I recently came across a document, dated June 2014, with the reverse DNS names of CryptoLocker infected computers. I’ve detailed the most interesting ones below.
It is important to note it may not be company or establishment owned computers that were infected. A visitor or worker may have brought their own computer in and connected to the internet.
- A computer on the internet connection of the UK The International Transport Workers Federation
- A computer possibly in the legal department of Computer and Electronic Systems at a University in Scotland
- A computer likely at the offices of The East of England Broadband Network (E2BN) educational network supplier.
- A retirement home management company, a housing association in Birmingham and a housing association in Wales.
- A computer in the offices of a company who sells novelty fake newspapers.
- A computer on the network of a petrol / fuel card management company.
- A computer on the network of a major franking machine provider.
- A computer on the network of a large betting shop company based in the UK that manages shops based in europe
- A computer at the offices of a solicitors in Belfast
- A computer on a connection owned by Cleveland Fire Brigade
- A computer at a ford car dealership
- A computer on the connection of an oilfield servicing company with 18,000 employees.
- A computer on the network of Oxfam, the charity.
- A computer on the VPN of a company who deals with energy projects such as Teesside Power Station and gas processing plants.
- Computers on the connections of two very large and up-market hotels.. although these could easily be visitors on their wifi.
- A computer on the connection of a district council in Norfolk
- A computer on a connection belonging to a major law firm associated with the Insolvency Service
- Computers at connections belonging to various insurance companies, solicitors, estate agents, accountants and IT support companies
- A computer on the broadband connection of a UK Rail infrastructure outsourced provider.
- A computer on the network of a financial advisor company who provide services to companies
- A computer at the Independent newspaper (Associated Press / dmg media)
- A computer on the network of Game, a UK computer games retailer
- A computer at Unilever (Products and foods manufacturer)
- A computer on a connection belonging to a Healthcare provider who “[holds] contracts with the leading NHS trusts and private hospitals”
- A computer on the VPN connection of GeoPost (brands= DPD and Interlink Express)
- Computers on several connections with nhs.uk hostnames
- Several computers in the admin ip range at Queen Mary University of London
I wonder how many of these companies had their data encrypted and how many either lost data or had to pay the ransom due to poor backup procedures.
If these kinds of companies and establishments can become infected by ransomware / encryption software… they could easily become infected with other stuff that ex-filtrates the information rather than just encrypting it.