This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
CRYPTOLOCKER PROTECTION ON TERMINAL SERVERS
Dangerous new virus
This is a follow-up to our earlier document warning about CryptoLocker. The virus also affects Terminal Server environments, so the group policy that helps block its spread needs to be set up slightly differently there.
Figure 1 - Encryption warning on screen
Actions to take on Terminal Servers
Even on a Terminal Server your clients are at risk from CryptoLocker or other encryption malware that attacks the user profile
There is currently an ongoing situation where users may encounter an error when trying to open Office documents. The error can happen opening any Office file type, not just Excel files. For Excel file types, the error says: "Excel cannot open the file [filename] because the file format or file extension is not valid. Verify that the file has not been corrupted and that the file extension matches the format of the file."
For Microsoft Word, the error may read differently: "The file cannot be opened because there are problems with the contents" or "The file [FileName] cannot be opened because there is a problem with the contents".
We have confirmed that this can also affect PowerPoint files, AutoCAD files and JPEG images.
This problem has been confirmed to be caused by malware on the affected machine. There are now two known variants of malware which cause this problem: Win32/Crilock.A and Win32/Buma!rts. They have both been identified as a new family of ransomware.
In order to clean your machine, run Microsoft Safety Scanner (http://www.microsoft.com/security/scanner/en-us/default.aspx). If infected, Safety Scanner should clean the virus from the system; however, it will not repair corrupted files. You will still need to restore those from a backup. A detailed analysis of affected files submitted to Microsoft for investigation has revealed that the files are encrypted with a private and public key. The files cannot be recovered without the private key, which is more than likely held by the attacker. The premise of ransomware is that if a person pays the ransom, the key is provided to "unlock" the files.
Other resources:
Microsoft Word Support Blog: http://blogs.technet.com/b/wordonenotesupport/archive/2013/09/09/quot-cannot-open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx
Microsoft PowerPoint Support Blog: http://blogs.technet.com/b/bgp/archive/2013/09/09/3595491.aspx