CryptoLocker: Difference between revisions
4 of those IC have nothing to do with the sentence. |
|||
Line 32: | Line 32: | ||
While security software is designed to detect such threats, it might not detect CryptoLocker at all, or only after encryption is underway or complete, particularly if a new version unknown to the protective software is distributed.<ref>[http://www.yumasun.com/articles/windows-90682-yuma-cryptolocker.html The Yuma Sun, on a CryptoLocker attack]: "... was able to go undetected by the antivirus software used by the Yuma Sun because it was Zero-day malware"</ref> If an attack is suspected or detected in its early stages, it takes some time for encryption to take place; immediate removal of the malware (a relatively simple process) before it has completed would limit its damage to data.<ref name=register/><ref name=malwarebytes>{{cite web|last=Cannell|first=Joshua|title=Cryptolocker Ransomware: What You Need To Know|url=http://blog.malwarebytes.org/intelligence/2013/10/CryptoLocker-ransomware-what-you-need-to-know/|work=Malwarebytes Unpacked|accessdate=19 October 2013}}</ref> Experts suggested precautionary measures, such as using software or other security policies to block the CryptoLocker payload from launching.<ref name=details/><ref name=cw-cryptolocker/><ref name=ars-cryptolocker>{{cite web|title=You’re infected—if you want to see your data again, pay us $300 in Bitcoins|url=http://arstechnica.com/security/2013/10/youre-infected-if-you-want-to-see-your-data-again-pay-us-300-in-bitcoins/|work=Ars Technica|accessdate=23 October 2013}}</ref><ref name=guardian-cryptolocker>{{cite web|title=CryptoLocker attacks that hold your computer to ransom|url=http://www.theguardian.com/money/2013/oct/19/cryptolocker-attacks-computer-ransomeware|work=The Guardian|accessdate=23 October 2013}}</ref><ref name=register>{{cite web|last=Leyden|first=Josh|title=Fiendish CryptoLocker ransomware: Whatever you do, don't PAY|url=http://www.theregister.co.uk/2013/10/18/cryptolocker_ransmware|work=The Register|accessdate=18 October 2013}}</ref> |
While security software is designed to detect such threats, it might not detect CryptoLocker at all, or only after encryption is underway or complete, particularly if a new version unknown to the protective software is distributed.<ref>[http://www.yumasun.com/articles/windows-90682-yuma-cryptolocker.html The Yuma Sun, on a CryptoLocker attack]: "... was able to go undetected by the antivirus software used by the Yuma Sun because it was Zero-day malware"</ref> If an attack is suspected or detected in its early stages, it takes some time for encryption to take place; immediate removal of the malware (a relatively simple process) before it has completed would limit its damage to data.<ref name=register/><ref name=malwarebytes>{{cite web|last=Cannell|first=Joshua|title=Cryptolocker Ransomware: What You Need To Know|url=http://blog.malwarebytes.org/intelligence/2013/10/CryptoLocker-ransomware-what-you-need-to-know/|work=Malwarebytes Unpacked|accessdate=19 October 2013}}</ref> Experts suggested precautionary measures, such as using software or other security policies to block the CryptoLocker payload from launching.<ref name=details/><ref name=cw-cryptolocker/><ref name=ars-cryptolocker>{{cite web|title=You’re infected—if you want to see your data again, pay us $300 in Bitcoins|url=http://arstechnica.com/security/2013/10/youre-infected-if-you-want-to-see-your-data-again-pay-us-300-in-bitcoins/|work=Ars Technica|accessdate=23 October 2013}}</ref><ref name=guardian-cryptolocker>{{cite web|title=CryptoLocker attacks that hold your computer to ransom|url=http://www.theguardian.com/money/2013/oct/19/cryptolocker-attacks-computer-ransomeware|work=The Guardian|accessdate=23 October 2013}}</ref><ref name=register>{{cite web|last=Leyden|first=Josh|title=Fiendish CryptoLocker ransomware: Whatever you do, don't PAY|url=http://www.theregister.co.uk/2013/10/18/cryptolocker_ransmware|work=The Register|accessdate=18 October 2013}}</ref> |
||
Due to the nature of CryptoLocker's operation, some experts reluctantly suggested that paying the ransom was the only way to recover files from CryptoLocker in the absence of backups (in particular, [[Off-line storage|offline]] backups that are inaccessible from the network;<ref name=securityweek131119/> CryptoLocker may encrypt backups accessible via a drive letter, and attempts to delete Windows [[Shadow Copy]] backups on the local hard drive or network before encrypting files). Due to the length of the key employed by CryptoLocker, experts considered it practically impossible to use a [[brute-force attack]] to obtain the key needed to decrypt files without paying; the similar 2008 worm Gpcode.AK used a 1024-bit key that was believed to be large enough to be computationally infeasible to break without a concerted [[distributed computing|distributed]] effort, or the discovery of a flaw that could be used to break the encryption. [[Sophos]] security analyst Paul Ducklin even speculated that CryptoLocker's online decryption service involved the brute forcing of its own encryption.<ref name=pcw-moremoney/ |
Due to the nature of CryptoLocker's operation, some experts reluctantly suggested that paying the ransom was the only way to recover files from CryptoLocker in the absence of backups (in particular, [[Off-line storage|offline]] backups that are inaccessible from the network;<ref name=securityweek131119/> CryptoLocker may encrypt backups accessible via a drive letter, and attempts to delete Windows [[Shadow Copy]] backups on the local hard drive or network before encrypting files). Due to the length of the key employed by CryptoLocker, experts considered it practically impossible to use a [[brute-force attack]] to obtain the key needed to decrypt files without paying; the similar 2008 worm Gpcode.AK used a 1024-bit key that was believed to be large enough to be computationally infeasible to break without a concerted [[distributed computing|distributed]] effort, or the discovery of a flaw that could be used to break the encryption. [[Sophos]] security analyst Paul Ducklin even speculated that CryptoLocker's online decryption service involved the brute forcing of its own encryption.<ref name=pcw-moremoney/> |
||
In late October 2013, security vendor [[Kaspersky Labs]] reported that a [[DNS sinkhole]] had been created to block some of the domain names used by CryptoLocker.<ref name=securelist-cl>{{cite web|title=Cryptolocker Wants Your Money!|url=http://www.securelist.com/en/blog/208214109/Cryptolocker_Wants_Your_Money|work=SecureList|publisher=Kapersky|accessdate=30 October 2013}}</ref> |
In late October 2013, security vendor [[Kaspersky Labs]] reported that a [[DNS sinkhole]] had been created to block some of the domain names used by CryptoLocker.<ref name=securelist-cl>{{cite web|title=Cryptolocker Wants Your Money!|url=http://www.securelist.com/en/blog/208214109/Cryptolocker_Wants_Your_Money|work=SecureList|publisher=Kapersky|accessdate=30 October 2013}}</ref> |
Revision as of 04:33, 25 December 2013
CryptoLocker | |
---|---|
Type | Ransomware |
Subtype | Cryptovirus |
Classification | Trojan horse |
Technical details | |
Platform | Windows |
CryptoLocker is a ransomware trojan which targets computers running Microsoft Windows.[1] First surfacing in September 2013, a CryptoLocker attack may come from various sources; one such is disguised as a legitimate email attachment. When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid voucher) is made by a stated deadline, and threatens to delete the private key if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin.
Although CryptoLocker itself is readily removed, files remain encrypted in a way which researchers have considered infeasible to break. Many say that the ransom should not be paid, but do not offer any way to recover files; others say that paying the ransom is the only way to recover files that had not been backed up. Payment often, but not always, has been followed by files being decrypted.
Operation
CryptoLocker typically propagates as an attachment to a seemingly innocuous e-mail message, which appears to have been sent by legitimate company; or, it is uploaded to a computer already recruited to a botnet[2] by a previous Trojan infection. A ZIP file attached to an email message contains an executable file with the filename and the icon disguised as a PDF file, taking advantage of Windows' default behaviour of hiding the extension from file names to disguise the real .EXE extension. Some instances may actually contain the Zeus trojan instead, which in turn installs CryptoLocker.[3][4] When first run, the payload installs itself in the Documents and Settings folder with a random name, and adds a key to the registry that causes it to run on startup. It then attempts to contact one of several designated command and control servers; once connected, the server then generates a 2048-bit RSA key pair, and sends the public key back to the infected computer.[3][1] The server may be a local proxy and go through others, frequently relocated in different countries to make tracing difficult.[5][6]
The payload then proceeds to begin encrypting files across local hard drives and mapped network drives with the public key, and logs each file encrypted to a registry key. The process only encrypts data files with certain extensions, including Microsoft Office, OpenDocument, and other documents, pictures, and AutoCAD files.[4] The payload then displays a message informing the user that files have been encrypted, and demands a payment of 300 USD or Euro through an anonymous pre-paid cash voucher (i.e. MoneyPak or Ukash), or an equivalent amount in Bitcoin within 72 or 100 hours (while starting at 2 BTC, the ransom price has been adjusted all the way down to 0.3 by the operators to reflect the fluctuating value of Bitcoin),[7] or else the private key on the server would be destroyed, and "nobody and never will be able to restore files."[3][1] Payment of the ransom allows the user to download the decryption program, which is pre-loaded with the user's private key.[3] Symantec estimated that 3% of users infected by CryptoLocker chose to pay.[6] Some victims claimed that, even with payment, their files were not decrypted.[2]
In November 2013, the operators of CryptoLocker launched an online service which claims to allow users to decrypt their files without the CryptoLocker program, and to purchase the decryption key after the deadline expires; the process involves uploading an encrypted file to the site as a sample, and waiting for the service to find a match, which the site claims would occur within 24 hours. Once a match is found, the user can pay for the key online; if the 72-hour deadline has passed, the cost increases to 10 Bitcoin.[8][9]
Mitigation
While security software is designed to detect such threats, it might not detect CryptoLocker at all, or only after encryption is underway or complete, particularly if a new version unknown to the protective software is distributed.[10] If an attack is suspected or detected in its early stages, it takes some time for encryption to take place; immediate removal of the malware (a relatively simple process) before it has completed would limit its damage to data.[11][12] Experts suggested precautionary measures, such as using software or other security policies to block the CryptoLocker payload from launching.[3][4][1][6][11]
Due to the nature of CryptoLocker's operation, some experts reluctantly suggested that paying the ransom was the only way to recover files from CryptoLocker in the absence of backups (in particular, offline backups that are inaccessible from the network;[2] CryptoLocker may encrypt backups accessible via a drive letter, and attempts to delete Windows Shadow Copy backups on the local hard drive or network before encrypting files). Due to the length of the key employed by CryptoLocker, experts considered it practically impossible to use a brute-force attack to obtain the key needed to decrypt files without paying; the similar 2008 worm Gpcode.AK used a 1024-bit key that was believed to be large enough to be computationally infeasible to break without a concerted distributed effort, or the discovery of a flaw that could be used to break the encryption. Sophos security analyst Paul Ducklin even speculated that CryptoLocker's online decryption service involved the brute forcing of its own encryption.[9]
In late October 2013, security vendor Kaspersky Labs reported that a DNS sinkhole had been created to block some of the domain names used by CryptoLocker.[13]
Earnings
In December 2013, ZDNet traced four Bitcoin addresses posted by users who had been infected by CryptoLocker, in an attempt to gauge the operators' earnings. The four addresses showed movement of 41,928 BTC between October 15 and December 18, a value of about $27,000,000 USD per the exchange rate at that point in time.[7]
See also
References
- ^ a b c d "You're infected—if you want to see your data again, pay us $300 in Bitcoins". Ars Technica. Retrieved 23 October 2013.
- ^ a b c Security Week: Cryptolocker Infections on the Rise; US-CERT Issues Warning, 19 November 2013
- ^ a b c d e Abrams, Lawrence. "CryptoLocker Ransomware Information Guide and FAQ". Bleeping Computer. Retrieved 25 October 2013.
- ^ a b c "Cryptolocker: How to avoid getting infected and what to do if you are". Computerworld. Retrieved 25 October 2013.
- ^ "Destructive malware "CryptoLocker" on the loose - here's what to do". Naked Security. Sophos. Retrieved 23 October 2013.
- ^ a b c "CryptoLocker attacks that hold your computer to ransom". The Guardian. Retrieved 23 October 2013.
- ^ a b Violet Blue (22 December 2013). "CryptoLocker's crimewave: A trail of millions in laundered Bitcoin". ZDNet. Retrieved 23 December 2013.
- ^ "CryptoLocker crooks charge 10 Bitcoins for second-chance decryption service". NetworkWorld. Retrieved 5 November 2013.
- ^ a b "CryptoLocker creators try to extort even more money from victims with new service". PC World. Retrieved 5 November 2013.
- ^ The Yuma Sun, on a CryptoLocker attack: "... was able to go undetected by the antivirus software used by the Yuma Sun because it was Zero-day malware"
- ^ a b Leyden, Josh. "Fiendish CryptoLocker ransomware: Whatever you do, don't PAY". The Register. Retrieved 18 October 2013.
- ^ Cannell, Joshua. "Cryptolocker Ransomware: What You Need To Know". Malwarebytes Unpacked. Retrieved 19 October 2013.
- ^ "Cryptolocker Wants Your Money!". SecureList. Kapersky. Retrieved 30 October 2013.