Secplicity - Security Simplified

Powered by WatchGuard Technologies

Everything You Wanted to Know About Cryptolocker…

November 4, 2013 By Corey Nachreiner

… And Weren’t Afraid to Ask

If you follow my weekly Infosec news video, you probably remember me mentioning Cryptolocker in an episode in late September. At the time, Cryptolocker seemed very similar to the many other ransomware variants in the wild, except that it appeared to be spreading a bit more quickly than the others. Over time, however, Cryptolocker has proven much more aggressive than previous extortion malware campaigns. I have since received many emails and tweets from readers and customers asking about it, especially whether or not WatchGuard’s XTM security appliance can do anything to prevent it. With that in mind, I created a quick video about Cryptolocker, which also shows how WatchGuard’s XTM appliance can detect it. Watch the video below, and continue reading for more details and references.

(Episode Runtime: 12:54)

Direct YouTube Link: http://www.youtube.com/watch?v=uifwqLHYGsk

Since many great sources have already described Cryptolocker in complete detail, I’ll just share a quick summary. However, I’ll include links to my favorite Cryptolocker resources at the end of the post.

Cryptolocker is a ransomware trojan that encrypts your personal files. It spreads in many ways, including in phishing emails that contain malicious attachments or links, or via drive-by download sites. Often, Cryptolocker arrives as a file with a double extension, such as *.pdf.exe. Since Windows doesn’t display file extensions by default, this file may look like a PDF file rather than an executable.

If you run Cryptolocker, it infects your computer like normal malware, placing its files in Windows directories and creating registry entries that allow it to restart when you reboot. It then tries to contact its command and control (C&C) server. The malware uses a random domain name generation algorithm to try to find a current C&C server. Some sample Cryptolocker domains might look like this:

  • jkamevbxhupg.co.uk
  • uvpevldfpfhoipn.info
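As an added example (not code from the original post or from WatchGuard), here is a simple heuristic, written in Python, for spotting random-looking hostnames of this kind in DNS query logs. The log lines are constructed for the illustration; the two suspicious hostnames are the ones quoted above. The length, entropy and consonant-run thresholds and the tiny public-suffix table are assumptions chosen for the example, not values from the post.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log lines (not from the original post). The two
# random-looking hostnames are the ones the article itself quotes.
SAMPLE_DNS_LOG = """\
2013-11-04T09:01:12 client=10.0.0.21 query=www.watchguard.com type=A
2013-11-04T09:01:13 client=10.0.0.21 query=jkamevbxhupg.co.uk type=A
2013-11-04T09:01:13 client=10.0.0.21 query=uvpevldfpfhoipn.info type=A
2013-11-04T09:01:15 client=10.0.0.22 query=mail.google.com type=A
2013-11-04T09:01:16 client=10.0.0.22 query=secplicity.org type=A
"""

QUERY_RE = re.compile(r"query=(?P<host>\S+)")

# Assumption: a tiny stand-in for a real public suffix list.
PUBLIC_SUFFIXES = ("co.uk", "com", "org", "info", "net")


def registrable_label(host):
    """Return the label directly left of the public suffix, e.g. 'jkamevbxhupg'."""
    host = host.lower().rstrip(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1].split(".")[-1]
    return host.split(".")[-2] if "." in host else host


def shannon_entropy(s):
    """Bits of entropy per character; random strings score higher than words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(s):
    """Pronounceable names rarely have long runs of consonants; DGA output often does."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(label):
    """Count how many independent 'looks random' signals the label trips (0-3).
    Thresholds are assumptions tuned for this example."""
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) >= 3.3:
        score += 1
    if longest_consonant_run(label) >= 4:
        score += 1
    return score


def flag_dga_queries(log_text, threshold=2):
    """Return the queried hostnames whose registrable label scores at or above threshold."""
    flagged = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        host = m.group("host")
        if dga_score(registrable_label(host)) >= threshold:
            flagged.append(host)
    return flagged
```

A scorer like this is a triage aid, not a verdict: short brand names with a long consonant cluster pick up a point too, which is why two independent signals are required before a query is flagged, and why a hit should be correlated with the other indicators described in this post (periodic beaconing to the same host, the registry and file artifacts) rather than acted on alone.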

Once Cryptolocker contacts its C&C, it generates a public/private cryptographic key pair for your specific computer, using standard, strong cryptography (2048-bit RSA together with AES). The private key is stored only on the attacker’s C&C servers, while the public key is saved in a registry entry on your computer. Cryptolocker then uses that key pair to encrypt many different types of files on your computer. Here’s a list of the file types Cryptolocker looks for:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.

After encrypting your files, Cryptolocker shows a screen warning you that you have 72 hours to pay either $300 or £200 in order to get your files back.

What should I do if I get infected?

If you are infected with Cryptolocker, the first thing you should do is disconnect the infected PC from the internet. If Cryptolocker can’t access its C&C, it can’t encrypt files. Disconnecting the machine may prevent further files from being encrypted.

There are many tools that will totally clean a Cryptolocker infection, but most victims are more concerned with recovering encrypted files. Unfortunately, you will not be able to crack Cryptolocker’s encryption. It uses a very strong and reliable public/private key implementation that is similar to what commercial encryption products use. It would take decades to centuries to crack today. There is a chance that the good guys may eventually track down the attacker’s C&C servers, and recover some private keys. However, I would not hold out much hope for this.

Rather, if Cryptolocker encrypts some of your files, you should check whether you have a backup, as that is your best chance of recovering the lost data. That said, some victims have reported some success using Windows’ built-in System Restore features to recover some lost files, too.

Many have asked whether or not Cryptolocker’s decryption process works if you pay the ransom. Personally, I highly discourage you from ever paying extortion to cyber criminals. Not only are you paying off criminals, but you are encouraging them to continue to use these methods in the future. That said, reports claim that Cryptolocker’s decryption does work. However, in order for the process to work, an infected computer must retain access to the C&C server. If the server is taken down by authorities, sink-holed, or temporarily goes offline, paying the ransom may only result in the loss of your money.

How can I avoid Cryptolocker?

First, most commercial antivirus (AV) products can detect many variants of Cryptolocker. So you should definitely use both host-based and network-based AV products, and keep them up to date. That said, Cryptolocker’s authors are very aggressive at re-packing and crypting their malware. Without going into technical details, packing and crypting are techniques malware authors use to make the same executable file look different on a binary level, which helps it evade some AV solutions. You can learn more about packing and crypting in this video (near the end). In short, though AV helps a lot, some variants may get past some AV solutions. You need to use other defenses as well.

Also note that some web security solutions, such as WatchGuard’s WebBlocker or Reputation Enabled Defense (RED) service, can help. These services keep track of millions of malicious URLs and web sites. This means they can block access to sites that distribute malware, or can prevent infected hosts from reaching C&C servers. In the video above, you can see WebBlocker preventing a Cryptolocker-infected machine from reaching its C&C servers. If you aren’t using a WatchGuard XTM appliance with the UTM services, I highly recommend you do so, or at least use some other web security solution.

Finally, awareness is the best defense. Cryptolocker typically spreads in pretty obvious looking phishing emails. The emails may pretend to be FedEx or UPS related messages, which contain zip files that hide a double-extension executable. You should train your users to recognize some of the common phishing and malware signs, such as unsolicited emails from shipping providers, double-extension files, links that point to the wrong sites, and so on. With a little vigilance, and security products like our XTM appliance, you should be able to avoid most Cryptolocker infections.
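The double-extension trick described here and earlier in the post, and the point raised in the comments that a zip wrapper has to be opened before an attachment’s real extension is visible, can be shown in code. The following Python is an added example, not part of the original post or of any WatchGuard product: it walks a zip attachment, descends into nested zips up to a configurable depth, and reports any entry whose final extension is executable but is preceded by a document-style extension. The sample attachment is constructed in memory; the executable extensions other than .exe are an assumption for the example.

```python
import io
import posixpath
import zipfile

# Final extensions treated as executable. The post only mentions .exe; the
# others are an assumption added for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def is_double_extension_executable(name):
    """True for names like 'invoice.pdf.exe': an inner extension disguising an executable.
    'setup.exe' (no inner extension) and 'report.pdf' (not executable) are not flagged."""
    base = posixpath.basename(name).lower()
    parts = base.split(".")
    if len(parts) < 3:  # need at least name.inner.outer
        return False
    return "." + parts[-1] in EXECUTABLE_EXTS


def scan_zip_bytes(data, max_depth=3, _depth=1, _prefix=""):
    """Inspect a zip held in memory, recursing into nested zips up to max_depth levels.

    Returns (suspicious, unscanned): paths flagged as double-extension executables,
    and nested archives that were NOT opened because the depth limit was reached.
    Nested paths are written archive.zip!/inner_name so the location is unambiguous."""
    suspicious, unscanned = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = _prefix + info.filename
            if is_double_extension_executable(info.filename):
                suspicious.append(path)
            elif info.filename.lower().endswith(".zip"):
                if _depth >= max_depth:
                    # Report rather than assume clean: this is what an AV engine
                    # that stops at its decompression limit cannot see.
                    unscanned.append(path)
                else:
                    inner_sus, inner_unscanned = scan_zip_bytes(
                        zf.read(info), max_depth, _depth + 1, path + "!/"
                    )
                    suspicious += inner_sus
                    unscanned += inner_unscanned
    return suspicious, unscanned


def build_zip(entries):
    """Build an in-memory zip from a {name: bytes} mapping (used for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_attachment():
    """Constructed sample: a fake shipping notice with a benign text file, a
    double-extension 'PDF', and a nested zip carrying another one. No real executables."""
    inner = build_zip({"tracking_details.pdf.exe": b"constructed placeholder, not an executable"})
    return build_zip({
        "README.txt": b"Your parcel could not be delivered.",
        "FedEx_Invoice.pdf.exe": b"constructed placeholder, not an executable",
        "archive.zip": inner,
    })


if __name__ == "__main__":
    found, skipped = scan_zip_bytes(sample_attachment(), max_depth=3)
    print("suspicious:", found)
    print("unscanned:", skipped)
```

The `max_depth` limit mirrors the decompression depth setting discussed in the comments: anything nested deeper than the limit comes back as unscanned rather than being silently treated as clean, so a gateway or triage script can quarantine it instead of letting it through.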

So to summarize, Cryptolocker is aggressively spreading, and has infected many victims. However, security products like WatchGuard’s XTM appliance can detect and block it using various security services. That said, Cryptolocker can also spread internally through network shares, which network security solutions can’t prevent. Ultimately, your best defense is awareness and vigilance. If you haven’t already warned your users about Cryptolocker, I recommend you do so, and perhaps even refer them to the video above.

If you’d like much more technical detail about Cryptolocker, here are some of my favorite resources:

  • Bleeping Computer’s Cryptolocker FAQ
  • Reddit’s Guide to Cryptolocker
  • Reddit’s Original Cryptolocker post

— Corey Nachreiner, CISSP (@SecAdept)


Filed Under: Security Bytes

Comments

  1. Lucci says

    November 4, 2013 at 9:11 am

    Two workstations infected by Cryptolocker on a network protected by a WatchGuard XTM-5 device.

    • Corey Nachreiner says

      November 4, 2013 at 9:14 am

      Are you using UTM services? Do you use proxies, AV, and WebBlocker? Also, don’t forget backdoor infections… i.e. someone walks a laptop in, and the infection spreads via shares.

    • Josiah says

      June 19, 2014 at 5:20 am

      There is now a piece of software out there that helps sort through your files and determines whether any of them are unencrypted. If they are recoverable, it automatically copies them to an external drive of your choice. I work at a computer shop and we use it on computers that have been hit with Cryptolocker.

      http://www.solutisoft.com/downloads.html

  2. Matt Schubeck says

    November 5, 2013 at 6:18 am

    Unfortunately we had an infection that was not stopped also. UTM is installed and configured, including RED. We traced the infection to the user, then used WSM logging to confirm exactly when it occurred, which workstation was infected, and saw it calling home to the C&C every 60 minutes.

    • Corey Nachreiner says

      November 5, 2013 at 8:18 am

      Matt and Lucci, which XTM specifically are you using?

      One key to our AV catching it is having the large AV signature set (it has 2.5 million signatures instead of around 250K). Only smaller appliances, like the 2-Series and some 5s, have the small signature set (due to memory constraints).

      Also, random interesting fact… if you use XTMv (the virtual version), the signature set depends on the amount of RAM you reserve for your VM. If you reserve 1GB or less, you get the smaller set, but if you reserve 2GB or more, you get the large set.

      Cheers,
      Corey

      • Lucci says

        November 5, 2013 at 8:22 am

        Using XTM510 v11.8

      • Corey Nachreiner says

        November 6, 2013 at 12:21 pm

        Lucci,

        That model definitely uses the Small signature set for GAV (memory restrictions). So it is possible for that small set to not have as many Cryptolocker-related signatures. That said, the Small set is supposed to have all the major wild list sigs, which Cryptolocker is definitely one of, so we will work with our partner to see if we can get some of the large set’s Cryptolocker-related signatures into the small set too.

        • Lucci says

          November 6, 2013 at 12:40 pm

          Thanks Corey. Let me know if it will be implemented.

      • Corey Nachreiner says

        November 6, 2013 at 12:53 pm

        No problem… Also one other pro-tip I may not have made clear in the post. Many cryptolocker emails include the file as a zip first. You need to open the zip to find the evil, double-extension .pdf.exe or whatever. If it arrives as a zip file, our GAV will only catch it if you “Enable decompression” in the GAV settings.

        This is something I always do, and may have been a default before… However, I just learned in a conversation that it is NOT the default any longer. So check your AV settings and make sure you are enabling decompression, so we can find threats in zips too.

        Cheers,
        Corey

        • Lucci says

          November 6, 2013 at 12:58 pm

          Already have decompression enabled – 3 levels deep.

      • Nik Y says

        November 11, 2013 at 5:19 am

        “That model definitely uses the Small signature set for GAV”
        I have that same model, but I might have opted for a better model if I had known that little bit of info. There is no mention of this in the comparison sheets – perhaps something for WG to update.

      • Ben says

        December 1, 2013 at 9:02 pm

        We have an XTM 525 – Can you please let me know if this uses the small or large signature set?

        I agree with Nik Y – If there is a difference in signature set size between devices it should be made note of. Kind of important you would think.

  3. Alexander Kushnarev says

    November 8, 2013 at 12:53 am

    1. The nastiest thing about Cryptolocker is that the key generation process happens online. In earlier versions of various crypto-ransomware, the private key was stored on the victim’s machine, generated from the computer SID and encrypted by one of the standard Windows API functions… Now the malware goes online, generates the pairs, and you can’t get the pair to decrypt… Looks like it’s the start of a new botnet trend.
    2. My thanks to Corey for the PoC of protection against some versions of Cryptolocker with WatchGuard XTM.

  4. nick ioannou says

    November 21, 2013 at 8:13 am

    I’ve been advising everyone to make sure ‘Control Panel – Folder Options – View – Hide extensions for known file types’ is not ticked. With this option removed, it will be easier to spot a fake (e.g. sample.pdf.exe) file.

  6. Marco Mota says

    May 21, 2014 at 3:15 pm

    Is there any tool to decrypt the infected files?

    • Corey Nachreiner says

      May 28, 2014 at 9:37 am

      Unfortunately, no. Obviously, if you have a backup that helps. If you are using Windows’ automatic System Restore, you MAY be able to restore files from Shadow copies (though newer variants killed those)… The only known way is to pay the ransom, which I personally really don’t recommend.

