- “CryptoLocker” ransomware in the wild encrypts personal files and demands payment of $300 to decrypt
- Encrypts files on local drives AND mapped network drives
- Does not alert user until after files are encrypted
- Encrypts files using asymmetric encryption with RSA 2048 bit keys
- Gives a 72 hour countdown until private key is destroyed
- Without private key files are unreadable and cannot be opened
- Transmitted in an email as a zip file attachment with the subject “Statement of Account” (and possibly others)
- Potentially very damaging malware
Prevention & Recovery:
- Don’t open suspicious emails or attachments
- Malware still not recognised by many security programs but relatively easy to remove
- Recent “cold-storage” backup essential for recovery of files
- Reports suggest that payment of ransom does decrypt files (no guarantee that this will continue to be the case in the future, however)
I came across a particularly nasty piece of malware today called ‘CryptoLocker’. It began with a somewhat anxious MMS from a client with this fuzzy screenshot attached:
“Your personal files are encrypted!” and a countdown timer were the only parts I could read. Past “ransomware” infections I had encountered had variously claimed to have encrypted, deleted or otherwise locked access to files, but none had actually done so. So, while concerned, I was also quietly confident that this would be little more than your average malware removal scenario.
Alarmingly, however, I was wrong.
The sinister message appeared on just one computer in the office, and read:
“Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files…
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency.
Click «Next» to select the method of payment.
Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.”
On the left was the text “Private key will be destroyed on 14/10/2013 9:04am” and under that “Time left 68:04:38” – and counting.
The client ran me through the events leading up to the appearance of the ransom message. The Excel spreadsheet he had been working on earlier that day would no longer open; instead Excel displayed an error message about a corrupt file. Other files wouldn’t open either.
Any hopes I had that the malware might at least limit its nastiness to the one infected machine were dashed when it was revealed the corrupted files in question were located on the office server. CryptoLocker had encrypted almost every file on the network drive (as well as in the user folders on the local machine), making them unreadable. This thing was the real deal. No trace of the original, unencrypted files could be found. Everything had been completely overwritten.
The first thing to do was disconnect the infected machine from the network to limit further damage. This was done using the most effective method available – pull the plug!
The second task was to check the backup. The server backs up to an external drive that is rotated weekly with another drive. Each drive remains connected to the server the entire week. Windows’ built-in Backup & Restore runs nightly backups and, thankfully, a backup had been successfully completed the previous night. In this case the backup drive was spared from attack because it is not shared on the network, therefore the infected workstation could not see it. Had the server itself been infected however, the scenario may have been very different. As it was, a morning’s worth of work was lost. Had the attached backup drive been compromised, it may instead have been a week’s worth (or more, had the drive not been swapped when it was supposed to be – a common scenario where human intervention is required!)
Once the files on the server were successfully restored, removal of the malware infection from the workstation PC was fairly trivial. Using a bootdisk I deleted the CryptoLocker executable files. The files were named using random strings of about 15 characters and were located in the Users/[USERNAME]/AppData/Roaming folder. I also removed a number of startup entries and a search in the registry for “CryptoLocker” found two keys which were also removed. A full scan using Malwarebytes updated with the latest definitions located and removed several other files, including the original payload.
The file carrying the malware was sent in an email claiming to be from “St George Automotive Finance”, with the subject line “Statement of Account”. Attached was a zip file with the filename “10082013_Statement.zip”. Presumably there will be many different variations of this email out there, as well as other attack vectors.
While I have seen other malware hide files, delete shortcuts, corrupt system files and even threaten prosecution by the AFP for alleged possession of child pornography, the CryptoLocker ransomware trumps them all for the amount of damage it inflicts. In this case the client was fortunate – only a single PC was infected and a current, clean backup was available. For many businesses however, an infection like this would be devastating. The RSA-2048 asymmetric encryption used to encrypt the files, if done properly (which it appears to be in this case), is absolutely bullet-proof. There is no magic trick that can unlock the encrypted files. Without the private key, the files are unreadable (unless you happen to have a supercomputer and a few million years – give or take – up your sleeve).
1. First and foremost – DO NOT OPEN ANY UNEXPECTED OR UNSOLICITED ATTACHMENTS FROM ANY SOURCE, even trusted ones. The infection occurred in this case because the client opened an infected attachment. Your bank, loan provider, utilities company etc. are very unlikely to ever send you a zip file (or any attachment for that matter). If you are ever unsure whether an email is legitimate or not, contact the company directly (not using contact details or links from the email itself). If you are unsure about any email or attachment, DELETE IT! (And then empty your Deleted Items folder)
2. Make sure you have a robust backup plan. A detailed definition of a “robust” backup plan is beyond the scope of this article. However, at a minimum your plan should involve multiple backup destinations, including one or more that are “cold”. That is, not only offsite but also offline – disconnected from any machines or networks. Also, versioning should be used wherever possible.
3. Keep your operating system up-to-date with the latest security patches. It is unclear yet whether CryptoLocker exploits any security vulnerabilities in Windows in order carry out its attack. My suspicion is it probably does not need to if it is run by a user with administrator privileges.
4. Make sure security software is installed and kept up-to-date. Having said that, it is worth noting that in this case a well-known security software package was running and up-to-date, but failed to identify or prevent the infection (reportedly other well-known security software has failed too). Often there is a delay between the release of new malware and updates to security software that will detect it. This is why being careful what you view, download, open and run on your computer (see point 1) is extremely important. While essential and usually fairly effective, you cannot rely solely on your security software to protect you!
The are other things you can do to increase your protection against malware threats such as CryptoLocker. Logging in to your computer using standard user (rather than administrator) accounts and configuring software restriction policies (where possible) are just two examples. Consider speaking to your IT support provider about a full security audit and hardening for your office.
A few extra notes:
- People are reporting that paying the “ransom” has resulted in their files being successfully decrypted, though this could cease to be the case at any time.
- Accessible network locations that are not mapped to a drive letter appear to be safe for the moment. Again, this could change with any new version of the malware.
- The countdown timer appears to be real – if it runs out, the malware uninstalls itself and payment of the ransom appears to no longer be possible. Turning the system’s BIOS clock back will add a proportionate amount of time to the countdown, but whether or not this still allows payment of the ransom and decryption of your files after the original expiry time has passed is unknown.
Reddit user bluesoul has created this informative page about the current version of CryptoLocker (also linked above):
Malwarebytes CryptoLocker information and removal guide:
An article on Ars Technica notes: “Several [victims] also said they had paid the ransom and received a key that worked as promised … The outcome hasn’t been as happy for other CryptoLocker victims. Whitehats who tracked the ransomware eventually took down some of the command and control servers that the operators relied on. As a result, people on reddit reported, some victims who paid the ransom were unable to receive the unique key needed to unlock files on their computer. The inability to undo the damage hit some victims particularly hard…”