Feeds

Fiendish CryptoLocker ransomware: Whatever you do, don't PAY

Create remote backups before infection, advise infosec bods

Choosing a cloud hosting partner with confidence

Vid A fiendishly nasty strain of Windows malware that uses advanced encryption to lock up user files before demanding a ransom is doing the rounds.

CryptoLocker, which first surfaced early last month, leaves users in danger of losing important files forever unless they pay up. Typically the crooks relieve them of around $300 (£185).

The malware initially spreads through botnets or as an infected attachment of phishing messages. For example, CryptoLocker appeared in attachments to supposed customer complaint emails sent to firms last month, as an advisory note from security firm Emsisoft explains in greater depth.

More recently CryptoLocker has been spreading as a secondary infection through the infamous ZeuS botnet. If successful, CryptoLocker will encrypt users' files using asymmetric encryption, featuring a public and private key pair. The public key is used to encrypt and verify data, while the private key is used for decryption.

The malware encrypts a wide variety of file types on compromised Windows PCs before displaying a ransom message demanding payment within by a fixed deadline, that typically falls within three or four days from the date of infection. Payment is demanded in the form of anonymous prepaid cash services such as MoneyPak, Ukash, cashU or through the Bitcoin digital currency.

Jonathan, a Reg reader who runs a remote IT support business, described the ransomware as the most destructive virus he'd come across in more than 10 years in the business.

"One of my clients has been infected with a new ransomware virus called CryptoLocker," he told El Reg. "This is the most destructive virus that I have seen in 13 years because it encrypts .doc, .xls, .jpg, and .dwg files, even via network shares."

"The virus appears to be spread in the UK via emails purporting to come from Companies House. There is no known decryption as yet, other than paying the $300 ransom," he added.

Decryption is difficult, if not impossible, unless a victim has access to the private key stored on the cybercriminals' server. Victims are told they need to hand over $300 to cybercrooks to obtain access to the private key within three or four days. Failure to act means the files are locked up in a vault that is fiendishly difficult to break into, perhaps meaning the scrambled files will be lost forever.

CryptoLocker is similar is some ways to other forms of ransomware, such as the Reveton police Trojan, but it's far more sophisticated in its construction and aggressive in its demands.

The necessary decryption key is never left lying around on host machines. CryptoLocker phones home to a command-and-control server to obtain a public RSA key before it begins the task of silently encrypting files on compromised machines. The same command server also hosts the private key.

Malware that encrypts your data and tries to sell it back to you is not new. As net security firm Sophos points out, CryptLocker chiefly differs because it uses industry-standard cryptography for malign purposes.

"SophosLabs has received a large number of scrambled documents via the Sophos sample submission system," Sophos explains in a blog post.

"These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption, and that we can help them get their files back,” adds the firm. “But as far as we can see, there's no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble."

A video from SophosLab showing the malware in action can be found on the next page. Victims receive little or no indication of problems on an infected machine while the malware is encrypting files in the background.

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.