[Plantsci] UPDATE: Cyber Threat alert: New Strain of Crypto Locker (cerber2)

Marquez, Mario A - (marquezm) marquezm at email.arizona.edu
Tue Aug 23 10:32:34 MST 2016


FW: Cyber Threat alert: New Strain of Crypto Locker (cerber2)

Hello all, (I didn't see my first email hit the list yet)
This is an alert email to be aware of ransomware attached to an email being sent to campus. If you have received this email with the Word document, delete it immediately without opening the Word doc and empty your email trash. Antivirus appears to be detecting this threat, so be sure your machines are updated. Attached are two screen shots from the infected email.

Gil Salazar
Interim Deputy Information Security Officer
University of Arizona
520-626-3651



Subject: Cyber Notification: New Strain of Crypto Locker (cerber2)


For your awareness.



Here are some details for this attack:



Emails come in from odd email addresses, one from 67170 at gmail, another from malgeneva at kln.gov.my, and eidauer at uconn.edu



When you open it, it looks like the attached file. When the user follows the instructions to enable content the virus runs. It doesn't appear to do anything, but I did notice it deletes all the embedded macros in the document and highlights everything in the document.



After the computer goes to sleep, it goes through and encrypts files in many folders on the computer. So far we have not seen any mapped drives get hit, just the C: drive. It leaves 4 files in every folder it encrypts:

# DECRYPT MY FILES #.html
# DECRYPT MY FILES #.txt
# DECRYPT MY FILES #.url (which takes you to a website)
# DECRYPT MY FILES #.vbs (which is a script that plays a woman's voice telling you that all your files have been encrypted)



Then the encrypted files get letters and characters as names with a .cerber2 extension.



It changes your desktop to the ransom note with a grey speckled background and it plays the script file.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------



Screen shot of opened word doc. DO NOT ENABLE CONTENT if you have opened this document.


[cid:image005.png at 01D1FD28.EDDE19D0]
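As an added example (not part of the alert above or any university tooling), the indicators the alert lists can be turned into a simple post-incident check: walk a folder tree and report every folder that contains the four "# DECRYPT MY FILES #" note files or files ending in .cerber2. The sample folder tree the script builds is constructed for the demonstration; the file names inside it are made up.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the alert: the four note files dropped in every
# encrypted folder, and the extension given to encrypted files.
RANSOM_NOTE_NAMES = {
    "# DECRYPT MY FILES #.html",
    "# DECRYPT MY FILES #.txt",
    "# DECRYPT MY FILES #.url",
    "# DECRYPT MY FILES #.vbs",
}
ENCRYPTED_EXT = ".cerber2"


def scan_tree(root):
    """Walk `root` and report folders showing cerber2 indicators.

    Returns a dict: folder path -> {"notes": [note names], "encrypted": count}.
    Folders with no indicator at all are left out of the result.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        notes = sorted(n for n in filenames if n in RANSOM_NOTE_NAMES)
        encrypted = sum(1 for n in filenames if n.lower().endswith(ENCRYPTED_EXT))
        if notes or encrypted:
            findings[dirpath] = {"notes": notes, "encrypted": encrypted}
    return findings


def build_sample_tree():
    """Constructed sample: one clean folder and one that looks encrypted."""
    root = tempfile.mkdtemp(prefix="cerber2-demo-")
    clean = Path(root, "clean")
    clean.mkdir()
    (clean / "report.docx").write_text("ordinary file")
    hit = Path(root, "Documents")
    hit.mkdir()
    for name in RANSOM_NOTE_NAMES:  # all four notes, as the alert describes
        (hit / name).write_text("constructed ransom note placeholder")
    for name in ("aB3kq9Zt.cerber2", "Xy7pL2mN.cerber2"):  # made-up names
        (hit / name).write_bytes(b"\x00constructed-ciphertext\x00")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for folder, info in scan_tree(sample_root).items():
        print(f"{folder}: {info['encrypted']} .cerber2 file(s), notes: {info['notes']}")
```

Point `scan_tree` at a user's profile or a mapped drive to get a quick map of which folders were touched before restoring from backup.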

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://list.cals.arizona.edu/pipermail/plantsci/attachments/20160823/5f78d31a/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.gif
Type: image/gif
Size: 2290 bytes
Desc: image002.gif
URL: <https://list.cals.arizona.edu/pipermail/plantsci/attachments/20160823/5f78d31a/attachment.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 170883 bytes
Desc: image005.png
URL: <https://list.cals.arizona.edu/pipermail/plantsci/attachments/20160823/5f78d31a/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 1737 bytes
Desc: image001.jpg
URL: <https://list.cals.arizona.edu/pipermail/plantsci/attachments/20160823/5f78d31a/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Capture.png
Type: image/png
Size: 82268 bytes
Desc: Capture.png
URL: <https://list.cals.arizona.edu/pipermail/plantsci/attachments/20160823/5f78d31a/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 8-23-16 ransomware.png
Type: image/png
Size: 13821 bytes
Desc: 8-23-16 ransomware.png
URL: <https://list.cals.arizona.edu/pipermail/plantsci/attachments/20160823/5f78d31a/attachment-0002.png>