Feeds

Fiendish CryptoLocker ransomware: Whatever you do, don't PAY

Create remote backups before infection, advise infosec bods

Internet Security Threat Report 2014

Vid A fiendishly nasty strain of Windows malware that uses advanced encryption to lock up user files before demanding a ransom is doing the rounds.

CryptoLocker, which first surfaced early last month, leaves users in danger of losing important files forever unless they pay up. Typically the crooks relieve them of around $300 (£185).

The malware initially spreads through botnets or as an infected attachment of phishing messages. For example, CryptoLocker appeared in attachments to supposed customer complaint emails sent to firms last month, as an advisory note from security firm Emsisoft explains in greater depth.

More recently CryptoLocker has been spreading as a secondary infection through the infamous ZeuS botnet. If successful, CryptoLocker will encrypt users' files using asymmetric encryption, featuring a public and private key pair. The public key is used to encrypt and verify data, while the private key is used for decryption.

The malware encrypts a wide variety of file types on compromised Windows PCs before displaying a ransom message demanding payment within by a fixed deadline, that typically falls within three or four days from the date of infection. Payment is demanded in the form of anonymous prepaid cash services such as MoneyPak, Ukash, cashU or through the Bitcoin digital currency.

Jonathan, a Reg reader who runs a remote IT support business, described the ransomware as the most destructive virus he'd come across in more than 10 years in the business.

"One of my clients has been infected with a new ransomware virus called CryptoLocker," he told El Reg. "This is the most destructive virus that I have seen in 13 years because it encrypts .doc, .xls, .jpg, and .dwg files, even via network shares."

"The virus appears to be spread in the UK via emails purporting to come from Companies House. There is no known decryption as yet, other than paying the $300 ransom," he added.

Decryption is difficult, if not impossible, unless a victim has access to the private key stored on the cybercriminals' server. Victims are told they need to hand over $300 to cybercrooks to obtain access to the private key within three or four days. Failure to act means the files are locked up in a vault that is fiendishly difficult to break into, perhaps meaning the scrambled files will be lost forever.

CryptoLocker is similar is some ways to other forms of ransomware, such as the Reveton police Trojan, but it's far more sophisticated in its construction and aggressive in its demands.

The necessary decryption key is never left lying around on host machines. CryptoLocker phones home to a command-and-control server to obtain a public RSA key before it begins the task of silently encrypting files on compromised machines. The same command server also hosts the private key.

Malware that encrypts your data and tries to sell it back to you is not new. As net security firm Sophos points out, CryptLocker chiefly differs because it uses industry-standard cryptography for malign purposes.

"SophosLabs has received a large number of scrambled documents via the Sophos sample submission system," Sophos explains in a blog post.

"These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption, and that we can help them get their files back,” adds the firm. “But as far as we can see, there's no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble."

A video from SophosLab showing the malware in action can be found on the next page. Victims receive little or no indication of problems on an infected machine while the malware is encrypting files in the background.

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.