A Run-in with Cryptolocker

A Little History
Over the years, we've had a fairly good run when it comes to viruses and malware. Much of that I can put down to the fact that we've always used IBM Notes as our mail system and it's less susceptible to hijacking. Of course, Notes only slows down the distribution (and reduces the likelihood of specific mail calls being used). It's not an effective anti-virus solution.

Years ago, I used to run my anti-spam services on the mail server. There were two problems with this approach:


  1. The mail had already reached our systems before the first scan occurred - even if it was just spam, you're now using your bandwidth and your storage.
  2. You're running secondary processes on (or between) your mail server. It needs updates, maintenance, etc.


Anti-Spam was the first service we moved offsite.

For the past few years, we've been using the Symantec.Cloud anti-spam service. This was a very good service back when it was a recent acquisition (MessageLabs). In those days, the spam used to pass through the filters of many of the major anti-spam vendors. These days, I think that it only runs through the Symantec solution, making it far less valuable. We're finding that more and more spam is slipping through.

Our desktop scanners are Kaspersky. We spent years on Symantec/Norton (slowed all of our PCs down) and McAfee (never actually caught anything). Kaspersky has been pretty good overall, but it didn't catch this one.


So How did it Start?
In this case, the email that made it into our systems was a variant of the Australia Post cryptolocker email that hit Australia from August last year onwards. This particular email looks very similar to the real emails that Australia Post sends out. Our users had been warned about this particular problem three or four months ago, but the fact is that if you keep throwing links at an organisation, eventually you're going to get lucky.

Detection
The first sign of trouble was when some of our users called the helpdesk saying that their files were encrypted. I was just standing up to go off to lunch, but luckily I decided to investigate. This is why you need a responsive helpdesk: the reaction (and recognition of the problem) was time-critical. I immediately ascertained that the files were not .zip files; they were simply normal files renamed with .encrypted, and there was a whole folder full of them.

I'd been following trends and reading bulletins from AusCERT, so although I didn't know the exact effects of cryptolocker, I immediately suspected it was the problem.

I quickly googled the signs of it and discovered that the ransom message was the clue. I looked for one on the person's computer but couldn't find one. I couldn't see one on the network either. I was just about to start disconnecting all devices from the network (all our PCs go to the servers via a single, easily isolated switch) when a user reported an unusual message. We'd found the PC with the issue... and it was a different PC to the one which reported the problem. We immediately disconnected it from the network and started a local scan on it.

If possible, have a single point somewhere on your network that allows you to easily isolate systems in case there is a problem (this could be an attack, malware or even just a network traffic incident).



Confirming the Problem
I was pretty sure that Cryptolocker was malware, not a virus (meaning that it could wreck files but it couldn't infect), but I needed to be sure. I called one of our suppliers who had knowledge of cryptolocker and he advised me to look for the ransom notes in all the folders. There was an HTML and a TXT version, the latter called "HELP_TO_DECRYPT_YOUR_FILES.txt", though some variants of cryptolocker use different names. They hadn't been there prior to the message but now they were everywhere. If you want to read them, open the text file; there was too much HTML in the other file, and it's too risky.

Looking at the properties of these ransom notes, we were able to confirm that all of them were created by the same user. There was only one problematic PC and it was now disconnected.
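The two checks above (who created the ransom notes, and where they are) are exactly what you want scripted rather than done by hand in Explorer, because the answer also tells you how far the damage spread and when it started. The following PowerShell is an added example and not code from the original post; it assumes a hypothetical share root of D:\Shares and uses the note name and .encrypted suffix the post describes. It is read-only apart from copying one note and one renamed file into an evidence folder.

```powershell
<#
  Added example, not code from the original post: scope a CryptoLocker-style
  incident on a file share before touching anything. Assumptions: the share
  root D:\Shares is hypothetical; the ransom-note name and the ".encrypted"
  suffix are the ones the post describes. Read-only apart from the evidence
  copy at the end.
#>
param(
    [string]$Root     = 'D:\Shares',                     # assumed share root
    [string]$NoteName = 'HELP_TO_DECRYPT_YOUR_FILES.*',  # note name from the post
    [string]$Suffix   = '.encrypted'                     # renamed-file suffix from the post
)
$Root = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')

# One ransom note per folder the malware touched; one renamed file per victim file.
$notes = @(Get-ChildItem -LiteralPath $Root -Recurse -Force -File -Filter $NoteName -ErrorAction SilentlyContinue)
$hits  = @(Get-ChildItem -LiteralPath $Root -Recurse -Force -File -Filter "*$Suffix" -ErrorAction SilentlyContinue)
if ($notes.Count -eq 0 -and $hits.Count -eq 0) { "Nothing matching under $Root"; return }

# 1. Who wrote the notes? The malware runs as the logged-on user, so the NTFS
#    owner of the notes points at the account (and therefore the PC) to isolate.
#    Caveat: files created by a local administrator are owned by
#    BUILTIN\Administrators; in that case fall back to the server's audit log.
$notes | ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Owner } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table @{ n = 'Owner'; e = { $_.Name } }, Count -AutoSize

# 2. When did it start? The earliest note is the point before which a shadow
#    copy can be trusted; the latest one shows whether it is still running.
if ($notes.Count -gt 0) {
    $byTime = @($notes | Sort-Object CreationTime)
    "First ransom note : {0}  {1}" -f $byTime[0].CreationTime, $byTime[0].FullName
    "Last ransom note  : {0}" -f $byTime[-1].CreationTime
}
$mb = if ($hits.Count -gt 0) { ($hits | Measure-Object Length -Sum).Sum / 1MB } else { 0 }
"Encrypted files   : {0} ({1:N1} MB)" -f $hits.Count, $mb

# 3. Which top-level folders are hit? This is what decides the restore chunks.
$hits | Group-Object { $_.FullName.Substring($Root.Length).TrimStart('\').Split('\')[0] } |
    Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# 4. Keep one note and one renamed file before any clean-up: the note text is
#    what identifies the variant, and the pair is evidence if it is needed later.
$evidence = Join-Path $env:TEMP 'ransomware-evidence'
New-Item -ItemType Directory -Path $evidence -Force | Out-Null
if ($notes.Count -gt 0) { Copy-Item -LiteralPath $notes[0].FullName -Destination $evidence }
if ($hits.Count -gt 0)  { Copy-Item -LiteralPath $hits[0].FullName  -Destination $evidence }
"Evidence copied to $evidence"
```

Run it from the file server (or an admin workstation with the share mapped) with the infected PC already off the network; the "last ransom note" time should stop moving once the right machine is isolated, which is a cheap way to confirm there was only one.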


Cleaning Up
I already knew that the cryptolocker malware uses irreversible encryption, so the choices were either "pay up" or restore.

If you're interested, paying up was about $400 AUD with a timer set to go off in a few hours that would increase the price to $1,400.  They wanted their money in bitcoin.

I know people and companies who have paid up and they have had their files decrypted, so at least these people seem to have some honour.  Of course, if you have a decent backup, then it's safer not to draw attention to yourself.

In our case, we have drive shadowing turned on for our main drives which results in them being copied every two hours. It also makes restoration fairly simple.

The process of recovery was still long, but mainly because I wanted to be careful.


Tips and Problems in Restoration
I'm always telling people never to restore things to the same folders. There are lots of good reasons for this which I won't go into right now. We didn't have enough space to restore all of our data at once, so we did it in chunks. Then we copied each chunk over the top of the good data (without overwriting). This meant that if a file was missing (because it had been renamed to .encrypted), it got restored, but if a file was new/unaffected, it wasn't overwritten with an older version.

Partway through the restore process, we discovered that the malware had been triggered about three hours prior and that some of the files being restored had already been affected. Once we'd finished restoring the 10am files, we repeated the process with a 7am copy (which was definitely prior to the email). That way we made sure that all of the right files were restored.
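The merge-restore described above, and the "snapshot taken too late" problem that bit partway through, are the two things worth automating. The following PowerShell is an added example, not the post's own procedure: it walks the live share looking for each X.encrypted, pulls X from the snapshot only when X is genuinely missing, never overwrites a surviving file, and reports every file whose original is absent from the snapshot too (the sign that you need an earlier one). The paths are hypothetical; the only assumption is that the snapshot has the same folder layout as the live share, as a shadow copy does.

```powershell
<#
  Added example, not code from the original post: merge-restore the files
  CryptoLocker renamed, taking each original from a snapshot copy without
  overwriting anything that survived. Assumptions: $Live and $Snapshot are
  hypothetical paths; the snapshot mirrors the live folder layout.
  Dry run with -WhatIf first.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)][string]$Live,       # e.g. D:\Shares
    [Parameter(Mandatory)][string]$Snapshot,   # e.g. a mounted shadow copy of the same tree
    [string]$Suffix = '.encrypted',            # renamed-file suffix from the post
    [switch]$RemoveEncrypted                   # delete X.encrypted once X is back
)

$restored = 0; $skipped = 0
$tooLate  = New-Object System.Collections.Generic.List[string]
$liveRoot = (Resolve-Path -LiteralPath $Live).Path.TrimEnd('\')

# ForEach-Object runs in the caller's scope, so the counters above are updated in place.
Get-ChildItem -LiteralPath $liveRoot -Recurse -Force -File -Filter "*$Suffix" | ForEach-Object {
    $rel     = $_.FullName.Substring($liveRoot.Length).TrimStart('\')
    $relOrig = $rel.Substring(0, $rel.Length - $Suffix.Length)   # strip ".encrypted"
    $target  = Join-Path $liveRoot $relOrig
    $source  = Join-Path $Snapshot $relOrig

    if (Test-Path -LiteralPath $target) {
        # The original is still here (new or unaffected): never overwrite it.
        $skipped++
        return
    }
    if (-not (Test-Path -LiteralPath $source)) {
        # The snapshot was taken after the malware reached this file, so it holds
        # the renamed copy (or nothing). Record it and rerun against an earlier snapshot.
        $tooLate.Add($relOrig)
        return
    }
    if ($PSCmdlet.ShouldProcess($target, "restore from snapshot")) {
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Copy-Item -LiteralPath $source -Destination $target
        $restored++
        # Only remove the renamed twin once the original is verifiably back.
        if ($RemoveEncrypted -and (Test-Path -LiteralPath $target)) {
            Remove-Item -LiteralPath $_.FullName
        }
    }
}

"Restored : $restored"
"Skipped  : $skipped (original still present, left alone)"
"Too late : $($tooLate.Count) (missing from this snapshot; rerun with an earlier one)"
$tooLate | Select-Object -First 20
```

Because only missing files are copied, the restore needs no more free space than the encrypted files themselves took, which removes the need to restore in chunks. Run it first against the most recent snapshot, then against progressively older ones until the "too late" count reaches zero; anything still listed after the oldest snapshot is a file that was created between that snapshot and the infection and is genuinely lost.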

Getting rid of the Rubbish
The last things we did were:

Del *.encrypted /s 

on each affected drive letter. This removed the encrypted files. We also did a

Del HELP_TO_DECRYPT_YOUR_FILES.* /s 

It certainly helps to know DOS.


As to the infected PC:

  • A complete scan using a current version of Kaspersky took nearly 24 hours and discovered nothing. 
  • The PC has now been wiped. 


---------------------
http://dominogavin.blogspot.com/2016/02/a-run-in-with-cryptolocker.html
Feb 06, 2016