CryptoLocker
CryptoLocker was a ransomware trojan that targeted computers running Microsoft Windows and was first observed by Dell SecureWorks in September 2013. CryptoLocker propagated via infected email attachments and via an existing botnet; when activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography (a hybrid scheme in practice: file contents were encrypted with a symmetric key, and that key was in turn encrypted under a per-victim RSA public key), with the private key stored only on the malware's control servers. The malware then displayed a message offering to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) was made by a stated deadline, and threatened to delete the private key if the deadline passed. If the deadline was not met, the malware's operators offered to decrypt the data via an online service, for a significantly higher price in Bitcoin.
Although CryptoLocker itself was readily removed, the files remained encrypted in a way that researchers considered infeasible to break. Many commentators said that the ransom should not be paid, but offered no way to recover the files; others said that paying the ransom was the only way to recover files that had not been backed up. Some victims reported that paying the ransom did not always lead to their files being decrypted.
Operation
CryptoLocker typically propagated as an attachment to a seemingly innocuous e-mail message that appeared to have been sent by a legitimate company.[4] A ZIP file attached to the message contained an executable whose filename and icon were disguised as those of a PDF file, taking advantage of Windows' default behaviour of hiding known file extensions to conceal the real .EXE extension. CryptoLocker was also propagated using the Gameover ZeuS trojan and botnet.
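A mail-gateway style check for the lure described above, added here as an example and not code from the original page or from any analysis it cites. It opens a ZIP attachment in memory and flags members that carry an executable extension, use a document-style double extension such as .pdf.exe, or begin with the PE "MZ" signature under a non-executable name; it also shows what the victim would have seen with extensions hidden. The extension sets, the function names and the sample archive are assumptions constructed for the illustration.

```python
"""Added example, not part of the original page: inspect a ZIP attachment for
an executable disguised as a document. Extension sets are assumptions."""
import io
import zipfile

DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".odt", ".txt", ".jpg", ".dwg"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_SIGNATURE = b"MZ"


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on: the last extension is dropped."""
    base, dot, _ = filename.rpartition(".")
    return base if dot else filename


def inspect_attachment(zip_bytes: bytes) -> list:
    """Return [{'member': name, 'reasons': [...]}, ...] for every suspicious ZIP member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1].lower()
            parts = name.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            inner = "." + parts[-2] if len(parts) > 2 else ""
            with archive.open(info) as member:
                head = member.read(2)  # only the signature bytes are needed
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
            if inner in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
                reasons.append("double extension mimics a document")
            if head == PE_SIGNATURE and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header under a non-executable name")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: a PE stub named like a PDF, a PE under a plain .pdf name, and a benign note."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("Invoice_2013-09.pdf.exe", b"MZ" + b"\x00" * 62)
        archive.writestr("scan.pdf", b"MZ\x90\x00")
        archive.writestr("readme.txt", b"Please see the attached invoice.")
    return buffer.getvalue()


if __name__ == "__main__":
    for finding in inspect_attachment(build_sample_zip()):
        print(finding["member"], "shown as", displayed_name(finding["member"]), "->", finding["reasons"])
```

The signature check is the one that matters: renaming a file defeats extension rules, but the loader still needs the MZ header, so a PE under any document name is worth quarantining regardless of what the name claims.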
When first run, the payload installed itself in the user profile folder and added a key to the registry that caused it to run on startup. It then attempted to contact one of several designated command-and-control servers; once connected, the server generated a 2048-bit RSA key pair and sent the public key back to the infected computer.[1][6] The server could be a local proxy that relayed through others, frequently relocated to different countries to make tracing more difficult.[8][9]
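A model of the key handling just described, added here as an example and not taken from the malware or from any of the cited analyses: the server side generates the key pair and keeps the private exponent, the host side wraps a fresh per-file key under the public key and never holds anything that can unwrap it. The 512-bit modulus (standing in for RSA-2048), the HMAC-SHA256 keystream standing in for a block cipher, and all class and function names are assumptions made for the illustration. The structure is the point, and it is also what the brute-force discussion under Mitigation rests on: the decrypt path needs the server that generated the pair, a different server's private key is useless, and removing the malware from the host changes nothing.

```python
"""Added model of CryptoLocker's key handling (not the malware's code).
Toy parameters: a 512-bit modulus stands in for RSA-2048, and an HMAC-SHA256
counter keystream stands in for AES because the standard library has no block cipher."""
import hashlib
import hmac
import math
import os
import random

_SYSRAND = random.SystemRandom()


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; adequate for a model, not a vetted key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_SYSRAND.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = _SYSRAND.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


class ControlServer:
    """Holds the private exponent; the infected host only ever receives (n, e)."""

    def __init__(self, modulus_bits: int = 512):
        self.e = 65537
        while True:
            p, q = _random_prime(modulus_bits // 2), _random_prime(modulus_bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(self.e, phi) == 1:
                break
        self.n = p * q
        self._d = pow(self.e, -1, phi)  # private exponent, kept server-side only

    def public_key(self) -> tuple:
        return (self.n, self.e)

    def unwrap_file_key(self, wrapped: int) -> bytes:
        """What the paid-for decryptor does with the victim's private key; wrong key gives garbage."""
        raw = pow(wrapped, self._d, self.n).to_bytes(self.n.bit_length() // 8 + 1, "big")
        return raw[-32:]


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode XOR with an HMAC-SHA256 keystream (AES stand-in); same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_file(plaintext: bytes, public_key: tuple) -> tuple:
    """Host side: fresh 256-bit file key, wrapped with textbook RSA (no OAEP padding; model only)."""
    n, e = public_key
    file_key = os.urandom(32)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    return wrapped, _keystream_xor(file_key, plaintext)


def decrypt_file(wrapped: int, ciphertext: bytes, server: ControlServer) -> bytes:
    """Recovery requires the private exponent, i.e. the server that generated the pair."""
    return _keystream_xor(server.unwrap_file_key(wrapped), ciphertext)


if __name__ == "__main__":
    server = ControlServer()
    wrapped, blob = encrypt_file(b"Q3 figures (constructed sample)", server.public_key())
    print(decrypt_file(wrapped, blob, server))
```

The RSA wrap here is unpadded textbook RSA, kept that way only to keep the model short; real deployments use OAEP. Nothing on the host side (the public key, the wrapped value, the ciphertext) yields the file key, which is why a clean-up tool that removes the trojan leaves the data exactly as encrypted as before.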
The payload then encrypted files across local hard drives and mapped network drives with the public key, and logged each encrypted file to a registry key. The process only encrypted data files with certain extensions, including Microsoft Office, OpenDocument and other documents, pictures, and AutoCAD files.[7]
The payload displayed a message informing the user that files had been encrypted, and demanded a payment of 400 USD or EUR through an anonymous pre-paid cash voucher (i.e. MoneyPak or Ukash), or an equivalent amount in Bitcoin (BTC), within 72 or 100 hours (having started at 2 BTC, the ransom was later adjusted down to 0.3 BTC by the operators to reflect the fluctuating value of Bitcoin),[10] or else the private key on the server would be destroyed and "nobody and never [sic] will be able to restore files."[1][6] Payment of the ransom allowed the user to download the decryption program, which was pre-loaded with the user's private key.[6] Some infected victims claimed that they paid the attackers but their files were not decrypted.[4]
In November 2013, the operators of CryptoLocker launched an online service which claimed to allow users to decrypt their files without the CryptoLocker program, and to purchase the decryption key after the deadline expired; the process involved uploading an encrypted file to the site as a sample and waiting for the service to find a match, which the site claimed would occur within 24 hours. Once a match was found, the user could pay for the key online; if the 72-hour deadline had passed, the cost increased to 10 Bitcoin.[11][12]
The success of CryptoLocker spawned a number of unrelated, similarly named ransomware trojans working in essentially the same way,[13][14][15] such as CryptoLocker 2.0, which was originally thought to be a variant of CryptoLocker but was ultimately judged by security researchers to be a copycat because of notable differences in its internal architecture (such as being written in a completely different programming language and using a different type of encryption).[16][15]
Takedown and recovery of files
On June 2, 2014, the United States Department of Justice officially announced that over the previous weekend Operation Tovar, a consortium of law enforcement agencies (including the FBI and Interpol), security software vendors, and several universities, had disrupted the Gameover ZeuS botnet that had been used to distribute CryptoLocker and other malware. The Department of Justice also publicly issued an indictment against the Russian hacker Evgeniy Bogachev for his alleged involvement in the botnet.[5][17][18]
As part of the operation, the Dutch security firm Fox-IT was able to procure the database of private keys used by CryptoLocker; in August 2014, Fox-IT and fellow firm FireEye introduced an online service that allows infected users to retrieve their private key by uploading a sample file and then receive a decryption tool.[19][20]
Mitigation
While security software is designed to detect such threats, it might not detect CryptoLocker at all, or only after encryption is underway or complete, particularly if a new version unknown to the protective software is distributed.[21] If an attack is suspected or detected in its early stages there is a window in which to act, since encrypting a full set of files takes some time; immediate removal of the malware (a relatively simple process) before it has finished would limit the damage to data.[22][23] Experts suggested precautionary measures, such as using software or other security policies to block the CryptoLocker payload from launching.[1][6][7][9][23] Symantec estimated that 3% of users infected by CryptoLocker chose to pay.[9]
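One way to use that window, added here as an example and not a tool from the page or from any vendor it names: a coarse scan that walks a directory tree and, for recently modified files of the document types the page says were targeted, checks whether the header still matches the format (encrypted output loses its magic bytes) and whether the content has become high-entropy. Compressed formats such as JPEG and DOCX are high-entropy when healthy, so entropy on its own produces false positives; the magic-byte check is what separates a freshly encrypted file from an ordinary one. The watch list, thresholds, time window, function names and the sample directory are assumptions constructed for the illustration.

```python
"""Added example, not CryptoLocker's code and not a vendor product: flag a burst
of watched document files that were modified recently, lost their format
signature and now look like ciphertext. Thresholds and watch list are assumptions."""
import hashlib
import math
import os
import tempfile
import time
from collections import Counter

# Assumed watch list: formats named on the page, with their leading magic bytes.
WATCHED_MAGIC = {
    ".pdf": b"%PDF",
    ".doc": b"\xd0\xcf\x11\xe0",
    ".xls": b"\xd0\xcf\x11\xe0",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".odt": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".dwg": b"AC10",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8; ciphertext and compressed data sit close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, window_seconds: int = 300, entropy_floor: float = 7.5,
              sample_bytes: int = 4096, now: float = None) -> dict:
    """Return how many watched files were examined and which recent ones look encrypted."""
    now = time.time() if now is None else now
    suspicious, examined = [], 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in WATCHED_MAGIC:
                continue
            path = os.path.join(dirpath, name)
            examined += 1
            if now - os.stat(path).st_mtime > window_seconds:
                continue  # untouched for a while: not part of a burst in progress
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            if not head.startswith(WATCHED_MAGIC[ext]) and shannon_entropy(head) >= entropy_floor:
                suspicious.append(path)
    return {"examined": examined, "suspicious": sorted(suspicious)}


def burst_detected(result: dict, min_hits: int = 3) -> bool:
    """Alert when several watched files changed inside the window and lost their format."""
    return len(result["suspicious"]) >= min_hits


def _pseudo_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output (constructed)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(size // 32 + 1))[:size]


def build_sample_tree() -> str:
    """Constructed directory: healthy documents, three freshly 'encrypted' ones, one old one."""
    root = tempfile.mkdtemp(prefix="cl-demo-")

    def put(name, data, age=0):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        if age:
            old = time.time() - age
            os.utime(path, (old, old))

    put("figures.pdf", b"%PDF-1.4\n" + b"Quarterly figures, constructed sample text. " * 90)
    put("photo.jpg", b"\xff\xd8\xff\xe0" + _pseudo_ciphertext(b"jpeg"))  # high-entropy but healthy
    put("report.docx", b"PK\x03\x04" + _pseudo_ciphertext(b"zip"))       # likewise
    for i in range(3):
        put("budget%d.xlsx" % i, _pseudo_ciphertext(b"enc%d" % i))  # no magic, high entropy, fresh
    put("archive.odt", _pseudo_ciphertext(b"old"), age=3600)        # same look, outside the window
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(result, "burst:", burst_detected(result))
```

Run against a file server share on a short timer; a positive result is the cue to pull the suspected host off the network and kill the process, not to start restoring, since the page's own point is that anything encrypted before that moment stays encrypted.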
Because of the way CryptoLocker operated, some experts reluctantly suggested that paying the ransom was the only way to recover files in the absence of backups (in particular offline backups made before the infection that are inaccessible from the network and thus cannot be reached and encrypted by CryptoLocker).[4] Because of the length of the key employed by CryptoLocker, experts considered it practically impossible to use a brute-force attack to obtain the key needed to decrypt files without paying; the similar 2008 ransomware Gpcode.AK used a 1024-bit key that was believed to be large enough to be computationally infeasible to break without a concerted distributed effort or the discovery of a flaw that could be used to break the encryption.[6][12][24][25] Sophos security analyst Paul Ducklin even speculated that CryptoLocker's online decryption service involved brute-forcing its own encryption.[12]
Solution to CryptoLocker:
All 500,000 victims of CryptoLocker can now recover files encrypted by the malware without paying a ransom.
The malicious program encrypted files on Windows computers and demanded a substantial fee before handing over the key to the scrambled files.
Thanks to the Fox-IT and FireEye effort described above, an online portal (www.decryptcryptolocker.com) was created where victims can obtain their key for free.
Sources:
http://en.wikipedia.org/wiki/CryptoLocker
http://en.wikipedia.org/wiki/Ransomware
http://en.wikipedia.org/wiki/Bitcoin
This is also worth seeing, the Security Report from Symantec:
http://www.symantec.com/security_response/publications/threatreport.jsp
For beginners, the Kaspersky link below is also worth seeing:
http://www.kaspersky.com/au/internet-security-center/threats
http://technet.microsoft.com/en-us/library/cc723507.aspx#XSLTsection124121120120