We are posting this notice because of a new variant of encrypting malware that we became aware of today. It has many similarities to Cryptolocker and Cryptowall (although it does not appear to come from the same source), and overall the response plan stays very similar; however, there are some notable differences that I wanted to make everyone aware of.
- All traffic from the infected machine is re-routed out through the Tor network. This is ostensibly for payment purposes, but it potentially exposes all traffic from the PC to whoever deploys this.
- It randomly renames file extensions multiple times, making granular file restores extremely difficult and cost-prohibitive in most cases.
- It is available for sale through black-market sources for $3000 and is in many ways less sophisticated and easier to manage, meaning it could potentially be seen more frequently than previous crypto infections.
All of this adds up to yet another annoying but ultimately recoverable infection. The cleanup strategy stays the same; two key points to remember with this variant:
- Cleaning the PC should not be considered an option; a rebuild should always be our response to an infected workstation. Additionally, the infected workstation should be immediately isolated from the network (power off, network cable unplugged).
- Restoring entire drives is by far the best plan, so users need to stop saving to network shares as soon as we identify an infection, and until we have restored the drive or drives in question.
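Because the variant renames extensions repeatedly, the practical first question is which shares are affected at all, so the whole drive can be restored rather than hunting for individual files. The script below is an added example, not part of this notice or any vendor tool: it walks a share, flags recently modified files whose extension is not on a per-site allowlist and looks random, and totals hits per top-level folder. The allowlist, the "random extension" pattern and the sample file tree are all assumptions chosen for illustration.

```python
"""Triage a file share for ransomware-style extension renames.

Added example (not from the original notice). Walks a directory tree, flags
files whose extension is not on an allowlist and was modified after a cutoff,
and totals the hits per top-level folder so an operator can decide which
shares or drives to take offline and restore whole.
"""
import os
import re
import tempfile
import time
from collections import Counter

# Extensions expected on this share (assumption: tune per site; anything
# legitimate that is missing here will show up as a false positive).
KNOWN_EXTS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "csv",
    "jpg", "jpeg", "png", "gif", "zip", "msg", "rtf",
}

# Heuristic for a random-looking extension: 3..8 lowercase letters/digits.
RANDOM_EXT = re.compile(r"^[a-z0-9]{3,8}$")


def is_suspicious(name, known_exts=KNOWN_EXTS):
    """True if the file's final extension looks random and is not expected.

    'budget.xlsx.kqzpw' is flagged (last extension unknown); 'README' is not
    (no extension); 'report.docx' is not (known type).
    """
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return False
    ext = ext.lower()
    return ext not in known_exts and bool(RANDOM_EXT.match(ext))


def triage_share(root, cutoff, known_exts=KNOWN_EXTS):
    """Return (dict of top-level folder -> suspicious count, sorted hit paths).

    Only files modified at or after `cutoff` (a Unix timestamp) are considered,
    so pre-existing oddly named files do not pollute the count.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.getmtime(path) >= cutoff and is_suspicious(fn, known_exts):
                hits.append(path)
    per_folder = Counter()
    for p in hits:
        top = os.path.relpath(p, root).split(os.sep)[0]
        per_folder[top] += 1
    return dict(per_folder), sorted(hits)


def build_sample_share():
    """Create a constructed sample tree (not real data) in a temp directory.

    Files with mtime None are left at 'now' (post-incident); the others are
    backdated a week so they fall before the triage cutoff.
    """
    root = tempfile.mkdtemp(prefix="share_")
    old = time.time() - 7 * 86400
    sample = {
        "Finance/budget.xlsx": old,
        "Finance/budget.xlsx.kqzpw": None,   # renamed once
        "Finance/forecast.uhtyb": None,      # original extension already gone
        "HR/handbook.pdf": old,
        "HR/README": None,                   # no extension: never flagged
        "Engineering/design.docx": old,
        "Engineering/specs.vdm3x": None,
    }
    for rel, mtime in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("sample")
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return root


def demo(hours=1):
    """Run the triage over the constructed share; returns (counts, hit paths)."""
    root = build_sample_share()
    return triage_share(root, time.time() - hours * 3600)


if __name__ == "__main__":
    counts, hits = demo()
    for folder, n in sorted(counts.items()):
        print(f"{folder}: {n} suspicious file(s)")
    for h in hits:
        print("  ", h)
```

Run it against a real share by calling triage_share with the share's mount point and a cutoff shortly before the first report; folders with any hits are candidates for a whole-drive restore, and a folder with zero hits can usually be left alone. The allowlist is the weak point of the heuristic: any legitimate but unlisted extension (backup or log files, for instance) will be counted, so review the hit list rather than trusting the totals blindly.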
For your info, this is what an infected machine looks like (as of the writing of this email):