
Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013



Chapter 13: Destructive Viruses and Trojans

Cryptolocker Trojan (Win32/Crilock.A)

Version 2.1 (Oct 28, 2013; with minor correction May 24, 2017)


Introduction

This is a game-changing Trojan, which belongs to the class of malware known as ransomware. It was one of the first examples of ransomware to reach the level of a global epidemic. It later had "derivatives" which also reached the level of global epidemics, such as Wanna Cry (May 12-14, 2017).

It seriously changes views on malware, on antivirus programs and on backup routines. It is one of the few Trojans/viruses which managed to get onto the front pages of major newspapers like the Guardian.

Unlike most Trojans this one does not need Admin access to inflict the most damage. It also targets backups of your data on USB and mapped network drives. If you offload your backups to cloud storage without versioning and this backup has an extension present in the list of extensions used by this Trojan, it will destroy (aka encrypt) your "cloud" backups too.

It really encrypts the data in a way that rules out decryption without paying the ransom, so it is very effective at extorting money for the decryption key. You may or may not get that key, as the servers that can transmit it from the command and control center might already be blocked; still, the chances are reasonably high: the server names the Trojan connects to in order to get the public key change (daily?), and so far at least one server the Trojan "pings" has usually been operational (so even on Oct 28 decryption was still possible). At the same time the three-day timer is real, and once it expires the possibility of decrypting the files is gone. Essentially you have only two options:

Beware of snake oil salesmen who try to sell you a "disinfection" solution. First of all, disinfecting from the Trojan is trivial, as it is launched by a standard CurrentVersion\Run registry entry. The problem is that such a solution does not and cannot include restoration of your files.

It was discovered in early September 2013 (around September 3, when the domains used to reach the C&C center were registered; the first description appeared on September 10, see Trojan:Win32/Crilock.A). Major AV programs did not detect it until September 17, which resulted in significant damage inflicted by the Trojan.

Here is the screen displayed when the Trojan has finished encrypting the files (it operates silently before that, although the load on the computer is considerable, since encryption is a computationally heavy task):

Beware of snake oil salesmen promising to recover your files

Files encrypted by CryptoLocker can't be decrypted without paying the ransom. They can only be restored from backup, if a backup is available and was not encrypted in the process as well (which stresses the value of offline backups, aka "cold backups").

Please be aware of snake oil salesmen, and also of some other, older virus which was also called Cryptolocker. Especially beware of those that mention SpyHunter by Enigma Software. As of the second half of October such links top the results of all search engines.

Google is leading the pack, with three misleading advertisements at the top of its results. For example:

Here is some relevant information from the comments to the article Cryptolocker Hijack program:

USASAgencyman

Criminally Misleading From PC Tuneup???

hxxp://pctuneup.org/cryptolocker-virus-removal/

Quote

CryptoLocker virus: is a series of ransomware infections that we have recently classified as extremely dangerous and recommend removing immediately. This page will show you precise instructions on how to remove the CryptoLocker virus.
The CryptoLocker virus hijacks the computer and limits its functionality in an attempt to hold your PC ransom. It will make claims that your access to your computer is limited and other similar warnings and to unlock the encryption the infected user will need to pay a "fine." It is important to note that all of the warnings and messages that come from the CryptoLocker Hijack virus are fake and should be disregarded. However, the CryptoLocker Hijack virus will not allow the computer to work normally until it is completely removed. The CryptoLocker Hijack virus will not go away on its own, action must be taken to remove it. Please see below where we show our easy step-by-step removal instructions for the CryptoLocker Hijack virus.

quietman7
From the PC Tuneup instructions

Quote

b. By clicking run you will have begun downloading a program called SpyHunter4 made by Enigma Software. Spyhunter4 features the latest in virus removal technology and has one of the largest Malware and Virus databases in the world. Spyhunter4 is one of the only programs that offers Point & Click virus removal. This program will guide you through the entire installation process.

c. Once you have run the Full Scan using Spyhunter4, and followed the prompts to register your software, your virus should have been removed. Take a moment to reboot your computer and make sure it is running properly. If not, you may have a more serious issue. If this does happen, do not hesitate to call our hassle free virus removal help line.

SpyHunter by Enigma Software is a program that was previously listed as a rogue product on the Rogue/Suspect Anti-Spyware Products List because of the company's history of employing aggressive and deceptive advertising. It has since been delisted but in my opinion it is a dubious program which is not very effective compared to others with a proven track record and I would not trust all the detections provided by its scanning engine.

Newer versions of SpyHunter apparently install their own "Compact OS" and use the Grub4Dos loader to execute on boot up. The user no longer sees the normal Windows boot menu but instead sees the GRUB menu. For some folks this has resulted in SpyHunter causing a continuous loop when attempting to boot. An example was reported in this topic.

Further, AV-Test has not included SpyHunter in the comprehensive testing analysis that would reveal how SpyHunter compares to the best anti-spyware in terms of protection, repair and usability.

When searching for unfamiliar or unknown malware on the Internet, it is not unusual to find numerous hits from untrustworthy and scam sites which misclassify detections or provide misleading information. This is deliberately done more as a scam to entice folks into buying an advertised fix or removal tool. SpyHunter is one of the most common "so-called" removal tools pushed by these sites.

Netghost56

Grinler, on 28 Oct 2013 - 09:30 AM, said:

Typical BS from those types of virus removal guide blogs. All they are trying to do is sell the product.

Thanks for letting us know.

Kind of ironic but last night CNBC did an episode of American Greed that was about Innovative Marketing and Winfixer scareware (fake AV) -- the forerunners of ransomware, IMO.

AV companies were again caught without pants

In other words, as in most cases of game-changing viruses in the past, AV companies were caught without pants. Payment servers were still up on Oct 15 and several users reported that decryption keys were delivered, at least initially. But most successful cases of decryption by paying the ransom are limited to September. While for early victims the chances of getting the decryption key after payment were close to 100%, they gradually drop; now, in late October, even if you pay the ransom there is no guarantee that the key will be delivered, as most of the servers used are probably already taken down and the criminals might already be on the run.

Rebooting the PC does not clear the timer; it continues from the value it had before the reboot. It is unclear whether keeping the PC shut down for a while can buy you additional time, as the timer might also be ticking on the "mothership" that holds the private key.

It took approximately two weeks for major AV products to detect this Trojan (until September 17). So again most AV companies were caught without pants. Only approximately a month later could some AV programs block the Trojan from running (CryptoLocker Recap: A new guide to the bleepingest virus of 2013, sysadmin):

I'll put at the top that MalwareBytes Pro, Avast! Free and Avast! Pro (defs 131016-0 16.10.2013 or later) will prevent the virus from running.

This is also an interesting case where disinfection means destruction of your data. Unless you reinstall the Trojan there is no way you can decrypt any of the files it encrypted. Please note that this Trojan can be reinstalled in case of necessity and, unless the related registry entries were cleaned, it can still accept payment of the ransom. It is unclear how the time counter behaves in this case; it probably makes no sense once the counter has expired.


It also stressed the value of cold backups, a good spam filter and the filtering of executable attachments (most victims opened attachments, which would probably have been blocked by a good spam filter). Another viable defense path is installing stricter group policies, blocking executables in your Documents and Settings folder and enforcing strong software restriction policies (SRPs) to disallow the execution of .exe files from AppData/Roaming as well as %AppData%\*\*.exe. See Prevention for some ideas on creating such group policies.

Paying ransom does not guarantee that you will get your files back, only cold backup does

The criminals actually do decrypt the files after you pay the ransom (Proper Care & Feeding of your CryptoLocker Infection), if (and that's a big if in October) their servers are still up.

Here is one success story: Cryptolocker – An Executive Infection - RobPickering.com

As the servers used by CryptoLocker are now under the gun, the chances that they will be able to push your private key back to you diminish with time. Here is a relevant discussion:

CryptoLocker :

Had a client with no offsite backups, so I advised them to pay the ransom of $300. 4 days later 85,000 files decrypted.

bluesoul:

It's actually very, very clever. If there was no real benefit to paying them, people wouldn't pay them. Take into consideration the many people with failed backup systems and even $300 doesn't measure up to lost productivity in having the files unusable forever; suddenly paying the ransom is the logical choice. When you look at the file masks, it's obvious it's targeted at businesses, in particular graphic designers and photographers, though the Office files obviously would hit just about any of us.

PBI325:

Yeah, I guess that makes sense. If they never delivered word would spread that the entire thing is completely bogus and people would find other ways to combat the infection. Kind of shooting themselves in the foot if they don't deliver.

I wonder if they're nice enough to clean out your computer of their ransomware or they leave their traces behind.

Names assigned to the Trojan by various AV vendors

Names, as always, vary from one AV company to another. Microsoft uses the name Trojan:Win32/Crilock.A. Other security and antivirus programs use different names (VirusTotal):

Antivirus Result Update
Agnitum Trojan.Kazy!HF4Ga+lwjwI 20130916
AhnLab-V3 Trojan/Win32.Blocker 20130917
AntiVir TR/Crilock.B 20130917
Antiy-AVL Trojan/Win32.Blocker 20130917
Avast Win32:Malware-gen 20130917
AVG Ransomer.CEL 20130916
Baidu-International Trojan-Ransom.Win32.Blocker.cfwh 20130916
BitDefender Gen:Variant.Kazy.243236 20130917
Bkav W32.VariantMedfosF.Trojan 20130917
ByteHero 20130916
CAT-QuickHeal Trojan.Crilock 20130917
ClamAV 20130917
Commtouch W32/Trojan.BXXK-0690 20130917
Comodo UnclassifiedMalware 20130917
DrWeb Trojan.Encoder.304 20130917
Emsisoft Gen:Variant.Kazy.243236 (B) 20130917
ESET-NOD32 Win32/Filecoder.BQ 20130916
F-Prot 20130917
F-Secure Gen:Variant.Kazy.243236 20130917
Fortinet W32/Filecoder.BQ 20130917
GData Gen:Variant.Kazy.243236 20130917
Ikarus Trojan-Ransomer.CEL 20130917
Jiangmin 20130903
K7AntiVirus Trojan 20130916
K7GW Trojan 20130916
Kaspersky Trojan-Ransom.Win32.Blocker.cfwh 20130917
Kingsoft Win32.Troj.Undef.(kcloud) 20130829
Malwarebytes Trojan.Ransom 20130917
McAfee RDN/Ransom!dp 20130917
McAfee-GW-Edition RDN/Ransom!dp 20130917
Microsoft Trojan:Win32/Crilock.A 20130917
MicroWorld-eScan Gen:Variant.Kazy.243236 20130917
NANO-Antivirus 20130916
Norman CryptoLocker.A 20130916
nProtect 20130917
Panda Trj/Ransom.AZ 20130916
PCTools 20130916
Rising 20130917
Sophos Troj/Ransom-ABV 20130917
SUPERAntiSpyware 20130917
Symantec Trojan.Ransomcrypt.F 20130917
TheHacker 20130917
TotalDefense 20130916
TrendMicro TROJ_RANSOM.NS 20130917
TrendMicro-HouseCall TROJ_RANSOM.NS 20130917
VBA32 Trojan-Ransom.Blocker.1193 20130916
VIPRE Trojan.Win32.Cryptolocker.mc (fs) 20130917
ViRobot Trojan.Win32

Only around September 16, 2013, more than a week after the launch of the Trojan, were sufficiently robust signatures to detect and block it in memory deployed. Only one AV program detected it at launch:

Jiangmin 20130903

Infection vectors

Infection vectors of Cryptolocker were pretty traditional for malware:

Once CryptoLocker has been downloaded and executed by the downloader, it ensures its automatic start during boot by using (in one variant; others may differ) the following registry value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CryptoLocker = %appdata%\{CLSID}.exe
(note that the file name consists of random hexadecimal digits).

CryptoLocker first attempts to connect to a command-and-control server, after which it generates a 2048-bit RSA public and private key pair and uploads the key to the server. The malware then attempts to encrypt data on any local or network storage drive that the user can access, using a 2048-bit RSA key and targeting files matching a whitelist of file extensions.

Attached drives and networked computers are also vulnerable to the attack. Cloud storage backup can be destroyed unless versioning is implemented.

While the public key is stored on the computer, the private key is stored on the command-and-control server; CryptoLocker demands a payment of US$300, with either a MoneyPak card or Bitcoin, to recover the key and begin decrypting the files. For some victims who paid the ransom, it took six days to get the recovery key.

Infected users also have a time limit to send the payment. The malware threatens to delete the private key if payment is not received within 3 days. If this time elapses, the private key might be destroyed, and your files may be lost forever.

Due to the extremely large key size it uses, files affected by the malware can be considered lost. This ransomware is particularly nasty because infected users are in danger of losing their personal files forever.

Spread through email attachments, this ransomware has been seen targeting companies through phishing attacks.

Targeted files

When you are infected, the server generates the key pair and sends out the public key, which is used to encrypt all your files. The virus stores this 2048-bit RSA public key in the local registry. By the time the notification pops up, it has already encrypted everything; it is silent until the job is done. If they are in fact using the public key to encrypt the files directly, that removes the possibility of any kind of key recovery and also explains why encrypting/decrypting files is extremely slow. That might not be true, though:

I thought I read somewhere that the actual encryption was a symmetric encryption (maybe AES). They created a per-file symmetric key and encrypted that with the RSA public key and stored it inside the encrypted file as a header. Obviously this would be much faster and with a per-file key you can really give up on any kind of decryption effort since you'd have to attack it on a file-by-file basis.

To decrypt, it goes to a C&C server for the private key; the private key only leaves the server upon confirmed payment.

The virus uses the registry to maintain a list of files and paths, so not moving the files around is vital to decryption if you are paying them (CryptoLocker Recap: A new guide to the bleepingest virus of 2013, sysadmin).

The timer it gives you to pay the ransom is real, as multiple users have reported that once the timer ran out, the program uninstalled itself.

The files targeted are those commonly found on most PCs today; the list of file extensions for targeted files includes:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, 
eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, 
p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, 
wpd, wps, xlk, xls, xlsb, xlsm, xlsx

Different versions might have a slightly different set of targeted files, for example:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c, *.pdf, *.tif

Attached drives and networked computers are also vulnerable to the attack. Unless backups are versioned they can be destroyed by encryption.

An approximate calculation of the total ransom collected gives millions of dollars:

Even if we use the extremely conservative estimate of 5000 users per day, which is a no-effort infection rate, this is still 240,000 infections over the roughly ~48 days since the malware went public.

Given the estimated 3% payout rate (which I believe is also conservative), that equals a total earnings to date of $2,160,000 based on two conservative estimates.

Encryption process

Cryptolocker encrypts users' files using a variant of asymmetric encryption, which requires both a public and a private key.

The public key is used to encrypt and verify data, while the private key is used for decryption. The private key exists for a limited time on the C&C server and is deleted if the user does not pay the ransom.

Below is an image from Microsoft depicting the process of asymmetric encryption.

There is nothing new in the encryption process used, other than the ability of the criminals to hide the command and control center, as without the ability to obtain the private key the scheme does not make sense. Here we see an interesting proof of where the NSA guys' focus lies: with the ability to intercept most of the world's traffic they could have stopped this criminal network in a matter of a couple of weeks. But it might well be that this Trojan is not related to matters of national security.

According to the Guardian, 3% of victims pay the ransom. It looks like the process of pushing the private key back is a manual one and can take a week from the payment.

Here is a good description of the process (KernelMode.info):

Feel free to add anything you find that I haven't covered in my notes yet. At least from what I can tell so far, decryption without paying the ransom is not feasible.

Ability to hide command and control center

As the malware has existed for more than a month, it is clear that it has sophisticated mechanisms for hiding the command and control center. The ability to hide the command and control center is by and large based on the greed of domain name registrars, which serve as clear accomplices of these criminals (the ability to use a domain generation algorithm). Here is a description of the process from CryptoLocker - a new ransomware variant (Emsisoft Blog):

If that fails the malware will start generating seemingly random domain names using a domain generation algorithm. This is done by creating a seemingly random string of characters based on the current system time and prepending it to one of the following seven possible top level domains:

If you know the algorithm, you are able to predict which domain name the malware is going to contact on any given day, thus allowing the attacker to set up new domains in case old domains or the abovementioned fixed IP is taken down. At the time this blog post was written, we found the following randomly generated domain names to be active:

Once a suitable command and control server has been found, the malware will start to communicate through regular HTTP POST requests.

Public key used by the malware for communication with its command and control server


HTTP merely acts as a wrapper though. All actual data exchanged during the communication between the bot and its command and control server is encrypted using RSA. The public key used for the encryption of the communication is thereby embedded inside the malware file. Using RSA based encryption for the communication not only allows the attacker to obfuscate the actual conversation between the malware and its server, but also makes sure the malware is talking to the attacker's server and not a blackhole controlled by malware researchers.

File encryption

Decoded initial request to obtain RSA public key used for encryption


Once the system has been successfully infected and a communication channel to the command and control server has been established, the malware will start the encryption process by requesting an encryption key. A typical request includes the version of the malware, a numeric id, the system's network name, a group id as well as the language of the system.

Decoded reply sent by the server to a key request

Here is the WHOIS information for two of the domains mentioned in the Emsisoft post above; both QAAEPODEDAHNSLQ.ORG and XEOGRHXQUUUBT.COM were created on 09-Sep-2013 through PDR Ltd. d/b/a PublicDomainRegistry.com, use the name servers CS1.BIBSSHAREPOINTS.COM and CS2.BIBSSHAREPOINTS.COM, and were placed on client hold by 26-Sep-2013.


Microsoft reports that the following DNS names were used:

In the wild, we've observed the ransomware contacting the following servers, possibly to download the key it uses as part of its encrypting process:

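A defender-side check for the generated-name lookups described above, written here as an added example (not code from this page, Microsoft or Emsisoft). It scores each queried name for the shape seen in the quoted list (a twelve-letter label under one of the seven TLDs that appear there) and for pronounceability, then reports hosts that query several such names in one log. The log line format and the twelve-letter observation are assumptions drawn from the sample names on this page; the real algorithm is not published here.

```python
import re

# TLDs that appear in the CryptoLocker contact-server list reported by Microsoft
# (taken from the domains quoted on this page; the DGA itself is not published here).
DGA_TLDS = (".co.uk", ".biz", ".com", ".info", ".net", ".org", ".ru")

# Observation from the same list: every generated label is exactly 12 lowercase letters.
# Assumption, not a documented property of the malware.
DGA_LABEL_LEN = 12
VOWELS = set("aeiouy")


def split_domain(fqdn):
    """Split 'label.tld' into (label, tld) when tld is one of DGA_TLDS, else (None, None)."""
    fqdn = fqdn.strip().lower().rstrip(".")
    for tld in DGA_TLDS:
        if fqdn.endswith(tld):
            label = fqdn[: -len(tld)]
            if label and "." not in label:      # only a bare second-level label qualifies
                return label, tld
    return None, None


def vowel_ratio(label):
    return sum(ch in VOWELS for ch in label) / len(label)


def longest_consonant_run(label):
    best = run = 0
    for ch in label:
        run = run + 1 if ch not in VOWELS else 0
        best = max(best, run)
    return best


def looks_like_cryptolocker_dga(fqdn):
    """Heuristic: right shape (12 letters plus a known TLD) and pronounceability far below
    what a human-chosen name has. Vowel-rich 12-letter names such as malwarebytes.org pass."""
    label, _tld = split_domain(fqdn)
    if label is None or len(label) != DGA_LABEL_LEN or not label.isalpha():
        return False
    return vowel_ratio(label) < 0.35 or longest_consonant_run(label) >= 5


# Constructed sample of a resolver log; the "time client qtype name" layout is an assumption.
# The DGA-looking names are four of those quoted on this page, the others are ordinary sites.
SAMPLE_DNS_LOG = """\
2013-10-28T09:30:01 10.0.0.15 A www.microsoft.com
2013-10-28T09:30:02 10.0.0.15 A blcusrwmwsce.ru
2013-10-28T09:30:02 10.0.0.15 A cqatmhkbawod.co.uk
2013-10-28T09:30:03 10.0.0.15 A omyfjcovigxw.org
2013-10-28T09:30:05 10.0.0.22 A malwarebytes.org
2013-10-28T09:30:06 10.0.0.22 A softpanorama.org
2013-10-28T09:30:07 10.0.0.15 A xuigfrbtkppw.info
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<name>\S+)$")


def scan_dns_log(text):
    """Return [(timestamp, client, name)] for every query whose name looks DGA-generated."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m and looks_like_cryptolocker_dga(m.group("name")):
            hits.append((m.group("ts"), m.group("client"), m.group("name")))
    return hits


def suspicious_clients(text, threshold=3):
    """Hosts that queried at least `threshold` DGA-looking names. One odd lookup is noise;
    a burst from a single host is the malware walking through the day's generated domains."""
    counts = {}
    for _ts, client, _name in scan_dns_log(text):
        counts[client] = counts.get(client, 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DGA-like query:", *hit)
    print("hosts to isolate:", suspicious_clients(SAMPLE_DNS_LOG))
```

Such a check belongs on the resolver or proxy log rather than on the infected host, because by the time the first generated name resolves the encryption run has usually started.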

Here is an interesting article from TrendMicro that outlines the new methods used (http://blog.trendmicro.com/trendlabs-security-intelligence/latest-pushdo-variants-challenge-antimalware-solution/):

Command-and-control (C&C) server communication is essential for botnet creators to control zombie computers (or bots). To hide this from security researchers, they often use rootkits and other "tricks". However, hiding the network traffic – specifically from monitoring outside an infected computer – is not an easy task, but is something that the botnet creators have improved through the years.

Detecting and blocking C&C communication is one way to protect users against the dangers of botnets. Threat actors know this, thus they have developed different ways to make the C&C communication more resistant to network security products.

In this report, we will discuss how the latest wave of Pushdo variants keep its C&C communication channel under the radar. Known as a spamming botnet, Pushdo/Cutwail was taken down several times in the past. They are also known to distribute ZeuS/ZBOT variants.

Pushdo Hides Among the Crowd

If you are a potential attacker, the best way to not get caught is to blend your communications with normal/legitimate traffic and appear as inconspicuous as possible. Pushdo creators understand this and adopted this strategy into their latest malware.

As shown in Figure 1, these Pushdo variants send out numerous HTTP requests. Among them are requests to the real C&C server. However, most of these requests serve as mere distractions.


Figure 1. PUSHDO Network Traffic Snippet

The malware sample we analyzed contains an encrypted list of 200 domains (see Figure 2). It randomly chooses 20 among them and requests either the root path or the path of "?ptrxcz_[random]". Some of these domains belong to large companies or famous educational institutions, while some are obscure websites. This makes C&C server identification using network traffic analysis more difficult as it can be tough to distinguish real C&C connections among the fake ones.


Figure 2. Decrypted list of the 200 domains

Another by-product of this fake C&C feature is the potential distributed denial-of-service (DDoS) the malware can initiate against the 200 web servers on the list. Though the true intention is not to execute this attack, the huge number of useless requests eats up a lot of bandwidth of these websites.

Sandbox analysis is a popular tool in malware analysis. Many organizations have adopted some kind of automatic sandbox system to detect and block unknown malware. This fake C&C feature, however, poses new challenges to these systems. Before adding a server into the C&C blacklist, a system needs to check the whitelist first. If the whitelist is not good enough, there may be some false positives and inadvertently make legitimate websites inaccessible to users.

Pushdo DGA Complicates Matters

Another noteworthy PUSHDO feature is its domain generation algorithm (DGA). DGA is popular among botnet malware these days. Its purpose is to make malware more resistant to C&C takedowns.

Pushdo in particular uses calendar date as the seed in its DGA and generates 30 domains for each day. It tries to connect to not only domains for a given day, but also all domains generated from days between 30 days earlier and 15 days later. In other words, it may try to connect to 1380 domains each day. It seems most of them are parked domains right now and point to an advertisement page (Figure 3).


Figure 3. Screenshot of Pushdo Generated Domain

This DGA feature can be challenging for behavior and sandboxing analysis. Using sandboxing analysis without reverse engineering the malware and figuring its DGA may not be enough to block C&C communication, as the malware generates different domains for each day.

During our analysis, we effectively monitored Pushdo's C&C using Trend Micro Web Reputation Services feedback. As shown in Figure 4, there were attempts to connect to one of the C&C servers. The query requests came from different locations, suggesting that there are still other computers infected by this malware.


Figure 4. Requests sent to Trend Micro Web Reputation Service

Traditional method of combating malware, such as file-signature detection, may not be sufficient in today's threat landscape. Malware authors and the likes have developed effective tactics against signature-based detection like polymorphism and use of packers.

Monitoring behavior of a malware inside a sandbox is a good approach to address this challenge – but it is not a stand-alone solution. Malware like PUSHDO proves that relying on one solution is not enough. Such technology, coupled with deep analysis and tools like Web Reputation Services, provides more robust protection against these threats.

Prevention

NOTE: this part was updated on May 24 with material from Wanna Cry, which represents the next generation of ransomware and also reached the global epidemic level.

Unlike most Trojans this one does not need Admin access to inflict the most damage. This particular malware does not exploit any vulnerability in the OS. Here are some ideas for proactive prevention of this and similar viruses:

This Trojan explicitly targets backups in addition to files with MS Office extensions and the like (see above). Backups now need to be protected by keeping them offline and putting them online only when the need arises. Network drives should be unmapped. Rotating physical disks is also a good idea.

After a computer is infected, all the malware needs is write access to the files. Below we list some more generic ideas for proactive prevention of this and similar ransomware:

Tighten rules in Windows firewall

There is no reason, for example, to allow your computer/laptop to connect to network printers outside your local network. You can also tighten settings using the Microsoft-provided interface: Windows 7 Firewall: How It Compares Against Other Firewalls.

From viewing the firewall rules table it is clear how insecure Windows is and how many proprietary services enjoy unlimited connectivity, especially updaters for proprietary software, which are for sure full of security holes.

For example, why can Logitech software connect anywhere? It should be limited to logitech.com.

Also, few people use remote SMB services (located somewhere on the Internet). Still, it is enabled. For this worm, restricting port 445 on your firewall is the measure to attempt first.

Backup critical files daily, unmount drive after use, and use non-standard extensions for the backups

Canary in a coal mine method

You can protect your computer based on the fact that ransomware typically accesses files and directories in alphabetical order. This is not a 100% foolproof trick, but it might help to detect the ransomware before it has encrypted your most valuable files.

Create a honeypot directory that comes first on the C: drive (for example A_centinel); chances are that it will be visited by the ransomware first. Put a couple of Linux ISOs into it, compressed with a zip archiver. Then create a small Excel or MS Word document (those two types of files are targeted by all ransomware) that will serve as the canary, with a name that alphabetically precedes those two or three "huge" files, which are there to slow the work down.

Also put the same "canary file" and a "huge" file in your Documents folder as well as in the directory where you store backups. You can do the same trick with other directories with valuable data if you have such. You may change the name, but I doubt that such worms are engaged in the de-duplication business ;-)

After that, write a small script, for example in Perl, which monitors the content of the "canary" file using the Cygwin diff utility or something like that. Run it every 10 minutes or so via the scheduler. If the content of the canary file in any of the "watched" directories changed, send email, flash an alert and shut down or halt the computer.

If you think you need a couple of minutes before the shutdown, to slow the worm down you can replace the "canary" files in all "other" directories with your huge file (do not create new files, as directories might be scanned only once).

Eliminating free memory, for example by launching multiple "dummy" processes (which, say, calculate prime numbers and store them in memory), or free space on the drive can also help. If you use a small SSD as the C: drive on your laptop, you can generate a dummy file so that there is no free space left on the drive. That means that no new file can be written to the disk. On desktops with their huge hard drives this is a more difficult undertaking and does not make much sense, but on a 120GB SSD drive this is a very quick operation.
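A monitor implementing the canary check described above, as an added example (not code from the original page), written in Python rather than Perl. It assumes the canary is named A_canary.docx, that the honeypot directory is the C:\A_centinel from above, that the baseline lives under %ProgramData%\canary and that backups sit in D:\Backups; all of these are assumptions, and instead of diffing against a saved copy with Cygwin diff it compares size and SHA-256 against a recorded baseline, so there is no reference copy for the ransomware to encrypt along with the canary.

```python
"""Canary-file monitor for the "canary in a coal mine" method.

Added example, not code from the original page.  Assumptions not in the
original: canaries are named A_canary.docx, the honeypot directory is
C:\\A_centinel, state lives under %ProgramData%\\canary, and Task Scheduler
runs "python canary_watch.py" every 10 minutes after a one-time
"python canary_watch.py baseline".
"""
import hashlib
import json
import os
import platform
import subprocess
import sys

# Constructed defaults (assumption): one canary in each "watched" directory.
WATCHED_DIRS = [r"C:\A_centinel",
                os.path.join(os.path.expanduser("~"), "Documents"),
                r"D:\Backups"]
CANARY_NAME = "A_canary.docx"
STATE_DIR = os.path.join(os.environ.get("ProgramData", "."), "canary")
BASELINE_PATH = os.path.join(STATE_DIR, "baseline.json")
ALERT_LOG = os.path.join(STATE_DIR, "alerts.log")


def sha256_of(path):
    """Hash in 64 KiB chunks so a large canary never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(canary_paths, baseline_path):
    """Record size and hash of every canary; run once, right after creating them."""
    baseline = {p: {"size": os.path.getsize(p), "sha256": sha256_of(p)} for p in canary_paths}
    os.makedirs(os.path.dirname(os.path.abspath(baseline_path)), exist_ok=True)
    with open(baseline_path, "w") as fh:
        json.dump(baseline, fh, indent=2)
    return baseline


def load_baseline(baseline_path):
    with open(baseline_path) as fh:
        return json.load(fh)


def check_canaries(baseline):
    """Return (path, reason) for every canary that no longer matches the baseline.

    A missing canary counts as tripped as well: some ransomware renames a
    file (appending its own extension) instead of rewriting it in place.
    """
    tripped = []
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            tripped.append((path, "missing"))
        elif os.path.getsize(path) != expected["size"]:
            tripped.append((path, "size changed"))      # cheap test first
        elif sha256_of(path) != expected["sha256"]:
            tripped.append((path, "content changed"))  # same size, new bytes
    return tripped


def respond(tripped, halt=True):
    """Log, flash an alert to logged-on users and (by default) halt the machine.

    Halting is the point of the method: every minute the box stays up is
    another batch of files encrypted.  Use halt=False to alert only.
    """
    lines = ["CANARY TRIPPED: %s (%s)" % item for item in tripped]
    text = "\n".join(lines)
    os.makedirs(os.path.dirname(os.path.abspath(ALERT_LOG)), exist_ok=True)
    with open(ALERT_LOG, "a") as fh:
        fh.write(text + "\n")
    print(text, file=sys.stderr)
    if platform.system() == "Windows":
        # msg.exe pops a box in every session (assumption: present on this edition)
        subprocess.run(["msg", "*", "Possible ransomware activity:\n" + text], check=False)
        halt_cmd = ["shutdown", "/s", "/t", "0"]
    else:
        halt_cmd = ["shutdown", "-h", "now"]
    if halt:
        subprocess.run(halt_cmd, check=False)
    return lines


def main(argv):
    canaries = [os.path.join(d, CANARY_NAME) for d in WATCHED_DIRS]
    if argv[1:] == ["baseline"]:
        take_baseline(canaries, BASELINE_PATH)
        return 0
    tripped = check_canaries(load_baseline(BASELINE_PATH))
    if tripped:
        respond(tripped)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Take the baseline only after the canary and the "huge" files are in place; re-run it whenever you deliberately edit a canary, or the next scheduled check will halt the machine.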

Unmounting the volume with the backup can also help; in this sense storing the backup on USB3 drives is the preferable option (I use Unix terminology, but yes, Windows allows you to put a USB volume offline; Microsoft's own DevCon is the command-line version of Device Manager. See also windows - Remove USB device from command line - Super User).

Tightening of Group Policies

One of the most viable methods for preventing this type of malware from running is to tighten your Group Policy. Details may vary and depend on your level of understanding of Group Policies. Here is one reasonably simple but effective variant that requires no more than a superficial understanding of Group Policies and was created for CryptoLocker prevention.

You get the idea from the description of a tool developed for Cryptolocker:

CryptoPrevent Computer Technician - PC Repair Software Foolish IT LLC

CryptoPrevent is a tiny utility to lock down any Windows OS to prevent infection by the Cryptolocker malware or 'ransomware', which encrypts personal files and then offers decryption for a paid ransom.

Recent Changes:

- v2.2.1 – made changes to prevent duplicate rules from being created when protection is applied multiple times without undoing the protection first. No harm would come from the duplicate rules, but my OCD was bothering me.

- v2.2 – added additional restriction policies to better protect Windows XP against the latest strains – prior versions were not protecting %username%\local settings\application data and their first level subdirectories, but rather only %username%\application data and their first level subdirectories. Along with this comes additional whitelist scanning functionality. Other syntax changes in the rules for better compatibility with all OSes.

- v2.1.2 – added gpupdate /force to force a refresh of group policy after removing prevention via the Undo features. This may negate the need for a reboot after Undo, and resolve issues where a reboot doesn't quite do the trick… Also added a re-test for active protection to determine if a reboot prompt should be displayed after Undo, on the chance that it is still required.

- v2.1 – fixed Temp Extracted EXEs blocks on some systems that refused to work with %temp% in the rules.

- v2.0.1 – fixed whitelisting capabilities not working on some systems since v2.0

There already exists a Cryptolocker Prevention Kit as found here, but it only works with domains and OSes that have access to the group policy editor (Professional versions of Windows), leaving Home versions without a method of protection. It also isn't the most intuitive of installations for the average Joe, either. The methodology CryptoPrevent uses to lock down a system is presented by Lawrence Abrams of bleepingcomputer.com here, and without that guide CryptoPrevent would not exist. Unfortunately, like the other Cryptolocker Prevention Kit mentioned, Lawrence Abrams' guide involves usage of the Group Policy Editor available in Professional versions of Windows, and is a time consuming manual task. CryptoPrevent seeks to alleviate these issues in allowing protection on ALL Windows OSes, while being easy enough for the average Joe to do, and optionally providing silent automation options for system admins and those who need to immunize a lot of computers automatically.

CryptoPrevent is a single executable and is fully portable (of course unless you download the installer based version) and will run from anywhere, even a network share.

Prevention Methodology

CryptoPrevent artificially implants group policy objects into the registry in order to block certain executables in certain locations from running. Note that because the group policy objects are artificially created, they will not display in the Group Policy Editor on a Professional version of Windows - but rest assured they are still there!

Executables are blocked in these paths where * is a wildcard:

The first two locations are used by the malware as launch points. The final four locations are temporary extract locations for executables when run from directly inside of a compressed archive (e.g. you open download.zip in Windows Explorer, WinRAR, WinZip, or 7zip, and execute an .EXE from directly inside the download, it is actually extracted to a temporary location and run from there – so this guards against that as well.)

NOTE: Protection does not need to be applied while logged into each user account, it may be applied only once from ANY user account and it will scan for and protect all user accounts on the system. This is accomplished despite an apparent bug in Microsoft's software prevention policies that does not allow for the %temp% environment variable to be used in the rules (as it does allow %appdata%)… so protection for %temp% folders is now applied by expanding the full path to the user's temp folder in each rule set, and replacing the username with an * in the rules so that a single rule can cover all users. In prior versions, CryptoPrevent attempted to use the %temp% environment variable to protect all user accounts, but it was later discovered that methodology wasn't working on all systems. If you applied protection with prior versions and want temp extracted exes blocked, you may want to reapply protection with v2.2 to ensure it will work for you.

Here are similar ComputerWorld recommendations (computerworld.com):

Here's how to do it:

  1. Open up Local Security Policy or the Group Policy Object editor and create a new GPO. I'll show you how to create two here -- one for Windows XP machines (which use slightly different paths for the user space) and one for Windows Vista and later machines.
  2. Name the new GPO "SRP for XP to prevent Cryptolocker" or something similar for you to remember easily.
  3. Choose Computer Configuration and then navigate through Policies -> Windows Settings -> Security Settings -> Software Restriction Policies.
  4. Right-click Software Restriction Policies and choose New Software Restriction Policy from the context menu.
  5. Now, create the actual rules that will catch the software on which you want to enforce a restriction. Right-click Additional Rules in the left-hand pane. Choose New Path Rule.
  6. Under Path, enter %AppData%\*.exe.
  7. Under Security level, choose Disallowed.
  8. Enter a friendly description, like "Prevent programs from running in AppData."
  9. Choose New Path Rule again, and make a new rule like the one just completed. Use the following table to fill out the remainder of this GPO.
Path                                          | Security Level | Suggested Description
----------------------------------------------|----------------|------------------------------------------------------------------------------------
%AppData%\*.exe                               | Disallowed     | Prevent Cryptolocker executable from running in AppData*
%AppData%\*\*.exe                             | Disallowed     | Prevent virus payloads from executing in subfolders of AppData
%UserProfile%\Local Settings\Temp\Rar*\*.exe  | Disallowed     | Prevent un-WinRARed executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\7z*\*.exe   | Disallowed     | Prevent un-7Ziped executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\wz*\*.exe   | Disallowed     | Prevent un-WinZIPed executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\*.zip\*.exe | Disallowed     | Prevent unarchived executables in email attachments from running in the user space

*Note this entry was covered in steps 5-8. It is included here for your easy reference later.

WinRAR and 7Zip are the names of compression programs commonly used in the Windows environment.

Close the policy.

To protect Windows Vista and newer machines, create another GPO and call this one "SRP for Windows Vista and up to prevent Cryptolocker." Repeat the steps above to create the SRP and create path rules based on the following table.

Path                               | Security Level | Suggested Description
-----------------------------------|----------------|------------------------------------------------------------------------------------
%AppData%\*.exe                    | Disallowed     | Prevent Cryptolocker executable from running in AppData*
%AppData%\*\*.exe                  | Disallowed     | Prevent virus payloads from executing in subfolders of AppData
%LocalAppData%\Temp\Rar*\*.exe     | Disallowed     | Prevent un-WinRARed executables in email attachments from running in the user space
%LocalAppData%\Temp\7z*\*.exe      | Disallowed     | Prevent un-7Ziped executables in email attachments from running in the user space
%LocalAppData%\Temp\wz*\*.exe      | Disallowed     | Prevent un-WinZIPed executables in email attachments from running in the user space
%LocalAppData%\Temp\*.zip\*.exe    | Disallowed     | Prevent unarchived executables in email attachments from running in the user space

Close the policy.

Once these GPOs get synchronized down to your machines -- this can take up to three reboots to happen, so allow some time -- when users attempt to open executables from email attachments, they'll get an error saying their administrator has blocked the program. This will stop the Cryptolocker attachment in its tracks.

Unfortunately, taking this "block it all in those spots" approach means that other programs your users may install from the web, like GoTo Meeting reminders and other small utilities that do have legitimate purposes, will also be blocked. There is a solution, however: You can create ad-hoc allow rules in the software restriction policy GPOs. Windows allows these "whitelisted" apps before it denies anything else, so by defining these exceptions in the SRP GPO, you will instruct Windows to let those apps run while blocking everything else. Simply set the security level to Unrestricted, instead of Disallowed as we did above.

AppLocker

AppLocker is the SRP feature on steroids. However, it only works on Windows 7 Ultimate or Windows 7 Enterprise editions, or Windows 8 Pro or Windows 8 Enterprise edition, so if you're still on Windows XP for the time being or you have a significant contingent of Windows Vista machines, AppLocker will not do anything for you.

But if you are a larger company with volume licenses that is deploying the enterprise editions of the OS, AppLocker is really helpful in preventing Cryptolocker infections because you can simply block programs from running -- except those from specific software publishers that have signed certificates.

Here's what to do:

  1. Create a new GPO.
  2. Right-click on it to edit, and then navigate through Computer Configuration, Windows Settings, Security Settings, Application Control Policies and AppLocker.
  3. Click Configure Rule Enforcement.
  4. Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected from the drop-down box. Click OK.
  5. In the left pane, click Executable Rules.
  6. Right-click in the right pane and select Create New Rule.
  7. On the Before You Begin screen, click Next.
  8. On the Permissions screen, click Next.
  9. On the Conditions screen, select the Publisher condition and click Next.
  10. Click the Browse button and browse to any executable file on your system. It doesn't matter which.
  11. Drag the slider up to Any Publisher and then click Next.
  12. Click Next on the Exceptions screen.
  13. Name the policy something like "Only run executables that are signed" and click Create.
  14. If this is your first time creating an AppLocker policy, Windows will prompt you to create default rules -- go ahead and click Yes here.

NOTE: Also take this opportunity to review the permissions set on your file server share access control lists, or ACLs. Cryptolocker possesses no special capabilities to override deny permissions, so if the user who gets infected is logged into an account that has very limited permissions, the damage will be minimal. Conversely, if you allow the Everyone group Write access for the NTFS permissions on most of your file shares, and you use mapped drives, one Cryptolocker infection could put you into a world of hurt. Review your permissions now. Tighten where you can. Work with your line of business application vendors to further tighten loose permissions that are "required" for "supportability" -- often these specifications are needlessly broad.

Using either an SRP or an AppLocker policy, you can prevent Cryptolocker from ever executing and save yourself a lot of problems.


Restoration of files from backup

The big lesson here is that daily cold-storage backups are very important.

Cryptolocker does not affect Acronis backups, so in this case restoration is pretty straightforward. But this is just an accident. New variants/copycats can well target those extensions too.

A System Restore point is not a REAL option. It keeps the files encrypted; it only restores the system to a point where the malware's files were not present. ShadowExplorer only works IF you have the shadow copy functionality and have it turned on. That means that if you do not have shadow copies turned on and you do a System Restore, the files are lost, and paying for decryption after a System Restore is no longer possible.

The only good way to prevent data loss is to have a BACKUP on a disk/tape which can go back a couple of days, to before the infection.

There are only two options for recovering encrypted files, and both rely on either having System Restore/VSS turned on or having a backup disconnected from the infected machine. Cloud backup solutions without versioning are no good, as they will commit the encrypted files to the cloud.

Using ShadowExplorer gives a better graphical frontend for restoring large amounts of files (though this will not help with mapped drives, you'd need to run it on the server in that case).

Undelete software doesn't work, because the Trojan encrypts the files in place on the hard drive; there is no copying going on.

The first thing to try is Windows shadow copies (computerworld.com):

Mitigation: Previous versions (shadow copies) and ShadowExplorer

If you are unlucky enough to have been infected with Cryptolocker, then there are some mitigation strategies available to you. (Of course, you can always restore from backups as well.) Both strategies involve a tool called Shadow Copies that is an integral part of the System Restore feature in Windows. This is turned on by default in client versions of Windows, and best practices for storage administration have you turning this on manually on Windows Server-based file servers. If you have left this setting alone, you likely have backups right on your computer or file share.

Previous versions

To restore the previous version of a file using the traditional Windows interface, just right-click the file in question and choose Properties. If System Restore is enabled or your administrator has enabled Shadow Copies through Group Policy, you should be able to see the Previous Versions tab in the Properties window. This will list all of the versions on record of the file. Choose a version before the Cryptolocker infection and then click either Copy to export a copy of the file somewhere else, or Restore to pop the backup right where the encrypted file belongs. You can open the files directly from this box too if you are not sure of the exact date and time of infection.

ShadowExplorer

ShadowExplorer is a downloadable free tool that makes it much easier to explore all of the available shadow copies on your system. This is a useful ability when you have a wide range of files infected with Cryptolocker and need to restore a swath of them at once.

When you install and run the tool, you can select the drive and the shadow copy date and time from the drop-down menu at the top of the window. Then, just like in a regular Windows Explorer menu, you can choose the folder and file you want, and then right-click and select Export. Choose the destination on your file system to put the exported shadow copies on, and then you have your backup restored. Of course, this is a previous version, so it may not have the most current updates to your files, but it is much better than having lost them completely or having to pay a ransom for them.

Old News ;-)

[Jun 10, 2014] Massive botnet takedown stops spread of Cryptolocker ransomware by Gregg Keizer

Jun 10, 2014 | Computerworld
The takedown earlier this week of a major malware-spewing botnet has crippled the distribution of Cryptolocker, one of the world's most sophisticated examples of ransomware, a researcher said today.

But replacements already stand in the wings, prepared to take Cryptolocker's place.

"Since last Friday, we've seen no new activity and no new infections," said Keith Jarvis, a security researcher at Dell SecureWork's Counter Threat Unit (CTU), referring to Gameover Zeus, a two-year-old botnet that U.S. and foreign authorities took down in a broad coordinated campaign announced Monday. Gameover Zeus had been the sole distribution channel for Cryptolocker.

.... ... ...

On Monday, the U.S. Department of Justice (DOJ) revealed that it, along with law enforcement agencies in several other countries, including Australia, Germany, France, Japan, Ukraine and the U.K., had grabbed control of the Gameover Zeus botnet. Criminal charges have also been filed against the alleged administrator of the botnet.

... ... ...

Jarvis said that SecureWorks -- which has been in the forefront of analyzing Cryptolocker, and was one of the private security firms that assisted law enforcement prior to this week's take-down -- estimated the Cryptolocker haul at a minimum of $10 million since its debut.

... ... ...

Some victims who refused to pay the ransom incurred significant losses recovering control of their files and restoring files from backups, if they had them. During their investigation, U.S. authorities interviewed numerous Cryptolocker victims; examples cited in court documents said businesses pegged recovery and remediation costs between $30,000 and $80,000.

... "This is a well-written piece of software," said Jarvis. "And they got the encryption right. There are no loopholes and no flaws."

Earlier examples of ransomware were often sloppy, and in some cases their lock-out mechanisms could be circumvented. Not so with Cryptolocker. Once run, it left victims with only two options: Pay the ransom or restore the now-inaccessible data from backups.

... ... ...

[Jun 02, 2014] Wham bam Global Operation Tovar whacks CryptoLocker ransomware & GameOver Zeus botnet

So it took more than half a year (8 months) to get to the bottom; and at the end Symantec researchers "poisoned" the botnet. I think all federal officials in the three latter agencies responsible for that should be fired...
Computerworld Blogs
"Evgeniy Bogachev and the members of his criminal network devised and implemented the kind of cybercrimes that you might not believe if you saw them in a science fiction movie," reported the DOJ.

By secretly implanting viruses on computers around the world, they built a network of infected machines – or "bots" – that they could infiltrate, spy on, and even control, from anywhere they wished. Sitting quietly at their own computer screens, the cyber criminals could watch as the Gameover Zeus malware intercepted the bank account numbers and passwords that unwitting victims typed into computers and networks in the United States. And then the criminals turned that information into cash by emptying the victims' bank accounts and diverting the money to themselves.

Justice Department Assistant Attorney General Leslie Caldwell stated:

Over the weekend, more than 300,000 victim computers have been freed from the botnet – and we expect that number to increase as computers are powered on and connected to the internet this week. We have already begun providing victim information to private sector parties who are poised to assist them. I am also pleased to report that, by Saturday, Cryptolocker was no longer functioning and its infrastructure had been effectively dismantled. Through these court-authorized operations, we have started to repair the damage the cyber criminals have caused over the past few years, we are helping victims regain control of their own computers, and we are protecting future potential victims from attack.

US-CERT (United States Computer Emergency Readiness Team) also issued a GameOver Zeus P2P Malware alert today.

GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011, uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet.

[Jun 02, 2014] Game Over for 'Gameover' Malware

tomsguide.com

Two of the most insidious and widespread types of malware have been "disrupted," and at least one man allegedly behind them has been indicted, according to an announcement today (June 2) by the United States Department of Justice.

In a partnership with security companies, experts and other countries' law-enforcement agencies, the Department of Justice helped orchestrate "Operation Tovar," a mission to identify the criminals behind the Gameover banking Trojan and the botnet it controls, as well as the Cryptolocker ransomware, and sabotage the associated crimeware campaigns.

According to Deputy U.S. Attorney General James Cole, the Gameover operation was successful and the group's alleged leader, Russian citizen Evgeniy Mikhailovich Bogachev, has been indicted by a federal grand jury in Pittsburgh.

Gameover, adapted from the infamous ZeuS banking Trojan after the ZeuS source code was released in 2011, infects Windows computers worldwide and corrals them into a botnet, intercepts users' passwords and other financial information and uses the stolen credentials to make or redirect wire transfers from the bank accounts of infected users to accounts controlled by the criminals behind the malware. According to Cole, Gameover has been implicated in the theft of more than $100 million dollars from American victims alone.

The Gameover botnet has also been identified as the primary distributor of Cryptolocker, a type of ransomware which holds infected computers "ransom" by using encryption to render the files on them unreadable.

The 14-count indictment against Bogachev, who is believed to be in southern Russia, accuses him of acting as the administrator of the Gameover botnet. The counts include conspiracy, computer hacking, wire fraud, bank fraud and money laundering.

At the same time, an Omaha, Nebraska criminal complaint charges Bogachev with conspiracy to commit bank fraud in a separate case involving a variant of the ZeuS malware called "Jabber ZeuS," after the instant-messaging software it used to communicate with its handlers.

A third civil injunction filed by the United States in the Pittsburgh federal court alleges that Bogachev is the leader of a cybercrime gang responsible for creating and operating both Gameover and Cryptolocker.

In addition, the Pittsburgh court also authorized U.S. law enforcement to intercept traffic between computers infected with Gameover and Cryptolocker and the servers controlling these malicious programs. For example, the FBI can collect the IP addresses of computers infected with these types of malware in order to help study them and devise defenses against them.

"At no point during the operation did the FBI or law enforcement access the content of any of the victims' computers or electronic communications," the Department of Justice announcement states.

However, judging by similar situations, it is highly unlikely that Bogachev will actually face trial in the US.

[Jun 02, 2014] Fed Cyber Sleuths Stop 'Gameover Zeus' and 'Cryptolocker' Crime Sprees

ABC News

The Justice Department has disrupted what it calls one of the most sophisticated cyber threats ever, and they are now trying to capture the man behind it all, federal prosecutors announced today.

Over the weekend, federal cyber cops essentially paralyzed a massive computer virus known as "Gameover Zeus," which diverted millions of dollars from companies' bank accounts, and blocked another virus known as "Cryptolocker," which first took control of a user's computer files and then demanded ransom in return for the user's own files, according to federal prosecutors. Both viruses were the work of an overseas criminal gang allegedly run by Russian hacker Evgeniy Bogachev, who is now among the FBI's most-wanted cyber criminals.

"Evgeniy Bogachev and the members of his criminal network devised and implemented the kind of cyber-crimes that you might not believe if you saw them in a science fiction movie," the head of the Justice Department's Criminal Division, Leslie Caldwell, told reporters in Washington. "By secretly implanting viruses on computers around the world, they built a network of infected machines – or 'bots' – that they could infiltrate, spy on, and even control, from anywhere they wished."

Starting in 2011, Bogachev, 30, allegedly used "spear-fishing" – or fake – emails to infect computers with the "Gameover Zeus" virus. Once infected, Bogachev would "hijack computer sessions and steal confidential and personal financial information" that could then be used to funnel money overseas, according to U.S. Attorney for the Western District of Pennsylvania David Hickton.

In October 2011, a Pennsylvania composite materials company was hit, and "within a matter of hours after banking credentials were compromised, hundreds of thousands of dollars were being siphoned from the company's bank accounts," Hickton said.

More than two years later, in November last year, the police department in Swansea, Mass., became a victim of the "Cryptolocker" virus when an employee opened an email that looked like it was from a "trusted source," Hickton said. When "Cryptolocker" strikes, a timer often appears on victims' computer screens, giving them 72 hours to pay hundreds of dollars if they want their files back – from family photos to business records, law enforcement officials said.

In the case of the Swansea police department, the department paid the ransom and contacted the FBI, according to law enforcement officials.

As of April 2014, "Cryptolocker" had attacked more than 200,000 computers, and more than half of those attacks occurred in the United States, Deputy Attorney General Jim Cole said. In addition, in its first two months of operation alone, the criminals behind "Cryptolocker" collected an estimated $27 million in ransom payments from victims, he said.

As for the "Gameover Zeus" virus, security researchers estimate that between 500,000 and 1 million computers around the world have been infected with it, and a quarter of the victims are inside the United States, according to Cole. In total, federal authorities believe U.S. victims, often small and mid-size businesses, have lost more than $100 million to "Gameover Zeus."

Federal authorities believe the man running the Eastern European criminal gang responsible for the two viruses is now in Russia, and they are hoping the Russian government will help bring him to justice.

The Justice Department unsealed criminal charges in Pittsburgh, Pa., and in Omaha, Neb., charging Bogachev with computer hacking, wire fraud, bank fraud, money laundering and other violations of U.S. law.

To keep "Gameover Zeus" from being reconstituted, federal authorities have obtained court approval to redirect communications from "malicious servers" to substitute servers, and both U.S. and foreign law enforcement officials seized computer servers integral to "Cryptolocker," authorities said today.

[Jun 02, 2014] Global police operation disrupts aggressive Cryptolocker virus by Tom Brewster & Dominic Rushe

[Jun 02, 2014] The Guardian

US authorities named Russian national Evgeniy Bogachev as the face of a malicious software scheme responsible for stealing millions from people around the world, after a successful campaign to disrupt two major computer networks.

Digital police from across the globe announced they had seized control over the weekend of two computer networks that had been used to steal banking information and ransom information locked in files on infected computers. But they warned people with infected computers to take action now to prevent further attacks.

US and European officials announced they had managed to crack the malicious software (malware) known as Gameover Zeus that had been used to divert millions of dollars to bank accounts of criminals. The authorities have also cracked Cryptolocker – a malware that shutout hundreds of thousands of users from their own computers and ransomed the data.

... ... ...

The US authorities identified Bogachev, of Anapa in the Russian Federation, as Gameover Zeus's main administrator. At a press conference, deputy attorney general James Cole called him "a true 21st-century criminal who commits cybercrimes across the globe with the stroke of a key and the click of a mouse …These crimes have earned Bogachev a place on its list of the world's most-wanted cyber criminals."

According to the FBI's "cyber most wanted" list Bogachev has been using variants of the Zeus malware since 2009 and communicates using the online monikers "lucky12345" and "slavik". Gameover Zeus (GOZ) started appearing in 2011 and is believed to be "responsible for more than one million computer infections, resulting in financial losses in the hundreds of millions of dollars".

"He is known to enjoy boating and may travel to locations along the Black Sea in his boat," according to the FBI.

The Cryptolocker software locked PC users out of their machines, encrypting all their files and demanding payment of one Bitcoin (currently worth around £300, or $650) for decryption.

It's believed Cryptolocker, which the FBI estimated acquired $27m in ransom payments in just the first two months of its life, has infected more than 234,000 machines.

A chief suspect from Russia has been identified, but is still at large, Troels Oerting, head of Europol's European Cyber Crime Centre (EC3) told the Guardian. He said other arrests related to the operation were "in progress".

The global effort to stop the spread of the Cryptolocker ransomware has focused on its delivery method, GOZ. The malware connected infected machines by peer-to-peer connections – in theory making it harder for the authorities to track and stop.

GOZ was designed to steal people's online banking login details, who were usually infected by clicking on attachments or links in emails that looked innocuous. However, it also dropped Cryptolocker on their computers.

"Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals," said Andy Archibald, deputy director of the NCA's National Cyber Crime Unit.

... ... ...

Not-for-profit body Get Safe Online has worked with the NCA to launch a dedicated section of its website to provide guidance and tools, although at the time of publication the website appeared to be offline.

Behind the scenes, the law enforcement groups have been taking over points of control in GOZ's peer-to-peer network: an action known as "sinkholing" in the security world. By doing this, they have been able to cut off criminal control over the infected computers.

Dismantling peer-to-peer operated malware is difficult, but it has been done before: for example one case of a data-stealing virus called ZeroAccess, which infected as many as 1.9m PCs in 2013.

In that case, security researchers from Symantec managed to send lists of fake peers to infected machines, which meant they could no longer receive commands from the controllers of the malicious network, known as a botnet.

Symantec researchers said today that key nodes in GOZ's network had been disabled, along with a number of the domains used by the attackers.

... ... ...

wombatman -> Worried9876

I read it was hackers from both Russia and Ukraine who started it off; it is just that now the USA has filed a case against just one individual who is Russian (Evgeniy Mikhailovich Bogachev).

http://www.justice.gov/opa/documents/dgzc/complaint.pdf

Clearly however this was not a one-person operation, but cynical people may say the USA would not like to name any Ukrainian defendants in this case. The complaint even names him as the alleged leader of the criminal enterprise.

Ninetto

"Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals,"

...with the exception of the criminals von NSA/NCHQ?

Katagami -> Ninetto

...with the exception of the criminals von NSA/NCHQ?

Oh ffs change the record.

This is about criminal organisations screwing over people like me and you. It's got nothing to do with intelligence agencies collecting data and if anything they should be given some credit here.

Wake up and stop attributing blame to something you (probably) know very little about.

tr1ck5t3r -> Jack Jazz

This only affects Windows PCs.

If people want to install a safe operating system on their computer, Ubuntu has achieved the highest rating out of all the operating systems when reviewed by an arm of GCHQ.

http://www.omgubuntu.co.uk/2014/01/ubuntu-12-04-secure-os-uk-government-gchq

http://www.gchq.gov.uk/press_and_media/press_releases/Pages/new-platform-security-guidance.aspx

And whilst the report focuses on Ubuntu 12.04 LTS, the new Ubuntu 14.04 LTS is available to download with even more privacy and security enhancements.

http://www.ubuntu.com/desktop

It won't cost you a penny.

Sheepless

Very poor publicity by the NCA. It's not merely this article which is confusing: the NCA's own announcement fails to explain the significance of this "two-week opportunity".

wombatman -> Sheepless

The authorities disrupted the command and control (C&C) servers that were managing the major network distributing the GameoverZeuS Trojan and the Cryptolocker ransomware. It's only a matter of time before those behind the botnet set up new C&C servers and regain control. Though that may even happen in days and not the 2 weeks.

Ortho -> wombatman

Yeah, the 'two weeks' thing is just a random estimate. Not at all helpful.
What they should be saying is 'get your computer protected NOW- and keep it up to date in future'.

jungle_economist

On AVG there is a blog post from October 2013 detailing how this came to light Sep'13. Someone above wrote "Symantec may be able to act that fast..." Almost a year after the fact?? Seriously - who is this targeted at?

tr1ck5t3r -> jungle_economist

Some viruses have been undiscovered for several years.

Antivirus is next to useless for zero day exploits.

RobDeManc

It's my belief that these viruses come from the security software houses. It is their way of keeping us buying their software. LOL

I don't see what difference 2 weeks will make.

Paul Tunstead -> RobDeManc

Wow, you're onto how big pharma works, well done you.

consciouslyinformed -> RobDeManc

And who says a little suspicion does anyone harm? I agree with your concerns, and have stated comments like yours. Worked in marketing companies for a few years prior to university, and this is indeed the type of gnarly stuff companies do, in order to continue making $$$$ from established customers!!


Doosh79

Meh, worst case it needs a fresh install, anyone with half a brain should have back-ups of important stuff.

Ortho -> Doosh79

The sort of person who doesn't have adequate protection is often the same sort of person who, when you ask about what they use for backing up, says, 'backing up?'.

NoToNeo -> Doosh79

Installing is time consuming. You need everything you are used to as well as the OS. It takes me about 2 weeks to get a formatted drive back to how I like it by re-installing everything.

No hassle with Clonezilla though (about 1 hr to get my machine back). Don't even need to install anything. Just image regularly.

EazyGoinKingCheese

Unfortunately - if you are already infected, as soon as you connect your memory stick or external drive, the trojan will start encrypting its content.

Cryptolocker – An Executive Infection

October 28, 2013 | RobPickering.com

On Monday morning, I got a call from one of our Executives telling me that his home computer was displaying a strange message and asking for some assistance. I asked what was displaying on the screen and he responded, "It's asking for me to pay them money to get my files". After listening to Steve Gibson's (@SGgrc) and Leo Laporte's (@leolaporte) Security Now podcast from last Wednesday (#427: A Newsy Week), I dreaded the answer to my next question. "Please read me what it says on the screen, " I asked. He responded with, "Your personal files are encrypted! Your important files encryption produced on this computer…", oh no…

My Executive's personal home computer had been infected with Cryptolocker. This is what the screen looked like (pardon the poor quality, these are camera phone shots):

CLWelcome

I knew what I was facing because of Steve's excellent description of the problem. I also knew we probably needed to pay the ransom to get my Executive's personal files restored. However, I wanted to get more information about protecting our Enterprise, as well as more information on how the decryption and payment operated. So, off to Google…

I found a really good and thorough discussion of the Cryptolocker infection on BleepingComputer.com. They do a great job breaking down a lot of the information and providing some resources for Enterprises to combat the virus. They also have a VERY active support forum with over 85 pages of updates including over 1200 posts dating back to September 6, 2013.

So, I absorbed a lot of that information and set my team to work. I also sent someone over to my Executive's home to work with him on recovery. The rest of this post is what we've done and our plans for the future.

Each computer's infection has a Command / Control server that holds the public (and private) keys that were used to transmit the actual encryption key used to encrypt your files. This server's operation is critical to the successful recovery of your personal (or business) files. So if it goes offline (or is taken offline) before you can pay the ransom, the key is lost. If you try to work around the infection, you risk the client telling the server to delete the key.

The Command / Control server is one of many that the software uses, the one for this infection was "http://eyebjjtyvkaulgh.org" and is presented on an information screen by the infection. Knowing that the Malware could get removed by anti-malware software, they provide a download link to the De(en)cryption software, so you can reinstall it. Nice! You'll also notice the file icon which is a link to a file stored on your local hard drive that lists all of the files that were encrypted.

CLCommand

I decided to look up some information about that URL:

  1. According to DNS, the host resolves to the IP address 50.116.8.191
  2. According to WHOIS, the domain was registered with a Private Registration (no surprise) in Queensland, AU on October 26, 2013
  3. According to WHOIS, the DNS servers for the domain are: (ns1.happilyresist.com and ns2.happilyresist.com), most likely just the hosting providers stock servers.
  4. According to ARIN, the IP address is owned by Linode, a Virtual Server hosting provider located in Galloway, NJ

Based on the date of the registration, I suspect the domain was registered specifically for this infection, as that timing is suspiciously close to the date of the actual infection. If I'm right, that means that each infection has its own Command/Control server dedicated to it. The reason for the ransom countdown is that they only want to pay for the Command/Control server for a short time, and then they delete the entire server instance when the time expires, not just the key.

This is the HTML of our Command / Control Server, you can use some of the more unique strings found on this page to search Google for these servers, there is at least one other I found that is currently online. Also, note that the text and the background colors are the same. You have to highlight the page to see the text:

<html>
<body style="color: #0F0; background-color: #0F0;font-size:10%">
<h1>Temporary notes:</h1>
<ul>
<li>
<b>You cannot restore files after time has expired!</b> Setting the system clock back will not help you!<br/><br/>
Uninstall action and expiry time controlled by server, your key pair destroyed after uninstall (time has expired)! <h2>You can't control it!!!</h2>
After <u>uninstall</u> (if you try reinstall) you obtain a new key pair from server.<br/><br/>
<h2>You can reinstall software only if time has not expired!</h2><br/><br/>
</ul>
Uninstall temporary disabled.<br/>
Soon will be available the decryption service... Stay with us :)
</body></html>

There were only two payment options available: MoneyPak or Bitcoin.

CLPayment

The Bitcoin address for the payment was 1AXgfzpiimunqsrSFn2qgM8YgKGqqgPwU4 (hasn't been used, as it was most likely uniquely created just for this infection). We ended up purchasing a "Green Dot MoneyPak" and submitting it for payment of our ransom.

CLMoneyPak

The infection provides lots of helpful instructions on how to buy and use a MoneyPak. It provided similar instructions on "Getting Started with Bitcoin" and how to make the payment. All very educational! Once payment was made, the following screen appeared:

CLPaymentActivation

At this time, you are awaiting the payment to be accepted and, hopefully, the decryption to begin. According to the screen the payment confirmation is a manual process and could take up to 2 days to process. Then of course, the decryption itself is going to take a while.

After waiting for approximately 2-3 hours, our payment was processed and the system automatically started decrypting files. It provides a window showing you what directory it's working in and a list of the files that have been scanned and "recovered".

CLFileDecryption

Also, there is now a file on your Desktop called "Your Private Key.bin", which is presumably the encryption key. I took a look at the file, but it's a binary key, so not terribly useful. We archived a copy of it just in case.

Oddly, when scanning system directories (like "Program Files") the "Files recovered" doesn't increase, but the "Files scanned" does. The implication is that it's scanning the entire drive again. Why? I'm not sure. We know the virus has a list of all of the files it encrypted, there shouldn't be a reason to re-scan the whole drive(s), just decrypt all of the files in the list it already made.

At this point, I'm a bit nervous about the outcome. I've read where after decryption ends, the system BSODs, or reboots. If you let it reboot, it re-infects your system and you're back to Square 1. However, I know for a fact that the decryption is happening because documents on the Desktop that were encrypted (and the icons changed because the file extension changed) are back to normal.

During the course of the decryption, we did log a few errors (3 I believe), these appeared to be Microsoft Office temporary files (autorecovery files actually), and I believe the tilde (~) in the file name is what caused the decryption to fail. The tilde is a special path character in Linux/Unix, and perhaps the decryption library doesn't handle them correctly (although they appeared to encrypt fine!).

CLErrors

The decryption finally finishes and you're presented with this screen:

CLDecryptComplete

At this point we have no idea what the software is doing. If you click Cancel we're unsure what the software will do (it says it will delete itself), of course, for all we know the software is re-encrypting the whole drive as the system is sitting there. We opted to power off the system without interacting with the software at all. This seemed to be the best solution. We then pulled the drive from the system and are mounting it to an off-net (non-Windows) computer for file recovery.

I'll post progress updates as we have them.

Why are these people doing this? Because crime does pay. The two Bitcoin addresses that were originally used in the early versions of the infection (back in September) were:

The two addresses above amassed 46 and 55 BTC respectively according to BlockChain.info. That's 101 BTC in under 60 days, or $21,000 at today's value. This of course only covers the two known addresses, there are hundreds (or thousands) more. By reading the BlockChain you could explore the addresses that were used to offload the coins out of those addresses, but that is tedious work.

As the great W.O.P.R. once said, "The only winning move is not to play."

[Oct 29, 2013] DNS Sinkhole campaign underway for CryptoLocker - News

A DNS sinkhole campaign is underway and in high gear to block computers infected with CryptoLocker from reaching the malware's Command & Control servers. A DNS sinkhole is a method used by security researchers to monitor Botnets and to block communication between an infected computer and its Command & Control server. This method is now being used against CryptoLocker, a file encrypting ransomware that requires a $300 USD ransom from victims in order to get their files back. We have been monitoring and helping CryptoLocker victims since its release in early September. This infection has been devastating for its victims.

For quite a while, we have noticed that an unknown organization has started redirecting, or sinkholing, CryptoLocker domains to sinkdns.org hostnames. When CryptoLocker attempts to communicate with certain domains it will instead be sent to a server hosted in the sinkdns.org domain. The connection will also contain the HTTP headers "Server: You got served!" and "X-Sinkhole: malware cryptolocker sinkhole". By sinkholing the domains, communication between an infected computer and the malware's Command & Control server is not able to take place. If CryptoLocker is unable to communicate with a C&C server and receive a public key used to encrypt files, it will endlessly loop till it can. By breaking this communication, security researchers aim to halt CryptoLocker before it further encrypts other infected computers' files.

Unfortunately, this sinkhole is not completely successful at this time. Tests have shown that CryptoLocker will eventually find a non-sinkholed hostname that is part of its Domain Generation Algorithm and begin encrypting the files. Furthermore, in order for a person to pay the ransom and decrypt their files they will need to be able to reach one of the infection's C&C servers. If all its domains become blocked, then affected users will no longer be able to pay the ransom if they wish to do so. As you can see this is a double-edged sword.

At this time no organization has taken credit for the sinkhole campaign. If anyone has any information on the sinkdns.org domain, please let us know here. For more information about CryptoLocker, please see this guide: CryptoLocker Ransomware Information Guide and FAQ.
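The two observations above (sinkholed lookups land in sinkdns.org; the malware falls back to other names from its domain generation algorithm) translate into two simple resolver-log checks. The following PowerShell is an added example, not BleepingComputer's code: the log lines are constructed for the example, eyebjjtyvkaulgh.org and happilyresist.com are the names quoted elsewhere on this page, the other names and addresses are made up, and the consonant-run test is a crude heuristic with an assumed threshold.

```powershell
# Added example, not BleepingComputer's code: two checks a defender can run over resolver
# logs while a sinkhole campaign like the one above is active. Log lines are constructed
# (time, client, queried name, answer); eyebjjtyvkaulgh.org and happilyresist.com come
# from this page, the rest is made up. Adapt the regex to your own resolver's format.
$dnsLog = @'
2013-10-29T08:01:12 10.0.5.17 www.example.com 93.184.216.34
2013-10-29T08:01:15 10.0.5.17 eyebjjtyvkaulgh.org 50.116.8.191
2013-10-29T08:01:16 10.0.5.17 qkzvtrmxbplw.net sink3.sinkdns.org
2013-10-29T08:02:40 10.0.5.22 happilyresist.com 198.51.100.7
2013-10-29T08:02:41 10.0.5.22 mail.example.com 93.184.216.35
'@ -split '\r?\n'

function Get-MaxConsonantRun {
    # Longest run of consonants in a label. Machine-generated names such as
    # "eyebjjtyvkaulgh" tend to show runs that dictionary words almost never do.
    # Crude heuristic with an assumed threshold; whitelist known names before relying on it.
    param([string]$Label)
    $runs = $Label.ToLower() -split '[aeiou0-9\-]+' | ForEach-Object { $_.Length }
    return [int]($runs | Measure-Object -Maximum).Maximum
}

function Find-SuspiciousDns {
    param([string[]]$Lines, [int]$RunThreshold = 5)
    foreach ($line in $Lines) {
        if ($line -match '^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$') {
            $time = $Matches[1]; $client = $Matches[2]; $qname = $Matches[3]; $answer = $Matches[4]
            $reasons = @()
            # 1. A lookup that lands in sinkdns.org means this client asked for a sinkholed
            #    C&C name: the sinkhole cut the connection, it did not clean the host.
            if ($answer -match '(^|\.)sinkdns\.org$') {
                $reasons += 'answer in sinkdns.org (sinkholed C&C name)'
            }
            # 2. Names that look like DGA output, whether or not they are sinkholed yet.
            $run = Get-MaxConsonantRun -Label (($qname -split '\.')[0])
            if ($run -ge $RunThreshold) {
                $reasons += "DGA-looking label (consonant run $run)"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Time = $time; Client = $client; Query = $qname; Answer = $answer
                    Reason = ($reasons -join '; ')
                }
            }
        }
    }
}

# On the constructed log, 10.0.5.17 is reported twice (eyebjjtyvkaulgh.org by the
# consonant-run test, qkzvtrmxbplw.net by both tests); 10.0.5.22 is not reported.
Find-SuspiciousDns -Lines $dnsLog | Format-Table -AutoSize
```

The point of the first check is the one the article makes: a host whose lookups resolve into sinkdns.org is already infected and still needs cleaning and restoring from backup; the sinkhole only buys time. The second check is there because the same article notes that the malware keeps trying other generated names, so flagging the pattern rather than a fixed list catches the ones that are not sinkholed.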

CryptoLocker: Its Spam and ZeuS/ZBOT Connection | Security Intelligence Blog, Trend Micro

CryptoLocker, the latest strain of ransomware, is best known for trying to force users into paying a fee by encrypting certain files and then later offering a $300 decrypting tool. In this entry, we discuss how it arrives and how it is connected with other malware, most notably ZBOT/ZeuS.

We reported earlier that CryptoLocker malware not only blocks access to the infected system, but also forces users to buy a $300 decrypting tool by encrypting certain files. Recently, we were alerted to a spam campaign that we determined to be responsible for CryptoLocker infections. The spammed messages contain malicious attachments belonging to TROJ_UPATRE, a malware family characterized by its having small file size and a simple downloading function.

Using feedback provided by the Trend Micro Smart Protection Network, we searched for information linking CryptoLocker ransomware to this downloader and found a sample email containing a malicious attachment (detected as TROJ_UPATRE.VNA):

Figure 1. Screenshot of spam with malicious attachment

Once this attachment is executed, it downloads another file which is saved as cjkienn.exe (detected as TSPY_ZBOT.VNA). This malware then downloads the actual CryptoLocker malware (detected as TROJ_CRILOCK.NS).

Figure 2. CryptoLocker infection chain

This threat is particularly troublesome for several reasons. First, ZeuS/ZBOT variants are known to steal information related to online banking credentials. The attackers can use the stolen information to start unauthorized banking transactions. Furthermore, because of the CryptoLocker malware, users will be unable to access their personal or important documents.

Notes on CryptoLocker Encryption

Although the ransom note in CryptoLocker only specifies "RSA-2048" as the encryption used, our analysis shows that the malware uses AES + RSA encryption.

RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other key is kept by the user and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information.)

The malware uses an AES key to encrypt files. The AES key for decryption is written in the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it. Unfortunately, the said private key is not available.

For information on which files are encrypted, users can check their system's autostart registry.

registry-editor-cryptolocker

Figure 3. List of encrypted files as seen on system's registry
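The AES-plus-RSA layering Trend Micro describes is worth seeing in working code, because it explains why "the AES key is written in the encrypted file" does not help the victim. The PowerShell below is an added example, not Trend Micro's or the malware's code: the data is an in-memory byte string, and the .NET classes (RSACryptoServiceProvider with RSA-2048 and OAEP padding, Aes in CBC mode) and the "wrapped key || IV || ciphertext" layout are assumptions for the demonstration, not CryptoLocker's real on-disk format.

```powershell
# Added example, not Trend Micro's or the malware's code: the hybrid AES + RSA layering
# described above, on an in-memory byte string. Assumed for the demo: .NET's
# RSACryptoServiceProvider (RSA-2048, OAEP) and Aes (AES-256-CBC); the blob layout
# "wrapped AES key || IV || ciphertext" is illustrative, not CryptoLocker's real format.

# Key pair held by the C&C server. Only the public half is ever handed to the client.
$serverRsa  = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$publicOnly = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$publicOnly.ImportParameters($serverRsa.ExportParameters($false))   # modulus + exponent only

function Protect-Hybrid {
    param([byte[]]$Plain, [System.Security.Cryptography.RSACryptoServiceProvider]$PublicKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()
    $iv = $aes.IV
    # The symmetric key does the bulk work and exists in clear only inside this function.
    $body    = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    # The AES key travels with the data, but wrapped under the RSA public key:
    # 256 bytes for RSA-2048; $true selects OAEP padding.
    $wrapped = $PublicKey.Encrypt($aes.Key, $true)
    $aes.Dispose()
    return ,[byte[]]($wrapped + $iv + $body)
}

function Unprotect-Hybrid {
    param([byte[]]$Blob, [System.Security.Cryptography.RSACryptoServiceProvider]$Key)
    $n       = $Key.KeySize / 8                          # length of the wrapped key
    $wrapped = [byte[]]$Blob[0..($n - 1)]
    $iv      = [byte[]]$Blob[$n..($n + 15)]
    $body    = [byte[]]$Blob[($n + 16)..($Blob.Length - 1)]
    # This is the step the victim cannot perform: unwrapping needs the private exponent.
    # With a public-only key .NET throws a CryptographicException ("Key does not exist").
    $aesKey = $Key.Decrypt($wrapped, $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $aesKey
    $aes.IV  = $iv
    $plain = $aes.CreateDecryptor().TransformFinalBlock($body, 0, $body.Length)
    $aes.Dispose()
    return ,[byte[]]$plain
}

# Constructed sample data standing in for a document.
$document = [System.Text.Encoding]::UTF8.GetBytes('Constructed sample: quarterly report text')
$blob = Protect-Hybrid -Plain $document -PublicKey $publicOnly

# Everything the victim's disk holds: the blob plus the public key. Not enough.
try {
    Unprotect-Hybrid -Blob $blob -Key $publicOnly | Out-Null
    'Unexpected: recovered without the private key'
} catch {
    "Public key only: $($_.Exception.Message) -> the AES key stays wrapped"
}

# The server-side private key unwraps the AES key and the data comes back.
$recovered = Unprotect-Hybrid -Blob $blob -Key $serverRsa
[System.Text.Encoding]::UTF8.GetString($recovered)
```

Reading the two halves side by side shows why the rest of this page keeps returning to backups: the only copy of the AES key that matters is the wrapped one, and unwrapping it is exactly the operation the public key cannot do.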

[Oct 28, 2013] CryptoLocker Recap: A new guide to the bleepingest virus of 2013 | sysadmin (Reddit)

Through group policy you can set a PowerShell logon script to dump any *.exe files found in your users' AppData to a text file. Depending on how many users in your company, you can monitor it by looking through the text files once a day, checking for a folder named after a random string, followed by an exe file.

Appdata\Roaming\3afdef3\34345da.exe for example.

This can provide some early warning and has allowed us to catch a few users running cryptolocker before it had finished encrypting.

For companies with a lot more computers to monitor, you can use splunk to read all your text files for you and report anomalies.

Powershell script below: Make sure to edit the path to save the text file

$date = Get-Date -Format MM-dd-yy
# Edit this UNC path: the share where the per-user listings are collected
$path = "\\**Networksharetosaveto**\$env:USERNAME-$date.txt"
# Every .exe anywhere under the roaming profile, as full paths
$apps = Get-ChildItem -Recurse "$env:USERPROFILE\AppData\Roaming\*" -Include "*.exe" |
    Select-Object -ExpandProperty FullName

# One listing per user and day; -Force creates the file on the first run
if (!(Test-Path $path)) {
    Add-Content -Path $path -Value $apps -Force
}

CryptoLocker Recap: A new guide to the bleepingest virus of 2013 | sysadmin (Reddit)

Minnow:

I had a user yesterday tell me they got a link they were warned was spam, clicked it anyway, the antivirus blocked the site and locked them out for 10 minutes, showed a warning that the AV did that, and tried to click it again anyway before asking me if they shouldn't have done that.

I can't tell if this is an Id10T error or if he is legitimately trying to get out of work for a few days...

===

I found that simply copy/pasting the folder containing Spotify.exe to Program Files allowed it to run. However, it would not update (not unexpected). It did still function, though.

[Oct 28, 2013] CryptoLocker Recap: A new guide to the bleepingest virus of 2013 | sysadmin (Reddit)

I can verify that Spotify is affected [by Group policies which prevent virus from running]

===

I thought I was being diligent last Friday when I put those SRPs in place. I came in Monday to people complaining that Spotify doesn't work.

Here are the exceptions you need to allow spotify to install/run/uninstall:

%appdata%\Spotify\spotify.exe

%appdata%\Spotify\spotifyLauncher.exe

%appdata%\Spotify\spWebInst0.exe

%userprofile%\appdata\LocalLow\Temp\SpotifyUninstall.exe

I also disallowed %userprofile%\appdata\*.exe

and %userprofile%\appdata\local\*.exe just in case.

Also to spare some headaches, windows 7 clients need to be restarted the first time the SRP is applied or they won't work. Subsequent changes only require a gpupdate /force.

*also if you can I would just block all *.zip attachments to emails. I put that in place on Monday and I've already deleted several dozen emails coming in masquerading as financial data, voicemails, government forms, etc that have a .zip with a malicious .exe inside it. I'm willing to deal with the extra step of verifying an email and releasing it from the filter rather than having somebody try to run this shit.

Cryptolocker: How to avoid getting infected and what to do if you are | Computerworld

Don Hancock

Interestingly, I recently "fought" this particular virus with a client of mine. While it had THREATENED that it would delete his "encryption key," in fact his data wasn't affected at all. I merely started in Safe Mode with Command Prompt and then ran msconfig where I found where the "virus" was loading and merely deleted the file. Using explorer.exe showed that all files were actually still present and hadn't been encrypted at all. This is merely a variant of what I call the "FBI Virus" (since that's what it started out as). It prevents you from doing just about anything in Normal Mode. Even in Safe mode, it still launches. This is because it appends your shell= line in the registry to include itself when Windows Launches (which includes Safe Mode). However, starting in Safe Mode With Command Prompt doesn't load the "virus" because you're not using the shell= command line in the registry.
It's really quite simple.
I did have a tech the other day, though, that couldn't run ...Command Prompt; in which case he either had to remove the hard drive from this computer and attach it to another, or boot to some OS from CD (I prefer UBCD since it has a Remote Registry Editor).
My point is, it's not that difficult to remove once you know how it's done.

Voice_ofReason -> Don Hancock

I suspect you didn't run across CryptoLocker itself, but just another variant of the older ransomware apps.

Russell Johnson

Follow the money! Where is law enforcement?

Ramon S

The first thing I do on any Windows system is disable the hide known file extensions option. It is a security problem, it should not be enabled by default, and that feature should not even be there in the first place.
How many times did I come across files named like worddoc.doc.docx just because unknowing users had this option enabled and, for good measure, added the file extension to the file name. Also, telling them to open worddoc.docx always comes back with the complaint that they cannot find the file in the location specified.
Microsoft should release a patch that disables this feature and rips it out entirely.

USASAgencyman

Criminally Misleading From PC Tuneup???

hxxp://pctuneup.org/cryptolocker-virus-removal/

Quote

CryptoLocker virus: is a series of ransomware infections that we have recently classified as extremely dangerous and recommend removing immediately. This page will show you precise instructions on how to remove the CryptoLocker virus.
The CryptoLocker virus hijacks the computer and limits its functionality in an attempt to hold your PC ransom. It will make claims that your access to your computer is limited and other similar warnings and to unlock the encryption the infected user will need to pay a "fine." It is important to note that all of the warnings and messages that come from the CryptoLocker Hijack virus are fake and should be disregarded. However, the CryptoLocker Hijack virus will not allow the computer to work normally until it is completely removed. The CryptoLocker Hijack virus will not go away on its own, action must be taken to remove it. Please see below where we show our easy step-by-step removal instructions for the CryptoLocker Hijack virus.


Hope they don't snag too many with this...

Bruce Hinton

[Oct 25, 2013] CryptoLocker: A particularly pernicious virus, by Susan Bradley

October 24, 2013 | Windows Secrets

Online attackers are using encryption to lock up our files and demand a ransom - and AV software probably won't protect you.

Here are ways to defend yourself from CryptoLocker - pass this information along to friends, family, and business associates.

Forgive me if I sound a bit like those bogus virus warnings proclaiming, "You have the worst virus ever!!" But there's a new threat to our data that we need to take seriously. It's already hit many consumers and small businesses. Called CryptoLocker, this infection shows up in two ways.

First, you see a red banner (see Figure 1) on your computer system, warning that your files are now encrypted - and if you send money to a given email address, access to your files will be restored to you.

CryptoLocker warning

Figure 1. CryptoLocker is not making idle threats.

The other sign you've been hit: you can no longer open Office files, database files, and most other common documents on your system. When you try to do so, you get another warning, such as "Excel cannot open the file [filename] because the file format or file extension is not valid," as stated on a TechNet MS Excel Support Team blog.

As noted in a Reddit comment, CryptoLocker goes after dozens of file types such as .doc, .xls, .ppt, .pst, .dwg, .rtf, .dbf, .psd, .raw, and .pdf.

CryptoLocker attacks typically come in three ways:

1) Via an email attachment. For example, you receive an email from a shipping company you do business with. Attached to the email is a .zip file. Opening the attachment launches a virus that finds and encrypts all files you have access to - including those located on any attached drives or mapped network drives.

2) You browse a malicious website that exploits vulnerabilities in an out-of-date version of Java.

3) Most recently, you're tricked into downloading a malicious video driver or codec file.

There are no patches to undo CryptoLocker and, as yet, there's no clean-up tool - the only sure way to get your files back is to restore them from a backup.

Some users have paid the ransom and, surprisingly, were given the keys to their data. (Not completely surprising; returning encrypted files to their owners might encourage others to pay the ransom.) This is, obviously, a risky option. But if it's the only way you might get your data restored, use a prepaid debit card - not your personal credit card. You don't want to add the insult of identity theft to the injury of data loss.

In this case, your best defense is prevention

Keep in mind that antivirus software probably won't prevent a CryptoLocker infection. In every case I'm aware of, the PC owner had an up-to-date AV application installed. Moreover, running Windows without admin rights does not stop or limit this virus. It uses social engineering techniques - and a good bit of fear, uncertainty, and doubt - to trick users into clicking a malicious download or opening a bogus attachment.

Your best prevention is two-fold:

1) Basic method: Ensure you keep complete and recent backups of your system. Making an image backup once or twice a year isn't much protection. Given the size of today's hard drives on standalone PCs, an external USB hard drive is still your best backup option. A 1TB drive is relatively cheap; you can get 3TB drives for under U.S. $200. For multiple PCs on a single local-area network, consider Michael Lasky's recommendations in the Oct. 10 Best Hardware article, "External hard drives take on cloud storage."

Small businesses with networked PCs should have automated workstation backups enabled, in addition to server backups. At my office, I use Backup Box by Gramps' Windows Storage Server 2008 R2 Essentials (site). It lets me join the backup server to my office domain and back up all workstations. I run the backups during the day, while others in the office are using their machines - and I've had no complaints of noticeable drops in workstation performance.

The upcoming release of Windows Server 2012 R2 Essentials (site) will also include easy-to-use, workstation-backup capabilities. Recently announced Western Digital drives will also act as both file-storage servers and workstation-backup devices.

2) The advanced method: If you have Windows Professional or higher, you can tweak your systems to protect them against CryptoLocker. You'll want to thoroughly test the impact of the settings changes detailed below - and be prepared to roll back to your original settings if needed. (After making some of these changes, you might not be able to install or update some applications.)

All business and Pro versions of Windows include the ability to prevent certain types of software from launching from specific locations. CryptoLocker launches from a specific location and in a specific way (well, for now). By implementing Windows' Software Restriction Policies rules, we can block CryptoLocker from launching its payload in your computer.

Software Restriction Policies (more info) t to other systems. Also, take the extra step of undoing the changes and checking whether the test system still runs as expected. Most important: Back up all systems before making the changes.

To make the changes, click Start/Control Panel/Administrative Tools. Click Local Security Policy and locate Software Restriction Policies under the Security Settings heading. Right-click it and select New Software Restriction Policies. Right-click Additional Rules and select New Path Rule to open the new-rule dialog box shown in Figure 2.

New Path Rule

Figure 2. Creating a new path rule to block CryptoLocker

The following rules block applications such as CryptoLocker from running in the defined locations. For example, the first set of rules applies to the per-user folder %AppData%, which on Vista and later expands to C:\Users\{yourusername}\AppData\Roaming.

Enter the following sets of Path, Security Level, and Description information as separate rules:

For Windows XP, enter the following:

For Windows Vista and higher, use the above settings plus the following:

Additional paths for blocking ZIP-file locations are described in the bleepingcomputer.com CryptoLocker Ransomware Information Guide and FAQ. The following will ensure the virus can't launch from embedded or attached .zip files.

From archive attachments opened with 7zip:

From archive attachments opened with WinZip:

From archive attachments opened using Windows' built-in .zip support:

Figure 3 shows the Software Restrictions Policies section with newly entered rules.

New policies

Figure 3. A completed set of software restriction policies

When you're done entering new rules, reboot your system so that the changes take effect. Again, if you discover you can no longer update some applications or install software, you might need to undo some of these changes. Look in your application event log - or in the admin section - for the specific rule that's misbehaving. (To open the log, click Control Panel/Administrative Tools/Event Viewer; then, in the navigation pane, click Windows Logs/Application. For more on the Event Viewer, see the Oct. 27, 2011, Top Story, "What you should know about Windows' Event Viewer.")

As the malware authors change their tactics, you might need to revisit the rules settings; I'll try to post updates into the Windows Secrets Lounge whenever needed.

For even stronger CryptoLocker protection, those folks with solid IT savvy might want to consider application whitelisting - i.e., setting up a list of applications approved to run on their workstations. All other software installations are blocked. See the National Security Agency (yes, that NSA) document (downloaded PDF), "Application whitelisting using Software Restriction Policies."

Be aware that application whitelisting is a highly advanced tactic. Take some time to determine all allowed applications in order to properly set up application whitelisting.

Once again, keeping your AV software up to date is not a panacea for CryptoLocker. The criminals behind this malware are changing it so quickly that AV vendors can't keep up with the many CryptoLocker variants in circulation. It's up to individual users to stay vigilant about what they click. The bad guys just keep getting badder.

Maybe_Forged comments on Proper Care & Feeding of your CryptoLocker Infection A rundown on what we know.

Maybe_Forged

Owner of an IT company here. We have several hundred clients and I'd like to report what we've dealt with so far.
  1. The primary source of infection is users opening email attachments. Our clients that use MessageLabs or Rackspace for anti-spam/hosted Exchange have not been hit at all. Coupled with Trend Micro blocking new malicious websites, this seems to keep them safe. As you see a layered approach is best but not always foolproof. Some clients that have AV gateways enabled on the SonicWall don't pick this up and I suspect they never will, ultimately proving them to be useless.

We setup a honeypot VM and have been able to get a cryptolocker infection via Java exploits. So ignore Java updates at your peril. The latest version pops up a warning and lets you know not to run.

The creator of this virus is doing his best to defeat traditional AV and it is working. What isn't working for this bastard are spoofed emails if your email server/anti spam is setup and worth a damn.

  2. We have a lot of clients using Network Solutions as their email provider and they have been passing these infected emails with spoofed addresses like it's their business. We are quickly getting our customers off that garbage.
  3. Two, yes two clients out of so many of ours have been hit. One had a backup so we did not pay the ransom and the other had nothing so they paid. All of a sudden now they have money for a real backup solution.
  4. We are using this opportunity to educate our customers on best practices when it comes to doing shit on the internet.
  5. SRP is useless unless you have roaming profiles and we think the best way to implement it is to just whitelist certain programs like Chrome, etc, and deny the rest. For Windows 7 AppLocker has been an amazing tool, though sadly we still have a few organizations running XP.

tl;dr: Get proper anti-spam for your email server/service. It's cheap insurance against users who like to be idiots with attachments. Back up your stuff and test it. Don't wait for a disaster.

bluesoul

Interesting, no prior reports of Java as a vector of infection. I'm not surprised exactly, but that's all the VM did? You're sure that was the vector?

EDIT: Also, roaming profiles and the roaming folder of AppData aren't that intrinsically linked. We have no such setup on our server and the SRP was prevented from running on a VM via the SRP

Maybe_Forged

Correct, it's not a common vector but it uses a .JNLP file as a dropper. I think our engineer said Java u40 and up will provide a security warning and prevent it from running.

[Oct 24, 2013] disturbing_bitcoin_virus_encrypts_instead_of/

October 15, 2013

Sorry to hijack top post in a "best" sort, but the number of infections is getting high enough that some Canadian Bitcoin exchanges are getting multiple requests for Bitcoin from affected users:

On the topic of this post, this is starting to look like just the start of something really, really, bad with Malware for sure. While I feel the need to warn people of the threat, part of me wonders if publicity for this thing will only signal to other Malware authors this is the new effective method...

Doctor_McKay

This thing scares the crap out of me. I have all my important stuff backed up in Dropbox, but since Dropbox is a live backup, I'd be SOL if it starts encrypting everything in my Dropbox folder, which Dropbox then syncs...

I rented a cheap VPS and wrote a Java app to download my Dropbox via OAuth once per day and store it in an AES-encrypted zip with a randomly-generated password stored in a text file encrypted with RSA, for which the private key is in several cold-storage locations.

Overkill? Maybe. But I'm paranoid now.

===

Doesn't Dropbox store multiple versions? So in theory you should still be ok, though I have no idea how many versions and what limitations it has on versioning so a real backup is of course better.

Proper Care & Feeding of your CryptoLocker Infection A rundown on what we know. sysadmin

9/17 EDIT: All 9/17 edits are now covered under Prevention.

10/10 EDIT: Google matches for CryptoLocker are up 40% in the last week, and I'm getting 5-10 new posts a day on this thread, so I thought I'd update it with some interesting finds from fellow Redditors.


10/10 MEGA EDIT: I now have an active CryptoLocker specimen on my bench. I want to run down some things I've found:

10/18 EDIT: Hello arstechnica! Please read through comments before posting a question as there's a very good chance it's been answered.

New developments since 10/15:

A file encrypted twice and decrypted once is still garbage.

The waiting for payment confirmation screen stayed up for 16 days before a decryption began, so don't lose hope if it's been up a while.

The DWORD values in the registry have no bearing on decryption. Renaming an encrypted file to one on the list in the registry will decrypt it. However, I would presume this would only work for files that the virus encrypted on that machine as the public key is different with every infection.

Adding any new matching files to somewhere the virus has access will cause them to be encrypted, even at the "waiting for payment confirmation" screen. Be careful.

Hitting "Cancel" on a file that can't be found doesn't cancel the entire decryption, just that file.

TLDR:

1) If you are still waiting for payment activation after two weeks don't give up; I just got mine 16 days later! Payment servers are still up!

2) The individual file "salts" are not needed for decryption, so if you somehow brute-forced the private key it would work for ALL files, not just one file as some AV vendors are claiming.

3) During the "waiting for payment activation" phase, newly found files are still being encrypted; disconnect all media until payment is activated. It will pause and prompt you if files are missing during decryption.

4) Rebooting does not ruin the "waiting for payment activation" screen if you paid; it still comes back up.

5) Clicking cancel on a "failed to decrypt file" message does not cancel the entire encryption process.

6) Cryptolocker can be 'tricked' into decrypting any file that was encrypted by renaming/matching the file path to a missing file the decryption stopped on and clicking retry; the salts do not matter.

7) Decryption is done in the same order encryption was done, so if you somehow got encrypted twice, it will not reverse itself properly from what I can tell. I was wrong, it did decrypt properly. See update below.

8) ZFS everything. If you care about any of your data, move it to a ZFS-based system, set up hourly snaps for easy versioning in Windows and do offsite replication. Also, pick 2 more backup solutions that aren't CrashPlan.

Full Story: Sysadmin for a SMB here that got hit ~2 weeks ago, had about 1.5 out of 5.5 TB of network shares shredded before I was able to unplug the LAN cable of the offending computer. Turns out our backup solution(s) silently failed since April and we were looking at a staggering amount of data loss. The $300 was a no-brainer, but after 2 weeks of "Waiting for payment activation" I began to lose hope. So much that I tried to deposit the MoneyPak back into my PayPal acct only to be asked for my SSN which I fortunately didn't feel like giving out.

Fast forward 16 days after infection, I rebooted the infected laptop and was greeted by the cryptolocker prompt again (which had previously disappeared after 14 days) and figured I would connect it to guest wifi in the off chance I get activated - 2 hours later: PAYMENT ACTIVATED!! So now I am prompted saying it can't find the first encrypted file on the mapped drives, so I scramble to reconnect the old encrypted drives that have been abandoned and follow the registry export in WinMerge watching it do its magic. After 45 mins it hits the first file it can't find - someone had deleted 8 files from a share! I didn't want to click cancel, as I thought that would cancel the whole decryption process, so I made an asdf text file and renamed it to the missing file+path and it said "FILE NOT ENCRYPTED" but still would not go past it. Here is the interesting part: I copied and renamed a known-encrypted pdf to the name+path of the missing file and it took it without complaint - AND DECRYPTED IT. So that basically proves that the random dword "salts" are not used by decryption, thus confirming what the OP had speculated.

A couple other pointers if you decide/need to pay the ransom: Decryption will halt at any files missing, so don't worry about having the (partially) encrypted drives mapped while it's waiting for payment activation. It's not worth sacrificing any good data at this point. Keep it disconnected from everything on a guest wifi and wait for payment activation before you reconnect to anything important. It was still encrypting any new data introduced to it while waiting for payment activation.

Regularly export your cryptolocker reg key to view the list of encrypted files, save versions of this and use comparison tools like WinMerge to keep track of the decryption/encryption process. Once a file is decrypted, it is removed from the reg key. My reg key was 28 megs at its peak!

I actually tried to get sneaky and copy the encrypted network shares to an external 3TB drive and connect it to the infected computer and share the external drive locally, then map the correct drive letters. Unfortunately cryptolocker saw this as a whole new drive and went in and re-encrypted everything on it again. As of now cryptolocker has successfully decrypted the original network shares, but it currently stopped waiting for the USB drive to be plugged back in. I am curious if it will successfully decrypt a file that has been encrypted twice. My gut reaction would be no, but after seeing how it decrypted the spoofed file/path I am curious. It must be taking some sort of shortcut to encrypting the files if it can move this fast on an old Core2Duo...

I was never comfortable with our NTFS hardware RAID-5 setup for the shared drives. I had actually set up a ZFS SAN (napp-it+OpenIndiana) to move these shares to so we could get snaps/versioning and offsite replication on the shared drives but I never was able to get the GPO maps to work with SAN authentication. Once we got infected, this became a top priority and I sorted out the maps and moved all unencrypted data to the ZFS SAN and switched users over to this.

Anyways, I had been immersed in this thread for the last 2 weeks and figured I would post my experience. Good luck to everyone!

edit: Cryptolocker doing its thing: http://imgur.com/q3XOuDz

UPDATE: I have test-decrypted several files that were encrypted twice and to my surprise they did decrypt successfully with the single decryption pass! This only applies to files that somehow managed to get encrypted twice with the same infection (read: same private key), which may not help that many people. What happened in my situation was that I reintroduced a copy of the encrypted files to the infected system under a different path name and it re-encrypted all of the already-encrypted files.

[Oct 24, 2013] How to remove Crypto Locker

KTTC Rochester, Austin, Mason City News, Weather and Sports

We had a call from a client with a strange virus asking for $300. As IT professionals, we have seen this a million times and suit up to go save the day. We roll out to the client's location as normal, get inside for what we expect to be a 15 minute removal and find the most dangerous virus / malware we have ever seen.

Crypto Locker - How to remove

Crypto Locker is an up-front and honest program. It is not making false claims or trying to make threats it cannot deliver on. That is what makes it so unique when compared to other malware programs out there. Like an arrogant little kid who knows he pulled a fast one over on you and you have no choice but to do what he says.

To sum up, Crypto Locker starts out by putting a big giant warning on your screen that tells you the following.

So how do you remove it?
The answer is... you don't. You pay and hope they actually unlock your files or else you lose your files. Which is the second piece of this virus that makes it so unique. If you pay, they ACTUALLY UNLOCK your files. According to Geek.com:

"Amazingly, paying the Cryptolocker ransom does actually initiate the decryption process."

We have also seen other accounts of payment resulting in unlocked files. Criminals who keep their word are a rare breed indeed. There is obvious risk that you might have a Crypto Locker knock-off, who might take your money and run. So there is no guarantee. However if you have critical data that is locked up in Crypto Locker and you do not have backups (or your backups got locked up as well) then it might be worth the $300 gamble.

What should I NOT do?
DO NOT try to run an anti-virus and remove Crypto Locker. You will be successful in removing Crypto Locker but your files will still be locked up. And once the software is removed, or once the timer runs out, they are not joking when they say no one can unlock the files.

How do I decrypt the files that Crypto Locker encrypted?
The only way to do this is to get the key that was used to encrypt the files. Below are examples of people who have tried to self-decrypt.

"The infected PC no longer shows the dialog box to pay the ransom. The timer ran out and now it is gone. I can find no trace of it, but the files are still inaccessible."

"Unfortunately this case is pretty much hopeless. Removal of the above infection is fairly easy but it won't decrypt encrypted files."

"I just came across the same issue! Nothing is removing it! Please help!!!!"

So far, no one has come up with any way to decrypt the files. This is because RSA-2048 is not a made-up encryption. In fact, no one has ever publicly factored an RSA-2048 key: the RSA Factoring Challenge offered a $200,000 prize for it, and the prize was never claimed before the challenge was discontinued in 2007.

http://en.wikipedia.org/wiki/RSA_Factoring_Challenge

This means that without the key, which the virus maker has, you cannot unlock your files, at least not with any known method that has been developed and is available to the public. There is no known way for the government to do it either. From what we know, the NSA themselves could not unlock your files even if it was a matter of national security!

Can't I use someone elses key?
No. Each infection gets its own RSA key pair, generated on the criminals' server: the public key, sent to your machine, encrypts, and only the matching private key, which never leaves the server, decrypts. A key from someone else's infection is useless for your files. It is also why removing Crypto Locker before the files are unlocked is a problem: the identifier that ties your machine to its key pair on the server is lost with it, so not even the virus maker knows which private key belongs to your files.

This virus is 100% honest from what we can tell, and there is no other known method of retrieving the data other than paying, and then you are hoping the criminals are kind enough to continue to unlock the files. This might not be the news you are looking for but its the truth.

Even if you choose to pay to unlock the files, we highly recommend having the entire machine deleted then reloaded with a fresh operating system. They got in once and they might still be in your computer sitting and waiting for a month or two before they pull another lock down on you.

What can I do to protect myself or my business from Crypto Locker?
The best protection is a robust data backup plan, up to date antivirus and up to date patches from an experienced IT professional. If you have inhouse IT then have them walk you through the disaster recovery plan. If you are a small or medium company then outsource critical functions like this and get a Service Level Agreement which covers complete data loss.

No IT firm/person can eliminate all risk, but with proper planning even the worst scenario can be mitigated.

[Oct 24, 2013] CryptoLocker Prevention

Not tested but the idea to use group policies is right

CryptoPrevent Computer Technician - PC Repair Software Foolish IT LLC

CryptoPrevent is a tiny utility to lock down any Windows OS to prevent infection by the Cryptolocker malware or 'ransomware', which encrypts personal files and then offers decryption for a paid ransom.

Recent Changes:
◦v2.2.1 – made changes to prevent duplicate rules from being created when protection is applied multiple times without undoing the protection first. No harm would come from the duplicate rules, but my OCD was bothering me.
◦v2.2 – added additional restriction policies to better protect Windows XP against the latest strains – prior versions were not protecting %username%\local settings\application data and their first level subdirectories, but rather only %username%\application data and their first level subdirectories. Along with this comes additional whitelist scanning functionality. Other syntax changes in the rules for better compatibility with all OSes.
◦v2.1.2 – added gpupdate /force to force a refresh of group policy after removing prevention via the Undo features. This may negate the need for a reboot after Undo, and resolve issues where a reboot doesn't quite do the trick… Also added a re-test for active protection to determine if a reboot prompt should be displayed after Undo, on the chance that it is still required.
◦v2.1 – fixed Temp Extracted EXEs blocks on some systems that refused to work with %temp% in the rules.
◦v2.0.1 – fixed whitelisting capabilities not working on some systems since v2.0

There already exists a Cryptolocker Prevention Kit, found here, but it only works with domains and OSes that have access to the Group Policy Editor (Professional versions of Windows), leaving Home versions without a method of protection. It also isn't the most intuitive of installations for the average Joe, either. The methodology CryptoPrevent uses to lock down a system is presented by Lawrence Abrams of bleepingcomputer.com here, and without that guide CryptoPrevent would not exist. Unfortunately, like the other Cryptolocker Prevention Kit mentioned, Lawrence Abrams' guide involves usage of the Group Policy Editor available in Professional versions of Windows, and is a time-consuming manual task. CryptoPrevent seeks to alleviate these issues by allowing protection on ALL Windows OSes, while being easy enough for the average Joe to do, and optionally providing silent automation options for system admins and those who need to immunize a lot of computers automatically.

CryptoPrevent is a single executable and is fully portable (of course unless you download the installer based version) and will run from anywhere, even a network share.

Prevention Methodology

CryptoPrevent writes the software-restriction rules directly into the registry keys that Group Policy would otherwise populate, in order to block certain executables in certain locations from running. Because the rules are written there directly rather than through a policy object, they will not display in the Group Policy Editor on a Professional version of Windows, but rest assured they are still there and still enforced!

Executables are blocked in these paths where * is a wildcard:
◦%appdata% and any first-level subdirectories in %appdata% (e.g. %appdata%\directory1, %appdata%\directory2, etc.)
◦%localappdata% (on Vista+) and any first-level subdirectories in there.
◦%temp%\rar* directories
◦%temp%\7z* directories
◦%temp%\wz* directories
◦%temp%\*.zip directories

The first two locations are used by the malware as launch points. The final four locations are temporary extract locations for executables when run from directly inside of a compressed archive (e.g. you open download.zip in Windows Explorer, WinRAR, WinZip, or 7zip, and execute an .EXE from directly inside the download, it is actually extracted to a temporary location and run from there – so this guards against that as well.)

NOTE: Protection does not need to be applied while logged into each user account; it may be applied only once from ANY user account and it will scan for and protect all user accounts on the system. This is accomplished despite an apparent bug in Microsoft's Software Restriction Policies that does not allow the %temp% environment variable to be used in the rules (while it does allow %appdata%), so protection for %temp% folders is now applied by expanding the full path to the user's temp folder in each rule set and replacing the username with an * in the rules, so that a single rule can cover all users. In prior versions, CryptoPrevent attempted to use the %temp% environment variable to protect all user accounts, but it was later discovered that methodology wasn't working on all systems. If you applied protection with prior versions and want temp-extracted EXEs blocked, you may want to reapply protection with v2.2 to ensure it will work for you.
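The Windows Secrets walk-through earlier on this page (New Software Restriction Policies, then New Path Rule in the Local Security Policy console) and CryptoPrevent's description just above are two routes to the same mechanism: Software Restriction Policy path rules stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, where each Disallowed rule is a {GUID} subkey of 0\Paths holding ItemData, SaferFlags, Description and LastModified. The PowerShell below is an added example, not code from Windows Secrets, Foolish IT or this page. The rule list is this example's own reconstruction of the locations the page names (the article's exact rule tables are not reproduced above); the temp-folder paths are spelled out with a * in place of the user name as CryptoPrevent describes, because %Temp% is unreliable in SRP rules; the paths are for Vista and later; and the ExecutableTypes list is the console's default.

```powershell
#Requires -RunAsAdministrator
# Added example (not from Windows Secrets, CryptoPrevent or Softpanorama):
# writes SRP "Disallowed" path rules into the policy hive that the Local
# Security Policy console and CryptoPrevent both populate. Try it on a
# throwaway VM first and back the machine up, as the Windows Secrets text says.

$CodeIdentifiers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DisallowedPaths = "$CodeIdentifiers\0\Paths"   # security level 0 = Disallowed

function Initialize-SrpPolicy {
    # Baseline the console writes for "New Software Restriction Policies":
    # default level Unrestricted (0x40000), enforce for executables but not
    # DLLs (TransparentEnabled = 1), all users (PolicyScope = 0), default types.
    if (-not (Test-Path $CodeIdentifiers)) { New-Item -Path $CodeIdentifiers -Force | Out-Null }
    if ($null -eq (Get-ItemProperty -Path $CodeIdentifiers -Name DefaultLevel -ErrorAction SilentlyContinue)) {
        Set-ItemProperty -Path $CodeIdentifiers -Name DefaultLevel       -Value 0x40000 -Type DWord
        Set-ItemProperty -Path $CodeIdentifiers -Name TransparentEnabled -Value 1       -Type DWord
        Set-ItemProperty -Path $CodeIdentifiers -Name PolicyScope        -Value 0       -Type DWord
        Set-ItemProperty -Path $CodeIdentifiers -Name ExecutableTypes    -Type MultiString -Value @(
            'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP','LNK',
            'MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
    }
    if (-not (Test-Path $DisallowedPaths)) { New-Item -Path $DisallowedPaths -Force | Out-Null }
}

function Add-SrpDisallowRule {
    param([Parameter(Mandatory)][string]$Path, [string]$Description = '')
    # Re-running must not pile up duplicate rules (CryptoPrevent's v2.2.1 fix).
    # Read ItemData unexpanded: Get-ItemProperty would expand %AppData% and the
    # comparison against the raw rule text would never match.
    $dup = Get-ChildItem -Path $DisallowedPaths | Where-Object {
        $_.GetValue('ItemData', $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames) -eq $Path
    }
    if ($dup) { Write-Verbose "Rule already present: $Path"; return }
    $key = New-Item -Path $DisallowedPaths -Name ('{' + [guid]::NewGuid().ToString() + '}')
    # ItemData is REG_EXPAND_SZ so %AppData%-style variables expand at check time.
    Set-ItemProperty -Path $key.PSPath -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key.PSPath -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $key.PSPath -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $key.PSPath -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Rule set reconstructed for this example from the locations the page names;
# Vista-and-later paths (XP keeps these under "Local Settings\Application Data").
$userTemp = "$env:SystemDrive\Users\*\AppData\Local\Temp"   # * for the user name, as CryptoPrevent does
$rules = @(
    @{ Path = '%AppData%\*.exe';        Description = 'CryptoLocker: no .exe in Roaming AppData' },
    @{ Path = '%AppData%\*\*.exe';      Description = 'CryptoLocker: no .exe one level below Roaming AppData' },
    @{ Path = '%LocalAppData%\*.exe';   Description = 'CryptoLocker: no .exe in Local AppData' },
    @{ Path = '%LocalAppData%\*\*.exe'; Description = 'CryptoLocker: no .exe one level below Local AppData' },
    @{ Path = "$userTemp\7z*\*.exe";    Description = 'No .exe run straight out of a 7-Zip archive' },
    @{ Path = "$userTemp\Rar*\*.exe";   Description = 'No .exe run straight out of a WinRAR archive' },
    @{ Path = "$userTemp\wz*\*.exe";    Description = 'No .exe run straight out of a WinZip archive' },
    @{ Path = "$userTemp\*.zip\*.exe";  Description = 'No .exe run straight out of an Explorer zip folder' }
)

Initialize-SrpPolicy
foreach ($r in $rules) { Add-SrpDisallowRule @r }
gpupdate /force | Out-Null   # CryptoPrevent's v2.1.2 trick; a log-off or reboot is the sure way
Write-Host "Applied $($rules.Count) SRP path rules under $DisallowedPaths"
```

Because the script writes the registry keys directly, it works on Home editions too, exactly as CryptoPrevent does, and for the same reason the rules will not appear in the Local Security Policy console. When an installer later refuses to run, the block is recorded in the Application log as event ID 866 from source SoftwareRestrictionPolicies, naming the path and the rule that fired, which is the entry the Windows Secrets article tells you to look for. On a domain-joined machine a GPO that defines its own SRP replaces this hive at the next policy refresh, so there the rules belong in the GPO rather than in a local script.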

[Oct 24, 2013] Cryptolocker ransomware found on campus

October 14, 2013 | University of Wisconsin-Madison

The Office of Campus Information Security (OCIS) is aware of a relatively new ransomware trojan actively attacking campus users and computers. The ransomware is commonly called Cryptolocker, but is detected as Trojan.Ransomcrypt by Symantec or Trojan:Win32/Crilock by Microsoft.

Like all file encrypting ransomware, Cryptolocker's goal is to encrypt your data and try to sell it back to you, or else. Unfortunately, the bad guys that wrote Cryptolocker did something that other ransomware has not always managed–they got their encryption right. Once your files are encrypted, there is no way to decrypt them without paying the ransom.

Cryptolocker uses standard malware attacks to get itself on your computer: social engineering emails with the trojan attached, drive-by downloads from infected web sites, and inclusion in additional malware downloaded by other trojans already infecting a computer (botnets).

Antivirus applications are detecting Cryptolocker, but are struggling to successfully block it before it encrypts files.

What can I do?

Paying the ransom is not recommended, however, once your files are encrypted, the only sure way to get them back without paying up is from a backup. So prevention is much better than a cure.

[Oct 24, 2013] Destructive malware "CryptoLocker" on the loose - here's what to do

nakedsecurity.sophos.com/

What CryptoLocker does

When the malware runs, it proceeds as follows:

1. CryptoLocker installs itself into your Documents and Settings folder, using a randomly-generated name, and adds itself to the list of programs in your registry that Windows loads automatically every time you logon.

2. It produces a lengthy list of random-looking server names in the domains .biz, .co.uk, .com, .info, .net, .org and .ru.

3. It tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds.

4. Once it has found a server that it can reach, it uploads a small file that you can think of as your "CryptoLocker ID."

5. The server then generates a public-private key pair unique to your ID, and sends the public key part back to your computer.

→ Remember that public-key cryptography uses two different keys: a public key that locks files, and a private key that unlocks them. You can share your public key widely so that anyone can encrypt files for you, but only you (or someone to whom you have given a copy of your private key) can decrypt them.

6. The malware on your computer uses this public key to encrypt all the files it can find that match a largish list of extensions, covering file types such as images, documents and spreadsheets.

→ Note that the malware searches for files to encrypt on all drives and in all folders it can access from your computer, including workgroup files shared by your colleagues, resources on your company servers, and possibly more. The more privileged your account, the worse the overall damage will be.

7. The malware then pops up a "pay page," giving you a limited time, typically 72 hours, to buy back the private key for your data, typically for $300. (The price point is surprisingly similar to what it was back in 1989.)

→ With the private key, you can recover your files. Allegedly. We haven't tried buying anything back, not least because we know we'd be trading with crooks.

[Oct 23, 2013] Fiendish CryptoLocker ransomware

The Register

CryptoLocker is similar is some ways to other forms of ransomware, such as the Reveton police Trojan, but it's far more sophisticated in its construction and aggressive in its demands.

The necessary decryption key is never left lying around on host machines. CryptoLocker phones home to a command-and-control server to obtain a public RSA key before it begins the task of silently encrypting files on compromised machines. The same command server also hosts the private key.

Malware that encrypts your data and tries to sell it back to you is not new. As net security firm Sophos points out, CryptoLocker chiefly differs because it uses industry-standard cryptography for malign purposes.

"SophosLabs has received a large number of scrambled documents via the Sophos sample submission system," Sophos explains in a blog post.

"These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption, and that we can help them get their files back," adds the firm. "But as far as we can see, there's no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble."

A video from SophosLab showing the malware in action can be found on the next page. Victims receive little or no indication of problems on an infected machine while the malware is encrypting files in the background.

Re: Already seen this

"You can't kill this virus in normal ways."

So, it manages to run despite having a software restriction policy in place preventing any vaguely executable code from running outside of program files or authorised network shares?

I've been receiving the companies house emails regularly. I've had a few users run them with nothing more harmful than the standard SRP prohibited text since outlook opens attachments in a temp directory, which is not in program files, so it doesn't run and i'm safe despite the users.

Anti virus software is not enough. Stick yourself in a basic SRP and your virus issues will vanish overnight because the users can't run the bloody things if they try.

Secondly, get yourself a copy of Sysinternals from the Microsoft website and use Process Explorer instead of Task Manager and PsKill to kill things instead of the "end task" button in Task Manager. If you want malware dead, don't allow it to gracefully close through a Task Manager request to close. That's just letting it run more instructions. Figure out where the file and all its dependencies are from Process Explorer and then either suspend or terminate it. Take a hash of the file to stick in a network-wide SRP GPO that denies it the ability to run. Zip a copy of the file and email it to your AV vendor. Now you're done and you can delete it.

It encrypts .doc, .dwg etc

So what? In the corporate world those files should be held in some kind of version control and backed up. So at worst you lose a day's work. Network shares? Same thing. They should not be the master, they should be the published version of a document under proper control (also, users don't need write access to *everything*). As for local files that are being worked on; well, those are backed up as well aren't they?

And why the HELL do people open an attachment without first scanning it? When coming in from outside, open it on a machine which has actual work files on it. Are they totally mentally deficient? Run Outlook in a separate VM. Problem solved.

If you are following good procedures, CryptoLocker is minimal risk and the main annoyance will be downtime as the PC is re-imaged. If you are affected by CryptoLocker and want someone to blame, look in the mirror.

Then call MS and ask them why their software is so shit.

I can see this being a serious worry for home users. Top-tip: stop opening random files.

Re: It encrypts .doc, .dwg etc

How naive can you get?! Obviously never worked for a large corporation then. The idea that they do things properly always is just naivety. Release documents will (should) be in a document management system, but there are always many documents which are not.

Reality check

And what about the SMEs, who have lots to lose and are unlikely to have the budget for enterprise level procedures?

Re: It encrypts .doc, .dwg etc

I really hope you're not an IT support guy. Users are .... users... they are not IT experts, the same way that IT experts are not brain surgeons. Yes good practice is always good, but...

Cloud backup

If you have a sync directory, wouldn't it be rather annoying if the files in it were encrypted, uploaded to e.g. DropBox, then synced with your other machines?

It'd be recoverable if you had a cloud locker with version control, but still annoying.

Re: Cloud backup

DropBox has versioning. In fact it's how we got back our Salesperson's files from her laptop when she got this nasty last week.

TkH11

It never ceases to amaze me how many people open and click on links in emails without knowing who they're from. Even my employer (who shall remain nameless) has become infected despite there being a fairly recent and high profile campaign targeting computer security and phishing emails. Some people are just dumb.

Mike Bell

To be fair, a bit of social engineering is involved here by making the file look like something that it isn't (a PDF). Not every user is a geek, but they might know enough to know that PDFs are normally harmless viewable documents. If they possess a little geekiness, they might know that you'd better be dead sure you're running a *very* up-to-date PDF viewer. A little more and they'd know that executables can be camouflaged like this.

I imagine that such a "dumb" user might be tempted to call you and me nerdy geeks who need a life.


DrXym

I was talking to someone a week ago who got a popup in their browser warning they were downloading pirated software and to click to acknowledge this. The sad thing is that while they didn't click, they actually believed the warning to be genuine although it clearly wasn't. I imagine anyone who clicked would be encouraged to pay a "fine" and possibly install "monitoring software" which would just be malware of some kind.

I assume the criminals wouldn't bother with these scams if people didn't fall for them.

Wild Bill

From the detailed breakdown from Bleeping Computer, it appears that the encryption doesn't take place until the virus is able to phone home to one of its many servers, which have their domains automatically created using a Domain Generation Algorithm.

Is there not any software that can block all domains which are obviously gobbledygook and are therefore likely to have been automatically generated by a nasty? It appears DGAs are used by a lot of viruses to phone home, so such a blocklist could be a reasonably good last line of defence for a multitude of arseholery (obviously not getting a virus in the first place is the ideal approach).

Cryptolocker Hijack program - Page 5 - General Security

Education is really the only way to prevent this unfortunately. Without education people will continue to open email attachments they shouldn't, use weak passwords, and provide little or no network security.

These types of encrypting malware are the new breed of moneymakers for malware developers, especially as they can be created by individuals, or small groups, rather than larger organizations. In the past it was rogue anti-spyware programs, but then the credit card/merchant companies caught on and that method was pretty much eliminated. Ransomware, such as this Cryptolock, ACCDFISA, and DirtyDecrypt, are the future as the ransom payments are typically anonymous, are essentially cash, and very difficult to trace. These payment methods are typically MoneyPak, Ukash, and now BitCoins.

As always, I suggest no one pay them if they can avoid it as it just encourages them to continue. On the other hand, I know that not everyone has a backup of their data for whatever reason and that it is necessary to get this data back by any means.

====

Hi,

We have been able to remove this by creating a Kaspersky Rescue Disk: http://support.kaspersky.com/viruses/rescuedisk#downloads

Once booted into this you can use the File Manager and registry editor to remove the start-up entry for this. First browse the registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and locate the random file (this will also show you where on the system this is loading from). Remove this reg entry. You should also check: HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

Once the reg entry is deleted, use the File Manager function to browse to where this file is located and delete this file.

Shut down the rescue disk and boot as normal; this should then boot without the CryptoLocker screen appearing. You should then run a scan with your current AV software or download Malwarebytes: http://www.malwarebytes.org/ and run a scan with this. It may be best to run this scan with the computer in safe mode.

[Oct 23, 2013] CryptoLocker Recap A new guide to the bleepingest virus of 2013

sysadmin

tl;dr: CryptoLocker encrypts a set of file masks on a local PC and any mapped network drives with 2048-bit RSA encryption, which is uncrackable for quite a while yet.

WinXP through Win8 are vulnerable, and infection isn't dependent on being a local admin or having UAC on or off.

MalwareBytes Pro and Avast stop the virus from running.

Sysadmins in a domain should create this Software Restriction Policy which has very little downside (you need both rules).

The timer it presents is real and you cannot pay them once it expires. You can pay them with a GreenDot MoneyPak or 2 Bitcoins, attempt to restore a previous version using ShadowExplorer, go to a backup (including versioning-based cloud backups), or be SOL.

... ... ...

Vectors: In order of likelihood, the vectors of infection have been:

Payload: The virus stores a public RSA 2048-bit key in the local registry, and goes to a C&C server for a private key which is never stored. The technical nuts and bolts have been covered by Fabian from Emsisoft here. It will use a mix of RSA 2048-bit and AES 256-bit encryption on files matching these masks: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c, *.pdf, *.tif

Many antiviruses have been reported as not catching the virus until it's too late, including MSE, Trend Micro WFBS, Eset, GFI Vipre, and Kaspersky. They can further complicate matters by reverting registry changes and removing the executables, leaving the files behind without a public or private key. Releasing the files from quarantine does work, as does releasing the registry keys added and downloading another sample of the virus.

[Oct 23, 2013] Proper Care & Feeding of your CryptoLocker Infection A rundown on what we know. sysadmin

Prevention: As this post has attracted many home users, I'll put at the top that MalwareBytes Pro, Avast! Free and Avast! Pro (defs 131016-0 16.10.2013 or later) will prevent the virus from running.

For sysadmins in a domain environment, one way to prevent this and many other viruses is to set up software restriction policies (SRPs) to disallow the executing of .exe files from AppData/Roaming. Grinler explains how to set up the policy here.

Visual example. The rule covering %AppData%\*\*.exe is necessary for the current variant. The SRP will apply to domain admins after either the GP timer hits or a reboot; gpupdate /force does not enforce it immediately. There is almost no collateral damage from the SRP. Dropbox and Chrome are not affected. Spotify may be affected, not sure. I don't use it.

Making shares read-only will mitigate the risk of having sensitive data on the server encrypted.

Forecast: The reports of infections have risen from ~1,300 google results for cryptolocker to over 150,000 in a month. This virus is really ugly, really efficient, and really hard to stop until it's too late. It's also very successful in getting people to pay, which funds the creation of a new variant that plugs what few holes have been found. I don't like where this is headed.
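To reason about what the two software restriction policy path rules from the post above actually cover, here is an added Python model; it is not code from the post, from the linked guide, or from Windows itself. It expands %AppData% to a constructed user profile path and treats `*` as matching any run of characters within one path component but never a backslash, which is the reading under which the post's "you need both rules" makes sense; that wildcard semantics is an assumption of the model, so verify against the SRP engine before relying on it.

```python
import re

# Constructed location for %AppData% (hypothetical user "alice"); not from the page.
APPDATA = r"C:\Users\alice\AppData\Roaming"

# The two path rules the post says are both needed.
SRP_RULES = [r"%AppData%\*.exe", r"%AppData%\*\*.exe"]


def srp_rule_to_regex(rule: str, appdata: str = APPDATA) -> "re.Pattern":
    """Model an SRP path rule as a regex.

    Assumption: '*' stands for any characters inside a single path component
    and does not cross a backslash; '?' stands for exactly one such character.
    Matching is case-insensitive, as NTFS paths are.
    """
    expanded = rule.replace("%AppData%", appdata)
    pattern = "".join(
        r"[^\\]*" if ch == "*" else r"[^\\]" if ch == "?" else re.escape(ch)
        for ch in expanded
    )
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def matching_rules(path: str, rules=SRP_RULES) -> list:
    """Return the rules whose pattern matches the given executable path."""
    return [rule for rule in rules if srp_rule_to_regex(rule).match(path)]


def would_be_blocked(path: str, rules=SRP_RULES) -> bool:
    """True if at least one disallow rule covers the path under this model."""
    return bool(matching_rules(path, rules))


if __name__ == "__main__":
    # Constructed sample paths; the first two show why each rule is needed,
    # the third shows the limit of the pair (two directory levels deep).
    for sample in (
        r"C:\Users\alice\AppData\Roaming\Abcdefgh.exe",
        r"C:\Users\alice\AppData\Roaming\sub\Abcdefgh.exe",
        r"C:\Users\alice\AppData\Roaming\a\b\c.exe",
        r"C:\Program Files\Dropbox\Dropbox.exe",
    ):
        print(f"{sample}: matched by {matching_rules(sample) or 'no rule'}")
```

The third sample path is the caveat worth keeping in mind: a dropper that nests itself two directories deep under %AppData% falls outside both rules, so a variant that changes its drop location needs an added rule, and a disallow-by-default policy with explicit allow rules is the more robust design.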

CryptoLocker

Re: CryptoLocker (Reply #2 on September 19, 2013, 07:35:20 PM)

We too got hit with this crypto ransomware. It infects the PCs and encrypts the hardware with such a hard encryption that it can't be decrypted by anything right now. There's good and bad news..

The Good news is, you can still get your files by 1 of 2 ways..

1.) Making sure you have system restore points, you can use a piece of software called GhostExplorer which will essentially take a ghost image from a system restore and restore your files to that point. *You will need to back up the crucial files/ docs/ emails* THEN I would suggest reformatting the PC and starting from scratch.

2.) OR you can pay them the $300.00 (which is what we did, because we did not have restore points active) and then they will give you a private key to insert within the time requested and they will decrypt the files and release your PC back. Once it's done decrypting your files, it will uninstall invisibly and remove itself from the PC.. Again back up your files (esp. the email in AppData) and reformat your PC.

Currently there is nothing on the market that is blocking this ransomware. It's nasty and has even gotten senators and state representatives. They have then put an investigation out to the FBI. I'm told (from what I read) that there is a chance if you're infected and PAY.... the FBI could contact you and you will need to help the best that you can.

The BAD news is.. if you don't have $300.00 or system restore turned on.. OR you wait till after the timer... you're screwed.. you lost all your data and can never get it back. The software will delete the secure private key that it encrypted your files with off their server and there will be no way for you to get it back.

From what I've read these guys started with Version 1.0 which charged people $100.00 and have since grown exponentially and have created 2.0. This version charges $300 through a Green Money Card you buy at your local gas station. It's supposedly untraceable. They make approx. 300k+ per month with this scam and it has grown into what we would call a "small business". They do apparently always comply when you call them and are really nice to talk to on the phone.. which is extremely odd since they are scamming you. They tell you on the phone that it's a service they provide to let you know how vulnerable you really are.. and they will legitimately give you back all your files. (Which they really do; oddly enough you can trust them with that.)

They say the best way to prevent this is to have your PCs on a domain, and there is a domain RULE that you can set up when the PC starts that will stop files that are unexpected from running. I'm not 100% sure how this is done as I'm no domain expert.. but it appears as of right now this is the only way to prevent this from happening.

MOST of these scams that people get infected with DO come into a PC via email labeled from USPS or some other supposedly reliable source, but instead it infects the user's PC and starts encrypting files. Also if your PC is on a network and connected to a network drive (on a server) it will grab that hard drive also and encrypt the whole server. Which is basically what happened to us.. Which is why we paid to have it released. I hate doing it.. but it is.. what it is... and they got us... it sucks..

hope this info helps you or someone!

CryptoLocker Trojan

Connection with the C&C server is established through either a hardcoded IP (184.164.136.134, which is down now) or, if that fails, through a domain generation algorithm located at 0x40FDD0 and seeded by GetSystemTime. At this time xeogrhxquuubt.com and qaaepodedahnslq.org are both active and point to 173.246.105.23.

The communication channel uses POST to the /home/ directory of the C&C server. The data is encrypted using RSA. The public key can be found at offset 0x00010da0 inside the malware file.

On first contact the malware will send in an information string containing the malware version, the system language, as well as an id and a group id. In return it receives an RSA public key.

Once a suitable command and control server has been found, the malware will start to communicate through regular HTTP POST requests.

HTTP serves only as a transport wrapper. All real data exchanged between the bot and its command and control server is encrypted using RSA, and the public key used to encrypt this traffic is embedded inside the malware binary. Using RSA for the communication channel not only lets the attacker encrypt the connection between the malware and its server; it also lets the malware verify that it is talking to the attacker's server and not to a virtual lab controlled by malware analysts.

Once the system has been infected and a communication channel to the command and control server has been established, the malware begins the encryption process by requesting an encryption key. A typical request includes the version of the malware, a numeric ID, the system name, a group id and the language of the system.

The key is saved under HKCU\Software\CryptoLocker. If you want to capture the key on your system, the easiest way to do so is to set a breakpoint on CryptStringToBinaryA.
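The C&C description above (hardcoded IP, DGA-generated domains, POST requests to /home/) and Wild Bill's question earlier on this page about blocking "gobbledygook" domains both point at the same detection idea: score hostnames in proxy or DNS logs for DGA-like structure and combine that with the known traffic shape. The block below is an added example, not code from the page's sources; the log lines are constructed, the two domains and the IPs are the ones quoted in the description, and the scoring thresholds are assumptions tuned to those samples.

```python
import math
import re
from collections import Counter

# Constructed sample proxy log lines (method, host, path); not from the page.
# The two domains and the hardcoded IP are the ones the C&C description names.
SAMPLE_PROXY_LOG = """\
POST xeogrhxquuubt.com /home/
GET www.example.com /index.html
POST qaaepodedahnslq.org /home/
GET cdn.example.net /static/app.js
POST 184.164.136.134 /home/
GET mail.example.org /owa/
"""

# Hardcoded and resolved C&C addresses quoted on the page.
KNOWN_CC_IPS = {"184.164.136.134", "173.246.105.23"}

VOWELS = set("aeiou")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text`."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_consonant_run(label: str) -> int:
    """Length of the longest run of non-vowel letters; pronounceable names keep this small."""
    longest = run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return longest


def registrable_label(host: str) -> str:
    """Label directly left of the TLD. Assumes single-label TLDs (.com, .org);
    a public-suffix list is needed to handle .co.uk-style domains correctly."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(host: str) -> int:
    """Heuristic 0..3 score: long label, high character entropy, long consonant run.
    Thresholds are assumptions; tune them against your own DNS baseline."""
    label = registrable_label(host)
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) >= 3.0:
        score += 1
    if longest_consonant_run(label) >= 4:
        score += 1
    return score


def suspicious_requests(log_text: str, threshold: int = 2) -> list:
    """Return [(host, reason)] for log lines worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, host, path = line.split()
        if IPV4_RE.match(host):
            # Direct-to-IP traffic is scored against the known C&C list only.
            if host in KNOWN_CC_IPS:
                hits.append((host, "known C&C IP"))
            continue
        if dga_score(host) >= threshold:
            reason = "DGA-like host"
            if method == "POST" and path == "/home/":
                reason += ", POST to /home/ like CryptoLocker C&C traffic"
            hits.append((host, reason))
    return hits


if __name__ == "__main__":
    for host, reason in suspicious_requests(SAMPLE_PROXY_LOG):
        print(f"{host}: {reason}")
```

Two caveats for anyone running this over real logs: legitimate hostnames with hash-like labels (CDN edge nodes, cloud storage buckets) will score high, so an allowlist and a review step belong in front of any blocking action, and a DGA that produces short or pronounceable labels will slip under these particular thresholds. The value of the check is as a low-cost last line of defence behind mail filtering and execution controls, which is exactly how the comment above frames it.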

• The malware targets files using the following search masks:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

The encryption used on files matching these masks is a combination of RSA and AES. The malware generates a fresh AES-256 key for every file it is about to encrypt and uses that key to encrypt the file content. The AES key itself is then encrypted with the public RSA key obtained from the server, and the resulting RSA-encrypted blob is stored together with the encrypted content inside the encrypted file. Encrypted files are therefore slightly larger than their originals. The malware also records each file it has encrypted under the HKCU\Software\CryptoLocker\Files key; value names are the file paths where "\" has been replaced with "?". Sadly, once the encryption of a file is done, reversing it is not possible: to recover the per-file AES key you need the private RSA key matching the RSA public key that the command and control server generated for the victim's system, and that private key never leaves the command and control server, which puts it out of reach of everybody except the attacker.

Recommended Links

Video of Cryptolocker (Note: many videos on YouTube are fake and promise to remove the virus)

Useful articles

Ransomware

Cryptovirology

DNS

Group policy info

Technical descriptions

Malware Defense History

Wikipedia:

Destructive malware "CryptoLocker" on the loose - here's what to do by Paul Ducklin on October 12, 2013 (Sophos)

CryptoLocker attacks that hold your computer to ransom The Guardian

10 ways to beat CryptoLocker

5 Ways to Keep Your Computer Safe from CryptoLocker Ransomware Virus – QuickTip from CMIT Solutions CMIT Solutions

WannaCrypt makes an easy case for Linux - TechRepublic



Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Last modified: March, 12, 2019