
Kudos0

Video: A Very Scary Virus: CryptoLocker Is Here

Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]

Replies

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

floatingred, I've been following this and the dirtydecrypt thread. I have XP SP3, NIS 2012, FF 23.0.1, Sandboxie 3.76. Would Sandboxie prevent this, since it does not allow any changes to be made to the system? Thanks

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

floating_red, looks like a possible breakthrough has been made in retrieving files. XP users are still out of luck, I think? This virus is a real nasty. Seems like Microsoft and AV vendors need to alert users with a prompt that a program wants to encrypt their files. The bad guys are only going to refine this and I'm afraid we are going to see a lot more of this. Thanks

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

Not a virus. I wish people who reported info would get the simple things correct.

The malware targets files using the following search masks:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
The encryption used to encrypt files matching these masks is a mix of RSA and AES. Essentially the malware will generate a new AES-256 key for each file it is going to encrypt. The key is then used to encrypt the content of the file. The AES key itself is then encrypted using the public RSA key obtained from the server. The RSA-encrypted blob is then stored together with the encrypted file content inside the encrypted file. As a result encrypted files are slightly larger than their originals.

Decryption without paying the ransom is not feasible. Goodbye files. To recover the AES keys used to encrypt the files, you will require the private half of the RSA key that was generated by the server. Without access to the server, decryption is impossible.

Symantec = Trojan.Ransomcrypt.F

Quads
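
An added example, not code from the thread or from any tool it names: the search-mask list quoted above, applied with Python's fnmatch semantics to a file inventory so you can see which files CryptoLocker would touch and which it would skip. The point worth noticing is that plain JPEGs are only taken when the name is exactly eight characters (camera-style DSC_0001.jpg) or starts with img_, while certificate and key material (.pem, .pfx, .p12) is always taken. The inventory below is constructed for the demonstration.

```python
import fnmatch
import ntpath
import re

# The search masks exactly as listed in the thread. Windows name matching is
# case-insensitive, so everything is lower-cased before comparing.
MASK_TEXT = """*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps,
*.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst,
*.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai,
*.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf,
*.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf,
*.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt,
*.pem, *.pfx, *.p12, *.p7b, *.p7c"""
MASKS = [m.strip() for m in MASK_TEXT.split(",")]

# fnmatch.translate turns each mask into an anchored regex: "*" matches any run
# of characters and "?" exactly one, so "????????.jpg" only matches names with
# eight characters before the extension.
_PATTERNS = [re.compile(fnmatch.translate(m.lower())) for m in MASKS]


def is_targeted(path):
    """True if the file name (directory part ignored) matches one of the masks."""
    # ntpath splits Windows paths correctly even when this runs on Linux.
    name = ntpath.basename(path).lower()
    return any(p.match(name) for p in _PATTERNS)


def matching_masks(path):
    """Which masks a name matches; useful when a result looks surprising."""
    name = ntpath.basename(path).lower()
    return [m for m, p in zip(MASKS, _PATTERNS) if p.match(name)]


def exposure(paths):
    """Split a file inventory into the files CryptoLocker would encrypt and the rest."""
    hit = [p for p in paths if is_targeted(p)]
    miss = [p for p in paths if not is_targeted(p)]
    return hit, miss


# Constructed inventory (not from the thread), chosen to exercise the odd masks.
SAMPLE_INVENTORY = [
    r"C:\Users\jdoe\Documents\q3_forecast.xlsx",   # *.xlsx
    r"C:\Users\jdoe\Documents\thesis.docx",        # *.docx (note *.doc alone would not match)
    r"C:\Users\jdoe\Pictures\DSC_0001.JPG",        # eight characters before .jpg
    r"C:\Users\jdoe\Pictures\IMG_20131105.jpg",    # img_*.jpg
    r"C:\Users\jdoe\Pictures\holiday.jpg",         # seven characters, no img_ prefix: skipped
    r"C:\Users\jdoe\Desktop\notes.txt",            # not in the list
    r"C:\Users\jdoe\.ssh\server.key",              # not in the list, but...
    r"C:\Users\jdoe\certs\client.pfx",             # ...PKCS#12 bundles and PEM files are
    r"\\fs01\shared\backup.zip",                   # archives are not targeted
    r"\\fs01\shared\mail\archive.pst",             # *.pst
]

if __name__ == "__main__":
    hit, miss = exposure(SAMPLE_INVENTORY)
    for p in hit:
        print(f"ENCRYPTED  {p}  via {matching_masks(p)}")
    for p in miss:
        print(f"untouched  {p}")
```

The matching here is fnmatch's; the malware calls the Win32 wildcard APIs, whose rules differ in corners (8.3 short names can make `*.doc` match a `.docx`), so treat the output as an estimate of exposure on a share, not a guarantee. The inclusion of .pem, .pfx and .p12 means any TLS or code-signing private keys sitting in a user profile are encrypted along with the documents.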

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here


Topopurim47 wrote:

floatingred,   i've been following this and the dirtydecrypt thread. i have xpsp3,nis2012,ff23.o.1,sandboxie3.76. would sandboxie prevent this since it does not allow any changes to be made to system? thanks


If you don't know what you are doing then don't touch Malware

Quads

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

quads, I don't know what I'm doing and I have no desire to even think about touching malware. That is why I asked the question. I admire your expertise in dealing with these nasties. So I ask again, would Sandboxie prevent the files from being encrypted? Thanks

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

I have given a program a go.

For the files that are encrypted, they cannot be decrypted. Say goodbye to them.

But on systems that have the Volume Shadow Copy Service running, from XP up to and including Windows 8, you can find backups of your personal files from the last date the copy service made copies of your files before you were infected and had your files encrypted.

This means that for XP and Windows 8 systems the Volume Shadow Copy Service (in Windows 8 it's called File History for the user) needs to be turned on by the user and set to Automatic well in advance of the system being infected. Windows Vista and Windows 7 have the service set to Automatic by default, but not XP and Windows 8.

Once the ransomware is broken and removed, another program allows the user to manually look through dates in the Volume Shadow Copy to find each file and then copy them.

The user may still lose files due to any gap between the last Volume Shadow Copy date and the infection time, meaning some files were not backed up in the Volume Shadow Copy, so they are gone.

Quads

Kudos2

Re: Video: A Very Scary Virus: CryptoLocker Is Here

The last message said I tried a program for the Shadow Copy etc.

Part of the Bleeping instructions, which give the program below that lets you find the backups of just the encrypted files:

Once the infection is active on your computer it will scan your drives (local & network) and encrypt the following types of files with a mix of RSA & AES encryption: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.

For each file that is encrypted, a resulting registry value will be created under this key: HKCU\Software\CryptoLocker\Files

After a while, typically as long as it takes to encrypt the detected data files, you will be shown a screen titled CryptoLocker that contains a ransom note on how to decrypt your files. Depending on the version of Cryptolocker that is installed, the ransom may be for $100 or $300 USD/EUR. This payment can be made via Bitcoin, MoneyPak, Ukash, or cashU. You will also be shown a countdown that states that you need to pay the ransom with 72 hours. Failure to do so will cause the decryption tool to be deleted from your computer.


Are there any tools that can be used to decrypt the encrypted files?

Unfortunately at this time there is no way to retrieve the key used to encrypt your files. Brute forcing the encryption key is realistically not possible due to the length of time required to break the key. Any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup, or if you have System Restore, through the Shadow Volume Copies that are created every time a system restore point is made. More information about how to restore your files via Shadow Volume Copies can be found in the next section.


How to generate a list of files that have been encrypted

If you wish to generate a list of files that have been encrypted, you can download this tool:

hxxp://download.bleepingcomputer.com/grinler/ListCrilock.exe

When you run this tool it will generate a log file that contains a list of all encrypted files. Once it has completed it will automatically open this log in Notepad.


How to restore your encrypted files from Shadow Volume Copies

If System Restore is enabled on your computer, then it is possible to restore previous versions of the encrypted files. Though these previous versions will not be encrypted, they may also not be the latest version of the file. Please note that Shadow Volume Copies, and thus Previous Versions, are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.

To restore individual files you can right-click on the file and select the Previous Versions tab. This tab will list all copies of this file that have been stored in a Shadow Volume Copy. You can then select an earlier version and restore it.

Due to the amount of files encrypted by Cryptolocker, restoring them one-by-one can be a time consuming and arduous task. Instead you can use a program called Shadow Explorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.

When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.



To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.


Information about other malware that are being installed with Cryptolocker.

When CryptoLocker was first released, it was being distributed by itself. Newer malware attachments appear to be droppers that install other malware as well. The most common malware that is being distributed with CryptoLocker appears to be Zbot. You will know you are infected with Zbot as there will be a registry key in the form of:

HKCU\Software\Microsoft\<random>

Under these keys you will see Value names and their data with what appears at first to be garbage data (encrypted info). The droppers will also be found in the %Temp% folder and the main executable will be stored in a random folder under %AppData%. Last but not least, a startup will be created under HKCU\Software\Microsoft\Windows\Currentversion\Run to launch it.


How to determine which computer is infected with CryptoLocker on a network

On a large network, determining the computer that is infected with CryptoLocker can be difficult. Some infected users have reported that encrypted files will have their ownership changed to the user that the CryptoLocker program is running under. You can then use this login name to determine the infected computer.

You can also examine your network switches and look for the ports that have lights that are continuously blinking or show very heavy traffic. You can then use this to further narrow down what computers may be infected.


Quads
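
An added example, not part of the Bleeping guide or of Quads' posts, that turns the shadow-copy advice and the file-owner trick above into triage logic. Given the snapshot dates a `vssadmin list shadows` run reports, the files each snapshot contains (what a Shadow Explorer browse of that date shows), and the encrypted files' last-write times and NTFS owners, it works out when encryption started, which snapshots are still clean, which files have no pre-infection copy at all (the gap Quads warns about), and which account to disable first. All paths, timestamps and owners are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (none of it comes from the thread).
Q3 = r"\\fs01\finance\q3_forecast.xlsx"
DECK = r"\\fs01\finance\board_deck.pptx"
OFFER = r"\\fs01\hr\offer_letter.docx"
NEWHIRE = r"\\fs01\hr\new_hire_2013-11-21.docx"   # created after the last clean snapshot
PFX = r"\\fs01\it\ca_signing.pfx"

# Shadow-copy creation time -> files present in that snapshot.
SNAPSHOTS = {
    datetime(2013, 11, 18, 3, 0): {Q3, DECK, OFFER},
    datetime(2013, 11, 20, 3, 0): {Q3, DECK, OFFER, PFX},
    datetime(2013, 11, 22, 3, 0): {Q3, DECK, OFFER, NEWHIRE, PFX},  # taken after infection
}

# Files found encrypted on the share: (path, last-write time, NTFS owner).
# The last-write time is when the malware rewrote the file; the owner is the
# account the malware ran under, which is the attribution trick from the thread.
ENCRYPTED_FILES = [
    (Q3, datetime(2013, 11, 21, 9, 12), r"CORP\jdoe"),
    (DECK, datetime(2013, 11, 21, 9, 14), r"CORP\jdoe"),
    (OFFER, datetime(2013, 11, 21, 9, 31), r"CORP\jdoe"),
    (NEWHIRE, datetime(2013, 11, 21, 9, 33), r"CORP\jdoe"),
    (PFX, datetime(2013, 11, 21, 9, 40), r"CORP\jdoe"),
]


def infection_window(encrypted):
    """First and last encryption timestamps: the window to correlate with logon and SMB logs."""
    times = [written for _, written, _ in encrypted]
    return min(times), max(times)


def recovery_plan(encrypted, snapshots):
    """For each encrypted file, pick the newest snapshot taken before the first
    encryption that still contains it. Snapshots taken after the infection began
    hold encrypted copies and are listed separately so nobody restores from them."""
    first_hit, _ = infection_window(encrypted)
    clean = sorted(t for t in snapshots if t < first_hit)
    tainted = sorted(t for t in snapshots if t >= first_hit)
    recoverable, lost = {}, []
    for path, _, _ in encrypted:
        candidates = [t for t in clean if path in snapshots[t]]
        if candidates:
            recoverable[path] = max(candidates)
        else:
            lost.append(path)  # no pre-infection copy exists anywhere
    return {
        "first_encryption": first_hit,
        "last_clean_snapshot": clean[-1] if clean else None,
        "tainted_snapshots": tainted,
        "recoverable": recoverable,
        "lost": lost,
    }


def likely_infected_account(encrypted):
    """Most common owner of the encrypted files, i.e. the account CryptoLocker ran under."""
    owners = Counter(owner for _, _, owner in encrypted)
    return owners.most_common(1)[0][0]


if __name__ == "__main__":
    plan = recovery_plan(ENCRYPTED_FILES, SNAPSHOTS)
    print("encryption started :", plan["first_encryption"])
    print("restore from       :", plan["last_clean_snapshot"])
    print("do NOT restore from:", plan["tainted_snapshots"])
    for path, snap in plan["recoverable"].items():
        print(f"  restore {path} from {snap:%Y-%m-%d %H:%M}")
    for path in plan["lost"]:
        print(f"  LOST    {path}")
    print("disable and clean  :", likely_infected_account(ENCRYPTED_FILES))
```

Everything marked recoverable comes back as it was at the last clean snapshot, so edits made between that snapshot and the first encryption are still lost; the width of that gap is `first_encryption` minus `last_clean_snapshot`. The owner check assumes the malware ran under a normal user account; if the files all belong to an account that never logs on interactively, look at the SMB session logs for that window instead.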

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

You can also use Shadow Explorer to look for individual personal files inside the folders, like in the screenshot above. So if you know the file(s) one by one that you are looking for, you can then go about finding each file to restore instead of the whole folder. It takes longer, but that way you can target just the files you want to retrieve, whether a document, video, music, picture etc.

Quads

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

Thanks for the very helpful guide.

It's a valuable reminder of the importance of backups and that the File History/Shadow Explorer supplements that or may help those who don't practice backing up their data files .... if only because your hard drive will fail .... it's not a question of IF !

Hugh
Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

While Ransomlock Trojans have plagued the Threat Landscape over the last few years, we are now seeing Cyber-Criminals increasingly use Ransomcrypt Trojans. The difference between Ransomlock and Ransomcrypt Trojans is that Ransomlock Trojans generally Lock computer screens while Ransomcrypt Trojans Encrypt (and Locks) individual files. Both threats are motivated by monetary gains that Cyber-Criminals make from extorting money from victims.

- Blog: Ransomcrypt: A Thriving Menace

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

Note this encouraging statement on ISC

https://isc.sans.edu/forums/diary/Cryptolocker+Update+Request+for+Info/16871 

<< There are varying ways that systems become infected, at one point it was UPS/FedEx style spam, now it seems coming down with zbot and other associated tools.  At this point anti-virus has decent detection so keeping that up to date is a significant help. >>

Hugh
Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here


huwyngr wrote:

Note this encouraging statement on ISC

https://isc.sans.edu/forums/diary/Cryptolocker+Update+Request+for+Info/16871 

<< There are varying ways that systems become infected, at one point it was UPS/FedEx style spam, now it seems coming down with zbot and other associated tools.  At this point anti-virus has decent detection so keeping that up to date is a significant help. >>


Hey, Hugh,

Thanks for Posting.

I'm curious to know that, when Anti-Virus Software, e.g. Norton Internet Security, Detects and Removes this Threat, does it/should it also Remove the Encryption that this Threat uses?

-----------

Edit:

I know it says that it doesn't but it'd be nice to know what products they tested to come to the conclusion.  The encryption is linked to this Threat, so I'm also curious  to know if any Anti-Virus Products also Remove the Encryption; I know it is probably extremely un-likely...

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here


Floating_Red wrote:

huwyngr wrote:

Note this encouraging statement on ISC

https://isc.sans.edu/forums/diary/Cryptolocker+Update+Request+for+Info/16871 

<< There are varying ways that systems become infected, at one point it was UPS/FedEx style spam, now it seems coming down with zbot and other associated tools.  At this point anti-virus has decent detection so keeping that up to date is a significant help. >>


Hey, Hugh,

Thanks for Posting.

I'm curious to know that, when Anti-Virus Software, e.g. Norton Internet Security, Detects and Removes this Threat, does it/should it also Remove the Encryption that this Threat uses?

-----------

Edit:

I know it says that it doesn't but it'd be nice to know what products they tested to come to the conclusion.  The encryption is linked to this Threat, so I'm also curious  to know if any Anti-Virus Products also Remove the Encryption; I know it is probably extremely un-likely...


The answer is already in this thread and other "Cryptolocker" threads so no point in re stating what is already stated about the encryption.

ADDED:  Even the Symantec article states simply what I and others are saying, " Ransomcrypt Trojan uses strong encryption algorithms which make it almost impossible to decrypt the files without the cryptographic key."

Quads

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

There has been a renaming in the definitions from Trojan.Ransomcrypt.F to

Trojan.Cryptolocker

and heuristics detections like  Trojan.Cryptolocker!g*  (* = a number)

Quads

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

The newest dropper I have is still detected by Norton; Symantec is keeping up with the droppers I get. Detected under its new detection name (last message above).

But this time fewer AVs detect the dropper.

Quads

Kudos1

Re: Video: A Very Scary Virus: CryptoLocker Is Here

The latest beta version of HMP Alert is now Norton compatible.

Message Number #946


Finally we've added compatibility with Norton 360 and Norton Internet Security (a restart might be needed after installing Alert).

Checkout the full list of changes in the changelog below:

Changelog

  • ADDED: CryptoGuard for Windows File Sharing (SMB).
    Protect your file shares against rogue endpoints by simply installing Alert on the file server. Requires Windows Server 2008 R2 or newer.
  • ADDED: Alert writes remote crypto-ransomware attacks to Windows Event Log. The event data contains remote IP, local share name and the filenames under attack.
  • ADDED: CryptoGuard minifilter driver now supports oplocks (64-bit only).
  • ADDED: CryptoGuard minifilter driver now supports process and IP clustering (64-bit only).
  • ADDED: Command line switch /flyout to configure flyout during command line based installations.
  • IMPROVED: Fine-tuned CryptoGuard algorithm.
  • IMPROVED: Installer and updater write to the Windows Event Log.
  • IMPROVED: User interface now shows tiles representing Alert’s features.
  • FIXED: CryptoGuard handling JPG files.
  • FIXED: CryptoGuard working folder is cleaned up when computer shuts down.
  • FIXED: Small kernel memory leak.
  • FIXED: Alert is now compatible with Norton 360 and Norton Internet Security.
Windows 7 x64 SP1 | NSwB 22.1 | MBAM Premium | MBAE Free | HMP.A 2 | SpywareBlaster
Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

<< FIXED: Alert is now compatible with Norton 360 and Norton Internet Security. >>

Nice to know it wasn't us <g>

Hugh
Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

Zeroaccess and Cryptolocker together YUM

Working on the theory of a hole to get Cryptolocker in to machines.

Quads

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here


Quads wrote:

Zeroaccess and Cryptolocker together YUM

Working on the theory of a hole to get Cryptolocker in to machines.

Quads


Not YUM for the rest of us.

"Working on the theory of a hole to get Cryptolocker in to machines."

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

In 2009, computer scientists using classical methods were able to discover the primes within a 768-bit number, but it took almost two years and hundreds of computers to factor it. The scientists estimated that it would take 1,000 times longer to break a 1,024-bit encryption key, which is commonly used for online transactions.

Cryptolocker (original) uses RSA 2,048-bit, so that is why it is infeasible to break.

Quads
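
An added worked estimate, not from the post, of why the jump from 768 to 2048 bits is decisive. It uses the standard running-time heuristic for the general number field sieve, L_n[1/3, c] = exp(c (ln n)^(1/3) (ln ln n)^(2/3)) with c = (64/9)^(1/3), drops the o(1) term, and scales from the data point quoted above (RSA-768 took about two years on hundreds of machines). The "1,000 times longer for 1,024 bits" figure falls straight out of it; the 2,048-bit modulus CryptoLocker uses comes out roughly a trillion times harder than RSA-768.

```python
import math

# Constant in the GNFS heuristic L_n[1/3, c], c = (64/9)^(1/3) ~ 1.923.
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_log_work(bits):
    """Natural log of L_n[1/3, c] for an n of the given bit length, o(1) term dropped."""
    ln_n = bits * math.log(2)
    return GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def work_ratio(bits, baseline_bits=768):
    """How many times more work factoring a `bits`-bit modulus takes than the baseline."""
    return math.exp(gnfs_log_work(bits) - gnfs_log_work(baseline_bits))


def estimated_years(bits, baseline_bits=768, baseline_years=2.0):
    """Scale the RSA-768 data point (about two years) to another key size, same hardware."""
    return baseline_years * work_ratio(bits, baseline_bits)


if __name__ == "__main__":
    for bits in (768, 1024, 2048):
        print(f"RSA-{bits}: {work_ratio(bits):10.3g} x the RSA-768 effort, "
              f"~{estimated_years(bits):.3g} years on the same hardware")
```

The heuristic ignores constants and implementation detail, so real-world figures move by an order of magnitude either way, but the conclusion does not: factoring the server's RSA-2048 key to recover the wrapped AES keys is not a waiting game, which is why the thread keeps pointing people at backups and shadow copies instead.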

Kudos0

Re: Video: A Very Scary Virus: CryptoLocker Is Here

New pretty UI for Cryptolocker 

and

Quads