CryptoLocker Ransomware Virus Takes Your Files Hostage

Posted by on Nov 3, 2013 in Security

Mike’s Advice: Everyone should have a disconnected offline backup right now. Here is why.

Called CryptoLocker, this new ransomware Trojan holds your files hostage and if you don’t pay up, your files are gone – likely for good.

CryptoLocker uses a solid encryption scheme, which so far appears uncrackable. For each victim, it connects to its command-and-control (C2) server to download an RSA public key that is used to encrypt the data. A unique key is created for each new victim, and only the CryptoLocker authors have access to the decryption keys.

What CryptoLocker does

When the malware runs, it proceeds as follows:

1. CryptoLocker installs itself into your Documents and Settings folder, using a randomly generated name, and adds itself to the list of programs in your registry that Windows loads automatically every time you log on.

2. It produces a lengthy list of random-looking server names in the domains .biz, .co.uk, .com, .info, .net, .org and .ru.

3. It tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds.

4. Once it has found a server that it can reach, it uploads a small file that you can think of as your “CryptoLocker ID.”

5. The server then generates a public-private key pair unique to your ID, and sends the public key part back to your computer.

6. The malware on your computer uses this public key to encrypt all the files it can find that match a largish list of extensions, covering file types such as images, documents and spreadsheets.

Once CryptoLocker is in the door, it currently targets and encrypts files with the following extensions:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm,
*.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm,
*.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2,
*.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg,
*.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw,
*.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf,
*.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer,
*.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

Note: More file types could be added in new malware variants.

Note that the malware searches for files to encrypt on all drives and in all folders it can access from your computer, including workgroup files shared by your colleagues, resources on your company servers, and possibly more. The more privileged your account, the worse the overall damage will be.

7. The malware then pops up a “pay page,” giving you a limited time, typically 72 hours, to buy back the private key for your data, typically for $300. The ransom must be paid in less-traceable forms such as Bitcoins and Green Dot MoneyPaks. Resetting your clock has no effect on this time limit, because the key will be deleted from the CryptoLocker authors’ server.
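The lookup pattern in steps 2 and 3 (many random-looking names in the listed domains, tried about one per second until one answers) is visible in DNS logs. The following is an added detection sketch, not code from the original article; the log format (timestamp, client IP, name, result), the thresholds and the "few vowels" heuristic are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TLDS = (".biz", ".co.uk", ".com", ".info", ".net", ".org", ".ru")  # from step 2
# Assumed thresholds: window length, distinct failed names, distinct TLDs.
WINDOW, MIN_NAMES, MIN_TLDS = timedelta(seconds=60), 15, 3

def dga_like_tld(qname):
    """Return the TLD if the name looks machine-generated (assumed heuristic), else None."""
    tld = next((t for t in TLDS if qname.endswith(t)), None)
    label = qname[: -len(tld)].rsplit(".", 1)[-1] if tld else ""
    if len(label) < 10 or not label.isalpha():
        return None
    return tld if sum(c in "aeiou" for c in label) / len(label) < 0.25 else None

def find_suspect_hosts(lines):
    """Map client IP -> (window start, distinct names) for hosts matching steps 2-3."""
    events = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "NXDOMAIN":
            continue  # only failed lookups are counted
        ts, client, qname = parts[0], parts[1], parts[2].lower().rstrip(".")
        tld = dga_like_tld(qname)
        if tld:
            events[client].append((datetime.fromisoformat(ts), qname, tld))
    suspects = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1  # slide the window forward
            names = {n for _, n, _ in evs[start:end + 1]}
            tlds = {t for _, _, t in evs[start:end + 1]}
            if len(names) >= MIN_NAMES and len(tlds) >= MIN_TLDS:
                suspects[client] = (evs[start][0].isoformat(), len(names))
                break
    return suspects

def sample_log():
    """Constructed sample data: one noisy host and one host with a single typo."""
    cons, base, lines = "bcdfghjklmnpqrstvwxyz", datetime(2013, 11, 3, 10), []
    for i in range(20):  # one failed lookup per second, as in step 3
        label = "".join(cons[(i * 5 + j * 2) % 21] for j in range(12))
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.23 {label}{TLDS[i % 7]} NXDOMAIN")
    lines.append(f"{base.isoformat()} 10.0.0.40 exmaple.com NXDOMAIN")
    return lines
```

A host flagged this way should be taken off the network and checked before it reaches a server that responds (step 4).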

How does the malware get in?
Currently it uses two main infection vectors: via email attachments and via botnets.

Email attacks are fairly easy to avoid: take care with attachments you weren’t expecting, or from people you don’t know well.

Infection via a botnet is a little different, since the crooks are using the fact that you are already infected with malware as a way to infect you with yet more malware.

That’s because most bots, or zombies, once active on your computer, include a general purpose “upgrade” command that allows the crooks to update, replace, or add to the malware already on your PC.

Update 01/06/2014: CryptoLocker ransomware turns from a Trojan… into a worm. The new version can spread between removable drives – posing as activation keys for tools such as Adobe Photoshop and Microsoft Office, seeded on P2P file-sharing networks.

What can I do to prevent this?
Prevention, in this case, is significantly better than cure:

Stay patched. Keep your operating system and software up to date.
Make sure your anti-virus is active and up to date.
Avoid opening attachments you weren’t expecting, or from people you don’t know well.
Make regular backups, and store them somewhere safe, preferably offline.

Contact Mike for a security audit and review of your backup strategy.

Everyone should have a disconnected offline backup.
Unfortunately, there is no known tool to decrypt the files encrypted by CryptoLocker. One good safe computing practice is to ensure you have accurate backups of your files. The 3-2-1 principle should be in play: three copies, two different media, one separate location. Cloud storage services such as Carbonite can be a useful part of your backup strategy.

This advice applies to everyone who cares about their photos and documents, or anything of value on their computer or attached drives. This includes but is not limited to photos, music, documents, letters, email, genealogy research, office files, QuickBooks company files, etc.

Always have a backup of all your photos, documents, music, office files, QuickBooks data, etc.
An offline backup, such as a USB external hard drive, is recommended. After the backup is complete, disconnect the drive and store it in a safe place. Make new backups when needed and then disconnect it again. Having an offsite backup is always a good strategy to keep your data safe from flood, fire, theft, etc., so consider keeping one of the backups off site, such as in a safety deposit box.
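One way to check a backup before disconnecting the drive, as an added example that is not part of the original article: it walks a folder, picks out files matching the extension list above, and reports any that have no copy, or a different copy, at the same relative path on the backup drive. The function names and the same-relative-path layout are assumptions.

```python
import fnmatch
import hashlib
import os

# Patterns copied from the article's list of targeted file types.
TARGETED = """*.odt *.ods *.odp *.odm *.odc *.odb *.doc *.docx *.docm *.wps
*.xls *.xlsx *.xlsm *.xlsb *.xlk *.ppt *.pptx *.pptm *.mdb *.accdb *.pst
*.dwg *.dxf *.dxg *.wpd *.rtf *.wb2 *.mdf *.dbf *.psd *.pdd *.pdf *.eps
*.ai *.indd *.cdr *.jpg *.jpe img_*.jpg *.dng *.3fr *.arw *.srf *.sr2
*.bay *.crw *.cr2 *.dcr *.kdc *.erf *.mef *.mrw *.nef *.nrw *.orf *.raf
*.raw *.rwl *.rw2 *.r3d *.ptx *.pef *.srw *.x3f *.der *.cer *.crt *.pem
*.pfx *.p12 *.p7b *.p7c""".split()

def is_targeted(name):
    """True if the file name matches any listed pattern (case-insensitive)."""
    lower = name.lower()
    return any(fnmatch.fnmatchcase(lower, pat) for pat in TARGETED)

def sha256_of(path):
    """Hash a file in 1 MiB chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_backup(source_root, backup_root):
    """Return (missing, differs): targeted files under source_root with no
    copy, or a non-identical copy, at the same relative path in the backup."""
    missing, differs = [], []
    for folder, _dirs, files in os.walk(source_root):
        for name in files:
            if not is_targeted(name):
                continue
            src = os.path.join(folder, name)
            rel = os.path.relpath(src, source_root)
            dst = os.path.join(backup_root, rel)
            if not os.path.isfile(dst):
                missing.append(rel)
            elif sha256_of(src) != sha256_of(dst):
                differs.append(rel)
    return sorted(missing), sorted(differs)
```

A long "differs" list for files you have not edited is a reason to stop and investigate before overwriting the backup with the current copies.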

What type of backup is safe from cryptolocker?
Have a strategy now, before the disaster happens. Mike recommends a flash drive or USB hard drive backup, that you make pre-disaster, then disconnect before disaster.

Keep in mind that if you use a service like Google Drive, Dropbox or even SkyDrive, you have a mirror of your files in the cloud, and if the ransomware encrypts your local files, it will trigger the mirror process and the files in the cloud will also be encrypted. Some services like Dropbox have a Packrat versioning feature that allows you to restore to any previous version of the file, which can help in a situation like this.

Carbonite online backup is a good cloud backup solution. Keep in mind that your cloud backup must have a versioning feature to be effective against loss from CryptoLocker. Versioning keeps multiple versions of a file, so that if one version gets corrupted, there is a possibility of restoring a version from a previous date.

Will my antivirus / antimalware software block cryptolocker?
Possibly it will, unless a new variant comes out that is not in your antivirus definitions. New variants can come out quickly, so the risk is always high. Antivirus works like a vaccine: if the threat has been detected and identified by the antivirus vendor, it should be blocked. But a new variant can come out that the vaccine does not yet cover, and it can infect at any time.

Mike recommends you install CryptoGuard
Mike’s Advice: All Windows users should install HitmanPro.Alert with CryptoGuard ASAP to help prevent data loss from this nasty ransomware.

What happens if my computer gets infected?
If you are affected by the cryptolocker virus, you should shut down your computer as soon as possible and contact a professional virus expert such as Mike’s Computer Repair. If you suspect your computer is infected, you could suffer more damage if you leave it connected to the internet, leave it running, or try to fix it yourself. Do not plug in any external drives if your computer is infected.

Should You Pay The Ransom?
The ransom message usually comes up after all the files are already encrypted.
If you do not have backups, there is no other way to recover your scrambled files. If your antivirus has already quarantined or removed the malware, then the mechanism to decrypt the files is also removed. The desktop wallpaper may be replaced with a message that includes a web address where you can re-install the same infection in order to initiate the ransom payment.

We’ll follow the police’s advice here, and recommend that you do not pay up. This sort of extortion – Demanding Money with Menaces, as a court would call it – is a serious crime that should not be rewarded with payment.

Even though CryptoLocker uses payment methods (MoneyPak, Bitcoin) that keep you and the crooks at arm’s length, you are dealing with outright criminals here. Even if you pay, there is no guarantee the ransom holder’s server is still online to generate the recovery process. If the recovery starts, it can take several hours to decrypt all the files. After completion, your computer is still compromised and needs professional virus removal and security audits. Obviously, we can’t advise you on how likely it is that you will get your data back if you do decide to pay.
