# InternetCryptoLocker Ransomware (and backup reminder)

#### Keatah

##### Active member
A friendly reminder to evaluate, execute, and test your backup procedures. Now is as good a time as any especially if you hadn't done so in a while.

Now for something more dark. This is James Bond and secret-agent material. This is about the CryptoLocker virus kit, or Ransomware. Arguably one of the most hated, feared, and respected malware packages ever made.

This malware arrives on your system when you click on an attachment. It scans your system for popular filetypes and proceeds to encrypt them with RSA-2048, and/or AES-256. This effectively prevents you from using those files. And it then demands you pay a fee to un-encrypt them. You are required to pay something anywhere from $100 USD to$2,000 USD depending on the variant you got infected with. You make payment anonymously through a MoneyPak card or Bitcoin.

You typically get a time limit of around 75 hours to come up with the funds. And if you don't the other half of the encryption key set is permanently deleted off the CnC and thus rendering even the malware decryptor incapable of effecting a restoration.

Ohh yes, it travels across network shares and USB jumpdrives and encrypts files there. The CnC server gets a new IP address every now and then based on time and date. All of the activity and communication between the virus and its home-base server is RSA encrypted. If you delete the virus with anti-malware scanners and similar, you also delete the data necessary to effect restoration. Recently and (sometimes now) anti-virus scanners don't alert you till after the hi-jacking processes has been started of is complete. It operates in safe mode too.

And there's more! But you'll need to read up on your own. But most importantly, if you do pay the ransom, currently averaging $300-600$ USD, this virus will undo the "damage" and restore your system to what it was.

There have been reports that the data is restored, and sometimes not. But mostly it is. Sometimes not because efforts to take down the constantly roaming CnC server interfere with the ability of an infected PC to get the necessary codes. This is malware that does exactly what it promises.

All my pro IT buddies and sysadmins are recommending to pay the fee and move on. That only encourages the authors to crank up the stakes and make better versions.

On the other hand they're scrambling to make sure proper and operating backups are in place. Which is a good thing.

The main infection vector is through social engineering and botnet. You get a fake legal notice or package delivery notice. You click on a .zip file, which either contains or is an executable. This starts the downloader and sometimes a bot net node. Then it downloads the encryptor program. Then when enough of your files are locked, it displays the notice. Sometimes this sits around and works slowly hoping you cycle through daily backups. Some newer variants delete VSS copies too (see #2 below).

So far there are 3 possible ways to recover from this.
1- Restore from an off-line backup. Off-line backups are King in this situation. Restore from image or file differences and away you go!

2- You can try and see what VSS Windows Service has done, it may have made recent copies of your files without you even knowing it - which earlier versions of the virus didn't affect. Simply roll them back. You can use Shadow Explorer to help you out with this.

3- Pay the fee.

What a nightmare, eh? And so far, it has been estimated the progenitors of this virus are going to bank with millions!

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/
[ame="http://en.wikipedia.org/wiki/Cryptolocker"]CryptoLocker - Wikipedia, the free encyclopedia[/ame]

#### boogabooga

##### Bug Crusher
I hope they bring back hanging, drawing, and quartering when they catch these worthless pieces of trash...:dry:

That they were clearly intelligent enough to have done something positive makes their crime that much worse.

#### Zatnikitelman

I'd like to ask the Systems Admins and those more knowledgeable about such issues than I: I use Areca backup to a mapped network drive through Windows 7. It runs a scheduled backup every night to the drive which is normally accessible like any other file. Is a viable defense to configure my batch file to map, then unmap the network drive each time rather than keep it open all the time? So it would be like:
Code:
net use Z:\\BackupPlaceThingyNameSomethingHere
areca-cl.exe -h -a -i -l -p -r -o -b -e /myfiles
net use Z: delete

#### Artlav

##### Aperiodic traveller
Beta Tester
Also, thinking "bah, i'm too smart to open random e-mail attachments!" is not a valid replacement for having good backups.

#### Linguofreak

##### Well-known member
I'd like to ask the Systems Admins and those more knowledgeable about such issues than I: I use Areca backup to a mapped network drive through Windows 7. It runs a scheduled backup every night to the drive which is normally accessible like any other file. Is a viable defense to configure my batch file to map, then unmap the network drive each time rather than keep it open all the time? So it would be like:
Code:
net use Z:\\BackupPlaceThingyNameSomethingHere
areca-cl.exe -h -a -i -l -p -r -o -b -e /myfiles
net use Z: delete

Well, I'm not horribly knowledgeable about such issues, but just thinking through the potential outcomes, I'd say it's at least a good first line of defense. However, if your system is doing a backup when you get infected, files in the backup will get encrypted.

In light of this, it might be a good idea to have the backup server (which is to say, the machine with the backup drive) pull the backup rather than have the client (the machine with the data to be backed up) push it. The server would have the client's hard drive mounted as a read only network drive to pull backups, and the client would have the server's backup drive mounted as a read-only network drive for restoration. That way an infection on the client can't encrypt the backup on the server, and an infection on the server can't encrypt the original on the client.

Another interesting thing to try, if your backup software can handle it and you absolutely *must* have the backup drive mounted read-write on the client, is to take advantage of the fact that Cryptolocker needs to leave system files unencrypted, and thus only encrypts certain file types. If your backup software can algorithmically rename files (though this is probably a rather unlikely feature), you could have it rename every file to something with an exe extension, along the lines of SchoolPaper.docx -> SchoolPaperPerioddocx.exe. That way Cryptolocker won't find anything to encrypt on the backup drive even if it is mounted read-write. This, ironically enough, is doing to Cryptolocker what it does to trick users into running it: It makes use of Window's "Hide extensions for known file types" option to masquerade as [filename].pdf, when it's actually [filename].pdf.exe.

Which brings me to one last thing: Make sure that you and everyone on your network has "hide known extensions" turned *off*.

#### Keatah

##### Active member
If you're in the process of backup and Cryptolocker comes alive, it's going to blast files in the backup cue.

Some variants of Cryptolocker will detect a newly mapped or freshly connected device and add them to its cue. In some cases it will drop what its doing and pay full attention to the new volume. Depends on the exact infection and system configuration you got.

I'm typically recommending offline pull, and versioning or round-robin rotating backups for my clients. All depends on their budget and usage patterns.

Renaming file extensions is a temporary measure at masking files from Cryptolocker. It's only a matter of time before they re-write the virus to look at the file headers.

Last edited:

#### Ghostrider

##### Donator
Donator
Heard about it. Somebody needs to go all Liam Neeson on their asses.

#### streb2001

Donator
Thanks for this heads up. Are you saying that it only gets in via an email attachment? I am afraid to Google it in case I click on a bad link!

#### Quick_Nick

##### Passed the Turing Test
Donator
http://www.symantec.com/connect/blogs/cryptolocker-qa-menace-year

"Symantec telemetry for this threat shows that the threat is not very prevalent in the wild at present. While the numbers being reported are low, the severity of the attack is still considerable for victims."

I'm not too worried for myself, and have no intentions of opening random email attachments.
And good backup practice should make this virus no more than an annoyance, besides likely saving you time and money whether or not you get infected.

#### Matias Saibene

##### Well-known member
Intelligence to create new viruses (increasingly harmful), seem endless. That intelligence could be used to create cures for diseases, eradicate hunger, etc.
The worst problem that can cause this type of virus is to attack any government agency (see image).
Fortunately, you can also use Orbiter 2010 in Linux.

Greetings to all.

#### Attachments

• vcxkr9yartqexn46g.jpg
120 KB · Views: 21

#### Artlav

##### Aperiodic traveller
Beta Tester
Intelligence to create new viruses (increasingly harmful), seem endless. That intelligence could be used to create cures for diseases, eradicate hunger, etc.
Not exactly.
It's very rare to see a well-written virus.
A lot of them are crapjobs by kids, compiled with regular tools or using various generator programs.
And it's been like that since forever - the days when computer viruses were mostly works of art are long gone.

#### Urwumpe

##### Not funny anymore
Donator
A lot of them are crapjobs by kids, compiled with regular tools or using various generator programs.

That is also, why we have many different kinds of malwares, but only few virus families there. A few people really do research and develop the basic toolkit for a family, and then things are sold. And that for real big money. Its sometimes cheaper to get a guided missile, than to get a good new virus toolkit.

(And the really expensive viruses are not seen on the usual consumer PC. Those are specialized for attacking a selected company and penetrate the company intranet)

#### PennyBlack

##### Altea Development Team
Two friends of mine were hit by software that locked them out of there machines completely, demanding money to unlock them and both used two differing options to gain access to their PCs.

The first took it to a shop and they charged £30 to remove the software virus and clean the system.

The other, had my spare HDD and fitted it, formatted and installed his OS. Then using an external HDD with his old drive, transferred the files he needed back onto the system. He retained the old HDD just in case he gets hit again.

Both, as it appeared, used film sites that allowed them to watch free films online.

Never pay money, it only endorses such behaviour in the future. There are ways around certain lockouts. It's unfortunate that there are people out there who do this.

#### Andy44

##### owner: Oil Creek Astronautix
I have to wonder, if there is transfer of money involved, surely these criminals can be tracked down, right?

#### BruceJohnJennerLawso

##### Dread Lord of the Idiots
I have to wonder, if there is transfer of money involved, surely these criminals can be tracked down, right?

Bitcoin is supposed to be rather hard to track, no?

#### Quick_Nick

##### Passed the Turing Test
Donator
Bitcoin is supposed to be rather hard to track, no?

It depends how you handle your transactions. Bitcoin is secure; companies that deal in Bitcoins are not secure in the same way. Same for anonymity. Receiving bitcoins is straightforward though. Basically no way to track that if you keep it simple. And then selling thousands of dollars worth of coins is not uncommon either so may not arouse suspicion at all. A lot of people like to deal in bitcoins in person; if you trade online, most companies are either regulated and require ID, or shady and will lose your money.

Replies
0
Views
137
Replies
0
Views
798
Replies
1
Views
408
Replies
19
Views
820
Replies
13
Views
2K