Video: A Very Scary Virus: CryptoLocker Is Here
- BLEEPINGCOMPUTER.COM: CryptoLocker Hijack Program
floating_red, looks like a possible breakthrough has been made in retrieving files. XP users are still out of luck, I think? This virus is a real nasty. Seems like Microsoft and AV vendors need to alert users with a prompt that a program wants to encrypt their files. The bad guys are only going to refine this and I'm afraid we are going to see a lot more of this. Thanks
Not a virus. I wish people who report info would get the simple things correct.
The malware targets files using the following search masks:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
The encryption used to encrypt files matching these masks is a mix of RSA and AES. Essentially the malware will generate a new AES 256 key for each file it is going to encrypt. The key is then used to encrypt the content of the file. The AES key itself is then encrypted using the public RSA key obtained from the server. The RSA encrypted blob is then stored together with the encrypted file content inside the encrypted file. As a result, encrypted files are slightly larger than their originals.
Decryption without paying the ransom is not feasible. Goodbye, files. To recover the AES keys used to encrypt the files, you will require the private half of the RSA key that was generated by the server. Without access to the server, decryption is impossible.
Symantec = Trojan.Ransomcrypt.F
Quads
Topopurim47 wrote: floatingred, i've been following this and the dirtydecrypt thread. i have XP SP3, NIS 2012, FF 23.0.1, Sandboxie 3.76. would sandboxie prevent this since it does not allow any changes to be made to the system? thanks
If you don't know what you are doing then don't touch Malware
Quads
quads, i don't know what i'm doing and i have no desire to even think about touching malware. that is why i asked the question. i admire your expertise in dealing with these nasties. so i ask again, would sandboxie prevent the files from being encrypted? thanks
I have given a program a go.
For the files that are encrypted, they cannot be decrypted. Say goodbye to them.
But with systems that have the Volume Shadow Copy Service running, from XP up to and including Windows 8, you can find backups of your personal files from the last date the copy service made copies of your files before you were infected and had your files encrypted.
This means that for XP and Windows 8 systems the Volume Shadow Copy Service (in Windows 8 it's called File History for the user) needs to be turned on by the user and set to Automatic well in advance of the system being infected. Windows Vista and Windows 7 have the service set to Automatic by default, but XP and Windows 8 do not.
Once the ransomware is broken and removed, another program allows the user to manually look through dates in the Volume Shadow Copy to find each file and then copy them.
The user may still lose files due to any gap between the last Volume Shadow Copy date and the infection time, meaning some files were not backed up in the Volume Shadow Copy, so they are gone.
Quads
The last message said I tried a program for the Shadow Copy etc.
Part of the Bleeping instructions, which give the program below that lets you find the backups of just the encrypted files:
Once the infection is active on your computer it will scan your drives (local & network) and encrypt the following types of files with a mix of RSA & AES encryption: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
For each file that is encrypted, a resulting registry value will be created under this key: HKCU\Software\CryptoLocker\Files
After a while, typically as long as it takes to encrypt the detected data files, you will be shown a screen titled CryptoLocker that contains a ransom note on how to decrypt your files. Depending on the version of Cryptolocker that is installed, the ransom may be for $100 or $300 USD/EUR. This payment can be made via Bitcoin, MoneyPak, Ukash, or cashU. You will also be shown a countdown that states that you need to pay the ransom within 72 hours. Failure to do so will cause the decryption tool to be deleted from your computer.
Are there any tools that can be used to decrypt the encrypted files?
Unfortunately at this time there is no way to retrieve the key used to encrypt your files. Brute forcing the encryption key is realistically not possible due to the length of time required to break the key. Any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup, or if you have System Restore, through the Shadow Volume Copies that are created every time a system restore is performed. More information about how to restore your files via Shadow Volume Copies can be found in the next section.
How to generate a list of files that have been encrypted
If you wish to generate a list of files that have been encrypted, you can download this tool:
hxxp://download.bleepingcomputer.com/grinler/ListCrilock.exe
When you run this tool it will generate a log file that contains a list of all encrypted files. Once it has completed it will automatically open this log in Notepad.
How to restore your encrypted files from Shadow Volume Copies
If System Restore is enabled on your computer, then it is possible to restore previous versions of the encrypted files. Though these previous versions will not be encrypted, they may also not be the latest version of the file. Please note that Shadow Volume Copies, and thus Previous Versions, are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.
To restore individual files you can right-click on the file and select the Previous Versions tab. This tab will list all copies of this file that have been stored in a Shadow Volume Copy. You can then select an earlier version and restore it.
Due to the amount of files encrypted by Cryptolocker, restoring them one-by-one can be a time consuming and arduous task. Instead you can use a program called Shadow Explorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.
When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.
To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.
Information about other malware that are being installed with Cryptolocker.
When CryptoLocker was first released, it was being distributed by itself. Newer malware attachments appear to be droppers that install other malware as well. The most common malware that is being distributed with CryptoLocker appears to be Zbot. You will know you are infected with Zbot as there will be a registry key in the form of:
HKCU\Software\Microsoft\<random>
Under these keys you will see Value names and their data with what appears at first to be garbage data (encrypted info). The droppers will also be found in the %Temp% folder and the main executable will be stored in a random folder under %AppData%. Last but not least, a startup will be created under HKCU\Software\Microsoft\Windows\Currentversion\Run to launch it.
How to determine which computer is infected with CryptoLocker on a network
On a large network, determining the computer that is infected with CryptoLocker can be difficult. Some infected users have reported that encrypted files will have their ownership changed to the user that the CryptoLocker program is running under. You can then use this login name to determine the infected computer.
You can also examine your network switches and look for the ports that have lights that are continuously blinking or show very heavy traffic. You can then use this to further narrow down what computers may be infected.
Quads
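An added example, not code from the thread and not BleepingComputer's ListCrilock tool: Python that reads a regedit export of the HKCU\Software\CryptoLocker\Files key quoted above and checks every recorded path against the search-mask list from the same post. It assumes that each value name under that key is the full path of one encrypted file (the export below is constructed for the example; the real value layout may differ). The output is what an incident responder wants from the key: the recovery list, a per-extension count to prioritise restores from backup or Shadow Copies, and any recorded file that matches none of the published masks, which would point to a variant with a different target list or a parsing problem.

```python
"""Rebuild the list of files CryptoLocker recorded as encrypted from a .reg
export and classify each one against the published search masks."""
import fnmatch
import re
from collections import Counter

# Search masks as quoted in the thread; matched case-insensitively against
# the basename, so "????????.jpg" means exactly eight characters before .jpg.
SEARCH_MASKS = [
    "*.odt", "*.ods", "*.odp", "*.odm", "*.odc", "*.odb", "*.doc", "*.docx",
    "*.docm", "*.wps", "*.xls", "*.xlsx", "*.xlsm", "*.xlsb", "*.xlk", "*.ppt",
    "*.pptx", "*.pptm", "*.mdb", "*.accdb", "*.pst", "*.dwg", "*.dxf", "*.dxg",
    "*.wpd", "*.rtf", "*.wb2", "*.mdf", "*.dbf", "*.psd", "*.pdd", "*.eps",
    "*.ai", "*.indd", "*.cdr", "????????.jpg", "????????.jpe", "img_*.jpg",
    "*.dng", "*.3fr", "*.arw", "*.srf", "*.sr2", "*.bay", "*.crw", "*.cr2",
    "*.dcr", "*.kdc", "*.erf", "*.mef", "*.mrw", "*.nef", "*.nrw", "*.orf",
    "*.raf", "*.raw", "*.rwl", "*.rw2", "*.r3d", "*.ptx", "*.pef", "*.srw",
    "*.x3f", "*.der", "*.cer", "*.crt", "*.pem", "*.pfx", "*.p12", "*.p7b",
    "*.p7c",
]

# Key named in the BleepingComputer write-up (HKCU spelled out as regedit exports it).
KEY_PATH = r"HKEY_CURRENT_USER\Software\CryptoLocker\Files"


def matching_masks(path):
    """Return every mask in SEARCH_MASKS that the file's basename matches."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return [m for m in SEARCH_MASKS if fnmatch.fnmatchcase(name, m)]


def parse_reg_export(text):
    """Parse a regedit .reg export and return the value names under KEY_PATH.
    Assumption (not verified against a real sample): each value name is the
    full path of one encrypted file. .reg escapes backslash and quote with a
    leading backslash, which is undone here."""
    files = []
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                      # section header: [KEY]
            in_key = line[1:-1].lower() == KEY_PATH.lower()
        elif in_key and line.startswith('"'):         # "name"=data
            name, _sep, _data = line.partition('"=')
            files.append(re.sub(r"\\(.)", r"\1", name[1:]))
    return files


def summarize(files):
    """Count recorded files per extension and flag any that no mask explains."""
    by_ext = Counter()
    unexpected = []
    for f in files:
        by_ext[f.rsplit(".", 1)[-1].lower() if "." in f else ""] += 1
        if not matching_masks(f):
            unexpected.append(f)
    return by_ext, unexpected


# Constructed sample export (not a real capture): office files, a UNC path with
# an escaped quote, two camera JPEGs, a certificate, and a .txt that no mask
# covers. The second key shows that unrelated values are ignored.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:\\Users\\alice\\Documents\\budget.xlsx"=dword:00000000
"C:\\Users\\alice\\Documents\\letter.docx"=dword:00000000
"\\\\fileserver\\share\\quarterly \"final\".doc"=dword:00000000
"C:\\Users\\alice\\Pictures\\DSC_0001.jpg"=dword:00000000
"C:\\Users\\alice\\Pictures\\IMG_2045.jpg"=dword:00000000
"C:\\Users\\alice\\keys\\client.pfx"=dword:00000000
"C:\\Users\\alice\\notes.txt"=dword:00000000

[HKEY_CURRENT_USER\Software\ExampleOnly]
"Unrelated"=dword:00000001
'''

if __name__ == "__main__":
    recorded = parse_reg_export(SAMPLE_EXPORT)
    counts, odd = summarize(recorded)
    for f in recorded:
        print(f, "->", ", ".join(matching_masks(f)) or "(no mask)")
    print("per extension:", dict(counts))
    print("not explained by the mask list:", odd)
```

On a live machine you would first save the key with `reg export "HKCU\Software\CryptoLocker\Files" files.reg` (reg.exe writes UTF-16, so open the file with `encoding="utf-16"`) and feed the text to `parse_reg_export`. Note that a plain `photo.jpg` is not matched: the masks only cover eight-character names and `img_*` names, which is why the check uses the exact patterns rather than a bare extension list.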
You can also use Shadow Explorer to look for individual personal files inside the folders like in the screenshot above. So if you know the file(s) one by one that you are looking for, you can then go about finding each file to restore instead of the whole folder. It takes longer, but that way you can just target the files you want to retrieve, whether a document, video, music, picture etc.
Quads
Thanks for the very helpful guide.
It's a valuable reminder of the importance of backups and that the File History/Shadow Explorer supplements that or may help those who don't practice backing up their data files .... if only because your hard drive will fail .... it's not a question of IF !
While Ransomlock Trojans have plagued the threat landscape over the last few years, we are now seeing cyber-criminals increasingly use Ransomcrypt Trojans. The difference between Ransomlock and Ransomcrypt Trojans is that Ransomlock Trojans generally lock computer screens while Ransomcrypt Trojans encrypt (and lock) individual files. Both threats are motivated by the monetary gains that cyber-criminals make from extorting money from victims.
- Blog: Ransomcrypt: A Thriving Menace
Note this encouraging statement on ISC
https://isc.sans.edu/forums/diary/Cryptolocker+Update+Request+for+Info/16871
<< There are varying ways that systems become infected, at one point it was UPS/FedEx style spam, now it seems coming down with zbot and other associated tools. At this point anti-virus has decent detection so keeping that up to date is a significant help. >>
huwyngr wrote:Note this encouraging statement on ISC
https://isc.sans.edu/forums/diary/Cryptolocker+Update+Request+for+Info/16871
<< There are varying ways that systems become infected, at one point it was UPS/FedEx style spam, now it seems coming down with zbot and other associated tools. At this point anti-virus has decent detection so keeping that up to date is a significant help. >>
Hey, Hugh,
Thanks for Posting.
I'm curious to know that, when Anti-Virus Software, e.g. Norton Internet Security, Detects and Removes this Threat, does it/should it also Remove the Encryption that this Threat uses?
-----------
Edit:
I know it says that it doesn't but it'd be nice to know what products they tested to come to the conclusion. The encryption is linked to this Threat, so I'm also curious to know if any Anti-Virus Products also Remove the Encryption; I know it is probably extremely un-likely...
Floating_Red wrote:
huwyngr wrote:Note this encouraging statement on ISC
https://isc.sans.edu/forums/diary/Cryptolocker+Update+Request+for+Info/16871
<< There are varying ways that systems become infected, at one point it was UPS/FedEx style spam, now it seems coming down with zbot and other associated tools. At this point anti-virus has decent detection so keeping that up to date is a significant help. >>
Hey, Hugh,
Thanks for Posting.
I'm curious to know that, when Anti-Virus Software, e.g. Norton Internet Security, Detects and Removes this Threat, does it/should it also Remove the Encryption that this Threat uses?
-----------
Edit:
I know it says that it doesn't but it'd be nice to know what products they tested to come to the conclusion. The encryption is linked to this Threat, so I'm also curious to know if any Anti-Virus Products also Remove the Encryption; I know it is probably extremely un-likely...
The answer is already in this thread and other "Cryptolocker" threads so no point in re stating what is already stated about the encryption.
ADDED: Even the Symantec article states simply what I and others are saying: "Ransomcrypt Trojan uses strong encryption algorithms which make it almost impossible to decrypt the files without the cryptographic key."
Quads
There has been a renaming in the definitions from Trojan.Ransomcrypt.F to
Trojan.Cryptolocker
and heuristics detections like Trojan.Cryptolocker!g* (* = a number)
Quads
The newest dropper I have is still detected by Norton; Symantec is keeping up with the droppers I get. Detected as its new detection name (last message above).
But this time fewer AVs detect the dropper.
Quads
The latest beta version of HMP Alert is now Norton compatible.
Finally we've added compatibility with Norton 360 and Norton Internet Security (a restart might be needed after installing Alert).
Check out the full list of changes in the changelog below:
Changelog
<< FIXED: Alert is now compatible with Norton 360 and Norton Internet Security. >>
Nice to know it wasn't us <g>
ZeroAccess and Cryptolocker together, yum.
Working on the theory of a hole to get Cryptolocker into machines.
Quads