Jump to content

CryptoLocker, another ransomware...


Recommended Posts

I'm subscribed to a mailing list for a backup software and there was this strange question asked: "Is this software safe against ransomware?"

I replied that ransomware that could destroy remote backups, or even ransomware in general, was pretty rare if you browsed safely. But the same person made another thread called "restore backup after CryptoLocker 3.0." It's been a long time since I've heard about ransomware being developed and used against present-day systems. And to be honest, that's pretty scary.

Since the MS-DOS times, ransomware has done the same thing pretty much: encrypt all of your data and make you desperate to have it decrypted. But imagine that with modern technology: 2048-bit RSA plus Tor/Bitcoin to keep the payment process completely anonymous.

CryptoLocker was supposed to have been shut down a few years ago, but variants like this one seem to have popped up.

My questions, since I can't find anything about this variant:

  1. How is it being propagated? The original one was through a botnet, and the whole operation got shut down spectacularly by the police.
  2. Does it actually destroy backups such as those in UNC shares? What about shadow volumes?
  3. Is it possible to pay the ransom through credit card and then do a chargeback? If you speak with the credit card company first you might be able to come up with a plan so that they don't shut down your card for illegal activity.

I haven't been infected by malware for quite a long time, but this one poses a real threat to my home server or desktop if it ever gets to either one of them, as my home server has limited storage and I must move my old backups offsite before I can begin a new set of "real" backups.

Link to post
Share on other sites

3. Is it possible to pay the ransom through credit card and then do a chargeback? If you speak with the credit card company first you might be able to come up with a plan so that they don't shut down your card for illegal activity.

I can't speak for this one on particular, but there's an assumption in this question that paying the ransom will actually solve your issue. In most cases, these pieces of software don't actually have a mechanism to properly decrypt or frequently even encrypt the affected data; it takes a lot less effort for the same gain on the attacker's side to produce something that just irreversibly scrambles the data, as long as the victim doesn't realise this until after they've paid.

Link to post
Share on other sites
I can't speak for this one on particular, but there's an assumption in this question that paying the ransom will actually solve your issue. In most cases, these pieces of software don't actually have a mechanism to properly decrypt or frequently even encrypt the affected data; it takes a lot less effort for the same gain on the attacker's side to produce something that just irreversibly scrambles the data, as long as the victim doesn't realise this until after they've paid.

Honestly this makes more sense to me. Anything that is encrypted can still get cracked given sufficient time. Even if the attacker do want to return the file to the victim after ransom is paid (why though?) it would be much easier if they just make a copy of the file and destroy what you have - an actual ransom.

Encrypted a file and demand ransom for the key is like locking a person's things in a safe and gave them the whole safe while just keeping the key. They can still bring that safe somewhere else to get it opened by other means instead of using that key.

And if you have a complex enough safe that can only be opened by a very complex key that you design, or in this case, an uncrackable encryption system, you can make a buttload more money selling secured storage services rather than ransom random people for their stuff.

Edited by RainDreamer
Link to post
Share on other sites
Honestly this makes more sense to me. Anything that is encrypted can still get cracked given sufficient time. Even if the attacker do want to return the file to the victim after ransom is paid (why though?) it would be much easier if they just make a copy of the file and destroy what you have - an actual ransom.

Encrypted a file and demand ransom for the key is like locking a person's things in a safe and gave them the whole safe while just keeping the key. They can still bring that safe somewhere else to get it opened by other means instead of using that key.

And if you have a complex enough safe that can only be opened by a very complex key that you design, or in this case, an uncrackable encryption system, you can make a buttload more money selling secured storage services rather than ransom random people for their stuff.

Actually, paying the ransom does give you a key to decrypt the files, given that you didn't get infected with CryptoLocker from another malware that downloaded it and put another layer of encryption.

The man who created CryptoLocker did not devise this method of encrypting files. People all over the world use RSA-2048 public/private keys knowing that it is extremely difficult, if not virtually impossible, to crack such a system. "Sufficient time" would be in dozens of years given a present day supercomputer and a research team devoted to breaking it. The only way to decrypt, then, would be to find the hard drive that contains all of the private keys and try to fit each one into a file and see if it works. Cloud companies already use encryption in their services by default.

But yes you are right, people should not depend on having to pay terrorists ransom money to get their data back.

Link to post
Share on other sites
Actually, paying the ransom does give you a key to decrypt the files, given that you didn't get infected with CryptoLocker from another malware that downloaded it and put another layer of encryption.

Apparently it really depends on the software and perpetrator. If no one would even get their files decrypted, people would soon stop paying. There seems to be a reasonable chance to get your files back, though there seems an almost equal chance you do not.

Though if you depend on paying ransom money to get your files back, you made a couple of mistakes before that point, since it means you omitted making proper backups.

I haven't been infected by malware for quite a long time, but this one poses a real threat to my home server or desktop if it ever gets to either one of them, as my home server has limited storage and I must move my old backups offsite before I can begin a new set of "real" backups.

Make backups. It is the only real cure. Making proper backups means off-site, and either off-line or in a completely different system. Physically separating your main system from your backup system is good practice anyway, since fires, lightning strikes, theft, cryptomalware, defects and more could all mess up your backups at the same time they mess up your original. Separating them is the only option that really mitigates them all.

Of course, there is a small chance that both systems could be hit at the same time, but making backups is a statistics game.

Link to post
Share on other sites

Couldn't you get your hands on a dormant copy of cryptolocker and then analyze and edit its code so it becomes a unlocker? This depends on how the decryption works, if it's external-server based, this would be hard.

Link to post
Share on other sites
You assume there is a viable unlocking mechanism.

If they used some kind of randomly generated key which discarded after encryption, it's pretty hard.

Yes, I am aware of that. The problem is the lack of documentation on the code.

Link to post
Share on other sites
Couldn't you get your hands on a dormant copy of cryptolocker and then analyze and edit its code so it becomes a unlocker? This depends on how the decryption works, if it's external-server based, this would be hard.

The private key is stored on the criminal's server. When you pay, CL will give you a key. This does work; cybercriminals are cunning and quite honest as well. When the police shut down the original CryptoLocker operation, the hard drive containing all of the private keys was found, and a service was set up to retrieve them at no cost.

You can find some CL archives on Gibson Research Corporation's website.

Obviously you can hardly reverse engineer it without IDA or OllyDbg. Packet capture will of course show some periodic HTTP requests like getting a public key from the server and checking if the private key is available from the server for decryption.

Link to post
Share on other sites
Couldn't you get your hands on a dormant copy of cryptolocker and then analyze and edit its code so it becomes a unlocker?

No. Keeping a local key is a huge security flaw and the criminals that make this type of software are smarter than that.

Link to post
Share on other sites
Couldn't you get your hands on a dormant copy of cryptolocker and then analyze and edit its code so it becomes a unlocker? This depends on how the decryption works, if it's external-server based, this would be hard.

Not with RSA encryption. These keys are specifically designed so that you cannot reverse engineer a decryption key from an encryption key, and the malware comes with encryption key only.

Otherwise, yes, the actual code to decrypt is identical to encryption code. You just need to know the key.

Link to post
Share on other sites
You assume there is a viable unlocking mechanism.

If they used some kind of randomly generated key which discarded after encryption, it's pretty hard.

Why even encoding it in the first place when you throw away the key¿ You could as well just write random data.

- - - Updated - - -

Not with RSA encryption.

Or any other public key encryption scheme, i.e. asymmetric cryptography.

Link to post
Share on other sites
Couldn't you get your hands on a dormant copy of cryptolocker and then analyze and edit its code so it becomes a unlocker? This depends on how the decryption works, if it's external-server based, this would be hard.

The original cryptolocker simply used the Windows encryption library

Link to post
Share on other sites

We recently had a computer in our office infected by such a piece of "ransomware", specifically "Cryptowall 3.0", and I now need to thoroughly check our network to ensure no other computers are affected and to take protective measures.

To answer a few questions:

Distribution is by the usual methods. Phishing emails, drive by downloads from compromised websites, perhaps USB sticks. I suspect emails that were spoofed as being sent from an employee in our case. Installation by other botnets is possible too, though I would speculate most botnet operators don't want to be so overt.

The latest versions are known to attack all mapped drives, which includes USB drives and mapped network shares, and will to sabotage the Windows Volume Shadow Service. They may also be able to attack non-mapped shares that they can get write access to. I am as yet unsure if it makes particular efforts to thwart data recovery software.

The criminals behind the malware only accept payment in Bitcoin, precisely because there is no way to reverse those payments. You are unlikely to have any legal grounds to chargeback the Bitcoin purchase, and if you did that would only hurt the Bitcoin exchange, the criminals would still have their funds.

Paying the ransom may or may not enable you to get your data back. The software and decryption key do typically exist, but these are organised criminal gangs we are talking about, they're perfectly capable of taking your money and running. Or of letting you decrypt your files then promptly re-infecting your PC.

The encryption claimed to be used is a public algorithm known to be essentially impossible to crack with publicly known and available technologies. The only plausible way of decrypting the files is if law enforcement agencies get hold of the keys.

As far as backups go, any system that allows the clients unrestricted access to the backup storage location is vulnerable to this sort of malware. It can be defended against by the backup location - be it a server, NAS, cloud service, or even theoretically drive - taking responsibility for keeping previous versions of files that are modified or deleted and not accepting any instruction to change that behaviour from the clients. The backup infrastructure itself could be directly attacked, and the defence against that is offline (and preferably offsite) backups.

The infection has been something of a wake-up call to me, making me realise how much important business data is being saved on workstations and how few employees handle their own backups. I intend to implement BackupPC, http://backuppc.sourceforge.net/ , which uses a "pull" approach where the backup server does all the work so the backups will naturally be resistant to tampering.

There are some resources and tools that are designed to protect against Cryptolocker and similar malware. My understanding is they work by enabling security features included in Windows to restrict what programs can be run, an approach usually overlooked by regular antivirus which instead focuses on scanning files for malware.

http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit/

Cryptoprevent: http://bit.ly/1KszbbR (Sorry for Bitly link, the forum regards the original web address as containing a swear word and censors it out)

Edited by cantab
dumb censor
Link to post
Share on other sites

Many thanks for the info, cantab.

After one of your workstations got infected, did you ever find out later which executable carried the payload or how the user got it? I read from one victim that he opened what looked like a PDF file but actually was .exe format (but common suffixes are hidden by Windows Explorer).

Another precaution to take is to disable hiding extensions in files to make sure they are not in fact executables. I wonder if these executables that carry the payload are Authenticode signed, so that the warning before opening an unknown file never shows...

My planned response to when I am very certain that a virus has begun its work destroying my computer (and the AV didn't pick it up) is to first pull the plug on the Ethernet. If there is still hard drive activity, try to open Task Manager, but if the virus is killing Task Manager, shut the computer down immediately (hold the power button or just unplug it!) and run off WinPE until I can identify the virus and assess damages.

Link to post
Share on other sites
Make backups. It is the only real cure. Making proper backups means off-site, and either off-line or in a completely different system.

Prudent advice, but keep the human factor in mind. Everybody loves restore, hardly anyone wants to do backups. The more complicated the process of making a backup, the more infrequent they become. Cantab's aproach of pulling them from a server should make for (almost) daily backups, which goes a long way. Hint: if there's a RAID involved, check it's integrity every few months. The events were one would need an off-site backup I only read about in the paper, but hyper-degraded RAIDs happen to people I know, and surprisingly often.

@longbyte1: don't even try to assess the damage, unless you have a lot of time to kill. Otherwise, only try to salvage the most recent work, then wipe the disk and restore from backup.

Link to post
Share on other sites
Prudent advice, but keep the human factor in mind. Everybody loves restore, hardly anyone wants to do backups. The more complicated the process of making a backup, the more infrequent they become. Cantab's aproach of pulling them from a server should make for (almost) daily backups, which goes a long way. Hint: if there's a RAID involved, check it's integrity every few months. The events were one would need an off-site backup I only read about in the paper, but hyper-degraded RAIDs happen to people I know, and surprisingly often.

RAID is not a backup! Let's be very clear about that. It is a way of improving uptime, but it is not a viable method of backing your files up. Any IT-guy worth his salt will tell you this.

Local backups are just a risk. Theft is common, as are lightning strikes, ransomware and human error. Fire or water damage are not unheard of. Backing up things off-site, preferably with a longer interval to thwart ransomware, is much preferred. You could also combine different methods: a regular backup to deal with some of the possible failure modes, and one you do every few months or so to squirrel away your personal data and photo's (which generally is the one thing that really matters). When push comes to shove, you might lose a couple months worth of photos or work, but at least you do not lose a lifetime.

Edited by Camacha
Link to post
Share on other sites
RAID is not backup! Let's be very clear about that.

Surely, that's context dependent. If the only kind of failure I want to safeguard against is mechanical drive failure, which is usually the only one that's entirely out of my hands as a user, then RAID is just as good as the first backup layer. Not that having something like a weekly off-site backup isn't a good idea to have on top of that, even for a personal machine. Fortunately, there are now cloud services that make it really easy.

Link to post
Share on other sites

RAID makes for a pretty rubbish backup. It'll save you from a hard drive failure, but not from any of the many other things that could cause data loss. Like Camacha says, RAID isn't about keeping your data safe but about keeping your system running. If you have a PC that you cannot afford unexpected downtime on then RAID is appropriate.

Link to post
Share on other sites
RAID is not a backup! Let's be very clear about that.

Reading my own post again, I still can't see how you got there. I mean, it's true and certainly bears repeating, no harm done...

I was merely assuming that a central storage for numerous backups might involve a raid of some sort. And advising people to occasionally check their raid's consistency is a pet peeve of mine.

Disk failure, replace, rebuild, and suddenly it becomes apparent that one of the still-good disks isn't that good after all: Not only does it happen, according to my anecdata it's happening quite often, four cases in five years where I was close enough to hear the yelling. After the first event, we ran consistency checks on all of our raids, and weeded out three disks out of a hundred. Since then we run them quarterly and occasionally score a hit.

My numbers are too small for a statistic, it may be a freakish coincidence. But still.

Edited by Laie
Link to post
Share on other sites
Surely, that's context dependent.

Well, if the context is that you only want to safeguard against one partial failure mode, and not against others that are common or less common, then I guess it is :D Though I would argue that any user just interested in that is not making a backup, but improving uptime - creating a backup for the function of the hard drive, rather than the data on it.

My comment is just meant to signify that backups, in the conventional data sense of the word, are not being properly made by just employing RAID, as it leaves you open to a whole host of failure modes. This can be slightly counter-intuitive to people ('What do you mean? I have two copies!') and means they could still easily lose their data, so it cannot hurt to be rather clear about the level of protection (and lack thereof) it provides.

Fortunately, there are now cloud services that make it really easy.

I must admit I have a slight distrust of the cloud. Though I can certainly see how a server park full of trained professionals guarding my data 24/7 can be more effective than I am with a couple of hard drives lying around the house, but it does help to be critical (and pay for good service, pick a reliable partner and set up a legally binding contract). Making the data you upload unusable to anyone else is a sensible precaution too, considering how much sensitive data is generally in backups.

Link to post
Share on other sites

How did a thread about malware get derailed to backups..?

Everyone knows you should make backups. But, we need to stop treating Windows/Linux backups as merely disposable iCloud backups. Please try to understand that not everyone can afford the money to install personal datacenters in their homes or the time to wipe a disk and start afresh.

There must be a middle ground between keeping browsable drive backups in one's home and disposable drive images stored in the cloud. I can't go about restoring everything trying to look for an old file, neither can I waste terabytes upon terabytes a month for a service that only brings out the catches once you make your first backup.

Link to post
Share on other sites
or the time to wipe a disk and start afresh.

This is just basic maintenance, to be honest. Without malware you will need to do this occasionally anyway. People understand that cars need maintenance, yet when it comes to computers they expect everything to work and keep working no matter what. Wiping a disk and starting afresh is a matter of spending an evening to gets things to work. I bet it takes about the same to put together new furniture :D

There is no need for a 'personal datacenter' either. Just a single additional drive could be enough, and considering most people's personal files are under 20 GB, a small (and thus cheap) one will suffice. As I have said before, it is not about the money you spend, it is about making the odds look good.

Link to post
Share on other sites
If you need to wipe everything and start fresh in your "basic maintenance" then you're doing it horribly, horribly wrong.

That is the most terrible way to interpret that statement :D Starting fresh every now and then is sensible, though. Not absolutely necessary, but it removes the no longer needed clutter from the past and means you also update all programs and drivers, including those you inevitably overlooked or forgot about. When you keep plugging along with the same old installation you will run into vague or intermittent problems sooner or later. I do not really care for cloned installations* for the same reason. Starting fresh is not really that much work, yet vanquishes any demons from the past.

*Old installations copied to a new drive that is, a new installation copied to multiple systems through cloning is quite convenient.

Edited by Camacha
Link to post
Share on other sites
This thread is quite old. Please consider starting a new thread rather than reviving this one.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...