A widespread ransomware attack, using a variant of CryptoLocker, is impacting organizations globally, with reports as of today of encrypted files and ransom demands appearing on affected systems. While the specific initial vector remains under investigation, security analysts believe the malware is spreading through malicious email attachments.
The ransomware, identified as a recent iteration of CryptoLocker, encrypts personal files and demands payment, typically $300 or 300 euros, in digital currency or through prepaid cards in exchange for decryption. Victims are warned that failure to comply within a specified timeframe, often 72 to 100 hours, will result in permanent data loss. Reports indicate that even after payment, file recovery is not guaranteed.
The attack highlights the ongoing threat posed by ransomware to both individuals and organizations. According to security researchers, CryptoLocker exploits vulnerabilities in systems to gain access and deploy the encryption software. Once active, the malware connects to an external server, which holds the decryption key, effectively holding the data hostage.
Microsoft provides Remote Server Administration Tools (RSAT), which allow IT administrators to remotely manage Windows Server features. However, RSAT is not available on Home or Standard editions of Windows, and requires a full release of the operating system to function correctly. The company cautions against attempts to bypass these restrictions, stating that such actions violate the Windows end-user license agreement.
Active Directory domain controllers are also potential targets, and administrators are advised to regularly check their health and replication status. Tools such as Dcdiag and Repadmin can be used to identify and address potential vulnerabilities. Dcdiag, for example, runs tests that verify connectivity, the advertising of roles and services, and replication status between domain controllers.
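The following PowerShell script is an added example, not code from the article or from Microsoft, showing how the two tools named above can be driven from a management workstation to produce a quick health summary of every domain controller in the current domain. It assumes RSAT (and with it the ActiveDirectory module) is installed and that the account running it has read access to the domain; the three Dcdiag tests it selects are the ones the article mentions.

```powershell
# Added example: read-only health sweep of all domain controllers with Dcdiag and Repadmin.
# Assumes RSAT / the ActiveDirectory module is installed and the caller can read the domain.
#Requires -Modules ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Dcdiag: /s targets one DC, /q prints only failures, /test: restricts the run to the
# connectivity, advertising and replication checks described above.
$dcdiagReport = foreach ($dc in $dcs) {
    $output = dcdiag /s:$dc /q /test:Connectivity /test:Advertising /test:Replications 2>&1
    $failed = $output |
        Where-Object { $_ -match 'failed test' } |
        ForEach-Object { ($_ -replace '.*failed test\s+', '').Trim() }
    [pscustomobject]@{
        DomainController = $dc
        FailedTests      = if ($failed) { $failed -join ', ' } else { 'none' }
    }
}
"Dcdiag summary:"
$dcdiagReport | Format-Table -AutoSize

# Repadmin: /showrepl * /csv lists every inbound replication link in the forest as CSV.
# A link with "Number of Failures" above zero has not replicated cleanly from its partner.
$links  = repadmin /showrepl * /csv | ConvertFrom-Csv
$broken = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($broken) {
    "Replication links with failures:"
    $broken |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    "All replication links report zero failures."
}
```

Run it on a schedule and keep the output: a DC that suddenly stops advertising or a replication link whose failure count starts climbing is an early, cheap signal that a controller is unhealthy or has been tampered with, and it is far easier to investigate before ransomware on a member server turns into a domain-wide incident.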
Currently, there is no official response from the White House or any major government cybersecurity agency regarding the scope or origin of the attack. Microsoft has not issued a public statement beyond its standard guidance on ransomware prevention and mitigation. The FBI has not yet commented on whether it is investigating the incident.
The Microsoft 365 admin center provides a download portal for volume licensing products, allowing organizations to obtain necessary security updates and tools. However, the availability of these resources does not guarantee protection against sophisticated ransomware attacks like the current CryptoLocker variant.