Cryptolocker Malware

4_lom · October 2013

Anyone have to deal with this yet? We've had one client get infected with this so far. A user clicked on a link in an email from "Fedex". It encrypted all of the files on her computer, plus all files in mapped drives she had. By the time it was finished, most of the files on their file server had been encrypted. Luckily, we had some offline backups of their data. We removed the malware from her computer (then reloaded Windows just to be sure), and restored the files. Needless to say, this was not a fun one

veritas_libertas · October 2013

No, but this was an interesting read: Destructive malware “CryptoLocker” on the loose – here’s what to do | Naked Security

YFZblu · October 2013

Ah, ransomeware - The bridge trohl of malware. +1 for the nakedsecurity article, it's a good one.

4_lom · October 2013

Great article Veritas. Here's another one from BC: Cryptolocker Ransomware

4_lom · October 2013

I've read that some have actually paid and had their files decrypted. This is really crossing a line of right/wrong in my head. I couldn't see ever giving in and paying the fee, it's basically encouraging malware writers everywhere. But if you have no backups and not being able to recover the files could cripple your business, I guess paying is the only option as of right now.

veritas_libertas · October 2013

Depends on how important the files are (as you said...). If you didn't back them up and were a small business it might be worth it. I would advise some one in that situation to pay up and them contact their bank and ask for them to get you're money back after the fact. Also cancel the card.... :P

YFZblu · October 2013

4_lom wrote: »

I've read that some have actually paid and had their files decrypted. This is really crossing a line of right/wrong in my head. I couldn't see ever giving in and paying the fee, it's basically encouraging malware writers everywhere. But if you have no backups and not being able to recover the files could cripple your business, I guess paying is the only option as of right now.

Besides the obvious pitfalls of giving money / payment information to a criminal, many would just assume the files were decrypted and all is well; however malware payload is still on the box and it's unlikely the criminals aren't leaving backdoors behind.

Orgs need to have backups, and they need to reimage on confirmed malware hits. It's the only way IMO.

cyberguypr · October 2013

Some people never back stuff up and rather pay any price to bring their data back from the dead. When I was doing consulting I had a client decline a backup proposal worth a few hundred bucks just to end up a year later paying Ontrack 2 grand to recover data.

Takeaway from that article:

The endgame is the same in all cases: if you have a reliable and recent backup, you'll have a good chance of recovering without too much trouble.

Prevention, in this case, is significantly better than cure:

- Stay patched. Keep your operating system and software up to date.
- Make sure your anti-virus is active and up to date.
- Avoid opening attachments you weren't expecting, or from people you don't know well.
- Make regular backups, and store them somewhere safe, preferably offline.

Don't forget that services that automatically synchronise your data changes with other servers, for example in the cloud, don't count as backup.

They may be extremely useful, but they tend to propagate errors rather than to defend against them.

To the synchroniser, a document on your local drive that has just been scrambled by CryptoLocker is the most recent version, and that's that.

exampasser · October 2013

This is a good reason to have backups on devices that are not connected to the network (I'd image that the malware would have no problems encrypting backup files on shares that the infected PC is connected to.)

devils_haircut · October 2013

I've seen a couple of these in the shop where I work. The virus itself is relatively easy to remove, but if you don't have backups or the ability to restore previous versions of important files, you're probably screwed. The encryption is ridiculously strong (2048-bit RSA followed by 256-bit AES with the RSA private key encrypted during the second encryption along with the file). I've heard people paying the fee and having their data decrypted, but I don't know that I'd go that route myself.

tecjohnson · October 2013

Weird. I have had this virus on my company's computers but nothing was ever encrypted.

It was just a big old scary program that stopped other programs from working. But it was account specific so when I logged in with another account it was easy to remove.

Balantine · October 2013

The %AppData\*.exe is amusing. Such a case in point for why SRP was developed into AppLocker. You have to add more subdirectories manually inside a path... \*\*\*\*.exe etc. I'm surprised it can't be matched with a regular expression.

MrAgent · October 2013

I believe you have to pay the fee with bit coins to get the files decrypted, so paying with a credit card and then calling them will not work

MCITBound · October 2013

We are currently battling this one on our network... what a pain! We aren't totally sure how the users are getting it. They claim that the haven't opened any emails or done anything out of the ordinary on the web...

Everyone · October 2013

"They claim"? You actually believe them?

I haven't had to deal with this first hand yet, but several co-workers have had customers get it. It's over a month old now. Trojan:Win32/Crilock.A

MCITBound · October 2013

Lol - No, I don't believe them...which is why I'm looking at their email, firewall, and web history to really see what's going on. Also on the phone with Trend Micro, our Anti-Virus provider, to find out how that got through the client.

Everyone · October 2013

Trend has been able to detect it since September 10th... TROJ_RANSOM.NS | Low Risk | Trend Micro Threat Encyclopedia If you only recently got infected and your virus definitions were up to date, I'd be on the phone wanting to know why too. It is possible there is a new variant they don't detect and that's what you got hit with.

YFZblu · October 2013

MCITBound wrote: »

We are currently battling this one on our network... what a pain! We aren't totally sure how the users are getting it. They claim that the haven't opened any emails or done anything out of the ordinary on the web...

Regarding the web browsing piece of this, I think the biggest kick to the gut about malware is that it no longer hides in the deep dark corners of the interwebs. This year alone I have seen the following sites compromised and redirecting to exploit kit / malware servers:

-YouTube - their ad rotator was serving malicious content (the users didn't have to click the ad to get infected, btw)
-WaffleHouse.com
-SpeedTest.net
-CBSsports.com
-Bible.org
-Glassdoor.com

...and the list goes on. Now, those are just well-known and potentially high traffic destinations. Imagine how many legitimate local / small business sites are owned every day. I read recently that 70% of WordPress sites are vulnerable to attack. My larger point here is that legitimate run-of-the-mill sites get owned every day. A lot of them. The type of sites our Users won't think about when considering where malware compromise may have stemmed from.

As far as the AV issue is concerned, you might want to use a 3rd party vendor to detect the malware, and send the .bup file to Trend for analysis and to get a signature written. Other than that, there are simply too many new malware specimins and variants being developed for them to keep up. It's literally an impossible task.

I have found that one of the best ways of detecting the commodity malware is by detecting Java connections to uncategorized sites on the internet. Of course for this to be successful you'll need an enterprise grade proxy and IDS - and they must be logging everything.

MCITBound · October 2013

According to Trend, we have gotten a new variant of the virus and they are analyzing it now. This one runs multiple processes of it at the same time, so they end up protecting each other in the event that you end one of the processes.

Java is being updated on all of our systems. STILL a huge pain!! Lol! I had better things to do today: like setup a second vCenter!

Everyone · October 2013

You should consider deploying AppLocker (built into Windows 7 and later). AppLocker Documentation for Windows 7 and Windows Server 2008 R2 It would help prevent this type of malware from running when it makes it past all your other layers of protection (including your AV).

tpatt100 · October 2013

Man didn't people learn that the only reason the Battlestar Galactica survived the Cylon attack was that Adama refused to network his ship?

We are going to get so networked some day that a virus is going to take us back to the dark ages. Then Bill Cosby with his TI-99/4A will take over the world.

the_Grinch · October 2013

At my old job someone just got hit with this and the main company network drive was encrypted. My boss found the user, wiped their machine, and they were able to restore all but about 20% of the files on the drive. We had been asking people to clean up the files on the drive prior to my leaving and oddly enough it's been two weeks with no complaints about anything missing that was needed.

ratbuddy · October 2013

My mom got hit with this today. I was on the phone with her, I heard her say 'my files are encrypted? huh?' and knew right away what had happened. My idiot brother was using her computer yesterday, nuff said.

It's acting unlike other variants I have seen described online. When she attempts to run any program, a UAC window comes up with a generic looking message. The details show that it's actually trying to run vssadmin in quiet mode to erase all shadow copies on the C drive. I don't have physical access to the machine yet, and I told her to keep the wireless off in case there are other infections still active. MSE said it got rid of Cryptolocker. I don't know the mechanism behind the vssadmin attempts - did the trojan rewrite or modify the .exe files individually, is it hooking something on a more general level, etc. I'm sure the real sec-dudes will write about this variant soon enough.

In the meantime, it's enough to know that there's definitely a new variant out there, and it's getting nastier.

Disgruntled3lf · November 2013

I was reading about this over on THN. The virus will create a bitcoin wallet for you and if you're a US resident you can pay with some cards that are cash only. Supposedly they are honoring the payment agreement and decrypting the files so that is good news at least for those infected.

YFZblu · November 2013

Disgruntled3lf wrote: »

I was reading about this over on THN. The virus will create a bitcoin wallet for you and if you're a US resident you can pay with some cards that are cash only. Supposedly they are honoring the payment agreement and decrypting the files so that is good news at least for those infected.

That's assuming no other malware was dropped during the compromise. Sure, the file system will be decrypted - I'd venture a guess that the system remains backdoor'd however.

Nuke and pave gents, nuke and pave.

RomBUS · November 2013

I actually ran into this on a user's desktop earlier this week (had no idea what they were doing prior to contracting it).

I simply took a note of the .exe that was running in Task Manager which pointed to random character .exe process.logged off the user's profile, ran Malwarebytes and anti-virus scan. Looked up directories and registry entries that were linked to CryptoLocker and that random character .exe file. Cleaned out temp files. Rebooted once directories, scans and necessary registry keys were cleaned out. Did another scan...once it completed I logged back onto the user's profile and all traces of the virus was gone and user was able to get back to work. This took me roughly 40 mins to complete...luckily the user was able to work without the PC for a while

YFZblu · November 2013

Massachusetts police department pays Cryptolocker ransom: US local police department pays CryptoLocker ransom | Naked Security

Talk about unprepared to handle a cybercrime incident! Besides the obvious downfalls of desktop techs "cleaning" machines of malware, the police department is so desperate they are willing to decrypt and place compromised data back on the network.

Of course, the next place my mind takes me is to Zeus. Cryptolocker isn't being dropped alone - people, stop cleaning verified malware hits. Cleaning the obvious malware does not a clean system make. Additionally, after malware compromise, a clean A/V scan does not a clean system make.

My favorite piece of the article is a quote from the police department's spokesperson: "We were never compromised"

Ref: http://blog.trendmicro.com/trendlabs-security-intelligence/cryptolocker-its-spam-and-zeuszbot-connection/

JockVSJock · November 2013

F-Secure Labs Blog has been following this issue for the last few days.

Cryptolocker Malware

Comments