CryptoLocker - Prevention, Recovery, and FAQ

Version 8

    CryptoLocker-thmb.jpg

     

    Now that the malware authors have found a new way to extract money from computer users, the incidence of Fake AV software has declined. This as a class of malware was relatively easy to remove from infected systems, and relied on the inexperience of those infected to persuade them to hand over money in return for the removal of often non-existent threats.

     

    Encryption of files on an infected system is a different matter. The encryption method may be known but if the key used is unknown then decryption is, if not actually impossible (the NSA could probably do it), then not feasible for almost everyone who is affected. CryptoLocker is the most recent and most widespread of this class of ransomware, and someone somewhere is raking in the cash as a result. Note that payment for decryption cannot be done using credit cards : you have to make payments using MoneyPak vouchers or BitCoins.

     

    In combatting ransomware, bear in mind that the initial infection can be removed quite easily - but the encrypted files remain and cannot be decrypted.

     

    Cryptolocker1.PNG

     

     

    In this case prevention is better than cure; if CryptoLocker strikes then having a recent backup of the infected files is the only easy way to restore the file system.

     

    "Prevention is better than cure" - there is apparently a way to prevent CryptoLocker from encrypting those files : by preventing it from running in the first place. This works best in a business environment, but can be adapted to work also on some (perhaps all) home PCs.

     

    How to prevent your computer from becoming infected by CryptoLocker

    You can use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths. For more information on how to configure Software Restriction Policies, please see these articles from MS:

    http://support.microsoft.com/kb/310791
    http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx

     

     

    This was noted in a blog post by Graham Cluley - http://grahamcluley.com/2013/11/cryptolocker-protect/

     

    The above blog draws heavily on a FAQ document from BleepingComputer -

    http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-informatio n

     

    Table of Contents

     

    1. The purpose of this guide

    2. What is CryptoLocker

    3. What should you do when you discover your computer is infected with CryptoLocker

    4. Is it possible to decrypt files encrypted by CryptoLocker?

    5. Will paying the ransom actually decrypt your files?

    6. Known Bitcoin Payment addresses for CryptoLocker

    7. CryptoLocker and Network Shares

    8. What to do if your anti-virus software deleted the infection files and you want to pay the ransom!

    9. How to increase the time you have to pay the ransom

    10. Messages from the ransomware author and information about the CryptoLocker Decryption Service

    11. How to restore files encrypted by CryptoLocker using Shadow Volume Copies

    12. How to restore files that have been encrypted on DropBox folders

    13. How do you become infected with CryptoLocker

    14. How to find files that have been encrypted by CryptoLocker

    15. How to determine which computer is infected with CryptoLocker on a network

    16. How to prevent your computer from becoming infected by CryptoLocker

    17. How to allow specific applications to run when using Software Restriction Policies

    18. How to be notified by email when a Software Restriction Policy is triggered

    19. CryptoLocker Timeline

     

    The highlighted sections answer the most important questions.

     

    As the BleepingComputer document notes, there is a very active (and very long) discussion thread about CryptoLocker -

    http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/

     

    If there any breakthroughs in dealing with this class of infection, or if CryptoLocker is modified to behave differently, that thread is probably the best place to find out about it.

     

     

    Edit, 27 December

     

    Dell SecureWorks have issued two reports, about CryptoLocker and the means by which it arrives on a PC and is allowed to execute. These papers should be read by everyone before they encounter CryptoLocker, since it is still not possible to decrypt files encrypted by CryptoLocker without paying the ransom. The whole CryptoLocker saga is still evolving, and the latest variant is said to be able to spread like a worm, in other words without any user action being required (the usual infection method, like all Trojans, requires some user action to enable it to be downloaded and activated). The payment demands too are being continuously modified, with the authors having to downplay the BitCoin ransom because of that virtual currency's extreme fluctuations in value.

     

    The first Dell SecureWorks report deals with the infection methods. The Cutwail botnet is used to send spam emails containing a link which, if clicked, will download the first stage of the infection - a small downloader program which contacts a remote server to get the malware payload.

     

    This Upatre malware downloads and executes Gameover Zeus, which in turn downloads and installs other malware families including CryptoLocker.

     

    After connecting to an attacker-controlled C2 server, CryptoLocker sends a phone-home message encrypted with an RSA public key embedded within the malware (see Figure 2). Only servers with the corresponding RSA private key can decrypt this message and successfully communicate with an infected system.

     

    Organisations with enterprise-level anti-virus program suites are better-placed to counter this threat than are home users, whose A-V solutions have fewer features. Some home users can take advantage of Windows' built-in Software Policy Restrictions to prevent current versions of CryptoLocker from being installed, but there is no guarantee that this will remain effective - the authors will attempt to find a way to counter or work around these restrictions. Users will also find that other, legitimate, programs and applications will no longer work properly, or at all, with Policy Restrictions in place. Nevertheless, this does appear to offer some protection and should be considered by anyone who has a good understanding of the operating system and is comfortable with setting group policies.

     

    Mitigation

    By incorporating the following components in a defense-in-depth strategy, organizations may be able to mitigate the CryptoLocker threat:

    • Block executable files and compressed archives containing executable files before they reach a victim's inbox. Email remains a top infection vector for malware in general and this threat in particular.
    • Consider aggressively blocking known indicators (see Table 6) from communicating with your network to temporarily neuter the malware until it can be discovered and removed. CryptoLocker does not encrypt files until it has successfully contacted an active C2 server.
    • Reevaluate permissions on shared network drives to prevent unprivileged users from modifying files.
    • Regularly back up data with so-called "cold," offline backup media. Backups to locally connected, network-attached, or cloud-based storage are not sufficient because CryptoLocker encrypts these files in the same manner as those found on the system drive.
    • Implement Software Restriction Policies (SRPs) to prevent programs like CryptoLocker from executing in common directories such as %AppData% or%LocalAppData%.
    • Use Group Policy Objects (GPOs) to create and restrict permissions on registry keys used by CryptoLocker, such as HKCU\SOFTWARE\CryptoLocker (and variants). If the malware cannot open and write to these keys, it terminates before encrypting any files.

     

    A fuller discussion is in these two Dell Secureworks papers, which I strongly recommend you to read.

     

    http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransom ware/

    http://www.secureworks.com/cyber-threat-intelligence/threats/analyzing-upatre-do wnloader/

     

     

    There is a third paper, published in the middle of 2013, about Peer-to-Peer (GameOver) Zeus, which is still relevant. This paper was published before the eclipse of the Blackhole Exploit Kit, which was extensively used to spread malware up until the arrest of "Paunch", the alleged author and controller of this exploit kit.

     

    http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Pe er_to_Peer_Gameover_ZeuS