CryptoLocker - Prevention, Recovery, and FAQ

Now that the malware authors have found a new way to extract money from computer users, the incidence of Fake AV software has declined. Fake AV, as a class of malware, was relatively easy to remove from infected systems; it relied on the inexperience of those infected to persuade them to hand over money in return for the removal of often non-existent threats.

Encryption of files on an infected system is a different matter. The encryption method may be known, but if the key used is unknown then decryption is, if not actually impossible (the NSA could probably do it), then not feasible for almost everyone who is affected. CryptoLocker is the most recent and most widespread of this class of ransomware, and someone somewhere is raking in the cash as a result. Note that payment for decryption cannot be made using credit cards: you have to pay using MoneyPak vouchers or BitCoins.

In combating ransomware, bear in mind that the initial infection can be removed quite easily, but the encrypted files remain and cannot be decrypted.


In this case prevention is better than cure; if CryptoLocker strikes then having a recent backup of the infected files is the only easy way to restore the file system.

"Prevention is better than cure" - there is apparently a way to prevent CryptoLocker from encrypting those files: by preventing it from running in the first place. This works best in a business environment, but can also be adapted to work on some (perhaps all) home PCs.

How to prevent your computer from becoming infected by CryptoLocker

You can use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths. For more information on how to configure Software Restriction Policies, please see these articles from MS:

http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx

This was noted in a blog post by Graham Cluley - http://grahamcluley.com/2013/11/cryptolocker-protect/

The above blog draws heavily on a FAQ document from BleepingComputer -

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Table of Contents

1. The purpose of this guide

2. What is CryptoLocker

3. What should you do when you discover your computer is infected with CryptoLocker

4. Is it possible to decrypt files encrypted by CryptoLocker?

5. Will paying the ransom actually decrypt your files?

6. Known Bitcoin Payment addresses for CryptoLocker

7. CryptoLocker and Network Shares

8. What to do if your anti-virus software deleted the infection files and you want to pay the ransom!

9. How to increase the time you have to pay the ransom

10. Messages from the ransomware author and information about the CryptoLocker Decryption Service

11. How to restore files encrypted by CryptoLocker using Shadow Volume Copies

12. How to restore files that have been encrypted on DropBox folders

13. How do you become infected with CryptoLocker

14. How to find files that have been encrypted by CryptoLocker

15. How to determine which computer is infected with CryptoLocker on a network

16. How to prevent your computer from becoming infected by CryptoLocker

17. How to allow specific applications to run when using Software Restriction Policies

18. How to be notified by email when a Software Restriction Policy is triggered

19. CryptoLocker Timeline

The highlighted sections answer the most important questions.

As the BleepingComputer document notes, there is a very active (and very long) discussion thread about CryptoLocker -

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/

If there are any breakthroughs in dealing with this class of infection, or if CryptoLocker is modified to behave differently, that thread is probably the best place to find out about it.

Edit, 27 December

Dell SecureWorks have issued two reports, about CryptoLocker and the means by which it arrives on a PC and is allowed to execute. These papers should be read by everyone before they encounter CryptoLocker, since it is still not possible to decrypt files encrypted by CryptoLocker without paying the ransom. The whole CryptoLocker saga is still evolving, and the latest variant is said to be able to spread like a worm, in other words without any user action being required (the usual infection method, like all Trojans, requires some user action to enable it to be downloaded and activated). The payment demands too are being continuously modified, with the authors having to downplay the BitCoin ransom because of that virtual currency's extreme fluctuations in value.

The first Dell SecureWorks report deals with the infection methods. The Cutwail botnet is used to send spam emails containing a link which, if clicked, will download the first stage of the infection - a small downloader program which contacts a remote server to get the malware payload.

This Upatre malware downloads and executes Gameover Zeus, which in turn downloads and installs other malware families including CryptoLocker.

After connecting to an attacker-controlled C2 server, CryptoLocker sends a phone-home message encrypted with an RSA public key embedded within the malware (see Figure 2). Only servers with the corresponding RSA private key can decrypt this message and successfully communicate with an infected system.

Organisations with enterprise-level anti-virus suites are better placed to counter this threat than home users, whose A-V solutions have fewer features. Some home users can take advantage of Windows' built-in Software Restriction Policies to prevent current versions of CryptoLocker from being installed, but there is no guarantee that this will remain effective - the authors will attempt to find a way to counter or work around these restrictions. Users will also find that other, legitimate, programs and applications no longer work properly, or at all, with these restrictions in place. Nevertheless, this does appear to offer some protection and should be considered by anyone who has a good understanding of the operating system and is comfortable with setting group policies.

Mitigation

By incorporating the following components in a defense-in-depth strategy, organizations may be able to mitigate the CryptoLocker threat:

  • Block executable files and compressed archives containing executable files before they reach a victim's inbox. Email remains a top infection vector for malware in general and this threat in particular.
  • Consider aggressively blocking known indicators (see Table 6) from communicating with your network to temporarily neuter the malware until it can be discovered and removed. CryptoLocker does not encrypt files until it has successfully contacted an active C2 server.
  • Reevaluate permissions on shared network drives to prevent unprivileged users from modifying files.
  • Regularly back up data with so-called "cold," offline backup media. Backups to locally connected, network-attached, or cloud-based storage are not sufficient because CryptoLocker encrypts these files in the same manner as those found on the system drive.
  • Implement Software Restriction Policies (SRPs) to prevent programs like CryptoLocker from executing in common directories such as %AppData% or %LocalAppData%.
  • Use Group Policy Objects (GPOs) to create and restrict permissions on registry keys used by CryptoLocker, such as HKCU\SOFTWARE\CryptoLocker (and variants). If the malware cannot open and write to these keys, it terminates before encrypting any files.

A fuller discussion is in these two Dell SecureWorks papers, which I strongly recommend you read.

http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/

http://www.secureworks.com/cyber-threat-intelligence/threats/analyzing-upatre-downloader/
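The following PowerShell script is an added example, not code from this page, from Dell SecureWorks or from BleepingComputer. It shows what the Software Restriction Policy advice in the "How to prevent" section and the SRP bullet in the Mitigation list look like when written directly to the Local Policy registry keys: deny rules for executables under %AppData% and %LocalAppData%, plus one allow rule for a legitimate program that would otherwise be blocked (the four path patterns and the ExampleVendor\ExampleApp.exe path are this example's own assumptions).

```powershell
# Added example (not code from the page, Dell SecureWorks or BleepingComputer):
# writes Software Restriction Policy path rules directly to the registry so
# executables cannot launch from the %AppData% and %LocalAppData% trees, then
# adds one "Unrestricted" rule for a legitimate program the block would catch.
# Run from an elevated prompt on Windows; Local Policy picks the rules up after
# "gpupdate /force" or a reboot. The patterns and the allowed program path are
# this example's own choices, not values taken from the page.

$Srp          = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level: do not run
$Unrestricted = 262144   # 0x40000: run normally (also the policy default below)

# Create the SRP root if no policy has ever been configured on this machine.
if (-not (Test-Path $Srp)) { New-Item -Path $Srp -Force | Out-Null }
Set-ItemProperty -Path $Srp -Name DefaultLevel        -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $Srp -Name TransparentEnabled  -Value 1 -Type DWord  # enforce for all files except DLLs
Set-ItemProperty -Path $Srp -Name PolicyScope         -Value 0 -Type DWord  # apply to every user, admins included
Set-ItemProperty -Path $Srp -Name AuthenticodeEnabled -Value 0 -Type DWord

function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each rule is a GUID-named subkey under <level>\Paths; ItemData holds the pattern.
    $guid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $key  = Join-Path $Srp "$Level\Paths\$guid"
    New-Item -Path $key -Force | Out-Null
    # REG_EXPAND_SZ so %AppData% is expanded per user when the rule is evaluated.
    New-ItemProperty -Path $key -Name ItemData    -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags  -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -Value $Description -PropertyType String       -Force | Out-Null
    return $guid
}

# Deny rules: the directories the page names, both directly and one level down.
$Blocked = @('%AppData%\*.exe', '%AppData%\*\*.exe',
             '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe')
foreach ($p in $Blocked) {
    Add-SrpPathRule -Path $p -Level $Disallowed -Description 'CryptoLocker mitigation: block AppData executables'
}

# Allow rule for a legitimate per-user program (assumed path) installed under %LocalAppData%.
# Among path rules the more specific match wins, so this overrides the broader deny rule.
Add-SrpPathRule -Path '%LocalAppData%\ExampleVendor\ExampleApp.exe' -Level $Unrestricted `
                -Description 'Allowed application'

# Blocked launches are logged as Event ID 866 (source SoftwareRestrictionPolicies)
# in the Application log; review them before widening the allow list.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 866 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The same rules can be created through the Group Policy or Local Security Policy editor linked above; the registry layout shown here is what that editor writes, which is useful when you need to script the setting across several home PCs.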

There is a third paper, published in the middle of 2013, about Peer-to-Peer (GameOver) Zeus, which is still relevant. This paper was published before the eclipse of the Blackhole Exploit Kit, which was extensively used to spread malware up until the arrest of "Paunch", the alleged author and controller of this exploit kit.

http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_...


Comments
jonathansc

Is there a version of this that applies to Windows 8.1?

Hayton

Windows 8 and 8.1 Software Restriction Policies -

http://technet.microsoft.com/en-us/library/hh831534.aspx

Hayton

A solution has been found to the problem of files encrypted by Cryptolocker. See my reply to one of the Cryptolocker threads -

vinod_r2

This article is of high quality and is always a recommended read before you start thinking on a course of action. Must read.

Version history: Revision 1 of 1. Last update: 11-21-2013 03:48 AM.