Government: virus outbreak under control

The government states that the Dorifel virus outbreak is under control. No new reports have been received since this morning. Recovery work is still under way at some organisations.

Thirty organisations have now been affected by the virus, but the outbreak is under control, according to the National Cyber Security Centre (NCSC). Which organisations are currently still working on 'cleaning' systems and files is unclear. A spokeswoman for the NCSC does not say which organisations are infected. According to the NCSC, ISPs are monitoring active infections. ISPs have also blocked the IP addresses that were used to fetch the malware, the NCSC claims. However, it is not clear which providers are blocking the IP addresses: several providers have not yet been approached.

It is now clear, however, that a large number of Dutch organisations are or were affected by an infection. In addition to the Ministry of Education, Culture and Science and a number of municipalities such as Tilburg, Den Bosch and Venlo, two provinces, two universities, an electricity grid operator and the RIVM have had the virus. XDocCrypt/Dorifel appears to cause damage mainly in the Netherlands, and especially in the public sector. It is unclear whether this is a targeted attack.

The virus encrypts Word and Excel documents on network shares and changes the file extension of the documents to '.scr', the Windows file extension for screen savers. The damage caused by XDocCrypt/Dorifel (there is still no uniform name for the virus) is relatively simple to repair, because the key used is the same in all cases. Surfright has released a tool that repairs the damage to the documents. Initially the virus was thought to be Sasfis.

According to an employee of Fox-IT, the operator of the trojan sent a new command to the botnet on Thursday, which caused a well-known banking trojan to be downloaded. It was an executable that, according to VirusTotal, was not recognised by forty well-known antivirus products.

An analysis by Kaspersky shows that ninety percent of the infections are in the Netherlands. According to Kaspersky, the virus spreads via e-mail. Earlier, the Dutch IT security company Fox-IT claimed that the virus was distributed via an existing botnet, which would mean that the affected organisations were already under the control of a botnet. A botnet consists of a large collection of hosts that are infected with malware and to which the botnet's operator can send commands. It is notable that Kaspersky states that the virus is still spreading, while the NCSC has observed no new infections. This may concern infections outside the Netherlands.