CryptoLocker is Bad News

Ransomware in general is not exactly the nastiest malware out there, but a new variant – called CryptoLocker – is particularly worrisome because it actually does what most ransomware merely claims to do: it encrypts the contents of your computer using strong cryptography.


If you are unfamiliar, ransomware is a variety of malware that, once it infects its host machine, at least claims to have encrypted the data on it or to have locked the victim out in some other way. The malware then informs the infected user that he or she must pay a ransom in order to unlock their files. Of course, there is never any guarantee whatsoever that paying the ransom will unlock anything. More likely than not, paying the ransom won’t accomplish anything other than fattening the pockets of the jerk or jerks that developed or deployed the malware.

There are a lot of lofty threats we write about here because they are interesting and because you may have heard scary things about them on the news. We like to come along and explain the threat, how it works, what it is, and, generally, why you don’t really need to worry about it. This is not one of those cases. CryptoLocker is the sort of threat that can seriously ruin your week, month, or year depending on how important the data on your computer is (and backup frequency), so you should worry about it at least a little.

It comes as no surprise that a few infected users that paid the ransom are saying that they never received the decryption key in return, though some reports indicate that the group behind the attack started distributing decryption keys late last week.

There appear to be a few different attack groups utilizing CryptoLocker at the moment. I wrote about one such implementation of it last month for Threatpost.com. The malware encrypted photos, videos, documents, and more, even providing victims with a link to a full list of encrypted file types. The malware was using RSA-2048 encryption, with the private key needed for decryption held by the attackers. The ransomware’s interface displayed a countdown clock of three days, warning users that if the time elapsed, the private decryption key would be deleted forever and there would be no way to recover the encrypted files.


The attackers are demanding a ransom payment of roughly $300, accepted through a number of different payment methods, including Bitcoin.

So potent is this threat that it warranted an advisory from the United States Computer Emergency Readiness Team (US-CERT). US-CERT is a branch of the Department of Homeland Security that is essentially tasked with analyzing and reducing the risk posed by online threats. Their advisory noted that CryptoLocker infections were on the rise, but its primary purpose was to urge those infected not to pay the ransom associated with the malware.

For the most part, CryptoLocker is spreading via various phishing campaigns, including some purporting to come from legitimate businesses, or through phony Federal Express or UPS tracking notifications. Some victims said CryptoLocker has appeared after a separate botnet infection as well. According to Kaspersky’s Costin Raiu, this malware primarily targets users in the US and UK, with India, Canada, Australia and France being second-tier targets.


Some versions of CryptoLocker are reportedly capable of affecting not only local files but also files stored in removable media such as USB sticks, external hard drives, network file shares and some cloud storage services that are able to sync local folders with online storage. The US-CERT notification also warns that the malware can jump from machine to machine within a network and advises that infected users remove affected machines from their networks immediately.
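When files on a disk, a USB stick or a mounted share are reported as locked, a responder first wants to know whether they were really encrypted, as the article says CryptoLocker’s are, or merely renamed or hidden, as lesser ransomware does. The triage script below is an added example written for this post, not code from the article or from Kaspersky: it checks each file’s header against the magic bytes its extension implies and measures byte entropy; the MAGIC table, SAMPLE_BYTES and the 7.5-bit threshold are my assumptions, and the sample bodies are constructed, not real malware output.

```python
import math
import os
from collections import Counter
from pathlib import Path

# Expected leading bytes for some of the file types the article says were hit.
# Compressed formats are high-entropy by nature, so the header check, not
# entropy alone, decides whether a file is still what its name claims.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",  # OOXML documents are zip containers
}
SAMPLE_BYTES = 65536  # assumption: only the head of each file is examined

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, plain text around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_bytes(name: str, data: bytes, threshold: float = 7.5) -> str:
    """Verdict for one file body, judged by its extension's magic and entropy."""
    expected = MAGIC.get(Path(name).suffix.lower())
    entropy = shannon_entropy(data[:SAMPLE_BYTES])
    if expected is not None:
        if data.startswith(expected):
            return "intact"
        # Header gone and near-random body: consistent with real encryption.
        return "likely-encrypted" if entropy >= threshold else "header-mismatch"
    return "high-entropy" if entropy >= threshold else "unknown"

def triage_tree(root: str) -> dict:
    """Walk a folder (local disk, USB stick or mounted share) and map path -> verdict."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                verdicts[path] = triage_bytes(fname, fh.read(SAMPLE_BYTES))
    return verdicts

if __name__ == "__main__":
    # Constructed samples: an intact JPEG header, a body with every byte value equally likely, renamed text.
    for body in (b"\xff\xd8\xff\xe0" + b"\x00" * 60, bytes(range(256)) * 16, b"some text " * 8):
        print(round(shannon_entropy(body), 2), triage_bytes("holiday.jpg", body))
```

Run `triage_tree` against a copy of the affected folder rather than the live share, and treat "likely-encrypted" as a reason to restore from backup rather than to keep scanning.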

Respected security journalist Brian Krebs reported earlier this week that the crew behind CryptoLocker has softened its 72-hour deadline, likely because it was losing money on users who would pay but could not figure out how to pay with Bitcoin or MoneyPak in the time allotted. The countdown clock remains, but the decryption key no longer gets deleted when that window closes. Instead, the attackers merely ratchet the price up to ten times the original.

Lawrence Abrams, a malware expert from BleepingComputer.com who is cited in Krebs’s article, says that a number of businesses and individuals will have no choice but to pay the ransom. I disagree, mostly on principle. If you pay these guys it will only encourage them. Back up your machine now and regularly and don’t leave your external backup drive plugged into your machine. If you become infected, just roll it back to one of your backups.

Certain anti-virus product features may help you, but according to Krebs’s report, some AV products are removing the infection after it has already encrypted the files, meaning that it would be impossible for those users to pay the ransom even if they wanted to. Quite interestingly, the CryptoLocker authors use the system wallpaper to address this scenario: if a victim is willing to pay but antivirus has removed the infection (which does not decrypt the files), the wallpaper carries a link from which the malware executable can be downloaded again.

Users of Kaspersky Internet Security are protected against all current modifications of CryptoLocker, preventing it from executing on their systems.


Comments

  1. Joseph says:

    Another simple solution is to use an operating system that isn’t virus/Trojan friendly. Linux! I know.. It’s free, therefore can’t be any good.
    Good luck with that CryptoLocker thing.

    1. Serge Malenkovich says:

      Linux is totally virus-friendly. The only reason why Linux viruses aren’t popular is that the user base is smaller and smarter, thus it’s just economically ineffective.

    2. LauraH says:

      I’ve been using Linux (currently using Xubuntu Linux) exclusively for years and have no complaints whatsoever. No virus, no trojans, easy to use, free, and it does everything I need it to.

  2. Peter Smith says:

    Is there any more detailed information about how CryptoLocker is installed on the system?
    E.g., what Registry keys are modified or where the malware files are typically located?

    1. Kaspersky Team says:

      Hi Peter,

      Yes there are. You can find a lot of detailed information here: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information.

  3. herbert007@mailinator.com says:

    Advice: Use USB sticks with a read/write switch. If you lock them to read-only, no virus can delete your data. Well, I would like to have USB HDDs with such a switch!

  4. Chris says:

    We use Kaspersky and are now dealing with a major infection. So I call BS on your claim that “Users of Kaspersky Internet Security are protected against all current modifications of CryptoLocker”

  5. mdr says:

    I have just had a callout to clients using Kaspersky and have just had their network shared data encrypted from a PC via an email attachment. Kaspersky had a couple of occasions to pick it up but would only delete it when a scan is run. Now busily restoring backups
    (which will take a long time)

    1. Kaspersky Team says:

      Hello,

      We’re very sorry to hear this happened. You can try to use our ‘Decryptor’ found here http://support.kaspersky.com/viruses/utility to decrypt the files. Please let us know if you need further assistance.

  6. petec says:

    Which utility do you recommend to decrypt the infected files?

    Thank you.

    1. Kaspersky Team says:

      Hello Pete,

      It depends on the virus-encryptor. Each utility is aimed at a specific algorithm of encryption, so without samples of the encrypted files it’s hard to recommend a specific utility. If after trying those offered you are still having trouble, we recommend sending samples to newvirus@kaspersky.com. Please let us know if we can assist you further.

      1. hertzel says:

        Do you have any decryptor to decrypt the files infected by CryptoLocker?

        1. Kaspersky Team says:

          Hi Hertzel,

          There are numerous different types of cryptolockers, so we suggest trying to use one of these tools: http://support.kaspersky.com/viruses/utility. Please let us know if any of these help you.

  7. mdr says:

    Whilst I was able to restore all the data to the networks shares – one machine had some data that wasn’t backed up! I will send you a sample – thanks.

  8. J Edwards says:

    I also recommend Linux. And it ISN’T virus/trojan friendly, unless you do everything as the root user, which you wouldn’t do. The worst you can do is mess up your desktop a little. In Windows, a user can totally destroy their system, which makes it a great target for trojan/virus writers.

  9. Sam says:

    I did a service call to a client’s office today, their PC was “cryptolocked” (.jpg files).

    Scanned with Avast 2014 and Malwarebytes. Cleared PC of core infection. All .jpg’s remained unable to be opened.

    Installed Google Picasa… Voila! All files are viewable / editable.

    Not sure if this means that the encryption is a bogus ruse or not…? I mean, it’s not like Picasa has a dynamic decryptor built in.

    As such, I suspect that the Ransomware is merely playing with some registry keys here.

    Andrew

  10. Mark Hoffman says:

    Well, we use Kaspersky and are in the process of cleaning up after being infected with this virus. So how can Kaspersky state that they are immune to this virus?

    1. Kaspersky Team says:

      Hi Mark,

      We’re very sorry to hear your system was infected. There are a lot of file-encryptors and more and more new modifications that are being created daily. Cryptolocker is just one of a wide range of cryptors. If Kaspersky didn’t block it, it was not Cryptolocker, but one of the new encryptors. Please let us know if there is anything we can do to help you with this though.

  11. Mari says:

    Only KIS users are protected?

    1. Kaspersky Team says:

      Hi Mari,

      Kaspersky Internet Security is our premium product that offers protection against Internet threats, which is why we recommend using it when it comes to conducting any online activity.

  12. Client site and server got infected with the virus even though we are on v10 of Kaspersky.
    What can you do?

    1. Kaspersky Team says:

      Hi Nehraaz,

      We’re very sorry to hear your system was infected. There are a lot of file-encryptors and more and more new modifications that are being created daily. Cryptolocker is just one of a wide range of cryptors. If Kaspersky didn’t block it, it was not Cryptolocker, but one of the new encryptors. We recommend sending samples to http://support.kaspersky.com/viruses/utility.

  13. Tidak Diketahui says:

    How do I fix the CryptoLocker virus?

    1. Kaspersky Team says:

      Hi Tidak,

      There are numerous different types of cryptolockers. We suggest trying to use one of these tools: http://support.kaspersky.com/viruses/utility. Please let us know if any of these help you.