CryptoLocker time to take notice!
Posted 2 years ago by Daniel Weis
You may be aware of Ransomware; it has been around for a very long time and is nothing
new. In essence, Ransomware is a type of Malware which restricts access to the system it
infects and demands that a ransom is paid to regain access to the system or data (effectively
holding a computer to ransom).
Ransomware can come from a massive number of sources, from automated worms and
trojans, through to botnet infections, email delivery/spam, USB drives and websites; the list goes
on.
Some variants simply lock a computer until payment is made, others like CryptoLocker
actually encrypt the files until payment has been made.
Popular Ransomware of the past includes Winlock, Reveton, AIDS, and recently PRISM
variants. A list of the most common types can be found here: http://www.exterminateit.com/malpedia/ransomware-category/1
Below are some screenshots of commonly seen Ransomware:
Over the last month, a new player hit the Ransomware/Malware field, and to date it is one of
the most dangerous versions of Malware that has been encountered. All organisations now
need to take action to protect their systems.
It calls itself CryptoLocker and the current infection rate is skyrocketing.
In the last 30 days some vendors' spam filters quarantined 56.6 million emails that contained a
virus as an attachment, and authorities have been powerless to prevent its spread and
infection rates.
Here's what you need to know
If you run CryptoLocker, it infects your computer like normal Malware, placing its files in
Windows directories, and creating registry entries that allow it to restart when you reboot. It
also tries to contact its command and control (C&C) server. The Malware uses a random
domain name generation algorithm to try and find a current C&C server.
Some sample CryptoLocker domains might look like this:
- jkamevbxhupg.co.uk
- uvpevldfpfhoipn.info
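Because the C&C domains are generated rather than chosen, they tend to be long, vowel-poor and high in character entropy, which is something you can hunt for in DNS logs. The following is an added example (not code from the original post) that scores the registrable label of each queried name against those three heuristics; the log lines are constructed for the example and the public-suffix handling is deliberately minimal.

```python
import math
import re
from collections import Counter

# Constructed DNS query log (not real data): timestamp, client, queried name. The two
# machine-generated names are the sample domains from the post; the others are ordinary.
SAMPLE_DNS_LOG = """\
2013-11-05T16:42:01 10.0.0.21 query www.example.com.au
2013-11-05T16:42:03 10.0.0.21 query jkamevbxhupg.co.uk
2013-11-05T16:42:03 10.0.0.21 query uvpevldfpfhoipn.info
2013-11-05T16:42:09 10.0.0.21 query update.microsoft.com
2013-11-05T16:42:10 10.0.0.21 query qwrtpsdfghjklzx.org
"""

# Minimal public-suffix handling so 'example.co.uk' yields 'example', not 'co'.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "net.au"}
LOG_LINE = re.compile(r"(\S+) (\S+) query (\S+)")

def registrable_label(fqdn):
    """Label directly under the public suffix: 'jkamevbxhupg' for jkamevbxhupg.co.uk."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(text):
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def dga_score(label):
    """0-3: one point each for length >= 12, entropy >= 3.2 bits/char, vowel ratio < 0.3."""
    vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
    return int(len(label) >= 12) + int(shannon_entropy(label) >= 3.2) + int(vowel_ratio < 0.3)

def flag_dga_queries(log_text, threshold=2):
    """Return (client, name, score) for queries whose registrable label looks generated."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        _ts, client, name = m.groups()
        score = dga_score(registrable_label(name))
        if score >= threshold:
            flagged.append((client, name, score))
    return flagged
```

CDN and cloud hostnames can score high too, so treat a hit as a triage lead and look for the same client querying many such names in a short burst rather than acting on a single line.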
Once CryptoLocker contacts its C&C server, it generates a public/private cryptographic key
pair for your specific computer, using very strong and standard RSA and AES 2048-bit
encryption. The private key is only stored on the attacker's C&C servers, but the public key is
saved in a registry entry on your computer.
CryptoLocker then uses that key pair to encrypt many different types of files on your
computer. Here's a list of files CryptoLocker looks for:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm,
*.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf,
*.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng,
*.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw,
*.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem,
*.pfx, *.p12, *.p7b, *.p7c.
After encrypting your files, CryptoLocker shows a screen warning you that you have 72
hours to pay $660 USD (2 bitcoins) in order to get your files back (through bitcoins or
MoneyPak) and, if you don't pay the amount by this time, the price of the decryption service increases
significantly from 2 bitcoins to 10 bitcoins. Utilising current exchange rates and a bitcoin
converter (http://preev.com/), you can expect to fork out ~$3,290 USD, which is around
$3500.00 AUD.
How do I get infected by CryptoLocker?
There are a number of ways computers are getting infected; however, CryptoLocker is
primarily delivered via e-mail as a malicious attachment or link in a legitimate-looking
business email. Previously this was received in the form of fake FedEx, UPS, or delivery
company emails, but the latest variants are using specialised tactics and are successful in
bypassing a lot of spam filters, so don't assume that just because you have spam/email filtering
you will be safe.
An example Zbot/CryptoLocker email message is:
Within this email is a zip file attachment; contained within that is a file with a double
extension, pretending to be a PDF but actually carrying an .exe extension, which infects the
system once executed. There have also been reports of infections through websites/drive-by downloads and
through some scam sites as well.
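A mail gateway or helpdesk script can catch the attachment trick described above before a user double-clicks it. This is an added example (not from the original post or any vendor) that opens a zip attachment in memory, flags members whose name hides an executable behind a document extension, and, for members with an innocent name, checks the first bytes for a PE ("MZ") header; the sample zip is constructed inline and contains only placeholder text.

```python
import io
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

def deceptive_member(name):
    """Reason string if the member name looks like a disguised executable, else None."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        return "double extension: looks like %s but is %s" % (parts[-2], ext)
    if "  " in base:  # runs of spaces push the real extension out of view in mail clients
        return "padded filename hiding %s" % ext
    return "executable attachment %s" % ext

def scan_zip_attachment(data):
    """Return (member, reason) for every suspicious member of a zip given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = deceptive_member(info.filename)
            if reason is None:  # name looks harmless: check the bytes for a PE header
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        reason = "PE header despite document-looking name"
            if reason:
                findings.append((info.filename, reason))
    return findings

def build_sample_attachment():
    """Constructed zip mirroring the post's description; contents are placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx_Invoice_0012.pdf.exe", b"placeholder, not a real program")
        zf.writestr("Tracking_Number.pdf", b"MZ placeholder: PE header, wrong extension")
        zf.writestr("Shipping details.txt", b"plain text")
    return buf.getvalue()
```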
Once infected the following is displayed:
What makes this so dangerous is that not only will it infect your computer files, it will search
out any drive letters it finds, such as corporate network drives, USB drives and similar and
encrypt those as well, therefore devastating company networks.
The other thing to note from Infotech is that there is absolutely no guarantee you'll be
getting anything back from your $300 to $660 USD payment. Infotech Solutions has seen it
not work at all, or only work after multiple payment attempts (at $660 a pop). In a few cases
they worked on, two users had both opened CryptoLocker attachments and the files were
effectively double encrypted. In other cases, the computer that caught the infection had
been cleaned before I.T. had a chance to quarantine it. The cleaning process removed the
virus, but also the pair of decryption keys required to unlock the files that were stored on the
computer.
In this instance, or if the antivirus intervenes, you may need to reinfect your machine with
CryptoLocker to get a new key for decryption.
For those who paid successfully, and for whom it works, you will get a screen like the one below:
Sometimes even that fails.
What operating systems does this apply to?
Currently this Ransomware is targeting Windows platforms; infections have been reported on
Windows XP, Vista and 7, and we anticipate this to shortly move to Windows 8 and Mac OS
platforms.
Can I bypass the system?
Generally speaking, no: once infection has occurred there is no way to recover those files
unless you pay or have backups that predate the infection. Some people have success using
shadow copies to restore; others revert to tape or similar.
We back up our data every day, so no dramas, right?
Backup is the only way to recover; however, don't assume that because you have backups you
can recover.
If you aren't keeping 5 days' worth of backup at a bare minimum, your chance of recovery is
slim. CryptoLocker is very sneaky: it will usually start silently encrypting files late in the
afternoon, around 4 or 5 PM, and can run for several days before you either notice some of
your files can't be opened or the CryptoLocker payment screen finally pops up. That means
your backups during that time period are toast.
How does Antivirus play a part?
Trend, Symantec, McAfee and Kaspersky all have signatures to catch
CryptoLocker, yet every vendor has failed to detect the infection at one point; this is because
CryptoLocker is changing constantly. It would seem that any time the detection rate climbs
above 10%, a new variant is released and you are back to a very small chance of detecting it.
Antivirus is still a key component in protecting your systems, but it certainly shouldn't be the
only one. An additional system to help prevent/reduce CryptoLocker infections would be an
Intrusion Prevention System.
Another thing to note is that even if you run heavily locked-down workstation SOEs (standard
operating environments), this will not prevent you from becoming infected, as
CryptoLocker doesn't actually install anything or need admin privileges, and any files that
your users have access to modify are susceptible.
How can I prevent becoming a victim?
- Foremost, educate your users! If they don't visit the malicious site or open the attachment in the first place, this will solve all your issues.
- Ensure you have the latest antivirus and that it is up to date.
- Utilise additional filtering mechanisms such as Intrusion Prevention Systems or Host Based Intrusion Detection Systems to prevent communication and alert upon infection/changes to system integrity.
- Update all software on your computer, especially Microsoft Office, Adobe products, and Java.
- Do not download and install unfamiliar software, even if its maker claims it will prevent Ransomware.
- Ensure you have valid, TESTED backups in place.
- Deploy CryptoPrevent to the workstations to prevent initial infections, available from here: http://www.foolishit.com/vb6-projects/cryptoprevent/
- Deploy the CryptoLocker Prevention Kit Group Policies from here, to prevent spreading of the infection in your environment: http://www.thirdtier.net/downloads (select CryptoLockerPreventionKit.zip)
- Secure your network shares and permissions.
If you are infected already
- As soon as you identify that you have been infected, unplug the computer from the network immediately; it may prevent some files from being encrypted.
- You need to figure out what damage has been done. Which files have you lost? Do you have backups of these files? If you don't have backups, have you checked Windows System Restore files, which sometimes automatically back up the computer for you?
- Restore your data.
- If you have valid backups, wiping your computer is the best way to remove the infection; however, a lot of antivirus vendors have clean-up tools you can utilise, or follow guides such as this one: http://www.bleepingcomputer.com/virus-removal/CryptoLocker-ransomware-information
- If you do not have backups, it is recommended you don't pay, as this only reinforces that the system works and more and more of these types of Malware will get created. But, where you have no choice, you can attempt to pay. If your antivirus intervenes (which it will most of the time) you can contact the Malware's fake customer support site via a connection directly to the C&C server's IP address or through Tor via the f2d2v7soksbskekh.onion/ address.
You will be presented with a screen like the below:
Once a payment is made it must have 10-15 bitcoin confirmations before your private key
and a decrypter will be made available for download. Once these confirmations have
occurred a download link will be displayed that will allow you to download a standalone
decrypter. This decrypter will already have your private decryption key stored in the program
and can be used to scan for and decrypt encrypted files.
More information can be found here:
http://www.bleepingcomputer.com/forums/t/512668/CryptoLocker-developers-charge-10-bitcoins-to-use-new-decryption-service/
If you wish to find out what files have been encrypted, you can use this free tool:
http://download.bleepingcomputer.com/grinler/ListCrilock.exe
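When working out which files have been lost (the damage-assessment step above), a quick triage of a share is possible without any vendor tool: an encrypted document no longer starts with the header its extension implies, and its bytes look random. The following is an added example, not code from the post or from BleepingComputer, that walks a folder, checks the header for a few of the extensions on the target list above, and measures the entropy of the first 4 KiB; the magic byte values are assumed from the common file formats and the sample tree is constructed in a temporary directory.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Assumed magic bytes for a few extensions on the post's target list. A file whose header
# no longer matches its extension, and whose bytes look random, is probably ciphertext.
ZIP, OLE = b"PK\x03\x04", b"\xd0\xcf\x11\xe0"
EXPECTED_MAGIC = {".pdf": b"%PDF-", ".psd": b"8BPS", ".jpg": b"\xff\xd8\xff",
                  ".docx": ZIP, ".xlsx": ZIP, ".pptx": ZIP, ".odt": ZIP, ".ods": ZIP,
                  ".doc": OLE, ".xls": OLE, ".ppt": OLE}

def byte_entropy(data):
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def classify(path):
    """ok: header matches; suspect: header gone and the first 4 KiB look random; else unknown."""
    magic = EXPECTED_MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return "unknown"
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(magic):
        return "ok"
    return "suspect" if byte_entropy(head) > 7.0 else "unknown"

def triage_tree(root):
    """Walk a folder or mapped share and bucket files by classification (paths relative to root)."""
    buckets = {"ok": [], "suspect": [], "unknown": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            buckets[classify(full)].append(os.path.relpath(full, root))
    return buckets

def build_sample_tree():
    """Constructed data: two intact files, a .docx overwritten with pseudo-random bytes, a zeroed PDF, a .txt."""
    root, rng = tempfile.mkdtemp(), random.Random(1)
    samples = {"notes.pdf": b"%PDF-1.4\n" + b"placeholder stream\n" * 50,
               "scan.jpg": b"\xff\xd8\xff\xe0" + bytes(1024),
               "report.docx": bytes(rng.getrandbits(8) for _ in range(4096)),
               "broken.pdf": bytes(4096),
               "readme.txt": b"not on the target list\n"}
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root
```

Files that are already compressed (JPEG, DOCX, PDF streams) are high-entropy by nature, which is why the header check comes first and entropy only decides the header-mismatch cases.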
For existing Kiandra clients who have Managed Services Agreements, the appropriate steps
will be taken automatically to protect your network, for other clients requiring assistance,
please contact the Kiandra Service Desk.
Reference resources for content:
http://www.infotech.us/company-blog/189-CryptoLocker
http://www.sci-tech-today.com/news/CryptoLocker-Ransomware-Spreading/story.xhtml?story_id=01000147AOOK
http://www.foolishit.com/vb6-projects/cryptoprevent/
http://community.spiceworks.com/topic/396103-CryptoLocker-prevention-kit-updated
http://www.thirdtier.net/downloads/CryptoLockerPreventionKit.zip
http://www.us-cert.gov/ncas/alerts/TA13-309A
http://readwrite.com/2013/11/08/CryptoLocker-prevent-remove-eradicate
http://www.bleepingcomputer.com/virus-removal/CryptoLocker-ransomware-information
http://watchguardsecuritycenter.com/2013/11/04/everything-you-wanted-to-know-about-CryptoLocker/
http://www.bleepingcomputer.com/forums/t/512668/CryptoLocker-developers-charge-10-bitcoins-to-use-new-decryption-service/
http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx
http://www.networkworld.com/community/blog/CryptoLocker-crooks-charge-10-bitcoins-second-chance-decryption-service
http://www.udel.edu/udaily/2014/nov/ransomware-threat-110713.html