
CryptoLocker Ransomware


Corrine


To put it simply, CryptoLocker encrypts the files on the computer and holds them for ransom. There is only one private key available to unencrypt the public key and it is stored on a secret server with a time bomb set to destroy the key if the ransom isn't paid by the deadline. Depending on the version, the ransom is $100 to $300 with a deadline for payment of between ~72 to 100 hours.

 

Additional information and references are available in my blog post, CryptoLocker Ransomware.


V.T. Eric Layton

Gee, if I had the lack of morals and criminal tendencies to do this stuff, I wouldn't be having any financial issues. Unfortunately, mom didn't raise me to be a low-life, scum-sucking bottom feeder. My tough luck, huh? I'll just have to settle for making a minuscule fraction of the $$$ by removing this carp from folks' computers.


Q. What is the difference between a virus hacker and a catfish?

A. One wallows in the mud and is a scum sucking bottom feeder. The other is a fish.


Grinler's guide has been updated with new information. Of particular interest is the information about CryptoPrevent. CryptoPrevent is a free utility by Foolish IT LLC that automatically adds the suggested Software Restriction Policy Path Rules (listed in the guide) to your computer. The added Software Restriction Policies are to prevent CryptoLocker and Zbot from being executed in the first place.



It seems Crypto Prevent is well worth installing but can't the author of the ransomware merely change the blocked filenames to circumvent this protection?

 

I read on the link that the trojan could be removed and a System Restore Point used to recover the encrypted files. This would indicate to me that only some system files are being encrypted. Is this true? Or are users' personal files being encrypted too?


If you look at the "prevent" section of the tutorial (How to prevent your computer from becoming infected by CryptoLocker) note that it isn't filenames but rather .exe's located in %AppData%, %AppData% subfolders and archive attachments opened with WinRAR, 7Zip and WinZip located in %Temp%.

 

As indicated at the Foolish IT writeup at CryptoPrevent, bold added:

 

CryptoPrevent is a tiny utility to lock down any Windows OS to prevent infection by the Cryptolocker malware or ‘ransomware’, which encrypts personal files and then offers decryption for a paid ransom.

 

 

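The post above describes the prevention method as Software Restriction Policy path rules that disallow .exe's under %AppData% (and its subfolders) and in the %Temp% folders used by WinRAR, 7-Zip and WinZip. As an added illustration (this is not code from the thread, from Grinler's guide or from CryptoPrevent), the script below writes rules of that shape into the documented SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers. The exact wildcard paths are my reading of the post, not the guide's list, and the enabling values written by Ensure-SaferPolicy are what the Local Security Policy editor writes when a new policy is created, included here as an assumption so the rules are actually enforced.

```powershell
# Added example: Software Restriction Policy "Disallowed" path rules of the kind
# described in the thread. Not the guide's or CryptoPrevent's own code.
# Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$saferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $saferRoot '0\Paths'   # security level 0 = Disallowed

# Paths assumed from the post: executables in %AppData% and one level below it,
# and executables unpacked into %Temp% by WinRAR (Rar*), 7-Zip (7z*) and WinZip (wz*).
$rules = @(
    @{ Path = '%AppData%\*.exe';     Description = 'Block exe directly in AppData' },
    @{ Path = '%AppData%\*\*.exe';   Description = 'Block exe in AppData subfolders' },
    @{ Path = '%Temp%\Rar*\*.exe';   Description = 'Block exe opened from WinRAR archive' },
    @{ Path = '%Temp%\7z*\*.exe';    Description = 'Block exe opened from 7-Zip archive' },
    @{ Path = '%Temp%\wz*\*.exe';    Description = 'Block exe opened from WinZip archive' },
    @{ Path = '%Temp%\*.zip\*.exe';  Description = 'Block exe opened from Windows zip folder' }
)

function Ensure-SaferPolicy {
    # Assumption: these are the values the policy editor writes when SRP is first
    # enabled. DefaultLevel 0x40000 = Unrestricted, so only explicit rules block;
    # TransparentEnabled 1 turns enforcement on; PolicyScope 0 = all users.
    if (-not (Test-Path $saferRoot)) { New-Item -Path $saferRoot -Force | Out-Null }
    Set-ItemProperty -Path $saferRoot -Name 'DefaultLevel'       -Value 0x40000 -Type DWord
    Set-ItemProperty -Path $saferRoot -Name 'TransparentEnabled' -Value 1       -Type DWord
    Set-ItemProperty -Path $saferRoot -Name 'PolicyScope'        -Value 0       -Type DWord
    if (-not (Test-Path $disallowed)) { New-Item -Path $disallowed -Force | Out-Null }
}

function Add-SaferPathRule {
    param([Parameter(Mandatory)][string]$Path, [string]$Description = '')
    # Re-runnable: skip if a rule with the same ItemData already exists.
    $existing = Get-ChildItem -Path $disallowed -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).ItemData -eq $Path }
    if ($existing) { Write-Verbose "Rule already present: $Path"; return }

    # Each rule lives in its own {GUID} subkey. ItemData holds the path pattern
    # as REG_EXPAND_SZ so %AppData% / %Temp% expand per user at evaluation time.
    $key = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'    -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'  -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key -Name 'Description' -Value $Description -PropertyType String       | Out-Null
}

function Get-SaferPathRules {
    # Defender's check: list every Disallowed path rule currently in force.
    Get-ChildItem -Path $disallowed -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Key = $_.PSChildName; Path = $p.ItemData; Description = $p.Description }
    }
}

Ensure-SaferPolicy
foreach ($r in $rules) { Add-SaferPathRule -Path $r.Path -Description $r.Description }
Get-SaferPathRules | Format-Table -AutoSize
```

The rules apply to processes started after the policy is in place, so log off and back on before testing. The first two patterns are the ones most likely to break legitimate software that installs into %AppData%; review the output of Get-SaferPathRules and remove the matching {GUID} subkey if a needed program is blocked.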

Another update today:

 

Updated the CryptoLocker guide to include updated info on the new Registry keys, updates to CryptoPrevent, and the message on the Command & Control Server.

Guest LilBambi

That is an awesome prevention tool. Especially since it is not truly specific to this piece of crap but disallowing any executables in AppData, etc. There is no need for that (executables in AppData).


Interesting development: DNS Sinkhole campaign underway for CryptoLocker - News

A DNS sinkhole campaign is underway and in high gear to block computers infected with CryptoLocker from reaching the malware's Command & Control servers. A DNS sinkhole is a method used by security researchers to monitor Botnets and to block communication between an infected computer and its Command & Control server.

 

There are a couple of issues with the sinkhole. First, of course, would be those caught in the middle having paid the $300 ransom but still waiting for the key to decrypt their files. Another is that CryptoLocker will merely move on to another domain that isn't in the sinkhole.

 

At this time, it is unknown who is responsible for setting up the sinkhole.


Guest LilBambi

Wow, what a mess all around for this cryptolocker crap.

 

Glad that grinler came up with the prevention method. Should help many in preventing this crapware getting on their systems.

 

Should help with others that also try to install executables in AppData areas.


 

8-minute video with Leo Laporte and Steve Gibson discussing the Crypto Locker virus in detail, but in a mom-friendly way. This is a good one to send to your non-techie friends so they can understand how it works and what to avoid.

 

Adam


Not really a scam... but full-on criminal extortion. Steve mentioned during Security Now that he was surprised it has been this long before this type of crime popped up. Sadly, it is built so well that well-meaning server seizures practically ensure the data will never be recovered.

 

 

Here's some in depth analysis of how CryptoLocker works.

 

Adam


V.T. Eric Layton

And they say crime doesn't pay. Pfffft! If that were really true, there'd be no politicians or lawyers in the world. ;)


It pays even more now, Eric.

 

An unfortunate development: CryptoLocker developers charge 10 bitcoins to use new Decryption Service

 

The price for the decryption key, though, has been significantly increased from 2 bitcoins to 10 bitcoins. With the current price of bitcoins at around $212 USD the ransom has increased from around $400 USD to over $2,100 USD.

 

Prevention, along with backing up important data, is definitely the only solution.


Guest LilBambi

Yes! Definitely.

 

But we all need to rethink our backup solutions, since all connected drive letters are accessible by this type of crap, which could have you lose your backups too.

 

It's not convenient, but it seems to me it's time to do what I have been doing for a long time. Back up your data and disconnect the external drive till next time.


Well, this will spawn a new term in the description of backups.

 

Hot Backup: Always available and accessible, and usually available via a drive letter.

Cold Backup: Somewhat less available backup, does not use a drive letter under any circumstances.

 

Versioning in the backup is now more crucial than ever. You will not see versioning of the files in a hot backup.

 

However, this is only once again playing Whack-a-mole here. It is only a matter of time before the ransomware artists come up with a way to infect a Cold Backup.

 

So what's the best backup strategy these days?

 

Well, the best strategy is a hot backup if you need it, and a cold backup with versioning. Also, having a local cold backup could be useful.

 

*sigh*

 

How long will it be before we see a ransomware virus play possum for a long time, infecting all your stuff, and then striking all of a sudden? It's only a matter of time.

 

Adam


http://www.reddit.com/r/talesfromtechsupport/comments/1ps0ae/tldr_accounting_firm_gets_cryptolocker_virus_tech/

 

A reddit tale of restoration from cryptolocker gone horribly wrong... manage your passwords correctly!

 

https://www.grc.com/miscfiles/RobPickering_CryptoLocker.pdf

 

A tale of ransom payment going right...

 

Adam
