CryptoLocker! – BAD ransomware! You better hope you have a backup!

Posted on 09/27/13 in News, Small Business, Support, No Comments

Truly, I have never come across such a nasty virus in my entire IT career! Just sayin’… BACKUP!

Malware is making its rounds, and even though you may be able to remove it, it encrypts your files, and by removing it you lose the ability to unlock them.

FOR REAL!

So, hope that you do not get infected; otherwise, plan on paying to get access to your files.

BACKUP!!!

http://www.bleepingcomputer.com/forums/t/507240/crypto-locker-malware-removed-files-still-encrypted

http://www.geek.com/apps/disk-encryptiing-cryptolocker-malware-demands-300-to-decrypt-your-files-1570402

Had a user have this happen to them just today. We were able to restore the server from a backup, but they lost one day of data: the backup from the “infection night” was encrypted as well.

Good luck.

________________________________________

 

CryptoLocker, the ransomware, is cleverly delivered to employees of various organizations via emails purportedly sent by disgruntled customers complaining about a service or product.

reference: net-security.org/malware_news.php?id=2594

Once the emailed downloader is run, it fetches and runs the ransomware, which immediately ensures that it will start automatically every time the computer is rebooted by making changes in the OS’s registry.

The ransomware then tries to connect to its C&C server – either on a static, hardcoded domain (which has already been taken down) or by using a domain generation algorithm to create random domains each day.
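What a date-seeded domain generation algorithm means for the defender, as an added illustration in Go that is not CryptoLocker's code and not the real CryptoLocker DGA (the page does not describe it): the hashing scheme, the TLD list and the DNS log lines below are all constructed for this example. The point it makes is that a DGA whose only input is the calendar day can be run ahead of time by anyone who has the algorithm, so the day's candidate domains can be precomputed into a blocklist or matched against resolver logs before the malware ever reaches its C&C.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"fmt"
	"strings"
	"time"
)

// tlds and the SHA-256 scheme below are this example's assumptions, chosen only
// to show the shape of a date-seeded DGA; they are not CryptoLocker's algorithm.
var tlds = []string{"com", "net", "org", "info", "biz"}

// dailyDomains derives count candidate domains from the UTC calendar day alone.
// Because the date is the only input, a defender can compute the same list.
func dailyDomains(day time.Time, count int) []string {
	out := make([]string, 0, count)
	date := day.UTC().Format("2006-01-02")
	for i := 0; i < count; i++ {
		sum := sha256.Sum256([]byte(fmt.Sprintf("%s:%d", date, i)))
		var sb strings.Builder
		for _, b := range sum[:12] { // 12 lowercase letters from the digest
			sb.WriteByte('a' + b%26)
		}
		out = append(out, sb.String()+"."+tlds[int(sum[12])%len(tlds)])
	}
	return out
}

// blocklist turns the day's candidates into a set for constant-time lookups.
func blocklist(domains []string) map[string]bool {
	bl := make(map[string]bool, len(domains))
	for _, d := range domains {
		bl[d] = true
	}
	return bl
}

// matchDNSLog scans lines of the form "<timestamp> <client> <qname>" (an assumed
// resolver log layout) and returns "client qname" for every blocklisted query.
func matchDNSLog(log string, bl map[string]bool) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			continue
		}
		q := strings.TrimSuffix(strings.ToLower(f[2]), ".") // drop trailing root dot
		if bl[q] {
			hits = append(hits, f[1]+" "+q)
		}
	}
	return hits
}

// sampleLog builds a constructed query log for the given day: two benign
// lookups and one query for a domain on that day's generated list.
func sampleLog(day time.Time) string {
	hit := dailyDomains(day, 100)[17]
	return strings.Join([]string{
		"2013-09-27T08:01:12Z 10.0.0.21 www.example.com",
		"2013-09-27T08:01:15Z 10.0.0.34 " + hit + ".",
		"2013-09-27T08:01:20Z 10.0.0.21 mail.example.org",
	}, "\n")
}

func main() {
	day := time.Date(2013, 9, 27, 0, 0, 0, 0, time.UTC)
	bl := blocklist(dailyDomains(day, 1000)) // today's precomputed candidates
	for _, h := range matchDNSLog(sampleLog(day), bl) {
		fmt.Println("possible DGA beacon:", h)
	}
}
```

The same precomputed list is what makes sinkholing practical: registering or blocking tomorrow's candidates ahead of the malware cuts it off from the key exchange that has to happen before any file is encrypted. Adapt the field positions in matchDNSLog to the real resolver's log format.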

When it succeeds, it sends out information about the system (language, network’s name, etc.) and receives a unique RSA public key that it can then use to encrypt the files to be held for ransom.

It’s obvious from the files it targets that the ransomware is interested only in those that are crucial to organizations: Open Office files, Outlook Express, MS Office, Adobe Suite (Photoshop, Illustrator, etc.), AutoCAD, server response files, digital certificate files, digital image files specific to certain camera types, etc.

“For each file matching one of these patterns, the malware will generate a new 256 bit AES key. This key will then be used to encrypt the content of the file using the AES algorithm,” the researchers explained.

“The AES key is then encrypted using the unique RSA public key obtained earlier. Both the RSA encrypted AES key, as well as the AES encrypted file content together with some additional header information are then written back to the file. Last but not least the malware will log the encryption of the file within the HKEY_CURRENT_USER\Software\CryptoLocker\Files registry key. This key is later used by the malware to present the list of encrypted files to the user and to speed up decryption.”

Unfortunately for those who fall for the trick and get their computer infected, there is no feasible way to decrypt the files without the help of the cyber crooks operating the C&C server – the only place where the RSA private key matching the public key sent to the victim’s system can be found. The public key left on the infected machine is enough to encrypt, but useless for decrypting.
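The per-file envelope scheme the researchers describe, as an added example in Go that is neither the malware's code nor the researchers' own. It follows the write-up's structure (a fresh 256-bit AES key per file, the content encrypted under that key, the AES key wrapped with the victim-specific RSA public key, everything written back as one blob) but the concrete choices are this example's assumptions: AES-GCM and RSA-OAEP rather than whatever modes the malware used, an invented container layout with a "HYBRID01" tag, and constructed sample content. newKeyPair stands in for the C&C server generating the victim's key pair. The example shows what the last paragraph asserts: the matching private key opens the file, an unrelated private key does not, and because every file gets its own AES key, recovering one key would not unlock the rest.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// magic is an assumed container tag; CryptoLocker's real header layout is not
// described on the page, so this container format is an illustration only.
var magic = []byte("HYBRID01")

// newKeyPair stands in for the C&C server generating the victim's RSA key pair.
// The private half never leaves the server; only the public half is sent down.
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// sealFile does per file what the write-up describes: fresh 256-bit AES key,
// content encrypted under it, key wrapped with the RSA public key. AES-GCM and
// RSA-OAEP are this example's choices, not necessarily the malware's.
func sealFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, 32) // new 256-bit key for every file, never reused
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, magic) // magic doubles as AAD
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	// Container: magic | uint16 wrapped-key length | wrapped key | nonce | ciphertext
	var out bytes.Buffer
	out.Write(magic)
	binary.Write(&out, binary.BigEndian, uint16(len(wrapped)))
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(body)
	return out.Bytes(), nil
}

// openFile reverses sealFile. It needs the RSA private key: the public key that
// sat on the infected machine cannot unwrap the per-file AES key.
func openFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	off := len(magic) + 2
	if len(blob) < off || !bytes.Equal(blob[:len(magic)], magic) {
		return nil, errors.New("not a sealed container")
	}
	n := int(binary.BigEndian.Uint16(blob[len(magic):off]))
	if len(blob) < off+n {
		return nil, errors.New("truncated container")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[off:off+n], nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap AES key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	rest := blob[off+n:]
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("truncated container")
	}
	return gcm.Open(nil, rest[:gcm.NonceSize()], rest[gcm.NonceSize():], magic)
}

func main() {
	server, _ := newKeyPair() // the crooks' side; private half stays with them
	other, _ := newKeyPair()  // an unrelated key, to show it does not help
	doc := []byte("constructed sample: Q3 invoices") // constructed content
	blob, _ := sealFile(&server.PublicKey, doc)
	back, err := openFile(server, blob)
	fmt.Printf("with the server's private key: %q err=%v\n", back, err)
	_, err = openFile(other, blob)
	fmt.Printf("with any other private key: err=%v\n", err)
}
```

Nothing in the blob, and nothing left on the disk, lets a responder recover the AES key: brute-forcing a 256-bit key is out of the question, and the RSA-wrapped copy is only readable with the private half that stayed on the C&C server. That is exactly why restoring from a backup taken before the encryption pass is the only dependable path.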

As you can see in the screenshot above, the crooks demand that the victim hand over “300 USD / 300 EUR / similar amount in another currency” in order to get the files decrypted but, unfortunately, there is no guarantee that they will hold up their end of the bargain once they get the money.

In cases such as these, the only thing that remains to be done is to wipe the computer and restore the files from backup.

You do back up regularly, don’t you?

 

______________________________________________________