CryptoLocker Ransomware



We recently dealt with a local business that was infected with this dangerous piece of software. While this business was not a client or managed customer, we received a call from them for malware removal.


The Facts:

  • Windows XP Professional.
  • Machine was infected with several known backdoor infections, not just CryptoLocker.
  • CryptoLocker alerted the user via a popup letting them know their files were encrypted and that to decrypt them they must send 2 bitcoins or $300 via MoneyPak.
  • 28,000 files encrypted/useless.


We discovered that, sure enough, their documents and pictures were encrypted. We then went to their backup and found that this too was encrypted. Any mapped share the infected machine had write access to was also encrypted; it did not, however, encrypt network shares that were accessible but not mapped. We immediately began research into the software. In this case (the worst case) the conclusion was made to gamble on making payment; after all, there was nothing more to lose once we discovered their backup was also bad. Once payment was made the software took a few hours, then started decrypting all the files it had originally encrypted. Obviously many measures have since been taken to guard against this sort of "ransomware" incident, including the most basic, a working backup. At this time Malwarebytes claims to catch this; however, with the machine already infected with other known viruses, we conclude CryptoLocker was delivered via a backdoor trojan or RAT. It is likely most AV software would have alerted on the prior infections.
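Triage in a case like this starts with establishing which files are actually damaged, and the backup location and every mapped share have to be checked the same way as the local profile. The following Python is an added example, not tooling from this post: it walks a directory tree and flags files whose leading bytes no longer match what their extension promises (a .pdf that does not start with %PDF, a .xlsx that has lost its ZIP signature), reporting the entropy of the suspect bytes alongside. The magic-byte table and the sample files it builds in a temporary directory are constructed for the demonstration.

```python
"""Find documents whose content no longer matches their extension (added triage example)."""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Constructed table of leading bytes expected for common document and image types.
ZIP, OLE = b"PK\x03\x04", b"\xd0\xcf\x11\xe0"
MAGIC = {
    ".pdf": (b"%PDF",), ".docx": (ZIP,), ".xlsx": (ZIP,), ".pptx": (ZIP,), ".zip": (ZIP,),
    ".doc": (OLE,), ".xls": (OLE,), ".ppt": (OLE,),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",), ".png": (b"\x89PNG",), ".bmp": (b"BM",),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits near 8.0, plain text and most office formats well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: str, sample_size: int = 4096) -> tuple:
    """Return (verdict, entropy): verdict is 'ok', 'magic-mismatch' or 'unknown-type'."""
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    entropy = shannon_entropy(head)
    if expected is None:
        return "unknown-type", entropy
    if any(head.startswith(sig) for sig in expected):
        return "ok", entropy
    return "magic-mismatch", entropy

def scan_tree(root: str) -> dict:
    """Walk root (a user profile, a mapped share, a backup mount) and tally verdicts."""
    result = {"ok": 0, "skipped": 0, "suspect": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdict, entropy = classify_file(path)
            if verdict == "ok":
                result["ok"] += 1
            elif verdict == "unknown-type":
                result["skipped"] += 1
            else:
                result["suspect"].append((os.path.relpath(path, root), round(entropy, 2)))
    result["suspect"].sort()
    return result

def build_sample_tree() -> str:
    """Constructed sample: two intact files, one plain-text file, one 'encrypted' spreadsheet."""
    root = tempfile.mkdtemp(prefix="cl_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "invoice.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 20)
    with open(os.path.join(docs, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + bytes(range(256)) * 4)
    with open(os.path.join(docs, "notes.txt"), "wb") as f:
        f.write(b"plain text, no signature to check\n")
    # Deterministic pseudo-random bytes stand in for ciphertext that replaced the spreadsheet.
    filler = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    with open(os.path.join(docs, "budget.xlsx"), "wb") as f:
        f.write(filler)
    return root

if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(f"ok={report['ok']} skipped={report['skipped']} suspect={len(report['suspect'])}")
    for rel, ent in report["suspect"]:
        print(f"  {rel}: entropy {ent}")
```

The check is content-based rather than name-based, so it works whether or not the ransomware renames what it encrypts. Entropy alone is a poor signal for .docx/.xlsx/.zip, which are compressed and already read as near-random; that is why the signature mismatch is the verdict and the entropy is only reported for context.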


Basic proactive advice for anyone else who encounters this software:


  1. Consider becoming a managed client!!
  2. A working backup, both offsite and onsite, with rotation, not just a simple file-based backup. The backup location should not be mounted to any one system and should contain EVERYTHING, not just user locations: an encrypted IMAGE backup.
  3. Stop running Windows XP; it is going out anyway next April 2014. In this case, had it been a Windows 7+ machine, we likely would have been able to "restore previous version" of the encrypted files, avoiding payment to them.
  4. Always run more than a single anti-virus/anti-malware product. No one solution will catch everything.
  5. UPDATE, UPDATE, UPDATE: this includes 3rd-party software along with Microsoft updates.
  6. Consistently educate and remind users of best practice regarding web and email usage.
  7. Enable "show file extensions" for ALL files. The more often someone sees the real extensions of their files (PDF, DOCX), the more likely they are to question an email attachment purporting to be a document but carrying a ZIP or EXE extension.
  8. And finally, again: consider becoming a managed client!!

 

Up-to-date information:

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/page-26#entry3165383

http://www.geek.com/apps/disk-encryptiing-cryptolocker-malware-demands-300-to-decrypt-your-files-1570402/

 

We have posted some specific information below to possibly aid in the takedown of this software. The "PrivateKey" value does not appear in the registry until payment is made.

 

[HKEY_CURRENT_USER\Software\CryptoLocker]
"VersionInfo"=hex:2a,30,9c,81,c3,37,d2,d3,b4,3a,ce,d3,f4,5e,f6,f8,c7,56,f1,f4,\
  c1,51,ff,f6,dc,4b,ed,af,c0,56,e8,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,b0,96,5a,d9,fb,98,02,\
  ab,c5,c1,77,ec,b9,ed,7d,cd,d4,d7,4a,ee,eb,ed,50,df,b6,f6,70,db,c5,c8,06,cf,\
  d7,cc,33,d1,81,c1,33,f2,81,cb,33,e5,81,fe,33,fd,81,c5,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,aa,81,9e,33,a4,81,98,\
  33,ad,81,96,33,ad,81,9c,33,a4,81,98,33,aa,81,9a,33,a5,81,9a,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,9d,33,ac,81,9e,33,bc,81,fb,33,cf,81,ea,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,9d,0b,ff,b4,ca,00,f9,b5,9e,07,fa,b0,cc,52,\
  a5,e0,9f,00,fa,b2,cb,51,a4,b9,99,04,fd,e4,9d,05,f9,b8,c8,0b,f9,b6,9d,51,fa,\
  b0,ae,33,9c,81
"PublicKey"=hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00,00,01,00,01,00,6b,\
  4e,b3,ff,72,08,32,03,84,35,7c,84,5b,89,1a,35,87,37,6a,ba,5f,af,0a,f3,2b,be,\
  35,85,41,70,c8,f9,36,ff,19,3d,81,1f,e9,37,dd,d2,2c,47,b9,53,4f,01,34,51,fb,\
  a9,d1,5b,fd,88,59,c2,ee,d6,e2,c4,e0,8e,1f,ca,85,6a,4b,cb,b9,e7,d9,79,32,f7,\
  52,7f,13,03,54,3e,0b,c2,c5,7b,23,36,a1,c1,db,d9,06,f1,fc,20,71,ab,d0,13,3a,\
  b5,53,f4,f9,cf,8e,a8,38,23,d3,f4,54,1e,7e,b4,a6,38,16,75,1a,e9,ea,cf,6c,83,\
  6e,ce,f0,61,88,12,cc,50,3e,a8,a5,0e,c2,4d,45,29,a4,81,6d,1f,81,66,69,48,df,\
  af,2f,08,2b,8a,30,5c,87,9e,63,ca,56,d6,c6,f6,8a,6c,66,ec,29,2a,96,57,08,00,\
  56,a6,12,ee,fe,39,37,ee,92,ac,c9,ab,b2,21,9c,57,90,7a,d4,84,a9,7d,b3,24,d3,\
  20,2a,21,1d,64,6e,dd,5b,f5,07,7b,df,10,58,a0,e8,91,b8,56,1a,ac,f5,95,a2,86,\
  ba,2b,5b,5c,24,11,fd,5a,59,9b,42,85,53,08,ef,78,74,dc,e6,83,10,ee,b9,59,9e,\
  0d,b1,73,4e,e4
"Wallpaper"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,\
  00,73,00,20,00,61,00,6e,00,64,00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,\
  67,00,73,00,5c,00,55,00,73,00,65,00,72,00,5c,00,4c,00,6f,00,63,00,61,00,6c,\
  00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,41,00,70,00,\
  70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,\
  00,61,00,5c,00,4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,\
  57,00,61,00,6c,00,6c,00,70,00,61,00,70,00,65,00,72,00,31,00,2e,00,62,00,6d,\
  00,70,00,00,00,92,84,e1,b9,f9,f1,4e,80,20,50,d7,8a,20,e7,70,8a,20,e7,70,8a,\
  9e,f0,ee,b9,38,7a,da,8a,18,99,de,8a,b0,02,d5,8a,e0,8a,d3,8a,20,e7,70,8a,00,\
  00,00,00,ff,ff,ff,ff,00,00,00,00,08,00,00,00,2c,2c,71,a7,f9,f1,4e,80,e8,8e,\
  d3,8a,20,e7,70,8a,00,a9,d5,8a,59,94,ed,b9,68,2c,71,a7,70,2c,71,a7,80,2f,de,\
  8a,ed,b6,54,80,00,00,00,00,20,e7,70,8a,c8,2c,98,89,18,99,de,8a,30,e7,70,8a,\
  00,7a,da,8a,94,2c,71,a7,00,22,de,8a,ed,b6,54,80,00,00,00,00,b0,2c,98,89,00,\
  00,00,00,10,38,a1,8a,10,38,a1,8a,00,2c,98,89,38,2d,98,89,00,00,00,00,00,00,\
  00,00,98,00,00,00,73,10,5c,80,00,00,00,00,05,00,00,00,b4,2c,71,a7,d7,10,5c,\
  80,a8,2c,98,89,46,69,6c,e5,00,a9,e0,8a,00,00,00,00,a8,2c,98,89,a8,2c,98,89,\
  cc,2c,71,a7,e6,b4,5b,80,00,00,00,00,b0,2c,98,89,c8,2c,98,89,00,a9,e0,8a,fc,\
  2c,71,a7,e2,67,52,80,c8,2c,98,89,00,00,00,00,cc,02,00,00,b0,2c,98,89,00,00,\
  00,00,b3,c3,5b,80,88,c6,88,89,20,6a,f4,e6,20,b0,58,89,00,a9,e0,8a,44,2d,71,\
  a7,49,c4,5b,80,20,6a,f4,e6,c8,2c,98,89,cc,02,00,00,01,00,00,00,9f,01,12,00,\
  00,00,00,00,64,2d,71,a7,2c,f5,42,01,64,c5,5b,80,c8,2c,98,89,70,9c,00,00,02,\
  00,00,00,00,00,00,00
"PrivateKey"=hex:07,02,00,00,00,a4,00,00,52,53,41,32,00,08,00,00,01,00,01,00,\
  6b,4e,b3,ff,72,08,32,03,84,35,7c,84,5b,89,1a,35,87,37,6a,ba,5f,af,0a,f3,2b,\
  be,35,85,41,70,c8,f9,36,ff,19,3d,81,1f,e9,37,dd,d2,2c,47,b9,53,4f,01,34,51,\
  fb,a9,d1,5b,fd,88,59,c2,ee,d6,e2,c4,e0,8e,1f,ca,85,6a,4b,cb,b9,e7,d9,79,32,\
  f7,52,7f,13,03,54,3e,0b,c2,c5,7b,23,36,a1,c1,db,d9,06,f1,fc,20,71,ab,d0,13,\
  3a,b5,53,f4,f9,cf,8e,a8,38,23,d3,f4,54,1e,7e,b4,a6,38,16,75,1a,e9,ea,cf,6c,\
  83,6e,ce,f0,61,88,12,cc,50,3e,a8,a5,0e,c2,4d,45,29,a4,81,6d,1f,81,66,69,48,\
  df,af,2f,08,2b,8a,30,5c,87,9e,63,ca,56,d6,c6,f6,8a,6c,66,ec,29,2a,96,57,08,\
  00,56,a6,12,ee,fe,39,37,ee,92,ac,c9,ab,b2,21,9c,57,90,7a,d4,84,a9,7d,b3,24,\
  d3,20,2a,21,1d,64,6e,dd,5b,f5,07,7b,df,10,58,a0,e8,91,b8,56,1a,ac,f5,95,a2,\
  86,ba,2b,5b,5c,24,11,fd,5a,59,9b,42,85,53,08,ef,78,74,dc,e6,83,10,ee,b9,59,\
  9e,0d,b1,73,4e,e4,e1,1f,66,6a,df,96,03,4d,d8,c5,11,89,97,dd,a2,7e,c7,45,27,\
  f6,b6,21,dd,61,b8,ed,cf,c5,e4,cf,3a,da,d8,16,09,62,e9,e4,f2,7e,02,f5,d3,38,\
  21,9b,ee,95,4f,ab,4f,9a,89,7b,28,4c,37,7a,68,5d,b7,07,f8,a0,24,ff,62,97,7f,\
  e4,64,c4,e0,f8,c9,91,c6,e5,c4,84,6c,20,e9,4b,08,d9,13,f8,f6,6b,bd,3a,29,69,\
  16,2a,e0,74,98,87,de,7a,c6,45,d9,23,05,72,9e,81,bd,80,a8,57,dd,07,20,96,aa,\
  88,8f,91,2f,84,cb,fc,52,f5,cb,e7,74,08,42,cd,2b,2b,1a,52,fa,62,30,6d,f4,a6,\
  72,76,62,35,b1,63,1c,03,a1,98,86,57,1e,78,f3,94,ec,9a,3e,f5,4b,40,93,53,eb,\
  18,a8,d7,b8,d8,d0,a3,b1,24,21,de,8b,5e,9f,e8,95,be,ab,d3,dd,8e,5c,1c,b4,6f,\
  c3,76,31,62,45,68,93,c8,6f,8c,22,f0,49,f2,46,64,7c,14,ac,17,c2,2f,0f,25,3a,\
  12,88,dd,b1,75,8f,13,95,96,06,98,e6,a1,69,90,01,1f,17,c8,a4,84,6e,ee,cc,2b,\
  9a,36,cf,28,3e,9b,81,ca,4a,e1,3d,ee,a1,ba,1f,49,6e,4f,68,5e,de,a4,13,0f,c1,\
  88,7a,74,3f,91,cb,e8,e5,a1,39,96,01,84,22,c2,3e,86,ac,4e,ee,6c,53,ec,2b,d8,\
  04,c4,ae,e7,a4,85,b3,69,7e,2b,ea,14,ef,54,20,e8,3f,44,ce,b5,0b,9c,17,a6,2a,\
  bd,4f,b3,23,39,a2,92,9e,4d,cb,08,a8,44,e1,6f,c3,a0,f3,48,eb,ba,30,71,13,56,\
  c4,ed,66,27,af,0b,da,a9,83,60,4a,f6,28,bf,9d,10,53,f0,f5,46,42,4c,68,8f,8c,\
  0c,c7,18,3b,c0,80,85,e6,a4,39,68,53,30,f3,32,ef,8f,96,d3,b7,d3,59,09,24,6b,\
  fd,8f,a6,81,2d,be,51,10,3a,e7,64,d7,e7,e6,b7,d2,c3,cb,8d,26,e4,0c,a1,fa,d1,\
  4d,aa,6c,33,da,f2,4e,eb,ae,9a,69,fa,e7,84,c4,7a,62,27,0c,84,12,12,bf,1d,ab,\
  04,f6,27,27,d1,ae,58,3a,7a,85,2b,c1,bc,ad,a1,bf,bc,76,47,1c,ca,88,a6,10,c6,\
  c7,6d,ab,d5,70,df,18,72,11,8e,b7,07,b6,01,5e,ec,55,ab,36,af,b9,be,05,6d,2c,\
  55,4a,99,90,e0,7e,21,97,8f,86,ea,a0,4b,ad,68,90,34,06,a9,2d,7c,46,a5,04,6b,\
  58,02,d9,0c,a6,22,74,58,b7,ec,c5,f4,9b,9d,5e,1d,33,ba,65,a2,e2,52,41,92,9a,\
  04,1a,65,57,8d,a8,8c,ac,93,43,1e,47,09,27,69,31,d2,f1,5d,8d,93,36,da,28,7a,\
  47,79,46,92,df,80,fe,28,29,05,7a,9d,b8,35,68,8b,13,81,00,73,9c,b0,22,04,4a,\
  c0,e6,db,49,7e,05,dd,df,99,73,c4,a3,b5,50,b2,34,5c,bb,32,d9,81,7d,8d,06,91,\
  e1,a0,0c,54,b5,98,e9,13,5c,15,9f,7f,f4,b0,80,5c,df,c9,af,f5,7f,81,3b,1c,36,\
  b7,16,fd,7d,73,12,35,06,0c,72,2c,ea,73,fd,db,be,2e,11,61,85,b3,b6,59,83,ff,\
  31,b5,e9,48,11,94,97,3e,16,be,cb,f1,00,10,3f,71,aa,a9,fb,f0,35,1c,3c,aa,56,\
  33,4a,72,79,c3,a9,7c,64,d9,1c,dc,86,51,a1,91,97,72,15,fc,3e,c7,56,c2,04,bc,\
  33,27,34,16,44,5f,6f,f0,51,e6,74,fc,bd,84,79,4b,a1,c8,56,5e,29,12,75,94,01,\
  0e,59,a5,ac,b6,c0,bb,78,70,e2,22,73,d0,d9,e9,33,0c,b9,c3,d4,c4,86,db,ee,a4,\
  e4,f9,f0,71,c3,c1,e6,15,6b,d1,74,90,3f,47,b7,ba,c4,1d,57,20,63,f0,ae,3a,aa,\
  47,c3,56,c7,d7,87,7a,bb,65,4d,a0,1b,39,bd,f1,74,7a,af,7f,a0,1f,67,00,60,4d,\
  ae,5f,51,2a,68,dc,c9,fa,2f,35,09,aa,28,48,95,b4,b6,af,2e,e2,6d,f6,d0,c8,72,\
  7e,07,ea,0d,7b,04,b1,81,d3,12,c3,b7,c1,f1,e9,52,3e,9e,96,00,6e,85,1f,23,6e,\
  ff,16,db,32,28,db,ef,03,8f,79,19,42,0e,31,4d,09,36,4e,d0,8b,1a,b8,05,66,df,\
  48,6e
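The four values above are what regedit exports for that key. VersionInfo and Wallpaper are opaque here, but PublicKey and PrivateKey begin with Windows CryptoAPI key-blob headers: the bytes 06,02,00,00,00,a4,00,00 and 07,02,00,00,00,a4,00,00 are PUBLICKEYSTRUC headers for a PUBLICKEYBLOB and a PRIVATEKEYBLOB respectively (algorithm 0xA400, CALG_RSA_KEYX), followed by the RSAPUBKEY magic "RSA1"/"RSA2", the bit length 00,08,00,00 (2048) and the public exponent 01,00,01,00 (65537). The Python below is an added example, not code from this post or from any vendor tool, that parses that header and the little-endian integers following it and checks whether a PublicKey/PrivateKey pair from a dump belong together. The blob layouts it assumes are the documented PUBLICKEYSTRUC/RSAPUBKEY structures; the modulus and CRT parameters in its sample input are constructed filler, not the bytes above.

```python
"""Decode Windows CryptoAPI RSA key blobs from a regedit 'hex:' export (added example)."""
import re
import struct

BLOB_TYPES = {0x06: "PUBLICKEYBLOB", 0x07: "PRIVATEKEYBLOB"}
CALG_NAMES = {0x0000A400: "CALG_RSA_KEYX", 0x00002400: "CALG_RSA_SIGN"}
HEADER_LEN = 20  # PUBLICKEYSTRUC (8 bytes) + RSAPUBKEY (12 bytes)

def reg_hex_to_bytes(reg_value: str) -> bytes:
    """Turn a '"Name"=hex:aa,bb,\\<newline>  cc' value into bytes (continuation backslashes dropped)."""
    body = reg_value.split("hex:", 1)[1]
    body = re.sub(r"[\\\s]", "", body)
    return bytes(int(tok, 16) for tok in body.split(",") if tok)

def parse_rsa_blob(blob: bytes) -> dict:
    """Parse the header and the little-endian integers that follow; tolerate truncated blobs."""
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte CryptoAPI header")
    b_type, b_version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if magic not in (b"RSA1", b"RSA2"):
        raise ValueError(f"not an RSA blob (magic {magic!r})")
    mod_len, half = bitlen // 8, bitlen // 16
    fields = [("modulus", mod_len)]
    if magic == b"RSA2":  # private blobs also carry the CRT parameters and d
        fields += [("prime1", half), ("prime2", half), ("exponent1", half),
                   ("exponent2", half), ("coefficient", half), ("private_exponent", mod_len)]
    expected = HEADER_LEN + sum(n for _, n in fields)
    info = {
        "blob_type": BLOB_TYPES.get(b_type, f"unknown(0x{b_type:02x})"),
        "version": b_version,
        "algorithm": CALG_NAMES.get(alg_id, f"0x{alg_id:08x}"),
        "magic": magic.decode("ascii"),
        "bits": bitlen,
        "public_exponent": pubexp,
        "expected_length": expected,
        "actual_length": len(blob),
        "complete": len(blob) == expected,
    }
    off = HEADER_LEN
    for name, n in fields:
        chunk = blob[off:off + n]
        info[name] = int.from_bytes(chunk, "little") if len(chunk) == n else None
        off += n
    return info

def same_keypair(pub: dict, priv: dict) -> bool:
    """A PublicKey and PrivateKey value belong together when modulus and e agree."""
    return (pub["modulus"] is not None and pub["modulus"] == priv["modulus"]
            and pub["public_exponent"] == priv["public_exponent"])

def build_blob(b_type: int, magic: bytes, bitlen: int, pubexp: int, parts) -> bytes:
    """Assemble a blob; used only to construct the sample input below."""
    header = struct.pack("<BBHI", b_type, 2, 0, 0xA400) + struct.pack("<4sII", magic, bitlen, pubexp)
    return header + b"".join(parts)

def to_reg_export(name: str, blob: bytes, width: int = 25) -> str:
    """Render a blob the way regedit exports it, 25 bytes per continuation line."""
    toks = [f"{b:02x}" for b in blob]
    lines = [",".join(toks[i:i + width]) for i in range(0, len(toks), width)]
    return f'"{name}"=hex:' + ",\\\n  ".join(lines)

# Constructed sample: header fields mirror the dump (RSA1/RSA2, 2048-bit, e=65537),
# but the modulus and CRT parameters are filler bytes, not the key material from the page.
_MOD = bytes((i * 37 + 11) & 0xFF for i in range(256))
_HALVES = [bytes((i * k + 3) & 0xFF for i in range(128)) for k in (5, 7, 9, 11, 13)]
SAMPLE_PUBLIC = build_blob(0x06, b"RSA1", 2048, 65537, [_MOD])
SAMPLE_PRIVATE = build_blob(0x07, b"RSA2", 2048, 65537, [_MOD, *_HALVES, bytes(range(256))])

if __name__ == "__main__":
    pub = parse_rsa_blob(SAMPLE_PUBLIC)
    priv = parse_rsa_blob(reg_hex_to_bytes(to_reg_export("PrivateKey", SAMPLE_PRIVATE)))
    for k in ("blob_type", "magic", "bits", "public_exponent", "expected_length", "complete"):
        print(f"{k:16} public={pub[k]!s:16} private={priv[k]!s}")
    print("same key pair:", same_keypair(pub, priv))
```

Fed the real values from the dump, reg_hex_to_bytes() gives a 276-byte PublicKey and a 1172-byte PrivateKey, which are exactly the sizes a complete 2048-bit PUBLICKEYBLOB and PRIVATEKEYBLOB should have, and the modulus bytes that follow both headers (6b,4e,b3,ff,...) are the same, so same_keypair() confirms the two values are one key pair. A PrivateKey value that parses as "complete" is the artefact to preserve from an infected machine, since without it the public key alone decrypts nothing.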

 


More information from Infosecurity, posted October 14th, 2013.

A ransomware threat known as CryptoLocker is making the rounds, scrambling files in the process. And once it’s triggered, there is no way to recover them.

 

Ransomware has adapted over the years, becoming more difficult to thwart. “Malware that encrypts your data and tries to sell it back to you, or else, is not new,” noted Paul Ducklin, a researcher at Sophos Labs, in a blog. “In fact, one of the earliest pieces of malware that was written specifically to make money, rather than simply to prove a point, was the AIDS Information Trojan of 1989. That Trojan scrambled your hard disk after 90 days, and instructed you to send $378 to an accommodation address in Panama.”

That bug used simplistic encryption algorithms, and every computer was scrambled in the same way, so free tools for cleanup and recovery soon became available, Ducklin noted. Not so with the CryptoLocker next-gen ransomware, which uses a public key to encrypt a variety of file types such as images, documents and spreadsheets. The malware searches for files to encrypt on all drives and in all folders it can access from the compromised computer, including workgroup files shared by colleagues and resources on company servers.

“The more privileged your account, the worse the overall damage will be,” Ducklin said.

CryptoLocker installs itself in the Documents and Settings folder, using a randomly-generated name, and adds itself to the list of programs in your registry that Windows loads automatically when the user logs on. It then produces a lengthy list of random-looking server names in the domains .biz, .co.uk, .com, .info, .net, .org and .ru – and then tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds. Once it has found a server that it can reach, the server generates a unique public-private key pair and sends the public key part back to the computer.

“Remember that public-key cryptography uses two different keys: a public key that locks files, and a private key that unlocks them,” said Ducklin. “You can share your public key widely so that anyone can encrypt files for you, but only you (or someone to whom you have given a copy of your private key) can decrypt them.”

The malware offers to trade money for the private key to unlock the encrypted files. “It pops up a pay page, giving you a limited time, typically 100 hours, to buy back the private key for your data, typically for $300,” Ducklin said. Then a warning comes that the server will destroy the key after a time specified, meaning that the files will never be able to be recovered.

The picture doesn’t get better. “SophosLabs has received a large number of scrambled documents via the Sophos sample submission system,” he said. “These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption, and that we can help them get their files back. But as far as we can see, there's no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble.” In other words, unlike other ransomware, there is no remediation.

Worse, the infection vectors make it difficult for consumers to avoid. CryptoLocker arrives via email attachments and botnet – the former is easy to avoid by being wary of unsolicited attachments. Botnets though are a different story.

“Most bots, or zombies, once active on your computer, include a general purpose ‘upgrade’ command that allows the crooks to update, replace, or add to the malware already on your PC,” said Ducklin. “So take our advice: make it your task today to search out and destroy any malware already on your computer, lest it dig you in deeper still.”
