Feeds

Fiendish CryptoLocker ransomware: Whatever you do, don't PAY

Create remote backups before infection, advise infosec bods

5 things you didn’t know about cloud backup

Vid A fiendishly nasty strain of Windows malware that uses advanced encryption to lock up user files before demanding a ransom is doing the rounds.

CryptoLocker, which first surfaced early last month, leaves users in danger of losing important files forever unless they pay up. Typically the crooks relieve them of around $300 (£185).

The malware initially spreads through botnets or as an infected attachment of phishing messages. For example, CryptoLocker appeared in attachments to supposed customer complaint emails sent to firms last month, as an advisory note from security firm Emsisoft explains in greater depth.

More recently CryptoLocker has been spreading as a secondary infection through the infamous ZeuS botnet. If successful, CryptoLocker will encrypt users' files using asymmetric encryption, featuring a public and private key pair. The public key is used to encrypt and verify data, while the private key is used for decryption.

The malware encrypts a wide variety of file types on compromised Windows PCs before displaying a ransom message demanding payment within by a fixed deadline, that typically falls within three or four days from the date of infection. Payment is demanded in the form of anonymous prepaid cash services such as MoneyPak, Ukash, cashU or through the Bitcoin digital currency.

Jonathan, a Reg reader who runs a remote IT support business, described the ransomware as the most destructive virus he'd come across in more than 10 years in the business.

"One of my clients has been infected with a new ransomware virus called CryptoLocker," he told El Reg. "This is the most destructive virus that I have seen in 13 years because it encrypts .doc, .xls, .jpg, and .dwg files, even via network shares."

"The virus appears to be spread in the UK via emails purporting to come from Companies House. There is no known decryption as yet, other than paying the $300 ransom," he added.

Decryption is difficult, if not impossible, unless a victim has access to the private key stored on the cybercriminals' server. Victims are told they need to hand over $300 to cybercrooks to obtain access to the private key within three or four days. Failure to act means the files are locked up in a vault that is fiendishly difficult to break into, perhaps meaning the scrambled files will be lost forever.

CryptoLocker is similar is some ways to other forms of ransomware, such as the Reveton police Trojan, but it's far more sophisticated in its construction and aggressive in its demands.

The necessary decryption key is never left lying around on host machines. CryptoLocker phones home to a command-and-control server to obtain a public RSA key before it begins the task of silently encrypting files on compromised machines. The same command server also hosts the private key.

Malware that encrypts your data and tries to sell it back to you is not new. As net security firm Sophos points out, CryptLocker chiefly differs because it uses industry-standard cryptography for malign purposes.

"SophosLabs has received a large number of scrambled documents via the Sophos sample submission system," Sophos explains in a blog post.

"These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption, and that we can help them get their files back,” adds the firm. “But as far as we can see, there's no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble."

A video from SophosLab showing the malware in action can be found on the next page. Victims receive little or no indication of problems on an infected machine while the malware is encrypting files in the background.

Secure remote control for conventional and virtual desktops

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.