I was actually going to start a thread about this late last night but I was too tired by the time I finished restoring from backups tens of thousands
of encrypted documents. It is exactly as bad as it sounds. I got an email about a corrupted spreadsheet around 5pm Friday, didn't give it another
thought for the next 48 hours. Then yesterday I decided to take a look and to my surprise, multiple files in the same directory are similarly FUBAR. I
ended up RDP'ing into the workstation of the user who was now owner of all these files that I knew she wouldn't normally access only to be greeted
with a ransom demand, complete with nerve-wracking countdown timer.
We do nightly backups from inside the VMs to a NAS and everything is copied to a USB drive and taken off site daily, so I was able to recover
everything from the Thursday backup and only lost a day's worth of files and revisions.
I read that the most common way people are becoming infected is from spoofed emails appearing to come from UPS, FedEx, and others with an attached
executable masquerading as a .PDF file. If that's how my user picked it up, it made it through our 3rd party spam/virus filtering service before not
being picked up by NAV (though the definitions were out of date).
There's a lot of good information on the link to bleeping computer from the OP but here's my own short list of what I thought were the most relevant:
- Affects Windows XP - Windows 8, local documents and anything accessible on a mapped drive
- Files are encrypted with RSA 2048, the private key used is stored on a server or servers
- Encrypts all MS Office documents, PDFs, and basically all common image formats including those used by Adobe applications like Photoshop's PSD.
- Victims are given 100 hours from when the encryption process ends (and the ransom demand pops up) to submit payment. After that, it uninstalls
itself and you're left uninfected (allegedly) but with your data irrecoverably encrypted.
- Payment can be made with Green Dot MoneyPak and Bitcoin.
- People are apparently paying (estimates I saw are 3%) and the keys are sent though in some cases it was well over a week before receipt. Once the
software receives the key, it decrypts everything and removes itself (allegedly).
I formatted and reinstalled the workstation but apparently MalwareBytes will remove it. We of course did not pay -- if we didn't have backups, we would
have been forced to, but that's what backups are for, keeping you out of situations like that.
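The post noticed the infection two days late, when whole directories of Office, PDF and image files had already been replaced by encrypted blobs. An added triage script (my own example, not from the post or the thread) that a defender can run against a file share to spot that condition early: it flags files whose extension promises one of the document formats listed above but whose header no longer matches and whose leading bytes are near-random, which is what ciphertext looks like. The magic-byte table and the 7.5 bits-per-byte threshold are my assumptions; `build_sample_tree` writes constructed sample files so the script runs offline.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Expected headers for the formats the post says get encrypted (assumed values:
# OOXML files are ZIP containers, legacy Office files use the OLE compound header).
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
    ".png": (b"\x89PNG",), ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".psd": (b"8BPS",),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: close to 8.0 for ciphertext, clearly lower for plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: Path, sample_size: int = 4096, threshold: float = 7.5) -> bool:
    """True when a known document extension has lost its header and its head bytes are near-random.
    Compressed formats (JPEG, PNG, OOXML) are high-entropy too, which is why the header check comes first."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return False  # not a format we know how to validate
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if any(head.startswith(m) for m in expected):
        return False
    return shannon_entropy(head) >= threshold

def scan_tree(root) -> list:
    """Walk a directory (e.g. a mapped share) and return the suspicious files, sorted by path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if looks_encrypted(p):
                    hits.append(str(p))
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
    return sorted(hits)

def build_sample_tree() -> str:
    """Constructed sample data: one intact PDF, one 'encrypted' spreadsheet, one unrelated text file."""
    d = tempfile.mkdtemp()
    Path(d, "report.pdf").write_bytes(b"%PDF-1.4\n" + b"ordinary pdf body text " * 40)
    Path(d, "budget.xlsx").write_bytes(bytes(range(256)) * 16)  # uniform bytes, entropy 8.0
    Path(d, "notes.txt").write_bytes(bytes(range(256)) * 16)    # unknown extension, ignored
    return d

if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print("possible encrypted file:", hit)
```

Run it against the share from a clean machine; a sudden cluster of hits under one directory, all with the same new owner, is the pattern the post describes.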