Corrine (October 13, 2013): To put it simply, CryptoLocker encrypts the files on the computer and holds them for ransom. There is only one private key available to unencrypt the public key and it is stored on a secret server with a time bomb set to destroy the key if the ransom isn't paid by the deadline. Depending on the version, the ransom is $100 to $300 with a deadline for payment of between ~72 to 100 hours. Additional information and references are available in my blog post, CryptoLocker Ransomware.
LilBambi (October 13, 2013): Yes, backups are the best defense against this type of crud! Thanks Corrine!
frapper (October 13, 2013), quoting LilBambi ("Yes, backups are the best defense against this type of crud!"): So restoring a disk image along with the MBR would make it completely disappear?
LilBambi (October 13, 2013), quoting frapper ("So restoring a disk image along with the MBR would make it completely disappear?"): As far as I know, yep.
ross549 (October 13, 2013, edited): This is true scumware. Adam (Edit note: Why is "scum bag" filtered?)
V.T. Eric Layton (October 13, 2013): Gee, if I had the lack of morals and criminal tendencies to do this stuff, I wouldn't be having any financial issues. Unfortunately, mom didn't raise me to be a low-life, scum-sucking bottom feeder. My tough luck, huh? I'll just have to settle for making a minuscule fraction of the $$$ by removing this carp from folks' computers.
raymac46 (October 13, 2013): Q. What is the difference between a virus hacker and a catfish? A. One wallows in the mud and is a scum sucking bottom feeder. The other is a fish.
Corrine (October 15, 2013): Due to the incorrect and vague information available on CryptoLocker, Grinler published a guide containing all the known information on CryptoLocker to this date: CryptoLocker Ransomware Information Guide and FAQ.
LilBambi (October 16, 2013): Thanks for posting this Corrine! Will come in very handy.
Corrine (October 16, 2013): Actually, I hope that it doesn't come in handy -- that you never need to refer to it for any of your customers!
Corrine (October 21, 2013): Grinler's guide has been updated with new information. Of particular interest is the information about CryptoPrevent. CryptoPrevent is a free utility by Foolish IT LLC that automatically adds the suggested Software Restriction Policy Path Rules (listed in the guide) to your computer. The added Software Restriction Policies are to prevent CryptoLocker and Zbot from being executed in the first place.
lewmur (October 22, 2013, edited), quoting Corrine's October 21 post on CryptoPrevent: It seems Crypto Prevent is well worth installing but can't the author of the ransomware merely change the blocked filenames to circumvent this protection? I read on the link that the trojan could be removed and a System Restore Point used to recover the encrypted files. This would indicate to me that only some system files are being encrypted. Is this true? Or are users' personal files being encrypted too?
Corrine (October 22, 2013): If you look at the "prevent" section of the tutorial (How to prevent your computer from becoming infected by CryptoLocker) note that it isn't filenames but rather .exe's located in %AppData%, %AppData% subfolders and archive attachments opened with WinRAR, 7Zip and WinZip located in %Temp%. As indicated at the Foolish IT writeup at CryptoPrevent (bold added in the original post): CryptoPrevent is a tiny utility to lock down any Windows OS to prevent infection by the Cryptolocker malware or 'ransomware', which encrypts personal files and then offers decryption for a paid ransom.
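The location-based rules Corrine describes can be written without CryptoPrevent. The script below is an added example for this thread; it is not CryptoPrevent's code and not taken from Grinler's guide, only a PowerShell version of the same kind of Software Restriction Policy (SRP) path rules. It assumes Windows 7/8 Professional or Enterprise (SRP is not available on Home editions), an elevated PowerShell session, and a rule list that follows the locations named in the thread (AppData, its first level of subfolders, and the WinRAR/7-Zip/WinZip extraction folders under %Temp%); the %LocalAppData% and Windows built-in zip entries, the registry values written when SRP has never been enabled, and the whitelisted application path are my assumptions, not the thread's.

```powershell
# Added example (not CryptoPrevent's code, not from Grinler's guide): writes
# SRP path rules that refuse any .exe in the locations the thread names.
# Assumed: elevated PowerShell on Windows 7/8 Pro/Enterprise. Back up first:
#   reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer" srp-backup.reg

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security-level ids: 0 = Disallowed, 262144 (0x40000) = Unrestricted.
$LevelId = @{ Disallowed = 0; Unrestricted = 262144 }

function Initialize-Srp {
    # When SRP has never been defined in secpol.msc this key is absent. Create it
    # with Unrestricted as the default level so only the explicit rules block.
    # The values mirror what secpol.msc writes when SRP is first enabled (assumed).
    if (Test-Path $Safer) { return }
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name DefaultLevel       -Value 262144 -PropertyType DWord | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1      -PropertyType DWord | Out-Null
    New-ItemProperty -Path $Safer -Name PolicyScope        -Value 0      -PropertyType DWord | Out-Null
    New-ItemProperty -Path $Safer -Name Levels             -Value 462848 -PropertyType DWord | Out-Null
    # Default designated file types, so .exe (and the rest) are subject to rules.
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
             'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
             'PIF','REG','SCR','SHS','URL','VB','WSC'
    New-ItemProperty -Path $Safer -Name ExecutableTypes -Value $types -PropertyType MultiString | Out-Null
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Disallowed','Unrestricted')][string]$Level = 'Disallowed',
        [string]$Description = ''
    )
    $container = "$Safer\$($LevelId[$Level])\Paths"
    # Idempotent: do not add a second rule for a path that is already present.
    if (Test-Path $container) {
        $existing = Get-ChildItem -LiteralPath $container | Where-Object {
            (Get-ItemProperty -LiteralPath $_.PSPath).ItemData -eq $Path }
        if ($existing) { Write-Verbose "exists: $Level $Path"; return }
    }
    $key = New-Item -Path "$container\{$([guid]::NewGuid())}" -Force
    # ItemData is REG_EXPAND_SZ, so %AppData% etc. expand per user at check time.
    New-ItemProperty -LiteralPath $key.PSPath -Name ItemData    -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -LiteralPath $key.PSPath -Name SaferFlags  -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -LiteralPath $key.PSPath -Name Description -Value $Description -PropertyType String       | Out-Null
    Write-Host ("{0,-12} {1}" -f $Level, $Path)
}

function Get-SrpPathRules {
    # Lists every path rule currently in the machine policy, block and allow alike.
    foreach ($lvl in $LevelId.Keys) {
        $container = "$Safer\$($LevelId[$lvl])\Paths"
        if (-not (Test-Path $container)) { continue }
        Get-ChildItem -LiteralPath $container | ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath
            [pscustomobject]@{ Level = $lvl; Path = $p.ItemData; Description = $p.Description }
        }
    }
}

Initialize-Srp

# Rules keyed on location, not file name: renaming the dropper does not help the
# attacker. Caveat: SRP's * does not cross a backslash, so a third level of
# nesting (%AppData%\a\b\x.exe) is not covered by these two wildcard forms.
$block = @(
    '%AppData%\*.exe',      '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',   # assumed addition
    '%Temp%\Rar*\*.exe',    '%Temp%\7z*\*.exe',         # WinRAR / 7-Zip extraction
    '%Temp%\wz*\*.exe',     '%Temp%\*.zip\*.exe'        # WinZip / Windows zip (assumed)
)
foreach ($p in $block) { Add-SrpPathRule -Path $p -Description 'CryptoLocker location rule' }

# Exception: a more specific path rule wins, so a legitimate per-user program
# under AppData can be allowed without reopening the whole folder.
# (Hypothetical path; add only programs you have verified on that machine.)
Add-SrpPathRule -Path '%AppData%\ExampleApp\*.exe' -Level Unrestricted -Description 'Allowed per-user app'

Get-SrpPathRules | Format-Table -AutoSize
# Rules are applied at logon: log off or reboot, then test by copying any
# harmless .exe into %AppData% and trying to run it.
```

If SRP has already been enabled through secpol.msc (the manual method the guide walks through), Initialize-Srp does nothing and only the path rules are added; the Disallowed rules then show up in secpol.msc under Software Restriction Policies > Additional Rules and can be removed there or by importing the .reg backup.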
Corrine (October 23, 2013): Another update today: Updated the CryptoLocker guide to include updated info on the new Registry keys, updates to CryptoPrevent, and the message on the Command & Control Server.
Corrine (October 23, 2013): Update: CryptoLocker guide updated to fix issues with %Temp% SRP rules and info on known bitcoin payment wallet addresses.
LilBambi (October 24, 2013, edited): That is an awesome prevention tool. Especially since it is not truly specific to this piece of crap but disallowing any executables in AppData, etc. There is no need for that (executables in AppData).
Corrine (October 24, 2013): Interesting development: DNS Sinkhole campaign underway for CryptoLocker - News. A DNS sinkhole campaign is underway and in high gear to block computers infected with CryptoLocker from reaching the malware's Command & Control servers. A DNS sinkhole is a method used by security researchers to monitor Botnets and to block communication between an infected computer and its Command & Control server. There are a couple of issues with the sinkhole. First, of course, would be those caught in the middle having paid the $300 ransom but still waiting for the key to decrypt their files. Another is that CryptoLocker will merely move on to another domain that isn't in the sinkhole. At this time, it is unknown who is responsible for setting up the sinkhole.
LilBambi (October 27, 2013): Wow, what a mess all around for this cryptolocker crap. Glad that grinler came up with the prevention method. Should help many in preventing this crapware getting on their systems. Should help with others that also try to install executables in AppData areas.
ross549 (October 28, 2013): 8 minute video with Leo Laporte and Steve Gibson discussing the Crypto Locker virus in detail, but in a mom-friendly way. This is a good one to send to your non-techie friends so they can understand how it works and what to avoid. Adam
V.T. Eric Layton (October 28, 2013): What a great scam. I really wish I'd have thought of it first.
ross549 (October 28, 2013): Not really a scam... but full on criminal extortion. Steve mentioned during Security Now that he was surprised it has been this long before this type of crime popped up. Sadly, it is built so well, that well-meaning server seizures practically ensure the data will never be recovered. Here's some in depth analysis of how CryptoLocker works. Adam
V.T. Eric Layton (October 28, 2013): And they say crime doesn't pay. Pfffft! If that were really true, there'd be no politicians or lawyers in the world.
Corrine (November 2, 2013): It pays even more now, Eric. An unfortunate development: CryptoLocker developers charge 10 bitcoins to use new Decryption Service. The price for the decryption key, though, has been significantly increased from 2 bitcoins to 10 bitcoins. With the current price of bitcoins at around $212 USD the ransom has increased from around $400 USD to over $2,100 USD. Prevention along with backing up important data are definitely the only solution.
LilBambi (November 2, 2013): Yes! Definitely. But we all need to rethink our backup solutions since all connected drive letters are accessible by this type of crap, which could cause you to lose your backups too. It's not convenient, but it seems to me it's time to do what I have been doing for a long time. Back up your data and disconnect the external drive till next time.
ross549 (November 2, 2013): Well, this will spawn a new term in the description of backups.

Hot Backup: Always available and accessible, and usually available via a drive letter.
Cold Backup: Somewhat less available backup, does not use a drive letter under any circumstances.

Versioning in the backup is now more crucial than ever. You will not see versioning of the files in a hot backup. However, this is only once again playing Whack-a-mole here. It is only a matter of time before the ransomware artists come up with a way to infect a Cold Backup. So what's the best backup strategy these days? Well, the best strategy is a hot backup if you need it, and a cold backup with versioning. Also, having a local cold backup could be useful. *sigh* How long will it be before we see a ransomware virus play possum for a long time, infecting all your stuff, and then striking all of a sudden? It's only a matter of time. Adam
LilBambi (November 3, 2013): This was such a great topic! Happy you spent time on it during the show.
ross549 (November 3, 2013): Yes, I think it is very important. It's going to change how we handle security going forward. Adam
ross549 (November 4, 2013):
http://www.reddit.com/r/talesfromtechsupport/comments/1ps0ae/tldr_accounting_firm_gets_cryptolocker_virus_tech/
A reddit tale of restoration from cryptolocker gone horribly wrong.... manage your passwords correctly!
https://www.grc.com/miscfiles/RobPickering_CryptoLocker.pdf
A tale of ransom payment going right...... Adam
Corrine (November 13, 2013): Via Bleeping Computer: CryptoLocker emails now including password protected attachments to evade av software. Email pretends to be new outlook settings.
LilBambi (November 13, 2013): Thanks to you and Lawrence on that info!