… And Weren’t Afraid to Ask
If you follow my weekly Infosec news video, you probably remember me mentioning Cryptolocker in an episode late September. At the time, Cryptolocker seemed very similar to the many other ransomware variants in the wild, except that it seemed to be spreading a bit more quickly than others. However, over time Cryptolocker has proven much more aggressive than previous extortion malware campaigns. I have since received many emails and tweets from readers and customers asking about it; especially whether or not WatchGuard’s XTM security appliance can do anything to prevent it. With that in mind, I created a quick video about Cryptolocker, which also shows how WatchGuard’s XTM appliance can detect it. Watch the video below, and continue reading for more details and references.
(Episode Runtime: 12:54)
Direct YouTube Link: http://www.youtube.com/watch?v=uifwqLHYGsk
Since many great sources have already described Cryptolocker in complete detail, I’ll just share a quick summary. However, I’ll include links to my favorite Cryptolocker resources at the end of the post.
Cryptolocker is a ransomware trojan that encrypts your personal files. It spreads in many ways, including in phishing emails that contain malicious attachments or links, or via drive-by download sites. Often, Cryptolocker arrives as a file with a double extension, such as *.pdf.exe. Since Windows doesn’t display file extensions by default, this file may look like a PDF file rather than an executable.
If you run Cryptolocker, it infects your computer like normal malware, placing its files in Windows directories, and creating registry entries that allow it to restart when you reboot. It then also tries to contact its command and control (C&C) server. The malware uses a random domain name generation algorithm to try and find a current C&C server. Some sample Crytpolocker domains might look like this:
Once Cryptolocker contacts its C&C, it generates a public/private cryptographic key for your specific computer, using very strong and standard RSA and AES 2048-bit encryption. The private key is only stored on the attacker’s C&C servers, but the public key is saved in a registry entry on your computer. Cryptolocker then uses that key pair to encrypt many different types of files on your computer. Here’s a list of files Cryptolocker looks for:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.
After encrypting your files, Cryptolocker shows a screen warning you that you have 72 hours to pay either $300 or £200 in order to get your files back.
What should I do if I get infected?
If you are infected with Cryptolocker, the first thing you should do is disconnect the infected PC from the internet. If Cryptolocker can’t access its C&C, it can’t encrypt files. Disconnecting the machine may prevent further files from being encrypted.
There are many tools that will totally clean a Cryptolocker infection, but most victims are more concerned with recovering encrypted files. Unfortunately, you will not be able to crack Cryptolocker’s encryption. It uses a very strong and reliable public/private key implementation that is similar to what commercial encryption products use. It would take decades to centuries to crack today. There is a chance that the good guys may eventually track down the attacker’s C&C servers, and recover some private keys. However, I would not hold out much hope for this.
Rather, if Cryptolocker encrypts some of your files, you should check if you have a backup, as that is your best chance of recovering the lost data. That said, some victims have reported some success with using Windows’ built-on System restore features to recover some lost files, too.
Many have asked whether or not Cryptolocker’s decryption process works if you pay the ransom. Personally, I highly discourage you from ever paying extortion to cyber criminals. Not only are you paying off criminals, but you are encouraging them to continue to use these methods in the future. That said, reports claim that Cryptolocker’s decryption does work. However, in order for the process to work, an infected computer must retain access to the C&C server. If the server is taken down by authorities, sink-holed, or temporarily goes offline, paying the ransom may only result in the loss of your money.
How can I avoid Cryptolocker?
First, most commercial antivirus (AV) products can detect many variants of Cryptolocker. So you should definitely use both host-based and network-based AV products, and keep them up to date. That said, Cryptolocker’s authors are very aggressive at re-packing and crypting their malware. Without going into technical details, packing and crypting are techniques malware authors use to make the same executable file look different on a binary level, which helps it evade some AV solutions. You can learn more about packing and crypting in this video (near the end). In short, though AV helps a lot, some variants may get past some AV solutions. You need to use other defenses as well.
Also note, some web security solutions, such as WatchGuard’s WebBlocker or Reputation Enabled Defense (RED) service can help. These services keep track millions of malicious URLS and web sites. This means they can block access to sites that distribute malware, or can prevent infected hosts from reaching C&C servers. In the video above, you can see WebBlocker preventing a Cryptolocker infected machine from reaching its C&C servers. If you aren’t using a WatchGuard XTM appliance with the UTM services, I highly recommend you do so, or at least use some other web security solution.
Finally, awareness is the best defense. Cryptolocker typically spreads in pretty obvious looking phishing emails. The emails may pretend to be FedEx or UPS related messages, which contain zip files that hide a double-extension executable. You should train your users to recognize some of the common phishing and malware signs, such as unsolicited emails from shipping providers, double-extension files, links that point to the wrong sites, and so on. With a little vigilance, and security products like our XTM appliance, you should be able to avoid most Cryptolocker infections.
So to summarize, Cryptolocker is aggressively spreading, and has infected many victims. However, security products like WatchGuard’s XTM appliance can detect and block it using various security services. That said, Cryptolocker can also spread internally through network shares, which network security solutions can’t prevent. Ultimately, your best defense is awareness and vigilance. If you haven’t already warned your users about Cryptolocker, I recommend you do so, and perhaps even refer them to the video above.
If you’d like much more technical detail about Cryptolocker, here are some of my favorite resources: