Virus Alert – Locky & TeslaCrypt

Certain types of viruses come and go in waves. There are some insidious viruses making a significant number of victims in the Toronto area that are of a similar family of the CryptoLocker. This type of malware is classified as a ransomware trojan.  The trojan part is akin to the classic Greek mythology in the Greek wars of ancient time, in which someone presents something to entice the recipient to accept it, but in fact it carries a destructive payload.  The term ransomware comes from the fact that this type of malware causes some damage to the user’s computer and then presents a message demanding payment in return for the recovery of the damages.

Both of these (Locky and TeslaCrypt) are being distributed through email.  The messages trick the user to open an attached zip file in order to determine some amount that he/she has won, or to view some invoice that is unpaid.  In some cases, the message contains bold warnings with threats of legal action if the attached invoice is not paid.  The zipped file then contains a Word document (in the case of the Locky).  The user has to open the document, which contains embedded macros.  Macros in MicroSoft Office documents make use of the Visual Basic programming language, which give the macro (attacker) the ability to do almost anything on the user’s computer and other machines connected in a network. By default, Macros are not enabled in Word and other office documents.

If Macros are not enabled, the user then gets a message to click the button to enable Macros.  If the user does so, then the damage begins.  The macro goes out to the internet to download another program (which if the actual virus), and runs that program in the background.  The virus then looks for user data files on the local computer in every folder, encrypts the file, and changes the file name to a series of random letters and digits with the extension of .locky (ie: 63CED2DDAA3BED16A99393A0B96E40F6.locky).  It also creates a file called _Locky_recover_instructions.txt in every folder it encrypts files.  If the infected computer is connected to another on a network, then the virus determines all shared folders on that other machine/server and goes through every file in every folder in every shared folder on that server and encrypts the files there in the same manner.

An example of the contents of the _Locky_recover_instructions.txt is as follows:

!!! IMPORTANT INFORMATION !!!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
http://en.wikipedia.org/wiki/RSA_(cryptosystem)
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
1. http://i3ezlvkoi7fwyood.tor2web.org/63CED2DDAA3BED16
2. http://i3ezlvkoi7fwyood.onion.to/63CED2DDAA3BED16
3. http://i3ezlvkoi7fwyood.onion.cab/63CED2DDAA3BED16

If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: i3ezlvkoi7fwyood.onion/63CED2DDAA3BED16
4. Follow the instructions on the site.

!!! Your personal identification ID: 63CED2DDAA3BED16 !!!

Ironically, some of the infected machines that have been seen has active anti-virus protection enabled.  In one case, almost 70,000 files were infected on a server, and all local user files were also encrypted, including the Outlook PST file containing all emails.  As you can see, this is evil.  There are only two ways of recovering from this: 1) pay the criminals and hope (criminals as they are) that they will actually send you a program to un-encrypt your valuable data, or 2) restore from a backup.  If you pay the criminals, you are feeding into their appetite to go out and get more victims.  The Locky was initially widely targeted at users in Germany earlier in the year, but both seem to be exploding in Canada now.

If you suspect that a machine has been infected with this malware, the first step is to immediately disconnect it from the network.  Next, use a program such as MalwareBytes to scan and verify complete removal of the virus, followed by data recovery.

The TeslaCrypt malware is very similar in what it does, but technically it is different.  The attached zip file contains a ‘JScript’ file instead of a Mircrosoft document with a macro. Windows computers can execute such JScripts using their scripting engine directly.  The JScript goes out and downloads the encrypting program, which it then runs in the background.  The user is not prompted to enable macros in this case.  The encrypted files retain their original name and extension, plus a new added on extension, such as .vvv, .aaa, etc.  There are at least 3 main versions of the TeslaCrypt now in the wild, with other variations as well.

The following are some samples of emails containing these viruses:

Subject: FW: Notification from CVC CREDIT PTNRS EUROPEAN OPPS LTD
Date: Fri, 18 Mar 2016 09:30:20 -0500
From: Hammond.Adele31@grandprixintlhk.com
Reply-To: Hammond.Adele31@grandprixintlhk.com
To: xxx@xxx.com
CVC CREDIT PTNRS EUROPEAN OPPS LTD
INVOICEEGINV51930 DUE DATE03/16/2016 BALANCE DUE$499.46
Dear Valued Client,
Please find your sales form below. If you need to remit payment, please do so at your earliest convenience.
Thank you for your business – we appreciate it very much.Sincerely,
CVC CREDIT PTNRS EUROPEAN OPPS LTD
© Intuit, Inc. All rights reserved. Privacy |  Terms of Service
 ________
Subject: Urgent: IMAGINiT invoice GNINV77677 is Past due
Date: Thu, 17 Mar 2016 16:51:14 +0300
From: Vinson.Faith0@ihatedrops.com
Reply-To: Vinson.Faith0@ihatedrops.com
To: xxx@xxx.com

imaginit-logo.gif

Dear Valued Customer-Please be aware that our invoice GNINV77677 (attached) is currently past due and payment is required at this time. Our remittance address is indicated on the attached invoice. Please note that credit card payments will not be accepted for invoices processed with credit terms. If you have any questions regarding your invoice, please contact us on 435-321-1713 using reference account number 81F26-174.Payments and/or credits of $0.00 have been applied to this invoice, the balance currently due is $823.47.Thank you for your business and we appreciate your prompt response in this matter.Sincerely,

IMAGINiT, a Division of Rand Worldwide

________
Subject: Traffic report ID: 67946838
Date: Mon, 14 Mar 2016 22:31:07 +0530
From: Jonah ewart <ewartJonah42521@lvea.com>
Reply-To: xxx <xxx@xxx.com>
To: xxx <xxx@xx.com>

Dear Citizen,

We are contacting you on behalf of a local Traffic Violation Bureau.

Our cameras have detected that the driver of the vehicle associated with your personal number on March 10th, 2016 has committed a violation of the rules with a code: 06075
Unfortunately, we will have no other option rather than passing this case to the local police authorities.

Please, see the report with the documents proofs attached for more information on this case.

________
Subject: Blocked Transaction. Case No 79181632
Date: Mon, 14 Mar 2016 09:34:18 +0500
From: Malinda fischer <fischerMalinda099@netricitydesign.com>
Reply-To: xxx <xxx@xxx.com>
To: xxx <xxx@xxx.com>

The Automated Clearing House transaction (ID: 79181632), recently initiated from your online banking account, was rejected by the other financial institution.

Canceled ACH transaction
ACH file Case ID: 70941
Transaction Amount: 209,82 USD
Sender e-mail: fischerMalinda099@netricitydesign.com
Reason of Termination: See attached statement

________
Subject: GreenLand Consulting � Unpaid Issue No. 22107
Date: Fri, 11 Mar 2016 15:53:33 +0200
From: Beatrice gason <gasonBeatrice168@bidnix.com>
Reply-To: xxx <xxx@xxx.com>
To: xxx <xxx@xxx.com>

Dear Client!
For the third time we are reminding you about your unpaid debt.

You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 22107. But it has never been paid off.

We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.

Otherwise we will have to start a legal action against you.

Respectfully,
Beatrice gason
Chief Accountant
309 Monroe St
FL 22107
670-465-2546

________
Remember the saying that an ounce of prevention is worth a pound of cure!  The entrance door is you, the user.  Education is key.  Ensure that you and your employees are familiar with identifying the legitimacy of emails.  In each of the examples shown are many clues that show that these messages are bogus.

  1. The first and most obvious is: do you or your company deal with this sender or company?  If not, why would you want to pay their invoice? The delete function is your best friend!  
  2. Second, an invoice is a relatively small file.  There is no need to send it in a compressed format, especially since Word and Excel documents are already compressed since Office 2007.
  3. In most cases, the company name in the email does not match the domain (ie: GreenLand Consulting, but the domain is bidnix.com)
  4. Never open any attachments from anyone that you do not know.  Even if you know the sender, only open carefully if you are expecting the email.  Otherwise, call the sender and confirm if he/she sent the file.
  5. Always have good anti-virus protection.
  6. REGARDLESS of how good the anti-virus protection is, it is NOT foolproof and will often let infections through.  Again, virus protection begins with the user through his/her actions.
  7. If there is no special need to run macros, go into each Office application and check the “Trust Centre” to ensure that the option is enabled to at the minimum prompt the user before executing any macro.

 

Spam – Capital movements , P.O box 340254, columbus, oh

There has been a tremendous amount of spam from the turds in the last few weeks from “Capital movements , P.O box 340254, columbus,oh,43234”.  A search through a favourite search engine reveals that many people are getting it, too.

They are pushing everything from Lasik Surgery, to MBA programs, to VoIP services and many others.  Some people get 40 or more messages from these scum daily, day after day.  They provide a link at the bottom of the email for the recipient to unsubscribe, but the domain that it points to keeps changing.  The one we have been receiving points now to riverlogo.eu.  Other domains used that may or may not be registered anymore include selectnation.com and magicultra.com.  The email contains an ad advertising the payload, which links back to the riverlogo.eu domain.  The image and link to the image are encoded, so that the mere fact of opening the email to read, if auto-download is enabled, sends a confirmation back to the scammers that they have sent an email to a valid recipient.  Below is a sample image embedded in the email, followed by the source of the email.  The link tracking codes has been changed slightly in the sample.

The best remedy is 1) resist ALL temptation to click on the unsubscribe link – it will only confirm yet again to them the validity of your email address to be used and re-sold numerous times, 2) turn off auto-display of linked email content – this will vary, depending of the email client and version that you use, 3) add @riverlogo.eu or whatever bogus domain you are receiving email from to your list of blocked addresses – this will only work temporarily until these criminals start using another bogus domain.

Return-Path: MBAOnlinePrograms@riverlogo.eu
Received: from ipo9czjx7.riverlogo.eu (productball.com [104.243.68.108]) by mail.virtualsilo.com
 with ESMTP ; Sun, 20 Mar 2016 15:58:16 -0400
Received: from 013b0ae7.ipo9czjx7.riverlogo.eu (amavisd, port 10267) by ipo9czjx7.riverlogo.eu
 with ESMTP id 01QQCMWUBNC3B0AMWKDQTALEE7; for <xxx@xxxxxx.com>;
 Sun, 20 Mar 2016 12:58:21 -0700
Date: Sun, 20 Mar 2016 12:58:21 -0700
Content-Type: text/html; charset="UTF-8"
To: <manuel@caraveladigital.com>
From: "MBA Online Programs" <MBAOnlinePrograms@riverlogo.eu>
Subject: Browse MBA Programs Available Online Today!
Content-Language: en-us
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID: <12673152064556412677373118273@ipo9czjzz.riverlogo.eu>
X-hMailServer-Spam: YES
X-hMailServer-Reason-1: Rejected by SURBL - (Score: 5)
X-hMailServer-Reason-Score: 5

<html>
 <head>
 <title>
Want to Further Your Business Degree? Explore MBA Programs Today!
 </title>
 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
 </head>
 <body bgcolor="#FFFFFF" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">

 <table align="center" border="0" cellpadding="0" cellspacing="0" width="700">
 <tr>
 <td align="center" style="font-family: Arial, Helvetica, Sans-serif;">
 <a href="http://www.riverlogo.eu/l/lc1DF1267WH7XY/73DT118KA273O97UY20645364UL1760773252" style="font-size: 12pt; color: #629cce;">Want to Further Your Business Degree? Explore MBA Programs Today!</a><br>

 <a href="http://www.riverlogo.eu/l/lc2RW1267AP7XY/73DD118YP273B97JV20645364TD1760773252"><img src="http://www.riverlogo.eu/im/V1267F7XY/73B118N273JI97U20645364M1760773252/img07373315.jpg" alt="Search For Medical Billing Schools Near You!" width="432" height="440" border="0"></a>
</td>
 </tr>
 </table>
 <br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<center>
This offer is brought to you by Capital Movements 
If you would no longer like to receive emails from riverlogo.eu 
To be removed from our list simply <a href="http://www.riverlogo.eu/unsEH1267M73XY/73OQ118PG273PP97XK20645364S1760773252">Unsubscribe.</a> or write to us at:
Capital movements , P.O box 340254, columbus,oh,43234
</center>
</body>
</html>

11 Ways How To Maximize Laptop Battery Life

Laptops battery technology has changed also over the years, going from Nickel Cadmium (NiCad), to Nickel Metal Hydride (NiMH), to Lithium Ion (Li-ion).  Each type of battery has different requirements in care, but there are things you can do to extend how long your battery lasts overall.  The length of useful life from laptop batteries depends on many factors.  Overall, the amount of time you are able to run the laptop on a full charge, assuming the exact same activity is performed each time, will reduce over time to the point that the machine will die as soon as it is unplugged from the mains.  The average life span seems to be about 3 years under normal use.  Some ways of extending battery life are:

Continue reading

13 Ways How To Maximize Laptop Battery Runtime

Laptops have become widely used due to their power and portability.  There is still a price premium when comparing feature for feature with an equivalent laptop, but it is offset by the convenience offered by laptops.  All laptops and portable systems offer the ability to run on battery power.  The run times vary widely from model to model.  The battery technology has changed also over the years, going from Nickel Cadmium to Nickel Metal Hydride, to Lithium Ion.  Each type of battery has different requirements in care, but there are things you can do to  extend the length of time you can run on a single charge.

Continue reading

12 Ways To Maximize The Life Of Your Laptop

Laptops are great.  They allow computing anywhere, so you can take those long days at the office with you and just keep plugging on right through the night, or into your vacation.  Well, wait a minute, you say. Ok. They are very convenient, you must admit.  However, because they do travel so much, care must be taken to maximize their life.  The following are some important guidelines:

Continue reading

Backup Software – Focus Your Needs

In our article about how to choose the best backup hardware for your business, we identified some of the viable options for business class backup hardware.  Because the hardware is just a container for your valuable data, you also need to examine your needs to select the proper software that you will need to put your data into your backup medium of choice and to manage and restore those backups.

Continue reading

Backups – How To Choose Your Data’s Safety Net

Most businesses cannot afford to lose their data, but often do not put adequate measures in place to protect this critical component of their business.  If the building where you operate your business was to sustain extensive damage from a fire, flood, or other damage that caused all of your data to be lost, how would your business recover?  If your server was to fail and all data become unreadable, how would you recover?  While insurance can help with some costs, it typically will not cover the cost of re-creating the data.  Data backups should be an integral part of your disaster recovery plan, along with other items such as recovery of critical documents, phone systems, and reduction of down time due to hardware failure.  Data backups consist of two critical components: the hardware where the backup data is stored, and the best backup software that places it there and manages the backup volumes and recovery.  In this article, we’ll examine the hardware aspects.

Continue reading

Protect Your Internet Domain

More than likely, your company now has an internet site.  If you don’t, you should.

In many cases, however, small business owners do get an internet domain and even have a website, but then use email addresses provided by their office or home internet connection provider.  For example, they may put bill-smith@bell.com, or may use a free online webmail address such as Hotmail or gMail.  This is a mistake.  It does not look professional.  If you already have an internet domain, then use it!  Email hosting is frequently included with website hosting, and is a minimal cost.

Another important aspect of the corporate internet domain is that of having control of your domain.  Often business owners rely on external consultants to help them with the task of registering their domain and set up their website and other IT services, but then do not ensure that the domain is properly registered and that they get the required credentials to these important services.  If handled internally, then it should be all properly documented.  This can put the entire corporate identity in jeopardy.  The following is a good article about how internet domain names work and what you should do to ensure you have control of your domain and website.

eMail Guidelines For Business Communication

Business communication has evolved to rely heavily on eMail.  It is a “killer application” of the internet.  As a tool, it is as effective as the person using it.  As a business owner or manager, you should establish guidelines that your company abides by to ensure proper use of this tool and that it does not potentially harm the corporate image.

If you have not done so yet, please see this article about establishing an appropriate use policy for your company in regards to technology use in the workplace.  Additionally, there are certain percautions and best practices for using eMail effectively.  The article in this link provides an excellent list of email tips for business communication.  Finally, be sure to read this article with a list of 10 golden rules of email etiquette.