Cryptolocker crooks offer victims a second chance

Posted on 04.11.2013

The criminals behind Cryptolocker, the destructive ransomware that has lately been targeting mostly US and UK PC users, are trying to earn more money by offering users who have initially decided not to pay to have their files decrypted a chance to change their mind.

As you might remember, Cryptolocker is aimed at organisations instead of home users, as it encrypts files most likely to be crucial for organisations, such as office files, digital certificate files, AutoCAD files, etc., and the email campaigns delivering it support that theory.

"For each file matching one of these patterns, the malware will generate a new 256 bit AES key. This key will then be used to encrypt the content of the file using the AES algorithm," the researchers explained when the malware was first discovered.


"The AES key is then encrypted using the unique RSA public key obtained earlier. Both the RSA encrypted AES key, as well as the AES encrypted file content together with some additional header information are then written back to the file. Last but not least the malware will log the encryption of the file within the HKEY_CURRENT_USER\Software\CryptoLocker\Files registry key. This key is later used by the malware to present the list of encrypted files to the user and to speed up decryption."



Unfortunately for the users, the RSA public key created for their system is only known to the attackers, as it’s stored on the C&C server the malware uploaded it to, and the users are asked to pay 300 dollars/euros (or 2 Bitcoins) in order to receive it. The offer usually stands for 72 hours, after which, the crooks claim, the key is deleted forever.



But, according to Paul Ducklin, that might have been an empty threat, as the crooks have now set up a CryptoLocker Decryption Service where victims can upload one of their encrypted files and wait for the criminals to notify them if their key can be found. If it can, the user will have to pay an even greater price: 10 Bitcoins (currently around $2,220).

Whether this “service” actually works, and whether the crooks will send the key if the victim decides to pay, is unknown. The best mitigation against the adverse effects Cryptolocker and ransomware in general can have on your computer is still to regularly update your critical files.



SOURCE: https://www.net-security.org/malware_news.php?id=2616





How To Avoid CryptoLocker Ransomware


Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from “CryptoLocker,” the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.



A CryptoLocker prompt and countdown clock.

Image: Malwarebytes.org


According to reports from security firms, CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious Web sites by exploiting outdated browser plugins.


The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand, which can range from $100 to $300 (and payable only in Bitcoins).


File-encrypting malware is hardly new. This sort of diabolical threat has been around in various incarnations for years, but it seems to have intensified in recent months. For years, security experts have emphasized the importance of backing up one’s files as a hedge against disaster in the wake of a malware infestation. Unfortunately, if your backup drives are connected physically or via the local network to the PC that gets infected with CryptoLocker, your backups may be encrypted as well.


Computers infected with CryptoLocker may initially show no outward signs of infection; this is because it often takes many hours for the malware to encrypt all of the files on the victim’s PC and attached or networked drives. When that process is complete, however, the malware will display a pop-up message similar to the one pictured above, complete with a countdown timer that gives victims a short window of time in which to decide whether to pay the ransom or lose access to the files forever.


Fortunately, there are a couple of simple and free tools that system administrators and regular home users can use to minimize the threat from CryptoLocker malware. A team of coders and administrators from enterprise consulting firm thirdtier.net have released the CryptoLocker Prevention Kit – a comprehensive set of group policies that can be used to block CryptoLocker infections across a domain. The set of instructions that accompanies this free toolkit is comprehensive and well documented, and the group policies appear to be quite effective.


Continue reading →




heh ...

I just sent the two links to an acquaintance (I used his personal and business email accounts).

About two years ago he had an employee with an "I'll do anything I want to on a business-owned computer" attitude (had been warned a couple of times) ...

On the last go-around I got called in to remove some "stuff" and prove where it came from ... about a week later the above-mentioned employee got the ax.


As I see it, one step in avoiding this type of infection (or at least helping to minimize it) is to not allow employees to use company machines and/or time for personal use ... period.


Unfortunately for the users, the RSA public key created for their system is only known to the attackers, as it’s stored on the C&C server the malware uploaded it to

I just want to point out an error in the article.

The public key is stored in a registry entry on the infected computer. The private key is stored on the server, and is never transmitted to the infected computer. The public key is used to encrypt the files, and only the private key can be used to decrypt them. This is why CryptoLocker is a huge pain in the neck, and the reason why people without proper data backups are pretty much out of luck (unless something had enabled the Volume Shadow Copy Service to make backups, which does not run automatically).
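The per-file scheme quoted in the first post (a fresh 256-bit AES key for each file, that key wrapped with the victim-specific RSA public key, header plus wrapped key plus ciphertext written back) and the correction above about which half of the key pair sits where can be made concrete with a small Go program. This is an added example written for this thread, not CryptoLocker's code and not the researchers' code: the container layout (a "DEMO" magic, a length-prefixed wrapped key, a nonce), the choice of AES-GCM and RSA-OAEP, and the names encryptFile/decryptFile/newGCM are assumptions made for the demo. What it shows is that encryption needs only the public key, which can therefore sit on the infected machine without helping the victim, while recovering even one file needs the private key that never leaves the server.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed container layout for this demo (not CryptoLocker's real on-disk format):
//   magic(4) | wrappedKeyLen(2, little-endian) | wrappedKey | nonce | AES-GCM ciphertext+tag
var magic = []byte("DEMO")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile models the per-file step from the quoted analysis: a fresh 256-bit AES
// key per file, the content encrypted under it, that key wrapped with the RSA public
// key, and header + wrapped key + ciphertext written back. Only the public key is used.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32) // new 256-bit AES key for this one file
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	aead, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// RSA-OAEP wrap of the file key: only the matching private key can reverse it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	var lenBuf [2]byte
	binary.LittleEndian.PutUint16(lenBuf[:], uint16(len(wrapped)))
	out := append([]byte{}, magic...)
	out = append(out, lenBuf[:]...)
	out = append(out, wrapped...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, magic), nil // magic bound as associated data
}

// decryptFile is the step only the private-key holder (the C&C side) can perform:
// unwrap the per-file AES key, then decrypt. Any other private key fails at the unwrap.
func decryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < len(magic)+2 || !bytes.Equal(blob[:len(magic)], magic) {
		return nil, errors.New("not a file encrypted by this scheme")
	}
	wlen := int(binary.LittleEndian.Uint16(blob[len(magic):]))
	rest := blob[len(magic)+2:]
	if len(rest) < wlen {
		return nil, errors.New("truncated file")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rest[:wlen], nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	aead, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nl := aead.NonceSize()
	if len(rest) < wlen+nl {
		return nil, errors.New("truncated file")
	}
	return aead.Open(nil, rest[wlen:wlen+nl], rest[wlen+nl:], magic)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // key pair lives on the attacker side
	if err != nil {
		panic(err)
	}
	sample := []byte("constructed sample: contents of a spreadsheet") // constructed input
	blob, err := encryptFile(&priv.PublicKey, sample)                // victim side: public key only
	if err != nil {
		panic(err)
	}
	got, err := decryptFile(priv, blob) // server side: private key
	fmt.Printf("%d encrypted bytes; round trip with the private key ok: %v\n",
		len(blob), err == nil && bytes.Equal(got, sample))
}
```

Run it with `go run`. Hand decryptFile a second, unrelated private key and it stops at the OAEP unwrap with an error, never reaching the AES step; that is exactly the position of a victim who holds the public key in the registry but has no backup. Two encryptions of the same content also produce different bodies, since each file gets its own key and nonce, so nothing learned from one decrypted file helps with the next.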
