Alert (TA13-309A) CryptoLocker Ransomware
CryptoLocker, a new and nasty piece of malicious software is
infecting computers around the world – encrypting important files and
demanding a ransom to unlock them.
According to Sophos, the worldwide digital security company, it’s been hitting pretty hard for the past six weeks or so.
“It systematically hunts down every one of your personal files – documents, databases, spreadsheets, photos, videos and music collections – and encrypts them with military-grade encryption and only the crooks can open it,” said Chester Wisniewski, a senior security advisor at Sophos.
Even though it’s infected, your computer keeps working normally; you just can’t access any of your personal files. It’s scary, especially if you haven’t backed-up your data.
“Cybercrime is evolving, as the bad guys get smarter and use newer technologies,” noted Michael Kaiser, executive director of the National Cyber Security Alliance. “They’re always looking for new ways to steal your money.”
CyrptoLocker is different from other types of “ransomware” that have been around for many years now that freeze your computer and demand payment. They can usually be removed which restores access to your files and documents.
Not CryptoLocker – it encrypts your files. There’s only one decryption key and the bad guys have that on their server. Unless you pay the ransom – within three days, that key will be destroyed. And as the message from the extorters says” “After that, nobody and never will be able to restore files…”
The typical extortion payment is $300 USD or 300 EUR paid by Green Dot MoneyPak, or for the more tech savvy, two Bitcoins, currently worth about $400.
To instill a sense of urgency, a digital clock on the screen counts down from 72 hours to show much time is left before that unique decryption key is destroyed.
One victim
described his anguish in an online post: “The virus cleverly targeted
…all of our family photos, including all photos of my children growing
up over the last 8 years. I have a distraught wife who blames me!”
This sophisticated malware is delivered the old-fashioned way – an executable file hidden inside an attachment that looks like an ordinary ZIP file or PDF. One small business reports being compromised after clicking on an email attachment that was designed to look like a shipping invoice from the U.S. Postal Service.
Open that file and bad things start to happen, although it may take several days for the ransom demand to pop up on your screen after the machine is infected.
“The author or this (malware) is a genius. Evil genius, but genius none the less,” an IT professional commented in an online tech forum. Another wrote, “This thing is nasty and has the potential to do enormous amounts of damage worldwide.”
Good anti-virus software can remove the CryptoLocker malware from your computer, but it cannot undo the damage – the encryption is that good.
“It’s the same type of encryption used in the commercial sector that’s approved by the federal government,” Wisniewski told me. “If the crooks delete that encryption key, your files are gone forever – even the NSA can’t bring them back.”
Victims large and small
The cyber-crooks are targeting both businesses and individual computer users – anyone who will pay to regain access to their files.
The CryptoLocker forum on BleepingComputer.com is filled with page after page of horror stories. Here is a small sample:
“It encourages them to continue this bad behavior,” said Howard Schmidt, former White House Cyber Security Advisor and a co-founder of Ridge-Schmidt Cyber. “As people pay the ransom, the bad guys have the money to reinvest in create research that are more virulent and hide better from detection.”
How to protect yourself
Go on the Internet and there’s no way to guarantee malware won’t make it onto your computer – even if you follow all the rules of safe computing. So you need to act defensively, and that means regular backups.
“Backup, back, up, back up,” said Schmidt. “That’s the only way to reduce the risk of losing your files forever.”
If you have a recent backup, you can recover from CryptoLocker and other malware with no serious consequences. That backup should be a snapshot of everything on the system and not a simple synchronization, as happens with most automated external hard drives and many cloud-based services.
With these synchronized backups, stored files that have changed on the master drive are overwritten with the new ones. If a malicious program encrypts your master files, those backups would also be encrypted – and useless. Your backup should be disconnected from your computer until the next time you need to access it.
Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.
While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key. US-CERT and DHS encourage users and administrators experiencing a ransomware infection to report the incident to the FBI at the
According to Sophos, the worldwide digital security company, it’s been hitting pretty hard for the past six weeks or so.
“It systematically hunts down every one of your personal files – documents, databases, spreadsheets, photos, videos and music collections – and encrypts them with military-grade encryption and only the crooks can open it,” said Chester Wisniewski, a senior security advisor at Sophos.
Even though it’s infected, your computer keeps working normally; you just can’t access any of your personal files. It’s scary, especially if you haven’t backed-up your data.
“Cybercrime is evolving, as the bad guys get smarter and use newer technologies,” noted Michael Kaiser, executive director of the National Cyber Security Alliance. “They’re always looking for new ways to steal your money.”
CyrptoLocker is different from other types of “ransomware” that have been around for many years now that freeze your computer and demand payment. They can usually be removed which restores access to your files and documents.
Not CryptoLocker – it encrypts your files. There’s only one decryption key and the bad guys have that on their server. Unless you pay the ransom – within three days, that key will be destroyed. And as the message from the extorters says” “After that, nobody and never will be able to restore files…”
The typical extortion payment is $300 USD or 300 EUR paid by Green Dot MoneyPak, or for the more tech savvy, two Bitcoins, currently worth about $400.
To instill a sense of urgency, a digital clock on the screen counts down from 72 hours to show much time is left before that unique decryption key is destroyed.
Sophos
This sophisticated malware is delivered the old-fashioned way – an executable file hidden inside an attachment that looks like an ordinary ZIP file or PDF. One small business reports being compromised after clicking on an email attachment that was designed to look like a shipping invoice from the U.S. Postal Service.
Open that file and bad things start to happen, although it may take several days for the ransom demand to pop up on your screen after the machine is infected.
“The author or this (malware) is a genius. Evil genius, but genius none the less,” an IT professional commented in an online tech forum. Another wrote, “This thing is nasty and has the potential to do enormous amounts of damage worldwide.”
Good anti-virus software can remove the CryptoLocker malware from your computer, but it cannot undo the damage – the encryption is that good.
“It’s the same type of encryption used in the commercial sector that’s approved by the federal government,” Wisniewski told me. “If the crooks delete that encryption key, your files are gone forever – even the NSA can’t bring them back.”
Victims large and small
The cyber-crooks are targeting both businesses and individual computer users – anyone who will pay to regain access to their files.
The CryptoLocker forum on BleepingComputer.com is filled with page after page of horror stories. Here is a small sample:
“When we discovered the infection from a user’s workstation on the network, this program had encrypted over 180,000 files through the network shares in a period of 6 days. I pretty much shut down the business for 2 days after we realized what was happening.”Of course, there’s no guarantee there will be a happy ending if you pay the ransom. And then there’s the bigger issue – by doing this, you’re helping fund a criminal operation.
“Our company was infected this morning. The virus hit a machine 4 days ago and today we got the pop up about the ransom. All files on the network drive the user had access to are now encrypted.”
“We had a workstation get infected yesterday that encrypted everything on our network share drive. We had backups, although they weren’t recent enough, so despite all feelings against it, we paid the ransom and everything started to decrypt overnight.”
“It encourages them to continue this bad behavior,” said Howard Schmidt, former White House Cyber Security Advisor and a co-founder of Ridge-Schmidt Cyber. “As people pay the ransom, the bad guys have the money to reinvest in create research that are more virulent and hide better from detection.”
How to protect yourself
Go on the Internet and there’s no way to guarantee malware won’t make it onto your computer – even if you follow all the rules of safe computing. So you need to act defensively, and that means regular backups.
“Backup, back, up, back up,” said Schmidt. “That’s the only way to reduce the risk of losing your files forever.”
If you have a recent backup, you can recover from CryptoLocker and other malware with no serious consequences. That backup should be a snapshot of everything on the system and not a simple synchronization, as happens with most automated external hard drives and many cloud-based services.
With these synchronized backups, stored files that have changed on the master drive are overwritten with the new ones. If a malicious program encrypts your master files, those backups would also be encrypted – and useless. Your backup should be disconnected from your computer until the next time you need to access it.
Systems Affected
Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems
Overview
US-CERT
is aware of a malware campaign that surfaced in 2013 and is associated
with an increasing number of ransomware infections. CryptoLocker is a
new variant of ransomware that restricts access to infected computers
and demands the victim provide a payment to the attackers in order to
decrypt and recover their files. As of this time, the primary means of
infection appears to be phishing emails containing malicious
attachments.
Description
CryptoLocker
appears to have been spreading through fake emails designed to mimic
the look of legitimate businesses and through phony FedEx and UPS
tracking notices. In addition, there have been reports that some
victims saw the malware appear following after a previous infection from
one of several botnets frequently leveraged in the cyber-criminal
underground.
Impact
The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.
While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key. US-CERT and DHS encourage users and administrators experiencing a ransomware infection to report the incident to the FBI at the
No comments
Post a Comment