Last week’s article about how to prevent CryptoLocker ransomware attacks generated quite a bit of feedback and lots of questions from readers. For some answers — and since the malware itself has morphed significantly in just a few day’s time — I turned to Lawrence Abrams and his online help forum BleepingComputer.com, which have been following and warning about this scourge for several months.
To recap, CryptoLocker is a diabolical new twist on an old scam. The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. — as well as any files on attached or networked storage media. CryptoLocker then demands payment via Bitcoin or MoneyPak and installs a countdown clock on the victim’s desktop that ticks backwards from 72 hours. Victims who pay the ransom receive a key that unlocks their encrypted files; those who let the timer expire before paying risk losing access to their files forever.
Or, at least, that’s how it worked up until a few days ago, when the crooks behind this scam began easing their own rules a bit to accommodate victims who were apparently willing to pay up but simply couldn’t jump through all the hoops necessary in the time allotted.
“They realized they’ve been leaving money on the table,” Abrams said. “They decided there’s little sense in not accepting the ransom money a week later if the victim is still willing to pay to get their files back.”
Part of the problem, according to Abrams, is that few victims even know about Bitcoins or MoneyPak, let alone how to obtain or use these payment mechanisms.
“We put up survey and asked how many [victims] had paid the ransom with Bitcoins, and almost no one said they did, Abrams said. “Most paid with MoneyPak. The people who did pay with Bitcoins said they found the process for getting them was so cumbersome that it took them a week to figure it out.”
Another major stumbling block that prevents many otherwise willing victims from paying the ransom is, ironically, antivirus software that detects CryptoLocker — but only after the malware has locked the victim’s most prized files with virtually uncrackable encryption.
“Originally, when antivirus software would clean a computer, it would remove the CryptoLocker infection, which made it so the user could not pay the ransom,” Abrams said. “Newer versions change the desktop background to include a URL where the user can download the infection again and pay the ransom.”
The idea of purposefully re-infecting a machine by downloading and executing highly destructive malware may be antithetical and even heresy to some security pros. But victims who are facing the annihilation of their most precious files probably have a different view of the situation. Abrams that said his testing has shown that as long as the registry key “HKCUSoftwareCryptolocker_0388″ remains in the Windows registry, re-downloading the malware would not try to re-encrypt the already encrypted data — although it would encrypt any new files added since the initial infection.
“Some antivirus companies have been telling victims not to pay the ransom,” Abrams said. “On the one hand, I get it, because you don’t want to encourage these malware writers. But on the other hand, there are some companies that are facing going out of business if they don’t, and can’t afford to take the holier-that-thou route.”
CRYPTOLOCKER DECRYPTION SERVICE
On Friday, Nov. 1, the crooks behind this malware campaign launched a “customer service” feature that they have been promising to debut for weeks: a CryptoLocker Decryption Service. “This service allow [sic] you to purchase private key and decrypter for files encrypted by CryptoLocker,” the site reads. “Customers” of the service can search for their “order number” simply by uploading any of the encrypted files.
“They’re calling it an ‘order,’ as if victims posted an order at Amazon.com,” Abrams said.
“If you already purchased private key using CryptoLocker, then you can download private key and decrypter for free,” explains the service, which is currently hosted at one of several addresses on the Tor anonymity network. The decryption service site is not reachable from the regular Internet; rather, victims must first download and install special software to access the site — yet another potential hurdle for victims to jump through.
According to Abrams, victims who are still within the initial 72-hour countdown clock can pay the ransom by coughing up two Bitcoins — or roughly $200 using a MoneyPak order. Victims who cannot pay within 72 hours can still get their files back, but for that unfortunate lot the ransom rises fivefold to 10 bitcoins — or roughly USD $2,232 at current exchange rates. And those victims will no longer have the option to pay the ransom via MoneyPak.
Abrams said the service exposes two lies that the attackers have been perpetuating about their scheme. For starters, the bad guys have tried to dissuade victims from rolling back their system clocks to buy themselves more time to get the money together and pay the ransom. According to Abrams, this actually works in many cases to delay the countdown timer. Secondly, the launch of the Cryptolocker Decryption Service belies the claim that private keys needed to unlock files encrypted by CryptoLocker are deleted forever from the attacker’s servers after 72 hours.
DETECTING AND PREVENTING CRYPTOLOCKER
Last week’s story pointed to two tools that can help block CryptoLocker infections. Individual Windows users should check out CryptoPrevent, a tiny utility from John Nicholas Shaw, CEO and developer of Foolish IT, a computer consultancy based in Outer Banks, N.C. Small business administrators can avail themselves of a free tool from enterprise consulting firm thirdtier.net, which recently released its CryptoLocker Prevention Kit. This comprehensive set of group policies can be used to block CryptoLocker infections across a domain.
As this scam illustrates, relying on antivirus software alone to protect you from attacks is foolhardy. Also, it’s vitally important not only to have a backup plan for when a malware or hardware disaster strikes, but also in the event of nasty attacks like this one. For example, backing up your files to a removable or network drive is a great idea, but one added layer of protection against attacks like this is to perhaps disconnect those drives when you’re not backing up your data.
Also, I hope it’s clear that tools like CryptoPrevent and antivirus are no substitutes for common sense. Threats like these are opportunistic, and as with many modern threats your best protection against them is to employ basic online street smarts: Street smart rule #1 is don’t blithely open attachments in emails you weren’t expecting, even if they appear to come from someone you know.
For other tips on keeping your data and computer safe, see my tutorial — Tools for a Safer PC. While many of these CryptoLocker attacks have been perpetrated via cleverly disguised malicious email attachments, there are indications that this malware is being disseminated via networks of PCs that have already been hacked through other methods. Abrams said many recent CryptoLocker attacks have actually started with infections from the ZeuS or Zbot banking Trojan, which is then used to download and install CryptoLocker.
“If you’re really lucky, your system may also get [the spam bot] Cutwail installed on there as well and start spamming,” Abrams said.
For more information on this threat, see BleepingComputer.com’s CryptoLocker Ransomware Information Guide and FAQ.