Author Topic: CryptoLocker Ransomware + CryptoPrevent Q&A


Corrine (Administrator)
CryptoLocker Ransomware + CryptoPrevent Q&A
« on: October 13, 2013, 12:30:34 AM »
To put it simply, CryptoLocker encrypts the files on the computer and holds them for ransom.  There is only one private key available to unencrypt the public key and it is stored on a secret server with a time bomb set to destroy the key if the ransom isn't paid by the deadline.  Depending on the version, the ransom is $100 to $300 with a deadline for payment of between ~72 to 100 hours.

Additional information and references are available in my blog post, CryptoLocker Ransomware.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
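The key arrangement described in the post above, as an added illustration that is not CryptoLocker's code and touches no files: every piece of data gets its own AES-256 key, that key is wrapped with an RSA public key, and the matching private key stays on the "server" side. The function names and the sample text are mine; the point is that the public key and the ciphertext together recover nothing, which is why a backup is the only real mitigation.

```powershell
# Added illustration (not the malware's code): the hybrid-encryption pattern
# behind "only one private key can unlock the files", run on in-memory bytes.

function New-ServerKeyPair {
    # Server side: generates the pair and keeps the private half.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
    [pscustomobject]@{
        PublicXml  = $rsa.ToXmlString($false)   # what the infected machine receives
        PrivateXml = $rsa.ToXmlString($true)    # never leaves the server
    }
}

function Protect-Bytes {
    param([byte[]]$Plain, [string]$PublicXml)
    $aes = [System.Security.Cryptography.Aes]::Create()   # AES-CBC, PKCS7 padding
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()                  # fresh key and IV per item
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.FromXmlString($PublicXml)
    [pscustomobject]@{
        WrappedKey = $rsa.Encrypt($aes.Key, $true)   # RSA-OAEP wrap of the per-item AES key
        IV         = $aes.IV
        Body       = $body
    }
}

function Unprotect-Bytes {
    param($Blob, [string]$KeyXml)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $rsa.FromXmlString($KeyXml)
    $key = $rsa.Decrypt($Blob.WrappedKey, $true)    # throws unless $KeyXml carries the private half
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $key; $aes.IV = $Blob.IV
    $aes.CreateDecryptor().TransformFinalBlock($Blob.Body, 0, $Blob.Body.Length)
}

# Constructed sample input (not a real document).
$plain = [Text.Encoding]::UTF8.GetBytes('Quarterly report: constructed sample content')
$pair  = New-ServerKeyPair
$blob  = Protect-Bytes -Plain $plain -PublicXml $pair.PublicXml

# Victim-side view: public key plus ciphertext. Unwrapping the AES key fails.
try {
    Unprotect-Bytes -Blob $blob -KeyXml $pair.PublicXml | Out-Null
    'unexpected: recovered without the private key'
} catch {
    "without the private key: $($_.Exception.GetType().Name)"
}

# Server-side view: the private half unwraps the AES key and the data comes back.
$recovered = Unprotect-Bytes -Blob $blob -KeyXml $pair.PrivateXml
[Text.Encoding]::UTF8.GetString($recovered) -eq [Text.Encoding]::UTF8.GetString($plain)
```

Nothing in the encrypted blob helps an analyst: the AES key exists only inside the RSA-wrapped field, and the RSA key pair is generated away from the infected machine. Restoring from an offline backup sidesteps the whole scheme, which is the reason the advice further down the thread leads with backups.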

Corrine
Re: CryptoLocker Ransomware
« Reply #1 on: October 15, 2013, 08:12:22 PM »
Due to the incorrect and vague information available on CryptoLocker, Grinler published a guide containing all the known information on CryptoLocker to date.

CryptoLocker Ransomware Information Guide and FAQ



MikeW (LzD Friends)
Re: CryptoLocker Ransomware
« Reply #2 on: October 22, 2013, 01:17:31 PM »
Corrine, I see from the BC link that at present this is aimed at business networks. Is it likely this will spread to home users, and is there anything we should do to minimise the risk?
Win 7 Home Premium  IE11 MSE  Mbam Pro

Corrine
Re: CryptoLocker Ransomware
« Reply #3 on: October 22, 2013, 02:26:45 PM »
Corporate networks are being targeted because there is a better chance of collecting the ransom in order to decrypt the files.  Seeing as how malware writers sell their wares, it wouldn't surprise me to see a variant hit the general population.  New variants are being installed via ZBot infections that install CryptoLocker via spam emails and hacked websites.  Even though home users are currently not likely to receive the type of phishing attacks targeting corporations, they are not exempt from hacked websites.

The first step is ensuring that important files are backed up.  Since you use Malwarebytes PRO, the likelihood of infection is significantly diminished via the malware execution prevention and blocking of malware sites and servers that it provides.  Another option is Emsisoft Anti-Malware or Online Armor which use behavior blocking.

Malwarebytes:   A license is currently a one-time fee of $24.95 for one computer. 
See Cryptolocker Ransomware: What You Need To Know | Malwarebytes Unpacked and the related Stopping Malware Distribution at the Source | Malwarebytes Unpacked.

Emsisoft:  A one-year license for one computer for either Emsisoft Anti-malware or Online Armor is $39.95.  They also have "package" deals for both.
See CryptoLocker - a new ransomware variant | Emsisoft Blog

CryptoPrevent:  Home users can also install CryptoPrevent. 



Basil (LzD Friends, formerly known as gr277)
Re: CryptoLocker Ransomware
« Reply #4 on: October 22, 2013, 03:08:53 PM »
Thank you Corrine,
I have just downloaded/installed CryptoPrevent. Despite the fact that I have MBAM PRO, this is a nasty infection that has been worrying me. I feel more relaxed now.... :thumbsup:

MikeW
Re: CryptoLocker Ransomware
« Reply #5 on: October 22, 2013, 08:46:01 PM »
Thanks Corrine

Corrine
Re: CryptoLocker Ransomware
« Reply #6 on: October 23, 2013, 12:53:40 AM »
Another update today:

Quote
Updated the CryptoLocker guide to include updated info on the new Registry keys, updates to CryptoPrevent, and the message on the Command & Control Server.



Basil
Re: CryptoLocker Ransomware
« Reply #7 on: October 23, 2013, 06:24:44 AM »
Just updated. Thank you.

SpyDie (Administrator)
Re: CryptoLocker Ransomware
« Reply #8 on: October 23, 2013, 02:51:21 PM »
This has been incredibly well designed. It really does put emphasis on prevention is better than a cure.
Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

Corrine
Re: CryptoLocker Ransomware
« Reply #9 on: October 23, 2013, 05:53:02 PM »
Quote
prevention is better than a cure

That's for certain!



Corrine
Re: CryptoLocker Ransomware
« Reply #10 on: October 23, 2013, 10:47:31 PM »
Update:  CryptoLocker guide updated to fix issues with %Temp% SRP rules and info on known bitcoin payment wallet addresses.



Basil
Re: CryptoLocker Ransomware
« Reply #11 on: October 24, 2013, 06:09:58 PM »
New version 2.2.1 available

http://www.foolishit.com/vb6-projects/cryptoprevent/

Quote
v2.2.1 – made changes to prevent duplicate rules from being created when protection is applied multiple times without undoing the protection first.  No harm would come from the duplicate rules, but my OCD was bothering me.

Corrine
Re: CryptoLocker Ransomware
« Reply #12 on: October 24, 2013, 09:53:51 PM »
Thanks, Basil!

Interesting development:  DNS Sinkhole campaign underway for CryptoLocker - News
Quote
A DNS sinkhole campaign is underway and in high gear to block computers infected with CryptoLocker from reaching the malware's Command & Control servers. A DNS sinkhole is a method used by security researchers to monitor Botnets and to block communication between an infected computer and its Command & Control server.

There are a couple of issues with the sinkhole. First, of course, would be those caught in the middle having paid the $300 ransom but still waiting for the key to decrypt their files.  Another is that CryptoLocker will merely move on to another domain that isn't in the sinkhole. 

At this time, it is unknown who is responsible for setting up the sinkhole.



Basil
Re: CryptoLocker Ransomware
« Reply #13 on: October 25, 2013, 06:59:32 AM »
Thank you Corrine !
Very interesting article. I had to do a bit of reading, to understand what a DNS Sinkhole is.....  :goodie:

All this stuff is a bit above my pay grade....  :cheers:
To me, it starts sounding like the beginning of a new "Star Wars" type script ........  :thud:

Basil
Re: CryptoLocker Ransomware
« Reply #14 on: October 28, 2013, 05:36:23 PM »
Version 5 has an additional item which is not ticked by default:
"Temp Extracted Executables in Archive Files"

I don't fully understand its significance. Should I tick it?
Thank you
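What CryptoPrevent does under the hood, for the %Temp% SRP rules mentioned in Reply #10, the duplicate-rule fix in v2.2.1 (Reply #11) and the "Temp Extracted Executables in Archive Files" option asked about in Reply #14, is to write Software Restriction Policy path rules into the local policy registry. The script below is an added example of the same mechanism and is not CryptoPrevent's own code. Assumptions: it runs from an elevated Windows PowerShell prompt on a machine not governed by a domain SRP policy; the base values it writes under CodeIdentifiers are the ones SRP needs where no policy has ever been defined; the rule patterns are the ones discussed in the thread's linked guide, so confirm them against the current guide before relying on them.

```powershell
# Added example (not CryptoPrevent's code): SRP "Disallowed" path rules written
# directly to the local policy registry, skipping patterns that already have a
# rule so that re-applying protection never creates duplicates.

$Safer           = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DisallowedPaths = "$Safer\0\Paths"   # subkey 0 = the Disallowed security level
$NoExpand        = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Initialize-SaferPolicy {
    # Base values SRP needs on a machine where no policy was ever defined.
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    if ($null -eq (Get-ItemProperty -Path $Safer).DefaultLevel) {
        New-ItemProperty -Path $Safer -Name DefaultLevel       -PropertyType DWord -Value 0x40000 | Out-Null  # Unrestricted unless a rule says otherwise
        New-ItemProperty -Path $Safer -Name TransparentEnabled -PropertyType DWord -Value 1       | Out-Null  # enforce for all software except libraries
        New-ItemProperty -Path $Safer -Name PolicyScope        -PropertyType DWord -Value 0       | Out-Null  # apply to all users
        New-ItemProperty -Path $Safer -Name ExecutableTypes    -PropertyType MultiString -Value @(   # Windows' default list; extend as needed
            'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP','LNK',
            'MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC') | Out-Null
    }
    if (-not (Test-Path $DisallowedPaths)) { New-Item -Path $DisallowedPaths -Force | Out-Null }
}

function Get-SaferPathRules {
    # Read ItemData WITHOUT expanding %AppData% etc.; Get-ItemProperty would expand it
    # and the stored pattern would never compare equal to the one we want to add.
    if (-not (Test-Path $DisallowedPaths)) { return }
    foreach ($k in Get-ChildItem -Path $DisallowedPaths) {
        [pscustomobject]@{
            Key         = $k.PSChildName
            Pattern     = $k.GetValue('ItemData', $null, $NoExpand)
            Description = $k.GetValue('Description', '')
        }
    }
}

function Add-SaferPathRule {
    param([Parameter(Mandatory)][string]$Pattern,
          [string]$Description = 'Block executables launched from this location')
    # Idempotent: an existing rule for the same pattern is returned, not duplicated.
    $existing = Get-SaferPathRules | Where-Object { $_.Pattern -eq $Pattern }
    if ($existing) { Write-Verbose "rule already present: $Pattern"; return $existing }
    $key = Join-Path $DisallowedPaths ([guid]::NewGuid().ToString('B'))   # {guid} subkey, as SRP stores them
    New-Item -Path $key | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Pattern     | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
    Get-SaferPathRules | Where-Object { $_.Pattern -eq $Pattern }
}

function Remove-SaferPathRule {
    # The "undo" path: removes every rule for the pattern, duplicates included.
    param([Parameter(Mandatory)][string]$Pattern)
    Get-SaferPathRules | Where-Object { $_.Pattern -eq $Pattern } |
        ForEach-Object { Remove-Item -Path (Join-Path $DisallowedPaths $_.Key) -Recurse }
}

# Core rules: one for the folder itself, one for its immediate subfolders.
$CoreRules    = '%AppData%\*.exe', '%AppData%\*\*.exe', '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe'
# The optional "Temp Extracted Executables in Archive Files" set: archive tools unpack
# into %Temp% subfolders named Rar*, 7z*, wz* or *.zip, so an .exe launched from a
# just-opened attachment lands in one of these.
$ArchiveRules = '%Temp%\Rar*\*.exe', '%Temp%\7z*\*.exe', '%Temp%\wz*\*.exe', '%Temp%\*.zip\*.exe'

Initialize-SaferPolicy
foreach ($p in $CoreRules + $ArchiveRules) { Add-SaferPathRule -Pattern $p | Out-Null }
Get-SaferPathRules | Format-Table Pattern, Description -AutoSize
```

Two practical points follow from the rules themselves. First, the archive-extraction set is the reason that option is off by default: it also stops a legitimate installer that you double-click from inside a ZIP or RAR without extracting it first, so you either accept that or extract to a real folder before running. Second, because a Disallowed path rule beats the Unrestricted default, anything you genuinely need to run from %AppData% (some updaters and chat clients live there) needs its own Unrestricted rule under the 262144 (0x40000) level subkey, otherwise the blocking rules win.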