Crypto Locker Holds SJU Files Hostage

As was mentioned in a recent IT Alert, numerous campus computers were infected with a very serious, destructive piece of malware called “Crypto Locker”.

Wikipedia defines malware as “software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.[1] It can appear in the form of code, scripts, active content, and other software.[2] ‘Malware’ is a general term used to refer to a variety of forms of hostile or intrusive software.[3]

Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses.[4] In law, malware is sometimes known as a computer contaminant, as in the legal codes of several U.S. states.[5][6] Malware is different from defective software, which is a legitimate software but contains harmful bugs that were not corrected before release. However, some malware is disguised as genuine software, and may come from an official company website in the form of a useful or attractive program which has the harmful malware embedded in it along with additional tracking software that gathers marketing statistics.”

What does it do?

Crypto Locker is a very specific type of malware known as RansomWare that does exactly what the name implies, it holds you ransom. Computers infected will immediately begin encrypting files on local disk drives as well as network drives, such as your J: and S: drives, with a private key that is only known by the malware. When any such file is accessed, a popup window is displayed (as shown) informing you that it was encrypted and that the only way to get them unencrypted is to pay the perpetrators $300.

What should you do if you find that you are infected?

If you receive the message above, you should immediately turn the computer off. Then, if you have a laptop, bring it to the Technology Service Center (TSC) in SC 129. If you have a desktop, contact the TSC at 610-660-2920 to arrange a pickup. IT specialists need to run various software utilities to remove the malware completely from the computer. Note: IT will have to hold your computer for several hours, if not days, due to the complexity of removing Crypto Locker as well as the volume of systems that are infected at this time. Plus, due to the limited supply of loaner systems, we cannot guarantee that one will be available to everyone who requests a loaner.

What is OIT currently doing about it?

At this time, OIT staff members are doing many things to limit the effects of the malware, fix the systems that are infected, and prevent any further spreading. This includes:

  • Cleaning all infected systems on a one-by-one basis as they are identified.
  • Disabling access to network shared drives, typically mounted as the S: drive, in order to prevent further damage to files residing on those drives.
  • Implementing stronger measures on the SPAM-filtering software to reduce the number of malicious ZIP files delivered to individual mailboxes. We are currently blocking over 98% of them.
  • Working with our Anti-Virus software vendor, Symantec, to determine a better means of cleaning up infected systems and preventing further infections.
  • Scanning the network for additional systems that may be infected.
  • Implementing additional Windows security policies to help prevent it from spreading further. Note: We recommend that all Windows users restart their computer as soon as possible to ensure that these new policies take full effect.

What are the plans for moving forward?

Once we are reasonably sure that the infection has been fully contained and no further spread is possible, we will start addressing means of restoring access to share drives and fix the files that have been affected. At this time, there is no known method of unencrypting files. The only method of restoring access to these files is to restore them from a backup. Unfortunately, if the backup is also compromised or the file is too new to be part of a backup, there is no way for it to be restored.

How did the computers get infected?

We believe that the primary way computers on campus got infected with Crypto Locker is by people opening an attached ZIP file within a fraudulent e-mail message. Over the past few days, several such messages have been sent to numerous SJU faculty and staff and we have linked the infections with a number of these messages. Below is one such example of a fraudulent message that has been linked to this malware outbreak.

It has been reported that other methods of infection include clicking on malicious links on websites and in social media tools, but we have not verified that at this time.

What can you do to avoid being infected?

First, you should NEVER, EVER open an attachment sent from someone you do not know, even if it appears to be someone from SJU. In the example above, the message appears to be coming from someone named “Deon Tillman” with e-mail address “deon@sju.edu”. But if you were to look this person up in a University Directory (which is available at http://www.sju.edu/directory), you would find that this person does not actually exist, at least at St. Joe’s. We highly recommend that everyone do this for any such messages.

Second, look at who the message is sent to in the To: field. Looking at the same example above, it shows as being sent to someone else. This is usually a tell-tale sign of a fraudulent message. If you receive a message that is not addressed to you or a well-known distribution list (such as a departmental list like oit@sju.edu) you should NOT open it.

Are we the only ones being affected?

No, this seems to be a well-established scam that has hit many other universities, corporations, and government agencies. The perpetrators are doing so well that they’ve upped their ransom from $100 to $300 since they first started and are rumored to be generating over $300,000 a month from the scam. Below are some news stories and web posts that we’ve found about Crypto Locker and various incidents of it:

If you have any questions or concerns, please contact the Technology Service Center at techhelp@sju.edu or x2920.