Ransomware in the wild: the CryptoLocker malware

CryptoLocker is a new variant of ransomware that encrypts documents, images, databases and many other files on the victim's computer and then demands that the owner pay the malware authors in order to get the files decrypted.


How to recognize it

CryptoLocker is mostly spread through fake emails designed to look as if they come from legitimate businesses, in particular fake FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear after a previous infection by one of several botnets frequently leveraged in the cyber-criminal underground [CERT US].

Recognizing the infection is easy, but only once the damage is done: after the encryption has finished, the window below appears on the screen. It shows the date and time at which the private key will be destroyed and a countdown until then. The deadline is around 3 days after infection (between 70 and 80 hours).

[Screenshot: the CryptoLocker ransom window with the countdown timer]

The criminals state that the only copy of the decryption key is held on their server(s): it is never stored on your computer, so you cannot decrypt your files without their help, and that help costs 300 EUR/USD or 2 Bitcoins.

[Screenshots: the payment-instruction pages of the ransom window]


What it does

The malware enumerates every drive letter the logged-on user can reach (local hard drives, USB drives, mapped network shares and even synced cloud-storage folders) and identifies the files it can encrypt. It runs with that user's own privileges, so any share the user can write to is in scope, not just the local disk.

Here is the complete list of file extensions the malware looks for and encrypts: 3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx.
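To see how much of a machine or a share is actually at risk, here is a small scanner, added as an example and not part of the original post or of any Avira product, that walks a directory tree and counts the files whose extension is on the list above. The directory layout it builds in main is constructed for the demo; point Exposure at a real drive letter or a mapped share, running as the account that normally works there, to measure your own exposure.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// The extension list published for CryptoLocker (the list above), as a set.
var targetExtensions = toSet(strings.Fields(`3fr accdb ai arw bay cdr cer cr2 crt crw dbf dcr der dng doc docm docx dwg dxf dxg eps erf indd jpe jpg kdc mdb mdf mef mrw nef nrw odb odm odp ods odt orf p12 p7b p7c pdd pef pem pfx ppt pptm pptx psd pst ptx r3d raf raw rtf rw2 rwl srf srw wb2 wpd wps xlk xls xlsb xlsm xlsx`))

func toSet(items []string) map[string]bool {
	s := make(map[string]bool, len(items))
	for _, it := range items {
		s[it] = true
	}
	return s
}

// extOf returns the lower-cased extension without the dot ("Photo.JPG" -> "jpg").
// Windows matches file names case-insensitively, so the check must too.
func extOf(name string) string {
	return strings.ToLower(strings.TrimPrefix(filepath.Ext(name), "."))
}

// IsTargeted reports whether CryptoLocker would encrypt a file with this name.
func IsTargeted(name string) bool {
	return targetExtensions[extOf(name)]
}

// Exposure walks root and counts the targeted files per extension. The malware
// runs with the user's privileges, so every mapped drive that account can write
// to belongs in the scan. Unreadable entries are skipped rather than aborting.
func Exposure(root string) (map[string]int, int, error) {
	counts := map[string]int{}
	total := 0
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() {
			return nil
		}
		if IsTargeted(d.Name()) {
			counts[extOf(d.Name())]++
			total++
		}
		return nil
	})
	return counts, total, err
}

// makeSampleTree creates a small constructed directory tree for the demo.
func makeSampleTree(dir string) error {
	files := []string{
		"Documents/report.docx",
		"Documents/notes.txt",
		"Pictures/holiday.JPG",
		"Pictures/thumbs.db",
		"Certs/client.pem",
	}
	for _, f := range files {
		p := filepath.Join(dir, filepath.FromSlash(f))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte("sample"), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "exposure")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := makeSampleTree(dir); err != nil {
		panic(err)
	}
	counts, total, err := Exposure(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d files at risk under %s\n", total, dir)
	for ext, n := range counts {
		fmt.Printf("  .%-5s %d\n", ext, n)
	}
}
```

Of the five constructed files, three (docx, jpg, pem) match the list; notes.txt and thumbs.db are left alone, which is exactly the pattern victims reported: the system still boots, only the data is gone.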

Before it encrypts anything, CryptoLocker contacts its command-and-control servers. The server generates a fresh RSA key pair for this victim and hands back only the public key; the private key, the only thing that can decrypt the files, never leaves the server.

To find those servers, CryptoLocker uses a domain generation algorithm that produces a new set of domain names every day, so a static blocklist does not help. This is also why the malware is rarely caught in action: it has to reach a live server first and only then does it start encrypting files. The flip side is that a host which cannot reach any of the generated domains (outbound DNS or HTTP blocked, the domain sinkholed) does not begin encrypting until it can.
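Because the encryption does not begin until a generated domain resolves, the DNS resolver is a good place to catch an infected host early. The detector below is added as an illustration and is not code from the original post: it reads a constructed resolver log (the line format and the addresses are assumptions for the demo) and flags clients that produce a burst of NXDOMAIN answers for random-looking names, which is what a host working through its daily list of generated domains looks like from the resolver's side.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// Constructed resolver log (not captured CryptoLocker traffic), one query per line:
// "<time> <client> <queried name> <response code>". 10.0.0.23 plays the infected host.
const sampleLog = `12:00:02 10.0.0.7  wwww.avira.com     NXDOMAIN
12:00:03 10.0.0.23 qwpxlkmvtrbsd.com  NXDOMAIN
12:00:03 10.0.0.23 hgtbuwqlpzxcnm.net NXDOMAIN
12:00:04 10.0.0.23 zjdnwtrhlykbq.biz  NXDOMAIN
12:00:04 10.0.0.23 vkcxqmpfdtyrs.ru   NXDOMAIN
12:00:05 10.0.0.23 lrxbtwgpmcdhvq.org NXDOMAIN
12:00:05 10.0.0.23 ytfqrspxwjmnb.info NXDOMAIN
12:00:06 10.0.0.23 pnmkdqzwryvbf.com  NOERROR`

type queryRecord struct{ Client, Name, RCode string }

// parseLog turns the log text into records, skipping blank or short lines.
func parseLog(text string) []queryRecord {
	var out []queryRecord
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) >= 4 {
			out = append(out, queryRecord{f[1], strings.ToLower(f[2]), f[3]})
		}
	}
	return out
}

// registrableLabel is the label left of the TLD, i.e. the part the DGA chose.
// Multi-part suffixes such as co.uk would need the public suffix list; not handled here.
func registrableLabel(name string) string {
	p := strings.Split(strings.TrimSuffix(name, "."), ".")
	if len(p) >= 2 {
		return p[len(p)-2]
	}
	return p[0]
}

// entropy is the Shannon entropy of s in bits per character. Generated labels use
// most letters once and score near log2(len(s)); words and brand names repeat letters.
func entropy(s string) float64 {
	freq := map[byte]int{}
	for i := 0; i < len(s); i++ {
		freq[s[i]]++
	}
	h := 0.0
	for _, c := range freq {
		p := float64(c) / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}

// hostStats counts a client's NXDOMAIN answers and sums the entropy of the failed names.
type hostStats struct {
	NXDomain   int
	entropySum float64
}

// Analyze aggregates failed lookups per client. The one generated name that does
// resolve is the live C2, but it is the string of failures that gives the host away.
func Analyze(records []queryRecord) map[string]*hostStats {
	stats := map[string]*hostStats{}
	for _, r := range records {
		if r.RCode != "NXDOMAIN" {
			continue
		}
		if stats[r.Client] == nil {
			stats[r.Client] = &hostStats{}
		}
		stats[r.Client].NXDomain++
		stats[r.Client].entropySum += entropy(registrableLabel(r.Name))
	}
	return stats
}

// FlagDGAHosts returns, sorted, the clients with at least minNX failed lookups
// whose failed names look random (mean entropy >= minEntropy bits).
func FlagDGAHosts(stats map[string]*hostStats, minNX int, minEntropy float64) []string {
	var flagged []string
	for client, h := range stats {
		if h.NXDomain > 0 && h.NXDomain >= minNX && h.entropySum/float64(h.NXDomain) >= minEntropy {
			flagged = append(flagged, client)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	stats := Analyze(parseLog(sampleLog))
	for _, c := range FlagDGAHosts(stats, 5, 3.0) {
		h := stats[c]
		fmt.Printf("%s: %d NXDOMAIN answers, mean label entropy %.2f bits\n", c, h.NXDomain, h.entropySum/float64(h.NXDomain))
	}
}
```

The thresholds (5 failed lookups, 3.0 bits) are assumptions to tune per environment; the typo in wwww.avira.com from the clean host is a single failure for a low-entropy name and is not flagged, while the infected host trips both conditions. Once a host is flagged, the generated names it queried are also the names to sinkhole, which stops the encryption from starting on any other host that is still looking for a server.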

The files are protected with asymmetric (public-key) cryptography, which uses two different keys: the public key the server sends can only encrypt, and the matching private key, the only one that can decrypt, stays with the attackers. In practice each file is encrypted with its own symmetric key, and that key is in turn encrypted with the RSA public key, so nothing left on the victim's machine is sufficient to reverse the process.
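To make concrete why nothing on the infected machine can undo the encryption, here is an added example of the key handling just described. It is not the malware's code: it uses the Go standard library's AES-GCM and RSA-OAEP rather than the exact Windows CryptoAPI primitives the malware called, and the file contents are a constructed sample. The server keeps the RSA private key, the victim side receives only the public key, and each file is encrypted under its own symmetric key which is then wrapped with that public key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what is left on the victim's disk: the file body under a
// per-file AES-256-GCM key, and that key wrapped with the server's RSA public key.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(serverPublicKey, fileKey)
	Nonce      []byte
	Ciphertext []byte
}

// ServerKeyPair stands in for the key pair the C2 server generates per victim.
// Only the public half is ever sent to the infected machine.
func ServerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFile is the victim-side step: it holds the public key and nothing else.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // AES-256 key, fresh for every file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// The plain fileKey is dropped here; only the RSA-wrapped copy survives, and
	// unwrapping it needs the private key that never reached this machine.
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// DecryptFile is the server-side step. With any key other than the server's
// private key, DecryptOAEP fails and the file key is never recovered.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	server, err := ServerKeyPair() // lives on the C2 only
	if err != nil {
		panic(err)
	}
	ef, err := EncryptFile(&server.PublicKey, []byte("Q3 payroll figures (constructed sample)"))
	if err != nil {
		panic(err)
	}
	// A recovery attempt with any key pair other than the server's fails.
	guess, _ := ServerKeyPair()
	if _, err := DecryptFile(guess, ef); err != nil {
		fmt.Println("victim side, without the server's private key:", err)
	}
	pt, err := DecryptFile(server, ef)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server side, with the private key: %q\n", pt)
}
```

The wrapped key and the ciphertext are the only things written to disk, and both are useless without the private half of a 2048-bit RSA key that was generated elsewhere. Brute-forcing that key, or the 256-bit AES key it protects, is out of reach, which is the whole reason a backup is the only way back.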

To survive a reboot, the malware writes registry values that make Windows launch the malicious file again at every logon. Note the leading asterisk on the RunOnce entries: it tells Windows to run them even when the machine is started in Safe Mode.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker_<version_number>"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker_<version_number>"


Detection

The good news is that CryptoLocker is not a virus (self-replicating malware) but a trojan, so it cannot spread on its own through your network: each user has to receive and run it individually. Its only purpose is to encrypt files and demand payment for the decryption.

The bad news is that it does its damage silently (encrypting your files) and only announces its presence on the affected machine afterwards.


All Avira products detect this malware as "TR/Fraud.Gen2".


Mitigation techniques

  • Always run up-to-date antivirus software. As mentioned above, all Avira products detect and remove it. Unfortunately, removal does not decrypt the files the malware has already encrypted.
  • Do not open suspicious or unsolicited web links.
  • Do not open emails that you didn't request.
  • Do not execute attachments from emails, even if they appear to come from people you know.
  • Keep a backup. If you use real-time backup software (e.g. Avira Secure Backup, Dropbox, etc.), make sure you first clean the computer and only then restore the unencrypted versions of the files; otherwise the restored copies get encrypted again. Be aware that a sync service will have uploaded the encrypted versions as well, so you need its version history to get the clean copies back.


What to do if you are infected?

We strongly recommend running a system scan with the Avira Rescue System, which boots from its own medium so that the malware is not running and cannot interfere with the scan results.

Here are additional steps you can take when your computer has a malware infection.

One last thing, which we keep repeating: never, ever pay the ransom. You would only be encouraging other criminals to go the same way.

Unfortunately, it is not possible to decrypt the files the malware encrypted by yourself: the private key was never on your machine, and the asymmetric cryptography makes recovering it practically impossible. Only restoring from a backup will get your files back.


 Sorin Mustaca

IT Security Expert