
Cryptolocker Wants Your Money!

Costin Raiu
Kaspersky Lab Expert
Posted October 25, 15:40  GMT
Tags: Antivirus Updates, Proactive Protection, Ransomware, Antivirus Technologies, Data Encryption

You may have read about the Cryptolocker malware, a new ransomware Trojan that encrypts your files and demands money to return them.

In the past, we have witnessed similar malware like the famous GPCode that used RSA keys for encryption. Back in 2008, we cracked the 660-bit RSA key used by GPCode and provided the victims with a method to decrypt and recover their data. Later, the GPCode authors upgraded the RSA key to 1024 bits, putting it perhaps only in the realm of NSA's cracking power.

Cryptolocker uses a solid encryption scheme as well, which so far appears uncrackable. For each victim, it connects to its command-and-control (C2) to download an RSA public key that is used to encrypt the data. For each new victim, another unique key is created and only the Cryptolocker authors have access to the decryption keys.

The attackers give you roughly three days to pay them, otherwise your data is gone forever. A multitude of payment options are available, including Bitcoin:

To make sure the victim gets the message, they set a pretty scary wallpaper on the infected machine:

To connect to the C2 servers, Cryptolocker uses a domain generation algorithm that produces 1000 candidate unique domain names every day.
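One way to spot this behaviour in DNS resolver logs, as an added example that is not part of the original post: a host working through a daily list of candidate domains tends to produce a burst of failed lookups for many distinct names, assuming most candidates are unregistered. The log format, addresses, domain names, window and threshold below are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample resolver log: "<ISO timestamp> <client IP> <query name> <rcode>"
SAMPLE_LOG = [
    "2013-10-20T09:00:01 10.0.0.5 xkqpwjznrtbyad.example NXDOMAIN",
    "2013-10-20T09:00:02 10.0.0.5 bvmwqhzkcyrlpe.example NXDOMAIN",
    "2013-10-20T09:00:03 10.0.0.9 www.example.com NOERROR",
    "2013-10-20T09:00:04 10.0.0.5 qjhdnwyxgktrms.example NXDOMAIN",
    "2013-10-20T09:00:05 10.0.0.5 lpzrcfnwvqkyjd.example NXDOMAIN",
    "2013-10-20T09:00:06 10.0.0.9 wwww.example.org NXDOMAIN",
    "2013-10-20T09:00:07 10.0.0.5 tmgxhbqwzkvnry.example NXDOMAIN",
    "2013-10-20T09:00:08 10.0.0.5 tmgxhbqwzkvnry.example NXDOMAIN",  # repeat, not a new name
    "2013-10-20T09:20:00 10.0.0.9 mail.example.net NXDOMAIN",
]

def registered_domain(qname):
    """Reduce a query name to its last two labels (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def parse(line):
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, registered_domain(qname), rcode

def nxdomain_bursts(lines, window=timedelta(minutes=5), threshold=5):
    """Return {client: peak count of distinct NXDOMAIN domains inside any
    sliding window} for clients whose peak reaches the threshold."""
    recent = defaultdict(deque)  # client -> (timestamp, domain) pairs still in window
    peak = defaultdict(int)
    for ts, client, domain, rcode in sorted(map(parse, lines)):
        if rcode != "NXDOMAIN":
            continue
        q = recent[client]
        q.append((ts, domain))
        while q and ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        peak[client] = max(peak[client], len({d for _, d in q}))
    return {c: n for c, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for client, count in nxdomain_bursts(SAMPLE_LOG).items():
        print(f"{client}: {count} distinct failed domains within 5 minutes")
```

A host that mistypes the occasional name stays well below the threshold; tune the window and threshold against a baseline of your own resolver traffic.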

Dimiter Andonov from ThreatTrack Security reverse-engineered the algorithm and Kaspersky Lab sinkholed three domains to measure the number of worldwide victims.

In total, we've had 2764 unique victim IPs contacting the sinkholed domains.

The highest number was recorded on Wednesday October 16, with 1266 unique IP addresses.

Below you can find the distribution of victims per country - top 30. The most affected countries are the UK and US, followed by India, Canada and Australia:

It's important to point out that the statistics indicate the number of victims that haven't had their files encrypted yet. If they act quickly after the infection and clean their system with an anti-malware tool, then the data might not be encrypted at all.

Defense strategies

Cryptolocker uses a solid method to encrypt files and to make sure their unencrypted versions can't be recovered by tools such as Photorec. The best strategy is to make sure you are running an updated anti-malware product, capable of stopping the infection. The Kaspersky host intrusion prevention system is capable of blocking even unknown versions of this Trojan from infecting the systems.

For a free system check, you can use the Kaspersky Rescue Disk:

1. Download the ISO image of Kaspersky Rescue Disk 10 (kav_rescue_10.iso).

2. Download the Kaspersky Rescue Disk Maker (rescue2usb.exe).

3. View documentation on Knowledgebase.

The most widespread variants of the Cryptolocker malware are detected by Kaspersky products with the following verdicts:

Trojan-Ransom.Win32.Blocker.cfkz, Trojan-Ransom.Win32.Blocker.cmkv, Trojan-Ransom.Win32.Blocker.cggx, Trojan-Ransom.Win32.Blocker.cfow, Trojan-Ransom.Win32.Blocker.cjzj, Trojan-Ransom.Win32.Blocker.cgmz, Trojan-Ransom.Win32.Blocker.cguo, Trojan-Ransom.Win32.Blocker.cfwh, Trojan-Ransom.Win32.Blocker.cllo, Trojan-Ransom.Win32.Blocker.coew.

If your data has already been encrypted, the worst thing to do is to pay the bad guys. This will encourage them to expand and strengthen the attack techniques.

As always, prevention is the best cure!


5 comments


bchurby

2013 Oct 26, 01:45
1
 

Free Utility to scan for encrypted Cryptolocker Files

Here is a free scan tool that finds files that have been encrypted by CryptoLocker:

http://omnispear.com/tools/cryptolocker-scan-tool


Claudiu Francu

2013 Oct 28, 13:41
1
 

Collaboration

In today's world where we all hear about joint collaboration (criminals and AV vendors alike), why don't you all join forces, break the encryption and put an end to this?

If not for the users, at least to make a statement? Is their encryption really that good?


Costin Raiu

2013 Dec 03, 16:36
0
 

Re: Collaboration

Hi Claudiu,

Unfortunately, the encryption algorithm is cryptographically strong and can't be broken using any publicly _known_ technologies (not speaking for NSA and similar).


This comment was deleted by luv_my_kaspersky, 2013 Dec 05, 10:32

enigma-2

2013 Oct 29, 19:35
0
 

Re: kaspersky keeps us informed

I agree that Kaspersky is the best. But, the Kaspersky firewall is more than sufficient to protect your computer. And it's a mistake to run more than one firewall, especially if both are stateful inspection. (One firewall can't keep track of the packets if the attributes of a connection go out on one firewall, but are returned on the other. They're fighting each other for the connection.)
I would caution you to turn off your windows firewall.


luv_my_kaspersky

2013 Dec 05, 10:34
0
 

kaspersky is beatable

it does not work as advertised.
