BleepingComputer also learned that the attackers encrypted the computers of remote workers who were logged into the company's VPN during the incident.

"We have notified the FBI of this incident and are actively cooperating with them as they conduct their investigation of the incident."

In this menu, you can choose to back up the Desktop and all of the files on it, and the Documents and Pictures folders, again with all of the files in them. For more information on safely handling email attachments, read the referenced guidance. Follow safe practices when browsing the web.

Figure 12 graphs the total number of ransoms paid per day (in gray) along with the total value of those payments in U.S. dollars on the day they were received (in blue).

Open File Explorer and navigate to the location of the folder or file you want to back up.
YARA rule for Phoenix CryptoLocker as given on this page. The "pe" module import is required by the pe.imphash() condition; the Rich-header hash comparison that the inline comment refers to is not reproduced here.

    import "pe"
    import "hash"

    rule Mal_Ransom_Phoenix_Cryptolocker
    {
        meta:
            description = "Phoenix Cryptolocker Ransomware"

        strings:
            $f1 = {BA 03 00 00 00 B9 01 00 00 00 E8 1A 00 00 00 48 8B 0D 83 2D 1D 00 E8 C6 00 00 00}
            $f2 = "SATURDAY CITY LIMITED1" ascii

        condition:
            pe.imphash() == "5d2ddf9bb9051294e17ea7cb876c77e2" and
            // Must have the below Rich sig hash
            // (the Rich-header hash comparison itself is not reproduced on this page)
            all of ($f*)
    }
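The rule above keys on pe.imphash(). As an added example, not code from the rule's author or from this page, the following Python reproduces the normalization that imphash applies to a PE import table before hashing, so the 32-hex-character value in the rule is understandable as "MD5 of lowercased module.function tokens in import order". The import table it hashes is constructed for illustration and is not from a Phoenix sample; the ordinal-to-name lookup tables that the reference implementation uses for ws2_32/wsock32/oleaut32 are omitted, as the code states.

```python
"""Import-hash (imphash) computation over a constructed import table.

Added example: not code from the page or from the YARA rule's author. It
reproduces the normalization YARA's pe.imphash() applies before hashing.
The import table below is constructed for illustration only.
"""
import hashlib

# Extensions imphash strips from the module name; any other suffix is kept.
STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalize_import(module: str, symbol) -> str:
    """Return the 'module.symbol' token imphash uses for one imported function.

    module: DLL name as it appears in the import directory (any case).
    symbol: function name (str) or an ordinal (int) for ordinal-only imports.
    Assumption/limitation: ordinal imports from ws2_32, wsock32 and oleaut32
    are normally mapped to well-known names via lookup tables; those tables
    are omitted here and the generic 'ordN' form is used, so binaries that
    import by ordinal from those modules will not match the reference value.
    """
    mod = module.lower()
    for ext in STRIPPED_EXTENSIONS:
        if mod.endswith(ext):
            mod = mod[: -len(ext)]
            break
    sym = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
    return f"{mod}.{sym}"


def imphash_input(imports) -> str:
    """Comma-joined, order-preserving token string that is fed to MD5."""
    return ",".join(normalize_import(m, s) for m, s in imports)


def imphash(imports) -> str:
    """MD5 of the normalized import list, as a lowercase hex string."""
    return hashlib.md5(imphash_input(imports).encode()).hexdigest()


# Constructed import table: (module, symbol) pairs in import-directory order.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "GetLogicalDrives"),
    ("KERNEL32.dll", "GetDriveTypeW"),
    ("ADVAPI32.dll", "RegSetValueExW"),
    ("ADVAPI32.dll", "CryptEncrypt"),
    ("WS2_32.dll", 23),  # ordinal-only import, rendered as ws2_32.ord23 here
]

# The value the YARA rule checks; matching it requires the real import table.
RULE_IMPHASH = "5d2ddf9bb9051294e17ea7cb876c77e2"


def matches_rule(imports) -> bool:
    """True when the computed imphash equals the value the YARA rule checks."""
    return imphash(imports) == RULE_IMPHASH


if __name__ == "__main__":
    print(imphash_input(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS), "matches rule:", matches_rule(SAMPLE_IMPORTS))
```

Because the hash covers the import order as well as the names, a rebuild with a different linker layout changes the value while a repacked copy of the same binary does not; that is why imphash is a useful pivot across samples of one family and a weak one across toolchains.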
Reevaluate permissions on shared network drives to prevent unprivileged users from modifying files.

Figure 11. The Phoenix CryptoLocker ransomware family hit the threat landscape in Q1 2021.

"We are pleased that in a short time since the ransomware event, we are now operating in a fully restored state."

Thus, paying usually gives no positive result, and victims are scammed. The threat actors have also used static C2 servers embedded inside the malware.

Figure 1.
CTU researchers suspect that a significant portion of Bitcoin payments are being made by individuals outside of the U.S., where MoneyPak is not available and Bitcoin is the only option.

"The investigation revealed that the threat actor accessed certain CNA systems at various times from March 5, 2021 to March 21, 2021," CNA said in breach notification letters mailed to affected customers today.

North America has become the world's biggest ransomware target as DeFi and crypto use expands, study shows (Isabelle Lee, 2021-10-14).

Files and links that are irrelevant, or that arrive from suspicious or unrecognized email addresses, should never be opened. Note that some free space on your storage drive is necessary to restore data. Proper file management and regular backups are essential for data security. Now, when you add a file or folder to the Desktop, Documents or Pictures folders, it will be automatically backed up to OneDrive.

Payment activation screen.

Work with an IT company that deploys a thoroughly vetted, multi-layered security approach.

Symptoms: you cannot open files stored on your computer, and previously functional files now have a different extension (for example, my.docx.locked). Written by Tomas Meskauskas on October 23, 2022 (updated).

Over 75,000 individuals affected. Users who are infected with the malware should consult a reputable security expert to assist in removing it. The insurance provider added that, while investigating the incident, it did not find any evidence of stolen policyholder information surfacing, being exchanged, or being offered for sale on the dark web or hacking forums.

Partition management: we recommend storing data in multiple partitions and avoiding storing important files within the partition that contains the operating system.
It is designed to encrypt data and demand ransoms for decryption tools. Asymmetric encryption uses a key pair: the public key can be known to anyone, including the malware on the victim's machine, but only the holder of the matching private key can decrypt what was encrypted with it, which is why nothing recoverable is left on the infected host.

Update: Added info provided by CNA spokesperson on additional data exposed in the incident.

The threat actors could be strategically using this pattern to remain a moving target, or some ISPs could be terminating their service. In addition, the recovery feature is completely free. This file also correlates to the same SHA256 as the initial binary.

Backups to locally connected, network-attached, or cloud-synced storage are not sufficient on their own, because CryptoLocker encrypts files on any drive that is mapped or mounted while it runs in the same manner as those found on the system drive.

During this payment validation phase, the malware connects to the C2 server every fifteen minutes to determine whether the payment has been accepted. Table 5.

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. As of this publication, this IP address is no longer active, and CryptoLocker samples released since mid-September no longer reference it. (databases, backups, large Excel sheets, etc.)

Evidence collected by CTU researchers confirms the threat actors have previous experience in malware development and distribution, especially of ransomware.

CNA confirmed that the sophisticated cyberattack had caused a network disruption and impacted certain systems, including corporate email, last weekend.

After connecting to an attacker-controlled C2 server, CryptoLocker sends a phone-home message encrypted with an RSA public key embedded within the malware (see Figure 2).

The cashier will collect your cash and load it onto the MoneyPak.
By providing information to law enforcement agencies, you will help track cybercrime and potentially assist in the prosecution of the attackers. You pull up a seat to access one of them, only to find that after turning on your computer, all of .

Therefore, the only solution is to restore everything from a backup. If you're reading this and have not yet experienced a CryptoLocker event, start here. Then, navigate to OneDrive, right-click anywhere in the window and click Paste.

CryptoLocker cycles indefinitely until it connects to a C2 server via HTTP.

Evil Corp impersonates Payload Bin hacking group. After breaching the Metropolitan Police Department in Washington, DC, and

The easiest way to disconnect a computer from the internet is to unplug the Ethernet cable; however, some devices are connected via a wireless network, and for some users (especially those who are not particularly tech-savvy) disconnecting cables may seem troublesome.

Insurance giant CNA reports data breach after ransomware attack.

As a form of bookkeeping, the malware stores the location of every encrypted file in the Files subkey of the HKCU\SOFTWARE\CryptoLocker (or CryptoLocker_0388) registry key (see Figure 3). In most cases, cybercriminals keep the decryption keys on a remote server rather than on the infected machine. Alternatively, you can just drag and drop a file into OneDrive.
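The Files subkey described above gives a responder a ready inventory of what was encrypted, which is what scopes the restore from backup. The following Python is an added example, not code from the page or from any of the articles it draws on: it parses an exported copy of the key (regedit "Registry Editor Version 5.00" text) offline and lists the recorded paths, grouped by drive and extension. It assumes that each value name under Files is the encrypted file's path and that the path separator was stored as '?', which it undoes; the export it parses is constructed for illustration.

```python
"""Triage of CryptoLocker's registry bookkeeping from an exported .reg file.

Added example, not code from the page or the articles it draws on. Reads a
registry export offline and lists the files recorded under the Files subkey
of HKCU\\SOFTWARE\\CryptoLocker (or CryptoLocker_0388).
Assumptions: the value name is the encrypted file's path, and '?' was used
in place of the backslash separator. The export below is constructed.
"""
import re
from collections import Counter

KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\SOFTWARE\\CryptoLocker(?:_0388)?\\Files\]$", re.IGNORECASE
)
# Value line: "name"=type:data ; the name may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')

# Constructed export, not taken from a real infection.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\CryptoLocker]
"VersionInfo"=hex:00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\CryptoLocker\Files]
"C:?Users?alice?Documents?budget.xlsx"=dword:00000000
"C:?Users?alice?Pictures?family.jpg"=dword:00000000
"Z:?shared?contracts?msa.docx"=dword:00000000
"C:?Users?alice?Documents?notes.txt"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows]
"Unrelated"=dword:00000001
'''


def _unescape(name: str) -> str:
    """Undo .reg escaping: a backslash escapes the following character."""
    return re.sub(r"\\(.)", r"\1", name)


def encrypted_files(reg_text: str) -> list:
    """Return the paths recorded under the CryptoLocker Files subkey."""
    paths = []
    in_files_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new key header: track whether we are inside the Files subkey.
            in_files_key = bool(KEY_RE.match(line))
            continue
        if not in_files_key:
            continue
        m = VALUE_RE.match(line)
        if m:
            # Assumption: '?' stands in for the path separator in the stored name.
            paths.append(_unescape(m.group(1)).replace("?", "\\"))
    return paths


def summarize(paths) -> dict:
    """Per-drive and per-extension counts, to scope recovery from backups."""
    drives = Counter(p[:2].upper() for p in paths if len(p) >= 2 and p[1] == ":")
    names = [p.rsplit("\\", 1)[-1] for p in paths]
    exts = Counter(n.rsplit(".", 1)[-1].lower() for n in names if "." in n)
    return {"total": len(paths), "drives": dict(drives), "extensions": dict(exts)}


def load_reg(path: str) -> list:
    """Read a real export (regedit writes UTF-16 LE with a BOM) and list files."""
    with open(path, encoding="utf-16") as fh:
        return encrypted_files(fh.read())


if __name__ == "__main__":
    files = encrypted_files(SAMPLE_REG)
    for p in files:
        print(p)
    print(summarize(files))
```

On a live Windows host the same listing can be taken with the winreg module or `reg export HKCU\SOFTWARE\CryptoLocker files.reg` and fed to load_reg(); collect it before any cleanup tool removes the key, since the malware itself leaves no other manifest.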
CTU researchers have attempted to remove IP addresses and domain names operated by security vendors and private researchers, but some non-malicious infrastructure may be included.

I have been working as an author and editor for pcrisk.com since 2010.

Backups should be stored on a remote server (e.g., cloud storage) or on a storage device that is kept unplugged when not in use.

Sources familiar with the attack told BleepingComputer that the Phoenix CryptoLocker encrypted more than 15,000 systems after deploying ransomware payloads on CNA's network on March 21.

CryptoLocker ransomware is a type of malware that encrypts files on Windows computers, then demands a ransom payment in exchange for the decryption key. Victims who submit payments are presented with the payment activation screen shown in Figure 9 until the threat actors validate the payment.

Phoenix is a new malware that.

Ransomware infections are often named by the extensions they append (see files encrypted by Qewe ransomware below). During the encryption process, files are appended with the ".ecc" extension.

Copyright @ 2003 - 2023 Bleeping Computer LLC - All Rights Reserved

As of this publication, there is no evidence the actors are targeting specific industries. If they elected to hold these ransoms, they would be worth nearly $980,000 as of this publication based on the current weighted price of $804/BTC.
CTU researchers began actively monitoring the CryptoLocker botnet on September 18, 2013 and analyzed various data sources, including DNS requests, sinkhole data, and client telemetry, to build the approximate daily infection rates shown in Figure 13.

To put it into simpler terms, picture this: you have hundreds of family photos and important financial documents stored on your computer.

The malware apparently encrypted data on over 15,000 machines on CNA's company network, E Hacking News reported.

Indicators for the CryptoLocker malware.

Copyright 2007-2023 PCrisk.com.

CTU researchers are unsure whether this change is an anomaly or represents a change in the threat actors' strategy. CryptoLocker changes this dynamic by aggressively encrypting files on the victim's system and returning control of the files to the victim only after the ransom is paid.

Spam email containing the Upatre downloader.

As of this time, the primary means of infection appears to be phishing emails containing malicious attachments. The encryption used by most ransomware is built from standard, well-studied algorithms; when it is implemented correctly, only the party holding the private key (the developer) can restore the data. CryptoLocker was the first ransomware to encrypt data with a different symmetric key for each file.
Several days later, another sample was hard-coded to connect to ovenbdjnihhdlb[.]com before cycling through the domains created by the DGA. In mid-September 2013, the SecureWorks Counter Threat Unit (CTU) research team observed a new ransomware malware family called CryptoLocker.

Splashscreen presented to victims.

Consider aggressively blocking known indicators (see Table 6) from communicating with your network to temporarily neuter the malware until it can be discovered and removed.

CNA Financial Corporation, a leading US-based insurance company, is notifying customers of a data breach following a Phoenix CryptoLocker ransomware attack that hit its systems in March. "On March 21, 2021, as previously shared, we detected the ransomware and took immediate action by proactively disconnecting our systems from our network to contain the threat and prevent additional systems from being affected," CNA said in an update published on Wednesday. A new version of the Phoenix CryptoLocker malware was used by the CNA attackers, who are believed to be tied to the Russia-based Evil Corp cybercrime syndicate.

This tool supports over a thousand data types (graphics, video, audio, documents, etc.).

Infected email attachments (macros), torrent websites, malicious ads. ".phoenix" (also adds the victim's unique ID and a contact email). Where should I look for free decryption tools for Phoenix-Phobos ransomware?

A screenshot of the Paysafecard dialog was not immediately available for this publication, but the description states: Paysafecard is an electronic payment method for predominantly online shopping and is based on a pre-pay system.
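The fifteen-minute check-in while awaiting payment validation, the hard-coded and DGA-generated C2 domains, and the advice to block known indicators all translate into checks that can be run over proxy or DNS logs. The following Python is an added example, not code from SecureWorks or from this page: it flags (1) a client that re-contacts one destination at a near-constant interval, (2) destinations whose hostnames look machine-generated, and (3) hits on a known-indicator list, over constructed log lines. The log format, client addresses, thresholds, and every hostname except ovenbdjnihhdlb.com (which the page itself names) are assumptions.

```python
"""Spotting CryptoLocker-style C2 behaviour in constructed web-proxy logs.

Added example, not code from the page or from SecureWorks. Three heuristics
that follow from the behaviour described in the text: periodic re-contact of
one destination (the malware polls its C2 about every fifteen minutes while
awaiting payment validation), DGA-looking hostnames, and matches against a
list of known indicators. Log format, hosts (other than ovenbdjnihhdlb.com,
which the page names) and thresholds are assumptions made for this example.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed lines: "<ISO timestamp> <client-ip> <host> <status>"
SAMPLE_LOG = """\
2013-10-08T09:00:02 10.0.0.15 ovenbdjnihhdlb.com 200
2013-10-08T09:00:09 10.0.0.15 www.microsoft.com 200
2013-10-08T09:15:01 10.0.0.15 ovenbdjnihhdlb.com 200
2013-10-08T09:21:40 10.0.0.15 secure.bankofexample.com 200
2013-10-08T09:30:03 10.0.0.15 ovenbdjnihhdlb.com 200
2013-10-08T09:45:02 10.0.0.15 ovenbdjnihhdlb.com 200
2013-10-08T10:00:04 10.0.0.15 ovenbdjnihhdlb.com 200
2013-10-08T09:02:11 10.0.0.22 www.microsoft.com 200
2013-10-08T09:40:55 10.0.0.22 www.microsoft.com 200
2013-10-08T11:10:19 10.0.0.22 www.microsoft.com 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def beacon_candidates(events, min_hits=4, max_jitter=0.10):
    """Return {(client, host): median_gap_seconds} for periodic contacts.

    A pair qualifies when it has at least min_hits requests and every gap
    between consecutive requests lies within max_jitter of the median gap.
    Human browsing rarely produces that regularity; a polling loop does.
    """
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)
    result = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if median > 0 and all(abs(g - median) <= max_jitter * median for g in gaps):
            result[pair] = median
    return result


def dga_score(host):
    """Heuristic 0..1: longer, high-entropy, vowel-poor first labels score higher."""
    label = host.lower().split(".")[0]
    if label.startswith("www") or len(label) < 6:
        return 0.0
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    vowel_ratio = sum(label.count(v) for v in "aeiou") / n
    # Random labels sit near 3.5+ bits/char with few vowels; dictionary words do not.
    score = min(entropy / 4.0, 1.0) * 0.6 + (1.0 - min(vowel_ratio / 0.4, 1.0)) * 0.4
    return round(score, 2)


def flag_c2(text, known_indicators=frozenset(), dga_threshold=0.6):
    """Combine the three checks into {(client, host): [reasons]} for an analyst."""
    events = list(parse_log(text))
    reasons = defaultdict(list)
    for pair, gap in beacon_candidates(events).items():
        reasons[pair].append(f"periodic every ~{gap:.0f}s")
    for pair in {(client, host) for _, client, host in events}:
        host = pair[1]
        if dga_score(host) >= dga_threshold:
            reasons[pair].append("DGA-like hostname")
        if host.lower() in known_indicators:
            reasons[pair].append("known indicator")
    return {pair: r for pair, r in reasons.items() if r}


if __name__ == "__main__":
    for (client, host), why in flag_c2(SAMPLE_LOG, {"ovenbdjnihhdlb.com"}).items():
        print(client, host, "; ".join(why))
```

The periodicity check is the durable one: a blocklist ages as the actors rotate infrastructure (the page notes samples moving between hard-coded hosts and DGA output), and an entropy heuristic will miss DGAs built from dictionary words, but a fixed polling interval is a property of the malware's own code.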
2023 BlackBerry Limited.

The threat actors used Phoenix in an attack on insurance firm CNA.

He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Third-party downloaders and installers often bundle rogue apps, so these tools should never be used. Be very careful when opening email attachments.
The ransom amount varied in very early samples (see Table 3), but settled at $300 USD or 2 BTC within a few weeks of CryptoLocker's introduction. These emails contain malicious attachments that encrypt local system files as well as .

The website BleepingComputer has learned that it also encrypted the computers of employees working remotely who were logged into the company's VPN at the time of the attack.

This communication provides the malware with the threat actors' RSA public key, which is used throughout the encryption process.

However, breaching an insurance provider's network and stealing customers' policy information could be an even more lucrative way to increase the effectiveness of their attacks.

Ransomware prevents victims from using their computer normally (e.g., by locking the screen) and uses social engineering to convince victims that failing to follow the malware authors' instructions will lead to real-world consequences. Only those two types of drives are selected for file encryption in early samples.

Insurance giant CNA fully restores systems after ransomware attack.

In addition to the disruption operation against Gameover Zeus, the Justice Department led a separate multi-national action to disrupt the malware known as Cryptolocker (sometimes written as "CryptoLocker"), which began appearing about September 2013 and is also a highly sophisticated malware that uses cryptographic key pairs to encrypt the .
The description of Bitcoin shown in Figure 7 is copied almost verbatim from several online resources: Bitcoin is a cryptocurrency where the creation and transfer of bitcoins is based on an open-source cryptographic protocol that is independent of any central authority.

The following describes the level of impact along with the likelihood of risk this threat currently presents. Phoenix CryptoLocker comes with several built-in mechanisms designed to help it appear to be a legitimate utility and trick an unwitting user into executing it.

Criminals are notorious for ignoring victims after payments are submitted.

Alpha Crypt ransomware: Alpha Crypt is another copycat of the original CryptoLocker ransomware.

Using paysafecard is comparable to paying with cash in a shop, and it is currently available in over 30 countries.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.

These apps stealthily infiltrate computers and install additional malware.

Once encryption is completed, the malware deletes all traces of itself, such as its binaries and the folder it created, leaving the user with only their encrypted files and instructions on how to pay to have them decrypted. Wait for Recuva to complete the scan. In addition, Phoenix-Phobos places the "info.hta" (which is also opened) and "info.txt" files on the desktop.

"Importantly, CNA has been conducting dark web scans and searches for CNA-related information and at this time, we do not have any evidence that data related to this attack is being shared or misused."

CryptoLocker fooled targets into downloading malicious attachments sent via email. CryptoLocker does not encrypt files until it has successfully contacted an active C2 server.
Another way to identify a ransomware infection is to check the file extension, which is appended to each encrypted file. Therefore, users end up infecting their computers rather than gaining access to paid features.

Malware (ransomware included) is primarily distributed through spam emails and messages, drive-by downloads, online scams, untrustworthy download channels (e.g., freeware and third-party websites, peer-to-peer sharing networks, etc.), illegal software activation ("cracking") tools, and fake updates.

Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States, either by a version of CryptoLocker that has not been analyzed as of this publication or by a custom downloader created by the same authors. Table 4. Since that time, new samples frequently contain static addresses taken from the pool of domain names created by the DGA.

He discusses identifying Bitcoin addresses controlled by the CryptoLocker threat actors and tracing potential ransom payments made to those addresses.

Encrypted files can only be recovered by obtaining the RSA private key held exclusively by the threat actors. This method is, however, quite inefficient, since backups and updates need to be made regularly.

The malware begins the encryption process by using the GetLogicalDrives() API call to enumerate the disks on the system that have been assigned a drive letter (e.g., C:). The variety of payment options and currency choices in early CryptoLocker versions suggests the threat actors originally anticipated a global infection pattern.

OneDrive keeps the files in sync, so the version of the file on the computer is the same as the version in the cloud.
Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems.

Screenshot of Phoenix-Phobos ransomware's pop-up window ("info.hta"): All your files have been encrypted due to a security problem with your PC.

Therefore, always check for available decryption tools for any ransomware that infiltrates your computer.

The attack utilized a trojan that targeted computers running Microsoft Windows, [1] and was believed to have first been posted to the Internet on 5 September 2013.

Restoring data without the key is impossible. ), restoring data with certain third-party tools might be possible.

SHA256 file hashes:

a2bc3059283d7cc7bc574ce32cb6b8bfd27e02ac3810a21bd3a9b84c17f18a72
0be1f445537f124b5175e1f2d1da87e2e57aa4ba09ea5fe72b7bafaf0b8f9ad2
136e8991816b958bb76aaf22fefd18194cf78a80e95d572754f95e1f86149a65
724799e37d6b47dc099caea7aabb0c1246a5041537d425601639d551e42bd425
39fd73f1d19201497233bbb320c1d7a63e33748c94d94653c3b5e64c0ef6b8b0
9ec4697891cc6c9add803044a29bdd9d05701509b9eddc370d4caf00c15ef734
0dd7f3dffe8c6e69df6137cb413ad25c474d73a86f1d46d52846990aa66e6f43
c5fdc30a67fbba53b710e6ff8d8e38ed4fb5e44eeced2efc370f906710602840
d4adf29d2b50945896734bafb66ada120b53f5dd98f1a8ad3d30dcf69a98325e
3df9806a5cc986619f96755151cdbc23e1943280c1874c58b2758da2d7be6e64
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
31327f225492ee58d7b47889e619d36cd380a908c1761fe376a185877f813894
b264f35ff932fc5a100f7c2b4bd4888fe61db9878ef149279c3ad4bef2bdd8ed
d73d6964d2b1e3e466436fb981b6658d8e1fb5d0ddc43e7f24365cad2339842d
e0702fdeef58461133ef70efa25d258b1eaa089b26d57485106d0fea671e3afb
bb12757c6a14207d8a9cd4d42ff93747795f8a09186752b1c94b5b373abbaf11
e38edbea38a47560bff7f48e23ba9eb7c872e180f16abb3482c021cac3cbfaed
8bfe5d3d7e089cecb0238da7ae7d456702508003a91a417e5069b86592bc03e8
f2181881d6ab133323dba5fecbf0cc4236f794ed1261406712b13307e98b90a1
cb7ce90b9de59004b2177e7a912c324ef4cec0262e181c83fff866113356e607
4f3220da017e7be3e0b168a958134aae6dc96458cb12118e849465e2af752629
cc4350d0919d192bdad9ae262fc524d9d230b11dfc8d3c5886147caa0fdda465
2163570f047cefc466c0ca370e56b6fbb770c4f71603b2353c1b6fd8e482ced8
651f451aaf9a9694884322d91a225294af145006219c346d1a9b50a2d92db6d9
826fb87209f4538ff9a0d11c8a21d6df738956ab7ba8d6965cb8f46021013ae4
876511719fda2fab0438ad29f9cc2f8fd684c1897a88d433f7e9c3f2e85eac0b
58def7649806f63ce1dbd9d886ce200716209240b90b57dccf3941012c438784
76487462acfa06bc90bda7d72bee7f88ea2e70d838a50d9012362958ad93f02a
931708bffa6eed76585c166a080ea6b544f32951cb5dbc2d2065088ee9ebad95
b3530b7519660996d28eb31a8d5b585ec60601843c77dd9f2b712812c99843e4
21c7a8f2ffdd80834fb9b82df5c02748ca08c48583b903d584c124b916d17a37
ed95b1a888710f3ca4acacb49250fb6c21722e2882e31784bd2049d15f97d4de
2f89ebdcc33bc0ec253e9d1bb9a5b252cc8dc0e90b78d7c464a487dab3b387a6
7925550392f06655abbc9ed66fa37e1754bf6612439cc7a6332db28fd8878b42
f26bc4c0e23430c444214bd32e5ae0dacee93c4409fa574e91f4204e691c5799
6af16a07d19bcb99eed8b440d7a110ee1bad1dd95eaeda2302c423ab9a5a146c
433717fd1916ba3ae569d9334c400ac8740fe7870e05bf57d2b05fd4023b2451
003c64fa11ea18a00c3e0bf2adf1a2b80287fb072d1f8108d1d55cbda17e60cb
b2e6ba8776232da078e4d7648525b5dc97e70744ffbcae871048306f7fe9aba1
c37dd01eaac834a0f2618e54e3f67b03484b3e36d491011334f3646b66fe0e56
36ec7a5bcdd2685af78cdef08687584192545348355a6510132644541f4c4749
2ff9b57a16c7da6699be588b6239296576b6b5805db7a27e5f2dec243e0da75b
684051fd30d38f3d03c65e80087183ea1cbe1fc8f5dc03ebf7269498e9bffb98
44f62555fdfd1067de4ef55a8deb916e24832a80a28b91ba59b0aad527b565a4
9f6443788563472c0280ad5b16ae7c1a918f1f2ce6e44d4d1a09a87a1f3412a8
248e0103a5027800d92d517d4d6721c4b6dc0b533ee22f8452c79d5f48128fdc
1dec40385522800dfed483b645da71c1ee3afbbdec27e567662972d59c5cbf25
201131fb20d85b71765e5634821a2b35303643212c36023843485c56f47ac400
cc4c212dcfe4bf82e60eaa0d220444f0f6dbf22c5f7a79be83fe28f2f00b89b5
2bff9d483420df2f41c7eba232c6d90853df6acfe9f9b163af5d3495ea082229
d4062e34b2ebd654b3dca215ec740c6f1a305ea567f6d65ddee58f540ec5beea
530fe2e0f839c4b601627a1100e38708ff95a69d8382b11cefce45149c30ddef
59f0e747d6241c1013526c7e76ecd95ab2a22aaced595cd65c5ef3955a63bf92
3e42ded1cd2447b921b41afa53f36bf645a21193ed24e3adeaef1a7217210545
ab097e8b19ec166a2ff65d10ab06a8d572216cee2b0c44ebe183a8cb60b2bae7
b1ea7524a80b9740df7e51c1010ba1a04f11c15d6392f5054dc40c8952290474
602da3639eeb39cdbc657aa5e75eba74735314e8a54727697abcd3884c8b6d8c
c820fc37abaf946804b09033f51216a28cdefe17020722d2fc2f1f74b4963ef5
683b7b2abf9dc1e9fdf04e33570f5d8bfbb465dac613570200c2ec92201cc85d
04d2326212724fdfa41c8e7ee64e32b60ba5e058e54d3fa0cf756b1378e948b9
9f8db7e1320389297c451ca762edc8b8c990cab86f1c976b63e8312408e2a554
821bb1dcc6c7c529f3865f7c3e3b45ef058e32723d8300adea743d39864b3d9c
c7dc529d8aae76b4e797e4e9e3ea7cd69669e6c3bb3f94d80f1974d1b9f69378
b24ea7ef47994c2ee340e1bc971eaa9e1992f0d2aaece99f3a9381655509047b
23c41bbb1055ba7b15dcb1d1ba9bf426ef73f57641b47865c656b9338181e67b
4287592dc66083613b642bd04b1c8c49df56edc7691d79de0bca645d3af0d5c3
7ff292c689c421394483c7bc4c0b6620b8cedd4fd70f8f8ef1f4fa334d418be8
b4c05e0e065058ae79d3ce9d51a470946aae036d2b163f85adcef10a6343246a
e4febefe210e39c3570ac71e41b66557c257713d386acd7898af195a1bacf83d
77ea107525233afa3f43b8695b39bfc41919f026ab3526bb3b9841737bbb20c7
038d31670f03d386e6f3affe331bf76cb894d695b0f9012d828db9413c223a07
4da7781d443ffde85e0aaf3d6e8effb6fc8cdffeead56b5ba3183472c40bf6ff
CryptoLocker encrypts various file types (.doc, .xls, .ppt, .eps, .ai, .jpg, .srw, .cer) found on the compromised machine.

The price depends on how fast you write to us.

Insurance giant CNA has suffered a ransomware attack using a new variant called Phoenix CryptoLocker that is possibly linked to the Evil Corp hacking group.