back to article Unlocking CryptoLocker: How infosec bods hunt the fiends behind it

CryptoLocker, the Bitcoin-hungry ransomware menace that has become 2013’s most infamous malware, was likely created by a single hacker crew in Russia or former Eastern bloc states and is heavily targeting US and UK systems, researchers have exclusively revealed to The Register. Dell SecureWorks’ Counter Threat Unit (CTU) set …

COMMENTS

This topic is closed for new posts.
  1. James 51

    Given the tension between the CIS and the West, unless they start targeting people at home it's hard to see how the people behind this are going to be stopped (as oppsed to the latest version of their scheme being stopped by some clever fix).

    1. Sammy Smalls

      Maybe cut Russia off from the interweb? Maybe unthinkable/impractical now but it's not difficult to see a properly tiered internet evolving due to legal differences/indifference between countries. Forget tiering about bandwidth and content, this would be 'connected to the rest of the world or not' structure. Maybe we could have another tier structure that is 'monitored by the NSA/GCHQ or not'.

      1. Anonymous Coward
        Anonymous Coward

        While cutting them off is one thing, the better solution though is a multi-tiered approach.

        1) Go after the interconnect these ISP's use. No interconnect, no Internet access.

        2) RIPE needs to revoke their IP address blocks.

      2. PyLETS
        Devil

        @Sammy Smalls: Net blocking criminal domains

        This already happens with spam to a large extent. Many email MTA admins choose to use the Spamhaus blacklist. Configuring it is easy, but it's up to each host or firewall operator to do the DNS lookups to see if a connection is coming from a listed badguy controlled address. Implementing blocks at a political or geographical level "Maybe cut Russia off .. " is neither as effective nor as targeted as supporting reputable blacklist providers and configuring host and firewall providers to make decisions accordingly. Then it's up to each network or host operator to make their own decisions as to what to block or allow by choosing a reputation provider and configuration, leaving room for competition between blacklist providers based on accuracy of listings.

    2. Spiracle

      In that case translating the payload into Russian and spamming Kremlin addresses might be more effective than running a sinkhole?

  2. Bronek Kozicki
    Pint

    perhaps ....

    .... that's the one thing which will convince your typical users that running Windows without updates and virus protection is not worth the risks. Who knows, maybe in the long run it will even cut the number of zombies out there?

    I could drink to that.

    1. lorisarvendu

      Re: perhaps ....

      Although your sentiment is correct, in this case even a fully-updated Windows and AV will not necessarily help, as a) Cryptolocker does not exploit a Windows vulnerability and b) the waves of attack are often ahead of AV signatures.

      Educating users about the wisdom of not opening every damn email attachment they receive will do far more good, although that doesn't help in cases of compromised web pages.

  3. Richard Jones 1

    Sensible to Suggest Ways of Blocking The Spread?

    We should all know to keep machines as up to date and fully patched as possible.

    We should all avoid clicking on any unexpected mail.

    We should all avoid opening anything from an unknown source.

    Items from known sources but in stupid forms should be ignored, e,g, anything from a Yahoo mail address suggesting someone is lost somewhere overseas.

    But what else should one do in mitigation or prevention.

    Richard

    1. ElReg!comments!Pierre

      Re: Sensible to Suggest Ways of Blocking The Spread?

      > But what else should one do in mitigation or prevention.

      Offline backup. NAS and Dropbox don't count.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: Sensible to Suggest Ways of Blocking The Spread?

        And follow this:

        http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent

        1. Anonymous Coward
          Anonymous Coward

          Re: Sensible to Suggest Ways of Blocking The Spread?

          Can the tool mentioned on there be trusted?

          As always, it comes down to trusting that a tool advertised as preventing malware isn't just another guise.

          1. FrankAlphaXII

            Re: Sensible to Suggest Ways of Blocking The Spread?

            You can manually do everything that the tool does for you if you don't trust it. The author goes into detail about what the tool does on the foolishit webpage, so if you don't trust the tool itself, you can still get the same degree of mitigation without using it. It ain't perfect but its a fuck of a lot cheaper than buying bitcoins for criminals.

      3. dwrjones87

        Re: Sensible to Suggest Ways of Blocking The Spread?

        As far as I know, DropBox allows you to revert a file to a previous version, a functionality that this beast can't alter, so therefore I would be tempted to class it. Offline your computer, clean it, go back online, go through all your files on DropBox and revert them or perhaps email support and ask them to do it en-masse for you, and then download, and be more bloody careul about what you open in the future

        1. J__M__M

          Re: Sensible to Suggest Ways of Blocking The Spread?

          "revert a file to a previous version, a functionality that this beast can't alter"

          Say what? Please explain, because this is exactly the part that is keeping me awake at night... like right now, for instance. Seriously, how hard do you think it will be to delay the "pay up or you're fuct" message for, say, 31 days? Not hard at all is how hard, and it also wouldn't be hard to make the file selection process a little more intelligent than the file extension shotgun method they're using now.

          The next iteration of this thing will have scrambled files working their way though 30 days of snapshots like a hot knife through buttah.

    2. Anonymous Coward
      Anonymous Coward

      Re: Sensible to Suggest Ways of Blocking The Spread?

      All very well, but that still doesn't necessarily save you when you visit a forum/comments page (perhaps initiated from a perfectly above-board Google search) which has some malicious script injected which instantly redirects you to an exploit-laden site hosted on some bulletproof host that's been hosting malware for years.

      Chrome pops up a message telling you you're entering a site with a bad malware reputation, but not before dialogs have popped up and your AV (or a theatrical scary mock 'AV') appears.

      Of course I speak from bitter experience. Did I hit the hard-power-off button fast! Turns out my AV did block a 1MB payload... but can I ever be sure there weren't additional exploits that could have slipped through the AV net and gone undetected? Scans clean, but logically you can't prove you're not pwned.

      Chrome. On fully up-to-date Win7/64bit. NOD32.

      1. Steven Raith

        Re: Sensible to Suggest Ways of Blocking The Spread?

        "Chrome. On fully up-to-date Win7/64bit. NOD32."

        To be honest, if you're thinking about searching for something potentially dodgy (in whatever capacity), you owe it to yourself to set up a basic Linux (or any other OS you are happy with, as long as it's not vulnerable to cross compiled stuff, etc) VM and use that for searching out scary stuff.

        Even with a Windows VM, you can snapshot it before you start so you can roll back to a working version, NAT it out of your main network, etc.

        It's not as hard as it sounds, and it's well worth researching and implementing it, especially if you're now newly paranoid about that sorta thing.

        No OS zealoutry, just good old fashioned common sense. :-)

        Steven R

        1. David 14

          Re: Sensible to Suggest Ways of Blocking The Spread?

          Or maybe just download the free VMware Viewer application from www.vmware.com and then download one of the many pre-packaged Web Browser Linux appliance virtual machines. This makes a VM on your machine that is a rock-solid barrier between your web browser and your on-machines files. Use your regular browser for known and trusted sites, let the appliance be your way to browse the net for fun or even for "dodgy" stuff... lol.

    3. J__M__M

      Re: Sensible to Suggest Ways of Blocking The Spread?

      We should all... have all our users on all our networks that always follow all the "We should all" instructions we give them. All.

      (rim shot)

      Great crowd, thank you very much. I'm here all week.

    4. nematoad
      Linux

      Re: Sensible to Suggest Ways of Blocking The Spread?

      If all else fails and getting things sorted out is proving to be a problem.

      Use TAILS. (The Amnesiac Incognito Live System) Look on it as Tor on steroids.

      See:

      https://tails.boum.org/

    5. Psepha

      Re: Sensible to Suggest Ways of Blocking The Spread?

      Has anyone used http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#prevent ?

      FollishIT appears to have a tool that may help in blocking it but not had time to try it out.

    6. gubbool

      Re: Sensible to Suggest Ways of Blocking The Spread?

      EMET

      Enhanced Mitigation Experience Toolkit

      Free from Bill.

  4. Conrad Longmore
    Facepalm

    Russia or Eastern Europe?

    Russia or Eastern Europe? Really? Who would have guessed that?

    1. collinsl Bronze badge

      Re: Russia or Eastern Europe?

      Unless of course the team is in some other country and is just obfuscating themselves to be in Russia/Eastern Europe?

      1. Destroy All Monsters Silver badge
        Pint

        mcvax!moskvax!kremvax!chernenko

        In Putin's Russia, encryption uses you!

  5. John Smith 19 Gold badge
    Unhappy

    Note the games theory aspect. It's an "honest" criminal.

    You pay money -->get files back.

    No money --> no files back (AFAIK).

    So it uses the Microsoft Crypto API ?

    Is this ever called the CrAPI by any chance?

    I also note it seems to rely on a set of "Cryptographic Service Providers."

    I presume that like any windows service they can be manually shut down if they are too slow/resource heavy/useless for user convenience by going to the start menu, choosing run and typing "services.msc" ?

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Note the games theory aspect. It's an "honest" criminal.

      Prior art. It appears there is a how to do manual

      http://link.springer.com/chapter/10.1007%2F11556992_28

      Information Security

      Lecture Notes in Computer Science Volume 3650, 2005, pp 389-401

      Building a Cryptovirus Using Microsoft’s Cryptographic API

      Adam L. Young

      This paper presents the experimental results that were obtained by implementing the payload of a cryptovirus on the Microsoft Windows platform. A novel countermeasure against cryptoviral extortion is presented that forces the API caller to demonstrate that an authorized party can recover the asymmetrically encrypted data. The attack is based entirely on the Microsoft Cryptographic API and the needed API calls are covered in detail. The exact sequence of API calls that is used for both the viral payload and the code for key generation, decryption, and so on is given. More specifically, it is shown that by using 8 types of API calls and 72 lines of ANSI C code, the payload can hybrid encrypt sensitive data and hold it hostage on the host computer system. These findings demonstrate the ease with which one can apply cryptography to devise the payload of a cryptovirus when a cryptographic API is readily available on host machines.

  6. veti Silver badge

    Want to declare an interest?

    "Thieving", "scourge", "menace", "gang of crooks" - while not unreasonable in context, are still strong words, and I can't help feeling they're not typical of the coverage usually given to viruses/trojans/etc on this site. There is an uncharacteristic degree of venom there.

    In the interests of full disclosure, could El Reg clarify whether anyone involved in the writing or editing of this or other BitLocker stories has actually been affected by it at first hand?

    1. Anonymous Coward
      Anonymous Coward

      Re: Want to declare an interest?

      You don't need to have been burgled or have had your car nicked to consider burglars or car theives to be a menace/scourge/theiving gits etc.

      I've had a couple of sites affected by this (thankfully with offline backups etc) and I fully support the sentiment, TBH. This malware is particularly nasty, and no amount of AV will stop a user from ignoring the warnings and letting it loose on their network.

  7. phil dude
    Linux

    hmmmm, there are those that backup...

    and those that WILL backup... D.Adams.

    I'm feeling the need for some tape in my life....

    P.

  8. Chairo
  9. Shannon Jacobs
    Holmes

    This is why "Live and let spam" is bad

    Kind of too late now, but if these criminals had been driven out of business years ago, then they wouldn't have become the monstrous threat they now are. Not all, but most of the infrastructure they are now using has evolved steadily over the years of playing patty-cake with the spammers. The scams have been profitable enough to keep them at it, and now we have this ongoing fiasco.

    In particular, if the major email providers had been serious about shutting down the spammers' business models starting some years ago, maybe we would not have reached this point. Now it's basically too late and we are dealing with serious and professional criminals, but... Imagine if the email providers had bothered to provide integrated anti-spammer tools starting several years ago. Rather than playing games and feeding the spammers while they grew so strong and dangerous, we--ALL of the people who sincerely and fiercely hate spam--could have helped shut down ALL of the spammers' infrastructure, pursue ALL of the spammers' accomplices, and help and protect ALL of the spammers' victims. The "victims" is not just the suckers who send money to the spammers, but the corporations whose reputations are abused by the spammers, and even all of the other people who use the Internet.

    Tell you what. I'll sponsor a prize for anyone who can convince me the spammers make ANY positive contribution to the world. I'm not saying we can cure their vicious sociopathy, but we could have pushed them under less visible rocks.

    Oh well. Evidently it's too late now. We don't have any option but to live with them--and in perpetual fear of clicking on the wrong attachment.

  10. Anonymous Coward
    Anonymous Coward

    cyber-threat is run from Eastern Europe - or Russia

    I think you will find Russia is in Eastern Europe

    1. nematoad
      Headmaster

      Re: cyber-threat is run from Eastern Europe - or Russia

      "I think you will find Russia is in Eastern Europe"

      Well, to be pedantic, a small part of Russia is in Eastern Europe.

      The vast majority, by area, is in Asia.

  11. MJI Silver badge

    They need culling

    Only answer now, if these people disappear it will put off copycats.

  12. Anonymous Coward
    Anonymous Coward

    Offer a reward

    Offer a $<multi> million reward and amnesty for information leading to the capture and prosecution of the offenders.

    Some of those involved will have no qualms about turning in the rest of their group to get a life of anonymous luxury on some hot island for the rest of their days.

    Once the identitied are know do not leave it up to the US to distribute justice. Instead, deal with the Russion authorities and have them take care of matters. For they are far more scary in their approach to making an example of such people.

    1. Anonymous Coward
      Anonymous Coward

      Re: Offer a reward

      " Instead, deal with the Russion authorities and have them take care of matters"

      Dream on, mate! A big part of the problem is that the Russian state and Russian criminals exist on a continuum, not a binary scale. And not in the manner of the ongoing till-dipping and employ-your-mates graft prevalent in the US or UK, but on a much larger, more open and more brutal scale. We all know what happens to investigative journalists in Russia for example - murdered, and the authorities never seem to find the cuplrits.

      So the chances are that the Cryptolocker gang are already part of criminal/political gang run by a mid level oligarch in some sh1tty oblast in southern Russia. And if they aren't they'll be looking to use their new found wealth to buy friends and influence. The only prospect of the authorities turning on them is if those same authorities think they aren't getting their cut, and have the back up of even more powerful thugs.

      Progessively isolating increasingly large amounts of the internet is the only answer, because that would force the Russian government's hand when the tap is about to be turned off. But I simply don't think that US or European politicians are clever enough or brave enough to start such a move. Funny, isn't it. All this NSA and GCHQ data and phone scraping and storing "to keep us safe" and the useless f*ckers can't protect us from spam or business-grade malware?

    2. davemcwish

      Re: Offer a reward

      I suspect that if that was offered, the actual reward will be:-

      life of anonymous luxury = encaration in a United States Naval Station

      on some hot island = Guantánamo Bay, Cuba

  13. Anonymous Coward
    Anonymous Coward

    Advanced bitcoin thieving ransomware menace ..

    Ban this Google Android Malware immediately ...

  14. 2cent

    Is this the right key?

    "Using the Microsoft CryptoAPI, Cryptolocker encrypts each file with a unique AES key, which is then encrypted with the RSA public key received from the crooks’ server. "

    Does this mean that replacing or removing Microsoft CryptoAPI stops CryptoLocker from action before or during infection?

    1. Bronek Kozicki
      Unhappy

      Re: Is this the right key?

      I guess it would also stop your computer from working. Sadly, this particular API is part of the operating system and most likely used internally (also under user own credentials).

This topic is closed for new posts.

Other stories you might like