The story of CryptoLocker... Just happened an hour ago... Thoughts?
-
Here's a quick back story: A user reported a McAfee endpoint alert of a detected Trojan. We inspected her machine and confirmed it was CryptoLocker. We immediately unhooked her machine from our network. We were not sure why or how CryptoLocker gained access to this user's machine. She has been a great user and a very cautious one.
Later we booted her machine with the network cable unhooked to look at her emails and website history... nothing out of the ordinary detected. The machine she used is a hand-me-down machine with at most 2 other users before her. Because it is an older machine, it does not have any backup solution implemented... all her local files are lost.
Upon further inspection, we found that the GPO for preventing CryptoLocker was Denied. We were confused, but quickly attributed it to the GPO replication failure we experienced 2-3 days earlier. Among the Denied GPOs, besides CryptoLocker, are known GPOs that failed to replicate.
Luckily for us we have a backup solution on the server side. We booted every active user out and shut down the shared path to prevent further contamination. All files were restored from the noon backup. Overall, everything is resolved.
Lesson of the day: BACKUP BACKUP BACKUP!!!
Does anyone know how CryptoLocker works? How does it spread to network drives? Does it replicate its Trojan as it encrypts files? Thoughts?
-
It goes to network drives directly by attaching to them from an infected host.
-
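The answer above is the key point for the share side: CryptoLocker reaches network drives through the drives already mapped on the infected host, using that user's own permissions, so the share itself is never "infected", only rewritten. The following Python script is an added example, not code from this thread or from any of its posters. It plants a canary file whose SHA-256 is recorded, then scans a share for a modified or missing canary and for text-type files whose content has become high-entropy (random-looking), which is what an encrypted file looks like. The canary name, the extension list and the entropy threshold are assumptions chosen for the example, and the "share" it scans is a constructed temporary directory.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Text-like extensions that should never look like random bytes. Legitimately
# compressed files (.zip, .jpg, .docx) are also high-entropy, so the entropy
# test is applied only to these types to limit false positives. (Assumed list.)
TEXT_LIKE = {".txt", ".csv", ".log", ".ini", ".xml", ".json"}
ENTROPY_THRESHOLD = 7.5                   # bits per byte; plain text is typically below 5
CANARY_NAME = "_canary_do_not_edit.txt"   # hypothetical canary file name


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`: 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def plant_canary(share_root: Path, content: bytes = b"canary content, leave me alone\n") -> str:
    """Write the canary file into the share and return the SHA-256 hex digest of its content."""
    (share_root / CANARY_NAME).write_bytes(content)
    return hashlib.sha256(content).hexdigest()


def scan_share(share_root, canary_sha256: str, sample_bytes: int = 4096) -> dict:
    """Return findings: whether the canary was tampered with, and text files that look encrypted."""
    share_root = Path(share_root)
    findings = {"canary_modified": False, "high_entropy_text_files": []}

    # Strongest signal: the canary no longer hashes to what we planted (or is gone).
    canary = share_root / CANARY_NAME
    if not canary.is_file() or hashlib.sha256(canary.read_bytes()).hexdigest() != canary_sha256:
        findings["canary_modified"] = True

    # Secondary signal: files that should be readable text now look like random bytes.
    for path in share_root.rglob("*"):
        if path.is_file() and path.suffix.lower() in TEXT_LIKE and path.name != CANARY_NAME:
            with path.open("rb") as fh:
                head = fh.read(sample_bytes)      # a sample is enough; no need to read whole files
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                findings["high_entropy_text_files"].append(path.name)

    findings["high_entropy_text_files"].sort()
    return findings


def build_demo_share(tampered: bool = True) -> tuple:
    """Construct a throwaway 'share': a healthy file, plus (if tampered) an 'encrypted' file and an overwritten canary."""
    root = Path(tempfile.mkdtemp(prefix="share_demo_"))
    canary_hash = plant_canary(root)
    (root / "minutes.txt").write_bytes(b"Meeting minutes: backups verified at noon.\n" * 100)
    if tampered:
        # Simulate what a document looks like after ransomware rewrites it: random-looking bytes.
        (root / "budget.csv").write_bytes(os.urandom(8192))
        (root / CANARY_NAME).write_bytes(os.urandom(64))   # the canary gets rewritten too
    return root, canary_hash


if __name__ == "__main__":
    root, expected = build_demo_share()
    print(scan_share(root, expected))
```

Pointed at a real share root instead of the demo directory, a scheduled run that finds a modified canary is the trigger to do exactly what the original post did: kick active sessions off the share and restore from the last good backup. The share's audit log will then show which account rewrote the canary, which identifies the infected host.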
@scottalanmiller
So by replacing the infected files on the network drive and nuking the local machine... we should be in good shape, right?
-
@LAH3385 said in The story of CryptoLocker... Just happened an hour ago... Thoughts?:
@scottalanmiller
So by replacing the infected files on the network drive and nuking the local machine... we should be in good shape, right?
Hard to say. You got infected from somewhere. Whatever that was is easily still out there.
-
@scottalanmiller said in The story of CryptoLocker... Just happened an hour ago... Thoughts?:
@LAH3385 said in The story of CryptoLocker... Just happened an hour ago... Thoughts?:
@scottalanmiller
So by replacing the infected files on the network drive and nuking the local machine... we should be in good shape, right?
Hard to say. You got infected from somewhere. Whatever that was is easily still out there.
Any thoughts on what we should be on the lookout for? My initial guess is that whatever started it is on the local machine. The hard drive is nuked and rebuilt using a new hard drive.
-
@LAH3385 said in The story of CryptoLocker... Just happened an hour ago... Thoughts?:
@scottalanmiller said in The story of CryptoLocker... Just happened an hour ago... Thoughts?:
@LAH3385 said in The story of CryptoLocker... Just happened an hour ago... Thoughts?:
@scottalanmiller
So by replacing the infected files on the network drive and nuking the local machine... we should be in good shape, right?
Hard to say. You got infected from somewhere. Whatever that was is easily still out there.
Any thoughts on what we should be on the lookout for? My initial guess is that whatever started it is on the local machine. The hard drive is nuked and rebuilt using a new hard drive.
Might be, but it had to get there somehow and get triggered somehow.
-
Was flash up to date? What about 7zip? Any older software?
-
@aaronstuder said in The story of CryptoLocker... Just happened an hour ago... Thoughts?:
Was flash up to date? What about 7zip? Any older software?
I think Flash is the problem also.
-
All we know is that the GPO for CryptoLocker was broken/denied, thus any protection against CryptoLocker was disabled for at most 48 hours. It was a combination of incidents that led to CryptoLocker. I don't think Flash is the cause here.