
Cryptolocker: new malware encrypts your files, demands ransom within 96 hours

I'm posting this mostly as a Public Service Announcement. Did a search, saw nothing.



CryptoLocker is a ransomware program that was released around the beginning of September 2013. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 96 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

Here is a video demonstrating an infection on a test machine.

And here are some user experiences:
Here's my situation: Client has 4 computers connected to a Synology NAS (uses Linux I believe) to share files. One of the clients got the Cryptolocker virus through an email attachment. Files on both the one client computer and the shared files on the NAS were encrypted. Backups were no good, so the $300 ransom was paid. The payment happened just before closing time and the computer was left on overnight.

Returning in the morning, found that all the files on the infected client were decrypted but none on the NAS. Curiously, a file named "PrivatKey.bin" was left on the desktop.

I am seeking information on how to re-start the decryption or maybe to use that PrivatKey.bin file for decryption if anyone has ideas.

....

PS we paid. $300 for 14,400 files returned, 11 years of (then) non-backed up data. It took two hours for the decryption process to begin, and another 3 or so for it to finish. Client and staff grateful and overjoyed. Very Stockholm Syndrome. Not mad at attacker at all, just grateful the beating had stopped.

...

Cryptolocker hit us 2 days ago and we have been fighting it since. Just wanted to run through what we have tried in hopes that it might help others. I know paying these guys is a tough call to make but when you are faced with losing 40,000 files you do what you have to. We ran malwarebytes and removed cryptolocker before we realized we needed it to pay these guys off for the data to be decrypted so we spent all day yesterday trying to reinfect using the original email that was clicked on to infect the PC in the first place....

This thing has been around for a little over a month but it has exploded in the last few days. This is not your average ransomware: it will encrypt files on network shares and external drives, so keep that in mind if that's your backup strategy. Yes, you will lose the files if you don't pay. The family IT guy will not be able to break the encryption and recover them.

These things are only going to get more sophisticated. You can have the best security software in the world, but remember: the user is usually the weakest link. Remind people in your life who use technology to watch what they click.

Edit:

http://www.reddit.com/r/sysadmin/comments/1mizfx/proper_care_feeding_of_your_cryptolocker/

Yeah, Reddit, but that's a good link to read about the malware. Lots of useful information.

something for the OP
• We have confirmation that both Malwarebytes Antimalware Pro and Avast Free and Pro will stop CryptoLocker from running. My personal choice of the two is MBAM Pro but research on your own, AV Comparatives is a wonderful resource.

Edit 2: Virus scanners which will detect cryptolocker:

I've just uploaded a sample of this malware to Virustotal (it scans the file with a bunch of different AV engines and tells you if they detect the file). The results are here:

https://www.virustotal.com/en/file/...0a3c34fc2008e210ccfe6dae/analysis/1382805599/

Pretty much every AV, provided you have the latest updates, will detect it.
 

No Love

Banned
God damn, that is brutal.

Always back up your stuff onto disks that aren't connected to a network, and also on the cloud somewhere I suppose. So sad that people are going around screwing others over like this.
 

Omni

Member
I guess it's good that they give you four days...but still. External hard drives that are only used to backup are a necessity these days.
 

Juice

Member
Phew @ my all Mac ecosystem of machines

Sympathy for folks affected. Brutal, malevolent software design.
 

Coreda

Member
Heard about this on a podcast a few days ago. Seriously people, don't let yourself get taken down by this.

It will encrypt every known document type it can on both your own system, and any network/shared folders. It's a beast.
 

antonz

Member
That's hardcore. I didn't even know "ransomware" existed.

Much of it tries to present itself as if they are the FBI or another agency who has caught you doing bad things and you must pay or they will come after you. It's all been based on fear stuff until this new encryption stuff.
 
http://www.reddit.com/r/sysadmin/comments/1mizfx/proper_care_feeding_of_your_cryptolocker/

Yeah, Reddit, but that's a good link to read about the malware. Lots of useful information.

Added to OP. Also, more info on how it works here:

http://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/

What CryptoLocker does

When the malware runs, it proceeds as follows:

1. CryptoLocker installs itself into your Documents and Settings folder, using a randomly-generated name, and adds itself to the list of programs in your registry that Windows loads automatically every time you log on.

2. It produces a lengthy list of random-looking server names in the domains .biz, .co.uk, .com, .info, .net, .org and .ru.

3. It tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds.

4. Once it has found a server that it can reach, it uploads a small file that you can think of as your "CryptoLocker ID."

5. The server then generates a public-private key pair unique to your ID, and sends the public key part back to your computer.

→ Remember that public-key cryptography uses two different keys: a public key that locks files, and a private key that unlocks them. You can share your public key widely so that anyone can encrypt files for you, but only you (or someone to whom you have given a copy of your private key) can decrypt them.

6. The malware on your computer uses this public key to encrypt all the files it can find that match a largish list of extensions, covering file types such as images, documents and spreadsheets.

→ Note that the malware searches for files to encrypt on all drives and in all folders it can access from your computer, including workgroup files shared by your colleagues, resources on your company servers, and possibly more. The more privileged your account, the worse the overall damage will be.

7. The malware then pops up a "pay page," giving you a limited time, typically 72 hours, to buy back the private key for your data, typically for $300. (The price point is surprisingly similar to what it was back in 1989.)

GAF, you are not prepared for this. Watch what you click.
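Steps 2 and 3 of the write-up quoted above give a defender something concrete to look for in DNS resolver logs: one client churning through many random-looking names under a fixed set of TLDs, roughly one per second, with NXDOMAIN answers until one finally resolves. The script below is an added example for this thread, not code from the Sophos article, the Reddit post or any malware sample. It scores the label directly under each listed TLD for randomness (length, character entropy, vowel ratio), raises an alert when a single client produces a burst of such lookups inside a short window, and reports which of those names actually resolved, since that is the one the infected host ended up talking to. The log format, client addresses, query names and every threshold are constructed assumptions and would need tuning against real resolver data.

```python
"""
Flag DGA-style lookup bursts of the kind described in steps 2 and 3 of the
quoted CryptoLocker write-up. Added example for this thread; not from the
Sophos article, the Reddit post, or any malware sample. Log format, hosts,
query names and thresholds are all constructed for the example.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# TLDs named in step 2 of the write-up.
WATCHED_TLDS = (".co.uk", ".biz", ".com", ".info", ".net", ".org", ".ru")

# Constructed resolver log: "<timestamp> <client-ip> <qname> <rcode>".
# 10.0.0.12 walks five generated names in five seconds; the last one answers.
SAMPLE_LOG = """\
2013-10-15T09:00:01 10.0.0.12 mail.example.org NOERROR
2013-10-15T09:00:02 10.0.0.12 qwpxvkjtrmzl.biz NXDOMAIN
2013-10-15T09:00:03 10.0.0.12 hfdjkwqpolmxt.co.uk NXDOMAIN
2013-10-15T09:00:04 10.0.0.12 zzrplmqwexjv.info NXDOMAIN
2013-10-15T09:00:05 10.0.0.12 kqpwrtmxvjlz.net NXDOMAIN
2013-10-15T09:00:06 10.0.0.12 bnmwqprtxzlk.ru NOERROR
2013-10-15T09:00:07 10.0.0.33 www.example.com NOERROR
2013-10-15T09:00:08 10.0.0.33 cdn.example.net NOERROR
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Turn the constructed log format into a list of record dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "rcode": rcode,
        })
    return records


def generated_label(qname):
    """Return the label directly under a watched TLD (the part a DGA would produce), or None."""
    for tld in WATCHED_TLDS:
        if qname.endswith(tld):
            stem = qname[: -len(tld)]
            return stem.rsplit(".", 1)[-1] if stem else None
    return None


def shannon_entropy(s):
    """Bits of entropy per character; near log2(len) when every character is distinct."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label, min_len=10, min_entropy=3.0, max_vowel_ratio=0.3):
    """Heuristic: long, high-entropy, vowel-poor labels look machine-generated. Thresholds are assumptions."""
    if label is None or len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio


def find_dga_bursts(records, window_seconds=60, min_hits=4):
    """Alert per client when >= min_hits generated-looking lookups fall inside window_seconds."""
    per_client = defaultdict(list)
    for r in records:
        if looks_generated(generated_label(r["qname"])):
            per_client[r["client"]].append(r)
    alerts = {}
    for client, hits in per_client.items():
        hits.sort(key=lambda r: r["ts"])
        for i in range(len(hits) - min_hits + 1):
            span = (hits[i + min_hits - 1]["ts"] - hits[i]["ts"]).total_seconds()
            if span <= window_seconds:
                alerts[client] = {
                    "generated": [h["qname"] for h in hits],
                    # Names that resolved are the ones the host would have contacted (step 3).
                    "resolved": [h["qname"] for h in hits if h["rcode"] == "NOERROR"],
                }
                break
    return alerts


def scan(text):
    return find_dga_bursts(parse_log(text))


if __name__ == "__main__":
    for client, info in scan(SAMPLE_LOG).items():
        print(f"{client}: {len(info['generated'])} DGA-like lookups, resolved: {info['resolved']}")
```

On the constructed log only 10.0.0.12 trips the burst rule; the normal `example.*` lookups from both clients are ignored because their second-level label is short and vowel-rich. The resolved entry is the name worth pulling from proxy and firewall logs next, and the burst itself is a reason to isolate the host before it finishes step 6.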
 

Jedi2016

Member
Does it make me a bad person if I feel the creators of, and people who profit from, this sort of thing should all be killed?
 

antonz

Member
something for the OP

• We have confirmation that both Malwarebytes Antimalware Pro and Avast Free and Pro will stop CryptoLocker from running. My personal choice of the two is MBAM Pro but research on your own, AV Comparatives is a wonderful resource.
 

daw840

Member
Windows, all the way through 8.

Mostly email attachments. Zombie computers on the Zeus botnet already have it, apparently.

Good....all of my pics are on my MBP. Though I do need to back them up....not sure really how other than just straight up burning to disc. That would take FOREVER though.
 

Stet

Banned
Good....all of my pics are on my MBP. Though I do need to back them up....not sure really how other than just straight up burning to disc. That would take FOREVER though.

Back up onto an external hard drive, disconnect the external hard drive until the next back up.
 

Coreda

Member
There are many juicy security exploits and news I hear about, but for some reason I never hear anything about them in the general media.

This one will at least get people to pay attention to security advice.

Where is the Fxxking NSA when you need them!?

IIRC the FBI had tracked down one server containing the private keys (that are used to decrypt victims' drives) but upon shutting down the server they inadvertently made it impossible for victims to connect to get the private keys they were paying the ransom for. Remember to backup people...
 

Effnine

Member
I'm sure this may be answered in the Reddit thread, but how is it NOT possible to track where the money goes and take down the people demanding the money? It seems like that would be a fairly easy thing to do ...
 

luoapp

Member
I'm sure this may be answered in the Reddit thread, but how is it NOT possible to track where the money goes and take down the people demanding the money?

They can be tracked down, but you need someone with state authority involved, not some AV companies.
 

Coreda

Member
I'm sure this may be answered in the Reddit thread, but how is it NOT possible to track where the money goes and take down the people demanding the money? It seems like that would be a fairly easy thing to do ...

Except they're using Bitcoin for payment. It's completely anonymous.
 

MThanded

I Was There! Official L Receiver 2/12/2016
I'm sure this may be answered in the Reddit thread, but how is it NOT possible to track where the money goes and take down the people demanding the money? It seems like that would be a fairly easy thing to do ...
bitcoin
 

Nilaul

Member
I'm surprised how many people don't back up their important files on a large USB or hard drive (since they're so cheap now).
 

firehawk12

Subete no aware
Surprised more people don't back up on the cloud, especially how cheap it is now.

I wonder, if this thing gets into your Dropbox folder and Dropbox syncs all those files, are all your files on Dropbox fucked as well?
(Or any other cloud service, for that matter).
 
Prevention: As this post has attracted many home users, I'll put at the top that MalwareBytes Pro, Avast! Free and Avast! Pro (defs 131016-0 16.10.2013 or later) will prevent the virus from running.

Not sure if that means non-listed anti-virus programs haven't blocked it yet, but anyway, funny to see the good old free avast still going strong.
 

Amikami

Banned
Damn. That's terrifying. So what sort of stuff should one look out for? What might be the main sources of such a malware? At this point I'm afraid to google.
 

Sophia

Member
This is probably a stupid question, but other than entering info on a shady website, is there a way for a tablet to be compromised by any sort of malware?

Depends on what tablet you're using. This specific piece of malware might/would run if you were using a Windows 8 tablet, but if it's Android/iOS/Windows RT then no.
 
We had an email at work about this today.

Apparently somebody in the company lost all files for a project. I actually don't quite understand how that would happen, but that's what it said
 
The computer equivalent of being robbed at gunpoint. Incredible how much these things have evolved.

Be careful folks.

I have anti-theft software installed on my computer which tells the PC to phone home every now and then. The software is actually installed in a special part of motherboard - on the firmware itself. The software can reinstall itself even if the hard drive is removed and replaced. Many major brands have such an ability.

Can you imagine the digital carnage if someone was able to break into that, and put a virus in there? This is out of control.
 