In our continuing coverage of the “Locker”-style malware epidemic, which has only recently started to make its way to the States, we have found all kinds of people and organizations that have fallen prey to the tactics malware distributors rely on to trick unsuspecting officials into downloading the wrong files.
Now that most of the easy targets have started to dry up, hackers at the leading edge of the trend have begun using an evolution of the original CryptoLocker, dubbed Cryptowall, to attack public officials in a small town in southeastern New Hampshire.
Asked how his office could have been hit so easily, Durham Town Administrator Todd Selig chalked the mistaken download up to the open nature of the relationship between the town's staff and the public at large.
“We deal with all kinds of e-mail, much of it from our residents,” he said. “The residents all have different ‘handles’ (user names) and it could be anything to do with town business. The attachment could have been a picture of a pothole.”
Selig says an officer with the local police department opened the infected document from his work email around 10 p.m. last Thursday, and that by Friday morning half of the connected computers in the station were locked up, each demanding $500 to regain access to vital folders and files containing the information of hundreds of the town's residents.
Since authorities from several countries collaborated to take down many of the command-and-control (C&C) servers that kept CryptoLocker alive, hacking rings have been scrambling to update their operations with a newer variant that keeps the functionality they had come to expect, wrapped in a slightly less obvious package: one that can slip past the systems put in place to detect it and block it before it has a chance to set up shop and start demanding cash from its unsuspecting victims.
Cryptowall is the inevitable result of that scramble, equipped with additional evasion features that let it get past many of the most popular email services so that attachments carrying its payload are displayed and downloaded.
An analyst from Cisco Systems summed up the situation succinctly in a blog post shortly following the announcement out of New Hampshire.
“Until May 22, RIG appears to have been making use of both newly registered domains and compromised legitimate sites to both host its landing pages and serve its exploits, all from paths ending in ‘proxy.php,’” the Cisco blog post stated.
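The one concrete indicator in the Cisco statement is a URL path suffix, which is the kind of thing a network defender can turn into a quick proxy-log check. The script below is an added example, not code from the article or from Cisco; it assumes a simplified squid-style log format (epoch, client IP, method, URL, status), and every hostname, path and address in the sample lines is constructed for illustration.

```python
"""Flag proxy-log requests whose URL path ends in 'proxy.php'.

Added example (not from the article or Cisco): the only indicator taken from
the page is the 'proxy.php' path suffix the Cisco post attributes to RIG.
The log format, hostnames and paths below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed log lines in a simplified squid-style format:
# <epoch> <client_ip> <method> <url> <status>
SAMPLE_LOG = """\
1402000001 10.1.2.30 GET http://example-legit-news.test/index.html 200
1402000002 10.1.2.30 GET http://cdn.example-legit-news.test/assets/app.js 200
1402000003 10.1.2.31 GET http://newly-registered.test/abc123/proxy.php 200
1402000004 10.1.2.31 GET http://www.compromised-blog.test/wp-content/uploads/proxy.php?id=77 200
1402000005 10.1.2.32 GET http://intranet.test/tools/proxy.php.bak 404
1402000006 10.1.2.33 POST http://example-legit-news.test/login 302
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Path suffix quoted from the Cisco statement; compared case-insensitively.
SUSPICIOUS_SUFFIX = "proxy.php"


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious_url(url, suffix=SUSPICIOUS_SUFFIX):
    """True when the URL's path (query string ignored) ends with the suffix."""
    path = urlparse(url).path
    return path.lower().endswith(suffix)


def flag_requests(log_text):
    """Return (client, url, status) for each parsed request matching the indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the sweep
        if is_suspicious_url(rec["url"]):
            hits.append((rec["client"], rec["url"], int(rec["status"])))
    return hits


if __name__ == "__main__":
    for client, url, status in flag_requests(SAMPLE_LOG):
        print(f"{client} -> {url} ({status})")
```

Because the statement says RIG used both newly registered domains and compromised legitimate sites, a domain blocklist alone misses the second case; matching on the path catches both, at the cost of false positives on legitimate files that happen to be named proxy.php, so hits are leads for triage rather than grounds for an automatic block.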
Despite the setback, Selig was optimistic that his IT department would be able to contain and eliminate the threat within a few days at most.
“The functions affected are the police e-mail system and word processing, as well as spreadsheets, Excel, and other administrative tasks,” Selig said. “The crime records are not affected. We do back up all of our systems, so we will work to restore what may be lost.”