11-12-13 | Blog Post
Last week I wrote about CryptoLocker in Offsite Backup: Thwarting the Profitable Encryption Malware Cryptolocker, the well-known malware that is categorized as ‘ransomware’ – it encrypts files on your computer and refuses to decrypt until you pay the malware authors a fee. To help combat the malware spread, CIS (Center for Internet Security) released some pointers for organizations concerned about possible infection:
Block traffic to a number of IP addresses at your network perimeter devices to prevent the malware from getting the encryption key from the C2 server. These are just a few (see the rest of them here):
Here are some sample email subjects, attachment naming conventions, sender email addresses, sender IPs and hosts that might indicate presence of the malware:
Subject: “Annual Form – Authorization to Use Privately Owned Vehicle on State Business”
Attachment: Attachments follow the naming convention of “Form_[Varying Digits and Numbers].zip. For example: Form_nfcausa.org.zip, Form_20130810.exe, Form_f4f43454.com.zip.
Spoofed Sender: “[email protected]” “[email protected]”
Sender IP: 18.104.22.168
Sender Host: mail.netsential.com
CIS also lists a few registry and file system path indicators for Windows. Other recommendations include:
Find out more about offsite backup, as well as how to ensure you can recover a copy of your files if all else fails. Read our Disaster Recovery white paper for tips on creating a comprehensive business continuity and IT disaster recovery plan for your critical data and systems.
CIS Cyber Alert – Cryptolocker Indicators