Archive for CryptoLocker

New Ransomware Will Overwrite Your Computer’s Boot Record

Petya ransomware corrupts master boot records

Ransomware keeps getting uglier by the day. Now comes a report from Germany of a new version of ransomware that will overwrite the boot record of your computer. This version is called the Petya ransomware,

Up until now, most ransomware viruses encrypted the files on your computer disk, blocking you from opening those files unless you pay the ransom.

But the Petya ransomware attacks the boot record. With a corrupt boot record, you will not be able to boot your computer at all!

According to anti-virus vendors, the Petya ransomware is being distributed through spam email that masquerades as job applications.

And if this is not enough to put you on your toes, consider that this Friday is April 1st!

BE CAREFUL OUT THERE!

Thanks to PCWorld for their in-depth article on the Petya ransomware!

Analysis of a Ransomware

Ransomware (often referred to as Cryptolocker) is a malicious virus threat in today’s environment.

If the virus gets onto your computer, it will begin locking down files on your computer by encrypting them. It will then display a message that you have XX number of hours or days to pay the ransom to get the key to unlock your files.

Unless you have solid backups, your two options are: pay the ransom or lose all your files. The ransom could be in the hundreds of dollars. For a California hospital, that ransom was to the tune of $17,000!

MalwareBytes has a blog post on their site dated March 1, 2016 which gives an in-depth analysis of how such a ransomware virus works.

I found it an interesting read, and thought I would pass it along.

You can go directly to the blog post and read it, or I saved it as a PDF file that you might find easier to read.

Kudos to MalwareBytes!

Ransomware Still Causing Havoc

Nearly two years ago (October 2013) I wrote a blog post titled “Beware Cryptolocker Malware Madness”, a warning about a new strain of ransomware called “Cryptolocker”. At that time, I immediately implemented new protection software and strengthened security policies on the servers and workstations that I manage.

The Detroit Free Press recently ran an updated article about ransomware attacks on computers:


During these past two years, there have been several new variations of this malware threat. It has found its way into home computers as well as multi-national companies. Unfortunately, it is not easily detected by security or anti-virus programs. I have had to clean up a ransomware attack only three times. In all three cases, we had backups available to restore those files that had been encrypted.

When a computer has been attacked, the virus begins to encrypt all your files. Suddenly, you find that you cannot open up letters, pictures, spreadsheets, as well as data files (Quicken, QuickBooks, etc.). And, if your computer is on a home or business local network, this ransomware can quickly spread to other computers or servers.

It is called “ransomware” because you generally have 72 hours to pay the ransom, which can range from $200 to thousands of dollars, to unlock your files. Unless you have a backup of those files, you either pay the ransom or lose those files for good.

In the near future I will be communicating with my clients on additional security precautions I will be recommending to minimize the threat and damage caused by this malware.

Bootstrapper error during Office 2013 installation

I was attempting to install Office 2013 Professional Plus on a new workstation that had already been joined to the SBS 2011 domain. It kept crashing just a few minutes into the installation with the error message: “Microsoft Setup Bootstrapper has stopped working”.


If you search the Microsoft forums, you will see several recommendations, including:

  • Remove all prior installations of Microsoft Office
  • Make sure that the Task Scheduler is running
  • Try burning the Office .iso to a DVD to do the install

In my case, we were good in all those departments.

Then I came across a forum post that raised the question:

Have you implemented a Cryptolocker group policy at your site?

Oh, my, yes! I quickly logged onto the server, moved the new workstation out of its normal OU. Voila! Office 2013 installed immediately.

New Crypto-Locker with DropBox attachment

There has been a rush of reports on newer strains of the Crypto-Locker (Ransomware) type of virus. If it gets on your computer, it will begin encrypting your data files and make them unusable. More importantly, your screen will display a message saying that you must pay $1,000 if you want to restore access to your files.

Now comes word that some of these newer strains are being delivered by dropping files from a rogue DropBox account to your computer via a link in an email.

In fact, I just identified the first of this type of email myself. On further investigation, I found that, indeed, it was associated with DropBox. Fortunately, my spam filter blocked the email.

The email appeared to be a harmless email saying that I had received a fax from a company called J2.com. Here’s the email, as viewed from my spam filter:


The red arrows indicate the two links in the email. If I hover (but don’t click) over either link, this is the URL that it displayed:


Here is a blog post from MXLab on the exact same issue.

So, please — be very careful with emails and attachments.

CryptoLocker Round 3?

I first blogged about the Cryptolocker ransomware a little over a month ago. Since then workstations and servers worldwide have been attacked and compromised, even with the best levels of software and hardware protection in place. And this “cyber nemesis” is still on the move, per a new advisory from US-CERT.

In early October I began a review of the computer systems that I manage on a daily basis to ensure that all systems were clean. Later in the month, I began implementing new security policies on those systems to block the attack and spread of the ransomware. These policies were based on documentation provided by Third Tier, a group of my fellow MVP’ers.

But, the party is not over.

Most often, the CryptoLocker gets loaded via a fake email from companies such as PayPal or FedEx. However, I was just alerted by an I.T. friend of a version of the CryptoLocker that showed up as a voice mail attachment!

If I do not manage your systems on a regular basis, and you would like me to review your computer and implement security policies to minimize the Cryptolocker attacks, please contact me at kw@kwsupport.com.

CryptoLocker Protection Utility for Home Users

Read detailed instructions for installing KW Support’s CryptoLocker Prevention Utility for home computers and for non-domain-joined business computers.


CryptoLocker Group Policy Exceptions

In recent posts (here) I’ve addressed the process of creating Group Policy rules for securing your workstations from attacks like the CryptoLocker ransomware. These rules will prevent random executable files located in your local Application Data folder (AppData) from running.

The vast majority of programs that you may use should not put .exe files in the AppData folder, but every so often we come across an exception. In my case, I tried running Join.Me this morning and was greeted with this pop-up window:


The process of adding an exception to the Software Restriction Rules we previously created is very straightforward:

  1. From the server, open up Group Policy Management console
  2. Drill down Your_domain.local –> MyBusiness –> Computers –> SBSComputers

    Modify the XP rule

  3. Right click on the Prevent CryptoLocker XP rule, and click Edit
  4. Drill down Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  5. Right click on Additional Rules, then click New Path rule… and create a new rule for the exception.
  6. Click OK

    Modify the Vista and higher rule

  7. Right click on the Prevent CryptoLocker Vista and higher rule, and click Edit
  8. Drill down Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  9. Right click on Additional Rules, then click New Path rule… and create a new rule for the exception.
  10. Click OK

You may now wait the appropriate time (somewhere around 90 minutes, I believe) for Group Policy changes to be broadcast to all workstations, or, if you are in a hurry:

  1. From the server, open up an elevated command prompt and run: gpupdate /force
  2. Then from your workstation, open up an elevated command prompt and run: gpupdate /force

You may now test out your application.

Testing your CryptoLocker Group Policy

I posted previously on using Group Policy to establish rules to prevent executable files (.exe) stored in the Windows AppData directory from running, as a way to minimize or prevent the Cryptolocker-type ransomware from infecting your computers.

Someone asked me: “How do I know if the group policy rules are working?”

Good question … easy answer: drop a small executable file into your local AppData directory and try to run it. I like to use notepad.exe for this test.

Here are the steps if doing this from a Vista / Win7 / Win8 workstation:

  1. Open up an elevated command prompt window.
    By default, it should put you into the C:\Windows\System32 folder
  2. Enter the following commands, pressing Enter after each:
    copy notepad.exe %localappdata%
    cd %localappdata%
    notepad.exe
  3. If you receive an error message: “This program is blocked by group policy.” – then your group policy rules are working.
    Congratulations!

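The same notepad.exe test, automated as a PowerShell function (an added example, not code from the original post): it copies notepad.exe under %LOCALAPPDATA%, tries to launch the copy, reports whether the policy blocked it, and cleans up. It assumes the policy has already been applied to the workstation and that a blocked launch surfaces as Win32 error 1260 (ERROR_ACCESS_DISABLED_BY_POLICY) inside the exception Start-Process raises.

```powershell
# Added example (not from the original post): automates the notepad.exe test described above
# on a Vista/Win7/Win8 workstation and reports whether the AppData rule blocked the copy.
# Assumptions: gpupdate /force has already run, and the prompt is elevated.
function Test-AppDataExecutionBlocked {
    $source = Join-Path $env:SystemRoot 'System32\notepad.exe'
    # File name chosen for this test; any *.exe directly under %LOCALAPPDATA% should be caught.
    $target = Join-Path $env:LOCALAPPDATA 'srp-test-notepad.exe'

    Copy-Item -Path $source -Destination $target -Force
    try {
        # When the rule is in effect, Start-Process throws instead of launching the copy.
        $proc = Start-Process -FilePath $target -PassThru -ErrorAction Stop
        Start-Sleep -Seconds 2
        if (-not $proc.HasExited) { Stop-Process -Id $proc.Id -Force }
        Write-Warning "NOT BLOCKED: $target launched. The Software Restriction Policy is not in effect here."
        return $false
    }
    catch {
        # Assumption: the "This program is blocked by group policy." failure arrives as a
        # Win32Exception with NativeErrorCode 1260 (ERROR_ACCESS_DISABLED_BY_POLICY).
        # Any other failure is reported separately so it is not mistaken for a working policy.
        $inner = $_.Exception.InnerException
        if ($inner -is [System.ComponentModel.Win32Exception] -and $inner.NativeErrorCode -eq 1260) {
            Write-Host "BLOCKED: $($inner.Message) -- the AppData rule is working."
            return $true
        }
        Write-Warning "Launch failed for another reason: $($_.Exception.Message)"
        return $false
    }
    finally {
        # Remove the test copy whether or not it ran.
        Remove-Item -Path $target -Force -ErrorAction SilentlyContinue
    }
}

Test-AppDataExecutionBlocked
```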

Block Executables from AppData folder

The SMB Kitchen team from Third Tier has made available (for free) a CryptoLocker Prevention Kit that includes a 20-page document with step-by-step instructions on how to lock down your servers and workstations using Group Policy settings to minimize future attacks.

The purpose of this post is to summarize those steps down to a single page. These steps are specific to SBS 2008/2011, but should be applicable to Windows 2008/2012 servers.

GOAL: create Software Restriction Policies within Group Policies to block executables (.exe) from running when they are located in the AppData folder or subfolders therein.

CREATE POLICIES FOR XP

  1. Open up Group Policy and drill down to Domain –> Computers –> SBSComputers
  2. Right click on SBSComputers and select ‘Create a GPO in this domain and link…’
  3. Title this policy Prevent CryptoLocker XP and click OK
  4. Right click on this policy and select Edit
  5. Navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  6. Right click on Software Restriction Policies and click on ‘New Software Restriction Policies’
  7. Right click on Additional Rules and click on ‘New Path rule’ and then enter the following information and then click OK
    Path = %AppData%\*.exe
    Security Level = Disallowed
    Description: Don’t allow executables from AppData
  8. Repeat Step 7 for AppData subfolders
    Path = %AppData%\*\*.exe
    Security Level = Disallowed
    Description: Don’t allow executables from AppData subfolders
  9. Close this policy configuration window
  10. From the Prevent CryptoLocker XP policy locate WMI filtering near the bottom of the middle frame and select ‘Windows SBS Client – Windows XP’

CREATE POLICIES FOR VISTA / WIN7 / WIN8

  1. Open up Group Policy and drill down to Domain –> Computers –> SBSComputers
  2. Right click on SBSComputers and select ‘Create a GPO in this domain and link…’
  3. Title this policy Prevent CryptoLocker Vista and higher and click OK
  4. Right click on this policy and select Edit
  5. Navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  6. Right click on Software Restriction Policies and click on ‘New Software Restriction Policies’
  7. Right click on Additional Rules and click on ‘New Path rule’ and then enter the following information and then click OK
    Path = %localAppData%\*.exe
    Security Level = Disallowed
    Description: Don’t allow executables from AppData
  8. Repeat Step 7 for AppData subfolders
    Path = %localAppData%\*\*.exe
    Security Level = Disallowed
    Description: Don’t allow executables from AppData subfolders
  9. Close this policy configuration window
  10. From the Prevent CryptoLocker Vista and higher policy locate WMI filtering near the bottom of the middle frame and select ‘Windows SBS Client – Windows Vista’
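To confirm that the path rules created above (and any exception rules added later, as in the Join.Me post) actually reached a workstation, the following PowerShell reads the Software Restriction Policy rules from the local registry after gpupdate. This is an added example, not part of the Third Tier kit or the original post; it assumes the documented SRP layout, where each path rule is a GUID subkey under ...\Safer\CodeIdentifiers\<level>\Paths with ItemData (the path) and Description values, and the level subkeys 0, 131072 and 262144 mean Disallowed, Basic User and Unrestricted.

```powershell
# Added example (not from the Third Tier kit or the original post): lists the SRP path rules
# this workstation received, checks that the two AppData rules are present and Disallowed,
# and prints any Unrestricted rules (exceptions) so they can be reviewed.
# Assumption: Computer Configuration SRP rules land under this HKLM key, one GUID subkey per rule.
$SrpBase   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$SrpLevels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

function Get-SrpPathRule {
    foreach ($level in $SrpLevels.Keys) {
        $pathsKey = Join-Path $SrpBase "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $props = Get-ItemProperty -Path $ruleKey.PSPath
            [pscustomobject]@{
                Level       = $SrpLevels[$level]
                Path        = $props.ItemData
                Description = $props.Description
            }
        }
    }
}

function Test-AppDataRules {
    $rules = @(Get-SrpPathRule)
    # Accept either %AppData% (XP policy) or %localAppData% (Vista and higher policy);
    # WMI filtering means only one of the two GPOs applies to a given machine.
    foreach ($suffix in @('\*.exe', '\*\*.exe')) {
        $pattern = '^%(local)?AppData%' + [regex]::Escape($suffix) + '$'
        $hit = @($rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -match $pattern })
        if ($hit.Count -gt 0) { "OK       Disallowed    $($hit[0].Path)" }
        else                  { "MISSING  Disallowed    %AppData%$suffix (or %localAppData% form)" }
    }
    # Every Unrestricted path rule widens what the policy allows; list each one for review.
    foreach ($ex in ($rules | Where-Object { $_.Level -eq 'Unrestricted' })) {
        "REVIEW   Unrestricted  $($ex.Path)  ($($ex.Description))"
    }
}

Test-AppDataRules
```

Run it on the workstation (not the server) after gpupdate /force on both; a MISSING line means the GPO has not applied there yet, and a REVIEW line shows an exception such as the Join.Me rule.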