Fiendish CryptoLocker ransomware: Whatever you do, don't PAY

A fiendishly nasty strain of Windows malware that uses advanced encryption to lock up user files before demanding a ransom is doing the rounds. CryptoLocker, which first surfaced early last month, leaves users in danger of losing important files forever unless they pay up. Typically the crooks relieve them of around $300 (£185 …

COMMENTS

This topic is closed for new posts.
    1. Anonymous Coward

      Re: Oldschool Extortion Virus - Got to love it - But I was left with more questions than answers

      http://arstechnica.com/security/2013/10/youre-infected-if-you-want-to-see-your-data-again-pay-us-300-in-bitcoins/

      1. Anonymous Coward

        Re: Oldschool Extortion Virus - Got to love it - But I was left with more questions than answers

        #1. Thanks for the link AC14:42. As an example story it was a good read on how SMEs can get badly burnt letting users have free access to files on shared network drives. I'd hate to be an employee who has to face the boss admitting he was the unwitting mug who pulled the trigger! However, what the article and related linked articles failed to do was give 'details' on the various other ways SMEs etc. can get hit....

        #2. TrendMicro: "Based on our analysis, the threat starts with a dropper component".... So CryptoLocker isn't stealing active IPs from hacked websites and then going open port hunting... And it isn't initiating remote attacks using botnets that scan for open ports using random IPs. OK, that's a relief!

        #3. TrendMicro: "always observe best computing practices such as avoiding visiting unverified sites, clicking links from unknown sources, and avoiding executing/opening attachments from dubious email messages"....... We could use a little more info though than just "visiting unverified sites". How are the droppers working on unverified sites? Is Java or Flash or JavaScript a requirement?

        #4. BleepingComputer: "Via exploit kits located on hacked web sites that exploit vulnerabilities on your computer to install the infection... Through Trojans that pretend to be programs required to view online videos."....... Ok, but how widespread are these infected web sites and what client machine weaknesses are needed to spread the infection i.e. Java / Flash / JavaScript / other 3rd party plug-ins?

        #5. I think a lot of SMEs have basic virus protection. But getting hit by drive-by website attacks can be trickier to contain. Let's say it's Friday afternoon, and a few workers hunt for Christmas travel plans. They're busy checking photos & videos and not asking if a Mom & Pop or small scale travel site has been compromised or is 'verified'. 'What browser warnings?!'

        #6. With the UK Govt pushing for filtered internet connections, I've been asking why ISPs don't offer automatic filtering at the pipe level, to block virus / malware / spyware / bank trojan keyloggers? Wouldn't it be good business for ISPs?

        #7. Key unanswered question: For those who paid, did they receive a working key?

  1. Piro

    Title is basically incorrect

    If you pay, which is your ONLY OPTION unless you have offline backups, then you do actually get your data back.

    If you don't, that data is lost forever.

    1. lglethal

      Re: Title is basically incorrect

      How do you know this exactly? You actually paid these scum?

      Why would the virus writers bother to even provide the fix? It's much simpler to have the encryption happen, demand money, get paid, and disappear. If you have a fix on the internet somewhere, some smart White Hat will probably track it down eventually, obtain the key, and then spread it around and you've just lost your revenue source.

      Sure you have to spread at least some rumours that paying gets your files back, to give people some incentive to pay, but it's hardly in your interest to actually HAVE the key available online somewhere.

      1. Darren Barratt

        Re: Title is basically incorrect

        Secondary payload. Fix the data, tell the dozy user it's fixed, then leave the software in place. The user will institute a backup regime until they get bored, so after 6 - 9 months, run an update on the malware, shiny new front end and key, and go through the process again.

        1. Charles 9

          Re: Title is basically incorrect

          Plus by hibernating like this, the malware has a chance of getting INTO the backup, tainting it so that trying to restore it could result in immediate re-infection.

          1. lglethal

            @ JAK

            You seem to be forgetting how easy it is to salt the internet with false reviews, false twitter comments, false facebook posts, etc. There are companies out there that will happily do thousands of these things for you for the price of a cuppa. So just because there are "comments" out there saying people got their stuff back, you would be a fool to believe that 100%!

            Darren's comment about the secondary payload in the decryption is about the only reason I can think of for them to provide any sort of file decryption. So if there are REAL comments about them actually decrypting the files, I would almost bet on it that those PC's are now owned in one way or another by the pricks who created this virus.

            So once again, why would you pay?

      2. JAK 1

        Re: Title is basically incorrect

        Actually it is in their interest to provide the key. If people do a cursory search and see that no one ever got their files back then they won't bother paying, but if they see lots of posts from (un)happy customers with their data unencrypted they are far more likely to have a punt for $300.

        From what I've read it seems that the key that they would provide to you is unique to your machine, so there wouldn't be the worry about a white-hat being able to crack it.

      3. Derpity

        Re: Title is basically incorrect

        They will decrypt your files if you pay and apparently they're very cordial when you call them. Second hand information from a trusted source but still second hand.

        1. Destroy All Monsters

          Re: Title is basically incorrect

          Excellent service, 10/10.

          Would decrypt again.

          1. ecofeco

            Re: Title is basically incorrect

            "Excellent service, 10/10.

            Would decrypt again."

            *SNERK*

  2. Tromos

    Online backups

    It's either online or it's a backup. It can't be both at the same time.

    1. chris lively

      Re: Online backups

      You must be new to computers.

      Do some research and educate yourself.

      1. the spectacularly refined chap

        Re: Online backups

        You must be new to computers.

        Do some research and educate yourself.

        No, he probably knows more about backups than you do. Too many people take short cuts with backups, e.g. "You don't need dedicated backup with RAID - it IS the backup" and all that baloney. If your backups are online, mounted volumes then they are just as susceptible to fat finger syndrome as your live data. Potentially a single clanger could take out both.

        In other words, not a backup.

      2. Anonymous Coward

        Re: Online backups

        @Chris - It can be nearline and be a backup, but if it's online it's a copy. It may be versioned, but it's not a backup if it's on the same hardware as the thing it's a backup of.

        A backup needs to be offline or nearline, remote from the system it's backing up and versioned. If it doesn't have one of these things, it's not a backup, it's just a copy or an archive.

      3. Tromos

        Re: Online backups

        Not that new to computers. I remember making backups 44 years ago. The spools of magnetic tape had a plastic ring placed on the back to enable writing otherwise the tape drives could only read them. It was a running job until the tape was dismounted and the ring taken out, and only then was it regarded as a backup.

  3. MJI

    Where do I send the bill to?

    One of our customers was attacked by this.

    Luckily a lot of their system was in use but enough got infected.

    We had assumed it was a hardware failure!

  4. MJI

    Perhaps good target for intelligence services

    Find them, send in special forces, eliminate them.

    Earn back some trust.

    1. veti

      Re: Perhaps good target for intelligence services

      You're assuming the whole scam isn't being run by the NSA.

      Gotta do something to claw back that money being sequestered out of their budget...

  5. CheesyTheClown

    Kinda lame

    If they're using DH (likely) and they're using the same keypairs to encrypt and decrypt all the files, pause the machine, backup and copy a crap load of small word files to the machine and let it run its course. Once you have enough sample data with both source and scrambled and you have the local keypair and you have the remote public key, tree search the key bits and factor to a brute forceable length. Then GPU farm the remaining bits of the missing private key. Then decrypt.

    What's the issue?

    1. Frumious Bandersnatch

      Re: Kinda lame

      If they're using DH (likely) and they're using the same keypairs to encrypt and decrypt all the files, ...

      I was going to contradict you (and had a nice summary of how RSA worked all written up and everything) until I realised you're not saying what I thought you were. If I'm understanding you correctly, you're actually implying a chosen-plaintext attack. A quick search suggests that you might be on to something (pdf)

      1. Frumious Bandersnatch

        Re: Kinda lame

        Oops.. my mistake. That paper I linked to is about a chosen ciphertext attack, not a chosen plaintext attack. I did find plenty of comments saying that RSA is vulnerable to chosen plaintext attacks, but I wasn't able to dredge up a paper to that effect.

      2. CheesyTheClown

        An alternative hack... but in the spirit

        If you take 10,000 files (or less, I'd need a proper sample set to work with) and make them sequential patterns, then, given that you have g sub x and intend to recover g sub y when in possession of G sub X and G sub Y, you encrypt the large data set using g sub x and G sub XY and factor characteristics of the common exponent of the logarithms... I'm not conveying this right. I see it mentally, but am not good at wording. I read part of the paper you linked, which takes a similar approach and might actually even shorten the brute force attack remaining.

        Using my method, you construct a tree of common traits of possible key values based on the fact that you're actually in possession of a single private key and both public keys. It's something I came up with when Diffie identified another weakness in the keys.

        The main idea is that the Diffie Hellman Problem is called a "hard problem" not an "impossible problem". We already have more information available if we have the client's private key than the algorithm accounts for. We also have the ability to encode known sequential or patternistic data sets. This means we should be able to attack the algorithm by identifying common traits of the cipher when comparing the algorithm, the data sets and the outputs produced. This of course would be infeasible without the private key used for encoding.

        I've always had issues coping with the DHP when the encrypting private key is included in the algorithm. After all, it should be theoretically possible to reverse much of it. After all, unless you actually specifically drop data making it useless to begin with then you should be able to work backwards through it.

        I'm guessing someone smarter than I can probably hack more of it algorithmically, I have major limitations in that field, but I am pretty damn good at factoring based on producing tweaked data sets to build search trees or sets to brute force.

        Let's face it, there's a reason we key cycle 3072 bit keys... it's because they should be recoverable by someone somewhere as their sample sets grow... in fact Diffie makes direct reference to this in the original paper and later articles. We're simply expanding the known sample set and exploiting the inherent weaknesses.

  6. Anonymous Coward

    Another good reason to move to Windows RT

    Just sayin'...

    1. handle

      Re: Another good reason to move to Windows RT

      Another good reason? What's the first one?

  7. PLAzmA

    Shame

    It's ok, but in honesty a lack of variable zoom or mouse pointer sucks. I will stick to Remote RDP Enterprise on Android; with the mouse in trackpad mode it's by far the best system I've used on a small screen.

  8. Nigel 11

    Nuke the perps from orbit?

    If the USG spent a bit less on exterminating terrorists and a bit more on exterminating slime like this, the NSA might get better publicity. (And I do mean exterminate. How many many-years of human enterprise do these sub-humans waste in order to make a few bucks? I rest my case.)

    1. Vais

      Re: Nuke the perps from orbit?

      I find it disturbing that you can even compare taking hundreds of lives with destroying data - however large it might be. And if you are really concerned in wasted human achievements, better look at the huge corporations that do everything they can to slow the progress of technology and science in order to keep their financial control over the population...

      1. This post has been deleted by its author

        1. Charles 9

          Re: Nuke the perps from orbit?

          "If it was possible to identify a command and control server and take it down in seconds, a lot of this crime would get a lot more difficult.

          Also, a simple point, computers need a clearly labelled physical button called something like "Disconnect from Network" which would stop all network activity without the need to go through any menus. The second someone thinks they've clicked on a bad link, being able to hit that button would stop a lot of infections."

          1) Even if you could ID a C&C server, what if it turns out to be in a country hostile to you? That's why there are a lot of Chinese-, Russian-, and Eastern-Europe-based servers. They may not be as inclined to cooperate with you, and matters of state can keep you from applying pressure.

          2) If it's that bad, PCs probably need something more drastic: a return of the Reset button. Forget disconnecting from the network. You'll probably need a full memory flush and more than likely a new IP address and set of rules. And that's assuming the malware didn't manage to report intel back in the split second it was in your machine. Not so much nuking from orbit, but still on the level of "dump out and start over".

    2. Lars

      Re: Nuke the perps from orbit?

      Indeed. And if you can send money I would hope it's also possible to get the guys, but is anybody seriously interested in such things.

  9. sisk

    It seems to me that getting the key and then disseminating it through the internet would be a simple matter for a serious security firm. Infect a honeypot, pay the ransom (in a way that you could either trace or recover your money later, of course....no sense giving the crooks money for real), then capture the private key when it phones home with a man in the middle attack. If it uses HTTP (yes, yes, very unlikely, I know) this could be a very trivial way to get the key and build it into a cleanup utility. Even if it uses a more secure protocol it shouldn't be too difficult a task for security experts.

    1. handle

      Am I missing something, is more than one person here missing something: why on earth would the same private key be used for every attack?

      1. Vais

        Someone above said that it WAS different for every infected computer. Things are rarely that easy to fix as sisk implies. In security attacking is almost always easier than defending. Or at least the attacker can defeat the defense in almost every scenario given enough resources and motivation on his part.

  10. Anonymous Coward

    Re: It encrypts .doc, .dwg etc

    You must work for our IT Security department, they're good at talking out of their collective corporate a**e as well.

  11. Anonymous Coward

    Will it work for me?

    What about my files?

    My files seem to eschew this funky modern .xxx thing and rely on some magic bytes to distinguish themselves.

    Will this thing encrypt them? Perhaps I should try and get it to work in Wine ...

    On a more serious note - get yourself an OwnCloud running on an old machine or something if ordinary backups are not compelling for you. OC does versioning. Why not run up one for your small firm or family?

    As for the bigger firms - check your backup regimes and then your web and email proxies. Your staff should not even be seeing these emails in the first place, and obviously you've warned them countless times on what to look out for in a dodgy email. You'll be using at least three AV solutions plus various firewall and SMTP blocklists and all the other stuff, so it won't be a problem ...

    Cheers

    Jon

  12. Anonymous Coward

    One of the IPs that the ransomers used was 184.164.136.134. According to ARIN, it is owned by SECURED SERVERS LLC. Their servers were obviously not secured.

    With this malware needing to phone home, their compromised network of machines is always in flux and there is a good chance that once one is shut down, the private key is also gone.

    Most of their payment methods mean it won't be long before those providers find a way to recoup the money. Some of them you should be able to pay with a credit card and then file a claim with your credit card company. This leaves the likes of these payment companies holding the bag and they won't like that. Eventually the ransomers will be tracked down. Chances are they are in Russia or the like and they are not targeting locally so they won't face the consequences of their actions.

  13. psychonaut

    seen 3 of these now

    It's very nasty. I've done a tonne of research on this.

    To clear up some misconceptions:

    1) every decrypt key is different so there's no point in trying to use a honeypot

    2) apparently you do get your files back if you pay (haven't done this personally though)

    3) it's also trivial to remove, although I wipe every machine I see with it anyway

    4) if you do remove it before paying you can't then pay them unless you have the strain that changes your wallpaper to give you the IP address to pay with (cute huh??). If you (deliberately) reinfect in order to get the pay screen you double encrypt

    5) if you use offsite backup like Carbonite it will back up the encrypted file over the top of the good file as soon as it changes. However Carbonite have a dedicated team to help with this as it's tedious to manually restore versions of 1000000 files. They can spot when the infection happened and roll back your files to before any of them were encrypted so you can then restore all. You get back every file in the latest version before that file was encrypted.

    I'm seriously impressed with Carbonite. All 3 of my customers that got hit had Carbonite (cos they accepted my advice to get it) and all 3 are fine. Just rebuild the machine and we are good to go.

    Fortunately my customers nearly all have Carbonite so this won't be affecting my customers much. The ones that don't have it were warned...

    1. 9Rune5

      Re: seen 3 of these now

      Thanks for the tip psychonaut. I've contemplated online backup for my personal files before, but this is the first affordable service I've come across.

      1. psychonaut

        Re: seen 3 of these now

        You are welcome. They also do unlimited PCs and NAS for 155 quid per year per 250GB in addition to the other home plan of 42 per year for unlimited. They also have server backup including SQL for about 400 per year. Also become a reseller and get 30% discount.
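The recovery psychonaut describes in point 5, and the "online vs. backup" argument in the Online backups thread above, come down to one property: the backup store must keep every version and never let the agent overwrite history. The following is an added example, not code from the page, from Carbonite or from rsnapshot. It assumes a hypothetical append-only store, uses a byte-entropy heuristic as a stand-in for "spotting when the infection happened", and all file contents, paths and timestamps are constructed for the demo.

```python
"""Versioned backup store with point-in-time restore (added example).

Models what a version-keeping backup service can do after a CryptoLocker
infection: the agent has already uploaded the encrypted copies over the
good ones, but every earlier version is still there, so each file can be
rolled back to its newest version from before the encryption started.
All data below is constructed; nothing here is Carbonite's or rsnapshot's code.
"""
import math
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample documents (not real files).
REPORT_V1 = b"Q3 figures, draft 1: revenue up 4%, costs flat."
REPORT_V2 = b"Q3 figures, draft 2: revenue up 4%, costs down 1%, headcount steady."
PLAN_V1 = b"Travel plan: flights Fri 20 Dec, hotel 3 nights, hire car."
NOTES_V1 = b"Meeting notes: chase supplier, renew AV licence, test backups."


def constructed_ciphertext(seed: int, n: int = 4096) -> bytes:
    """Stand-in for an encrypted file: seeded pseudo-random bytes (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, roughly 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class VersionedStore:
    """Append-only backup store: a write never replaces an earlier version.

    The backup agent only needs append rights on this store, so malware
    running as the user cannot destroy the history the restore depends on.
    """

    def __init__(self):
        self.versions = defaultdict(list)  # path -> [(timestamp, bytes)]

    def write(self, path: str, ts: datetime, data: bytes) -> None:
        self.versions[path].append((ts, data))
        self.versions[path].sort(key=lambda v: v[0])

    def latest(self, path: str) -> bytes:
        return self.versions[path][-1][1]

    def first_suspicious_write(self, threshold: float = 7.0):
        """Earliest timestamp of a version that looks encrypted (high entropy).

        Heuristic only: compressed media also scores high, so in practice the
        cutoff is confirmed against when the user remembers clicking the link."""
        hits = [ts for vs in self.versions.values()
                for ts, data in vs if shannon_entropy(data) > threshold]
        return min(hits) if hits else None

    def restore_before(self, cutoff: datetime) -> dict:
        """Newest version strictly older than cutoff, per path.

        Files whose only versions postdate the cutoff are left out: a file
        first backed up after the infection began is not recoverable."""
        restored = {}
        for path, vs in self.versions.items():
            good = [data for ts, data in vs if ts < cutoff]
            if good:
                restored[path] = good[-1]
        return restored


def build_demo():
    """Replay a constructed timeline; return (store, cutoff, restored files)."""
    t0 = datetime(2013, 10, 18, 9, 0)
    store = VersionedStore()
    store.write("report.doc", t0, REPORT_V1)
    store.write("plan.xls", t0 + timedelta(minutes=30), PLAN_V1)
    store.write("report.doc", t0 + timedelta(hours=1), REPORT_V2)
    store.write("notes.txt", t0 + timedelta(hours=2), NOTES_V1)
    # 13:00: the malware starts rewriting documents; the agent uploads them as-is.
    store.write("report.doc", t0 + timedelta(hours=4), constructed_ciphertext(1))
    store.write("plan.xls", t0 + timedelta(hours=4, minutes=5), constructed_ciphertext(2))
    # photo.jpg was never backed up before the infection: only its encrypted form exists.
    store.write("photo.jpg", t0 + timedelta(hours=5), constructed_ciphertext(3))
    # notes.txt was never touched by the malware, so its latest version is kept.
    cutoff = store.first_suspicious_write()
    return store, cutoff, store.restore_before(cutoff)


if __name__ == "__main__":
    store, cutoff, restored = build_demo()
    print("infection started around", cutoff)
    for path, data in sorted(restored.items()):
        print(f"{path}: restored {len(data)} bytes")
    print("not recoverable:", sorted(set(store.versions) - set(restored)))
```

The design point is in `VersionedStore.write`: because nothing is ever replaced, the "copy" on the same box that Tromos and the Anonymous Coward dismiss becomes a real backup the moment versions are retained and the agent cannot delete them. The photo.jpg case is the caveat worth remembering: versioning only helps for files that had a clean version uploaded before the infection.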

  14. jason 7

    Had this a few times too.

    Customers lost all their docs.

    However, most were just using the lapsed McAfee AV that was installed on the laptop when they bought it 4 years ago.....

  15. Sime

    The video here shows Sophos detecting this virus, but I've got a copy of CryptoLocker obtained from a client's site a couple of weeks ago and it's not picking it up here. Nor is AVG/MSE/Symantec. Unless my customer is (un)lucky enough to have been hit by a different strain :-\

    1. Tezfair

      The customer who had this had AV scanning at the ISP, Symantec / Brightmail on their Exchange server and ESET on the desktops. Yes, paranoid, but apparently a waste of time.

      I'm aware that new versions come out all the time, so I'm guessing my clients are at the top of the email list.

  16. John Smith 19

    So what AVs *do* detect it?

    Obvious question really.

    1. jason 7

      Re: So what AVs *do* detect it?

      This is the big rub with AV software. They are always 24 hours behind. The code for the malware is rewritten and tweaked daily, almost hourly, and then released in the wild.

      The AV companies make it easier as they allow 30 day trials of their software to test against.

      I have seen every type of mainstream AV beaten. I tell my customers getting a virus is like getting a cracked windscreen. You can go years without one and then get two in as many weeks.

      I do recommend adding EMET 4.0 as a bolster to your security. It's designed to enforce all the memory protection techniques to prevent zero day stuff. Really only works with Vista and above.

      If you run modern software you shouldn't have a problem.

      http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx

      http://krebsonsecurity.com/2013/06/windows-security-101-emet-4-0/

  17. RobotGuy

    Nasty evil thing

    I spent last Tuesday dealing with an infection from this thing. Luckily, I'd set up rsnapshot on our main network drives and it was extraordinarily easy to roll them back 4 hours to before the encryption was done. The rest of the time was spent trying to actually find the damn thing on the infected PC. I assume that our AV got it, but too late, as I couldn't find any of the files or registry entries that were supposed to be there. Eventually I gave up and just nuked the whole machine just to be on the safe side.

    1. jason 7

      Re: Nasty evil thing

      I've found it's dead simple to remove. It doesn't really hide itself all that much because...it doesn't have to. The damage is done.

      Combofix cleaned it up pretty quick. Worth checking out. Further scans with two other products found nothing more. Okay so the docs are hosed but that's too bad.

      However, I'm sure it will mutate.

  18. ecofeco

    $300?

    Let's see... if they managed to scam 10,000 people in one month that's...

    Holy crap I am in the wrong business.

    1. Anonymous Coward

      Re: $300?

      > Holy crap I am in the wrong business.

      And, according to comments above, they provide excellent customer service too. :-)

  19. Anonymous Coward

    A weakness?

    Apparently it doesn't encrypt files until it gets the individual private key from a control server. So if all outgoing connections are blocked by default for whatever the executable happens to be (e.g. by Windows 7 Firewall Control), the filesystem will be left untouched. Is this correct?
