CryptoLocker: Malware that encrypts all your data with an RSA 256 bit AES


Today I heard reports of a new piece of malware that is going around. This one is particularly nasty: it encrypts all of the data on your drive and mapped network drives with an RSA 256 bit AES key. Once encrypted, there is no way to decrypt it. The only way to get the files back is from an off site backup (because if the backup drive is local it also gets encrypted) or to actually pay them the money, after which they apparently decrypt your data.

 


 

A video from Remove-malware.com


 

 

Over the past few days Emsisoft's malware research team has received numerous reports of a new file encrypting ransomware strain. This new family of ransomware is commonly referred to as CryptoLocker or Trojan:Win32/Crilock.A.
Ransom note as presented by CryptoLocker


Like all file encrypting ransomware (also known as crypto malware) the goal of the attacker is to encrypt important files on the victim's system in order to compel them to pay a ransom in return for their files.
Initial infection and establishing communication

Based on the data we have gathered so far, the infection is mainly spread via social engineering techniques. Multiple victims received emails with alleged customer complaints containing an attachment that is in fact a malware downloader. This downloader then downloads and installs the actual CryptoLocker malware. Once CryptoLocker has been downloaded and executed by the downloader, it ensures its automatic start during boot by using the following registry value

 

 

http://blog.emsisoft.com/2013/09/10/cryptolocker-a-new-ransomware-variant/


Yeah I have a client who got this on Monday. Had to restore from backup rather than deal with the encryption. Pretty nasty indeed.


Oh. How rude! Time to make all my network drives read-only! (technically all but 1 - RAID5 can deal with 1) I don't have any other way to practically deal with =P

 

More on topic, I would imagine UAC wouldn't really protect against this at all as it could run in user space and still do a lot of damage! (getting to run is a different story)


Yeah I have a client who got this on Monday. Had to restore from backup rather than deal with the encryption. Pretty nasty indeed.

 

That's the problem, it's amazing they even had backups. 99% of people have no backups. The 1% that actually have backups, they are local and not offsite.


That's the problem, it's amazing they even had backups. 99% of people have no backup.

You are right. The only reason this client had backups was because they called me to get their system straightened out after being neglected for years. Only just a few months ago did I set up a backup with retention.


You are right. The only reason this client had backups was because they called me to get their system straightened out after being neglected for years. Only just a few months ago did I set up a backup with retention.

 

What kind of offsite did you configure for them?


No point in having a backup attached to the machine that you're backing up, in my opinion.

 

No, it's good to have both local and off site. If it's not connected to the machine (not counting online) then it never gets done. It needs to be automatic. But in this case you also have to do off site as well, one that is not connected.


What kind of offsite did you configure for them?

It was a local backup to an external drive on the server. They will also be getting offsite soon though after this close call. 


It was a local backup to an external drive on the server. They will also be getting offsite soon though after this close call.

 

You're lucky the malware didn't crawl to the server drive and encrypt that too, because apparently this malware encrypts mapped drives as well.


You're lucky the malware didn't crawl to the server drive and encrypt that too, because apparently this malware encrypts mapped drives as well.

This malware starts on a client machine and encrypts any data that user has access to which would include the mapped drive the user had but not the local disks on the server. There's another malware that super hides all data in the same way.


 

More on topic, I would imagine UAC wouldn't really protect against this at all as it could run in user space and still do a lot of damage! (getting to run is a different story)

It would to an extent. Basically anything in Program Files would be safe, as long as it is not elevated through UAC. However, all documents, data, etc. would be vulnerable.


Generally speaking, your server shouldn't be getting infected, unless you're using the server? - I would imagine this spreads by "client initiated methods" (email, websites, etc). We have windows 2008 at work, and any backup it creates unmaps any drive letter from the backup drive, so I assume this would be sufficiently well preserved (including the fact it isn't visible over the network)

 

The fact that it checks network drives is what really bothers me. I have my home windows backup set to backup to a network location...so in this case it would whack that backup too. I would guess VERY few people have disconnected/read-only backups.

 

edit: money can be "easily" hidden through some random array of shell companies...or more easily nowadays, any cryptocurrency =/


The malware is pretty funny, but clever. Shouldn't it be easy to bust these guys? Who processes their funds?

 

Malware no longer uses credit cards, but untraced pre-paid money packs.


The malware is pretty funny, but clever. Shouldn't it be easy to bust these guys? Who processes their funds?

I don't see how it's funny? Sure you could argue that everyone needs to have backups, but we live in a world where that is not the case, and people losing their data because of some criminals is not something that I would find funny in any way.


I knew there was a reason I back up ALL my drives to two 3TB hard drives I keep disconnected, both in my office and in a safety deposit box, which get rotated once a month :)

 

Yesterday I went to a customer's house and while I was there I opened up "Syncback" to check how her backups were doing that I set up for her last time I was there. All the backups said "Scan Failure". So I asked her, "Uh, where is your backup drive?" Well, long story short, last time I was there I configured it and told her "go to Walmart and buy a portable external hard drive". Apparently she never did.


I knew there was a reason I back up ALL my drives to two 3TB hard drives I keep disconnected, both in my office and in a safety deposit box, which get rotated once a month :)

You're a smart fella for doing that. The deposit box seems a bit excessive though, unless you're keeping digital copies of invoices and receipts.


You're a smart fella for doing that. Always good to have backups not connected.

 

Correct, for the really important stuff I also use Carbonite.


Malware no longer uses credit cards, but untraced pre-paid money packs.

 

So something like Ukash? If so, then couldn't the people at Ukash do the transaction, then watch it on their end and see where their funds end up?


Remember: If you use something like Windows Home Server, you can configure local backups that are not accessible to the client, which should reduce the damage by this threat.


I don't know if this still applies, but it is encouraging ...

 

The encryption used by the malware is actually RC6 with a simple XOR obfuscation. Since the encryption key is static, decryption of the encrypted file is possible (at least for the variants that I was able to get my hands on). I wrote a small decryption tool that will help you with the decryption of your files. You can download it here:

 

 

If you only have a single hard disk, just download the tool to your Desktop and run it. It will automatically scan your hard disk and decrypt the files it found to be infected without deleting the encrypted originals. You can then check whether the decrypted files open properly. Once you have verified the files were decrypted properly you can delete the encrypted HTML files.

 

If you have more than one hard disk with encrypted files, things are slightly more complicated. To scan and decrypt files on those other hard disks you will have to pass the additional drives as a command line parameter:

  1. Press the R key while holding down your Windows key.
  2. Type in "cmd.exe" and press Enter.
  3. The Windows Command Line prompt should show up.
  4. You first need to switch into the directory where you downloaded the decryption tool to. This can be done using the cd command:
    cd /d "<path>"

    Just replace <path> with the path you downloaded the decryption tool to. If you downloaded it to C:\Users\Administrator\Downloads for example the exact command line to type in should look like this:

    cd /d "C:\Users\Administrator\Downloads"

    If you did everything right you will see that the command prompt changed slightly and now references the download directory.

  5. Run the decryption tool with a list of all your drives you want the tool to scan. If you have a C:, D: and E: drive for example, run the tool like this:

    decrypt_mblblock.exe C:\ D:\ E:\

    Please be patient while the tool is running.

The tool also features a few additional parameters, but unless you plan to automate the entire decryption process those are most likely not very interesting for you. If for some reason the tool fails to decrypt certain files on your system, please let me know and I will see if I can update the tool. If you have further questions or run into any unexpected problems, please let me know as well.

 

http://www.bleepingcomputer.com/forums/t/494759/decrypt-protect-ransomware/page-3

