General Consultant Discussion

  • 1.  Hey everyone sometime around December 2013 I was t

    Posted 07-08-2014 04:26
    Hey everyone, sometime around December 2013 I was the victim of an illegal spam attack. The emails are sent from a third-party server and point to third-party websites. They are not coming from my account. My response to anyone with questions about an email that they received unexpectedly with:
    a. a file attachment
    b. links to unrecognizable sites
    If they are unexpected, delete the emails without opening them, no matter who they are from or whether the email looks as if it should be safe. In all likelihood this is malware designed to spread the Cryptolocker (or a variation) ransomware, which has done exceptionally well and will in all likelihood continue for many more years. It's also important that these ransomware programs not be paid, although since 99.5% of all businesses have inadequate backup it seems likely that this type of malware will only grow in the future. See the image below for what the typical malware-spreading email can look like.


  • 2.  RE: Hey everyone sometime around December 2013 I was t

    Posted 07-08-2014 05:09
    x-post from LinkedIn: It seems likely that the Cryptolocker and other ransomware-type malware are only going to grow. If you're not familiar, here's how the operation works.
    a. A criminal enterprise hijacks multiple sites (often WordPress blogs) to seed them as the distributor for the malware.
    b. Emails are sent out with not much more than a link to said malware. These typically have forged return addresses and are sent through yet more compromised computers, which act as relays for the mail.
    c. Unsuspecting users click the links in the email and load Cryptolocker-type malware. What this does is encrypt some of your data with industrial-strength encryption. There is no undo. There is no unlocking this unless you have a special key (only provided once you pay the ransom). You are given the option (extorted) to pay some amount -- usually $300 - $500 via prepaid debit card. Sadly most businesses have terrible backups. They in turn weigh the options of a computer network being unusable for two weeks or paying a criminal enterprise to (hopefully) generate a code which un-encrypts their data. What happens? Businesses without backups pay up. This fuels copycats and the original criminal enterprises. Start all over again at (a) above....
    Here's what you can do:
    1. Have a backup that works and that has been tested recently. This is no longer a "nice to have". It's a requirement. Mark Chinsky's Eversafe backup and disaster recovery is a good place to start. Yup - expensive. So is being down for two weeks and having thirty people idle (happened to a customer last month). Yup, nobody buys this until they've been hit by disaster, but that doesn't mean you can't suggest it -- you'll feel less guilty when you charge $25,000 to recover their ERP from total disk failure.
    2. Never click a link or open a file attachment which you were not expecting, no matter who the sender appears to be.
    3. If you are running a WordPress blog you should create an administrator account (FIRST) ----> OTHER THAN admin. Then delete the default admin account (make sure you created a new Admin account and don't call it anything resembling "administrator", "supervisor", etc.). Install a plug-in such as Wordfence which will alert you to every bogus login attempt and automatically lock out any attempts to login as the "admin" account. This should significantly reduce the threat of your site being compromised.
    Companies are regularly paying this Cryptolocker ransomware, which means that this threat will grow until such a time as effective anti-virus and anti-malware measures can reliably capture the threats (as of now there seem to be few effective anti-virus tools which can stop this).


  • 3.  RE: Hey everyone sometime around December 2013 I was t

    Posted 07-08-2014 05:20
    @WayneSchulz - Deleted an e-mail from your live account yesterday......


  • 4.  RE: Hey everyone sometime around December 2013 I was t

    Posted 07-08-2014 05:27
    I've deleted a few over the last several months.


  • 5.  RE: Hey everyone sometime around December 2013 I was t

    Posted 07-08-2014 06:28
    Yes, these are all forged return addresses. It's social engineering to make you think they're coming from me. If you look at the email headers, they're all being sent from compromised computers with links to compromised websites that are distributing malware. Unfortunately there's not a thing I can do to prevent a third-party criminal enterprise from sticking my email return address on malware that they send out through their servers. They seem to do this about every two months - so mark your calendars for the next round in August. Everyone can do their part to stop this type of problem by never paying Cryptolocker ransomware. However, I sense that won't happen, so these types of scams/frauds will likely continue for the foreseeable future.
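
The header check described in the post above, as an added example that is not part of the original thread: it parses a constructed message (sample values are invented, using reserved example domains and documentation IP addresses) and reports why the From address cannot be trusted, namely an envelope sender and Received chain that never touch the claimed domain, plus any link to a third-party host or attachment.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample, not a real capture: the From header claims the
# consultant's domain, but the envelope sender and every relay hop belong to
# other hosts, and the only link points at a third-party site.
SAMPLE = """\
Return-Path: <bounce@relay-example.net>
Received: from relay-example.net (relay-example.net [203.0.113.10])
 by mx.recipient.example with ESMTP; Tue, 08 Jul 2014 04:00:00 -0400
Received: from [198.51.100.7] (unknown [198.51.100.7])
 by relay-example.net with SMTP; Tue, 08 Jul 2014 03:59:00 -0400
From: Accounts Payable <ap@consultant.example>
To: user@recipient.example
Subject: Your invoice
Content-Type: text/plain

Please review your invoice at http://blog.example.org/wp-content/invoice.zip
"""

DOMAIN_RE = re.compile(r"@([\w.-]+)")
HOP_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def analyze(raw):
    """Return a list of spoofing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_hdr = msg["From"]
    from_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    # 1. The envelope sender (Return-Path) should belong to the From domain.
    m = DOMAIN_RE.search(str(msg.get("Return-Path", "")))
    envelope_domain = m.group(1).lower() if m else ""
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope sender {envelope_domain} differs from From domain {from_domain}")
    # 2. Walk the Received chain; a genuine message passes through the sender's own mail host.
    hops = [h for r in msg.get_all("Received", []) for h in HOP_RE.findall(str(r))]
    if from_domain and hops and not any(from_domain in h.lower() for h in hops):
        findings.append(f"no relay hop belongs to {from_domain}: {hops}")
    # 3. Links to hosts outside the sender's domain and any attachment carry the payload.
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in URL_RE.findall(body.get_content() if body else ""):
        host = (urlparse(url).hostname or "").lower()
        if not host.endswith(from_domain):
            findings.append(f"link to third-party host {host}")
    for part in msg.iter_attachments():
        findings.append(f"unexpected attachment {part.get_filename()}")
    return findings
```

Pass the raw source of a suspicious message (most mail clients offer "view source" or "show original") to analyze(); an empty list means the envelope, relay chain and links all line up with the From domain.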


  • 6.  RE: Hey everyone sometime around December 2013 I was t

    Posted 07-08-2014 07:17
    Nope. It's a really big deal and the point is everyone needs to be careful. Even the best backups fail. All anti-virus is incomplete protection. Even if it weren't you whose email got hit, if it were mine, they could still use your email address as the from address because they are spoofing email addresses. Bad stuff!


  • 7.  RE: Hey everyone sometime around December 2013 I was t

    Posted 07-11-2014 17:09
    I was a panel member on a webinar for just this topic: https://www.youtube.com/watch?v=holz_-wVRSY The key to beating Cryptolocker (because you can always count on computer noobs in the organization to bring the infection in) is a backup system that takes complete 'snapshots' at frequent points in time and one that automatically tests. Just had another MAS disaster due to a server corrupting files, and they had a crappy backup system in place which involves overwriting every night's backup the next night. I just can't believe how high a percentage of backups in businesses are done in a way that is so risky and likely to fail that it isn't even funny. It's only after hell days like the one my client had today that they get serious about solutions like www.eversafe-cloud.com Until they get whacked hard, they just assume all is fine and their cheap ass solution will do the trick.


  • 8.  RE: Hey everyone sometime around December 2013 I was t

    Posted 07-11-2014 17:12
    I agree - Just amazing that IT professionals don't do a better job.....


  • 9.  RE: Hey everyone sometime around December 2013 I was t

    Posted 02-02-2016 09:19
    Just saw our provider created this video about a company in Westchester NY and Cryptolocker: http://www.datto.com/resources/davids-soundview-catering-a-cryptolocker-success-story