drewbranson10 Posted February 15, 2016 Share Posted February 15, 2016 Hello, I am not sure if this is the right forum to put this in so if not please move it to where it needs to be. I just wanted to share a quick warning to anyone who may manage a network of CAD files. Last week our network was hit with a virus that encrypted all of our files to have an extension "LOL!" on the end of it. There was a text file in every folder that basically was asking us to pay money to the hackers to fix our files or they would all be deleted in a month. It made all of our files corrupt and it took a few days to clear up the computers and to get our backups in order. Just a warning to those who have not encountered this and I was curious as to if anyone has had this happen to them? Link to comment Share on other sites More sharing options...
nukecad Posted February 16, 2016 Share Posted February 16, 2016 'Ransomware' is a well known problem these days. (Try Googling it or start here https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx). I haven't heard of it specifically targeting CAD files before but I suppose it makes sense from the hackers point of view, attack and encrypt the targets most valuable files. Of course you regularly backup your CAD files to removable media so could easily get them back once you had cleared out the ransomware infection. As well as your Firewalls and Anti-Virus it is also a good idea to have an Anti-Exploit on your PCs these days. Most AV's protect you from malware and viruses that are already known, they typically compare what is being downloaded on your PC to their latest database. They can't stop what are known as Zero-Day attacks, that is new malware that is not yet on the database. Anti-Exploit works differently; it checks if anything is trying to write to areas of memory or to files where it shouldn't be and stops it. Read more about anti-exploit here: http://www.howtogeek.com/223228/use-an-anti-exploit-program-to-help-protect-your-pc-from-zero-day-attacks/ If you do get infected with ransomware then there are various removal tools, note that these will porbably not get your encrypted files back. http://www.techworld.com/security/7-best-ransomware-removal-tools-how-clean-up-cryptolocker-cryptowall-extortion-malware-3626974/ Link to comment Share on other sites More sharing options...
RobDraw Posted February 16, 2016 Share Posted February 16, 2016 Most AV's protect you from malware and viruses that are already known, they typically compare what is being downloaded on your PC to their latest database. That is mostly true. There is at least one that uses a whitelist and blocks everything that is not on that list. Link to comment Share on other sites More sharing options...
drewbranson10 Posted February 18, 2016 Author Share Posted February 18, 2016 Thanks for the responses! We had back-ups it just took a while to get it all back online. I was not aware of this type of virus before we got it but it took us out of business for a couple of days and wanted to spread the word to watch out for it. We are still not sure where we got it, all of the PC's were checked and did not show that they were infected. Link to comment Share on other sites More sharing options...
RobDraw Posted February 19, 2016 Share Posted February 19, 2016 Thanks for the responses! We had back-ups it just took a while to get it all back online. I was not aware of this type of virus before we got it but it took us out of business for a couple of days and wanted to spread the word to watch out for it. We are still not sure where we got it, all of the PC's were checked and did not show that they were infected. For some reason this has brought out my inner cyber detective. I've only heard of one virus that attacked .dwg files. It was totally malicious and didn't change the file extension. The choice of letters that this one uses makes it sound like it was personal. It's very possible that this virus was executed by someone with secure access to those files and not an outside source. Link to comment Share on other sites More sharing options...
nukecad Posted February 19, 2016 Share Posted February 19, 2016 The choice of letters that this one uses makes it sound like it was personal. It's very possible that this virus was executed by someone with secure access to those files and not an outside source. We are still not sure where we got it, all of the PC's were checked and did not show that they were infected. It's unlikely to be an insider with a grudge. "LOL! extension" ransomware (also known as "GPCode" ransomware) is well known and usually comes as an email attachment purporting to be an invoice or similar. Someone clicks on the attachment to see just what is being invoiced and inadvertently launches the ransomware, which goes off and encrypts your files. http://easyviruskilling.com/remove-lol-extension-ransomware-encryption-completely/ Ask in the accounts department if somebody has had an strange invoice by email recently, probably from a false company who is not one of your suppliers. Because it comes in as an email attachment most anti-virus suites won't see it at all. It is only when it is launched and starts altering things that an anti-exploit will spot it, stop it, and alert you. You may have seen the reports that a hospital in Los Angles paid out a ransomware attack this week, (40 bitcoins, about $17,000). http://www.bbc.co.uk/news/technology-35602527 Makes you wonder just how many others are paying but not getting reported. Link to comment Share on other sites More sharing options...
RobDraw Posted February 19, 2016 Share Posted February 19, 2016 I misread the OP and thought that just the .dwgs were affected not every file as the OP stated. Link to comment Share on other sites More sharing options...
halam Posted February 19, 2016 Share Posted February 19, 2016 We had it just yesterday !! Link to comment Share on other sites More sharing options...
drewbranson10 Posted February 19, 2016 Author Share Posted February 19, 2016 Yes I saw where that hospital was hit by a similar attack and paid out. Our IT guy said that our attack probably came through an email but we can't seem to find anyone who opened anything suspicious. We actually share a network with an architecture firm that we share office space with. It had hit all of our files and was working it's way through the architects files when we noticed anything was up. Luckily we do daily back-ups so we didn't lose too much work. The virus generated a text file with instructions on how to pay them. Since I started this post I have installed the Anti-exploitation software that Nukecad referenced to and have notified the people in the office about it. None of our anti-virus programs picked up on anything. Link to comment Share on other sites More sharing options...
nukecad Posted February 21, 2016 Share Posted February 21, 2016 Coincidences happen? I have had Windows 10 since it was first released to market and have never had a malware notification until today. I was visiting a website (an old, no longer updated blog) and as soon as I landed on the page Windows Defender picked up malware and quarantined it. (This is known as a 'drive-by' attack. You don't do anything other than visit an infected webpage). Exploit:JS/Axpergle Nasty little Exploit Kit, also known as Angler Kit, can give hackers remote access to your PC and is used by many of the ransomware viruses. Nice to see that Defender got it straight away, but it might have been interesting to see how the Anti-Exploit fared if it had got through and went to work. (No; I'm not going to turn Defender off and try it). This is why it's good to have layered protection (Firewall, AV, AE, manual scans), they may never be needed, but you will be sorry if you need them and don't have them running. Of course I immediately disconnected from the web and ran all my anti-malware tool scans, everything is clear. Ok, it's taken a couple of hours to run complete scans, but it would have taken days if not weeks to sort out if it had gotten through and encrypted my files. Time to do a full data backup. Link to comment Share on other sites More sharing options...
SLW210 Posted February 22, 2016 Share Posted February 22, 2016 Our IT department just sent out this warning. There is a new virus called “Locky” that has already infected over 400,000 workstations. There are 4000 new infections per hour. Antivirus manufacturers are scrambling to catch up but it may take days for them to create a way to detect and block it. The virus is spread by Word files in emails. They use social engineering (commonly pretending to be an invoice) to get you to open them and to run macros. Do not open a Word file form anyone than you do not know, or Word files that you were not expecting. Under no circumstances run macros in any Word files. Luckily there is a signature to these particular malicious emails: The subject is “ATTN: Invoice_J- The attachment is called “invoice_J-.doc” Example: Subject: ATTN: Invoice J-11256978 Example: Attachment: invoice_J-11256978.doc This is how it works: You receive an email containing an attached Word document. • The document looks like garbage. • The document advises you to enable macros “if the data encoding is incorrect.” • If you enable macros, you don’t actually correct the text encoding (that’s a trick); instead, you run code inside the document that saves a file to disk and runs it. • The saved file serves as a downloader, which fetches the Locky ransomware program from the Internet. • This then encrypts all of the data that you have access to, including shared folders and renames them with an extension of “.locky” • The program then changes your wallpaper to be the ransom message shown below, demanding payment to get your files unlocked. Link to comment Share on other sites More sharing options...
nukecad Posted February 23, 2016 Share Posted February 23, 2016 (edited) As I said above, Anti-Virus can't stop these because as far as the AV is concerned its just a word file attached to an email. They could conceivably scan inside the file contents, but to do this with every file would slow your PC down to the point of unuseability. Luckilly, as quoted above by SLW210, it does take some user actions to launch them, so there is a chance of spotting them before they can get to work. However you are always going to get someone who blithely clicks away following the on screen instructions. (and no doubt ransomware will soon evolve so that it can launch itself without any enabling of macros). Anti-Exploit doesn't even look at files, it monitors what is being written to memory and/or storage and flags/stops any suspicious activity. Your best defences against this type of attack are: Install an Anti-Exploit as well as your Anti-Virus; there are free or paid versions for home use, and paid for versions that will protect your business network. Back up your data to removable media everyday, twice a day for perference. And remove the media after backing up. If its not in the drive it can't get infected/encrypted. These ransomware attacks are an epidemic at the moment; take extra precautions. EDIT Not so much for ransomware but a piece of general advice; Shut Down your PC when you are not using it. Leaving it in Sleep mode is akin leaving your keys in your car, it could be woken up and 'driven' without your knowledge. (For example Microsoft do it all the time with Automatic Updates, if MS can do it so can a hacker). Edited February 23, 2016 by nukecad Link to comment Share on other sites More sharing options...
Ogo Posted March 5, 2016 Share Posted March 5, 2016 Locky help - http://nabzsoftware.com/types-of-threats/locky-file Forum - http://www.bleepingcomputer.com/forums/t/605607/locky-ransomware-support-and-help-topic/ Link to comment Share on other sites More sharing options...
samifox Posted June 12, 2016 Share Posted June 12, 2016 Its basically an email with attached invoice word documet . One u open that documet, a visual basic macro is invoked and download that randsomeware Sent from my Lenovo PB1-770M using Tapatalk Link to comment Share on other sites More sharing options...
Recommended Posts