Posted on 12/25/2013 6:51:56 PM PST by Nachum
A virulent form of ransomware has now infected about a quarter of a million Windows computers, according to a report by security researchers. Cryptolocker scrambles users' data and then demands a fee to unencrypt it alongside a countdown clock. Dell Secureworks said that the US and UK had been worst affected. It added that the cyber-criminals responsible were now targeting home internet users after initially focusing on professionals. The firm has provided a list of net domains that it suspects have been used to spread the code, but warned that more are being generated every day. Ransomware has existed since at least 1989,
(Excerpt) Read more at bbc.co.uk ...
A freeper on this thread explained how he got out of it in a comment; it had to do with restarting his computer in safe mode.
I had a problem on my last computer with the flash player plug in to IE browser.
It caused Norton to issue a ‘Norton intercepted and deleted a dangerous Trojan virus file’ alert popup every time I went to a new address with IE. Even my home page triggered it.
It was very frustrating and took a while for me to figure out what was causing it. I did the safe mode reboot for that.
One method of tackling the problem is to boot into Safe Mode, restore to an uncontaminated Safe Point, reboot, and then use Malwarebytes and/or other malware removal tools to clean up the malware. Unfortunately, some variants of Ransomware hide on the computer’s hard drive and/or BIOS/UEFI and restore themselves after the cleanup, so when you go to boot the computer the next time or some later time the ransomware disables the computer even more by disabling Safe Mode. The computer either goes into a full boot and presents the ransomware message, or the computer cannot be booted into the operating system.
The next step is to use the BIOS setup utilities or another computer that can deal with malware infections to reformat the hard drive and reinstall the operating system. This will often remove the malware for a while. However, in some instances the ransomware even managed to restore itself immediately after the hard drive had been reformatted and the operating system was reinstalled. Presumably, it did so by hiding enough code on a hidden sector of the hard drive not affected by the reformatting or in the system BIOS/UEFI to bootstrap itself back into the reinstalled operating system. The next attempt to remove this ransomware on these systems resulted in the ransomware blocking any and all efforts to boot the computer at all, whether it was to a full boot, boot to Safe Mode, or a boot to the system BIOS/UEFI.
The next step which has not yet been attempted is to use another used hard drive I can afford to lose and install it as a new hard drive on one of the affected computers. If the ransomware was hidden on an inaccessible area of the original hard drive, replacing the hard drive should be effective in removing the ransomware. However, if the ransomware is hidden in a corrupted BIOS/UEFI, I can expect to see the ransomware infect the replacement hard drive as well and hijack the operating system again, if it will allow the boot process to get even that far.
Your computer is probably repairable by reformatting the hard drive or at least by replacing the hard drive. But don’t be too surprised if you should be unlucky enough to have encountered one of the more vicious and persistent of the ransomware variants. In the worst case scenario with an infection of the BIOS/UEFI, you’ll have to find a means of restoring an uninfected BIOS/UEFI or abandon the system board.
I just had a conversation last night with a manager of a college computer science laboratory. He reports that their Linux and Apple systems were successfully attacked by the Cryptolocker ransomware. They restored their systems with backup images of the operating systems and with backups of the data files.
This Linux and Apple vulnerability to Cryptolocker is confirmed by search engine results, which include reports from a number of other college or university computer labs.
Some of these reports appear to claim Cryptolocker requires the user to open an infected file attachment in order to activate Cryptolocker. Such claims appear to be erroneous, because Cryptolocker seems to be infecting computers without the user having anything to do with e-mail and e-mail file attachments.
Do they have file shares in common? I’ve read that it will seek out those from infected computers.
Nobody using Wine now, we all Virtual Boxing.
Just did such a search and did not find this to be true. Also CERT claims systems affected are "Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems."
You cannot install software on a Linux box without entering the root password.
How does it infect without the user giving it sudo access?
It hides in the boot sector which usually isn’t reformatted unless you do it using 3rd party tools. You’d probably have to run like a fdisk /mbr to clean it the old fashioned way.
Haven't had to do this for a while but I once had some rather nasty malware that even took over during attempts to run the safe mode. Searches led me to this,
* Bring up Task Manager as soon as the computer will let you during startup. To do this, hold down Ctrl-Alt- and only just tap on the Del key. Holding the Del key down will restart the computer. Next you have to be quick with this. Try to identify the bad process. Many malwares have a letter + number combo. Highlight the bad process and hit the End Process button at the bottom right of the Task Manager box. May take a few tries. This should allow one to run junk removal programs. If you don't, most likely the malware will show back up after restart.
The computers affected by Cryptolocker at this college computer laboratory were Linux systems. I asked whether or not they were running WINE or anything like it, and the answer was no.
I have read of an imitator that does run on Mac that looks like Cryptolocker but doesn't actually encrypt the files. This is written in Java so it could also infect Linux if you were to be su when it arrived. Shouldn't routinely be the superuser. Not prudent.
“According to the writeups at CERT and BleepingComputer this is a windows only infection. BleepingComputer goes into excruciating detail on this. This does not infect Linux Boxen, period, end of story.”
That is where you are wrong, because it is merely the beginning of a story which is still unfolding. Yes, it is true that CERT reported it was only a Windows vulnerability to the best of their knowledge at the time (at least the best of their disclosable knowledge).
US-CERT United States Computer Emergency Readiness Team
Alert (TA13-309A)
CryptoLocker Ransomware Infections
Original release date: November 05, 2013 | Last revised: November 18, 2013
http://www.us-cert.gov/ncas/alerts/TA13-309A
Nonetheless, as many of the news reports said Cryptolocker only affected MS Windows computers at the time of those news reports, they also frequently acknowledged it was only a matter of time before Cryptolocker was likely to also affect Apple and Linux systems. Many of these news reports making these claims date from September 2013 through early November 2013.
It is now the end of December 2013, and we now have an unconfirmed report from a Computer Science graduate, mature career IT professional, and current instructor at a college computer laboratory. If his report is accurate, Cryptolocker is now affecting Linux systems which are not running a vulnerable MS Windows VM (Virtual Machine). Like you, I commented upon the reports that claimed Cryptolocker currently affected only MS Windows systems, and he replied by explaining how their Linux systems were affected and the US-CERT alert was now no longer accurate.
It doesn’t do any good to say Cryptolocker is incapable of breaching security to obtain privileges as a superuser with access to root. We have already seen how vulnerabilities in the past have given malware access to superuser privileges and root.
US-CERT United States Computer Emergency Readiness Team
Linux Root Access Vulnerabilities
Original release date: October 25, 2010 | Last revised: October 23, 2012
http://www.us-cert.gov/ncas/current-activity/2010/10/25/Linux-Root-Access-Vulnerabilities
Yes, I did that on one of the Dell Optiplex 755 computers which was compromised again after performing a typical high level format and reinstallation of MS Windows XP. This was the system where the FBI Ransomware disabled access to the AMI BIOS setup. Naturally, it is suspected the malware has hidden in an area of the hard drive which requires a low level format and other special anti-malware disinfection, or the malware has hidden itself in the BIOS firmware.
My or our current bet in this instance is an infection of the BIOS firmware. We’re going to attempt to remove the system board battery to power down the firmware to see if that clears any malware infection in that hiding place. That is a future to do project...not something I can afford to spend time on at present.
“How does it infect without the user giving it sudo access?”
This may give you an idea of how it has occurred in the past with other vulnerabilities:
US-CERT United States Computer Emergency Readiness Team
Linux Root Access Vulnerabilities
Original release date: October 25, 2010 | Last revised: October 23, 2012
http://www.us-cert.gov/ncas/current-activity/2010/10/25/Linux-Root-Access-Vulnerabilities
Have you attempted a reflash of the bios?
Thanks for the read!
“Yes, it is possible to write a virus that behaves as Cryptolocker does on Linux based machines, but very much harder.”
Yes, of course it is. You are being too literal by treating Cryptolocker just as a specific software code, when it is the features of ransomware and destructive data encryption which are the specific behaviors that are associated with the Cryptolocker name. Naturally, any software code which implements the behavior associated with the Cryptolocker name and threats will need radical changes in the actual software code in order to affect operating systems and operating environments that have significantly different architectures. In these circumstances a malware code is all the same grief to the user if it looks and behaves like Cryptolocker. In other words, the user doesn’t much care how it works, except to defeat it, so long as the malware looks and acts the same with the same destructive results.