behind you all the way!
  13. What kind of statement is this by TrollstonButterbeans · · Score: 1

    "Most general users don't do this" How can you even say that. "General users" are the ones who have to format because they get viruses.

    They sure as hell know how to backup their stuff, and they've had a lot of practice.

    --
    Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
    1. Re:What kind of statement is this by Neil+Boekend · · Score: 2

      In my experience: not really. They just have viruses and don't know it.
      Most users still don't backup. They just don't think about it.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    2. Re:What kind of statement is this by Hartree · · Score: 1

      "How can you even say that."

      It's been my observation over years of dealing with them.

      Most people who use computers aren't the Slashdot crowd. They "kinda, sorta" know enough to be able to check their email, surf the web, or play some games.

      Usually when they have a failure from malware, they've been infected (perhaps with other things as well) for some time. If they can even find the original system restore disk, they're way ahead of the game.

      They get Cousin Jimmy (or one of their kids), cause he's good with computers, to clean up or reinstall their computer. Usually leaving many of the same holes that got them zapped in the first place.

      Or, they get some computer store to deal with it. They just gripe about losing some stuff, but it was a game they liked and can no longer find, or an email from momma before she died, etc. not something life and death. They may start copying some things to a thumb drive, if you're lucky.

      So many times I've asked "When was your last backup?" and get a vacant stare even from people with PhDs at the university I work at. Let alone the everyday person on the street who has a computer at home.

  14. A virus news by ruir · · Score: 1

    Where they talk about targeting Windows boxes both in the editorial and the Slashdot post. How refreshing. This publication is miles ahead of the Microsoft ass-licking of ZDNet and PCWorld.

    1. Re:A virus news by Anonymous Coward · · Score: 0

      Wow, who pissed in your eggnog? Get out, get laid, and give up the grudge.

  15. Why single out Australia? by rebelwarlock · · Score: 1

    According to the image right at the top of the article, there were over 11000 in Turkey. If we're singling out the most infections, that should be the headline. Is Australia somehow more significant?

    1. Re:Why single out Australia? by Imrik · · Score: 1

      Most people on Slashdot are from the US. Australians speak more or less the same language so we care more what happens to them.

    2. Re:Why single out Australia? by dwywit · · Score: 3, Interesting

      We care about you, too. Seriously - the support from other countries during the recent tragedy in Sydney is very much appreciated.

      --
      They sentenced me to twenty years of boredom
  16. Not as such by dbIII · · Score: 2

    Just clicking on a link should never be enough no matter what you think the "weakness in wetware" is.

  17. What malware? This malware by dbIII · · Score: 1

    That malware then corrupts files in whatever network shares you can attach to from your VM - so congrats, your operating system is safe but your co-workers still get their files stuffed up.
    Hopefully it's scaring people into having REAL backups that can't be corrupted without loading/attaching external media or deleting snapshots.

  18. No US numbers by Anonymous Coward · · Score: 0

    I want to know how many infections in the US.

  19. Company I work for got hit... by felixrising · · Score: 4, Interesting

    We had two employees access the torrentlocker website, right through our proxy portal with Kaspersky and McAfee running, and they downloaded it to their PCs running McAfee and then ran the bloody thing. By the next morning, we had more than 50000 files encrypted. I spent the next two days scripting deletion and restores across several multi-terabyte file shares. What I REALLY don't get is, why the heck did a known piece of malware like that make it through all of those antivirus/antimalware systems and heuristics and succeed in ruining two perfectly good days? (just ignoring all of the staff downtime).... Anybody?
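
Added example (the editor's, not the poster's code and not from the article) of the triage pass behind the "scripting deletion and restores" step above, and of wbr1's point further down that these families go after ordinary document and image types. It walks a share and flags files whose content no longer matches what their name says they are: a known format whose magic bytes are gone, a text file full of binary, or an unknown type that is pure high-entropy noise. The output is the restore list. The share is built inline from constructed files; the magic-byte table, the entropy threshold and the printable-text ratio are assumptions to tune.

```python
"""Triage pass for the restore job the comment describes: walk a share, flag
files whose content no longer matches their name, emit the list to restore.
Added example, not from the article; the share is built inline with
constructed files and the thresholds are assumptions."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes of formats ransomware commonly targets (assumption: extend as needed).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",), ".ppt": (b"\xd0\xcf\x11\xe0",),
}
TEXT_EXT = {".txt", ".csv", ".xml", ".html", ".htm", ".ini", ".log"}
HEAD = 8192
ENTROPY_LIMIT = 7.5   # bits/byte; deflate and JPEG data sit up here too, hence MAGIC first


def shannon_entropy(data):
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def classify(path):
    """Reason the file looks like ransomware output, or None if it looks intact."""
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        head = fh.read(HEAD)
    if not head:
        return None
    if ext in MAGIC:
        # container formats are legitimately high-entropy; the magic bytes decide
        return None if head.startswith(MAGIC[ext]) else "magic mismatch for " + ext
    if ext in TEXT_EXT:
        printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
        return None if printable / len(head) >= 0.7 else "binary content in text file"
    if shannon_entropy(head) > ENTROPY_LIMIT:
        return "high entropy, unknown type"
    return None


def triage_share(root):
    """Sorted (relative path, reason) for every file that fails the checks."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            reason = classify(p)
            if reason:
                hits.append((p.relative_to(root).as_posix(), reason))
    return sorted(hits)


def demo():
    """Constructed share: intact files next to 'encrypted' ones (random bytes)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {
            "finance/q3.docx": b"PK\x03\x04" + os.urandom(4000),  # real docx: PK + deflate
            "finance/q2.docx": os.urandom(4096),                  # encrypted in place
            "photos/trip.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 500,
            "photos/trip2.jpg": os.urandom(4096),
            "notes/readme.txt": b"Quarterly numbers are in finance/.\n" * 20,
            "notes/todo.txt": os.urandom(4096),
            "misc/config.dat": b"key=value\n" * 200,
            "misc/archive.bak": os.urandom(8192),                 # unknown type, pure noise
        }
        for rel, content in samples.items():
            dest = root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(content)
        return triage_share(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "->", reason)
```

The intact q3.docx is the edge case worth noticing: an entropy-only scan would flag every Office file and JPEG on the share, which is why the magic-byte check runs first and only unknown types fall through to the entropy test. A variant that renames its output to a new extension ends up in that fall-through path and is still caught. Treat the list as a restore queue, not as proof; where the share sits on a filesystem with snapshots, rolling the whole tree back is faster than a per-file restore.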

    1. Re:Company I work for got hit... by BitZtream · · Score: 3, Interesting

      Because anyone who has been in IT for any length of time knows McAfee is complete shit? Proxies trying to stop the spread of things distributed by sites that bust their ass to avoid being caught by a blocking proxy?

      I.E. If you DEPEND on anything from a 'security' company like McAfee, Kaspersky, F-secure, whoever ... you've already failed. Those are backups that hopefully help to catch the things that the user didn't.

      Your first and only REAL line of defense is the user and proper administration like only letting people access files they NEED to access.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:Company I work for got hit... by felixrising · · Score: 1

      That sounds like a security argument that forgets the convenience part of the equation. If you have departments of 100+ staff and need them to have access to the same files... all it takes is one user falling for it, you're still left mopping up. We had two staff fall for it from different departments... fun times.

    3. Re:Company I work for got hit... by DigiShaman · · Score: 1

      SonicWALL baby! I block all P2P and TOR traffic at the WAN zone. Also use Content Filtering to block known sources of malware and shit. You can also block certain websites too. Effectively putting the kibosh on the most casual of end-users' activity at getting infected. If they're actively trying to work around the protection in place, it's malicious activity that should render the employee frogmarched out of the office with security! The 3rd line of defense (the 1st one being end user situational awareness of such threats in the first place (Art of Deception and all that)) involves anti-malware software installed on all managed end-user machines.

      --
      Life is not for the lazy.
    4. Re:Company I work for got hit... by Anonymous Coward · · Score: 0

      CIO policy along with tech support ignorance is on display every time a box gets infected. Typical tech support knows less than 10% of what is required to secure a box. The core blame is ignorance, laziness, with a good heaping of short-sighted corporate policy. As always, tech support installs the stock OS, MS Office, maps a few shares, and delivers an infection-ready box. They rarely make security tweaks. Sidenotes, 1. We can also blame MS for its piss poor SID/ACL implementation in NTFS and the outrageous lowest common denominator defaults. 2. It takes a minimum of 6 hours of tweaks to correctly secure a box (again, tk u MS for scattering everything all over the place). 3. Also, I rarely see McAfee correctly set up. Again, defaults, update, done; just like a monkey operating by rote.

      http://www.cio.com/article/2439324/risk-management/your-guide-to-good-enough-compliance.html

    5. Re:Company I work for got hit... by david_thornley · · Score: 1

      I'm not sure that McAfee is that horribly bad (as opposed to being bad), but I suspect malware authors test against the latest versions of all the commercial anti-malware vendors to make sure they'll get through. The malware protection guys will catch up, so McCrappy can be useful against older malware, but no commercial product will stop the latest stuff.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  20. Interesting note about cryptoviruses by wbr1 · · Score: 4, Informative

    Most are rather dumb. They will encrypt standard file types such as jpg and doc, but leave really critical stuff (qbw, pst, etc) alone. I guess the writers, not knowing what files being encrypted in a user profile might brick a machine, only go for easy targets. They will readily encrypt any attached drive as well, following the same ruleset. If your backup program stores in a standard .zip or in the clear, it will be encrypted too. The best safety net is an online backup that does versioning so you can roll back to pre-infection versions of files.

    One last note: in about 5%-10% of the cases I have worked on, I was able to recover files from VSS. Most of these variants attempt to disable VSS and delete the shadow copies, but they either are not successful or do it slowly. Yanking the drive from the running environment and looking at it with Shadow Explorer on a clean box can sometimes save some data. Here in the US, Cryptorbit variants seem to be the most frequent I see (cryptodefense, cryptolocker, howdecrypt, etc). They have really exploded in the past month. A recent fake ADP email that was making it through spam filters was responsible for a lot. The linked site downloaded a zip containing an exe with an Adobe PDF icon. If you have a suspect exe, see if it has been analyzed on malwr.com and you can get a good breakdown of its precise behavior.

    --
    Silence is a state of mime.
    1. Re:Interesting note about cryptoviruses by Anonymous Coward · · Score: 1

      I have noticed a lot of pretty effective-looking phishing emails in my Gmail spam filter lately which could be responsible for the recent uptick in trojans.

      Right now, I have a spam purporting to be from FedEx: "Dear Customer, Your parcel has arrived at December 12. Courier was unable to deliver the parcel to you. To receive your parcel, print this label and go to the nearest office. " with their logo and a "Get Shipment Label" button. I could see some people falling for it.

      I also have an email supposedly from facebook: "Hi, Your Facebook password was been reset on Saturday, December 13, 2014 at 07:07PM (UTC) due to suspicious activity of your account. Operating system: Windows Browser: Opera IP address: 191.51.56.141 Estimated location: Tellico Plains, TN, US To restore the password complete this form, please, your request will be considered within 24 hours. Thanks, The Facebook Security Team "

  21. Hosts can stop this threat... apk by Anonymous Coward · · Score: 0

    Per my subject-line above: Add these entries into hosts as blocked (C&C + payload & phish servers):

    0.0.0.0 www.ceskaposta.net
    0.0.0.0 ceskaposta.net

    FROM -> http://www.welivesecurity.com/...

    &

    0.0.0.0 royalmail-tracking.info
    0.0.0.0 royalmail-tracking.biz
    0.0.0.0 royalmail-tracking.org
    0.0.0.0 door2tor.org

    FROM -> http://www.welivesecurity.com/...

    * Enjoy - those will block out this threat...

    APK

    P.S.=> "You can't get burned, if you can't go into the furnace" so-to-speak - those blocking entries keep you OUT of said malware 'furnace', easily... apk
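A hosts-file blocklist only helps if the entries are actually present and pinned to a null address; the following is an added example (not code from this thread or from the WeLiveSecurity report it cites) that parses a hosts file and reports which of the domains named above are blocked. The domain names are the ones listed in the comment; the hosts-file text is constructed for the demo.

```python
"""Check which of a set of malicious hostnames a hosts file really blocks.

Added example, not from the Slashdot thread. It parses hosts-file syntax
(comments, blank lines, several hostnames per line) and reports whether
each domain is pinned to a null address rather than merely listed.
"""
NULL_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_hosts(text):
    """Return {hostname: ip} for every entry in hosts-file text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line, ignore it
        ip, *names = parts
        for name in names:
            # First matching entry wins, as most resolvers behave.
            mapping.setdefault(name.lower().rstrip("."), ip)
    return mapping


def block_status(hosts_text, domains):
    """Map each domain to True if hosts pins it to a null address."""
    mapping = parse_hosts(hosts_text)
    return {d: mapping.get(d.lower()) in NULL_ADDRS for d in domains}


def missing_entries(hosts_text, domains, null_ip="0.0.0.0"):
    """Lines to append so that every unblocked domain becomes blocked."""
    status = block_status(hosts_text, domains)
    return [f"{null_ip} {d}" for d in domains if not status[d]]


# Domains named in the comment above (from the report it links).
THREAD_DOMAINS = ["www.ceskaposta.net", "ceskaposta.net",
                  "royalmail-tracking.info", "royalmail-tracking.biz",
                  "royalmail-tracking.org", "door2tor.org"]

# Constructed hosts file: two blocked, one mis-pointed, the rest absent.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 www.ceskaposta.net ceskaposta.net  # blocked
192.0.2.10 door2tor.org   # present but NOT a null route
"""

if __name__ == "__main__":
    for dom, ok in block_status(SAMPLE_HOSTS, THREAD_DOMAINS).items():
        print(f"{'blocked' if ok else 'OPEN   '} {dom}")
    print("\n".join(missing_entries(SAMPLE_HOSTS, THREAD_DOMAINS)))
```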

  22. FULL LIST TO BLOCK INSIDE... apk by Anonymous Coward · · Score: 0

    There's 272++ more to block found in the research .pdf file here from -> http://www.welivesecurity.com/...

    APK

    P.S.=> Enjoy, since once those are blocked? This thing can't TOUCH you, or you it... apk

  23. Wording by The+File · · Score: 1

    "earned"? Perhaps that would be better expressed as "extorted".

  24. Re:What malware? This malware by ihtoit · · Score: 1

    One would assume that had one taken the trouble to sandbox an operating environment to mitigate the risk of data corruption by malware, one would also have made sure that no folder shares were available to that sandbox. Your argument is moot.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel