New Site Recovers Files Locked by Cryptolocker Ransomware
By Brian Krebs
Until today, Microsoft Windows users who’ve been unfortunate enough to have the personal files on their computer encrypted and held for ransom by a nasty strain of malware called CryptoLocker have been faced with a tough choice: Pay cybercrooks a ransom of a few hundred to several thousand dollars to unlock the files, or kiss those files goodbye forever. That changed this morning, when two security firms teamed up to launch a free new online service that can help victims unlock and recover files scrambled by the malware.
First spotted in September 2013, CryptoLocker is a prolific and very damaging strain of malware that uses very strong encryption to lock files that are likely to be the most valued by victim users, including Microsoft Office documents, photos, and MP3 files.
Infected machines typically display a warning that the victim’s files have been locked and can only be decrypted by sending a certain fraction or number of Bitcoins to a decryption service run by the perpetrators. Victims are given 72 hours to pay the ransom — typically a few hundred dollars worth of Bitcoins — after which time the ransom demand increases fivefold or more.
But early Wednesday morning, two security firms – Milpitas, Calf. based FireEye and Fox-IT in the Netherlands — launched decryptcryptolocker.com, a site that victims can use to recover their files. Victims need to provide an email address and upload just one of the encrypted files from their computer, and the service will email a link that victims can use to download a recovery program to decrypt all of their scrambled files.
The free decryption service was made possible because Fox-IT was somehow able to recover the private keys that the cybercriminals who were running the CryptoLocker scam used on their own (not free) decryption service. Neither company is disclosing much about how exactly those keys were recovered other than to say that the opportunity arose as the crooks were attempting to recover from Operation Tovar, an international effort in June that sought to dismantle the infrastructure that CryptoLocker used to infect PC's.
That effort culminated in the takeover of the GameOver Zeus botnet, a huge crime machine that infected an estimated 500,000 to 1 million PC's and that was being used as a distribution platform for CryptoLocker.
“After Operation Tovar, a significant blow was dealt to criminals infrastructure and we stopped seeing new Cryptolocker infections being spread”,” said Uttang Dawda, a malware researcher with FireEye. “They tried to recover that infrastructure, but in the process copied over the private encryption keys to a part of Fox-IT’s infrastructure.”
Dawda said it’s important to note that this service only unlocks files encrypted by CryptoLocker. Although there are several copycat strains of malware — including CryptoWall, CryptoDefense and OnionLocker — CryptoLocker has by far the largest “market share” among them.
It’s not clear how many systems are infected with CryptoLocker, but it is likely to be in the six figures. According to Fox-It, when CryptoLocker infections first started in September 2013, the largest number of infections in one month occurred during October 2013, with over 155000 systems affected worldwide. The company said this accounts for nearly 29% of all infections between September and May 2014.
After October 2013 the rates dropped, but still steadily pacing at around 50,000 infections per month.
Sadly, most of those victims probably lost all of their most treasured files. Fox-It says that only 1.3% of victims paid a CryptoLocker ransom.
“Therefore, a large amount of victims likely permanently lost files due to this attack,” the company wrote in a blog post about the new service.
CryptoLocker infections by country. Source: Fox-IT
Announcement
Collapse
No announcement yet.
How To Avoid CryptoLocker Ransomware
Collapse
X
-
How To Avoid CryptoLocker Ransomware
By Brian Krebs
Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from “CryptoLocker,” the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.
A CryptoLocker prompt and countdown clock. Image: Malwarebytes.org
According to reports from security firms, CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious Web sites by exploiting outdated browser plugins.
The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand, which can range from $100 to $300 (and payable only in Bitcoins).
File-encrypting malware is hardly new. This sort of diabolical threat has been around in various incarnations for years, but it seems to have intensified in recent months. For years, security experts have emphasized the importance of backing up one’s files as a hedge against disaster in the wake of a malware infestation. Unfortunately, if your backup drives are connected physically or via the local network to the PC that gets infected with CryptoLocker, your backups may also be encrypted as well.
Computers infected with CryptoLocker may initially show no outward signs of infection; this is because it often takes many hours for the malware to encrypt all of the files on the victim’s PC and attached or networked drives. When that process is complete, however, the malware will display a pop-up message similar to the one pictured above, complete with a countdown timer that gives victims a short window of time in which to decide whether to pay the ransom or lose access to the files forever.
Fortunately, there are a couple of simple and free tools that system administrators and regular home users can use to minimize the threat from CryptoLocker malware. A team of coders and administrators from enterprise consulting firm thirdtier.net have released the CryptoLocker Prevention Kit – a comprehensive set of group policies that can be used to block CryptoLocker infections across a domain. The set of instructions that accompanies this free toolkit is comprehensive and well documented, and the group policies appear to be quite effective.
Individual Windows users should check out CryptoPrevent, a tiny utility from John Nicholas Shaw, CEO and developer of Foolish IT, a computer consultancy based in Outer Banks, N.C. Shaw said he created the tool to mimic the actions of the CryptoLocker Prevention Kit, but for home users. So far, he said, the CryptoPrevent installer and its portable version have seen tens of thousands of downloads.
CryptoPrevent user interface
He notes that some antivirus tools have occasionally detected his kit as malicious or suspicious, and that McAfee SiteAdvisor currently lists his domain as potentially dangerous without explaining why (I know how he feels: KrebsOnSecurity.com was at one time flagged as potentially dangerous by this service). In addition, some folks have been thrown by the apparent expletive in his company’s domain name — foolishit.net.
“When I started Foolish IT [back in 2008], I went for the domain foolishtech.com but it wasn’t available and this was one of the suggestions that GoDaddy gave me,” Shaw said. “I thought it was funny and decided to go with it.”
CryptoLocker might be the best advertisement yet for cloud data storage systems. Johnny Kessel, a computer repair consultant with San Diego-based KitRx, has been urging clients to move more of their data to cloud services offered by Google and others. Kessel said one of his clients got hit with CryptoLocker a few weeks ago — losing access to not only the files on the local machine but also the network file server.
“This thing hit like pretty much all the file extensions that are usable, from Mp3s to [Microsoft] Word docs,” Kessel said. “About the only thing it didn’t touch were system files and .exe’s, encrypting most everything else with 2048-bit RSA keys that would take like a quadrillion years to decrypt. Once the infection happens, it can even [spread] from someone on a home PC [using a VPN] to access their work network, and for me that’s the most scary part.”
For further reading on CryptoLocker, please see:
BleepingComputer discussion thread.
Malwarebytes: Cryptolocker Ransomware: What you need to know.
Naked Security (Sophos): Destructive malware Cryptolocker on the loose.
http://www.symantec.com/connect/foru...d-adc-policies
Reddit thread: Proper care and feeding of your Cryptolocker
Makeuseof.com: Cryptolocker is the nastiest malware ever and here’s what you can do
Ars Technica: You’re infected — if you want to see your data again, pay us $300 in Bitcoins
Leave a comment: