OT: CryptoWall Alert

Chris Sellitto sellich at guaranteedreturns.com
Wed Oct 1 08:53:22 PDT 2014


All,

filePro(r) 5.07.03
Windows environment

Our company on Monday was hit with this ransomware early in the AM.  Normally viruses and malware are pretty harmless to the filePro(r) environment, however, this one did do some damage.  The reason is that this one targets a laundry list of file types.  A few of them being ".C", ".H", and ".M" file types which are generally associated with the 'C' programming language.  Well as all filePro(r) experts are aware, if you have index C, H, or M, then ALL of these files would be affected.  Another file that was affected in our facility was one of our screens.  It was called "MOV", hence screen.mov.  We are all aware of what .MOV files are associated with (QuickTime as well as others).  I also noticed that it hit MS-Word, Excel, PowerPoint documents as well as .MDB database files, .TXT files, .PDF files, .RTF files.  It attacks a computer's drive letters, local (c:) and mapped network drive letters.  It can come in the form of an e-mail containing a ZIP file disguised as a PDF that may be related to an invoice, customer complaint or other real-looking e-mail.  It can also be obtained by visiting a site that may be infected with a bogus advertisement.

All of our computers were protected with Symantec Endpoint, with up-to-date definition files as of Sunday, however this attack was launched late Sunday night, and the kicker is that these files were digitally signed.  It evaded 55 of the top security packages out there.  Basically, it would have been very difficult to prevent this from occurring.  Once infected, this ransomware dropped 3 individual files into each directory it infected files in (these contained instructions on how to retrieve the key to get your data back).  The files infected were encrypted with a code, and rendered useless.

Bottom line is good backups, as we all know, are key to recovering from inconveniences such as these.

We did a lot of re-indexing of our C, H, and M indexes on all of our files, and restored all other files that were affected.  It appears at this point that it is a manually triggered event.  So you need to click on it for it to do its damage, and that's it.  I don't believe it will continue to do any more damage unless it is clicked on again.

I am sending this out to you all in hopes of keeping you all aware of this potential threat, and to save you all from wasting time having to restore your data like we did (cost us 2 full days of work).  Make sure your customers are aware of this and that their backups are up to date and accurate.  Even at your own personal homes, keep your families in the know, and educate them.

I was told by our network admin that he has been in touch with Symantec, and that because of our cooperation, they now have an update to handle this new version of the CryptoWall ransomware.

I hope this helps someone.

The article below is more detailed about the threat.

http://www.pcworld.com/article/2688992/malvertising-campaign-delivers-digitally-signed-cryptowall-ransomware.html

Regards
Chris
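
An added example, not from the post and not part of filePro: a baseline-and-compare check for a filePro data tree that flags the pattern Chris describes (most of the .C/.H/.M index files and screen.* files rewritten at once, with new note files appearing in the same directory). The sample directory layout (key, map, index.C, screen.mov) and the note file names are constructed for the demo; the watched extension list is taken from the post.

```python
import hashlib
import tempfile
from pathlib import Path

# Types named in the post, matched case-insensitively (filePro writes index C as *.C).
WATCHED_EXT = {".c", ".h", ".m", ".mov", ".doc", ".xls", ".ppt",
               ".mdb", ".txt", ".pdf", ".rtf"}

def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root) -> dict:
    """Known-good baseline: relative POSIX path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _digest(p)
            for p in root.rglob("*") if p.is_file()}

def compare(manifest: dict, root) -> dict:
    """Diff the live tree against the baseline: rewritten, deleted and new files."""
    root = Path(root)
    current = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    return {
        "changed": {r for r, old in manifest.items() if r in current and _digest(current[r]) != old},
        "missing": {r for r in manifest if r not in current},
        "added": set(current) - set(manifest),
    }

def looks_like_mass_encryption(report: dict, manifest: dict, ratio: float = 0.5) -> bool:
    """Heuristic from the incident: most watched files rewritten at once, plus new files appearing (the dropped instruction notes)."""
    watched = [r for r in manifest if Path(r).suffix.lower() in WATCHED_EXT]
    if not watched:
        return False
    touched = sum(1 for r in watched if r in report["changed"] or r in report["missing"])
    return touched / len(watched) >= ratio and bool(report["added"])

def demo() -> tuple:
    """Constructed sample: a small filePro-style directory, baselined, then mass-rewritten."""
    base = Path(tempfile.mkdtemp())
    cust = base / "cust"
    cust.mkdir()
    for name in ("key", "map", "index.C", "index.H", "index.M", "screen.mov"):
        (cust / name).write_bytes(b"good " + name.encode())
    manifest = build_manifest(base)
    clean_flag = looks_like_mass_encryption(compare(manifest, base), manifest)
    for name in ("index.C", "index.H", "index.M", "screen.mov"):  # simulated overwrite
        (cust / name).write_bytes(b"unreadable")
    for i in range(3):  # three constructed note files, as in the post
        (cust / f"note{i}.txt").write_text("constructed ransom note")
    after = compare(manifest, base)
    return manifest, clean_flag, after, looks_like_mass_encryption(after, manifest)
```

Run `build_manifest` against a known-good backup and `compare` on a schedule; a hit on `looks_like_mass_encryption` is the moment to pull the affected machine off the mapped drives before restoring.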
