Used to be that ransomware only looked at hard drive C:, and then any other mapped drives like D:, E:, F: etc., but now a whole new malicious strain that has stolen the same look & feel of TorrentLocker called CryptoFortress was discovered yesterday by security researcher Kafeine. It would be a bit much to call this a new generation, but it certainly is a powerful new feature.
CryptoFortress is distributed by the Nuclear Pack exploit kit and includes the new and nasty feature of being able to encrypt files over network shares even if they are not mapped to a drive letter. Normally when ransomware encrypts your data it does so by retrieving a list of drive letters on a computer and then encrypting any data on them. There is a great post over at We Live Security that explains the differences between TorrentLocker and CryptoFortress.
Therefore any network shares on the same network would be safe as long as they were not mapped to a drive letter. Unfortunately this all changes with CryptoFortress as this ransomware will also attempt to enumerate all open network Server Message Block (SMB) shares and encrypt any that are found.
As you can see from the image below, CryptoFortress is successfully able to encrypt the file in an open share over SMB on a test network. This new ability changes the threat landscape for all server and network administrators and it is even more important than ever to properly secure your shared folders with strong permissions.
At the moment, it looks like the infection vector is Exploit Kits sitting on compromised websites, so that means patch workstations religiously, tighten up proxy and/or firewall rules, and possibly tell people to be careful out there (Maybe only Facebook?) if they surf the web on company workstations. TrendMicro has a good analysis of this new strain and also appears to have instructions for how to restore your files.
The full post with more detail is over at the BleepingComputer forum. More news to follow about this later I'm sure.
The best way to protect yourself is through high quality end user security awareness training.
For more information click below to download our Security Awareness Training Effectiveness Report.