Virus Alert – Locky & TeslaCrypt

Certain types of viruses come and go in waves. There are some insidious viruses making a significant number of victims in the Toronto area that are of a similar family of the CryptoLocker. This type of malware is classified as a ransomware trojan.  The trojan part is akin to the classic Greek mythology in the Greek wars of ancient time, in which someone presents something to entice the recipient to accept it, but in fact it carries a destructive payload.  The term ransomware comes from the fact that this type of malware causes some damage to the user’s computer and then presents a message demanding payment in return for the recovery of the damages.

Both of these (Locky and TeslaCrypt) are being distributed through email.  The messages trick the user to open an attached zip file in order to determine some amount that he/she has won, or to view some invoice that is unpaid.  In some cases, the message contains bold warnings with threats of legal action if the attached invoice is not paid.  The zipped file then contains a Word document (in the case of the Locky).  The user has to open the document, which contains embedded macros.  Macros in MicroSoft Office documents make use of the Visual Basic programming language, which give the macro (attacker) the ability to do almost anything on the user’s computer and other machines connected in a network. By default, Macros are not enabled in Word and other office documents.

If Macros are not enabled, the user then gets a message to click the button to enable Macros.  If the user does so, then the damage begins.  The macro goes out to the internet to download another program (which if the actual virus), and runs that program in the background.  The virus then looks for user data files on the local computer in every folder, encrypts the file, and changes the file name to a series of random letters and digits with the extension of .locky (ie: 63CED2DDAA3BED16A99393A0B96E40F6.locky).  It also creates a file called _Locky_recover_instructions.txt in every folder it encrypts files.  If the infected computer is connected to another on a network, then the virus determines all shared folders on that other machine/server and goes through every file in every folder in every shared folder on that server and encrypts the files there in the same manner.

An example of the contents of the _Locky_recover_instructions.txt is as follows:

!!! IMPORTANT INFORMATION !!!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
http://en.wikipedia.org/wiki/RSA_(cryptosystem)
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
1. http://i3ezlvkoi7fwyood.tor2web.org/63CED2DDAA3BED16
2. http://i3ezlvkoi7fwyood.onion.to/63CED2DDAA3BED16
3. http://i3ezlvkoi7fwyood.onion.cab/63CED2DDAA3BED16

If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: i3ezlvkoi7fwyood.onion/63CED2DDAA3BED16
4. Follow the instructions on the site.

!!! Your personal identification ID: 63CED2DDAA3BED16 !!!

Ironically, some of the infected machines that have been seen has active anti-virus protection enabled.  In one case, almost 70,000 files were infected on a server, and all local user files were also encrypted, including the Outlook PST file containing all emails.  As you can see, this is evil.  There are only two ways of recovering from this: 1) pay the criminals and hope (criminals as they are) that they will actually send you a program to un-encrypt your valuable data, or 2) restore from a backup.  If you pay the criminals, you are feeding into their appetite to go out and get more victims.  The Locky was initially widely targeted at users in Germany earlier in the year, but both seem to be exploding in Canada now.

If you suspect that a machine has been infected with this malware, the first step is to immediately disconnect it from the network.  Next, use a program such as MalwareBytes to scan and verify complete removal of the virus, followed by data recovery.

The TeslaCrypt malware is very similar in what it does, but technically it is different.  The attached zip file contains a ‘JScript’ file instead of a Mircrosoft document with a macro. Windows computers can execute such JScripts using their scripting engine directly.  The JScript goes out and downloads the encrypting program, which it then runs in the background.  The user is not prompted to enable macros in this case.  The encrypted files retain their original name and extension, plus a new added on extension, such as .vvv, .aaa, etc.  There are at least 3 main versions of the TeslaCrypt now in the wild, with other variations as well.

The following are some samples of emails containing these viruses:

Subject: FW: Notification from CVC CREDIT PTNRS EUROPEAN OPPS LTD
Date: Fri, 18 Mar 2016 09:30:20 -0500
From: Hammond.Adele31@grandprixintlhk.com
Reply-To: Hammond.Adele31@grandprixintlhk.com
To: xxx@xxx.com
CVC CREDIT PTNRS EUROPEAN OPPS LTD
INVOICEEGINV51930 DUE DATE03/16/2016 BALANCE DUE$499.46
Dear Valued Client,
Please find your sales form below. If you need to remit payment, please do so at your earliest convenience.
Thank you for your business – we appreciate it very much.Sincerely,
CVC CREDIT PTNRS EUROPEAN OPPS LTD
© Intuit, Inc. All rights reserved. Privacy |  Terms of Service
 ________
Subject: Urgent: IMAGINiT invoice GNINV77677 is Past due
Date: Thu, 17 Mar 2016 16:51:14 +0300
From: Vinson.Faith0@ihatedrops.com
Reply-To: Vinson.Faith0@ihatedrops.com
To: xxx@xxx.com

imaginit-logo.gif

Dear Valued Customer-Please be aware that our invoice GNINV77677 (attached) is currently past due and payment is required at this time. Our remittance address is indicated on the attached invoice. Please note that credit card payments will not be accepted for invoices processed with credit terms. If you have any questions regarding your invoice, please contact us on 435-321-1713 using reference account number 81F26-174.Payments and/or credits of $0.00 have been applied to this invoice, the balance currently due is $823.47.Thank you for your business and we appreciate your prompt response in this matter.Sincerely,

IMAGINiT, a Division of Rand Worldwide

________
Subject: Traffic report ID: 67946838
Date: Mon, 14 Mar 2016 22:31:07 +0530
From: Jonah ewart <ewartJonah42521@lvea.com>
Reply-To: xxx <xxx@xxx.com>
To: xxx <xxx@xx.com>

Dear Citizen,

We are contacting you on behalf of a local Traffic Violation Bureau.

Our cameras have detected that the driver of the vehicle associated with your personal number on March 10th, 2016 has committed a violation of the rules with a code: 06075
Unfortunately, we will have no other option rather than passing this case to the local police authorities.

Please, see the report with the documents proofs attached for more information on this case.

________
Subject: Blocked Transaction. Case No 79181632
Date: Mon, 14 Mar 2016 09:34:18 +0500
From: Malinda fischer <fischerMalinda099@netricitydesign.com>
Reply-To: xxx <xxx@xxx.com>
To: xxx <xxx@xxx.com>

The Automated Clearing House transaction (ID: 79181632), recently initiated from your online banking account, was rejected by the other financial institution.

Canceled ACH transaction
ACH file Case ID: 70941
Transaction Amount: 209,82 USD
Sender e-mail: fischerMalinda099@netricitydesign.com
Reason of Termination: See attached statement

________
Subject: GreenLand Consulting � Unpaid Issue No. 22107
Date: Fri, 11 Mar 2016 15:53:33 +0200
From: Beatrice gason <gasonBeatrice168@bidnix.com>
Reply-To: xxx <xxx@xxx.com>
To: xxx <xxx@xxx.com>

Dear Client!
For the third time we are reminding you about your unpaid debt.

You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 22107. But it has never been paid off.

We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.

Otherwise we will have to start a legal action against you.

Respectfully,
Beatrice gason
Chief Accountant
309 Monroe St
FL 22107
670-465-2546

________
Remember the saying that an ounce of prevention is worth a pound of cure!  The entrance door is you, the user.  Education is key.  Ensure that you and your employees are familiar with identifying the legitimacy of emails.  In each of the examples shown are many clues that show that these messages are bogus.

  1. The first and most obvious is: do you or your company deal with this sender or company?  If not, why would you want to pay their invoice? The delete function is your best friend!  
  2. Second, an invoice is a relatively small file.  There is no need to send it in a compressed format, especially since Word and Excel documents are already compressed since Office 2007.
  3. In most cases, the company name in the email does not match the domain (ie: GreenLand Consulting, but the domain is bidnix.com)
  4. Never open any attachments from anyone that you do not know.  Even if you know the sender, only open carefully if you are expecting the email.  Otherwise, call the sender and confirm if he/she sent the file.
  5. Always have good anti-virus protection.
  6. REGARDLESS of how good the anti-virus protection is, it is NOT foolproof and will often let infections through.  Again, virus protection begins with the user through his/her actions.
  7. If there is no special need to run macros, go into each Office application and check the “Trust Centre” to ensure that the option is enabled to at the minimum prompt the user before executing any macro.

 

Leave a Reply