CryptoLocker : Malware that encrypts all your data with an RSA 256 bit AES

[goretsky Supervisor]

Hello,

 

This is actually a loose family of malware that is grouped by behavior, so the exact encryption mechanisms and actions of each one can vary quite a bit.  In some cases, the malware is created from a kit, which allows for further customization by whomever has purchased a copy.  ESET has published a blog post, Filecoder: Holding your data to ransom, which goes over these in detail, include a screenshot of the builder application, with translation from the native Russian.

 

Regards,

 

Aryeh Goretsky

[Alwaysonacoffebreak]

How the heck do people even come across these kind of malware? Are they looking for an encryption software or something? :/

[AStaUK]

How the heck do people even come across these kind of malware? Are they looking for an encryption software or something? :/

A lot of malware can be picked from legitimate sites through ad banners hosted on poorly protected servers, although there any many other vectors for this type of thing. One reason why at my company we use a web filtering service in addition to a good anti-virus as one level of defence.

[Alwaysonacoffebreak]

People still click on ads they don't know about? o.O And also it's not that much of an legit site if they offer their ads trough services that are not trusted to offer secure ads in the first place.

[AStaUK]

People still click on ads they don't know about? o.O And also it's not that much of an legit site if they offer their ads trough services that are not trusted to offer secure ads in the first place.

You don't necessarily have to click on the ad if an attacker is using a known exploit that hasn't been patched on the clients PC, the article linked by +goretsky gives a good description how these types of things work.

I've had to work on more than a few colleagues PCs where they are missing critical updates and don't have an up to date anti-virus. Education goes a long way to stopping this type of thing, but a large number of people will still click something simply because it says to. Or have young kids that don't know better.

And there is still good old "social engineering", one security company I work with has a 100% hit rate using targeted attacks to gain access to large companies. Once you've gained legitimate access to a corporate network you have access to everything that user had access to and more if you have the skill. Google HBGary, Arstechnica did a great article on how social engineering was used against them.

http://arstechnica.com/tech-policy/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price/

[Ci7]

the unfortunate result it that would justify 'walled graden' systems  more.....

[HughJorgan]

This ransomware infected our network a couple weeks ago.  It even locked the backup files as the IT person had mapped those drives as well.  Hes gone now BTW.  Luckly it didnt lock up the quickbooks files as that would have essentially shut the whole show down. Guess they want to make sure you can pay them.  Moral of the story here, beyond educated use of the internet, is OFFSITE BACKUP.

 

I can also confirm that they followed through on sending up the dycryption once we paid the $300. For us it was like meeting a goof in the alley with a gun demanding money.  We just wanted to go home...so we paid. 

 

I look forward to the day I hear about the arrests.

[Anibal P]

See I don't need to jump through many hoops, I rarely keep anything important on my computers, and the few I do have are backed up automatically to Dropbox, Copy, and G Drive, I can just reformat and get the files off the cloud, and it's all done automatically

[T9RKELL]

Who processes their funds? - usualy something like Ukash

 

As to backups, even offsite sometimes does not work - my friend does backups everyday. One day he got robbed - laptop is gone and several near standing external hard drives too. 

[goretsky Supervisor]

Hello,

For anyone who has paid for the encryption key to this ransomware, would you mind sending me a private message? I have some questions for you.

Thank you.

Regards,

Aryeh Goretsky

[T9RKELL]

Hey guys, 

So my dads office was hit with this last week, it was actually transferred but an adjacent companies network. They share a space with my dads office. None of the malware programs that they have installed picked this up. We were able to remove the malware after several attempts, but now his entire server is encrypted. Does any one know if there has been a successful method to decrypt the files yet? He has backups but unfortunately the IT guy that had set up his server some how turned off back ups last November! 

 

Hum has created a decryption tool, and posted about it at previous pages of this thread, maybe it will help

[T9RKELL]

As to ways of infections, there were several reports of receiving phishing emails with rogue attachments. Next, a lot of people got them at shady sites like porn and torrent.

 

My brother in law runs an infosec blog, he has several interviews with infosec guys, section ofr deaf people with written transcriptions of interesting Black Hat and DEF CON talks. He latest articles are dedicated to ransomware: http://privacy-pc.com/how-to/remove-cryptolocker-virus.html

[techbeck]

PITA.  Had this on someone's computer recently.  Told him to turn off his computer, slaved his HD, and copied files off his system.  Then redid the software.

[+Warwagon MVC]

The problem with cryptoLocker is this.

 

90% of people have no daily backup. 9% Have a daily backup that backing up to an always connected External drive. 1% also have a have a cold (off site backup)

[#Michael]

This is just how bad this malware is getting:

 

 

Now here?s a first ? crooks who realize the importance of customer service.

It?s the latest twist in the global CryptoLocker ransomware attack. This diabolically nasty malware locks up all of the victim?s personal files ? and in some cases, backup files, too ? with state-of-the-art encryption. The bad guys have the only decryption key and they demand $300 or two Bitcoins to get it.

?It?s been a disaster for many of the people hit with it,? said Lawrence Abrams who has been tracking the spread of this infection on BleepingComputer.com

Within the past few days, the criminal gang behind CryptoLocker created a site for victims who need help making their required extortion payments.

?These guys have some big cojones,? said security expert Brian Krebs, who writes the blog KrebsOnSecurity.

The CryptoLocker Decryption Service allows victims to check the status of their ?order? (the ransom payment) and complete the transaction. I am not making this up!

Those who paid the ransom (with either Green Dot cards or Bitcoins), but did not get the decryption key ? or got one that didn?t work ? can download it again.

Those who missed the 72-hour deadline can also get their key, but the price jumps from two Bitcoins to 10. At today?s market value, that?s nearly $4,000. And Green Dot is not accepted with this extended-deadline service.

 

 

Full article over at today: http://www.today.com/money/cryptolocker-crooks-launch-new-customer-service-website-victims-2D11586019

[AStaUK]

I couldn't help but smile after reading the above, crooks with a sense of customer service.

[Dark-Heart]

The people that make virus's and Malware have now realised that there's serious money, to be made by infecting computers with this sort of stuff. So I think that were going to see a lot more of this type of crapware popping up, in the next few years.

[riahc3]

Hello,

Someone created a tool to decrypt right? That should be on the first page of the thread.

Also, I think this is front page news worthy.

[AStaUK]

Hello,

Someone created a tool to decrypt right? That should be on the first page of the thread.

Also, I think this is front page news worthy.

 

I don't think that tool works with the latest versions of Cryptlocker which use much stronger encryption.