Everything You Wanted to Know About Cryptolocker…

… And Weren’t Afraid to Ask

If you follow my weekly Infosec news video, you probably remember me mentioning Cryptolocker in an episode late September. At the time, Cryptolocker seemed very similar to the many other ransomware variants in the wild, except that it seemed to be spreading a bit more quickly than others. However, over time Cryptolocker has proven much more aggressive than previous extortion malware campaigns. I have since received many emails and tweets from readers and customers asking about it; especially whether or not WatchGuard’s XTM security appliance can do anything to prevent it. With that in mind, I created a quick video about Cryptolocker, which also shows how WatchGuard’s XTM appliance can detect it. Watch the video below, and continue reading for more details and references.

(Episode Runtime: 12:54)

Direct YouTube Link: http://www.youtube.com/watch?v=uifwqLHYGsk

Since many great sources have already described Cryptolocker in complete detail, I’ll just share a quick summary. However, I’ll include links to my favorite Cryptolocker resources at the end of the post.

Cryptolocker is a ransomware trojan that encrypts your personal files. It spreads in many ways, including in phishing emails that contain malicious attachments or links, or via drive-by download sites. Often, Cryptolocker arrives as a file with a double extension, such as *.pdf.exe. Since Windows doesn’t display file extensions by default, this file may look like a PDF file rather than an executable.

If you run Cryptolocker, it infects your computer like normal malware, placing its files in Windows directories, and creating registry entries that allow it to restart when you reboot. It then also tries to contact its command and control (C&C) server. The malware uses a domain generation algorithm (DGA) to produce pseudo-random domain names and tries them until it finds a current C&C server. Some sample Cryptolocker domains might look like this:

  • jkamevbxhupg.co.uk
  • uvpevldfpfhoipn.info
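Because the C&C names are generated rather than chosen by a human, they look statistically different from ordinary domains (long, few vowels, high character entropy). The following added example (my own code, not from the original post or WatchGuard) scores queried names from a constructed DNS log with a simple heuristic; the suffix table, thresholds and log format are assumptions, and a real deployment would use the Public Suffix List and tune thresholds against its own traffic.

```python
import math
from collections import Counter

# Constructed sample DNS query log (timestamp, client, "query", name); the two
# odd-looking names are the sample domains given in the post above.
SAMPLE_DNS_LOG = """\
2013-11-04T10:00:01 10.0.0.12 query jkamevbxhupg.co.uk
2013-11-04T10:00:02 10.0.0.12 query uvpevldfpfhoipn.info
2013-11-04T10:00:03 10.0.0.12 query www.watchguard.com
2013-11-04T10:00:04 10.0.0.12 query mail.google.com
2013-11-04T10:00:05 10.0.0.15 query update.microsoft.com
2013-11-04T10:00:06 10.0.0.15 query wordpress.com
"""

# Minimal suffix table so that "co.uk" counts as one suffix (assumption: a real
# deployment would use the full Public Suffix List).
KNOWN_SUFFIXES = ("co.uk", "org.uk", "com", "net", "org", "info", "biz", "ru")


def registered_label(fqdn: str) -> str:
    """Return the label the registrant chose, e.g. 'jkamevbxhupg' for jkamevbxhupg.co.uk."""
    name = fqdn.lower().rstrip(".")
    for suffix in sorted(KNOWN_SUFFIXES, key=len, reverse=True):
        if name.endswith("." + suffix):
            name = name[: -len(suffix) - 1]
            break
    return name.split(".")[-1]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(label: str) -> int:
    """Heuristic score 0..3; higher is more DGA-like. Thresholds are assumptions."""
    score = 0
    if len(label) >= 11:                     # generated labels tend to be long
        score += 1
    vowels = sum(ch in "aeiou" for ch in label)
    if vowels / max(len(label), 1) < 0.3:    # pronounceable words have more vowels
        score += 1
    if shannon_entropy(label) > 3.2:         # near-uniform letter mix
        score += 1
    return score


def suspicious_queries(log_text: str, threshold: int = 2):
    """Return (client, fqdn, score) for log lines whose name scores >= threshold."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue                         # ignore malformed or non-query lines
        _, client, _, fqdn = parts
        score = dga_score(registered_label(fqdn))
        if score >= threshold:
            hits.append((client, fqdn, score))
    return hits


if __name__ == "__main__":
    for client, fqdn, score in suspicious_queries(SAMPLE_DNS_LOG):
        print(f"{client} -> {fqdn} (score {score})")
```

A host that repeatedly queries high-scoring names, most of which fail to resolve, is the pattern worth alerting on; a single hit is only a hint.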

Once Cryptolocker contacts its C&C, it generates a public/private cryptographic key for your specific computer, using very strong and standard RSA and AES 2048-bit encryption. The private key is only stored on the attacker’s C&C servers, but the public key is saved in a registry entry on your computer. Cryptolocker then uses that key pair to encrypt many different types of files on your computer. Here’s a list of files Cryptolocker looks for:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.

After encrypting your files, Cryptolocker shows a screen warning you that you have 72 hours to pay either $300 or £200 in order to get your files back.

What should I do if I get infected?

If you are infected with Cryptolocker, the first thing you should do is disconnect the infected PC from the internet. If Cryptolocker can’t access its C&C, it can’t encrypt files. Disconnecting the machine may prevent further files from being encrypted.

There are many tools that will totally clean a Cryptolocker infection, but most victims are more concerned with recovering encrypted files. Unfortunately, you will not be able to crack Cryptolocker’s encryption. It uses a very strong and reliable public/private key implementation that is similar to what commercial encryption products use. It would take decades to centuries to crack today. There is a chance that the good guys may eventually track down the attacker’s C&C servers, and recover some private keys. However, I would not hold out much hope for this.

Rather, if Cryptolocker encrypts some of your files, you should check whether you have a backup, as that is your best chance of recovering the lost data. That said, some victims have reported some success using Windows’ built-in System Restore features to recover some lost files, too.

Many have asked whether or not Cryptolocker’s decryption process works if you pay the ransom. Personally, I highly discourage you from ever paying extortion to cyber criminals. Not only are you paying off criminals, but you are encouraging them to continue to use these methods in the future. That said, reports claim that Cryptolocker’s decryption does work. However, in order for the process to work, an infected computer must retain access to the C&C server. If the server is taken down by authorities, sink-holed, or temporarily goes offline, paying the ransom may only result in the loss of your money.

How can I avoid Cryptolocker?

First, most commercial antivirus (AV) products can detect many variants of Cryptolocker. So you should definitely use both host-based and network-based AV products, and keep them up to date. That said, Cryptolocker’s authors are very aggressive at re-packing and crypting their malware. Without going into technical details, packing and crypting are techniques malware authors use to make the same executable file look different on a binary level, which helps it evade some AV solutions. You can learn more about packing and crypting in this video (near the end). In short, though AV helps a lot, some variants may get past some AV solutions. You need to use other defenses as well.

Also note that some web security solutions, such as WatchGuard’s WebBlocker or Reputation Enabled Defense (RED) service, can help. These services keep track of millions of malicious URLs and web sites. This means they can block access to sites that distribute malware, or can prevent infected hosts from reaching C&C servers. In the video above, you can see WebBlocker preventing a Cryptolocker-infected machine from reaching its C&C servers. If you aren’t using a WatchGuard XTM appliance with the UTM services, I highly recommend you do so, or at least use some other web security solution.

Finally, awareness is the best defense. Cryptolocker typically spreads in pretty obvious looking phishing emails. The emails may pretend to be FedEx or UPS related messages, which contain zip files that hide a double-extension executable. You should train your users to recognize some of the common phishing and malware signs, such as unsolicited emails from shipping providers, double-extension files, links that point to the wrong sites, and so on. With a little vigilance, and security products like our XTM appliance, you should be able to avoid most Cryptolocker infections.
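The shipping-themed lure described above usually arrives as a zip whose member is a double-extension executable, and (as the comment thread below notes) a gateway only catches it if it decompresses the archive. This added example (my own code, not the post’s or WatchGuard’s) walks a constructed sample attachment, including a nested zip, and flags members whose name pairs a document extension with an executable one; the extension lists, the depth limit and the sample archive are assumptions.

```python
import io
import zipfile

# Extensions Windows runs directly (assumption: illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Extensions a user expects to be harmless documents or images.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt", "zip"}


def is_double_extension_executable(name: str) -> bool:
    """True for names like 'invoice.pdf.exe': a document extension masking a runnable one."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS


def scan_zip_bytes(data: bytes, max_depth: int = 3, _depth: int = 1, _prefix: str = ""):
    """Return suspicious member paths in a zip, descending into nested zips up to max_depth."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = _prefix + info.filename
            if is_double_extension_executable(info.filename):
                findings.append(path)
            elif info.filename.lower().endswith(".zip"):
                if _depth < max_depth:
                    findings.extend(
                        scan_zip_bytes(zf.read(info), max_depth, _depth + 1, path + "!"))
                else:
                    # Beyond the decompression limit we cannot vouch for the content.
                    findings.append(path + " (nested zip not inspected: depth limit)")
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: outer zip with a benign PDF, a .PDF.exe, and a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("tracking/label.pdf.exe", b"MZ placeholder, not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("shipment.pdf", b"%PDF-1.4 benign placeholder")
        z.writestr("FedEx_Invoice.PDF.exe", b"MZ placeholder, not a real program")
        z.writestr("details.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in scan_zip_bytes(build_sample_attachment()):
        print("BLOCK:", hit)
```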

So to summarize, Cryptolocker is aggressively spreading, and has infected many victims. However, security products like WatchGuard’s XTM appliance can detect and block it using various security services. That said, Cryptolocker can also spread internally through network shares, which network security solutions can’t prevent. Ultimately, your best defense is awareness and vigilance. If you haven’t already warned your users about Cryptolocker, I recommend you do so, and perhaps even refer them to the video above.

If you’d like much more technical detail about Cryptolocker, here are some of my favorite resources:

— Corey Nachreiner, CISSP (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

42 Responses to “Everything You Wanted to Know About Cryptolocker…”

  1. two workstations infected by Cryptolocker on network protected by Watchguard XTM-5 device

  2. Unfortunately we had an infection that was not stopped also. UTM is installed and configured, including RED. We traced the infection to the user, then used WSM logging to confirm exactly when it occurred, which workstation was infected, and saw it calling home to the C&C every 60 minutes.

    • Matt and Lucci, which XTM specifically are you using?

      One key to our AV catching it is that you have the large AV signature set (It has 2.5mil signatures instead of around 250K). Only smaller appliances, like the 2-Series, and some 5’s have the small signature set (due to memory constraints).

      Also, random interesting fact… if you use XTMv (the virtual version), the signature set depends on the amount of RAM you reserve for your VM. If you reserve 1GB or less, you get the smaller set, but if you reserve 2GB or more, you get the large set.

      Cheers,
      Corey

      • Using XTM510 v11.8

      • Lucci,

        That model definitely uses the Small signature set for GAV (memory restrictions). So it is possible for that small set to not have as many Cryptolocker related signatures. That said, the Small set is supposed to have all the major wild list sigs, which Cryptolocker is definitely one of, so we will work with our partner to see if we can get some of the large set’s cryptolocker related signatures into the small set too.

      • Thanks Corey. Let me know if it will be implemented.

      • No problem… Also one other pro-tip I may not have made clear in the post. Many cryptolocker emails include the file as a zip first. You need to open the zip to find the evil, double-extension .pdf.exe or whatever. If it arrives as a zip file, our GAV will only catch it if you “Enable decompression” in the GAV settings.

        This is something I always do, and may have been a default before… However, I just learned in a conversation that it is NOT the default any longer. So check your AV settings and make sure you are enabling decompression, so we can find threats in zips too.

        Cheers,
        Corey

      • already have had enabled decompression – 3 levels deep

      • “That model definitely uses the Small signature set for GAV”
        I have that same model, but I may have opted for a better model if I had known that little bit of info. There is no mention of this in the comparison sheets – perhaps something for WG to update

      • We have an XTM 525 – Can you please let me know if this uses the small or large signature set?

        I agree with Nik Y – If there is a difference in signature set size between devices it should be made note of. Kind of important you would think.

  3. 1. The nastiest thing about Cryptolocker is that the key generation process happens online. In earlier versions of different crypto-ransomware, the private key was stored on the victim’s machine, generated from the computer SID and encrypted by one of the standard Windows API functions… Now the malware goes online, generates the pair, and you can’t get the pair to decrypt… Looks like it’s the start of a new botnet trend.
    2. My thanks to Corey for the PoC of protection against some versions of Cryptolocker with WatchGuard XTM.

  4. I’ve been advising everyone to make sure ‘Control Panel – Folder Options – View – Hide extensions for known file types’ is not ticked. With this option removed, it will be easier to spot a fake (e.g. sample.pdf.exe) file.

  5. Great blog article. On an unconnected note, I’m truly looking forward
    to Battlefield 4. How about you guys?

  6. Is there any tool to decrypt the infected files?

    • Unfortunately, no. Obviously, if you have a backup that helps. If you are using Windows’ automatic System Restore, you MAY be able to restore files from Shadow copies (though newer variants killed those)… The only known way is to pay the ransom, which I personally really don’t recommend.

  7. Whoa! This blog looks just like my old one! It’s on a completely different subject but it
    has pretty much the same page layout and design. Excellent choice of colors!

  8. Hello there. I found your weblog by the use of msn. This is a very
    neatly written article. I will be sure to bookmark it and return to learn more of your helpful information. Thank you
    for the post. I will certainly come back.

  9. Very great post. I just stumbled upon your blog and wished to say that
    I have truly loved surfing around your weblog posts.
    After all I’ll be subscribing in your feed and I’m hoping you write once more soon!

  10. An impressive share! I’ve just forwarded this onto a friend who
    had been conducting a little research on this. And he actually ordered me
    breakfast because I found it for him… lol. So let me reword this….
    Thank YOU for the meal!! But yeah, thanx for spending time to
    discuss this topic here on your web page.

  11. So a 200 calorie deficit daily will result in a
    20 pound fat loss in a year. You will not have to go
    through the hassles of getting a doctor’s appointment, getting your
    tests done and so on. It aromatizes (changes) to estrogen, a molecule proven to increase fat storage
    and decreases muscle mass.

  12. Wonderful, my friend, more of this please.
    I like one of these much more than any woman.

  13. I’m going to tell my little brother that he should also
    pay a visit to this weblog on a regular basis to stay updated from the most up-to-date gossip.

  14. Nicely authored and articulated.

  15. I feel I have just found the best new writer!
    Hi and thanks!

  16. Have you ever considered about adding a little bit more than just your articles?
    I mean, what you say is important and all.

    But think about if you added some great photos or videos to give
    your posts more, “pop”! Your content is excellent but with pics and videos,
    this site could certainly be one of the best in its field.
    Superb blog!

  17. Your style is really unique in comparison to other folks I’ve read stuff
    from. Thanks for posting when you’ve got the opportunity, Guess I’ll just book mark this blog.

Trackbacks/Pingbacks

  1. eXactBot Hosting Solutions » How To Combat CryptoLocker - November 8, 2013

    […] If you do have a backup, it’s time to wipe your computer of the virus. Fortunately for you, said Nachreimer, just about every antivirus vendor has a CryptoLocker cleanup tool. Work with your regular antivirus software, or follow a tutorial. Nachreimer suggests the FAQ at Bleeping Computer, which he links in his own blog post. […]

  2. How To Fight CryptoLocker And Evade Its Ransomware Demands - November 9, 2013

    […] If you do have a backup, it’s time to wipe your computer of the virus. Fortunately for you, said Nachreiner, just about every antivirus vendor has a CryptoLocker cleanup tool. Work with your regular antivirus software, or follow a tutorial. Nachreiner suggests the FAQ at Bleeping Computer, which he links in his own blog post. […]

  3. CryptoLocker – time to take notice! | Kiandra IT Blog - November 11, 2013

    […] http://watchguardsecuritycenter.com/2013/11/04/everything-you-wanted-to-know-about-CryptoLocker/ […]

  4. IT Security Guru | US CERT issues warning about CryptoLocker - November 26, 2013

    […] one of several botnets frequently leveraged in the cyber-criminal underground.” According to Watchguard, CryptoLocker is a ransomware Trojan that encrypts your personal files and often arrives as a file […]

  5. Visibility is necessary to determine which information to secure | Smart Security - November 26, 2013

    […] demonstration of how WatchGuard Dimension can actively identify the signatures of CryptoLocker. CryptoLocker is a form of ransom ware that is quickly spreading across the Internet through phishing and social […]

  6. 5 things you can do to block Cryptolocker infections without spending another cent. | LogicalTech's enterprise technology thought leadership blog forum - November 26, 2013

    […] Cryptolocker Ransomware seems to be everywhere right now. This Ransomware is one of the most dangerous computer viruses to appear in recent years and has been a real threat for businesses globally. It has largely taken the Security industry by surprise, especially given that the infection vector is mostly via Email attachments which in themselves are very easy to identify and block. Based on the success of Cryptolocker we will probably see a few more variants and new infection vectors. Anything that makes money is likely to spawn a whole family of copycats. So it’s important to stop the spread. […]

  7. IT Security Guru Around 140 CryptoLocker C&C domains sinkholed | IT Security Guru - December 3, 2013

    […] to Watchguard, CryptoLocker is a ransomware Trojan that encrypts your personal files and often arrives as a file […]

  8. Professional Virus, Malware Removal and System Tune Up » Bowes IT Solutions - December 15, 2013

    […] then blackmails you into paying hundreds or even thousands of dollars to unencrypt them. The list of file types it attacks […]

  9. How Managed Security Can Help Stop Cryptolocker | MegaNet Communications - December 16, 2013

    […] step towards protecting users and their data. We’re an authorized WatchGuard partner, and their firewalls have two different ways they can protect users. Both WebBlocker and Reputation Enabled Defense help stop machines from either downloading infected […]

  10. Expert Virus, Malware Removal and System Tune Up » Bowes IT Solutions - December 16, 2013

    […] then blackmails you into paying hundreds or even thousands of dollars to unencrypt them. The list of file types it attacks […]

  11. How To Block CryptoLocker, A Virus That Encrypts Your Files Then Demands A $300 Ransom | BaciNews - January 2, 2014

    […] If you do have a backup, it’s time to wipe your computer of the virus. Fortunately for you, said Nachreiner, just about every antivirus vendor has a CryptoLocker cleanup tool. Work with your regular antivirus software, or follow a tutorial. Nachreiner suggests the FAQ at Bleeping Computer, which he links in his own blog post. […]

  12. Cryptolocker - Nasty Ransomware Wrecking Havoc Worldwide - Checkmarx - January 13, 2014

    […] Source 1 – All You Wanted To Know About Cryptolocker […]

  13. How important visibility is to defending your data in 2014? | LogicalTech's enterprise technology thought leadership blog forum - January 13, 2014

    […] demonstration of how WatchGuard Dimension can actively identify the signatures of CryptoLocker. CryptoLocker is a form of ransom ware that is quickly spreading across the Internet through phishing and social […]

  14. US CERT issues warning about CryptoLocker - January 28, 2014

    […] one of several botnets frequently leveraged in the cyber-criminal underground.” According to Watchguard, CryptoLocker is a ransomware Trojan that encrypts your personal files and often arrives as a file […]
