WARNING: New very dangerous virus that can cripple your business
 Summary of things to do:

 

  • Don’t open attachments in emails you are not expecting (at work and home)
  • Pass this warning on to others, teach them the same practices you follow.
  • Do not visit websites you do not know or trust
  • Do not trust Word (Doc), Adobe (PDF) and other email attachment files
  • Do not forward unusual emails onto other staff members
  • Do not ignore weird popups or things that are running slow or behaving a little “strange”
  • If you start finding files on your system come up as “Corrupt” call your IT!
  • If you start seeing files on your own machine, that are having their names changed or can no longer be opened, unplug your machine from the network immediately and call your IT
  • Make sure you have a backup that is removed from your network daily. It must be powered down and not plugged in. (Dropbox, SkyDrive and the like do not count)
  • Ask your IT to block .JS, .CHM, .EXE and other known attack files from coming in via email (if you have this feature available).

 

A new Ransomware dubbed “CryptoWall 4.0” has been found.
This new virus circumnavigates current antivirus and has new Features such as Encrypted File Names.
CryptoWall continues to use the same e-mail and website distribution methods as previous version.  The samples we analysed were pretending to be a resume inside a zipped e-mail attachments.
These resumes, though, were actually JavaScript (.JS)  files that when executed would download an executable, save it to a temporary folder, and the execute it.

CryptoWall 4.0 continues to utilize the same Decrypt Service site as previous versions.  From this site a victim can make payments, find out the status of a payment, get one free decryption, and create support requests.

We have passed along a sample of this virus to Antivirus companies and they are working towards a solution.

This virus first reported on the Bleeping computer forums
For those that want more technical detail:
When installed CryptoWall 4.0 will inject itself into Explorer.exe and disable System Restore, delete all Shadow Volume Copies, and use bcdedit to turn off Windows Startup Repair.
It will then inject itself into svchost.exe and encrypt the data on all local drives, removable drives, and mapped network drives.
Once it has completed encrypting your files it will launch the ransom notes that explain what happened and how to purchase the decrypter.

 The more people you pass this blog to, the more you can help stamp out these types of threats. Reducing the likelihood of this virus being triggered, reduces the virus writers payday.

 SAVE THE DAY, REDUCE THEIR PAY DAY!