[Plantsci] FW: Cyber Notification: New Strain of Crypto Locker (cerber2)
Marquez, Mario A - (marquezm)
marquezm at email.arizona.edu
Tue Aug 23 09:57:57 MST 2016
FW: Cyber Notification: New Strain of Crypto Locker (cerber2)
Hello all,
This is an alert email to be aware of a ransomware attached to email being sent to campus. Tell your users to delete it immediately without opening the Word doc; if they have done so already, they will have initiated the encryption sequence. Antivirus appears to be detecting this threat, so be sure your machines are updated.
Gil Salazar
Interim Deputy Information Security Officer
University of Arizona
520-626-3651
Subject: Cyber Notification: New Strain of Crypto Locker (cerber2)
For your awareness.
Here are some details for this attack:
Emails come in from odd email addresses, one from 67170 at gmail, another from malgeneva at kln.gov.my, and eidauer at uconn.edu
Blank subject
They have a single file in them: 3 letters (they change) and the user's email, with a .zip extension, i.e. abcjohn.doe.zip
In the zip file is a Word document called 1.doc
When you open it, it looks like the attached file. When the user follows the instructions to enable content the virus runs. It doesn't appear to do anything, but I did notice it deletes all the embedded macros in the document and highlights everything in the document.
After the computer goes to sleep, it goes through and encrypts files in many folders on the computer. So far we have not seen any mapped drives get hit, just the C: drive. It leaves 4 files in every folder it encrypts:
# DECRYPT MY FILES #.html
# DECRYPT MY FILES #.txt
# DECRYPT MY FILES #.url (which takes you to a website)
# DECRYPT MY FILES #.vbs (which is a script that plays a woman's voice telling you that all your files have been encrypted)
Then the encrypted files get letters and characters as names with a .cerber2 extension
It changes your desktop to the ransom note with a grey speckled background and it plays the script file.
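As an added defender-side example (not part of this notification or any University of Arizona tooling), the following Python script turns the indicators listed above into two checks: an attachment-name test for the "three letters + user's email + .zip" pattern, and a filesystem sweep for the four "# DECRYPT MY FILES #" note files and the .cerber2 extension. The sample directory tree, file names and the recipient address in the demo are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the notification above.
RANSOM_NOTES = {f"# DECRYPT MY FILES #{ext}"
                for ext in (".html", ".txt", ".url", ".vbs")}
ENCRYPTED_EXT = ".cerber2"


def suspicious_attachment(filename: str, recipient: str) -> bool:
    """True when filename follows the alert's pattern: three letters, then the
    recipient's email (local part or full address), then .zip."""
    local_part = recipient.split("@")[0]
    for ident in (recipient, local_part):
        pattern = r"[A-Za-z]{3}" + re.escape(ident) + r"\.zip"
        if re.fullmatch(pattern, filename, re.IGNORECASE):
            return True
    return False


def scan_tree(root: str) -> dict:
    """Walk a directory tree; collect folders holding the ransom notes and
    files carrying the .cerber2 extension."""
    findings = {"note_dirs": [], "encrypted": []}
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTES & set(files):
            findings["note_dirs"].append(dirpath)
        findings["encrypted"].extend(
            os.path.join(dirpath, f) for f in files
            if f.lower().endswith(ENCRYPTED_EXT))
    return findings


def demo() -> tuple:
    """Build a constructed sample tree (hypothetical, not real victim data),
    scan it, and return (folders with notes, encrypted file count)."""
    with tempfile.TemporaryDirectory() as tmp:
        hit = Path(tmp, "Documents")
        hit.mkdir()
        for note in RANSOM_NOTES:
            (hit / note).write_text("constructed sample note")
        (hit / "Ab3xZ9qL.cerber2").write_bytes(b"\x00" * 16)  # constructed
        clean = Path(tmp, "Pictures")
        clean.mkdir()
        (clean / "holiday.jpg").write_bytes(b"\xff\xd8")
        result = scan_tree(tmp)
        return len(result["note_dirs"]), len(result["encrypted"])
```

Run `scan_tree` against user profile folders to confirm or rule out encryption on a suspected host; the attachment check belongs at the mail gateway or in a triage script fed with the recipient address.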