October 25, 2013 by Larry D. Lawrence II
A new piece of malware has been spreading widely across the Internet for the past few months, holding every file on a computer for ransom. There is a growing trend in this type of malware, known as ransomware, but CryptoLocker is the most dangerous one to pop up so far. Normally the threats are empty or the malware does something completely fixable, such as locking the computer. CryptoLocker is different: it installs itself in the “Documents and Settings” folder, scans the hard drive and actually encrypts certain data file types, including documents associated with Microsoft Word, Excel, SQL, PowerPoint, Access databases and Adobe Photoshop. CryptoLocker then launches a pop-up window with a 100-hour countdown and provides details on how to pay the ransom. The hackers are covering their tracks by using Bitcoins, a digital currency designed to be as anonymous as cash. Payments are also made with a Green Dot MoneyPak, a reloadable debit card available from a number of local stores. Unless the user pays $300.00 to the hacker responsible for the infection within 100 hours, the hacker threatens to forever deny the user access to his or her files.
CryptoLocker is not just an empty threat. The computer's files are cryptographically locked, making them almost impossible to access. It will also reach mapped network drives to servers or other workstations that the current user has write access to and encrypt those as well, so every file the computer has access to becomes unusable if the attacker's demands are not met. If the ransom is paid before the deadline, a key is given to decrypt the files. If not, the key is destroyed and the files are effectively lost forever. Even antivirus companies don’t have ways to restore the encrypted files.
Due to the nature of the encryption, brute-forcing the decryption is essentially impossible for now. There are only a handful of options for recovering encrypted files, and they all rely on either having System Restore or Volume Shadow Copy turned on or having a backup that was disconnected from the infected machine. Cloud backup solutions without versioning are no good against this, as they will commit the encrypted files to the cloud. Symantec Backup Exec and other versioning-based backup solutions should work fine, provided the backups are running normally and the backup drives are not mapped to the infected computer.
Undelete software doesn't work either: CryptoLocker encrypts the files in place on the hard drive, so no copy of the original is ever written and there is nothing deleted to recover. The big plus is that disconnected, offsite, or tape backups made before the infection are good, and they make this whole process laughably easy to resolve. Antivirus manufacturers are working on solutions, but there isn’t a foolproof one yet. Users should remain vigilant about their security online, double-checking the legitimacy of links received in emails and social media messages.
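To make the recovery argument concrete, here is an added example (not part of the original post) that simulates an in-place overwrite of two constructed sample documents and compares what a non-versioned mirror sync and a versioning backup can restore afterwards; it also computes byte entropy, a cheap signal a backup agent can use to flag files that suddenly look like ciphertext. The file paths and document contents are constructed for the demonstration, and random bytes stand in for the encryption step.

```python
import hashlib, math, os
from collections import Counter, defaultdict

# Constructed sample documents standing in for a user's Office files (not real data).
DOCUMENTS = {
    "C:/Users/alice/Documents/budget.xlsx": b"Q3 budget: travel 1200, hardware 4800, training 900\n" * 20,
    "C:/Users/alice/Documents/report.docx": b"Quarterly report draft. Revenue grew 4% over Q2.\n" * 20,
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text documents sit well below 6, ciphertext close to 8."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

class MirrorBackup:
    """Non-versioned sync (the 'cloud backup without versioning' case): only the current disk state is kept."""
    def __init__(self):
        self.store = {}
    def sync(self, files):
        self.store = dict(files)          # an in-place overwrite simply replaces the only copy
    def restore(self, path):
        return self.store[path]

class VersionedBackup:
    """Versioning backup: every distinct content version of a file is retained, oldest first."""
    def __init__(self):
        self.store = defaultdict(list)
    def sync(self, files):
        for path, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            if not self.store[path] or self.store[path][-1][0] != digest:
                self.store[path].append((digest, data))
    def restore(self, path, version=-1):
        return self.store[path][version][1]

def simulate_in_place_overwrite(files):
    """Stand-in for the encryption step: same path, same length, random bytes; nothing is copied or deleted."""
    return {path: os.urandom(len(data)) for path, data in files.items()}

def run_scenario(path="C:/Users/alice/Documents/budget.xlsx"):
    mirror, versioned = MirrorBackup(), VersionedBackup()
    mirror.sync(DOCUMENTS); versioned.sync(DOCUMENTS)          # backups taken before the infection
    damaged = simulate_in_place_overwrite(DOCUMENTS)
    mirror.sync(damaged); versioned.sync(damaged)              # the next scheduled backup run
    return {
        "mirror_recovers": mirror.restore(path) == DOCUMENTS[path],
        "versioned_recovers": versioned.restore(path, version=0) == DOCUMENTS[path],
        "entropy_before": shannon_entropy(DOCUMENTS[path]),    # low: plain text
        "entropy_after": shannon_entropy(damaged[path]),       # near 8: looks encrypted, worth alerting on
    }
```

The mirror store ends up holding only the damaged copy, while the versioned store can still hand back version 0 from before the overwrite.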
The good news (if there is any) is that paying the ransom does actually decrypt the files, so long as the attackers' server is up, and the hackers behind CryptoLocker have so far kept their word and not infected computers again after the ransom is paid. They verify the money transfer manually and then push a notification for the infected machine to call home for the private key again, which it uses to decrypt. Decryption takes a long time, at a rate of roughly 5 GB per hour based on reports. The malware uses the registry to maintain a list of files and paths, so not moving or altering the files is vital to decryption if you are paying the ransom. Also notable is that the payment timer does appear to be legitimate; once it runs out, the program uninstalls itself, and even infecting the machine a second time does not bring a new timer. Entering incorrect information in an attempt to fool the system into thinking you have paid will further reduce the time left on the timer, and setting the BIOS clock back has no effect.