WARNING: Cryptowall 3.0

Neilc28

Hi all,

Just thought I would inform everyone to be cautious as the variant of Cryptolocker is still circulating and appearing to be activated via Javascript in a zipfile attachment. A client had this problem today as the email got through the Exchange Online Protection system which utilised multi-engine and signature scanning, and wasn't detected by the customer's Anti-Virus or any of the additional scanners run afterwards (inc. Symantec and Avast). Full manual removal was required, and the process was identified only by checking processes based on the time, date and hash of the process. A restore of 65Gb from their 15min snapshot backup system was required, so aside from under-productivity there was no major impact, but it COULD have been catastrophic.

From the moment of exposure to the customer reporting it (45mins) the encryption had encompassed 275,000 files.

Moral of the story..... Always ensure your backups are functioning and rotated, and I'm sure nobody else needs educating but RAID isn't backup!
 
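The first post describes a lure that got past gateway scanning: a zip attachment carrying a JavaScript file that Windows runs when double-clicked. A cheap mitigation that does not depend on signatures is to inspect attachments structurally and quarantine any archive containing a script or executable member, including inside nested zips. The following is an added example written for this thread, not code from the original post or from any product named in it; the extension list, the depth limit and the sample archive are constructed assumptions.

```python
import io
import os
import zipfile
from typing import List, Tuple

# Member extensions that Windows will execute through the Windows Script Host
# or the shell when a user double-clicks them (assumed list; extend to taste).
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".exe", ".scr", ".com", ".cmd", ".bat", ".ps1", ".lnk",
}
MAX_NESTING = 3  # assumed limit: deeper archives are treated as suspicious


def risky_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> List[str]:
    """Return paths of archive members with an executable extension.

    Nested zips are opened recursively up to MAX_NESTING levels. Member names
    can be read from a password-protected zip without the password, so the
    extension check still works; only the nested contents become unreadable.
    """
    findings: List[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable archive>"]

    for info in archive.infolist():
        if info.is_dir():
            continue
        name = info.filename
        ext = os.path.splitext(name)[1].lower()  # "coupon.pdf.js" -> ".js"
        if ext in SCRIPT_EXTENSIONS:
            findings.append(prefix + name)
        elif ext == ".zip":
            if depth >= MAX_NESTING:
                findings.append(prefix + name + " (nested too deep)")
                continue
            try:
                inner = archive.read(info)
            except RuntimeError:  # encrypted member: cannot look inside
                findings.append(prefix + name + " (encrypted nested archive)")
                continue
            findings.extend(risky_members(inner, depth + 1, prefix + name + "!/"))
    return findings


def verdict(zip_bytes: bytes) -> Tuple[str, List[str]]:
    """'quarantine' if any risky member was found, otherwise 'deliver'."""
    hits = risky_members(zip_bytes)
    return ("quarantine" if hits else "deliver"), hits


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the coupon lure: a zip inside a zip with a .js file.

    The script member contains only a comment, not code.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("coupon_2015.pdf.js", "// constructed placeholder, no code\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "constructed sample\n")
        z.writestr("coupon.zip", inner.getvalue())
        z.writestr("photo.jpg", b"\xff\xd8\xff")
    return outer.getvalue()


def build_clean_attachment() -> bytes:
    """Constructed benign archive with only document and image members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.pdf", b"%PDF-1.4 constructed\n")
        z.writestr("logo.png", b"\x89PNG constructed")
    return buf.getvalue()


if __name__ == "__main__":
    print(verdict(build_sample_attachment()))
    print(verdict(build_clean_attachment()))
```

The check is deliberately naive about content: it never executes or parses the script, it only refuses to deliver something a user could run by accident. Pair it with the backup discipline the post ends on, because a lure that arrives as a document macro or a link (as later posts describe) will not be caught here.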
Malwarebytes is usually exceptionally good but that picked up nothing but cookies today, strange!
 
I ran it with the PC in Safe Mode (with networking). Cleared any remnants up with the AV, and binned the "Help" files.


Ian.
 
This is why I now run both my PCs in "Total Paranoia" mode with almost everything now running in temporary VMs which are loaded from external SSDs which are then turned off in case of infection.

Once I have used them I simply delete the VMs before turning off the PC.

Next time I want to surf the net or do my banking (or come here) I simply reload the VMs.

This is similar to re-installing Windows but much easier.

And if I ever do have to re-install Win7 it only takes an hour or so to get back to full working.

Obviously not as convenient as having everything on the PC but much safer.
.
 
If you keep your AV up to date, practice safe computer & browsing habits then things like this should not bother you.

Most, if not all, virus/malware infections are caused by a failure in the human interface side of things
 
AV was pretty irrelevant in this scenario, however I couldn't agree more about human interface
 
AV did nothing for my client either.

Ian.
 
I would suggest one, probably more, of the things I suggested in post 6 were not followed

And you would be quite right. The payload came in an email zip attachment, disguised as a money off coupon :) Which was, of course, clicked on.


Ian.
 
Human interface error

Either that and/or they were not running a decent and up to date AV

Any AV worth its salt would have picked that up and dealt with it
 
Any AV worth its salt would have picked that up and dealt with it

I would normally agree, but multiple scanners were used and nothing detected the process. The list of AV used is as follows:-

ESET
Avast
Kaspersky
Symantec

This is on top of the 3 AV engines used by EOP which is where the email was relayed from.

It's resolved now and currently looking at implementing Watchguard APT as an additional layer.

Malwarebytes (confirmed as being able to recognise Cryptowall) was unable to detect anything either.
 
Not always the case, I'm afraid. This quote applies to CryptoLocker, but the principle is similar. "While security software is designed to detect such threats, it might not detect CryptoLocker at all, or only after encryption is underway or complete, particularly if a new version unknown to the protective software is distributed."

Cryptowall 3 has also taken to digitally signing its payload, in an attempt to bypass AV software.


Ian.
 
Guarantee there was a human interface failing at some point

The thing is with an AV it should be about prevention not cure

Once a nasty bug has been given access to a system it can be a b****r to find and eradicate
 
There was as I previously stated, the user clicked the attachment, however the point I was making is that the multilevel protection in place would normally remove that risk but didn't in this case.

Too many people make the assumption that with AV in place you are safe, however without proper education on internet safety there is still a massive risk regardless of what precautions are in place
 
Not always the case, I'm afraid. This quote applies to CryptoLocker, but the principle is similar. "While security software is designed to detect such threats, it might not detect CryptoLocker at all, or only after encryption is underway or complete, particularly if a new version unknown to the protective software is distributed."

Cryptowall 3 has also taken to digitally signing its payload, in an attempt to bypass AV software.


Ian.

As I said a decent AV, that auto updates its definitions constantly, would deal with this.

Of course there will also be the very slim chance that a bug may not be known to your AV at the time it hits your system but that is where having good, safe computing and browsing habits comes in.

I stand by what I said; If you keep your AV up to date, practice safe computer & browsing habits then things like this should not bother you.
 
So theoretically, just hitting shift/delete for the email, rather than getting excited about money off coupons coming from an unexpected source would have completely solved this.

I've just had another malware email in the last 30min, this time purporting to be from Gateway.gov.uk with the link leading to a dropbox account. :rolleyes:
 
As I said a decent AV, that auto updates its definitions constantly, would deal with this.

I'm sorry, but you're wrong. It wouldn't. My client had a fully up to date AV installed and running. It prompted a warning, but by then it was too late; the payload had executed.

A "layered" security system is the only option: AV, then anti-malware such as Malwarebytes Premium, Spybot Search and Destroy, and the clinical removal of stupidity.

I do this for a living.

We'll agree to disagree :)


Ian.
 

Size, share yours..

Basic Willy Waving rules..


Back on point(ish) though..
I pay for a 1TB dropbox account. If my PC was infected with anything like this, would my DropBox account just sync anyway and ruin all of my online storage..?
 
I pay for a 1TB dropbox account. If my PC was infected with anything like this, would my DropBox account just sync anyway and ruin all of my online storage..?

In short, yes. But, you could recover it. DropBox is pretty neat.
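The answer above is right on both counts: the desktop client syncs the encrypted files as new versions, and the earlier versions remain in the account's version history, so recovery means rolling each file back to its last revision saved before the infection started. The following is an added example written for this thread, not Dropbox's own code or code from the original post. The selection logic is pure and runs offline against constructed revision data; the `restore_file` helper is written against the Dropbox Python SDK calls `files_list_revisions` and `files_restore` as I understand them, which is an assumption, and the grace margin is a constructed default.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class Revision:
    rev: str                    # opaque revision id as the service reports it
    server_modified: datetime   # time the version reached the server, UTC


def pick_clean_revision(revisions: List[Revision], infection_start: datetime,
                        grace: timedelta = timedelta(minutes=5)) -> Optional[Revision]:
    """Newest revision saved before the infection, minus a safety margin.

    The margin covers clock drift between the PC and the server and the delay
    between the first file being encrypted and the moment anyone noticed.
    Returns None when every known version postdates the cutoff.
    """
    cutoff = infection_start - grace
    clean = [r for r in revisions if r.server_modified < cutoff]
    if not clean:
        return None
    return max(clean, key=lambda r: r.server_modified)


def restore_file(dbx, path: str, infection_start: datetime) -> Optional[str]:
    """Roll one file back to its pre-infection version; returns the rev restored.

    `dbx` is a dropbox.Dropbox client (assumed SDK calls: files_list_revisions,
    files_restore). Entries carry .rev and a naive UTC .server_modified.
    """
    result = dbx.files_list_revisions(path, limit=100)
    revisions = [
        Revision(e.rev, e.server_modified.replace(tzinfo=timezone.utc))
        for e in result.entries
    ]
    chosen = pick_clean_revision(revisions, infection_start)
    if chosen is None:
        return None
    dbx.files_restore(path, chosen.rev)
    return chosen.rev


class FakeDropbox:
    """Constructed offline stand-in exposing the two calls restore_file uses."""

    class _Entry:
        def __init__(self, rev: str, when: datetime):
            self.rev, self.server_modified = rev, when

    class _Result:
        def __init__(self, entries):
            self.entries = entries

    def __init__(self, history: dict):
        self.history = history                  # path -> list of (rev, naive UTC datetime)
        self.restored: List[Tuple[str, str]] = []

    def files_list_revisions(self, path: str, limit: int = 10):
        entries = [self._Entry(rev, when) for rev, when in self.history.get(path, [])]
        return self._Result(entries[:limit])

    def files_restore(self, path: str, rev: str):
        self.restored.append((path, rev))


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Constructed scenario: a document edited at 09:00 and 10:30, encrypted at 10:46."""
    history = {
        "/Documents/report.docx": [
            ("rev-c", datetime(2015, 6, 1, 10, 46)),   # encrypted copy synced up
            ("rev-b", datetime(2015, 6, 1, 10, 30)),
            ("rev-a", datetime(2015, 6, 1, 9, 0)),
        ],
        "/Documents/new.xlsx": [
            ("rev-z", datetime(2015, 6, 1, 10, 47)),   # only ever existed encrypted
        ],
    }
    dbx = FakeDropbox(history)
    infection = datetime(2015, 6, 1, 10, 45, tzinfo=timezone.utc)
    first = restore_file(dbx, "/Documents/report.docx", infection)
    second = restore_file(dbx, "/Documents/new.xlsx", infection)
    return first, second


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would check before relying on this: version history is only kept for the account's retention window, so the rollback has to happen inside it, and files the ransomware created fresh (the "Help" instruction files mentioned earlier in the thread, or the encrypted copies where the original was deleted rather than overwritten) have no clean revision and need deleting or restoring from the local backup instead.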
 
I'm sorry, but you're wrong. It wouldn't. My client had a fully up to date AV installed and running. It prompted a warning, but by then it was too late; the payload had executed.

A "layered" security system is the only option: AV, then anti-malware such as Malwarebytes Premium, Spybot Search and Destroy, and the clinical removal of stupidity.
:)
Ian.

Not quite sure what you mean by a "layered approach" but running more than one AV on a PC is usually considered a "no-no" since the detection algorithms of one AV may trigger a false positive from another AV which may see it as a virus or some other form of Malware.
And since every AV has to break your SSL encryption to try to spot infections having 2 or more different AV makers all breaking the SSL encryption on your PC at the same time could give rise to all sorts of undesirable effects.
.
 
Ian wasn't referring to multiple AV, it looks like he was suggesting AV + Antimalware + Antispyware + educating of the users. Which although may be seen as overkill it is actually an approach commonly used over the 'all-in-one' especially by MSP/RMM.
 