This warning came through our Corporate Security. It is
real, and this Trojan malware is on the rise. Beware!
What is CryptoLocker?
CryptoLocker, or the Crypto virus, is a ransomware Trojan that
targets Microsoft Windows systems. This Trojan encrypts files on the victim's hard
drive and holds them for ransom. There is no guarantee that the contents of the hard
drive will be recoverable if the ransom gets paid. The first recorded instance
of this kind of virus attack was in September 2013, with several known variants
existing today.
How does it propagate?
Typically, the CryptoLocker attack comes from a
legitimate-looking email attachment or a link enticing the recipient to
double-click it. If the user opens the attachment or link, this malware
encrypts selected files stored on local or mounted network drives, with the
private key stored only on the malware's control servers. The malware then
displays a pop-up message offering to decrypt the data only if a ransom is paid
by a deadline either through a pre-paid voucher or Bitcoin. This is invariably
accompanied by a threat to delete the private key if the deadline passes and no
payment is received. If the deadline is not met, the malware offers to decrypt
data via an online service provided by the malware's operators, for a
significantly higher price in Bitcoin.
What is happening?
CryptoLocker is a ransomware program that was
released around the beginning of September 2013 that targets all versions of
Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This
ransomware will encrypt certain files using a mixture of RSA & AES
encryption. When it has finished encrypting your files, it will display a
CryptoLocker payment program that prompts you to send a ransom of either $100
or $300 in order to decrypt the files. This screen will also display a timer
stating that you have 72 hours, or 4 days, to pay the ransom or it will delete
your encryption key and you will not have any way to decrypt your files. This
ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the
payment and it is verified, the program will decrypt the files that it
encrypted.
When you first become infected with CryptoLocker, it will
save itself under a random filename in the root of the %AppData% or
%LocalAppData% path. It will then create one of the following autostart entries
in the registry to start CryptoLocker when you log in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker_<version_number>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker_<version_number>"
The infection will also hijack your .EXE extensions so
that when you launch an executable it will attempt to delete the Shadow Volume
Copies that are on the affected computer. It does this because you can use
shadow volume copies to restore your encrypted files. The command that is run when
you click on an executable is:
"C:\Windows\SysWOW64\cmd.exe" /C "C:\Windows\Sysnative\vssadmin.exe" Delete Shadows /All /Quiet
The .EXE hijack in the Registry will look similar to the
following. Please note that registry key names will be random.
[HKEY_CLASSES_ROOT\.exe]
@="Myjiaabodehhltdr"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKEY_CLASSES_ROOT\Myjiaabodehhltdr]
[HKEY_CLASSES_ROOT\Myjiaabodehhltdr\DefaultIcon]
@="%1"
[HKEY_CLASSES_ROOT\Myjiaabodehhltdr\shell]
[HKEY_CLASSES_ROOT\Myjiaabodehhltdr\shell\open]
[HKEY_CLASSES_ROOT\Myjiaabodehhltdr\shell\open\command]
@="\"C:\\Users\\User\\AppData\\Local\\Rlatviomorjzlefba.exe\" - \"%1\" %*"
Once the infection has successfully deleted your shadow
volume copies, it will restore your exe extensions back to the Windows
defaults.
The infection will then attempt to find a live Command
& Control server by connecting to domains generated by a Domain Generation
Algorithm. Some examples of domain names that the DGA will generate are
lcxgidtthdjje.org, kdavymybmdrew.biz, dhlfdoukwrhjc.co.uk, and
xodeaxjmnxvpv.ru. Once a live C&C server is discovered it will communicate
with it and receive a public encryption key that will be used to encrypt your
data files. It will then store this key along with other information in values
under the registry key HKEY_CURRENT_USER\Software\CryptoLocker_0388.
Unfortunately, the private key that is used to decrypt the infected files is
not saved on the computer but rather the Command & Control server.
CryptoLocker will then begin to scan all physical or
mapped network drives on your computer for files with the following extensions:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls,
*.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst,
*.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf,
*.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf,
*.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw,
*.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der,
*.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c. When it finds files that match
one of these types, it will encrypt the file using the public encryption key
and add the full path to the file and the filename as a value under the
HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files Registry key.
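The registry and file-system indicators listed above (the Run/RunOnce autostart values, the .EXE handler hijack, the CryptoLocker_<version> key with its Files subkey, and the executable dropped in the root of %AppData% or %LocalAppData%) can be checked in one pass. The following PowerShell script is an added example written for this page; it is not part of the original advisory and not a tool from any of the vendors named on it. It is read-only: it reports what it finds and exports the list of file paths recorded under the Files subkey (useful when deciding what to restore from backup), but it changes nothing. Run it from an elevated PowerShell prompt on the suspect machine; the output path on the Desktop is an assumption you can change.

```powershell
# Added example: read-only triage for the CryptoLocker indicators described
# in the advisory. Changes nothing; prints findings and exports the recorded
# file list to the Desktop (assumed location).
$findings = New-Object System.Collections.Generic.List[string]

# 1. Autostart values named CryptoLocker* (with or without the leading '*')
#    under the current user's Run and RunOnce keys.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like '*CryptoLocker*') {
                $findings.Add("Autostart value '$($p.Name)' in $key -> $($p.Value)")
            }
        }
    }
}

# 2. The per-infection key (e.g. CryptoLocker_0388) that stores the public key,
#    and its Files subkey whose value names record the encrypted files.
$clKeys = Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue |
          Where-Object { $_.PSChildName -like 'CryptoLocker_*' }
foreach ($k in $clKeys) {
    $findings.Add("Infection key present: $($k.Name)")
    $filesKey = "$($k.PSPath)\Files"
    if (Test-Path $filesKey) {
        $names  = (Get-Item $filesKey).GetValueNames()
        $report = Join-Path $env:USERPROFILE 'Desktop\cryptolocker-files.txt'
        $names | Out-File -FilePath $report
        $findings.Add("$($names.Count) file entries exported from $filesKey to $report")
    }
}

# 3. The .EXE handler hijack: the default value of HKCR\.exe is 'exefile' on a
#    clean system; anything else is suspicious, so show its open command.
$exeHandler = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe').'(default)'
if ($exeHandler -ne 'exefile') {
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$exeHandler\shell\open\command"
    $cmd = if (Test-Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' } else { '<missing>' }
    $findings.Add(".exe is handled by '$exeHandler' (expected 'exefile'); open command: $cmd")
}

# 4. Running processes whose image sits directly in the root of %AppData% or
#    %LocalAppData%, where the dropper saves itself under a random name.
$roots = @($env:APPDATA, $env:LOCALAPPDATA)
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $dir = Split-Path -Path $_.Path -Parent
    if ($roots -contains $dir) {
        $findings.Add("Process $($_.Id) ($($_.ProcessName)) running from $($_.Path)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No CryptoLocker indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Check 3 is the one worth running even when the autostart values are absent: the advisory notes that the infection restores the .EXE association after the shadow copies are gone, so a hijacked handler means the vssadmin step has probably not run yet and the machine should be isolated before any further executable is launched.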
When it has finished encrypting your data files it will
then show the CryptoLocker screen as shown above and demand a ransom of either
$100 or $300 in order to decrypt your files. This ransom must be paid
using Bitcoin or MoneyPak vouchers. It also states that you must pay this
ransom within 96 hours or the private encryption key will be destroyed on the
developer's servers.
How to avoid the attack?
* Back up your data. The single biggest thing that will
defeat ransomware is having a regularly updated backup. If you are attacked
with ransomware you may lose that document you started earlier this morning,
but if you can restore your system to an earlier snapshot or clean up your
machine and restore your other lost documents from backup, you can rest easy.
Remember that Cryptolocker will also encrypt files on drives that are mapped.
This includes any external drives such as a USB thumb drive, as well as any
network or cloud file stores that you have assigned a drive letter. So, what
you need is a regular backup regimen, to an external drive or backup service,
one that is not assigned a drive letter or is disconnected when it is not doing
backup.
* When using your email, do not double-click on
attachments or links from unknown sources.
* If you receive an email from a trusted source,
scrutinize the email and be cautious about clicking on any attachments or links.
* Be careful with email that has been classified as junk.
* Be on the look-out for any attachments that have a
double-extension, such as attachment.pdf.exe. Enable the option “Show hidden file-extensions” to see
the full file-extension, as it can be easier to spot suspicious files.
* Be cautious when visiting any external website. Malware can originate from websites that appear
legitimate.
* Disable files running from AppData/LocalAppData
folders. You can create rules within Windows or with Intrusion Prevention
Software, to disallow a particular, notable behavior used by Cryptolocker,
which is to run its executable from the App Data or Local App Data folders. If
(for some reason) you have legitimate software that you know is set to run not
from the usual Program Files area but the App Data area, you will need to
exclude it from this rule.
* Disable RDP. The Cryptolocker/Filecoder malware often
accesses target machines using Remote Desktop Protocol (RDP), a Windows utility
that allows others to access your desktop remotely. If you do not require the
use of RDP, you can disable RDP to protect your machine from Filecoder and
other RDP exploits.
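The two host-level controls just described (blocking executables that run from the AppData folders, and disabling RDP where it is not needed) can be applied without the GUI. The PowerShell script below is an added example written for this page; it is not the advisory's own code and not the CryptoPrevent or Third Tier kit, although it writes Software Restriction Policy path rules to the same registry location the Local Security Policy console uses (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with level 0 meaning Disallowed). The block patterns, rule description text and the choice to apply the policy to administrators as well (PolicyScope 0) are this example's assumptions. Run it elevated; add an Unrestricted-level rule for any legitimate software that lives in AppData before deploying it, as the advisory notes.

```powershell
# Added example: apply the two hardening steps from the advisory.
# Part 1: Software Restriction Policy path rules that disallow executables
# under %AppData% and %LocalAppData% (written to the registry location the
# Local Security Policy console uses; level 0 = Disallowed).
$safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = "$safer\0\Paths"

foreach ($p in @($safer, "$safer\0", $disallowed)) {
    if (-not (Test-Path $p)) { New-Item -Path $p | Out-Null }
}
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0x40000 -Type DWord  # everything else stays Unrestricted
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1       -Type DWord  # enforce on all software files except DLLs
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0       -Type DWord  # 0 = all users, including administrators
if (-not (Get-ItemProperty -Path $safer).ExecutableTypes) {
    # Default designated file types used by SRP when none are configured yet.
    Set-ItemProperty -Path $safer -Name ExecutableTypes -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
        'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
        'SCR','SHS','URL','VB','WSC')
}

# Patterns to block (assumed for this example): executables in the root of the
# two folders and one level below them.
$blocked = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe'
)
$existing = Get-ChildItem -Path $disallowed | ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
foreach ($pattern in $blocked) {
    if ($existing -contains $pattern) { continue }   # idempotent on re-run
    $ruleKey = "$disallowed\$([guid]::NewGuid().ToString('B').ToUpper())"
    New-Item -Path $ruleKey | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $pattern -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0        -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value 'Block executables in AppData (CryptoLocker mitigation)' -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ((Get-Date).ToFileTime()) -Type QWord
    Write-Output "Added Disallowed rule for $pattern"
}

# Part 2: disable Remote Desktop and close its firewall rule group.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 1 -Type DWord
if (Get-Command Disable-NetFirewallRule -ErrorAction SilentlyContinue) {
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'          # Windows 8 / Server 2012 and later
} else {
    netsh advfirewall firewall set rule group="remote desktop" new enable=No   # Vista / 7
}
Write-Output 'Done. SRP rules apply to newly started processes; log off or reboot to be sure.'
```

Before rolling this out across a domain, test it on one workstation with the line-of-business software in use: anything that updates or runs from AppData (several browsers and chat clients do) will be blocked until an Unrestricted rule (level key 262144 under CodeIdentifiers) is added for its path.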
What to do if your computer is infected?
* Despite the virus’s warning not to “disconnect from the
Internet or turn off the computer,” this is exactly what you should do
immediately. Unplugging your computer may save some of your files, if the virus
is still in the process of infecting them.
* Use System Restore to get back to a known-clean state. If
you have System Restore enabled on your Windows machine, you might be able to
take your system back to a known-clean state. But, again, you have to out-smart
the malware. Newer versions of Cryptolocker can have the ability to delete
“Shadow” files from System Restore, which means those files will not be there
when you try to replace your malware-damaged versions. Cryptolocker will
start the deletion process whenever an executable file is run, so you will need
to move very quickly as executables may be started as part of an automated
process. That is to say, executable files may be run without you knowing, as a
normal part of your Windows system’s operation.
* If you do have a backup, it’s time to wipe your
computer of the virus, and restore from the drive image.
* Paying or not paying the ransom is up to you, but there
were some reports that even paying the ransom did not help to unlock the files.
* Set the BIOS clock back. Cryptolocker has a payment
timer that is generally set to 72 hours, after which time the price for your
decryption key goes up significantly. (The price may vary as Bitcoin has a
fairly volatile value. At the time of writing the initial price was .5 Bitcoin
or $300, which then goes up to 4 Bitcoin). You can “beat the clock” somewhat,
by setting the BIOS clock back to a time before the 72 hour window is up. Note
that it might only delay the "execution", but you may need the extra time to
decide how to deal with the situation.
* It is not advised that you remove the infection from
the %AppData% folder until you decide if you want to pay the ransom. If you do
not need to pay the ransom, simply delete the Registry values and files and the
program will not load anymore. You can then restore your data via other
methods.
* It is important to note that the CryptoLocker infection
spawns two processes of itself. If you only terminate one process, the other
process will automatically launch the second one again. Instead use a program
like Process Explorer and right click on the first process and select Kill
Tree. This will terminate both at the same time.
Is it possible to decrypt files encrypted by CryptoLocker?
Unfortunately at this time there is no way to retrieve
the private key that can be used to decrypt your files without paying the
ransom. Brute forcing the decryption key is not realistic due to the length of
time required to break the key. Also any decryption tools that have been
released by various companies will not work with this infection. The only
method you have of restoring your files is from a backup or Shadow Volume
Copies if you have System Restore enabled.
Will paying the ransom actually decrypt your files?
Paying the ransom will start the decryption process of
the CryptoLocker infection. When you pay the ransom you will be shown a screen
stating that your payment is being verified. Reports from people who have paid
this ransom state that this verification process can take 3-4 hours to
complete. Once the payment has been verified, the infection will start
decrypting your files. Once again, it has been reported that the decryption
process can take quite a bit of time.
Be warned, that there have been some reports that the
decryption process may give an error stating that it can't decrypt a particular
file. At this point we have no information as to how to resolve this. Visitors
have reported that the infection will continue to decrypt the rest of the files
even if it has a problem with certain files.
What to do if your anti-virus software deleted the infection files and you want to pay the ransom!
As many anti-virus programs would delete the CryptoLocker
executables after the encryption started, you would be left with encrypted
files and no way to decrypt them. Recent versions of CryptoLocker will now set
your Windows wallpaper to a message that contains a link to a decryption tool
that you can download in case this happens. There are numerous reports that
this download will not double-encrypt your files and will allow you to decrypt
encrypted files.
How to prevent it?
CryptoPrevent
CryptoPrevent is a tiny utility to lock down any Windows
OS (XP, Vista, 7, 8, and 8.1) to prevent infection by the Cryptolocker malware.
Incidentally, due to the way that CryptoPrevent works, it actually protects
against a wide variety of malware, not just Cryptolocker! CryptoPrevent is
completely FREE for personal and commercial
usage.
Cryptolocker Prevention Kit
The SMBKitchen Crew and Third Tier staff have put
together a group of materials that were published as part of our SMBKitchen
Project and only available to subscribers. However because this virus is
spreading so rapidly and is so serious they have decided to make these
materials available to everyone.
The kit includes an article on cleaning up after
infection but, more importantly, provides materials and instructions for deploying
preventative blocks using software restriction policies. The articles provide
instructions for installing them via GPO on domain computers and terminal servers,
and on non-domain-joined machines too.
CryptoLocker Prevention Kit by Pearl Computer
A kit compiled by Pearl Computer is also a tool for
preventing the CryptoLocker virus from infecting your servers and workstations.
Sources and Additional Information:
http://www.wintips.org/how-to-remove-cryptolocker-ransomware-and-restore-your-files/