It’s not often that something like this comes along and makes our ears perk up.
Long story short, the best defense against CryptoLocker is a good backup. Now, that being said, you’re probably saying, “I’ve got a good backup.” My question is: if you haven’t tested it in a while, how do you know?
Recently one of my customers said the exact same thing, but once it was checked, it turned out their backup hadn’t been performed in nine years. So, just because you’ve got that tape drive or external hard drive installed on your system and had the backup set up to run, that doesn’t mean it’s actually working. I recommend at least a monthly check to make sure your backups are up to date (more often for businesses).
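Here is one way to do that monthly check rather than trusting the schedule. This is an added example, not a script from A2Z or from the post above; the source folder, backup folder, the 30-day limit and the sample size are assumed values that you would change to match your own setup. It does two things: reports how old the newest file in the backup is, and spot-checks a few recently changed files by hashing the original and the backed-up copy.

```powershell
# Added example (not part of the original post): is the backup fresh, and can it be read back?
# Assumptions: $Source is the folder being backed up, $Backup is where the backup job writes,
# $MaxAgeDays is the longest acceptable gap between backups (30 = the monthly check above).
param(
    [string]$Source     = 'C:\Users\Public\Documents',
    [string]$Backup     = 'E:\Backups\Documents',
    [int]   $MaxAgeDays = 30,
    [int]   $SampleSize = 5
)

if (-not (Test-Path $Backup)) {
    Write-Warning "Backup location '$Backup' is not reachable. Is the drive connected or the share mapped?"
    exit 1
}

# 1. Freshness: when was the newest file in the backup written?
$newest = Get-ChildItem -Path $Backup -Recurse -File -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $newest) {
    Write-Warning "No files found under '$Backup'. The backup job has never written here."
    exit 1
}
$ageDays = [int]((Get-Date) - $newest.LastWriteTime).TotalDays
if ($ageDays -gt $MaxAgeDays) {
    Write-Warning "Newest backup file is $ageDays days old (limit $MaxAgeDays): $($newest.FullName)"
} else {
    Write-Host "Newest backup file is $ageDays days old: $($newest.FullName)"
}

# 2. Test restore: take a few recently changed source files and confirm the copy in the
#    backup is byte-for-byte identical. A backup you cannot read back is not a backup.
$mismatch = 0
Get-ChildItem -Path $Source -Recurse -File |
    Sort-Object LastWriteTime -Descending | Select-Object -First $SampleSize |
    ForEach-Object {
        $relative = $_.FullName.Substring($Source.Length).TrimStart('\')
        $copy = Join-Path $Backup $relative
        if (-not (Test-Path $copy)) {
            Write-Warning "Missing from backup: $relative"; $mismatch++; return
        }
        $a = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $b = (Get-FileHash -Path $copy       -Algorithm SHA256).Hash
        if ($a -ne $b) {
            Write-Warning "Content differs (backup stale or corrupt): $relative"; $mismatch++
        } else {
            Write-Host "OK: $relative"
        }
    }
if ($mismatch -eq 0) { Write-Host "Spot-check passed ($SampleSize files)." }
```

Run it from a scheduled task or by hand once a month and act on any warning. One caveat worth remembering when you set up the backup location: if the backup drive is always plugged in or always mapped, it is reachable by whatever runs on the PC, including ransomware; keep at least one copy disconnected or otherwise out of the logged-in user’s reach.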
CryptoLocker is a Trojan horse which surfaced in late 2013, a form of ransomware targeting computers running Microsoft Windows. It arrives disguised as a legitimate attachment; when run, the malware encrypts certain types of files stored on local and mapped network drives using a 2048-bit RSA public key generated for that victim (each file’s contents are encrypted with a symmetric key, and that key is in turn encrypted with the RSA public key), with the matching private key held only on the malware’s control servers. The malware then displays a message which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid voucher) is made by a stated deadline, and says that the private key will be deleted and unavailable for recovery if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware’s operators, for a significantly higher price in Bitcoin.
Although CryptoLocker itself is readily removed, the files remain encrypted in a way that researchers consider infeasible to break. Many say the ransom should not be paid but offer no way to recover the files; others say that paying the ransom is the only way to recover files that were not backed up.
CryptoLocker typically propagates as an attachment to a seemingly innocuous e-mail (usually made to look like a legitimate company e-mail), or is dropped by a botnet. The attached ZIP file contains an executable whose filename and icon are disguised as a PDF, taking advantage of Windows’ default behaviour of hiding known file extensions so that the real .EXE extension is never shown. Some instances actually contain the Zeus trojan instead, which in turn installs CryptoLocker. When first run, the payload copies itself into the user’s profile (the Documents and Settings folder) under a random name and adds a Run key to the registry so that it starts again at every logon. It then attempts to contact one of several designated command and control servers; once connected, the server generates a 2048-bit RSA key pair and sends the public key back to the infected computer. The server contacted may be a local proxy that relays through others, frequently relocated to different countries to make tracing difficult.
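Two things in that description are easy to check on any Windows PC: whether Explorer is hiding known file extensions (the setting that lets a file called invoice.pdf.exe show up as “invoice.pdf”), and what is set to run at logon. The script below is an added example, not part of the original post; the registry paths are the standard Explorer and Run locations, and the idea of flagging auto-run entries that point into the user’s profile folders is my own heuristic, not a detection rule for CryptoLocker specifically.

```powershell
# Added example (not part of the original post): show hidden extensions, then list logon auto-runs.
# 1. Explorer's "hide extensions for known file types" setting (HideFileExt: 1 = hidden, 0 = shown).
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -ne 0) {
    Write-Warning "Known file extensions are hidden (so invoice.pdf.exe displays as invoice.pdf). Turning that off."
    Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
    # Explorer picks the change up after you sign out and back in (or restart explorer.exe).
} else {
    Write-Host "File extensions are already shown."
}

# 2. Logon persistence locations used by a lot of commodity malware, CryptoLocker included.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Heuristic (an assumption, not a signature): an auto-run command that points into the
# user's own profile (AppData, Temp, the profile root) with a random-looking name deserves a look,
# because that is where a payload dropped from an e-mail attachment can write without admin rights.
$profileDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) | Where-Object { $_ }

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider metadata (PSPath, PSDrive, ...)
        $cmd = [string]$p.Value
        $suspect = $profileDirs | Where-Object { $cmd -like "*$_*" }
        $flag = if ($suspect) { 'CHECK' } else { 'ok   ' }
        "{0} {1}\{2} = {3}" -f $flag, $key, $p.Name, $cmd
    }
}
```

Entries marked CHECK are not automatically malicious (some legitimate updaters install themselves under AppData too), but every one of them should be something you recognise. The HKLM keys and the Set-ItemProperty call need to be run as the affected user; writing HKLM values would need an elevated prompt, which this script does not attempt.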
The payload then encrypts files across local hard drives and mapped network drives with the public key, logging each encrypted file to a registry key. Only data files with certain extensions are encrypted, including Microsoft Office, OpenDocument and other documents, pictures, and AutoCAD files. The payload then displays a message informing the user that their files have been encrypted and demands a payment of 300 USD or EUR through an anonymous pre-paid cash voucher (e.g. MoneyPak or Ukash), or 2 Bitcoin, to decrypt the files. The payment must be made within 72 or 100 hours, or else the private key on the server will be destroyed and “nobody and never [sic] will be able to restore files.” Paying the ransom allows the user to download a decryption program pre-loaded with the user’s private key. Note that “mapped network drives” includes a backup share or external drive that is permanently connected: it is reachable in exactly the same way as the originals and can be encrypted along with them, which is why at least one backup copy should be kept offline.
In November 2013, the operators of CryptoLocker launched an online service that claimed to let users decrypt their files without the CryptoLocker program, and to purchase the decryption key after the deadline had expired; the process involves uploading an encrypted file to the malware site as a sample and waiting for the service to find a match, which the site claimed would occur within 24 hours. Once a match is found, the user can pay for the key online; if the 72-hour deadline has passed, the cost increases to 10 Bitcoin (which, in early November 2013, was valued at over 3,500 USD).
At A2Z Computer Services, we implement the latest in security technology and offer local and offsite backups to help protect our customers from threats such as these. For more information, please contact Todd Sanders at (270) 830-9590.