Please be advised that we have observed several “RansomWare” security incidents in recent weeks.
RansomWare is software that attempts to extort money from the owner of the computer, usually by doing something malicious such as encrypting important documents so that they’re unusable, and then demanding money to have them decrypted. One program named “CryptoLocker” has been seen several times in the last few weeks. We want you to be aware of how to prevent this disastrous program from ending up on your computers.
How does CryptoLocker infect computers?
CryptoLocker is often distributed inside an email attachment on a forged customer-support-style email, and those emails often claim to be from Dun & Bradstreet, the Better Business Bureau, Companies House, FedEx, UPS, and other commonly recognized business names. Often, CryptoLocker arrives as a file with a double extension, such as *.pdf.exe. Since Windows doesn’t display file extensions by default, such a file may look like a PDF rather than an executable.
What does CryptoLocker do?
If you run CryptoLocker, it infects your computer like typical malware, placing its files in Windows directories and creating registry entries that allow it to restart when you reboot. It then tries to contact its command and control (C&C) server, using a random domain name generation algorithm to locate a currently active one. Once CryptoLocker contacts its C&C, it generates a public/private key pair for your specific computer, using standard, very strong 2048-bit RSA together with AES. The private key is stored only on the attacker’s C&C servers, while the public key is saved in a registry entry on your computer. CryptoLocker then uses that key pair to encrypt many different types of files on your computer. After encrypting your files, it shows a screen warning that you have 72 hours to pay either $300 or £200 in order to get your files back. Once CryptoLocker has encrypted your documents, there are only two ways to get them back: restore those files from your backups, or pay the ransom.
Many have asked whether CryptoLocker’s decryption process works if you pay the ransom. We highly discourage you from ever paying extortion to cyber criminals. Not only are you paying off criminals, but you are encouraging them to continue to use these methods in the future. That said, reports claim that CryptoLocker’s decryption does work. However, in order for the process to work, an infected computer must retain access to the C&C server. If the server is taken down by authorities, sinkholed, or temporarily goes offline, paying the ransom may only result in the loss of your money.
What should you do?
If you are infected with CryptoLocker, the first thing you should do is disconnect the infected PC from the internet. If CryptoLocker can’t access its C&C, it can’t encrypt files, so disconnecting the machine may prevent further files from being encrypted. It’s always best to be extremely suspicious of email attachments, even if they appear to be sent by someone you know (their computer might be infected, or the email sender might be forged). Be especially wary of anything that’s not a normal office document (Excel, Word, PDF, etc.), and of anything compressed inside a zip file (zips are often used to try to bypass email filtering). If there’s a program file ending in “.exe”, or any other file extension that’s not obviously an office document, don’t touch it without checking with an engineer. CryptoLocker is often a “.exe” program inside a zip file attached to an email.
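The two delivery patterns described above (a double extension such as *.pdf.exe that Windows displays without the final “.exe”, and an executable hidden inside a zip attachment) can be checked mechanically at the mail gateway. The following script is an added example, not part of this advisory; the extension lists and the attachment names are constructed assumptions.

```python
# Added example (not from the original advisory): flag attachment names that
# match the patterns described above. Sample names and zip are constructed.
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: a representative set of extensions Windows executes directly.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a user expects on an ordinary office document.
DOCUMENT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}


def classify_name(name: str) -> list[str]:
    """Return the reasons one file name looks suspicious (empty if none)."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in EXECUTABLE:
        reasons.append(f"executable extension {suffixes[-1]}")
        # Windows hides the final extension by default, so invoice.pdf.exe is
        # displayed as invoice.pdf and looks like a document.
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT:
            reasons.append(f"double extension masquerading as {suffixes[-2]}")
    return reasons


def scan_attachment(name: str, data: bytes) -> dict[str, list[str]]:
    """Check one attachment; for a zip, also check every member name inside."""
    findings = {}
    if classify_name(name):
        findings[name] = classify_name(name)
    if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if classify_name(member):
                    findings[f"{name}:{member}"] = classify_name(member)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a zip carrying a double-extension executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx_Invoice.pdf.exe", b"placeholder, not a real program")
        zf.writestr("readme.txt", b"harmless")
    return buf.getvalue()
```

Run `scan_attachment("Shipping_Label.zip", build_sample_zip())` to see the hidden member flagged while the zip container itself and the readme are left alone.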
What else can you do to protect yourself?
Up-to-date commercial antivirus software should always be the first line of defense, but shouldn’t be relied upon as a sole guarantee of protection. Robust anti-spam solutions are often quite good at quarantining infected emails before they ever reach your mail server, and are more consistently effective at protecting against email-borne attacks than antivirus software alone. Malicious software authors and antivirus/anti-spam vendors are always in an “arms race”, with the bad software authors continually changing their schemes to try to sneak through. Note also that some web security solutions, such as WatchGuard’s WebBlocker or Reputation Enabled Defense (RED) service, can help. These services keep track of millions of malicious URLs and web sites, which means they can block access to sites that distribute malware, or can prevent infected hosts from reaching C&C servers.
Awareness is the best defense. CryptoLocker typically spreads in pretty obvious-looking phishing emails. You should train your users to recognize some of the common phishing and malware signs, such as unsolicited emails from shipping providers, double-extension files, links that point to the wrong sites, and so on. With a little vigilance, you should be able to avoid most CryptoLocker infections.
If you’d like more technical detail about Cryptolocker, here are some additional resources:
• Bleeping Computer’s Cryptolocker FAQ
• Reddit’s Guide to Cryptolocker
• Reddit’s Original Cryptolocker post