Old October 27th, 2014, 08:36 PM   #1
keegen01
Cryptowall virus?

Has anyone picked up the Cryptowall Ransom Hijack? I got it last week, I think from here or a link from here. I was in the Jeana Tomasino thread when it happened. It encrypts all your picture files and holds them for ransom.
Old October 27th, 2014, 11:08 PM   #2
keegen01

Quote:
Originally Posted by NIN
Before you start blaming the forum or links posted here, you really should have thanked a few of those posters.
That way you might have stood a chance on backtracking & finding the culprit or perhaps they may think you've got your just deserts.

Wasn't trying to blame anyone. Just seeing if anyone else got it.
Old October 28th, 2014, 04:04 AM   #3
buttsie

Most likely it came via the ads on the 3rd party host site.

Bleeping Computer initially said it was spread by pdf zipfile in emails.

Towards the end of April the developers of CryptoDefense released a new Ransomware variant titled CryptoWall. This variant is for the most part the same as CryptoDefense other than the name change and different filenames for the ransom instructions. It is speculated that the developers either released a new version because CryptoDefense was too well known by AV vendors or that they sold the code base to another malware developer. Unfortunately, just like the latest versions of CryptoDefense it is impossible to decrypt files that are encrypted by CryptoWall.

http://www.bleepingcomputer.com/viru...re-information

http://www.bleepingcomputer.com/foru...cryptodefense/

but

Security researchers at Proofpoint warn that a new variant of CryptoWall recently spread through malicious banner ads. Surfers ran a risk of being faced with ransomware purely by visiting one of the impacted sites, which included various properties in the Yahoo!, Match.com, and AOL domains, among others.

source 23 Oct 2014
http://www.theregister.co.uk/2014/10...sing_outbreak/


Blocking ads & scripts is the least you should be doing to avoid it.

http://www.techsupportalert.com/cont...y-concerns.htm

Last edited by buttsie; October 28th, 2014 at 09:03 AM.. Reason: adding date
Old October 28th, 2014, 04:38 PM   #4
keegen01
Thanks for the info, that's more than I found. I just wanted to spread the word so no one else got it, if it was here.
Old October 28th, 2014, 11:32 PM   #5
keegen01

Quote:
Originally Posted by flywax
I have gotten pages that lock my browser and say the same thing but I can access my files after! Can you access your files keegen01? Or is it just saying that to scare you into paying!?

If this virus does work and fubars our files I think my days surfing porn here may be done!

No, can't get to them with anything. I had everything on an external hard drive and they encrypted it all. The C Drive doesn't seem to be affected at all, which seems strange?
Old October 30th, 2014, 11:54 PM   #6
buttsie

No, it mostly goes after wherever it can find the heaviest traffic.

Social media pages are its latest target... mobile phones are in the mix as well
High profile celebrities recently in the news
FREE - take your pick - pirate sites offering - TV, movies, gaming, cracked software etc

If you're getting the .1% of malicious ransomware (as we speak the latest now has 80+ different versions) then you have a vulnerable security hole
and that's not going away because you don't click on porn.

I've surfed through 100,000+ porn pages, probably more,
and never got hit with the serious end of ransomware ever,
though I have had other infections that exploited vulnerable programs like
Java (JRE).

Some IT pros reckon you can use programs like TrueCrypt etc and store content on hard drives safe from ransomware.

Some have questions over their own security

A bit like the questions which surround the security of USB sticks

http://www.techsupportalert.com/best...on-utility.htm



The bottom line in all this is if you value it you back it up and store it offline
so you can remove the ransomware and then restore your files.

Other solutions have too many risks

Last edited by buttsie; October 31st, 2014 at 05:15 AM.. Reason: adding
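
An added example, not part of the thread: one way to act on the offline-backup advice above is to record a hash manifest while the files are known good, keep it with the offline copy, and later use it to see which files on a drive need restoring. The function names and sample files are invented here, and it assumes an encrypted picture no longer starts with its format's signature.

```python
import hashlib
import tempfile
from pathlib import Path

# Leading "magic" bytes of common picture formats (real, well-known values).
SIGNATURES = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
              ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256, recorded while the files are known good."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def header_ok(path):
    """True if the file still starts with the signature its extension implies."""
    sig = SIGNATURES.get(path.suffix.lower(), b"")  # unknown type: no opinion
    with open(path, "rb") as f:
        return f.read(len(sig)) == sig

def triage(root, manifest):
    """Classify every manifest entry as ok / missing / changed / damaged."""
    root, report = Path(root), {}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            report[rel] = "missing"   # deleted or renamed since the manifest
        elif sha256_of(p) == digest:
            report[rel] = "ok"
        else:  # content differs; assumption: encryption also destroys the header
            report[rel] = "changed" if header_ok(p) else "damaged"
    return report

def demo():
    """Constructed sample data: three fake pictures, one overwritten, one removed."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "a.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"A" * 64)
        (root / "b.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"B" * 64)
        (root / "c.gif").write_bytes(b"GIF89a" + b"C" * 64)
        manifest = build_manifest(root)
        (root / "a.jpg").write_bytes(b"\x00" * 68)  # stand-in for unreadable data
        (root / "c.gif").unlink()
        return triage(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Run `triage` against the backup copy as well before restoring: every entry there should come back "ok".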
Old October 31st, 2014, 03:12 AM   #7
buttsie
Follow up link

Seems this ad attack vector has been going since late September 2014
but only became significant recently.


"Using Adobe Flash, the malvertisements silently “pull in” malicious exploits from the FlashPack Exploit Kit."

If you're purely browsing and not going to be watching streaming videos,
disable the Adobe plugin, which is usually under something like Shockwave Flash.
Found in most browsers under tools / add-ons / plug-ins.

Saves you getting a drive-by shooting by something you're not even using.

Researchers observed three major ad networks delivering malvertisements to websites: OpenX, Rubicon Project and Right Media/Yahoo Advertising.

source

http://www.securityweek.com/malverti...tes-ransomware


List of websites affected



Which websites were impacted?

Proofpoint detected that the following large websites were serving malvertisements which delivered the FlashPack exploit kit to visitors. The sites themselves were not compromised; rather, the advertising networks upon which they relied for dynamic content were inadvertently serving malware – which in turn, was not due to an explicit compromise of the networks; rather, it was due to the networks accepting ads from a malicious source without screening detection. The sites' domain and Alexa rankings are displayed in parenthesis after each in order to provide context of potential end-user impact. All told, more than 3 million visitors per day were potentially exposed to this malvertising campaign.

Yahoo! Finance, Fantasy and Sports (yahoo.com, Global 4, US 4),
AOL (realestate.aol.com, US 37, Global 119),
The Atlantic ( theatlantic.com, US 386, Global 1,206),
9GAG (9gag.com, US 528, Global 201,),
match.com (US 203, Global 631),
The Sydney Morning Herald ( .smh.com.au Australia 13, Global 780),
realestate.com.au (Australia 17, Global 1,656),
The Age (theage.com.au, Australia 34),
stuff.co.nz (New Zealand 9),
societe.com (France 54, Global 1,649),
Dumpert (dumpert.nl, Netherlands 24),
Flirchi (flirchi.com, India 106, Global 1,129),
Weatherzone Australia (weatherzone.com.au, Australia 111),
Brisbane Times (brisbanebrisbanetimes.com.au, Australia 183),
RSVP (rsvp.com.au, Australia 351),
The Canberra Times (canberratimes.com.au, Australia 403),
Time Out (US 1,145, Global 1,816),
The Beacon-News (beaconnews.suntimes.com, US 1,178),
Merca2.0 (merca20.com, Mexico 229),
clicccar.com (Japan 1,124),
iPhone for Hong Kong (iphone4hongkong.com, HK 112),
Noticias Argentinas (noticiasargentinas.com, Argentina 784)

source

http://www.proofpoint.com/threatinsi...zes-brands.php

When did this take place?

Proofpoint systems first detected isolated instances of this malvertising activity in late September; however the instances did not reach a significant level of activity until very recently. After crossing a threshold level, it became possible to associate the disparate instances with a single campaign impacting numerous, high-traffic sites.

Proofpoint subsequently worked quickly to inform the affected parties, including an industry working group focused on anti-Malvertising, and at this point we believe the issue to be resolved. Proofpoint’s last detection of issues related to this campaign was October 18, 2014.

Last edited by buttsie; October 31st, 2014 at 03:23 AM.. Reason: adding
Old October 31st, 2014, 10:35 AM   #8
Moon Raker

So the weak point is in an Adobe product - now why am I not surprised by that?