MALWARE WARNING – Cryptolocker Ransomware

Many of you may have heard of a recent threat, referred to as "Cryptolocker Ransomware".  This is an extremely dangerous type of malware that has impacted several thousand systems around the world.  We have had one reported incident on campus this week, so it is important that all users are aware of the threat.

The malware encrypts files on an infected system, then demands payment from the victim in order to decrypt and recover the files.  

The primary means of infection is via phishing emails with malicious attachments.  The emails may claim to be from your bank, or claim to be a tracking message from a delivery company, such as FedEx or UPS.

PREVENTION

We are currently seeing several blocked messages related to this attack on our Ironport (Exchange) and Spamhaus (CC Mail) filters, but tactics to bypass filters can change without notice. Be cautious with email on any account (Gmail, Hotmail, Yahoo, QQ, Facebook, etc.).

DO NOT follow unsolicited web links in messages and be cautious with all email attachments.

When in doubt contact the Help Desk for assistance.

LOWER YOUR RISK!
  • Perform regular backups of important files and store this data in a secure offline location.
  • Keep your operating system and application software up to date with the latest patches.
  • Maintain up-to-date anti-virus software.
The University provides secure file storage for faculty, staff and students.  Consult your local IT support staff or the Help Desk for details.

University of Manitoba Help Desk - 204-474-8600 or support@umanitoba.ca

MORE TECHNICAL DETAILS

Once a system is infected, the malware restricts access to files by encrypting Microsoft Office documents (Word, Excel, PowerPoint) and PDFs found on all attached storage.  This may include local and external drives, USB drives, network drives and cloud storage.

Some current indicators of the malicious emails (which may change at any time) are:

Attachments follow the naming convention of "Form_[random letters or numbers].zip"
(example:  Form_nfcausa.org.zip, Form_20130810.exe, Form_f4f43454.zip)

Spoofed Sender: "fraud@aexp[.]com" "Dewayne@nfcausa[.]org"

Sample Subject: "Annual Form - Authorization to Use Privately Owned Vehicle on State Business"
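
One way a mail administrator could check stored or quarantined messages against the three indicators above. This is an added example, not part of the original advisory; the helper names and sample messages are constructed, and the filename pattern assumes dots and a .exe ending are allowed because the advisory's own examples show both.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators as published in the advisory (senders are defanged there).
SPOOFED_SENDERS = {"fraud@aexp[.]com", "Dewayne@nfcausa[.]org"}
SUBJECT = "Annual Form - Authorization to Use Privately Owned Vehicle on State Business"
# Assumption: the random part may contain dots and the file may end in .zip or
# .exe, because the advisory's example filenames show both.
ATTACHMENT_RE = re.compile(r"Form_[A-Za-z0-9.]+\.(?:zip|exe)", re.IGNORECASE)

def refang(value):
    """Turn a defanged indicator (aexp[.]com) back into a comparable address."""
    return value.replace("[.]", ".").lower()

SENDERS = {refang(s) for s in SPOOFED_SENDERS}

def match_indicators(msg):
    """Return the advisory indicators that a parsed message matches."""
    hits = []
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() in SENDERS:
        hits.append("sender")
    # Collapse whitespace so a folded or padded subject still compares equal.
    if " ".join(str(msg.get("Subject", "")).split()).lower() == SUBJECT.lower():
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if ATTACHMENT_RE.fullmatch(name):
            hits.append("attachment:" + name)
    return hits

def sample(sender, subject, filename):
    """Build a constructed test message; the attachment is harmless bytes."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content("constructed sample body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

if __name__ == "__main__":
    spoofed = "Billing <%s>" % refang("fraud@aexp[.]com")
    for m in (sample(spoofed, SUBJECT, "Form_f4f43454.zip"),
              sample("colleague@example.edu", "Minutes", "Form_notes.docx")):
        print(m["From"], "->", match_indicators(m) or "no match")
```

As the advisory says, these indicators may change at any time, so a match is a reason to quarantine and review, and a non-match is not proof a message is safe.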

For more information Google the following: "recognizing and avoiding email scams" or "cryptolocker"

Regards,
DT
  
-- 
+++++++++++++++++++++++++++++++
David Treble    IT Security Coordinator
E3-640 EITC     University of Manitoba
David_Treble@umanitoba.ca - 204.474.8340

     Follow @uminfosec on Twitter
Ask me about the Infosec Mailing List!
+++++++++++++++++++++++++++++++