You may be aware of Ransomware – it has been around for a very long time and is nothing new. In essence, Ransomware is a type of Malware which restricts access to the system it infects and demands that a ransom is paid to regain access to the system or data (effectively holding a computer to ransom).
Ransomware can come from a massive number of sources, from automated worms and trojans, through to botnet infections, email delivery/spam, USB drives, websites; the list goes on…
Some variants simply lock a computer until payment is made, others like CryptoLocker actually encrypt the files until payment has been made.
Popular Ransomware of the past includes Winlock, Reveton, AIDS, and recently PRISM variants. A list of the most common types can be found here: http://www.exterminate-it.com/malpedia/ransomware-category/1
Below are some screenshots of commonly seen Ransomware:
Over the last month, a new player hit the Ransomware/Malware field, and to date it is one of the most dangerous versions of Malware that has been encountered. All organisations now need to take action to protect their systems.
It calls itself CryptoLocker and the current infection rate is skyrocketing.
In the last 30 days some vendors’ spam filters quarantined 56.6 million emails that contained a virus as an attachment, and authorities have been powerless to prevent its spread and rising infection rates.
Here’s what you need to know
If you run CryptoLocker, it infects your computer like normal Malware, placing its files in Windows directories and creating registry entries that allow it to restart when you reboot. It also tries to contact its command and control (C&C) server, using a random domain name generation algorithm to find a currently active C&C server.
Some sample CryptoLocker domains might look like this:
Once CryptoLocker contacts its C&C server, it generates a public/private cryptographic key pair for your specific computer, using very strong and standard RSA and AES 2048-bit encryption. The private key is stored only on the attacker’s C&C servers, while the public key is saved in a registry entry on your computer.
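As an added example (not code from the post or from Kiandra), here is a simple defender-side check for the C&C lookup behaviour described above: it scores the registrant label of each queried domain for randomness and flags hosts that receive several NXDOMAIN answers for such names, which is what a machine walking through a domain generation algorithm looks like in DNS logs. The log lines, the 10.0.0.x addresses and the thresholds are constructed assumptions; this is not CryptoLocker’s actual algorithm.

```python
import math
from collections import defaultdict
# Constructed DNS query log (not from the post): time client query rcode.
# 10.0.0.15 plays an infected host probing generated names until one resolves.
SAMPLE_DNS_LOG = """
2013-10-21T16:02:11 10.0.0.15 www.microsoft.com NOERROR
2013-10-21T16:02:12 10.0.0.15 kjqwvbxlmsodeur.com NXDOMAIN
2013-10-21T16:02:12 10.0.0.15 pxoifnebzuaqtl.net NXDOMAIN
2013-10-21T16:02:13 10.0.0.15 yrnsdkwoebtvlpq.org NXDOMAIN
2013-10-21T16:02:14 10.0.0.15 ghzkqmvbwtdfnrs.info NOERROR
2013-10-21T16:02:15 10.0.0.22 stackoverflow.com NOERROR
"""
VOWELS = set("aeiou")
SECOND_LEVEL = {"com", "co", "net", "org", "edu", "gov"}  # as in example.com.au, example.co.uk

def registered_label(domain):
    """'mail.example.com.au' -> 'example': the label a DGA actually randomises."""
    labels = domain.lower().strip(".").split(".")[:-1] or [domain]  # drop the TLD
    if len(labels) >= 2 and labels[-1] in SECOND_LEVEL:
        labels = labels[:-1]                                        # drop com/co/... under a ccTLD
    return labels[-1]

def shannon_entropy(text):
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

def longest_consonant_run(text):
    best = run = 0
    for ch in text:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def looks_generated(domain, min_len=12):
    """Heuristic only: a long label with high entropy, few vowels or a long consonant run."""
    label = registered_label(domain)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return (shannon_entropy(label) >= 3.7 or vowel_ratio < 0.3
            or longest_consonant_run(label) >= 5)

def suspect_hosts(log_text, threshold=3):
    """Hosts with >= threshold NXDOMAIN answers for generated-looking names (a DGA walks many dead names)."""
    hits = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        _ts, client, query, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(query):
            hits[client].append(query)
    return {c: names for c, names in hits.items() if len(names) >= threshold}
```

The thresholds are tuned only to the sample log; in production, pair a heuristic like this with an allowlist of known long legitimate names and review the flagged hosts rather than blocking automatically.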
CryptoLocker then uses that key pair to encrypt many different types of files on your computer. Here’s a list of files CryptoLocker looks for:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.
After encrypting your files, CryptoLocker shows a screen warning you that you have 72 hours to pay $660 USD (2 bitcoins), via bitcoins or MoneyPak, in order to get your files back; if you don’t pay the amount within that time, the price of the decryption service increases significantly from 2 bitcoins to 10 bitcoins. Using current exchange rates and a bitcoin converter (http://preev.com/), you can expect to fork out ~$3,290 USD, which is around $3,500.00 AUD.
How do I get infected by CryptoLocker?
There are a number of ways computers are getting infected; however, CryptoLocker is primarily delivered via e-mail as a malicious attachment or link in a legitimate-looking business email. Previously this was received in the form of fake FedEx, UPS, or delivery company emails, but the latest variants are using specialised tactics and are successfully bypassing a lot of spam filters, so don’t assume that just because you have spam/email filtering you will be safe.
An example Zbot/CryptoLocker email message is:
Within this email is a zip file attachment; contained within that is a double-encoded file pretending to be a PDF but carrying an .exe extension, which infects the system once executed. There have also been reports of infections through websites/drive-by downloads and through some scam sites as well.
Once infected the following is displayed:
What makes this so dangerous is that not only will it encrypt the files on your computer, it will also search out any drive letters it finds, such as corporate network drives, USB drives and similar, and encrypt those as well, devastating company networks.
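As an added example, not from the post: a detector for the two behaviours just described, run over constructed file-modification audit events. It uses a subset of the extension list above, treats a burst of writes to those file types within a short window as suspicious, escalates when the burst spans more than one drive letter (local disk plus a mapped share), and fires immediately when a hypothetical canary document is touched. Host names, paths, the canary path and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Subset of the file types the post lists as CryptoLocker targets.
TARGETED = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".pst", ".dwg", ".pem", ".pfx"}
# Hypothetical decoy file planted on a mapped share; no legitimate process writes to it.
CANARY_PATHS = {r"s:\finance\~do_not_open.xlsx"}
# Constructed file-modification audit events (not from the post): "time host path".
SAMPLE_EVENTS = r"""
2013-10-21T16:30:01 PC-07 C:\Users\alice\Documents\budget.xlsx
2013-10-21T16:30:02 PC-07 C:\Users\alice\Documents\contract.docx
2013-10-21T16:30:03 PC-07 S:\finance\q3_forecast.xlsx
2013-10-21T16:30:03 PC-07 S:\finance\~do_not_open.xlsx
2013-10-21T16:30:05 PC-07 C:\Users\alice\Outlook\alice.pst
2013-10-21T16:31:10 PC-12 C:\Users\bob\Documents\notes.docx
2013-10-21T16:45:00 PC-12 C:\Users\bob\Documents\report.docx
"""

def parse_event(line):
    ts, host, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, path

def extension(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""

def drive_letter(path):
    m = re.match(r"^([A-Za-z]):\\", path)
    return m.group(1).upper() if m else "UNC"

def detect_ransomware(events_text, window=timedelta(seconds=60), burst=5):
    """Alerts per host. Signal 1: a canary file was written. Signal 2: >= `burst`
    targeted files changed within `window`, escalated when they span several drives."""
    recent = defaultdict(deque)           # host -> (time, drive) of recent targeted writes
    alerts = defaultdict(set)
    for line in filter(str.strip, events_text.splitlines()):
        ts, host, path = parse_event(line)
        if path.lower() in CANARY_PATHS:
            alerts[host].add("canary-file-modified")
        if extension(path) not in TARGETED:
            continue
        q = recent[host]
        q.append((ts, drive_letter(path)))
        while ts - q[0][0] > window:      # slide the window forward
            q.popleft()
        if len(q) >= burst:
            drives = {d for _, d in q}
            alerts[host].add("burst-across-drives" if len(drives) > 1 else "burst")
    return dict(alerts)
```

An alert from this logic is the moment to pull the host off the network, as the "If you are infected already" steps below advise; a user saving five documents in a minute is rare but possible, so the multi-drive and canary signals are the ones worth acting on automatically.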
The other thing to note, from Infotech, is that there is absolutely no guarantee you’ll get anything back for your $300 – $660 USD payment. Infotech Solutions has seen it not work at all, or only work after multiple payment attempts (at $660 a pop). In a few cases they worked on, two users had both opened CryptoLocker attachments and the files were effectively “double encrypted”. In other cases, the computer that caught the infection had been “cleaned” before I.T. had a chance to quarantine it. The cleaning process removed the virus, but also the pair of decryption keys stored on the computer that is required to unlock the files.
In this instance, or if the antivirus intervenes, you may need to reinfect your machine with CryptoLocker to get a new key for decryption.
For those who paid and for whom it worked, you will get a screen like the one below:
Sometimes even that fails…
Currently this Ransomware is targeting Windows platforms; infections have been reported on Windows XP, Vista and 7, and we anticipate this will shortly move to Windows 8 and Mac OS platforms.
Can I bypass the system?
Generally speaking, no. Once infection has occurred there is no way to recover those files unless you pay or have backups that predate the infection. Some people have had success using shadow copies to restore; others revert to tape or similar.
“We backup our data every day, so no dramas…right?”
Backup is the only way to recover; however, don’t assume that because you have backups you can recover.
If you aren’t keeping 5 days’ worth of backups at a bare minimum, your chance of recovery is slim. CryptoLocker is very sneaky – it will usually start silently encrypting files late in the afternoon, around 4 or 5 PM, and can run for several days before you either notice some of your files can’t be opened or the CryptoLocker payment screen finally pops up. That means your backups from that time period are toast.
How does Antivirus play a part?
Trend, Symantec, McAfee and Kaspersky all have signatures to catch CryptoLocker, yet every vendor has failed to detect the infection at one point, because CryptoLocker is changing constantly. It would seem that any time the detection rate climbs above 10%, a new variant is released and you are back to a very small chance of detecting it. Antivirus is still a key component of protecting your systems, but it certainly shouldn’t be the only one. An additional system to help prevent/reduce CryptoLocker infections would be an Intrusion Prevention System.
Another thing to note is that running heavily locked-down workstation SOEs (standard operating environments) will also not prevent you from becoming infected, as CryptoLocker doesn’t actually install anything or need admin privileges, and any files that your users have access to modify are susceptible.
How can I prevent becoming a victim?
- Foremost, educate your users! If they don’t visit the malicious site or open the attachment in the first place, this will solve all your issues
- Ensure you have the latest antivirus and that it is up to date
- Utilise additional filtering mechanisms such as Intrusion Prevention Systems or Host Based Intrusion Detection Systems to prevent communication and alert upon infection/changes to systems integrity
- Update all software on your computer, especially Microsoft Office, Adobe products, and Java
- Do not download and install unfamiliar software, even if its maker claims it will prevent Ransomware
- Ensure you have valid, TESTED backups in place
- Deploy CryptoPrevent to the workstations to prevent initial infections, available from here http://www.foolishit.com/vb6-projects/cryptoprevent/
- Deploy the CryptoLocker Prevention Kit Group Policies from here, to prevent spreading of the infection in your environment: http://www.thirdtier.net/downloads (select CryptoLockerPreventionKit.zip)
- Secure your network shares and permissions
If you are infected already…
- As soon as you identify that you have been infected, unplug the computer from the network immediately; it may prevent some files from being encrypted
- You need to figure out what damage has been done. Which files have you lost? Do you have backups of these files? If you don’t have backups, have you checked Windows’ System Restore files, which sometimes automatically back up the computer for you?
- Restore your data
- If you have valid backups, wiping your computer is the best way to remove the infection; however, a lot of antivirus vendors have clean-up tools you can utilise, or you can follow guides such as this one: http://www.bleepingcomputer.com/virus-removal/CryptoLocker-ransomware-information
- If you do not have backups, it is recommended you don’t pay, as this only reinforces that the system works and more and more of these types of Malware will get created. But, where you have no choice, you can attempt to pay… if your antivirus intervenes (which it will most of the time) you can contact the Malware’s fake customer support site via a direct connection to the C&C server’s IP address or through Tor via the f2d2v7soksbskekh.onion/ address
You will be presented with a screen like the below:
Once a payment is made it must have 10-15 bitcoin confirmations before your private key and a decrypter are made available for download. Once these confirmations have occurred, a download link will be displayed that allows you to download a standalone decrypter. This decrypter already has your private decryption key embedded in the program and can be used to scan for and decrypt encrypted files.
More information can be found here: http://www.bleepingcomputer.com/forums/t/512668/CryptoLocker-developers-charge-10-bitcoins-to-use-new-decryption-service/
If you wish to find out what files have been encrypted, you can use this free tool: http://download.bleepingcomputer.com/grinler/ListCrilock.exe
For existing Kiandra clients who have Managed Services Agreements, the appropriate steps will be taken automatically to protect your network, for other clients requiring assistance, please contact the Kiandra Service Desk.