Batten down the hatches for CryptoLocker

On November 13, 2013, in Security, by

Passing this along from Derek Knight:

“It is going to get worse. We saw a massive increase in the last 2 days of new ransomware droppers in attacks that are very likely to succeed with typical social engineering tricks.

Yesterday for example we saw thousands of emails sent by botnets with plausible tricks to get them to open the attachments.

They ranged from Amazon delivery notices (how many users will order from Amazon each day? If 5% fall for it, that is hundreds of thousands of potential victims) to the perennial tax notice, and the latest one is

All ones that unwary users in a corporate environment will fall for easily, as well as home users.

The other big run yesterday was the old “here is the photo I promised you”, and if your system is set to hide file extensions, as most are, all you see once you unzip is photoname.jpg (the .exe suffix goes missing).

The email appears to come from someone you know, with a single name like Fred or Janet or another common name.

All of these should be so well known by now that we hope users don’t fall for them, but we know that a high proportion of users will blindly open any file sent to them if it gets past either the corporate firewall/application control or the home user’s AV.”


One Response to Batten down the hatches for CryptoLocker

  1. Indy says:

    Just an FYI: about 3 weeks now blocking *.exe in all %userprofile% and subdirectories. Most CryptoLocker guides have you only block %appdata% and other temp working directories. I don’t find that sufficient.

    For those users with Chrome and Spotify and other programs that put executables within that directory, we reinstalled in default program directories without issue.

    This is standard from here on out. Even pushed up to administrator computers. Been working great.
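An added example, not code from the post or from the comment above, of the check and the rule the comment describes: a PowerShell inventory of every .exe under the user profile with its Authenticode signer (so that legitimately signed programs such as Chrome or Spotify can be moved to Program Files first), followed by a function that writes the matching Software Restriction Policy deny rules. It assumes SRP is the enforcement mechanism (the comment does not say which was used), PowerShell 3 or later, and an elevated session on a test machine for the second function.

```powershell
# Added example. Assumes Software Restriction Policies (SRP) as the blocking
# mechanism and an elevated session for New-SrpProfileExeDenyRules.

# Step 1: audit. Every .exe under the profile with its signature status, so
# signed, in-use programs can be relocated and unsigned ones triaged first.
function Get-ProfileExeInventory {
    param([string]$ProfilePath = $env:USERPROFILE)
    Get-ChildItem -LiteralPath $ProfilePath -Filter *.exe -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Directory = $_.DirectoryName
                Name      = $_.Name
                SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Modified  = $_.LastWriteTime
            }
        } | Sort-Object SigStatus, Directory
}

# Step 2: enforce. In an SRP path rule '*' matches a single directory level, so
# "all subdirectories" needs one Disallowed rule per depth. The rules go to the
# local-policy registry location that the SRP editor (secpol.msc) itself writes.
function New-SrpProfileExeDenyRules {
    param([int]$MaxDepth = 6, [string]$Root = '%USERPROFILE%')
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    New-Item -Path "$base\0\Paths" -Force | Out-Null
    # DefaultLevel 0x40000 = Unrestricted: only the explicit rules below deny.
    Set-ItemProperty -Path $base -Name DefaultLevel -Value 0x40000 -Type DWord
    Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1 -Type DWord
    # PolicyScope 0 = apply to all users, administrators included.
    Set-ItemProperty -Path $base -Name PolicyScope -Value 0 -Type DWord
    $created = @()
    for ($d = 0; $d -le $MaxDepth; $d++) {
        $pattern = $Root + ('\*' * $d) + '\*.exe'     # %USERPROFILE%\*\*.exe etc.
        $key = "$base\0\Paths\$([guid]::NewGuid().ToString('B'))"   # "0" = Disallowed level
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name ItemData -Value $pattern -Type ExpandString
        Set-ItemProperty -Path $key -Name SaferFlags -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name Description -Value "Deny exe under user profile (depth $d)" -Type String
        $created += $pattern
    }
    $created   # the path patterns that were written
}
```

Run the inventory first and relocate anything signed and in use, then apply the rules on a test machine and confirm after a log-off/log-on that a harmless .exe copied under the profile is refused.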