Fiendish CryptoLocker ransomware: Whatever you do, don't PAY

A fiendishly nasty strain of Windows malware that uses advanced encryption to lock up user files before demanding a ransom is doing the rounds. CryptoLocker, which first surfaced early last month, leaves users in danger of losing important files forever unless they pay up. Typically the crooks relieve them of around $300 (£185 …

COMMENTS

  1. Tezfair

    Already seen this

    Customer on Tuesday was sending files over saying they were unreadable, so I restored them from a backup and sent them back. A few hours later, more bad files, so I looked at their shared drive. 25GB of unreadable files. Ouch.

    At the time it didn't make sense: I could restore to an alternative location and they were readable, but as soon as they were put into the shared drive they were corrupt.

    A few hours later I get a phone call from a staff member that 'had something on her screen the night before and ignored it'. Well, sh*t, you just wiped out all the data (yes, AV was everywhere, but it didn't see it).

    You can't kill this virus in normal ways. If you try and end task, it says 'I'll be back', and there are other kernel errors. I was fortunate that she was using a VM'ed desktop so I was able to roll it back and then restore a previous 'previous' backup, as the backups backed up the corrupt files.

    Very messy. Seriously changed my view on viruses and backup routines.

    1. Anonymous Coward

      Re: Already seen this

      "I was fortunate that she was using a VM'ed desktop so I was able to roll it back and then restore a previous 'previous' back up as the backups back'ed up the corrupt files."

      This person is at least doing things partly right. Good on them.

    2. LarsG

      Re: Already seen this

      I've had the HMRC emails, around 7 of them and it was only because of the spelling mistakes I realised they were dodgy.

      1. Ivan Headache

        Re: Already seen this

        Had them here too, and the Companies House ones. Haven't had one for about 2 weeks though.

        This week it's been MMS messages into several email accounts - purporting to be from T-Mobile.

        1. Peter2

          Re: Already seen this

          >"You can't kill this virus in normal ways."

          So, it manages to run despite having a software restriction policy in place preventing any vaguely executable code from running outside of program files or authorised network shares?

          I've been receiving the Companies House emails regularly. I've had a few users run them with nothing more harmful than the standard SRP prohibited text, since Outlook opens attachments in a temp directory, which is not in Program Files, so it doesn't run and I'm safe despite the users.

          Anti virus software is not enough. Stick yourself in a basic SRP and your virus issues will vanish overnight because the users can't run the bloody things if they try.

          Secondly, get yourself a copy of Sysinternals from the Microsoft website and use Process Explorer instead of Task Manager, and PsKill to kill things instead of the "end task" button in Task Manager. If you want malware dead, don't allow it to gracefully close through a Task Manager request to close. That's just letting it run more instructions. Figure out where the file and all its dependencies are from Process Explorer and then either suspend or terminate it. Take a hash of the file to stick in a network-wide SRP GPO that denies it the ability to run. Zip a copy of the file and email it to your AV vendor. Now you're done and you can delete it.
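The decision logic behind the "basic SRP" described in the post above, as an added illustration (editor's example, not Microsoft's code and not Peter2's configuration). It models a default-deny Software Restriction Policy: hash rules take precedence over path rules, and among matching path rules the most specific (longest) one wins. The environment-variable expansions, the authorised share \\fileserver\apps, the Outlook temp path and the SAMPLE bytes are all constructed for the example. Matching on folder boundaries is a design choice of this illustration, not a statement about the exact matching semantics of the real SRP engine; verify those on a test machine before relying on them.

```python
"""Added illustration of default-deny SRP evaluation (not Microsoft's code).

Precedence modelled: hash rule > path rule; longest matching path rule wins.
ENV expansions, the authorised share and SAMPLE are constructed assumptions.
"""
import hashlib
import ntpath

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"

# Assumed expansions of the variables an SRP GPO would resolve on the client.
ENV = {"%programfiles%": r"c:\program files", "%windir%": r"c:\windows"}


def norm(path):
    """Lower-case, expand the assumed variables and collapse '.' and '..'."""
    p = path.lower()
    for var, value in ENV.items():
        p = p.replace(var, value)
    return ntpath.normpath(p)


class Policy:
    def __init__(self, default=DISALLOWED):
        self.default = default
        self.path_rules = []   # list of (normalised folder or file, level)
        self.hash_rules = {}   # sha256 hex digest -> level

    def add_path(self, path, level):
        self.path_rules.append((norm(path), level))

    def add_hash(self, sha256_hex, level):
        self.hash_rules[sha256_hex.lower()] = level

    def evaluate(self, path, content=None):
        """Return (level, reason). content is the file's bytes, if available."""
        if content is not None:
            digest = hashlib.sha256(content).hexdigest()
            if digest in self.hash_rules:          # hash rules win over path rules
                return self.hash_rules[digest], "hash rule " + digest[:12]
        p = norm(path)
        matches = [(prefix, level) for prefix, level in self.path_rules
                   if p == prefix or p.startswith(prefix.rstrip("\\") + "\\")]
        if matches:
            prefix, level = max(matches, key=lambda m: len(m[0]))  # most specific wins
            return level, "path rule " + prefix
        return self.default, "default level"


def build_policy():
    """The 'basic SRP' from the post: default Disallowed, allow the usual roots."""
    policy = Policy(default=DISALLOWED)
    policy.add_path(r"%ProgramFiles%", UNRESTRICTED)
    policy.add_path(r"%WINDIR%", UNRESTRICTED)
    policy.add_path(r"\\fileserver\apps", UNRESTRICTED)   # assumed authorised share
    # A writable folder under an allowed root: the more specific rule denies it.
    policy.add_path(r"%WINDIR%\Temp", DISALLOWED)
    return policy


# Constructed stand-in for a dropper pulled out of Outlook's temp folder.
SAMPLE = b"MZ\x90\x00 constructed stand-in for invoice.pdf.exe"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()

OUTLOOK_TEMP = (r"C:\Users\alice\AppData\Local\Microsoft\Windows"
                r"\Temporary Internet Files\Content.Outlook\ABC123\invoice.pdf.exe")


def decide(policy, path, content=None):
    return policy.evaluate(path, content)[0]


if __name__ == "__main__":
    policy = build_policy()
    for path in (OUTLOOK_TEMP,
                 r"C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE",
                 r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\Temp\bad.exe",
                 r"C:\Program Files\..\Users\alice\evil.exe"):
        print(path, "->", policy.evaluate(path))
    # The step from the post: hash the file and deny it everywhere, even in an allowed path.
    policy.add_hash(SAMPLE_SHA256, DISALLOWED)
    print(policy.evaluate(r"C:\Program Files\x.exe", SAMPLE))
```

The traversal case (`C:\Program Files\..\Users\...`) is the one people forget: the rule must be applied to the normalised path, or an allow rule on a trusted root leaks into user-writable locations. The hash rule is what makes the post's "take a hash and stick it in a network-wide GPO" step work even when the file is later dropped into an allowed folder.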

          1. Anonymous Coward

            Re: Already seen this

            "Anti virus software is not enough."

            Neither is running Windows. Seriously, this security swiss cheese of an operating system really has had its day. It's time for it to be booted out of the corporate world for good and leave it to muppets at home to update their Facebook status with or vomit up some more banalities on Twitter, because frankly that's all it's good for.

            1. Peter2

              Re: Already seen this

              Windows only has security like swiss cheese because most people don't secure it competently. Most people are in total ignorance of what you can do to secure windows, which is a lot when you break open the group policy editor and apply permissions sensibly through security groups.

              The problem is that people just don't use those features and use it out of the box, usually running everybody as a local admin just to make sure that no security things get in the way of them downloading stuff.

              Given that the same people doing this would be deploying any other solution I don't have any great degree of confidence that any of those competing solutions would fare better security wise with a bunch of morons running as root.

    3. Anonymous Coward

      Re: Already seen this

      Ah - but have you already seen the money-grabbing virus that will send you an unencrypted photo of Miley Cyrus' bare bum if you don't pay 50p to the author?

      Where will it all end?

  2. Anonymous Coward

    It encrypts .doc, .dwg etc

    So what? In the corporate world those files should be held in some kind of version control and backed up. So at worst you lose a day's work. Network shares? Same thing. They should not be the master, they should be the published version of a document under proper control (also, users don't need write access to *everything*). As for local files that are being worked on; well, those are backed up as well aren't they?

    And why the HELL do people open an attachment without first scanning it? When coming in from outside, open it on a machine which has actual work files on it. Are they totally mentally deficient? Run Outlook in a separate VM. Problem solved.

    If you are following good procedures, CryptoLocker is minimal risk and the main annoyance will be downtime as the PC is re-imaged. If you are affected by CryptoLocker and want someone to blame, look in the mirror.

    Then call MS and ask them why their software is so shit.

    I can see this being a serious worry for home users. Top-tip: stop opening random files.

    1. TkH11

      Re: It encrypts .doc, .dwg etc

      How naive can you get?! Obviously never worked for a large corporation then. The idea that they always do things properly is just naivety. Release documents will (should) be in a document management system, but there are always many documents which are not.

      1. Anonymous Coward

        Re: It encrypts .doc, .dwg etc

        "Obviously never worked for a large corporation then."

        Wrong.

        "Release documents will (should) be in a document management system, but there are always many documents which are not."

        Then they breach compliance, fail audits and lose contracts. Simple. A version control system is a piece of piss to deploy. Backups are basic common sense. There is no excuse, not a one.

        1. JLV

          Re: It encrypts .doc, .dwg etc

          >A version control system is a piece of piss to deploy.

          Is a version control system really the tech to use for binary files, such as docs and xls?

          I seem to recall git gets binaries, but doesn't something like Subversion just store an entire binary file every time there is a change, unlike text files?

          Honest question icon needed.

          1. This post has been deleted by its author

          2. Anonymous Coward

            Re: It encrypts .doc, .dwg etc

            "Is a version control system really the tech to use for a binary files, such as docs and xls?"

            Yes. There are products from the more code-orientated (e.g. GIT) which wouldn't be best, I grant you. Through to the middle-weights (e.g. Alfresco). Then the big boys (e.g. Documentum). If you are an SME, you won't be going to the latter. But one of the former may fit the bill.

        2. Anonymous Coward

          Re: It encrypts .doc, .dwg etc

          > Then they breach compliance, fail audits and lose contracts. Simple.

          Methinks you have a lot to learn, my dear fellow.

    2. Anonymous Coward

      Reality check

      And what about the SMEs, who have lots to lose and are unlikely to have the budget for enterprise level procedures?

      1. Anonymous Coward

        Re: Reality check

        "And what about the SMEs, who have lots to lose and are unlikely to have the budget for enterprise level procedures?"

        It's not "enterprise level procedures" it's common sense. Off-site, redundant servers and mobile disaster servers are "enterprise level" but I never mentioned the like; did I?

        If the SMEs are running so close to the wire that they cannot provision for a HDD failure or a server blowing, then they are already running on borrowed time. This new virus has less impact than either of those and yet the exact same procedures mitigate against it.

    3. Anonymous Coward

      Re: It encrypts .doc, .dwg etc

      Sure, can we have a couple more petabytes of storage please, oh, and backup drives for those, oh, let's not forget months' worth of tapes, plus archives, oh, a few hundred gig of extra bandwidth while we're at it.

      thanks.

      1. Anonymous Coward

        Re: It encrypts .doc, .dwg etc

        "Sure, can we have a couple more petabytes of storage please, oh and back drives for those, oh lets not forget months worth of tapes, plus archives,oh a few hundred gig of extra bandwidth while we at it."

        Petabytes? Only if you are doing it wrong. The virus won't be able to attack files in the version control system, the users shouldn't have write access to the network shares (well, not many) and you don't need to back them up anyway as they are under version control. Local user files are still at risk, but they will be few.

        And the version control should *already* be getting backed up.

    4. Anonymous Coward

      Re: It encrypts .doc, .dwg etc

      I really hope you're not an IT support guy. Users are .... users... they are not IT experts, the same way that IT experts are not brain surgeons. Yes, good practice is always good, but recovery is expensive in lost time and resources.

      1. Anonymous Coward

        Re: It encrypts .doc, .dwg etc

        "the same way that IT Experts are not brain surgeons."

        Which is why I don't do brain surgery.

        "Users are .... users..."

        Indeed, which is why there are systems and procedures in place to protect them.

        "Yes good practice is always good, but recovery is expensive in lost time and resources."

        Never said it wasn't, but if the procedures are in place the risk from this virus (any virus!) is much lower than if everything is on one server, with public write access and no back-ups.

        1. Anonymous Coward

          Re: It encrypts .doc, .dwg etc. -- BOFH version

          "the same way that IT Experts are not brain surgeons."

          Which is why I don't do brain surgery.... Except on users

  3. Martin Summers

    NSA PR Opportunity

    They could offer a public service to decrypt the data for everyone affected. But would you rather pay the money or let the NSA have your files, oh wait...

    1. knarf

      Re: NSA PR Opportunity

      Chances are they already have a back up of all your files.

      1. tfewster

        Re: NSA PR Opportunity

        Obligatory

        http://dilbert.com/strips/comic/2013-09-06/

        1. Stratman

          Re: NSA PR Opportunity

          Followed by

          http://dilbert.com/strips/comic/2013-09-07/

  4. Charles 9

    I suspect the next step(s) for crypto malware are:

    (1) hibernate first so as to increase the odds of getting INTO the backup. The idea being that should one try to use a backup to restore the OS and files, it'll just wake up again.

    (2) stick around after the ransom so as to hit the victim again (what business doesn't want a repeat customer).

    (3) look for ways to invade the MBR, BIOS, and/or EFI to get around OS safeguards and try to gain nuke-resistance.

    1. Anonymous Coward

      " look for ways to invade the MBR, BIOS, and/or EFI to get around OS safeguards and try to gain nuke-resistant."

      Oh dear, when will evil M$ (and others) do *ANYTHING* to stop this happening to us! Oh, if ONLY they could do something, you know, make the boot secure, hell, maybe even call it SecureBoot

      /sarcasmmodeoff

      1. Charles 9

        Because if Microsoft tried to do ANYTHING, someone would find a way around it. Think privilege escalation. And there's been a disturbing trend towards making malware capable of surviving even "nuking from orbit", such that even that isn't so sure anymore.

      2. uvavu

        Micro$oft, the US and UK governments WANT this to happen to us so that we will insist on a Trusted Computing platform controlled by the Vendors who seek to profit and Governments who seek to spy.

  5. Dan 55

    Cloud backup

    If you have a sync directory, wouldn't it be rather annoying if the files in it were encrypted, uploaded to e.g. DropBox, then synced with your other machines?

    It'd be recoverable if you had a cloud locker with version control, but still annoying.

    1. Anonymous Coward

      Re: Cloud backup

      DropBox has versioning. In fact it's how we got back our salesperson's files from her laptop when she got this nasty last week.

      1. Anonymous Coward

        Re: Cloud backup

        "DropBox has versioning. In fact it's how we got back our Salesperson's files from her laptop when she got this nasty last week."

        And that, people, is how bloody easy it is to have version control; even in an ad hoc manner (although handing potentially sensitive files to an external party is risky).

    2. Tezfair

      Re: Cloud backup

      "If you have a sync directory, wouldn't it be rather annoying if the files in it were encrypted, uploaded to e.g. DropBox, then synced with your other machines?"

      That's exactly what happened too: they use BTSync to keep a live copy at an external location, but as soon as the files were modified those encrypted ones went out too. As there were too many to check we are resyncing from 0.

    3. Anonymous Coward

      Re: Cloud backup

      A solution that I implemented years ago for an SME (when the Internet was still called the Internet, before the marketing guys with a weather fixation arrived in town), worked thusly:

      - Machine A is a file server where basically all the company's data is stored.

      - Machine B is an off-site computer with approx five times the storage capacity of machine A. It stores versioned backups of machine A's data directory.

      - A VPN server runs on machine B, to which machine A is permanently connected via ADSL (there was also the option of a radio connection--the machines are about 1 km apart at separate facilities).

      - At 20 minute intervals, machine B launches rsync over ssh over the VPN and synchronises any changes since last backup. Backups are versioned at irregular intervals; e.g., there are three backups for the last hour, one every hour for the past two days (I think), one every three hours for the last week, every twelve for the month, etc., etc., and finally something like one per month after two years or some such. Only files that have actually changed are stored multiple times. Whatever hasn't changed, there's only one copy of, with multiple hard links (the data is read-only), so storage is not that much of a problem (generally, files get added and only relatively small files change frequently).

      - The data directory on machine B is mounted read-only on machine A, so that access to backups is possible.

      - Note that the backup is triggered from the backup machine, which has read-only access to the file server. At the same time, the file server has read-only access to the backup machine, so remote data corruption is highly unlikely.

      - As machine B is a VPN host (so is machine A), backups can be accessed from any location by any client of machine B's VPN, not just from machine A.

      - No third-party storage (aka "le nuage" / "die Wolke") is involved, and all comms between hosts are encrypted, giving a reasonable expectation of privacy and protection against non-targeted attacks. Not to mention that it's actually cheaper to have your own machines than pay for online storage anyway.

      The cost of this solution was an inexpensive computer with a few big drives RAIDed together, plus the monthly charges for a normal ADSL connection, which copes well with the amounts of data involved. Over the years disks on both machines have failed, which was dealt with by replacing and rebuilding the RAID. Data corruption, accidental deletion of files, and machine A's location becoming inaccessible has been seen and the solution performed as expected, with complete success.

      I'm not so much bragging about this (for there is nothing to brag about), as using it as an example of how successful SMEs use a bit of ingenuity to keep their business running and their costs under control.
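The versioned, hard-link snapshot scheme described in the post above, as an added example (editor's code, not the commenter's actual scripts and not rsync itself), written in pure Python so it runs without rsync or a second machine. It also covers the sync-directory problem raised earlier in this thread: a sync tool faithfully replicates the encrypted files, whereas a snapshot taken before the run still holds the originals. Each snapshot is a complete directory tree; a file unchanged since the previous snapshot is hard-linked to that copy, a new or changed file is stored again, so a ransomware run costs one extra copy of only the files it touched. prune() is a simplified version of the thin-out-by-age policy in the post: keep the newest few, then the oldest snapshot in each age bucket up to a maximum age. Stamps are plain integers (seconds) so the demo is deterministic; the file names and contents in demo() are constructed.

```python
"""Added example of hard-link snapshot backups with age-based retention.

Not the commenter's setup and not rsync: a pure-Python model of the same idea.
Stamps are integer seconds; demo() uses constructed files and contents.
"""
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def snapshots(backup_root):
    """Snapshot directories, oldest first (names sort by zero-padded stamp)."""
    if not backup_root.exists():
        return []
    return sorted(p for p in backup_root.iterdir() if p.is_dir())


def snapshot(source, backup_root, stamp):
    """Create backup_root/<stamp> from source, sharing unchanged files with the
    previous snapshot via hard links. Returns the new snapshot directory."""
    prev = (snapshots(backup_root) or [None])[-1]
    dest = backup_root / f"{stamp:012d}"
    for dirpath, _, filenames in os.walk(source):
        rel = Path(dirpath).relative_to(source)
        (dest / rel).mkdir(parents=True, exist_ok=True)
        for name in filenames:
            src = Path(dirpath) / name
            dst = dest / rel / name
            old = prev / rel / name if prev is not None else None
            if old is not None and old.is_file() and filecmp.cmp(src, old, shallow=False):
                os.link(old, dst)        # unchanged: one copy on disk, two names
            else:
                shutil.copy2(src, dst)   # new or modified (e.g. encrypted): store it
    return dest


def prune(backup_root, now, keep_recent=3, bucket=3600, max_age=30 * 86400):
    """Delete snapshots outside the retention policy; return the deleted names.
    Removing a snapshot only drops link names; data still referenced from a
    kept snapshot stays on disk."""
    snaps = snapshots(backup_root)
    keep = {p.name for p in snaps[-keep_recent:]}
    seen = set()
    for p in snaps:                      # oldest first: keep the oldest per bucket
        age = now - int(p.name)
        if age > max_age:
            continue
        b = age // bucket
        if b not in seen:
            seen.add(b)
            keep.add(p.name)
    deleted = []
    for p in snaps:
        if p.name not in keep:
            shutil.rmtree(p)
            deleted.append(p.name)
    return deleted


def demo():
    """Two snapshots around a simulated ransomware run; returns the paths."""
    root = Path(tempfile.mkdtemp(prefix="snapdemo"))
    src, backups = root / "data", root / "backups"
    (src / "sub").mkdir(parents=True)
    (src / "a.doc").write_bytes(b"quarterly report")       # constructed content
    (src / "sub" / "b.dwg").write_bytes(b"drawing")
    s1 = snapshot(src, backups, 1000)
    (src / "a.doc").write_bytes(b"ENCRYPTED")               # ransomware rewrites it
    s2 = snapshot(src, backups, 2000)
    return s1, s2, src, backups


if __name__ == "__main__":
    s1, s2, _, backups = demo()
    print("original still in", s1 / "a.doc", (s1 / "a.doc").read_bytes())
    print("b.dwg link count:", (s2 / "sub" / "b.dwg").stat().st_nlink)
```

The part of the post this code cannot show is the direction of trust: in the described setup the backup host pulls from the file server with read-only access, and the file server only ever sees the backup tree mounted read-only. Run something like this on the backup host, never on the machine being protected, or the malware that encrypts the data can also delete the snapshots.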

      1. DropBear

        Re: Cloud backup

        ...was that before or after the Internet was called "Cyberspace"...? Can't really tell. Oh, and what about "Information Superhighway"...?

  6. TkH11

    It never ceases to amaze me how many people open and click on links in emails without knowing who they're from. Even my employer (who shall remain nameless) has become infected despite there being a fairly recent and high-profile campaign targeting computer security and phishing emails. Some people are just dumb.

    1. Mike Bell

      To be fair, a bit of social engineering is involved here by making the file look like something that it isn't (a PDF). Not every user is a geek, but they might know enough to know that PDFs are normally harmless viewable documents. If they possess a little geekiness, they might know that you'd better be dead sure you're running a *very* up-to-date PDF viewer. A little more and they'd know that executables can be camouflaged like this.

      I imagine that such a "dumb" user might be tempted to call you and me nerdy geeks who need a life.

      1. DrXym

        I was talking to someone a week ago who got a popup in their browser warning they were downloading pirated software and to click to acknowledge this. The sad thing is that while they didn't click, they actually believed the warning to be genuine although it clearly wasn't. I imagine anyone who clicked would be encouraged to pay a "fine" and possibly install "monitoring software" which would just be malware of some kind.

        I assume the criminals wouldn't bother with these scams if people didn't fall for them.

  7. Wild Bill

    From the detailed breakdown from Bleeping Computer, it appears that the encryption doesn't take place until the virus is able to phone home to one of its many servers, which have their domains automatically created using a Domain Generation Algorithm.

    Is there not any software that can block all domains which are obviously gobbledygook and are therefore likely to have been automatically generated by a nasty? It appears DGAs are used by a lot of viruses to phone home, so such a blocklist could be a reasonably good last line of defence for a multitude of arseholery (obviously not getting a virus in the first place is the ideal approach).

    1. Anonymous Coward

      Or maybe just blackhole all traffic to IP addresses associated with their C&C servers at major internet exchanges?

      1. Charles 9

        Until you find out they're clever enough to use IPs ALSO associated with legitimate sites. As for DGAs, they're ALSO used somewhat by some legit software houses, meaning blacklisting them, too.

        1. lglethal

          I'm not doubting you Charles but...

          I'm not doubting you Charles, but I'm actually curious which programs would make use of a DGA and why? I really can't think of a reason off the top of my head why you would need this from a legit program though.

          (that might be because it's almost pub time though!)

          1. Charles 9

            Re: I'm not doubting you Charles but...

            I've seen software repositories and media servers keep mirrors that have random-sounding names in the first part of their domain name. I believe these are generated on the fly for certain sessions and then terminated afterward to prevent backdooring.

    2. Anonymous Coward

      Wild Bill, I think you are looking for a firewall that stops all outgoing traffic until you OK it. I seem to remember there was ZoneAlarm for windows years ago that did that.

    3. jubtastic1

      Blocking gobbledegook domains

      Yes but it would also block hp.com

      I can't be the only one that wonders if they've strayed off the path when downloading drivers from hp.

    4. Allan George Dyer

      Discrimination against goblins?

      So what have you got against gobbledygook speakers? [Thanks, JKR]

      Seriously, once you've considered every language, and acronyms in those languages, you'll find it a major challenge to differentiate between a legitimate domain name and a DGA generated one.

      You might have some success if you...

      1) Reverse engineer the malware, identify the DGA

      2) Predict all possible outputs of the DGA

      3) Make legal arrangements with appropriate registrars to screen or revoke domain applications by the predicted output

      But, as soon as the criminals realise their domains are being revoked, they'll change the algorithm.
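The two approaches argued over in this sub-thread side by side, as an added example (editor's code, not from the article, BleepingComputer or any commenter). The DGA here is a hypothetical date-seeded one, not CryptoLocker's real algorithm. predicted_blocklist() is steps 1 and 2 from the post above: once the algorithm is known, every name it will use for a date range can be enumerated and blocked or sinkholed exactly. suspicious_labels() is the "gobbledygook" heuristic Wild Bill asked about, scoring each host label by length, vowel ratio, longest non-vowel run and character entropy; it misses some generated names and, as jubtastic1 and Charles 9 point out, flags random-looking but legitimate mirror hostnames. The hostnames in the demo are constructed, and TWO_LEVEL_SUFFIXES is a tiny stand-in for the real Public Suffix List.

```python
"""Added example: a hypothetical DGA, exact prediction of its output, and a
heuristic 'random-looking label' filter with its false positives.

Not CryptoLocker's algorithm; hostnames and suffix list are constructed.
"""
import datetime as dt
import hashlib
import math

TLDS = ("com", "net", "org", "info", "biz")
VOWELS = set("aeiou")
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}   # stand-in for the PSL
DEMO_DAY = dt.date(2013, 10, 18)


def toy_dga(day, count=10, length=12):
    """Hypothetical DGA: SHA-256 of the date and an index, mapped to letters."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(f"{day.isoformat()}#{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:length])
        domains.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return domains


def predicted_blocklist(start, days):
    """Steps 1-2 from the post: knowing the algorithm, list every name it will use."""
    return {d for n in range(days) for d in toy_dga(start + dt.timedelta(days=n))}


def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))


def longest_nonvowel_run(s):
    best = run = 0
    for c in s:
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    return best


def label_score(label):
    """0-4: how much a single DNS label looks machine-generated."""
    score = 0
    if len(label) >= 10:
        score += 1
    if sum(c in VOWELS for c in label) / len(label) < 0.25:
        score += 1
    if longest_nonvowel_run(label) >= 4:
        score += 1
    if entropy(label) >= 3.0:
        score += 1
    return score


def suspicious_labels(hostname, threshold=3):
    """Labels left of the public suffix whose score reaches the threshold."""
    labels = hostname.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 1
    return [lab for lab in labels[:-suffix_len] if lab and label_score(lab) >= threshold]


def heuristic_hit_rate(domains):
    """Fraction of the given domains the heuristic would flag."""
    return sum(bool(suspicious_labels(d)) for d in domains) / len(domains)


if __name__ == "__main__":
    generated = toy_dga(DEMO_DAY)
    print("predicted for the day:", generated[:3], "...")
    print("heuristic catches %.0f%% of them" % (100 * heuristic_hit_rate(generated)))
    # Constructed: a mirror hostname with a random-looking first label is flagged too.
    for host in ("bbc.co.uk", "microsoft.com", "qxzk7v2wpt9r.www2.example.com"):
        print(host, "->", suspicious_labels(host))
```

The contrast is the point: the blocklist built from the reversed algorithm has no false positives and no misses for as long as the algorithm stays the same, which is exactly why the post expects the criminals to change it; the heuristic survives an algorithm change but pays for it with misses and with false positives on legitimate names. Step 3 of the post, the registrar arrangements, is a legal process rather than code.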

  8. Pieh0

    "or pay the bad guys with a credit card to get the unlock code (assuming there even is one) to recover the locked data, then - one would assume - attempt to get the money back."

    Yea, thanks for that...

    Us people in the Bitcoin world love to have our accounts frozen and police knocking on the door 'cause we used a business to steal money from people.

    Way to screw over small businesses.

  9. Anonymous Coward

    "These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption, and that we can help them get their files back,” adds the firm. “But as far as we can see, there's no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble."

    NSA could!

  10. Anonymous Coward

    Oldschool Extortion Virus - Got to love it - But I was left with more questions than answers

    Does the extortion-ware show up in Task Mangler as it's cooking your files? Or does it obfuscate itself by running inside a legitimate service or driver or other Windows subsystem's code?

    How does a machine become infected beyond the obvious, i.e. opening an infected attachment? The article makes reference to a botnet-style attack. Is this an attack looking for weak backdoors, i.e. WinVNC, Remote Access? If yes, how does it first find its weak targets, random IP scanning?

    1. Anonymous Coward

      Re: Oldschool Extortion Virus - Got to love it - But I was left with more questions than answers

      http://arstechnica.com/security/2013/10/youre-infected-if-you-want-to-see-your-data-again-pay-us-300-in-bitcoins/

      1. Anonymous Coward

        Re: Oldschool Extortion Virus - Got to love it - But I was left with more questions than answers

        #1. Thanks for the link AC14:42. As an example story it was a good read on how SMEs can get badly burnt letting users have free access to files on shared network drives. I'd hate to be an employee who has to face the boss admitting he was the unwitting mug who pulled the trigger! However, what the article and related linked articles failed to do was give 'details' on the various other ways SMEs etc. can get hit....

        #2. TrendMicro: "Based on our analysis, the threat starts with a dropper component".... So CryptoLocker isn't stealing active IPs from hacked websites and then going open port hunting... And it isn't initiating remote attacks using botnets that scan for open ports using random IPs. OK, that's a relief!

        #3. TrendMicro: "always observe best computing practices such as avoiding visiting unverified sites, clicking links from unknown sources, and avoiding executing/opening attachments from dubious email messages"....... We could use a little more info though than just "visiting unverified sites". How are the droppers working on unverified sites? Is Java or Flash or JavaScript a requirement?

        #4. BleepingComputer: "Via exploit kits located on hacked web sites that exploit vulnerabilities on your computer to install the infection... Through Trojans that pretend to be programs required to view online videos."....... OK, but how widespread are these infected websites and what client machine weaknesses are needed to spread the infection, i.e. Java / Flash / JavaScript / other 3rd-party plug-ins?

        #5. I think a lot of SMEs have basic virus protection. But getting hit by drive-by website attacks can be trickier to contain. Let's say it's Friday afternoon, and a few workers hunt for Xmas travel plans. They're busy checking photos & videos and not asking if a Mom & Pop or small-scale travel site has been compromised or is 'verified'. 'What browser warnings?!'

        #6. With the UK Govt pushing for filtered internet connections, I've been asking why ISPs don't offer automatic filtering at the pipe level, to block virus / malware / spyware / bank Trojan keyloggers? Wouldn't it be good business for ISPs?

        #7. Key unanswered question: For those who paid, did they receive a working key?

  11. Piro

    Title is basically incorrect

    If you pay, which is your ONLY OPTION unless you have offline backups, then you do actually get your data back.

    If you don't, that data is lost forever.

    1. lglethal

      Re: Title is basically incorrect

      How do you know this exactly? You actually paid these scum?

      Why would the virus writers bother to even provide the fix? It's much simpler to have the encryption happen, demand money, get paid, and disappear. If you have a fix on the internet somewhere, some smart white hat will probably track it down eventually, obtain the key, and then spread it around and you've just lost your revenue source.

      Sure, you have to spread at least some rumours that paying gets your files back, to give people some incentive to pay, but it's hardly in your interest to actually HAVE the key available online somewhere.

      1. Darren Barratt

        Re: Title is basically incorrect

        Secondary payload. Fix the data, tell the dozy user it's fixed, then leave the software in place. User will institute a backup regime until they get bored, so after 6-9 months, run an update on the malware, shiny new front end and key, and go through the process again.

        1. Charles 9

          Re: Title is basically incorrect

          Plus by hibernating like this, the malware has a chance of getting INTO the backup, tainting it so that trying to restore it could result in immediate re-infection.

          1. lglethal

            @JAK

            You seem to be forgetting how easy it is to salt the internet with false reviews, false Twitter comments, false Facebook posts, etc. There are companies out there that will happily do thousands of these things for you for the price of a cuppa. So just because there are "comments" out there saying people got their stuff back, you would be a fool to believe that 100%!

            Darren's comment about the secondary payload in the decryption is about the only reason I can think of for them to provide any sort of file decryption. So if there are REAL comments about them actually decrypting the files, I would almost bet on it that those PCs are now owned in one way or another by the pricks who created this virus.

            So once again, why would you pay?

      2. JAK 1

        Re: Title is basically incorrect

        Actually it is in their interest to provide the key. If people do a cursory search and see that no one ever got their files back then they won't bother paying, but if they see lots of posts from (un)happy customers with their data unencrypted they are far more likely to have a punt for $300.

        From what I've read it seems that the key that they would provide to you is unique to your machine, so there wouldn't be the worry about a white hat being able to crack it.

      3. Derpity

        Re: Title is basically incorrect

        They will decrypt your files if you pay and apparently they're very cordial when you call them. Second hand information from a trusted source but still second hand.

        1. Destroy All Monsters

          Re: Title is basically incorrect

          Excellent service, 10/10.

          Would decrypt again.

          1. ecofeco

            Re: Title is basically incorrect

            "Excellent service, 10/10.

            Would decrypt again."

            *SNERK*

  12. Tromos

    Online backups

    It's either online or it's a backup. It can't be both at the same time.

    1. chris lively

      Re: Online backups

      You must be new to computers.

      Do some research and educate yourself.

      1. the spectacularly refined chap

        Re: Online backups

        You must be new to computers.

        Do some research and educate yourself.

        No, he probably knows more about backups than you do. Too many people take shortcuts with backups, e.g. "You don't need dedicated backup with RAID - it IS the backup" and all that baloney. If your backups are online, mounted volumes then they are just as susceptible to fat-finger syndrome as your live data. Potentially a single clanger could take out both.

        In other words, not a backup.

      2. Anonymous Coward

        Re: Online backups

        @Chris - It can be nearline and be a backup, but if it's online it's a copy. It may be versioned, but it's not a backup if it's on the same hardware as the thing it's a backup of.

        A backup needs to be offline or nearline, remote from the system it's backing up and versioned. If it doesn't have one of these things, it's not a backup, it's just a copy or an archive.

      3. Tromos

        Re: Online backups

        Not that new to computers. I remember making backups 44 years ago. The spools of magnetic tape had a plastic ring placed on the back to enable writing otherwise the tape drives could only read them. It was a running job until the tape was dismounted and the ring taken out, and only then was it regarded as a backup.

  13. MJI

    Where do I send the bill to?

    One of our customers was attacked by this.

    Luckily a lot of their system was in use but enough got infected.

    We had assumed it was a hardware failure!

  14. MJI

    Perhaps good target for intelligence services

    Find them, send in special forces, eliminate them.

    Earn back some trust.

    1. veti Silver badge

      Re: Perhaps good target for intelligence services

      You're assuming the whole scam isn't being run by the NSA.

      Gotta do something to claw back that money being sequestered out of their budget...

  15. CheesyTheClown

    Kinda lame

    If they're using DH (likely) and they're using the same keypairs to encrypt and decrypt all the files, pause the machine, backup and copy a crap load of small word files to the machine and let it run its course. Once you have enough sample data with both source and scrambled and you have the local keypair and you have the remote public key, tree search the key bits and factor to a brute forceable length. Then GPU farm the remaining bits of the missing private key. Then decrypt.

    what's the issue?

    1. Frumious Bandersnatch

      Re: Kinda lame

      If they're using DH (likely) and they're using the same keypairs to encrypt and decrypt all the files, ...

      I was going to contradict you (and had a nice summary of how RSA worked all written up and everything) until I realised you're not saying what I thought you were. If I'm understanding you correctly, you're actually implying a chosen-plaintext attack. A quick search suggests that you might be on to something (pdf)

      1. Frumious Bandersnatch

        Re: Kinda lame

        Oops.. my mistake. That paper I linked to is about a chosen cyphertext attack, not a chosen plaintext attack. I did plenty of comments saying that RSA is vulnerable to chosen plain-text attacks, but I wasn't able to dredge up a paper to that effect.

      2. CheesyTheClown

        An alternative hack... but in the spirit

        If you take 10,000 files (or less, I'd need a proper sample set to work with) and make them sequential patterns, then given that you have g sub x and intend to recover g sub y when in possession of G sub X and G sub Y, then you encrypt the large data set using g sub x and G sub XY and factor characteristics of the common exponent the logarithms... I'm not conveying this right. I see it mentally, but am not good at wording. I read part of the paper you linked which takes a similar approach and might actually even shorten the brute force attack remaining.

        Using my method, you construct a tree of common traits of possible key values based on the fact that you're actually in possession of a single private key and both public keys. It's something I came up with when Diffie identified another weakness in the keys.

        The main idea is that the Diffie Hellman Problem is called a "hard problem" not an "impossible problem". We already have more information available if we have the client's private key than the algorithm accounts for. We also have the ability to encode known sequential or patternistic data sets. This means we should be able to attack the algorithm by identifying common traits of the cipher when comparing the algorithm, the data sets and the outputs produced. This of course would be infeasible without the private key used for encoding.

        I've always had issues coping with the DHP when the encrypting private key is included in the algorithm. After all, it should be theoretically possible to reverse much of it. After all, unless you actually specifically drop data making it useless to begin with then you should be able to work backwards through it.

        I'm guessing someone smarter than I can probably hack more of it algorithmically, I have major limitations in that field, but I am pretty damn good at factoring based on producing tweaked data sets to build search trees or sets to brute force.

        Let's face it, there's a reason we key cycle 3072 bit keys... it's because they should be recoverable by someone somewhere as their sample sets grow... in fact Diffie makes direct reference to this in the original paper and later articles. We're simply expanding the known sample set and exploiting the inherent weaknesses.

  16. Anonymous Coward
    Anonymous Coward

    Another good reason to move to Windows RT

    Just sayin'...

    1. handle

      Re: Another good reason to move to Windows RT

      Another good reason? What's the first one?

  17. PLAzmA

    Shame

    It's ok, but in honesty a lack of variable zoom or mouse pointer sucks. I will stick to Remote RDP Enterprise on Android; with the mouse in trackpad mode it's by far the best system I've used on a small screen.

  18. Nigel 11
    Flame

    Nuke the perps from orbit?

    If the USG spent a bit less on exterminating terrorists and a bit more on exterminating slime like this, the NSA might get better publicity. (And I do mean exterminate. How many man-years of human enterprise do these sub-humans waste in order to make a few bucks? I rest my case.)

    1. Vais

      Re: Nuke the perps from orbit?

      I find it disturbing that you can even compare taking hundreds of lives with destroying data - however large it might be. And if you are really concerned in wasted human achievements, better look at the huge corporations that do everything they can to slow the progress of technology and science in order to keep their financial control over the population...

      1. This post has been deleted by its author

        1. Charles 9

          Re: Nuke the perps from orbit?

          "If it was possible to identify a command and control server and take it down in seconds, a lot of this crime would get a lot more difficult.

          Also, a simple point, computers need a clearly labelled physical button called something like "Disconnect from Network" which would stop all network activity without the need to go through any menus. The second someone thinks they've clicked on a bad link, being able to hit that button would stop a lot of infections."

          1) Even if you could ID a C&C server, what if it turns out to be in a country hostile to you? That's why there are a lot of Chinese-, Russian-, and Eastern-Europe-based servers. They may not be as inclined to cooperate with you, and matters of state can keep you from applying pressure.

          2) If it's that bad, PCs probably need something more drastic: a return of the Reset button. Forget disconnecting from the network. You'll probably need a full memory flush and more than likely a new IP address and set of rules. And that's assuming the malware didn't manage to report intel back in the split second it was in your machine. Not so much nuking from orbit, but still on the level of "dump out and start over".

    2. Lars Silver badge
      Flame

      Re: Nuke the perps from orbit?

      Indeed. And if you can send money I would hope it's also possible to get the guys, but is anybody seriously interested in such things.

  19. sisk

    It seems to me that getting the key and then disseminating it through the internet would be a simple matter for a serious security firm. Infect a honeypot, pay the ransom (in a way that you could either trace or recover your money later, of course....no sense giving the crooks money for real), then capture the private key when it phones home with a man in the middle attack. If it uses HTTP (yes, yes, very unlikely, I know) this could be a very trivial way to get the key and build it into a cleanup utility. Even if it uses a more secure protocol it shouldn't be too difficult a task for security experts.

    1. handle

      Am I missing something, is more than one person here missing something: why on earth would the same private key be used for every attack?

      1. Vais

        Someone above said that it WAS different for every infected computer. Things are rarely that easy to fix as sisk implies. In security attacking is almost always easier than defending. Or at least the attacker can defeat the defense in almost every scenario given enough resources and motivation on his part.

  20. Anonymous Coward
    Anonymous Coward

    Re: It encrypts .doc, .dwg etc

    You must work for our IT Security department, they're good at talking out of their collective corporate a**e as well.

  21. Anonymous Coward
    Anonymous Coward

    Will it work for me?

    What about my files?

    My files seem to eschew this funky modern .xxx thing and rely on some magic bytes to distinguish themselves.

    Will this thing encrypt them? Perhaps I should try and get it to work in Wine ...

    On a more serious note - get yourself an OwnCloud running on an old machine or something if ordinary backups are not compelling for you. OC does versioning. Why not run up one for your small firm or family?

    As for the bigger firms - check your backup regimes and then your web n email proxies. Your staff should not be even seeing these emails in the first place and obviously you've warned them countless times on what to look out for in a dodgy email. You'll be using at least three AV solutions plus various firewall and SMTP blocklists and all the other stuff so it wont be a problem ...

    Cheers

    Jon

  22. Anonymous Coward
    Anonymous Coward

    One of the IP's that the ransomers used was 184.164.136.134. According to ARIN, it is owned by SECURED SERVERS LLC. Their servers were obviously not secured.

    With this malware needing to phone home, their compromised network of machines is always in flux and there is a good chance that once one is shut down, the private key is also gone.

    Most of their payment methods mean it won't be long before those providers find a way to recoup the money. Some of them, you should be able to pay with a credit card and then file a claim with your credit card company. This leaves the likes of these payment companies holding the bag and they won't like that. Eventually the ransomers will be tracked down. Chances are they are in Russia or the like and they are not targeting locally so they won't face the consequences of their actions.

  23. psychonaut

    seen 3 of these now

    It's very nasty. I've done a tonne of research on this.

    To clear up some misconceptions

    1) every decrypt key is different so there's no point in trying to use a honeypot

    2) apparently you do get your files back if you pay (haven't done this personally though)

    3) it's also trivial to remove although I wipe every machine I see with it anyway

    4) if you do remove it before paying you can't then pay them unless you have the strain that changes your wallpaper to give you the ip address to pay with (cute huh??). If you (deliberately) reinfect in order to get the pay screen you double encrypt

    5) if you use offsite backup like carbonite it will backup the encrypted file over the top of the good file as soon as it changes. However carbonite have a dedicated team to help with this as it's tedious to manually restore versions of 1000000 files. They can spot when the infection happened and roll back your files to before any of them were encrypted so you can then restore all. You get back every file in the latest version before that file was encrypted.

    I'm seriously impressed with carbonite. All 3 of my customers that got hit had carbonite (cos they accepted my advice to get it) and all 3 are fine. Just rebuild the machine and we are good to go

    Fortunately my customers nearly all have carbonite so this won't be affecting my customers much. The ones that don't have it were warned...

    1. 9Rune5

      Re: seen 3 of these now

      Thanks for the tip psychonaut. I've contemplated online backup for my personal files before, but this is the first affordable service I've come across.

      1. psychonaut

        Re: seen 3 of these now

        You are welcome. They also do unlimited pcs and nas for 155 quid per year per 250gb in addition to the other home plan of 42 per year for unlimited. They also have server backup including sql for about 400 per year. Also become a reseller and get 30% discount.
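The "Online backups" argument above (a mounted copy is overwritten along with the live data) and psychonaut's point 5 (a versioned service can spot when the infection happened and roll every file back to its last clean version) describe the same mechanism from two sides. The following is an added example, written for this page and not code from the thread, from Carbonite or from any other product; it models both stores in memory with a constructed timeline. Timestamps, paths and the "encryption" transform are all made up for the illustration, and the burst detector is a deliberately simple heuristic (many files rewritten at the same instant).

```python
"""Mounted copy vs. versioned store, with point-in-time restore.

Added example (constructed data, no real product). A MountedCopy overwrites in
place, so once files are encrypted the copy holds ciphertext too. A
VersionedStore appends a version on every write, so the last version written
before the infection can be picked out per file.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Version:
    ts: int      # constructed "seconds" for the example timeline
    data: bytes


@dataclass
class VersionedStore:
    """Every write appends; nothing is ever overwritten or deleted."""
    history: Dict[str, List[Version]] = field(default_factory=dict)

    def write(self, path: str, data: bytes, ts: int) -> None:
        self.history.setdefault(path, []).append(Version(ts, data))

    def latest(self, path: str) -> Optional[bytes]:
        versions = self.history.get(path)
        return versions[-1].data if versions else None

    def as_of(self, path: str, cutoff: int) -> Optional[bytes]:
        """Last version written strictly before `cutoff`, or None."""
        clean = [v for v in self.history.get(path, []) if v.ts < cutoff]
        return clean[-1].data if clean else None

    def detect_burst(self, min_files: int) -> Optional[int]:
        """Earliest timestamp at which at least `min_files` files were rewritten.

        A mass rewrite in one instant is the constructed signal for "infection
        started here"; real services will use richer heuristics.
        """
        per_ts = Counter(v.ts for versions in self.history.values() for v in versions)
        bursts = sorted(ts for ts, n in per_ts.items() if n >= min_files)
        return bursts[0] if bursts else None

    def restore_all(self, cutoff: int) -> Dict[str, bytes]:
        """Point-in-time restore: every file as it was just before `cutoff`."""
        out: Dict[str, bytes] = {}
        for path in self.history:
            data = self.as_of(path, cutoff)
            if data is not None:
                out[path] = data
        return out


class MountedCopy:
    """A plain online copy (mapped drive, sync folder): overwrite in place."""
    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def write(self, path: str, data: bytes, ts: int) -> None:
        self.files[path] = data

    def latest(self, path: str) -> Optional[bytes]:
        return self.files.get(path)


def fake_encrypt(data: bytes) -> bytes:
    """Stand-in for ransomware output; a constructed transform, not a cipher."""
    return b"ENC:" + bytes(b ^ 0x5A for b in data)


def simulate(store) -> None:
    """Constructed timeline: normal edits, then every file rewritten at ts=1000."""
    store.write("docs/report.doc", b"draft 1", ts=100)
    store.write("docs/plan.xls", b"budget", ts=300)
    store.write("docs/report.doc", b"draft 2", ts=500)
    for path, data in [("docs/report.doc", b"draft 2"), ("docs/plan.xls", b"budget")]:
        store.write(path, fake_encrypt(data), ts=1000)


def compare() -> dict:
    """Run the same timeline against both stores and report what each can return."""
    mounted, versioned = MountedCopy(), VersionedStore()
    simulate(mounted)
    simulate(versioned)
    cutoff = versioned.detect_burst(min_files=2)
    return {
        "mounted_report": mounted.latest("docs/report.doc"),
        "versioned_latest_report": versioned.latest("docs/report.doc"),
        "detected_cutoff": cutoff,
        "versioned_restore": versioned.restore_all(cutoff) if cutoff else {},
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

Both stores end up with ciphertext as the "current" content, which is the point the thread makes about online copies; only the versioned store can produce the pre-infection state, and only because it never discards earlier versions. A retention window shorter than the time between infection and discovery would defeat it, which is the scenario the later "Offline Backups" reply raises.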

  24. jason 7

    Had this a few times too.

    Customers lost all their docs.

    However, most were just using the lapsed McAfee AV that was installed on the laptop when they bought it 4 years ago.....

  25. Sime

    The video here shows Sophos detecting this virus, but I've got a copy of CryptoLocker obtained from a clients site a couple of weeks ago and it's not picking it up here. Nor is AVG/MSE/Symantec. Unless my customer is (un)lucky enough to have been hit by a different strain :-\

    1. Tezfair

      The customer who had this had AV scanning at the ISP, Symantec / Brightmail on their exchange server and eset on the desktops. Yes, paranoid, but apparently a waste of time.

      I'm aware that new versions come out all the time, so I'm guessing my clients are at the top of the email list

  26. John Smith 19 Gold badge
    Unhappy

    So what AV's *do* detect it?

    Obvious question really.

    1. jason 7

      Re: So what AV's *do* detect it?

      This is the big rub with AV software. They are always 24 hours behind. The code for the malware is rewritten and tweaked daily, almost hourly, and then released in the wild.

      The AV companies make it easier as they allow 30 day trials of their software to test against.

      I have seen every type of mainstream AV beaten. I tell my customers getting a virus is like getting a cracked windscreen. You can go years without one and then get two in as many weeks.

      I do recommend adding EMET 4.0 as a bolster to your security. It's designed to enforce all the memory protection techniques to prevent zero day stuff. Really only works with Vista and above.

      If you run modern software you shouldn't have a problem.

      http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx

      http://krebsonsecurity.com/2013/06/windows-security-101-emet-4-0/

  27. RobotGuy

    Nasty evil thing

    I spent last Tuesday dealing with an infection from this thing. Luckily, I'd set up rsnapshot on our main network drives and it was extraordinarily easy to roll them back 4 hours to before the encryption was done. The rest of the time was spent trying to actually find the damn thing on the infected PC. I assume that our AV got it, but too late, as I couldn't find any of the files or registry entries that were supposed to be there. Eventually I gave up and just nuked the whole machine just to be on the safe side.

    1. jason 7

      Re: Nasty evil thing

      I've found it's dead simple to remove. It doesn't really hide itself all that much because...it doesn't have to. The damage is done.

      Combofix cleaned it up pretty quick. Worth checking out. Further scans with two other products found nothing more. Okay so the docs are hosed but that's too bad.

      However, I'm sure it will mutate.

  28. ecofeco Silver badge
    Facepalm

    $300?

    Let's see... if they managed to scam 10,000 people in one month that's...

    Holy crap I am in the wrong business.

    1. Anonymous Coward
      Anonymous Coward

      Re: $300?

      > Holy crap I am in the wrong business.

      And, according to comments above, they provide excellent customer service too. :-)

  29. Anonymous Coward
    Anonymous Coward

    A weakness?

    Apparently it doesn't encrypt files until it gets the individual private key from a control server. So if all outgoing connections are blocked by default for whatever the executable happens to be (e.g. by Windows 7 Firewall Control), the filesystem will be left untouched. Is this correct?

    1. Charles 9

      Re: A weakness?

      That's assuming the malware connects directly instead of hijacking an existing program like a web browser that already has outgoing permission. And this would only work on a whitelist system that defaults to deny. This would likely only be in highly-restricted workstations. More common would be a blacklist system which would default to allow.

  30. Alexander Caplan
    Headmaster

    Offline Backups

    The behaviour of this malware should be a reminder of the continued relevance of offline backup media, such as magnetic tape.

    It's not too difficult to imagine mechanisms by which malware could infiltrate online copies of data, or whereby a limited number of recovery points are also rendered ineffective. And malware's not the only threat: consider rogue or incompetent IT resources, malicious competitors, etc.

    Offline media remains the only solution which provides fully-immutable copies of data to recover from, if the worst happens.

    1. Anonymous Coward
      Anonymous Coward

      Re: Offline Backups

      No, the worst would be a malware with a lengthy hibernation such that it gets INTO your backups. With bad luck, it stays in your backups past the rotation limit before going off, and the next thing you realize, ALL your backups are tainted.

  31. hoola Silver badge

    IT Professionals?

    There are a lot of posts on the forum slagging off the user and implying that they are idiots. This misses the key point, they are "Users" and as such should not be required to have advanced knowledge of every virus and attack vector that is out there. That is the job of the IT Professional. It is also the job of the IT Professional to provide appropriate training. In large enterprises there will be training and comms teams to deploy this. The more detailed and arduous the training, the less likely it will be to have an effect.

    Shared drives/network share:-

    In order to do their job, employees will need access to shared data. This will also require a significant portion of it to be writable. The alternative is a nightmare of an administrative overhead with huge, unmanageable ACLs. I am not saying "Open everything up", just that the posts stating "the network shares should be read only" have not been written by anyone who has worked in the real world. As for backing up to a remote or cloud service such as Skydrive or GoogleDrive, if that is done via a mapped drive then you are still at risk. The way I see it only a true backup service such as Carbonite will protect you. For that you need to spend money, something the average home user is not prepared to do until it is too late.

    Opening attachments:-

    This is the single, biggest quick win and should be the number one training point. These sorts of attacks rely on an email that looks authentic. People then open the attachment because they do not think and are robo-clicking.

    Advertising on web pages:-

    How many times do you go to a website to download something legitimate and the largest "Download" button is for an unrelated "product". For product, insert whatever junk you like. Even reputable sites like CNET Downloads suffer from this click bait.

    I counted 5 easily accessible download buttons on the top download for "Avast". On less reputable sites the click bait pop-ups are a complete nightmare for the unwary.

    You cannot blame the user for incompetence when they are bombarded with this sort of junk from reputable websites.

    1. Anonymous Coward
      Anonymous Coward

      Re: IT Professionals?

      "I counted 5 easily accessible download buttons on the top download for "Avast". On less reputable sites the click bait pop-ups are a complete nightmare for the unwary. You cannot blame the user for incompetence when they are bombarded with this sort of junk from reputable websites."

      You raise a critical and understated point! As a pro I completely agree. Businesses shouldn't be doing this, and download pages shouldn't have competing rogue links. It's deceptive! But of course all that matters, especially to US businesses, is the bottom line! Even when the unwitting user has clicked on the correct download link, the loader app itself sometimes acts like a Malware 'dropper', by changing the search engine or installing a toolbar unless those nasty checkboxes are spotted. WTF?

      So what's the best solution? I don't know! Researching beforehand on online forums can sometimes help novices out.... But of course there are rogue links on there also. I struggle as a veteran too. I often check 2 or 3 sources for a website or a download link that I don't know beforehand. For instance, I'll see what official website Wikipedia lists for a company or product, see what site Google returns, and see what the forums are saying. So in short do an informal 'whitelist' type search. But it's a pain! I've gotten sick of having to maintain plug-ins, never mind Flash, Java, JavaScript vulnerabilities. Ironically, the only thing I completely trust are bit torrents, but of course I'd never recommend going that route if I was talking to a novice!

  32. phil dude
    Pint

    pretty sneaky...

    an interesting line of comments regarding DH and RSA....

    I would have thought it would be possible to have a collection of "special" files with numeric values that may help to find the private key. The only way I could think of doing this in a reasonable amount of time would be to use residue arithmetic and work on the fields in parallel and hope you hit the sub-solutions in time....

    On the "how to avoid this" score, I know this would not work at our lab. We have the "filers" that let you delete files and recover them right away for months... You know, proper snapshotting...

    Here's an open question. When Linux finally gets BTRFS properly implemented, will normal linux users be protected against this?

    I agree with the general sentiment that the whole point of a system is to protect itself...

    OK back to my beer....

    P.

    1. Charles 9

      Re: pretty sneaky...

      "Here's an open question. When Linux finally gets BTRFS properly implemented, will normal linux users be protected against this?"

      If set up correctly and the malware doesn't get past the snapshot threshold, then a backtrack may be possible, though I don't know enough about btrfs to learn if this is an exploited feature. Most of the work seems to be concentrated in the realm of snapshots, which are advantageous for VM hosts.

      1. phil dude
        Linux

        Re: pretty sneaky...

        Thank you, that was what I was wondering.

        The reason is my old lab had Netapp or equiv NFS filers that were bulletproof, data wise. Users couldn't accidentally wipe data even if they tried.

        So on the desktop system I was wondering if ZFS/BTRFS or somesuch that has "copy on write" would make this sort of malicious damage pointless on a normal desktop i.e. normal for linux, I don't know about other flavours...

        Of course running a windoze VM on linux would guard against this, if only because you roll back the FS or as you mentioned get the last snapshot!

        P.

  33. bchurby

    Scan for Cryptolocker encrypted files

    Here is a free scan tool that finds files that have been encrypted by CryptoLocker:

    http://omnispear.com/tools/cryptolocker-scan-tool
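The linked tool is a third-party scanner. For readers who want to see what such a scan can be based on (the earlier comment about files that "rely on some magic bytes to distinguish themselves" points at the same idea), here is an added example, not the omnispear tool and not code from the article: it flags a file as suspect when its leading bytes no longer match the magic number its extension implies and its byte distribution has near-maximal Shannon entropy, as ciphertext does. The magic-number table is a hand-written subset, the entropy threshold is an assumption, and all sample files are constructed in a temporary directory.

```python
"""Heuristic scan for files that may have been encrypted in place.

Added example (constructed samples, hand-picked thresholds). Two signals:
  1. header mismatch: the bytes at offset 0 are not what the extension implies;
  2. high entropy: byte distribution close to 8 bits/byte, typical of ciphertext.
Compressed formats (ZIP-based Office files, JPEG, PNG) legitimately have high
entropy, so entropy alone is never treated as a finding; the header has to be
wrong as well.
"""
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List, Tuple

# Expected leading bytes by extension (small subset, written for this example).
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    ".doc": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",),  # OLE2 compound document
    ".xls": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",),
    ".docx": (b"PK\x03\x04",),                        # OOXML is a ZIP container
    ".xlsx": (b"PK\x03\x04",),
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xFF\xD8\xFF",),
}

ENTROPY_THRESHOLD = 7.5   # bits/byte; assumed cut-off, plain documents sit well below
HEAD_BYTES = 65536        # only the first 64 KiB is read per file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def magic_mismatch(name: str, head: bytes) -> bool:
    """True when the extension is in MAGIC and no expected signature matches."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    if not expected:
        return False          # unknown extension: no opinion on the header
    return not any(head.startswith(sig) for sig in expected)


def classify(name: str, data: bytes) -> str:
    """'suspect' = wrong header and ciphertext-like entropy; 'review' = wrong
    header only (could be a mislabelled file); 'ok' otherwise."""
    mismatch = magic_mismatch(name, data[:16])
    if not mismatch:
        return "ok"
    return "suspect" if shannon_entropy(data[:HEAD_BYTES]) >= ENTROPY_THRESHOLD else "review"


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, verdict) for every file that is not 'ok'."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(HEAD_BYTES)
            except OSError:
                continue      # unreadable file: skip rather than abort the scan
            verdict = classify(fn, data)
            if verdict != "ok":
                findings.append((path, verdict))
    return sorted(findings)


def demo() -> Dict[str, str]:
    """Write constructed samples to a temp dir, scan it, return verdict by name."""
    high_entropy = bytes(range(256)) * 16   # stand-in for ciphertext: exactly 8.0 bits/byte
    samples = {
        "report.doc": MAGIC[".doc"][0] + b"quarterly report " * 40,   # intact document
        "budget.xls": high_entropy,                                   # header gone, random bytes
        "photo.jpg": MAGIC[".jpg"][0] + high_entropy,                 # compressed but intact
        "plan.pdf": b"just some text, saved with the wrong extension",
        "notes.txt": b"no magic number expected for .txt",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        found = {os.path.basename(p): v for p, v in scan_tree(tmp)}
    return {name: found.get(name, "ok") for name in samples}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

The "review" bucket exists because a wrong header on its own is common in the wild (renamed files, exported reports with the wrong extension), so a scanner that treats it as proof of encryption will drown the operator in false positives; the combination with entropy is what makes a finding actionable. On a real share the first-64 KiB read keeps the scan fast enough to run across millions of files, which is the scale the comments above describe.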

  34. JamesTQuirk

    Lots of useful Posts

    I really like Register, so much info in posts ....

    Maybe it's just me but, shouldn't a Macro/rexx script have copied the Excel data from 1 file to another and scanned it on the way thru ...? AUTOMATICALLY, on an isolated system or a sandboxed VM ?...

    My defenses are Backup, BackUP, BACKUP, and my HOME PC, Media Centre/ Game system have no internet connection..... Only my laptop's network can hook to the net; luckily in Linux it's easy to offline update other systems in the background, when & hopefully with what I choose ...

    If a bug eats my laptop, (or use another one while), I format and reinstall; all my docs or downloads on usb stick/drive are safe, maybe, if they are, then scanned, preened and polished they make it to the home net...

  35. Anonymous Coward
    Anonymous Coward

    Re, Lots of useful posts

    Someone should hack together a quantum computer from spare parts and brute force the swine.
