New Virus/Malware Spreading

The ATG Information Technology Department received the following information from the United States Computer Emergency Readiness Team (US-CERT) regarding a particularly nasty piece of malware. It spreads through fake emails that appear to be from legitimate companies such as FedEx and UPS but are part of a dangerous scam. With the holidays approaching, we thought it would be a good idea to share this message as a reminder to you and your staff to use caution when reading email and using the Internet.

ATG and ATG Trust Members, after reading the details below, please contact us if you have any questions.

November 27, 2013, EDITOR'S NOTE: Please also read the new warning regarding Holiday Season Phishing Scams and Malware Campaigns.


US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of "ransomware infections." Ransomware is a type of malicious software designed to block access to a computer system or the files on it until a sum of money is paid, supposedly in exchange for decrypting and recovering the files. CryptoLocker is a new variant of ransomware. Its primary means of infection appears to be phishing emails (phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an email) containing malicious attachments.


CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear after a previous infection from one of several botnets (networks of computers that have been taken over by running malicious software) frequently leveraged in the cyber-criminal underground.


The malware has the ability to find and encrypt files located on shared network drives, USB drives, external hard drives, network file shares, and even some cloud storage drives. If one computer on a network becomes infected, files on any network drives mapped from that computer can be encrypted as well, so a single infected workstation can affect an entire office. CryptoLocker then connects to the attackers' command and control server; the private key needed to decrypt the files is held there, out of the victim's reach, and is never stored on the infected computer.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys: a public key, which can only encrypt, and a matching private key, which is the only thing that can decrypt. The public key is not secret and is what the malware uses on the victim's computer; only the attackers hold the private key. This is why the files cannot be recovered simply by cleaning the infection: removing the malware leaves the encrypted files behind, and with a properly sized key there is no practical way to decrypt them without the private key.
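The scheme the two paragraphs above describe, as an added example (this is not code from the page, from US-CERT, or from the malware itself). Asymmetric encryption is too slow for bulk file data, so ransomware of this kind normally uses a hybrid design: each file is encrypted with a fresh symmetric key, and that key is wrapped with the attackers' public key. The page does not give CryptoLocker's exact construction, so the AES-256-GCM and RSA-OAEP choices, the `AttackerServer` type and the `EncryptFile`, `DecryptFile` and `TryWithoutAttackerKey` functions are this example's own assumptions. The sample file contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what is left on disk after the malware runs: the file body
// under a per-file symmetric key, plus that key wrapped to the attackers' public key.
type EncryptedFile struct {
	WrappedKey []byte // per-file AES key, RSA-OAEP encrypted to the attackers' public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// AttackerServer stands in for the command and control server (assumed model).
// It generates the key pair and keeps the private half; the victim only ever
// receives the public half.
type AttackerServer struct {
	priv *rsa.PrivateKey
}

func NewAttackerServer() (*AttackerServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &AttackerServer{priv: priv}, nil
}

// PublicKey is the only key material that reaches the infected machine.
func (s *AttackerServer) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// PrivateKey never leaves the attackers' side.
func (s *AttackerServer) PrivateKey() *rsa.PrivateKey { return s.priv }

// EncryptFile is the victim-side step: a fresh random AES-256 key per file, the
// file encrypted with AES-GCM, and the AES key wrapped with RSA-OAEP under the
// public key. After it returns, the plaintext AES key exists nowhere.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptFile unwraps the file key with the private key, then decrypts the body.
// Only the holder of the matching private key gets past the first step.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping file key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// TryWithoutAttackerKey models the victim's position: ciphertext and public key
// in hand, but no private key. The only private key they can produce is a new
// one of their own, and the wrapped file key will not unwrap under it.
func TryWithoutAttackerKey(ef *EncryptedFile) error {
	fresh, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	_, err = DecryptFile(fresh, ef)
	return err
}

func main() {
	server, err := NewAttackerServer()
	if err != nil {
		panic(err)
	}
	document := []byte("Closing statement, parcel 42 (constructed sample)") // constructed, not real data
	ef, err := EncryptFile(server.PublicKey(), document)
	if err != nil {
		panic(err)
	}
	fmt.Printf("victim holds %d bytes of ciphertext and a %d-byte wrapped key\n", len(ef.Ciphertext), len(ef.WrappedKey))
	fmt.Println("victim without the attackers' private key:", TryWithoutAttackerKey(ef))
	recovered, err := DecryptFile(server.PrivateKey(), ef)
	if err != nil {
		panic(err)
	}
	fmt.Printf("attackers, holding the private key, recover: %q\n", recovered)
}
```

Run it with `go run`. The point is the one the advisory makes: the only thing that unwraps the per-file key is a private key that never touched the victim's disk, so cleaning the infection does not bring the files back, and a backup taken before the infection is the only recovery path that does not depend on the attackers.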

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key. US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center.


Prevention | US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

  • Do not follow unsolicited web links in email messages or submit any information to webpages in links.
  • Use caution when opening email attachments. Refer to Using Caution with Email Attachments for more information on safely handling email attachments.
  • Maintain up-to-date anti-virus software.
  • Perform regular backups of all systems to limit the impact of data and/or system loss.
  • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity.
  • Secure open-share drives by only allowing connections from authorized users.
  • Keep your operating system and software up-to-date with the latest patches.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Mitigation | US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

  • Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from encrypting any more files on the network.
  • Users who are infected should change all passwords AFTER removing the malware from their system.
  • Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:
    • Restore from backup;
    • Restore from a shadow copy (note that some ransomware, CryptoLocker included, deletes Volume Shadow Copies before encrypting, so check whether any remain); or
    • Perform a system restore (note that System Restore reverts system files and settings but does not bring back personal documents, so it is the least likely of the three to recover data).

We caution all ATG members to follow preventative measures and apply high standards of use and care regarding computer systems and the information they contain. We recently posted guidelines for establishing Secure Business Domain Email and message encryption in our ALTA Best Practices Information Center.

ATG and ATG Trust Members, please contact us if you have any questions.

Posted on: Mon, 11/11/2013 - 6:17pm