URGENT:

A ransomware virus called "CryptoLocker" is currently in circulation. If a user's machine becomes infected with CryptoLocker, the malware can encrypt, or "lock down", every file it can reach on your network. Once encrypted, these files may remain inaccessible indefinitely.

The CryptoLocker virus is typically spread through emails purporting to come from customer support representatives of FedEx, UPS, DHL, etc. These fraudulent emails usually reference your tracking number or account and contain a zip attachment that carries the virus. The zip attachment is often disguised as a harmless PDF file.

Emails containing this virus may be blocked by various threat mitigation tools already in place on your network, such as Firewall/Email Filtering and Desktop AntiVirus.  However, because of the potential severity of this virus, Tier1Net recommends using extra caution when opening email attachments.

Tier1Net urges you to remind employees to use diligence when opening email attachments or clicking on links within email.

If someone at your company believes they have been infected with the CryptoLocker virus, please disconnect their machine from the network immediately and contact Tier1Net.

For more information, please read the release below, from the National Cybersecurity and Communications Integration Center:

TA13-309A: CryptoLocker Ransomware Infections

Original release date: November 05, 2013 | Last revised: November 06, 2013

Systems Affected

Microsoft Windows systems running Windows 7, Vista, and XP operating systems

Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.  If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.  US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Solution

Prevention

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

  • Do not follow unsolicited web links in email messages or submit any information to webpages in links
  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments
  • Maintain up-to-date anti-virus software
  • Perform regular backups of all systems to limit the impact of data and/or system loss
  • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity
  • Secure open-share drives by only allowing connections from authorized users
  • Keep your operating system and software up-to-date with the latest patches
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams
  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks


Why can email attachments be dangerous?

Some of the characteristics that make email attachments convenient and popular are also the ones that make them a common tool for attackers:

  • Email is easily circulated – Forwarding email is so simple that viruses can quickly infect many machines. Most viruses don’t even require users to forward the email—they scan a users’ computer for email addresses and automatically send the infected message to all of the addresses they find. Attackers take advantage of the reality that most users will automatically trust and open any message that comes from someone they know.
  • Email programs try to address all users’ needs – Almost any type of file can be attached to an email message, so attackers have more freedom with the types of viruses they can send.
  • Email programs offer many “user-friendly” features – Some email programs have the option to automatically download email attachments, which immediately exposes your computer to any viruses within the attachments.

What steps can you take to protect yourself and others in your address book?

  • Be wary of unsolicited attachments, even from people you know – Just because an email message looks like it came from your mom, grandma, or boss doesn’t mean that it did. Many viruses can “spoof” the return address, making it look like the message came from someone else. If you can, check with the person who supposedly sent the message to make sure it’s legitimate before opening any attachments. This includes email messages that appear to be from your ISP or software vendor and claim to include patches or anti-virus software. ISPs and software vendors do not send patches or software in email.
  • Keep software up to date – Install software patches so that attackers can’t take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it.
  • Trust your instincts – If an email or email attachment seems suspicious, don’t open it, even if your anti-virus software indicates that the message is clean. Attackers are constantly releasing new viruses, and the anti-virus software might not have the signature. At the very least, contact the person who supposedly sent the message to make sure it’s legitimate before you open the attachment. However, especially in the case of forwards, even messages sent by a legitimate sender might contain a virus. If something about the email or the attachment makes you uncomfortable, there may be a good reason. Don’t let your curiosity put your computer at risk.
  • Save and scan any attachments before opening them – If you have to open an attachment before you can verify the source, take the following steps:
    1. Be sure the signatures in your anti-virus software are up to date.
    2. Save the file to your computer or a disk.
    3. Manually scan the file using your anti-virus software.
    4. If the file is clean and doesn’t seem suspicious, go ahead and open it.
  • Turn off the option to automatically download attachments – To simplify the process of reading email, many email programs offer the feature to automatically download attachments. Check your settings to see if your software offers the option, and make sure to disable it.
  • Consider creating separate accounts on your computer – Most operating systems give you the option of creating multiple user accounts with different privileges. Consider reading your email on an account with restricted privileges. Some viruses need “administrator” privileges to infect a computer.
  • Apply additional security practices – You may be able to filter certain types of attachments through your email software or a firewall.
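The Tier1Net notice above describes the CryptoLocker lure as a zip attachment disguised as a harmless PDF, and the tip list recommends saving and scanning attachments before opening them and filtering attachment types. The following Python script is an added example written for this page, not code from US-CERT, Tier1Net or any product; it triages an attachment on the defender's side by comparing the file name against the leading bytes of its content, listing the members of a zip, and flagging executable and double extensions (the `tracking_info.pdf.exe` pattern). The extension lists, function names and the two sample attachments are constructed for the example.

```python
import io
import zipfile

# Hypothetical policy lists for this example, not lists prescribed by the advisory.
# Extensions that Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# "Harmless-looking" extensions used as the first half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}
# Leading bytes of the few formats this example recognises.
MAGIC = [(b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"MZ", "exe")]


def sniff_type(data):
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def extensions_of(name):
    """Return every extension in the base name, e.g. 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def check_name(name):
    """Flag executable extensions and pdf.exe-style double extensions in a file name."""
    findings = []
    exts = extensions_of(name)
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        findings.append(f"{name}: executable extension {exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            findings.append(f"{name}: double extension {''.join(exts[-2:])}")
    return findings


def triage_attachment(filename, data):
    """Return a list of findings for one attachment; an empty list means nothing suspicious."""
    findings = check_name(filename)
    kind = sniff_type(data)
    exts = extensions_of(filename)
    # The name claims a PDF but the bytes say otherwise.
    if exts and exts[-1] == ".pdf" and kind != "pdf":
        findings.append(f"{filename}: named .pdf but content is {kind}")
    if kind == "exe":
        findings.append(f"{filename}: content is a Windows executable (MZ header)")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    findings.extend(f"{filename}: {f}" for f in check_name(info.filename))
                    if info.flag_bits & 0x1:
                        # Encrypted members cannot be inspected; treat that as a finding.
                        findings.append(f"{filename}: {info.filename}: encrypted zip entry, cannot inspect")
                        continue
                    with zf.open(info) as fh:
                        if sniff_type(fh.read(4)) == "exe":
                            findings.append(f"{filename}: {info.filename}: contains a Windows executable (MZ header)")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: malformed zip archive")
    return findings


def build_sample_phish_zip():
    """Constructed sample: a zip carrying 'tracking_info.pdf.exe' with an MZ header (no real code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tracking_info.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def build_sample_benign_zip():
    """Constructed sample: a zip carrying an ordinary PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n% constructed sample document\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [("FedEx_Tracking_ID.zip", build_sample_phish_zip()),
                       ("invoice.zip", build_sample_benign_zip()),
                       ("statement.pdf", b"%PDF-1.4\n")]:
        result = triage_attachment(name, data)
        print(name, "->", result if result else "no findings")
```

The content check matters more than the name check: a mail filter that only looks at extensions is defeated by renaming, whereas the `%PDF` and `MZ` headers describe what the bytes actually are. Encrypted zip members are flagged rather than skipped, since a scanner cannot see inside them and the user would otherwise be tempted to open the archive unscanned.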

Both the National Cyber Security Alliance and US-CERT have identified this topic as one of the top tips for home users.

Authors

Mindi McDowell and Allen Householder

Tier1Net would like to congratulate its founder and CEO Marc Capobianco for participating in the Ironman World Championship last Saturday!  Marc finished the race in 9:42:24, ranking 398 in a field of over 2000 elite athletes.

A triathlete for six years, this was Marc’s first entrance to the prestigious and exclusive Ironman World Championship.

Held annually in Kona, Hawaii, the Ironman World Championship brings together the world’s best triathletes for a single day of three demanding endurance races:  the 2.4 mile Waikiki Roughwater Swim, 112 miles of the Around-O’ahu Bike Race, and the 26.2 mile Honolulu Marathon.

Congratulations again to Marc for this outstanding accomplishment!

Early this year, Microsoft discontinued Office 2010 and launched Office 2013.

As with most new Microsoft releases, we advise that clients refrain from deploying Office 2013 in their environments until it has been fully tested for compatibility.

Since many new desktop/laptop purchases will only have software pre-installation options for Office 2013, we also recommend a review of Office 2013 compatibility as soon as possible. Tier1Net advises fully testing Office 2013 in your company’s environment, specifically with regards to your third party applications. This proactive testing will determine if Office 2013 is a fit for your company, and will help avoid unnecessary and costly Open Volume license downgrades on future purchases.

Please contact Tier1Net if you would like to discuss Office 2013 testing strategies for your company, or if you have any questions.

Responding swiftly to the critical Exchange bug in iOS 6.1, Apple has released iOS 6.1.2 which apparently resolves the excessive logging issue.

Both Apple and Microsoft advise of this fix.

We recommend that previously affected iPhone/iPad clients upgrade to iOS 6.1.2 and re-enable calendar synching on their mobile device.

If the iOS 6.1.2 upgrade is not appearing on your mobile device, you may need to power your device off and on and try again.

Once upgraded to iOS 6.1.2, you may re-enable calendar synching with the following steps:

Go to: Settings > Mail, Contacts, Calendars > select your Exchange account > slide the Calendar switch to the ON position.

Tier1Net will continue to monitor affected Exchange servers and will notify you of any continued excessive logging issues.


Dear Tier1Net Clients:

Please be advised that Tier1Net has activated our Emergency Action Procedures in preparation for the winter storm that will be affecting our area on Friday and continuing into the weekend. Tier1Net will be fully staffed and open for business on Friday and actively monitoring the storm. Additionally, we are performing complete checks of our emergency systems and verifying critical infrastructure operations and have reviewed our established emergency communication procedures to guard against potential impact from the storm.

Tier1Net will continue to monitor the progress of the storm and the status of our operations and facilities, and immediately communicate any critical updates or necessary emergency actions to our customers.

Should you have any questions, please feel free to contact us.

Thank you, and have a safe weekend!

Tier1Net is excited to announce its new website launch in October 2012.

Our new site will be a one stop resource for all our client needs, including the Online Customer Portal, the Help Desk Login (formerly at bostonithelp.com), and our new Blog.

Thanks for stopping by!

- Tier1Net