Hey folks, Brandon here! Something we’ve talked about for the past year or so is ransomware, a type of malware that encrypts your files so you can’t access them, then demands a monetary ransom to get access to them again. Every couple of months there seems to be a new wave of these coming out, and one seems to have started going out this week… So of course Steve and I decided to download the latest and greatest in Cryptowall and try it out!

So let’s talk about how this new wave of Cryptowall is being distributed and how it works.

Note that this version uses Java to run. When we didn’t have Java installed, the virus couldn’t do anything. Unfortunately, removing Java from all your machines isn’t really a good way to prevent this sort of thing, as it’ll cause new issues. The best thing to do is to keep everything up to date, as companies are constantly releasing security updates.

How it’s being sent

This is being sent to people in an email about new Outlook settings (subject typically: “Important – New Outlook Settings”) coming from Administrator@outlook-us.com.

Attachment/Link

The email comes with a URL (a different URL each time) that appears to change what it does each time you click it. Sometimes it downloads ‘message.zip’, which contains ‘outlook_settings_pdf.exe’ (the virus). This is tricky because unless your computer shows file extensions, it just shows as outlook_settings_pdf with a sneaky little Adobe Acrobat icon. Sometimes the site it takes you to loads a blank page. Sometimes it loads what appears to be a…poem? Yeah, a poem. Alaa has actually been reloading the page over and over to make a poem book. We’ll probably put that on Amazon for your Kindle soon.
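For anyone doing mail triage, here is a small added example (not part of the original post) that checks a message against the lure described above: the sender domain and subject wording from the post, plus a look inside the zip for an executable hiding behind a document-style name like outlook_settings_pdf.exe. The zip archive and the list of decoy words are constructed here for the demonstration.

```python
# Added example: triage for the "New Outlook Settings" lure. Sender domain,
# subject and file names come from the post; the zip and decoy list are constructed.
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jar"}
DOC_DECOYS = ("pdf", "doc", "docx", "xls", "txt")  # assumed decoy words before the real extension
SUSPICIOUS_SENDER_DOMAINS = {"outlook-us.com"}      # from the post

def masquerade_reasons(name: str) -> list[str]:
    """Return why a file name inside an attachment looks like a disguised executable."""
    reasons = []
    stem, dot, ext = name.lower().rpartition(".")
    ext = "." + ext if dot else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        # 'outlook_settings_pdf.exe' -> the stem ends with a document word
        if any(stem.endswith(("_" + d, "-" + d, "." + d)) for d in DOC_DECOYS):
            reasons.append("document-like name in front of the real extension")
    return reasons

def triage_message(sender: str, subject: str, zip_bytes: bytes) -> list[str]:
    """Score one message: sender domain, subject wording and zip contents."""
    findings = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in SUSPICIOUS_SENDER_DOMAINS:
        findings.append(f"sender domain {domain} is on the watch list")
    if "outlook settings" in subject.lower():
        findings.append("subject matches the 'New Outlook Settings' lure")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            for reason in masquerade_reasons(info.filename):
                findings.append(f"{info.filename}: {reason}")
    return findings

def build_sample_zip() -> bytes:
    """Constructed stand-in for message.zip; the payload bytes are inert filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("outlook_settings_pdf.exe", b"not a real binary")
    return buf.getvalue()

if __name__ == "__main__":
    for line in triage_message("Administrator@outlook-us.com",
                               "Important - New Outlook Settings", build_sample_zip()):
        print(line)
```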

Bottom line

If you see an out-of-place looking email from anybody @outlook-us.com, you should probably err on the side of caution. As always, clicking on links if you don’t know where they’re from is typically a bad idea. If there’s anything you’re unsure about, ask your IT support! We in IT would rather you be cautious and secure than click-happy and vulnerable :)

That’s really it. If you want the details of what the virus is doing, keep on reading!

What’s the file doing?

If outlook_settings_pdf.exe gets run, it will show itself as a process, along with 2 processes that *appear* to have randomly generated names. They’re definitely noticeable. Here is Resource Monitor with the processes:

Then it gets to work! It’s using the system Cryptographic Services to start encrypting your precious files to hold for ransom:


(I just realized the bottom task got cut off. But it’s the cryptographic service…)