Browsing Posts in Troubleshooting

Hey folks, Brandon here! Something we’ve talked about for the past year or so is ransomware, a type of malware that encrypts your files so you can no longer access them and then demands a monetary ransom to get access to them again. Every couple of months there seems to be a new wave of these, and one seems to have started going out this week. So of course Steve and I decided to download the latest and greatest in Cryptowall and try it out!

So let’s talk about how this new wave of Cryptowall is being distributed and how it works.

Note that this version uses Java to run. When we didn’t have Java installed, the virus couldn’t do anything. Unfortunately, removing Java from all your machines isn’t really a good way to prevent this sort of thing, as it will cause new issues. The best thing to do is keep everything up to date, as companies are constantly releasing security updates.

How it’s being sent

This is being sent to people in an email about new Outlook settings (subject typically: Important – New Outlook Settings) coming from Administrator@outlook-us.com.

Attachment/Link

The email comes with a URL (a different URL each time) that appears to do something different each time you click it. Sometimes it downloads ‘message.zip’, which contains ‘outlook_settings_pdf.exe’ (the virus). This is tricky because unless your computer is set to show file extensions, it just shows as outlook_settings_pdf with a sneaky little Adobe Acrobat icon. Sometimes the site it takes you to loads a blank page. Sometimes it loads what appears to be…a poem? Yeah, a poem. Alaa has actually been reloading the page over and over to make a poem book. We’ll probably put that on Amazon for your Kindle soon.
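A few checks that take the sting out of the trick described above, written here as an added example (this is not code from the original post or from Simplex-IT): turn on file extensions in Explorer so the .exe is visible, list what is inside a downloaded zip such as message.zip without extracting it, and scan a folder for executables whose names pretend to be documents. The Downloads path, the extension lists and the name pattern are assumptions; it needs Windows PowerShell 3 or later and, for the zip function, .NET 4.5.

```powershell
# Added example, not from the original post. Paths, extension lists and the
# name pattern are assumptions; adjust them for your environment.

function Show-FileExtensions {
    # Explorer's "Hide extensions for known file types" setting; 0 = show them,
    # so outlook_settings_pdf.exe can no longer pass as outlook_settings_pdf.
    $Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $Key -Name 'HideFileExt' -Value 0 -Type DWord
    # Explorer reads this at start-up: sign out and back in (or restart explorer.exe).
    Get-ItemProperty -Path $Key -Name 'HideFileExt'
}

# Extensions Windows will run on double-click (assumed list; extend as needed).
$ExecutableExt = @('exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'js', 'vbs', 'wsf')
# Document/media types an attacker wants the victim to believe they opened.
$DecoyExt = @('pdf', 'doc', 'docx', 'xls', 'xlsx', 'txt', 'jpg', 'png', 'zip')

function Get-ArchivePayloads {
    # List executables inside a zip (e.g. message.zip) WITHOUT extracting it.
    param([Parameter(Mandatory)][string]$ZipPath)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        $pattern = '(?i)\.(' + ($ExecutableExt -join '|') + ')$'
        $zip.Entries |
            Where-Object { $_.FullName -match $pattern } |
            Select-Object FullName, Length, CompressedLength
    }
    finally {
        $zip.Dispose()
    }
}

function Find-MasqueradingExecutables {
    # Flag files such as "invoice.pdf.exe" (double extension) or
    # "outlook_settings_pdf.exe" (decoy type spelled into the base name).
    param([string]$Path = "$env:USERPROFILE\Downloads")
    $pattern = '(?i)[._-](' + ($DecoyExt -join '|') + ')\.(' + ($ExecutableExt -join '|') + ')$'

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.Name
                FullPath = $_.FullName
                Bytes    = $_.Length
                # Unsigned code pretending to be a document is one more red flag.
                Signed   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

# Usage (a normal user session is enough; none of this needs admin rights):
# Show-FileExtensions
# Get-ArchivePayloads -ZipPath "$env:USERPROFILE\Downloads\message.zip"
# Find-MasqueradingExecutables | Format-Table -AutoSize
```

The zip function is the one to reach for first: it tells you that message.zip holds an .exe before anything is extracted or double-clicked, which is exactly the point at which the Acrobat icon would otherwise do its work.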

Bottom line

If you see an out-of-place-looking email from anybody @outlook-us.com, err on the side of caution. As always, clicking links when you don’t know where they came from is a bad idea. If there’s anything you’re unsure about, ask your IT support! We in IT would rather you be cautious and secure than click-happy and vulnerable :)

That’s really it. If you want the details of what the virus is doing, keep on reading!

What’s the file doing?

If outlook_settings_pdf.exe gets run, it shows up as a process, along with two processes that *appear* to have randomly generated names. They’re definitely noticeable. Here is Resource Monitor with the processes:

Then it gets to work! It uses the system Cryptographic Services to start encrypting your precious files to hold for ransom:
(I just realized the bottom task got cut off. But it’s the Cryptographic Service…)

Alaa here. Recently, Simplex-IT techs received calls about slow Internet connections and slow Outlook mail flow. After some troubleshooting and several attempts to resolve the issue, we stumbled upon Internet Protocol version 6 (IPv6), and as part of the troubleshooting process we decided to disable it. Interestingly enough, with IPv6 disabled everything just worked: Internet connections were faster and mail flow was normal again.

So, what is IPv6? It is the newer version of the Internet Protocol, designed mainly to provide a vastly larger address space so that a lot more devices can be on the internet.

Now, we’re not saying IPv6 is broken. But a lot of ISPs (the folks who give us internet access) haven’t completely implemented their support for IPv6, and we think that’s what is behind the issue.

To disable IPv6, open the Start menu and then Control Panel. In Control Panel, select Network and Sharing Center. On the left-hand side, select Change adapter settings. Right-click the Local Area Connection adapter (it might also be named Ethernet) and select Properties. Finally, uncheck Internet Protocol Version 6 (TCP/IPv6) and click OK. Note that this unbinds IPv6 from that one adapter only; any other adapters on the machine keep it.
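The same change from PowerShell, as an added example (not from the original post or from Simplex-IT), together with the way to undo it and a gentler alternative that keeps IPv6 but makes Windows try IPv4 first. It assumes Windows 8 / Server 2012 or newer for the NetAdapter cmdlets and an elevated (Run as administrator) session; the adapter name 'Ethernet' is an assumption, so check yours with Get-NetAdapter first.

```powershell
# Added example, not from the original post. Assumes Windows 8 / Server 2012 or
# newer (NetAdapter cmdlets) and an elevated PowerShell session. The adapter name
# 'Ethernet' is an assumption; list yours with Get-NetAdapter.

function Get-IPv6BindingState {
    param([string]$AdapterName = 'Ethernet')
    # ms_tcpip6 is the "Internet Protocol Version 6 (TCP/IPv6)" checkbox.
    Get-NetAdapterBinding -Name $AdapterName -ComponentID ms_tcpip6 |
        Select-Object Name, DisplayName, Enabled
}

function Disable-IPv6OnAdapter {
    # Same effect as unchecking the box in the adapter's Properties dialog:
    # IPv6 is unbound from this one adapter only; other adapters keep it.
    param([string]$AdapterName = 'Ethernet')
    Disable-NetAdapterBinding -Name $AdapterName -ComponentID ms_tcpip6
    Get-IPv6BindingState -AdapterName $AdapterName
}

function Enable-IPv6OnAdapter {
    # The way back, since this is meant as a last resort.
    param([string]$AdapterName = 'Ethernet')
    Enable-NetAdapterBinding -Name $AdapterName -ComponentID ms_tcpip6
    Get-IPv6BindingState -AdapterName $AdapterName
}

function Set-PreferIPv4 {
    # Gentler alternative that keeps IPv6 but makes Windows try IPv4 first.
    # If the slowness comes from IPv6 connections being attempted first and
    # timing out, this addresses that without removing the protocol.
    # DisabledComponents 0x20 = prefer IPv4 over IPv6 in prefix policies
    # (0xFF would disable every IPv6 component except loopback). Reboot required.
    $Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    New-ItemProperty -Path $Key -Name 'DisabledComponents' -PropertyType DWord -Value 0x20 -Force | Out-Null
    Get-ItemProperty -Path $Key -Name 'DisabledComponents' | Select-Object DisabledComponents
}

# Usage:
# Get-IPv6BindingState                            # check before changing anything
# Disable-IPv6OnAdapter -AdapterName 'Ethernet'
# Enable-IPv6OnAdapter  -AdapterName 'Ethernet'   # undo
# Set-PreferIPv4                                  # alternative; then Restart-Computer
```

If the prefer-IPv4 setting alone fixes the slowness, that is a strong hint the problem was broken IPv6 connectivity upstream rather than anything on the PC, and you get to keep IPv6 for the day the ISP finishes rolling it out.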

However, we would like to point out that this is not a fix for everything; we have only had a couple of incidents where this was the solution, so we recommend trying it as a last resort for connection issues with Microsoft Outlook or slow Internet connections.

Even though most Internet Service Providers are not yet ready to deploy IPv6 to residential customers, if you would like to find out whether your ISP supports IPv6 and whether your computer systems are IPv6 ready, I have just the right tool for you. Check out http://test-ipv6.com/