Tuesday, May 6, 2014

How to prevent your computer from being infected by ransomware Crypto Virus?

This warning came through our Corporate Security. It is real, and this Trojan malware is on the raise. Beware!

What is CryptoLocker? 

CryptoLocker or Crypto virus is a ransom-ware Trojan that targets Microsoft Windows systems. This Trojan encrypts the victim’s hard-drive and holds it for ransom. There is no guarantee that the contents of the hard drive will be recoverable if the ransom gets paid. The first recorded instance of this kind of virus attack was in September 2013 with several known variants existing today.

Image and video hosting by TinyPic

How it propagates?

Typically, the CryptoLocker attack comes from a legitimate looking email attachment or a link enticing the recipient to double-click it. If the user opens the attachment or link, this malware encrypts selected files stored on local or mounted network drives, with the private key stored only on the malware's control servers. The malware then displays a pop-up message offering to decrypt the data only if a ransom is paid by a deadline either through a pre-paid voucher or Bitcoin. This is invariably accompanied by a threat to delete the private key if the deadline passes and no payment is received. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin.

What happening?

CryptoLocker is a ransomware program that was released around the beginning of September 2013 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

When you first become infected with CryptoLocker, it will save itself as a random named filename to the root of the %AppData% or %LocalAppData% path. It will then create one of the following autostart entries in the registry to start CryptoLocker when you login:

KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker_<version_number>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker_<version_number"

The infection will also hijack your .EXE extensions so that when you launch an executable it will attempt to delete the Shadow Volume Copies that are on the affected computer. It does this because you can use shadow volume copies to restore your encrypted files. The command that is run when you click on an executable is:

"C:\Windows\SYsWOW64\cmd.exe" /C "C:\Windows\Sysnative\vssadmin.exe" Delete Shadows /All /Quiet

The .EXE hijack in the Registry will look similar to the following. Please note that registry key names will be random.

"Content Type"="application/x-msdownload"






@="\"C:\\Users\\User\\AppData\\Local\\Rlatviomorjzlefba.exe\" - \"%1\" %*"

Once the infection has successfully deleted your shadow volume copies, it will restore your exe extensions back to the Windows defaults.

The infection will then attempt to find a live Command & Control server by connecting to domains generated by a Domain Generation Algorithm. Some examples of domain names that the DGA will generate are lcxgidtthdjje.org, kdavymybmdrew.biz, dhlfdoukwrhjc.co.uk, and xodeaxjmnxvpv.ru. Once a live C&C server is discovered it will communicate with it and receive a public encryption key that will be used to encrypt your data files. It will then store this key along with other information in values under the registry key under HKEY_CURRENT_USER\Software\CryptoLocker_0388. Unfortunately, the private key that is used to decrypt the infected files is not saved on the computer but rather the Command & Control server.

CryptoLocker will then begin to scan all physical or mapped network drives on your computer for files with the following extensions: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c. When it finds files that match one of these types, it will encrypt the file using the public encryption key and add the full path to the file and the filename as a value under the HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files Registry key.

When it has finished encrypting your data files it will then show the CryptoLocker screen as shown above and demand a ransom of either $100 or $300 dollars in order to decrypt your files. This ransom must be paid using Bitcoin or MoneyPak vouchers. It also states that you must pay this ransom within 96 hours or the private encryption key will be destroyed on the developer's servers.

Image and video hosting by TinyPic

How to avoid the attack?

* Back up your data. The single biggest thing that will defeat ransomware is having a regularly updated backup. If you are attacked with ransomware you may lose that document you started earlier this morning, but if you can restore your system to an earlier snapshot or clean up your machine and restore your other lost documents from backup, you can rest easy. Remember that Cryptolocker will also encrypt files on drives that are mapped. This includes any external drives such as a USB thumb drive, as well as any network or cloud file stores that you have assigned a drive letter. So, what you need is a regular backup regimen, to an external drive or backup service, one that is not assigned a drive letter or is disconnected when it is not doing backup.
* Whether using your email, do not double-click on attachments/links from unknown sources.
* If you receive an email from a trusted source, scrutinize the email and be cautious about clicking on any attachments or links.
* Be careful with email that has been classified as junk.
* Be on the look-out for any attachments that have a double-extension, such as attachment.pdf.exe. Enable the option “Show hidden file-extensions” to see the full file-extension, as it can be easier to spot suspicious files.
* Be cautious when visiting all external websites.  Malware originates from websites that appear legitimate.
* Disable files running from AppData/LocalAppData folders. You can create rules within Windows or with Intrusion Prevention Software, to disallow a particular, notable behavior used by Cryptolocker, which is to run its executable from the App Data or Local App Data folders. If (for some reason) you have legitimate software that you know is set to run not from the usual Program Files area but the App Data area, you will need to exclude it from this rule.
* Disable RDP. The Cryptolocker/Filecoder malware often accesses target machines using Remote Desktop Protocol (RDP), a Windows utility that allows others to access your desktop remotely. If you do not require the use of RDP, you can disable RDP to protect your machine from Filecoder and other RDP exploits.

What to do if your computer is infected?

* Despite the virus’s warning not to “disconnect from the Internet or turn off the computer,” this is exactly what you should do immediately. Unplugging your computer may save some of your files, if the virus is still in the process of infecting them.
* Use System Restore to get back to a known-clean state. If you have System Restore enabled on your Windows machine, you might be able to take your system back to a known-clean state. But, again, you have to out-smart the malware. Newer versions of Cryptolocker can have the ability to delete “Shadow” files from System Restore, which means those files will not be there when you try to to replace your malware-damaged versions. Cryptolocker will start the deletion process whenever an executable file is run, so you will need to move very quickly as executables may be started as part of an automated process. That is to say, executable files may be run without you knowing, as a normal part of your Windows system’s operation.
* If you do have a backup, it’s time to wipe your computer of the virus, and restore from the drive image.
* Paying or not paying the ransom is up to you, but there were some reports that even paying the ransom did not help to unlock the files.
* Set the BIOS clock back. Cryptolocker has a payment timer that is generally set to 72 hours, after which time the price for your decryption key goes up significantly. (The price may vary as Bitcoin has a fairly volatile value. At the time of writing the initial price was .5 Bitcoin or $300, which then goes up to 4 Bitcoin). You can “beat the clock” somewhat, by setting the BIOS clock back to a time before the 72 hour window is up. Note that it might only delay the “execution”, but you may need to have more time to decide how to deal with situation.
* It is not advised that you remove the infection from the %AppData% folder until you decide if you want to pay the ransom. If you do not need to pay the ransom, simply delete the Registry values and files and the program will not load anymore. You can then restore your data via other methods.
* It is important to note that the CryptoLocker infection spawns two processes of itself. If you only terminate one process, the other process will automatically launch the second one again. Instead use a program like Process Explorer and right click on the first process and select Kill Tree. This will terminate both at the same time.

Is it possible to decrypt files encrypted by CryptoLocker?

Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom. Brute forcing the decryption key is not realistic due to the length of time required to break the key. Also any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup or Shadow Volume Copies if you have System Restore enabled.

Will paying the ransom actually decrypt your files?

Paying the ransom will start the decryption process of the CryptoLocker infection. When you pay the ransom you will be shown a screen stating that your payment is being verified. Reports from people who have paid this ransom state that this verification process can take 3-4 hours to complete. Once the payment has been verified, the infection will start decrypting your files. Once again, it has been reported that the decryption process can take quite a bit of time.

Be warned, that there have been some reports that the decryption process may give an error stating that it can't decrypt a particular file. At this point we have no information as how to resolve this. Visitors have reported that the infection will continue to decrypt the rest of the files even if it has a problem with certain files.

Image and video hosting by TinyPic

What to do if your anti-virus software deleted the infection files and you want to pay the ransom!

As many anti-virus programs would delete the CryptoLocker executables after the encryption started, you would be left with encrypted files and no way to decrypt them. Recent versions of CryptoLocker will now set your Windows wallpaper to a message that contains a link to a decryption tool that you can download in case this happens. There are numerous reports that this download will not double-encrypt your files and will allow you to decrypt encrypted files.

How to prevent?


CryptoPrevent is a tiny utility to lock down any Windows OS (XP, Vista, 7, 8, and 8.1) to prevent infection by the Cryptolocker malware. Incidentally, due to the way that CryptoPrevent works, it actually protects against a wide variety of malware, not just Cryptolocker! CryptoPrevent is completely FREE for personal and commercial usage.

Cryptolocker Prevention Kit

The SMBKitchen Crew and Third Tier staff have put together a group materials that were published as part of our SMBKitchen Project and only available to subscribers. However because this virus is spreading so rapidly and is so serious they have decided to make these materials available to everyone.

The kit includes an article on cleaning up after infection but more importantly provides materials and instruction for deploying preventative block using software restriction policies. The articles provide instruction for installing them via GPO on domain computers and terminal servers, and non-domain joined machines too.

The kit can be downloaded as a single packaged ZIP from the link: http://www.thirdtier.net/downloads/CryptolockerPreventionKit.zip

CryptoLocker Prevention Kit by Pearl Computer

A kit compiled by Pearl Computer is also a tool for preventing the CryptoLocker virus from infecting your servers and workstations.

Sources and Additional Information:

No comments:

Related Posts Plugin for WordPress, Blogger...