Cryptowall malware in circulation – sophos definition mal/zbot-rk

 

A new variant of the cryptolocker/cryptowall malware has been identified.  When successful, the malware encrypts all data retained on the workstation before the process can be halted.  As of June 10, the malware has a current definition in Sophos (identified as mal/zbot-rk) but at least one user has suffered a data loss.

 

Some symptoms of an infection will likely include the following behavior:

  • The presence of files named DECRYPT_INSTRUCTIONS.TXT, DECRYPT_INSTRUCTIONS.PDF and DECRYPT_INSTRUCTIONS.HTM
  • Unusual slowness as files are being encrypted in the background
  • Unusual error messages, such as “failure to initialize” when running a program like stamps.com that normally works okay

To minimize the chance of risk, the following actions are suggested.

  • Make sure the following products are updated to the latest version: Java, Flash and Silverlight; with Silverlight being the most common vector.
  • Don’t open email attachments from individuals you do not know.
  • Don’t click on links in e-mail; and instead visit the site by typing in the site name in the address bar.

o   It appears that food.com was one of the sites being identified as a origin of the malware.

  • Don’t logon to the windows workstation with an administrator ID except when performing software updates or installs.
  • Save all workstations files to either the Enterprise file system (for those on the AgNet domain) or to local copies kept on removable media.

o   Backups should be made at least once per day and the removable media should not be left in the workstation at all times (the malware could encrypt the copy on the removable media also).

Additional details are available from the following sites.

https://isc.sans.edu/

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Zbot-RK.aspx

Tags:

Categories: Uncategorized