A new CryptoLocker campaign is spreading through plain-text emails that mimic a fax-to-email service and provide a link to a file hosted on Dropbox. The malware is not a flaw in Dropbox itself; it is simply the file host the criminals are using right now. While we expect Dropbox to take the hosted files down as they are reported, we suggest that you do not click on any email link to a Dropbox file in the near future.
Here is an example of one of the emails you might receive. Discard any email that looks like this:
From: fax [mailto:fax@[your domain]]
Sent: Thursday, June 05
To: [Your Email]
Subject: You’ve received a new fax
New fax at SCAN4226279 from EPSON by https://[your domain]
Scan date: Thu, 5 Jun 2014 13:33:35 -0600
Number of pages: 2
Resolution: 400×400 DPI
You can download your fax message at:
https://www.dropbox.com/meta_dl/(random alphanumeric code)
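The three things that give this message away are that the sender claims to be inside your own domain, the subject and body use a fax/scanner lure, and the "download" link points at a public file-hosting service rather than at the sender's own server. The PowerShell below is an added example, not part of the original post, that scores a raw message on exactly those indicators. The sample message is constructed to mirror the email above: example.com stands in for [your domain], the Dropbox path token is made up, and the list of file-hosting domains is an assumption you would extend for your own environment.

```powershell
# Added example (not from the original post): heuristic check for the fax-lure
# phishing pattern. Constructed sample message; "example.com" stands in for
# "[your domain]" and the Dropbox path token is invented.
$SampleMessage = @'
From: fax <fax@example.com>
To: alice@example.com
Subject: You've received a new fax
Date: Thu, 5 Jun 2014 13:33:35 -0600

New fax at SCAN4226279 from EPSON by https://example.com
Scan date: Thu, 5 Jun 2014 13:33:35 -0600
Number of pages: 2
Resolution: 400x400 DPI

You can download your fax message at:
https://www.dropbox.com/meta_dl/AbCd1234xyz
'@

# Public file-hosting domains a genuine fax-to-email service would not use
# (assumed list; extend for your environment).
$FileHosts = @('dropbox.com', 'dropboxusercontent.com')

function Get-MailDomain {
    # Return the lower-cased domain part of the first address in a header value.
    param([string]$HeaderValue)
    if ($HeaderValue -match '[\w.+-]+@([\w.-]+)') { return $Matches[1].ToLower() }
    return $null
}

function Test-FaxLurePhish {
    param([Parameter(Mandatory=$true)][string]$RawMessage)

    # Split headers from body at the first blank line (RFC 5322 layout).
    $parts   = $RawMessage -split '\r?\n\r?\n', 2
    $headers = @{}
    foreach ($line in ($parts[0] -split '\r?\n')) {
        if ($line -match '^([\w-]+):\s*(.*)$') { $headers[$Matches[1].ToLower()] = $Matches[2] }
    }
    $body = if ($parts.Count -gt 1) { $parts[1] } else { '' }

    $fromDomain = Get-MailDomain $headers['from']
    $toDomain   = Get-MailDomain $headers['to']
    $urls = [regex]::Matches($body, 'https?://[^\s<>"]+') | ForEach-Object { $_.Value }

    $indicators = @()
    # 1. The sender claims to be inside the recipient's own domain.
    if ($fromDomain -and ($fromDomain -eq $toDomain)) { $indicators += 'sender-in-recipient-domain' }
    # 2. Fax/scanner lure in the subject or body.
    if (($headers['subject'] + ' ' + $body) -match '\b(fax|scan)') { $indicators += 'fax-lure' }
    # 3. A link points at a public file host instead of the sender's own domain.
    foreach ($u in $urls) {
        $uri = $u -as [uri]
        if (-not $uri -or -not $uri.Host) { continue }
        $uriHost = $uri.Host.ToLower()
        foreach ($fh in $FileHosts) {
            if ($uriHost -eq $fh -or $uriHost.EndsWith(".$fh")) {
                $indicators += "external-file-host:$uriHost"
                break
            }
        }
    }

    # Two or more indicators together is the pattern described above.
    [pscustomobject]@{
        Suspicious = ($indicators.Count -ge 2)
        Indicators = $indicators
        Links      = $urls
    }
}

Test-FaxLurePhish -RawMessage $SampleMessage | Format-List
```

On the constructed sample all three indicators fire. Any one of them alone is common in legitimate mail (internal senders, real scanners, shared Dropbox links), which is why the function only flags a message when at least two appear together.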
A great resource for finding, fighting and preventing the virus is the CryptoLocker guide published by the good people at BleepingComputer.
They even provide a link to a prevention tool. Here is an excerpt from the guide:
You can use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths. For more information on how to configure Software Restriction Policies, please see these articles from MS:
The file paths that have been used by this infection and its droppers are:
C:\Documents and Settings\<User>\Application Data\<random>.exe (XP)
C:\Documents and Settings\<User>\Local Application Data\<random>.exe (XP)
In order to block the CryptoLocker and Zbot infections, you want to create Path Rules so that they are not allowed to execute. To create these Software Restriction Policies, you can either use the CryptoPrevent tool or add the policies manually. Both methods are described below.
FoolishIT LLC was kind enough to create a free utility called CryptoPrevent that automatically adds the suggested Software Restriction Policy Path Rules listed below to your computer. This makes it very easy for anyone using Windows XP SP2 and above to quickly add the Software Restriction Policies to your computer in order to prevent CryptoLocker and Zbot from being executed in the first place.
A new feature of CryptoPrevent is the option to whitelist any existing programs in %AppData% or %LocalAppData%. This is a useful feature as it will make sure the restrictions that are put in place do not affect legitimate applications that are already installed on your computer. To use this feature make sure you check the option labeled Whitelist EXEs already located in %appdata% / %localappdata% before you press the Block button.
You can download CryptoPrevent from the following page:
For more information on how to use the tool, please see this page:
Once you run the program, simply click on the Block button to add the Software Restriction Policies to your computer. If CryptoPrevent causes issues running legitimate applications, then please see this section on how to enable specific applications. You can also remove the Software Restriction Policies that were added by clicking on the Undo button.
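For anyone who would rather script the manual method than run a third-party tool, the PowerShell below is an added example, not code from the BleepingComputer guide or from CryptoPrevent, that creates the same kind of Software Restriction Policy path rules described in the excerpt, with the same whitelist-existing-EXEs option and an Undo. It assumes (this is not stated on the page) that the local SRP policy is stored under HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, that the "0" subkey holds Disallowed rules and "262144" (0x40000) holds Unrestricted rules, that each rule is a GUID-named subkey carrying ItemData and SaferFlags values, and that a more specific path rule takes precedence over a broader one. The %AppData% and %LocalAppData% rule paths are the environment-variable form of the XP paths listed above; the CryptoLocker-block description tag is my own marker.

```powershell
# Added example (not from the guide and not CryptoPrevent's code): Software
# Restriction Policy path rules written directly to the registry-backed local
# policy. Assumed registry layout: <root>\<level>\Paths\{GUID} with ItemData and
# SaferFlags values; level 0 = Disallowed, 262144 (0x40000) = Unrestricted.
# Run from an elevated PowerShell prompt.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 0x40000
$Tag          = 'CryptoLocker-block'   # marker so Undo-SrpRules can find our rules

# Path rules from the guide, in environment-variable form so they apply to every
# profile. On XP %LocalAppData% is not defined; use the literal
# "Local Settings\Application Data" path there instead (assumption).
$BlockRules = @(
    '%AppData%\*.exe',
    '%LocalAppData%\*.exe'
)

function Initialize-Srp {
    # Create the policy root with an Unrestricted default so only our rules block.
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1             -Type DWord
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0             -Type DWord   # all users
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][int]$Level,
        [string]$Description = $Tag
    )
    $guid = [guid]::NewGuid().ToString('B')
    $key  = '{0}\{1}\Paths\{2}' -f $Safer, $Level, $guid
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    return $key
}

function Add-SrpWhitelistExisting {
    # Unrestricted rules for EXEs already sitting directly in %AppData% and
    # %LocalAppData%, so the block rules do not break installed programs
    # (the whitelist option the guide describes for CryptoPrevent).
    foreach ($dir in @($env:APPDATA, $env:LOCALAPPDATA)) {
        if (-not $dir -or -not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter *.exe -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { Add-SrpPathRule -Path $_.FullName -Level $Unrestricted -Description "$Tag whitelist" | Out-Null }
    }
}

function Undo-SrpRules {
    # Remove every rule this script created, at both levels (like the Undo button).
    foreach ($level in @($Disallowed, $Unrestricted)) {
        $paths = '{0}\{1}\Paths' -f $Safer, $level
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem -Path $paths | Where-Object {
            (Get-ItemProperty -Path $_.PSPath -Name Description -ErrorAction SilentlyContinue).Description -like "$Tag*"
        } | Remove-Item -Recurse -Force
    }
}

Initialize-Srp
foreach ($rule in $BlockRules) { Add-SrpPathRule -Path $rule -Level $Disallowed | Out-Null }
Add-SrpWhitelistExisting
# The rules apply to processes started after the policy is re-read:
# run "gpupdate /force" or log off and on, then test with a harmless EXE
# copied into %AppData% before relying on it.
```

Whitelist first, then verify: copy a known-good EXE into %AppData%, confirm it is blocked, then confirm a program you whitelisted still starts. If a legitimate application later breaks, run Add-SrpPathRule for its full path at the Unrestricted level rather than removing the block rules.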
Internet Explorer is being attacked again! A new zero-day vulnerability has been found that affects all versions of Internet Explorer. Microsoft is looking into it and a fix is likely coming soon. In the meantime, here is what they are saying…
According to the Microsoft website:
The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
Basically, if you visit a malicious page in Internet Explorer, the attacker can run any program they want, with the same rights as the account you are logged in with (one more reason to browse from a standard user account rather than an administrator account). So if you are like over half of the internet users out there and you haven’t already done so, consider switching your default browser.
There are several other options out there to replace your default browser. All will import your current Internet Explorer favorites and saved passwords.
We like this browser for its simplicity, speed and integration with the Google ecosystem.
Similar look and feel to Internet Explorer. Great plugins, and a large community.
Consistently one of the fastest browsers. It’s a strong alternative to Internet Explorer.
Over the past few weeks we have seen an increase in the number of infections by this virus. It encrypts your files with a strong RSA key pair and demands payment before the criminals will send you the private key needed to decrypt them; the encryption itself is not practical to crack, and removing the virus does not decrypt the files. In most cases it is not possible to recover the files. The sooner you notice the infection and bring the machine in (powering it off stops the encryption from progressing), the more likely we can save some of your data before everything is encrypted.
Spread through email attachments and links, this ransomware has been seen targeting companies through phishing attacks. CryptoLocker encrypts users’ files using asymmetric encryption, which uses a pair of keys: the public key used on the victim’s machine can only encrypt, and only the matching private key can decrypt, each the inverse of the other.
The bad news is that decryption is impossible without the private key, which is held only on the cybercriminals’ server.
Currently, infected users are instructed to pay up to $1000 USD to receive this private key.
Infected users also have a time limit to send the payment. If this time elapses, the private key is destroyed, and your files may be lost forever.
Files targeted are those commonly found on most PCs today; the targeted file extensions include:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx
In some cases it may be possible to recover previous versions of the encrypted files from Volume Shadow Copies, using the Previous Versions tab, System Restore or recovery software that reads shadow copies, provided the shadow copies are still present on the drive.
Do not open unsolicited email attachments or links! We can’t stress this enough!
At the moment the only reliable protection against this infection is a full, current backup of your data. With the low cost of external drives and Network Attached Storage these days, a backup is a must for any household, but keep it disconnected or versioned: the virus also encrypts files on any drive or network share the infected PC can write to, so an always-connected backup can be lost along with the originals. This outbreak only serves as another reminder that you should be doing your backups. How much are your photos and information worth to you if you were to lose them?
If you need any further help, please do not hesitate to call us for help
Your friends at Gpro PC