Crypto Locker Holds SJU Files Hostage

As was mentioned in a recent IT Alert, numerous campus computers were infected with a very serious, destructive piece of malware called “Crypto Locker”.

Wikipedia defines malware as “software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. ‘Malware’ is a general term used to refer to a variety of forms of hostile or intrusive software.

Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses. In law, malware is sometimes known as a computer contaminant, as in the legal codes of several U.S. states. Malware is different from defective software, which is legitimate software that contains harmful bugs that were not corrected before release. However, some malware is disguised as genuine software, and may come from an official company website in the form of a useful or attractive program which has the harmful malware embedded in it along with additional tracking software that gathers marketing statistics.”

What does it do?

Crypto Locker is a specific type of malware known as ransomware, which does exactly what the name implies: it holds your files for ransom. An infected computer immediately begins encrypting files on its local disk drives and on any network drives it can write to, such as your J: and S: drives. Each file is locked with a key that is itself encrypted under a public key supplied by the attackers’ server; the matching private key exists only on that server, so it cannot be recovered from the infected computer. The malware then displays a popup window (reproduced in the original alert) stating that your files have been encrypted and that the only way to have them decrypted is to pay the perpetrators $300.

What should you do if you find that you are infected?

If you see this message, immediately disconnect the computer from the network (unplug the network cable or turn off Wi-Fi) and turn it off; every minute it stays running and connected, more local and shared files are encrypted. Then, if you have a laptop, bring it to the Technology Service Center (TSC) in SC 129. If you have a desktop, contact the TSC at 610-660-2920 to arrange a pickup. IT specialists need to run several software utilities to remove the malware completely from the computer. Note: IT will have to hold your computer for several hours, if not days, because of the complexity of removing Crypto Locker and the number of systems currently infected. Also, because the supply of loaner systems is limited, we cannot guarantee that one will be available to everyone who requests one.

What is OIT currently doing about it?

At this time, OIT staff members are doing many things to limit the effects of the malware, fix the systems that are infected, and prevent any further spreading. This includes:

  • Cleaning all infected systems on a one-by-one basis as they are identified.
  • Disabling access to network shared drives, typically mounted as the S: drive, in order to prevent further damage to files residing on those drives.
  • Tightening the spam-filtering rules to reduce the number of malicious ZIP attachments delivered to individual mailboxes. We are currently blocking over 98% of them.
  • Working with our Anti-Virus software vendor, Symantec, to determine a better means of cleaning up infected systems and preventing further infections.
  • Scanning the network for additional systems that may be infected.
  • Implementing additional Windows security policies to help prevent it from spreading further. Note: We recommend that all Windows users restart their computer as soon as possible to ensure that these new policies take full effect.

What are the plans for moving forward?

Once we are reasonably sure that the infection has been fully contained and no further spread is possible, we will begin restoring access to the shared drives and repairing the files that were affected. At this time there is no known method of decrypting the files without the attackers’ private key. The only way to restore access to them is to restore them from a backup. Unfortunately, a backup that was reachable as a mapped drive from an infected computer may itself have been encrypted, and a file created or changed after the last backup was taken cannot be restored at all.
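Before restoring from backup, it helps to know exactly which files on a share were encrypted. The following is an added example written for this page, not a tool from the original alert: it walks a directory tree and flags files whose extension promises a known header (PDF, Office, JPEG, PNG) but whose contents no longer start with that header and look random. The magic-number table, the entropy threshold and the sample tree it builds are assumptions constructed for the example.

```python
import math
import os
import tempfile
from typing import List

# Expected leading bytes ("magic numbers") for common document types.
# Constructed table; extend it for the file types kept on your shares.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # Office Open XML files are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
# Bits of entropy per byte above which the leading bytes look random.
# Assumed threshold: ciphertext approaches 8.0, plain text is usually 4 to 5.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: str, sample_size: int = 4096) -> bool:
    """True when a file of a known type no longer starts with its expected
    header and its leading bytes are near-random. Unknown types are skipped."""
    ext = os.path.splitext(path)[1].lower()
    magic = MAGIC.get(ext)
    if magic is None:
        return False
    with open(path, "rb") as f:
        head = f.read(sample_size)
    if head.startswith(magic):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def inventory(root: str) -> List[str]:
    """Walk a suspect tree and return the relative paths that look encrypted."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if looks_encrypted(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample share: an intact PDF, an intact .docx, and a .docx
    whose bytes have been replaced with random data to stand in for a file
    that Crypto Locker encrypted."""
    root = tempfile.mkdtemp(prefix="share-")
    os.makedirs(os.path.join(root, "Finance"))
    with open(os.path.join(root, "Finance", "budget.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + b"stream data " * 200)
    with open(os.path.join(root, "Finance", "memo.docx"), "wb") as f:
        f.write(b"PK\x03\x04" + b"\x00" * 2000)
    with open(os.path.join(root, "Finance", "payroll.docx"), "wb") as f:
        f.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    share = build_sample_tree()
    for hit in inventory(share):
        print("looks encrypted:", hit)
```

High entropy alone is not proof of encryption: Office files, JPEGs and PNGs are compressed and score high too, which is why the header check runs first and files of unknown type are skipped. The resulting list is an inventory to drive the restore, not a recovery tool; the originals still have to come from backup.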

How did the computers get infected?

We believe that the primary way campus computers were infected with Crypto Locker is by people opening a ZIP file attached to a fraudulent e-mail message. Over the past few days, several such messages have been sent to numerous SJU faculty and staff, and we have linked the infections to a number of them. One such message, reproduced as a screenshot in the original alert, is described in the next section.

It has been reported that other methods of infection include clicking on malicious links on websites and in social media tools, but we have not verified that at this time.

What can you do to avoid being infected?

First, you should NEVER open an attachment from someone you do not know, even if it appears to come from SJU. In the example above, the message appears to come from someone named “Deon Tillman” with the e-mail address “deon@sju.edu”. If you look this person up in the University Directory (available at http://www.sju.edu/directory), you will find that no such person exists, at least at St. Joe’s. We recommend that everyone do this check for any such message. Keep in mind that the From: address itself is trivially forged, so a name that does appear in the directory is not proof that the message is genuine; if in doubt, confirm with the sender by phone before opening anything.

Second, look at whom the message is addressed to in the To: field. In the same example, the message is addressed to someone else. This is usually a tell-tale sign of a fraudulent message. If you receive a message that is not addressed to you or to a well-known distribution list (such as a departmental list like oit@sju.edu), do NOT open it.
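The two header checks above, plus a look inside the ZIP attachment, can be automated for a mail queue or a helpdesk triage script. The following is an added example written for this page, not a tool OIT described: the directory set, the distribution-list set, the recipient address and the sample message (including the fake sender and the double-extension file inside the ZIP) are all constructed for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Constructed stand-ins for a lookup against the University Directory
# (http://www.sju.edu/directory) and for the department lists that may
# legitimately appear in To: instead of your own address.
DIRECTORY = {"jsmith@sju.edu", "techhelp@sju.edu"}
DISTRIBUTION_LISTS = {"oit@sju.edu"}
# File types inside a ZIP that a "report" or "invoice" never needs.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def build_message(sender: str, to: str, zip_member: Optional[str]) -> bytes:
    """Build a constructed test message; when zip_member is given, attach a ZIP
    containing a file of that name (the contents are filler, not a program)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = "Report"
    msg.set_content("Please review the attached report.")
    if zip_member is not None:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(zip_member, b"MZ filler bytes, not an executable")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="Report.zip")
    return msg.as_bytes()


def triage(raw: bytes, recipient: str) -> List[str]:
    """Return the reasons a message looks fraudulent (empty list if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Check 1: a sender claiming an @sju.edu address must exist in the directory.
    if msg["From"] is not None:
        for addr in (a.addr_spec.lower() for a in msg["From"].addresses):
            if addr.endswith("@sju.edu") and addr not in DIRECTORY:
                findings.append(f"sender {addr} claims to be SJU but is not in the directory")

    # Check 2: the message should be addressed to you or to a known list.
    recipients = set()
    for header in ("To", "Cc"):
        if msg[header] is not None:
            recipients.update(a.addr_spec.lower() for a in msg[header].addresses)
    if recipient.lower() not in recipients and not (recipients & DISTRIBUTION_LISTS):
        findings.append(f"message is not addressed to {recipient}: To/Cc = {sorted(recipients)}")

    # Check 3: look inside ZIP attachments for executables, including
    # double extensions such as Report.pdf.exe that hide behind a document icon.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXTENSIONS):
                        findings.append(f"ZIP attachment {name} contains executable {member}")
        except zipfile.BadZipFile:
            findings.append(f"attachment {name} is not a valid ZIP file")
    return findings


# Constructed samples: the alert's fake sender, and a legitimate message.
PHISH = build_message("Deon Tillman <deon@sju.edu>", "someone.else@sju.edu", "Report_2013.pdf.exe")
LEGIT = build_message("jsmith@sju.edu", "you@sju.edu", None)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw, "you@sju.edu"))
```

The From: check catches a sender who does not exist, not a forged address of someone who does; the To: check also fires on legitimate Bcc’d mail. That is why the script reports reasons for a person to weigh rather than quarantining on its own.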

Are we the only ones being affected?

No. This is a well-established scam that has hit many other universities, corporations, and government agencies. The perpetrators are doing so well that they have raised the ransom from $100 to $300 since they started and are rumored to be taking in over $300,000 a month. Below are some news stories and web posts that we have found about Crypto Locker and incidents involving it:

If you have any questions or concerns, please contact the Technology Service Center at techhelp@sju.edu or x2920.

Mobilizing Cyber Security

As our lives become more dependent on instant communication, a growing number of people are buying mobile devices that give them on-the-spot Internet access. In “The mobile web in numbers,” Royal Pingdom offered the following statistics on mobile devices and the massive amount of data their users generate and consume:

  • 5.9 billion – The estimated number of mobile subscriptions worldwide in 2011.
  • 13% – The smartphone share of all mobile handsets in use worldwide.
  • 78% – The percentage of worldwide mobile data traffic that is consumed by smartphones.
  • 1.6 billion – Number of mobile devices sold to end users in 2010, an increase of almost 32% compared to the year before.
  • 19% – The percentage of worldwide mobile devices sold that were smartphones.
  • 472 million – Number of smartphones estimated to be sold worldwide in 2011.
  • 982 million – Estimated number of smartphones to be sold in 2015.
  • 80% – The share of devices accessing mobile websites that have a touchscreen.
  • 50 million – The number of people worldwide who have a mobile phone but that do not have electricity at home. In other words, mobile access has further reach than electricity.

In addition, they went on to cite the following statistics for mobile web browsing:

With numbers like these, it is easy to see how important it is for consumers to protect themselves when accessing the Internet from a mobile device. In a report entitled “Today’s Mobile Cybersecurity Protected, Secured and Unified,” CTIA, The Wireless Association, suggests the following practices:

  • Configure Devices to Be More Secure – Smartphones and other mobile devices have password features that lock the device on a schedule. After a predetermined period of inactivity (e.g., one minute, two minutes, etc.), the device requires the correct PIN or password to be entered. Encryption, remote-wipe capabilities and, depending on the operating system, anti-virus software may also improve security.
  • “Caveat Link” – Beware of suspicious links. Do not click on links in suspicious e-mails or text messages, as they may lead to malicious websites.
  • Exercise Caution Downloading Apps – Avoid applications from unauthorized application stores. Some application stores vet apps so they do not contain malware. Researching an app online before downloading it is often a sound first step.
  • Check Permissions – Check the access (i.e., which parts of your mobile device) that an application requires, including web-based applications, browsers and native applications.
  • Know Your Network – Avoid using unknown Wi-Fi networks and use public Wi-Fi hot spots sparingly. Attackers can set up “honeypot” Wi-Fi hot spots intended to attract, and subsequently compromise, mobile devices. Similarly, they troll public Wi-Fi spots looking for unsecured devices. If you have Wi-Fi at home, enable encryption.
  • Don’t Publish Your Mobile Phone Number – Posting your mobile phone number on a public website can make it a target for programs that crawl the web collecting phone numbers, which may later receive spam, if not outright phishing attacks.
  • Use Your Mobile Device as It Was Set Up – Some people use third-party firmware to override settings on their mobile devices (e.g., to switch service providers). Such “jailbreaking” or “rooting” disables some of the platform’s built-in protections and can result in malware infecting the device.

Remember that while mobile devices such as smartphones provide convenience and ease of access to the Internet and the vast warehouse of data it contains, they also provide yet another opportunity for Cybercriminals to strike.

NCSAM: Celebrating 10 Years of Cybersecurity Awareness

This October marks the 10th anniversary of National Cybersecurity Awareness Month (NCSAM).  Sponsored by the Department of Homeland Security and the National Cyber Security Alliance, NCSAM has helped educate online consumers and businesses about cybersecurity issues and the best practices for avoiding them.

As a growing number of consumers turn to online shopping as their primary means of doing business, the number of cybercrimes – and the financial impact of those crimes – continues to rise; and the numbers are staggering.

According to the October 2011 issue of Practical Commerce, in the second quarter of 2011, an estimated 170 million US consumers purchased something online, resulting in approximately 539 million transactions.

Another article published in Internet Retailer on May 10, 2013 states that consumers spent 50.2 billion dollars online in the first quarter of this year alone.

The US Government, in its 2012 IC3 Report, cites 289,874 complaints of cybercrime, with over 114,000 of them reporting a financial loss averaging $4,573. Projected worldwide, as Norton did in its 2012 Cybercrime Report, an estimated 556 million people per year (1.5 million per day) experience some form of cybercrime. While the loss per person averages $197, the total global loss is reported to be in the neighborhood of 110 billion dollars. Clearly, the Internet commerce financial pie is a large one, and everyone seems to be looking for a piece of it.

As technology advances, so do the tactics of those seeking to obtain your personal information. The National Cyber Security Alliance, on its StaySafeOnline.org website, suggests the following practices to protect your personal and financial safety online:

  • Keep a Clean Machine: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.
  • When in doubt, throw it out: Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete or if appropriate, mark as junk email.
  • Protect all devices that connect to the Internet: Along with computers, smart phones, gaming systems, and other web-enabled devices also need protection from viruses and malware.
  • Plug & scan: “USBs” and other external devices can be infected by viruses and malware. Use your security software to scan them.

Those wishing to know more about NCSAM and suggested best practices can check out StaySafeOnline.org for further details.