CryptoLocker Update - Technibble

Guest Contribution by Ken Dwight – The Virus Doctor:
In October of last year I wrote about what was then the newest and most widespread malware infecting computers worldwide, known as CryptoLocker. At the time I referred to it as “Game-Changing Malware.” You may read that blog post here: http://www.thevirusdoc.com/blog/cryptolocker-game-changing-malware.

There have been quite a few developments along these lines since then, and this type of malware has become one of the most destructive threats of all time. Most of those developments are bad news, but there is also a ray of good news for some victims of a CryptoLocker infection. First, here is a review of the evolution of encrypting ransomware over the past 11 months.

Evolution of encrypting ransomware, September, 2013 – August, 2014

Just about the time the original CryptoLocker was starting to make a significant impact (and a lot of money for its authors), a variation appeared that looked very much like the original. The infection methods were the same, the encryption appeared to work the same way, and the ransom message that showed up on the infected computer was almost identical. There were only two obvious differences.

The original CryptoLocker initially set a price of $100 for the decryption key; this imitator demanded $300. But by that time the original authors had also raised their price to the same $300. The original gave the victim two options for paying the ransom – either a MoneyPak non-refundable debit card or payment in Bitcoin; the imitator would only accept payment via Bitcoin.

But on closer analysis, several anti-virus vendors determined that this imitator was most likely produced by a different programmer or, more likely, a different programming team. It was written in a different programming language from the original, and many other differences became apparent when the two programs were disassembled and compared.

Since then, at least 6 similar programs have been released into the wild with a CryptoLocker-type payload. These are known generically as encrypting ransomware, and they continue to spread and evolve into even more sophisticated threats. Most of these variants are clearly distinct programs, produced by different programming groups, each with its own twist on the distribution method, the payment amount and payment mechanism, and the message that is displayed after the user’s data files have been encrypted.

These are the names that have surfaced to date:

  • CryptoLocker
  • CryptoLocker II (my name for the original imitator, referenced above)
  • PrisonLocker, aka PowerLocker
  • CryptoDefense
  • CryptorBit
  • CryptoWall
  • CTB Locker, aka Critroni
  • TorLocker

Infection vectors

Unfortunately, the way this category of malware spreads makes it difficult for traditional, signature-based anti-virus and anti-spyware programs to detect it and block it from installing on computers running any version of Windows. At a minimum, a full Internet Security Suite is necessary to give most users even marginally adequate protection.

Most of these infections are contracted in the usual way: the user opens an e-mail attachment that launches the malware. These attachments are most typically .pdf or .zip files, but they may be .exe or .com files, or some other file type that would normally be considered benign. Keep in mind that a .zip is only a container; the executable inside it is what actually runs when the user double-clicks it, and its name is often chosen to look like a document.

The subject of these e-mail messages may be a failed-delivery notification that appears to come from the Post Office, UPS, DHL, or FedEx; others claim the attachment is a recorded voicemail message, or give some other legitimate-sounding reason the user should open it. As always, user behavior plays a pivotal role in the infection sequence, so user training and security awareness can reduce the likelihood of infection.

As with so many other infections in the past few years, this malware sometimes arrives as a “drive-by download,” triggered when the user is sent to a compromised web site or clicks on a malicious link in an e-mail message. This route takes advantage of known vulnerabilities in ancillary programs such as Java, Adobe Reader, and Flash, so it is more important than ever to keep those programs up to date, along with Windows itself and every other installed application. We must assume that Windows XP is more vulnerable to these infections than newer versions of Windows, since Microsoft no longer issues updates for that operating system.
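
As an added example (editor's code, not from the article or any vendor it names), here is how a mail gateway or a technician can triage the attachments described above before a user opens them. It parses a message with Python's standard library, looks inside any .zip attachment in memory, and flags executable extensions, “Delivery_Notice.pdf.exe”-style double extensions, archives nested several layers deep, and files whose first bytes do not match the type their name claims. The extension sets, the magic bytes, the size and depth limits and the sample courier message are all constructed for the example.

```python
"""Triage a lure e-mail's attachments before anyone double-clicks.

Added example (editor's code, not from the article or any vendor it names):
parse an RFC 822 message with the standard library, open .zip attachments in
memory, and flag executable extensions, "notice.pdf.exe" double extensions,
deep nesting, and headers that contradict the claimed type. The extension
sets, magic bytes and sample courier message are assumptions for the demo.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".jar", ".msi"}     # what Windows runs on a click
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".exe": b"MZ"}
MAX_ZIP_DEPTH = 3
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate archive bombs in memory


def extensions(name):
    """'dir\\Delivery_Notice.PDF.exe' -> ['.pdf', '.exe']."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + part for part in base.split(".")[1:]]


def check_file(name, data, where):
    """Findings for one file name plus its bytes, as (where, name, reason) tuples."""
    exts = extensions(name)
    findings = []
    if not exts:
        return findings
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        findings.append((where, name, "executable extension " + last))
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            findings.append((where, name, "double extension: executable posing as " + exts[-2]))
    if last in MAGIC and not data.startswith(MAGIC[last]):
        findings.append((where, name, "content does not match claimed type " + last))
    return findings


def scan_zip(data, where, depth=1):
    """Walk an archive held in memory, recursing into nested archives."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(where, where, "named .zip but not a valid archive")]
    findings = []
    for info in archive.infolist():
        if info.is_dir():
            continue
        if info.file_size > MAX_MEMBER_BYTES:
            findings.append((where, info.filename, "member too large to inspect"))
            continue
        member = archive.read(info)
        findings += check_file(info.filename, member, where)
        if extensions(info.filename)[-1:] == [".zip"]:
            if depth >= MAX_ZIP_DEPTH:
                findings.append((where, info.filename, "archive nested deeper than %d" % MAX_ZIP_DEPTH))
            else:
                findings += scan_zip(member, where + "!" + info.filename, depth + 1)
    return findings


def triage_message(raw):
    """Parse raw message bytes; return every (location, filename, reason) finding."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        findings += check_file(name, data, "attachment")
        if extensions(name)[-1:] == [".zip"] or data.startswith(b"PK\x03\x04"):
            findings += scan_zip(data, name)       # look inside even if the name lies
    return findings


def build_sample_eml(member_name="Delivery_Notice.pdf.exe"):
    """Constructed sample: a fake courier notice with one .zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        body = (b"MZ" + b"\x00" * 62) if member_name.endswith(".exe") else b"%PDF-1.4 sample"
        archive.writestr(member_name, body)
    msg = EmailMessage()
    msg["From"] = "tracking@courier.example"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Failed delivery notification"
    msg.set_content("Your parcel could not be delivered. Open the attached notice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Delivery_Notice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_eml()):
        print(finding)
```

The findings come back as (location, filename, reason) tuples rather than a single verdict, so a gateway can quarantine on any executable finding while an analyst still sees why. Two caveats a practitioner wants: the extension list must track whatever Windows will actually run on your systems, and archive members are read fully into memory, which is why the member-size cap exists.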

Protection against these threats

As a direct response to these attacks, at least three software vendors have created products specifically designed to block infection by this type of malware. Some are offered free of charge, while others carry a nominal cost. These programs are designed to coexist with installed anti-virus or Internet Security programs, but they may conflict with one another. So, choose one:

  • The first entrant in this category was CryptoPrevent, from Foolish IT (www.foolishit.com), the creators of the D7 software suite. It works by applying Windows software-restriction policies that stop executables launching from the folders this malware drops into, rather than by running a resident scanner. The original version is still free, but they now also offer a Premium Edition, with additional features and capabilities, for $15.00 U.S. for a permanent license.
  • Another long-established, reputable vendor of anti-malware software, Malwarebytes (www.malwarebytes.org), offers Malwarebytes Anti-Exploit, which takes a different approach: rather than watching for the ransomware itself, it hardens browsers, Java, PDF readers and similar programs against the drive-by exploits described above. They offer a free version and a Premium Edition, which provides additional protection and will protect up to three computers, for $24.95 U.S. per year. Note that Malwarebytes positions its Anti-Malware product (the paid version), not Anti-Exploit, as the one that detects CryptoLocker itself; see the comments below.
  • The other entrant in this arena is SurfRight (www.surfright.nl), the producers of HitmanPro. Their free program, HitmanPro.Alert, was originally intended to block banking Trojans and similar attacks that compromise the computer’s web browsers. This program has been updated to include CryptoGuard, specifically to protect against encrypting ransomware.

The latest variant of malware in this category, CTB Locker (or Critroni), was just released in mid-July, 2014. Although the end result is similar to the other variants discussed here, this infection is more sophisticated and different enough that it may not be detected or blocked by the products listed above. The author of CryptoPrevent tells me that Version 6.x (and later) does protect against the known variants of CTB Locker, but only through detection of its signature. At this point he cannot guarantee that future variants of CTB Locker will be detected, especially in the first few days after they are released. I have not received a response from either of the other listed vendors with regard to their handling of CTB Locker.

Encrypting ransomware on other (non-Windows) platforms

To wrap up the “bad news” aspect of this update, there is another recent development in the field of encrypting ransomware: the spread of these attacks to additional hardware platforms beyond the Windows operating systems. A popular Network-Attached Storage (NAS) system is now being targeted (the attacks on Synology devices known as SynoLocker), as are smartphones and tablets running the Android operating system (the Simplocker family).

Apple users seem to be immune to this category of malware thus far. I have heard no reports of Macs, iPads or iPhones being targeted for CryptoLocker-type attacks. That’s not to say it couldn’t (or won’t) happen, but as far as I know it hasn’t been an issue yet.

The good news

Early in this article I promised a ray of good news, so here it is. In a recent development (August 6, 2014), two software vendors announced jointly that they have developed a program that may be able to decrypt files that were encrypted by the original CryptoLocker. They are offering this program free of charge to anyone who still has those encrypted files and wants to recover them.

The companies are FireEye (www.fireeye.com), of Milpitas, California, USA and Fox-IT (www.fox-it.com), of Delft, The Netherlands. It’s important to note that these companies do not claim to have “cracked the code” to decrypt these files; rather, they gained access to some of the servers that contained the private keys used by the original CryptoLocker infection.

Through some clever detective work and reverse-engineering, they developed a program (DecryptCryptoLocker) that may be used to decrypt these encrypted files. While there is a good chance this program will let you recover these files, it is not a “silver bullet.” Here are some possible obstacles that may prevent it from working in specific cases:

  • The procedure is only known to work on the original CryptoLocker infections; it could apply to later variants and imitators, but I would consider that to be unlikely
  • There is no guarantee that the servers accessed by FireEye and Fox-IT contained all of the private keys used by the CryptoLocker authors
  • The original CryptoLocker was effectively brought down in late May, 2014; any infections since that date are unlikely to use the same set of private keys

Even so, this procedure is a welcome piece of good news and a significant win by the good guys! FireEye and Fox-IT deserve a lot of credit for the great work they devoted to this solution. And if you still have encrypted files you need to recover, it’s definitely worth the effort to try the procedure and see whether it works for you.
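
To make concrete why recovered private keys, rather than a break of the cipher, are what made DecryptCryptoLocker possible, here is an added example (editor's toy code, not the FireEye/Fox-IT tool and not CryptoLocker's actual implementation) of the hybrid scheme encrypting ransomware uses: each file is encrypted under its own random symmetric key, and that key is wrapped with an RSA public key whose private half lives only on the attacker's server. The RSA size, the SHA-256 counter keystream standing in for AES, the seeded random generator and the sample plaintext are assumptions for the demo.

```python
"""Toy model of the hybrid scheme behind encrypting ransomware.

Added example (editor's code, not CryptoLocker's or the FireEye/Fox-IT tool):
each file gets its own random key; that key is wrapped with a victim-specific
RSA public key whose private half stays on the attacker's server. Small RSA
parameters and a SHA-256 counter keystream stand in for RSA-2048/AES.
"""
import hashlib
import random

KEY_BYTES = 16
PLAINTEXT = b"Q3 budget spreadsheet contents (constructed sample data)"


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin with `rounds` random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    """Random prime with the top bit set, so p*q has the expected size."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits=256, rng=None):
    """Return ((n, e), (n, d)); the C2 server would make one pair per victim."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream(key, length):
    """SHA-256 in counter mode, standing in for AES. Never reuse a key."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return bytes(out[:length])


def encrypt_file(plaintext, public_key, rng=None):
    """Return (wrapped_key, ciphertext); the clear file key is never stored."""
    rng = rng or random.SystemRandom()
    n, e = public_key
    file_key = rng.getrandbits(8 * KEY_BYTES).to_bytes(KEY_BYTES, "big")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(file_key, len(plaintext))))
    # Textbook RSA (no OAEP): fine for a demo, unacceptable for real use.
    return pow(int.from_bytes(file_key, "big"), e, n), ciphertext


def decrypt_file(wrapped_key, ciphertext, private_key):
    """Unwrap the file key and recover the plaintext; None if the key set is wrong."""
    n, d = private_key
    unwrapped = pow(wrapped_key, d, n)
    # A private key from another victim, or from a key set the takedown never
    # reached, yields a random value that (almost surely) does not fit KEY_BYTES.
    if unwrapped >= 1 << (8 * KEY_BYTES):
        return None
    file_key = unwrapped.to_bytes(KEY_BYTES, "big")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(file_key, len(ciphertext))))


def demo(seed=2014):
    """Encrypt PLAINTEXT for one victim; try the matching key set and a different one."""
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    victim_pub, victim_priv = generate_keypair(rng=rng)
    wrapped, ciphertext = encrypt_file(PLAINTEXT, victim_pub, rng)
    _, other_priv = generate_keypair(rng=rng)  # another victim's key pair
    return decrypt_file(wrapped, ciphertext, victim_priv), decrypt_file(wrapped, ciphertext, other_priv)


if __name__ == "__main__":
    recovered, wrong_key_result = demo()
    print("with the matching private key:", recovered)
    print("with a key set from elsewhere:", wrong_key_result)
```

Run against a key set that does not match (the second key pair in demo()), the unwrapped value does not even fit the key length and decrypt_file returns None. That is the situation in the second and third bullets above: without the matching private key there is nothing to decrypt with, however good the tooling, which is why the seized keys, not clever code, are the real prize.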

I’ll be very interested in hearing of your results and any further details you may be able to provide on the process. Good luck!

Copyright © 2014 by Ken Dwight, “The Virus Doctor” Houston, Texas. All rights reserved. Ken is a Computer Consultant, Speaker, and Trainer, and Author of the IPPY Award-winning book Bug-Free Computing: Stop Viruses, Squash Worms, and Smash Trojan Horses. For information about his one-day Virus Remediation Training workshops for IT support techs, you may contact us at www.thevirusdoc.com or phone (281) 537-0252.

  • lan101 says:

    Excellent info about this. Thank you.

  • SimonT says:

    Hello !

    In the last few days I have tried “CryptoPrevent”, but my computer became unstable and incredibly slow.
    With “MalwareBytes Anti-Exploit”, on the other hand, I have not noticed any change in speed.

    I have not, however, tested the efficaciousness of the product.

    bye
    SimonT

    • vice says:

      CryptoPrevent shouldn’t cause slowness, as it changes group policies and doesn’t run in the background of your PC.

  • PC Ops says:

    Excellent write up and good info.
    Thank you!

  • Dave the Computer Man says:

    Thank you for a great article! I have a question regarding this malware. Just Thursday, I had a client who almost assuredly had a variant of this malware. I have come across this only once before, where I learned that the slowness of the computer and the multiple instances of “dllhost.exe” that were running were actually encrypting the files. I was able to clean the malware, but unlike the other time, I could not find any encrypted files! Now, I did clean it before it had finished doing its dirty work, as I did not see any of the alerts, the .txt files in every folder, etc. I looked for recently changed files (modify dates in the last 48 hours). I saw a few files that I was able to download during my cleanup efforts, as well as others that would be expected, but no others. Any ideas?
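
For the situation described in the comment above, an added example (editor's code, not from the article or the commenter) that automates the search for recently modified files and separates files that have actually been encrypted from files that are merely dense. Shannon entropy alone misfires, because .docx, .pdf, .jpg and other compressed formats are high-entropy by design; so a file is flagged only when it is high-entropy and either carries a plaintext extension or has lost the header its extension promises. Small .txt files repeated across many folders are reported separately as possible ransom notes. The thresholds, magic bytes, the sample directory tree and the note filename HOW_TO_RECOVER.txt are constructed for the example.

```python
"""Find recently modified files that look encrypted.

Added example (editor's code, not the article's or the commenter's). A file is
flagged only when it is high-entropy AND either has a plaintext extension or
has lost the header its extension promises. Thresholds, magic bytes and the
sample tree are assumptions for the demo.
"""
import hashlib
import math
import os
import tempfile
import time
from collections import Counter, defaultdict
from pathlib import Path

MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".zip": b"PK\x03\x04", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG",
         ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0"}
PLAINTEXT_EXTS = {".txt", ".csv", ".xml", ".html", ".htm", ".ini", ".log", ".rtf"}
ENTROPY_THRESHOLD = 7.5  # bits/byte; encrypted or random data sits near 8.0
SAMPLE_BYTES = 65536     # only the head of each file is read
NOTE_MAX_BYTES = 4096    # ransom notes are small text files...
NOTE_MIN_DIRS = 3        # ...dropped into many folders


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path):
    """Return (flagged, entropy) for one file."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    ext = path.suffix.lower()
    entropy = shannon_entropy(head)
    if entropy < ENTROPY_THRESHOLD:
        return False, entropy
    if ext in MAGIC:                    # dense by design: trust the header
        return not head.startswith(MAGIC[ext]), entropy
    return ext in PLAINTEXT_EXTS, entropy  # unknown dense types (video, 7z) are left alone


def scan(root, hours=48, now=None):
    """Return (suspects, notes): [(relative_path, entropy)] and {note_name: folder_count}."""
    root = Path(root)
    cutoff = (time.time() if now is None else now) - hours * 3600
    suspects, note_dirs = [], defaultdict(set)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        if st.st_mtime < cutoff:
            continue
        if path.suffix.lower() == ".txt" and st.st_size <= NOTE_MAX_BYTES:
            note_dirs[path.name.lower()].add(path.parent)
        flagged, entropy = looks_encrypted(path)
        if flagged:
            suspects.append((path.relative_to(root).as_posix(), round(entropy, 2)))
    notes = {name: len(dirs) for name, dirs in note_dirs.items() if len(dirs) >= NOTE_MIN_DIRS}
    return sorted(suspects), notes


def _dense_bytes(n, seed):
    """Deterministic high-entropy bytes standing in for ciphertext (constructed data)."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return bytes(out[:n])


def make_sample_tree(root):
    """Constructed sample: intact files, two overwritten ones, a repeated note, one old file."""
    root = Path(root)
    files = {
        "docs/report.docx": b"PK\x03\x04" + b"\x00" * 4096,                # intact
        "docs/budget.xlsx": _dense_bytes(8192, b"a"),                      # header gone: flag
        "docs/todo.txt": _dense_bytes(8192, b"b"),                         # text gone dense: flag
        "photos/holiday.jpg": b"\xff\xd8\xff" + _dense_bytes(8189, b"c"),  # dense but genuine
        "old/archive.xlsx": _dense_bytes(8192, b"d"),                      # suspicious but old
    }
    for folder in ("docs", "photos", "old"):
        files[folder + "/HOW_TO_RECOVER.txt"] = b"Your files were encrypted. Pay for the key.\n"
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    old = time.time() - 10 * 24 * 3600
    os.utime(root / "old" / "archive.xlsx", (old, old))
    return root


def demo(hours=48):
    """Build the sample tree in a fresh temp directory and scan it."""
    root = make_sample_tree(tempfile.mkdtemp())
    suspects, notes = scan(root, hours=hours)
    return root, suspects, notes


if __name__ == "__main__":
    _, suspects, notes = demo()
    for rel, entropy in suspects:
        print("suspect %-20s entropy %.2f" % (rel, entropy))
    print("possible ransom notes:", notes)
```

Two caveats: the modification-time window only catches what the malware had reached before it was stopped, which is consistent with finding nothing when the cleanup happened early, and the header check depends on the malware overwriting the whole file; a variant that leaves the original header intact would need the entropy of the file body, not its head, to be measured.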

  • daniel tennessee says:

    My shop has made it a point to install foolishit.com CryptoPrevent on every computer that enters our shop. With this and a series of other freeware programs, we are pretty confident that they are protected from CryptoLocker and many other attacks on the net today.

    Also, this can be a slow process, but it can help recover from a disaster.
    https://www.decryptcryptolocker.com/

  • Curt Esser says:

    This article needs a correction. I asked Malwarebytes “Does Malwarebytes Anti-Exploit block this new crypto ransomware?” Their response: “Malwarebytes Anti-Malware (not Anti-Exploit) protects against Cryptolocker. More info here: http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/ .” (Paid / premium version, not the free version.)

  • Curt Esser says:

    Unless you buy the Premium version, CryptoPrevent needs to be updated on a regular basis.
