… And Weren’t Afraid to Ask
If you follow my weekly Infosec news video, you probably remember me mentioning Cryptolocker in an episode late September. At the time, Cryptolocker seemed very similar to the many other ransomware variants in the wild, except that it seemed to be spreading a bit more quickly than others. However, over time Cryptolocker has proven much more aggressive than previous extortion malware campaigns. I have since received many emails and tweets from readers and customers asking about it; especially whether or not WatchGuard’s XTM security appliance can do anything to prevent it. With that in mind, I created a quick video about Cryptolocker, which also shows how WatchGuard’s XTM appliance can detect it. Watch the video below, and continue reading for more details and references.
(Episode Runtime: 12:54)
Direct YouTube Link: http://www.youtube.com/watch?v=uifwqLHYGsk
Since many great sources have already described Cryptolocker in complete detail, I’ll just share a quick summary. However, I’ll include links to my favorite Cryptolocker resources at the end of the post.
Cryptolocker is a ransomware trojan that encrypts your personal files. It spreads in many ways, including in phishing emails that contain malicious attachments or links, or via drive-by download sites. Often, Cryptolocker arrives as a file with a double extension, such as *.pdf.exe. Since Windows doesn’t display file extensions by default, this file may look like a PDF file rather than an executable.
If you run Cryptolocker, it infects your computer like normal malware, placing its files in Windows directories, and creating registry entries that allow it to restart when you reboot. It then also tries to contact its command and control (C&C) server. The malware uses a random domain name generation algorithm to try and find a current C&C server. Some sample Crytpolocker domains might look like this:
- jkamevbxhupg.co.uk
- uvpevldfpfhoipn.info
Once Cryptolocker contacts its C&C, it generates a public/private cryptographic key for your specific computer, using very strong and standard RSA and AES 2048-bit encryption. The private key is only stored on the attacker’s C&C servers, but the public key is saved in a registry entry on your computer. Cryptolocker then uses that key pair to encrypt many different types of files on your computer. Here’s a list of files Cryptolocker looks for:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.
After encrypting your files, Cryptolocker shows a screen warning you that you have 72 hours to pay either $300 or £200 in order to get your files back.
What should I do if I get infected?
If you are infected with Cryptolocker, the first thing you should do is disconnect the infected PC from the internet. If Cryptolocker can’t access its C&C, it can’t encrypt files. Disconnecting the machine may prevent further files from being encrypted.
There are many tools that will totally clean a Cryptolocker infection, but most victims are more concerned with recovering encrypted files. Unfortunately, you will not be able to crack Cryptolocker’s encryption. It uses a very strong and reliable public/private key implementation that is similar to what commercial encryption products use. It would take decades to centuries to crack today. There is a chance that the good guys may eventually track down the attacker’s C&C servers, and recover some private keys. However, I would not hold out much hope for this.
Rather, if Cryptolocker encrypts some of your files, you should check if you have a backup, as that is your best chance of recovering the lost data. That said, some victims have reported some success with using Windows’ built-on System restore features to recover some lost files, too.
Many have asked whether or not Cryptolocker’s decryption process works if you pay the ransom. Personally, I highly discourage you from ever paying extortion to cyber criminals. Not only are you paying off criminals, but you are encouraging them to continue to use these methods in the future. That said, reports claim that Cryptolocker’s decryption does work. However, in order for the process to work, an infected computer must retain access to the C&C server. If the server is taken down by authorities, sink-holed, or temporarily goes offline, paying the ransom may only result in the loss of your money.
How can I avoid Cryptolocker?
First, most commercial antivirus (AV) products can detect many variants of Cryptolocker. So you should definitely use both host-based and network-based AV products, and keep them up to date. That said, Cryptolocker’s authors are very aggressive at re-packing and crypting their malware. Without going into technical details, packing and crypting are techniques malware authors use to make the same executable file look different on a binary level, which helps it evade some AV solutions. You can learn more about packing and crypting in this video (near the end). In short, though AV helps a lot, some variants may get past some AV solutions. You need to use other defenses as well.
Also note, some web security solutions, such as WatchGuard’s WebBlocker or Reputation Enabled Defense (RED) service can help. These services keep track millions of malicious URLS and web sites. This means they can block access to sites that distribute malware, or can prevent infected hosts from reaching C&C servers. In the video above, you can see WebBlocker preventing a Cryptolocker infected machine from reaching its C&C servers. If you aren’t using a WatchGuard XTM appliance with the UTM services, I highly recommend you do so, or at least use some other web security solution.
Finally, awareness is the best defense. Cryptolocker typically spreads in pretty obvious looking phishing emails. The emails may pretend to be FedEx or UPS related messages, which contain zip files that hide a double-extension executable. You should train your users to recognize some of the common phishing and malware signs, such as unsolicited emails from shipping providers, double-extension files, links that point to the wrong sites, and so on. With a little vigilance, and security products like our XTM appliance, you should be able to avoid most Cryptolocker infections.
So to summarize, Cryptolocker is aggressively spreading, and has infected many victims. However, security products like WatchGuard’s XTM appliance can detect and block it using various security services. That said, Cryptolocker can also spread internally through network shares, which network security solutions can’t prevent. Ultimately, your best defense is awareness and vigilance. If you haven’t already warned your users about Cryptolocker, I recommend you do so, and perhaps even refer them to the video above.
If you’d like much more technical detail about Cryptolocker, here are some of my favorite resources:
- Bleeping Computer’s Cryptolocker FAQ
- Reddit’s Guide to Cryptolocker
- Reddit’s Original Cryptolocker post
two workstations infected by Cryptolocker on network protected by Watchguard XTM-5 device
Are you using UTM services? Do you use proxies, AV, and Webblocker? Also, don’t forget backdoor infections… i.e. someone walks a laptop in, and infection spreads via shares.
There is now a piece of software out there that helps sort through you files and determines if any of them are unencrypted. if they are recoverable it automatically copys them to an external drive of your choice. I work at a computer shop and we use it on computers that have been hit with cryptolocker.
http://www.solutisoft.com/downloads.html
Unfortunately we had an infection that was not stopped also. UTM is installed and configured, including RED. We traced the infection to the user, then used WSM logging to confirm exactly when it occurred, which workstation was infected, and saw it calling home to the C&C every 60 minutes.
Matt and Lucci, what XTM specifically are you using.
One key to our AV catching it is that you have the large AV signature set (It has 2.5mil signatures instead of around 250K). Only smaller appliances, like the 2-Series, and some 5’s have the small signature set (due to memory constraints).
Also, random interesting fact… if you use XTMv (the virtual version), the signature set depends on the amount of RAM you reserve for you VM. If you reserve 1GB or less, you get the smaller set, but if you reserve 2GB or more, you get the large set.
Cheers,
Corey
Using XTM510 v11.8
Lucci,
That model definitely uses the Small signature set for GAV (memory restrictions). So it is possible for that small set to not have as many Cryptolocker related signatures. That said, the Small set is supposed to have all the major wild list sigs, which Cryptolocker is definitely one of, so we will work with our partner to see if we can get some of the large set’s cryptolocker related signatures into the small set too.
Thanks Corey. Let me know if will be implemented.
No problem… Also one other pro-tip I may not have made clear in the post. Many cryptolocker emails include the file as a zip first. You need to open the zip to find the evil, double-extension .pdf.exe or whatever. If it arrives as a zip file, our GAV will only catch it if you “Enable decompression” in the GAV settings.
This is something I always do, and may have been a default before… However, I just learned in a conversation that it is NOT the default any longer. So check your AV settings and make sure you are enabling decompression, so we can find threats in zips too.
Cheers,
Corey
already have had enabled decompression – 3 levels deep
“That model definitely uses the Small signature set for GAV”
I have that same model, but I may have opted for a better model if I had known that little bit of info. There is no mention of this in the comparison sheets – perhaps something for WG to update
We have an XTM 525 – Can you please let me know if this uses the small or large signature set?
I agree with Nik Y – If there is a difference in signature set size between devices it should be made note of. Kind of important you would think.
1. The most nasty thing about Cryptolocker – is that the key generation process goes online. In earier versions of different crypto-ransomware instances private key stores on the victim’s machines, generated from computer SID and encrypted by one of the standard Windows API’s functions… Now – malware goes online, generate pairs, and you can’t get the pair to decrypt… Looks like it’s a start a new botnet trend.
2. My thanks to Corey for PoC about the protection against some versions of Cryptolocker with WatchGuard XTM.
I’ve been advising everyone to make sure ‘Control Panel – Folder Options – View – Hide extensions for known file types’ is not ticked. With this option removed, it will be easier to spot a fake (e.g. sample.pdf.exe) file.
Great bloog article. On an unconnected note, I’m truly looking onward
to the Battlefield 4 . How about you guys?
there is any tool to decrytp the infect files?
Unfortunately, no. Obviously, if you have a backup that helps. If you are using Windows’ automatic System Restore, you MAY be able to restore files from Shadow copies (though newer variants killed those)… The only known way is to pay the ransom, which I personally really don’t recommend.
Whoa! This blog looks just like my old one! It’s on a completely different subject but it
has pretty much the same page layout and design. Excellent choice of colors!
Hello There. I found your weblog the use of msn. This is a very
neatly written article. I will be sure to bookmark it and return to learn more of your helpful information. Thank you
for the post. I will certainly comeback.
Very great post. I just stumbled upon your blog and wished to say that
I have truly loved surfing around your weblog posts.
After all I’ll be subscribing in your feed and I’m hoping you write once more soon!
An impressive share! I’ve just forwarded this onto a friend who
had been conducting a little research on this. And he actually ordered me
breakfast because I found it for him… lol. So let me reword this….
Thank YOU for the meal!! But yeah, thanx for spending time to
discuss this topic here on your web page.
So a 200 calorie deficit daily will result in a
20 pound fat loss in a year. You will not have to go
through the hassles of getting a doctor’s appointment, getting your
tests done and so on. It aromatizes (changes) to estrogen, a molecule proven to increase fat storage
and decreases muscle mass.
Estupendo amigo, mas de esto por favor.
Me encanta mucho mas uno de estos que cualquier mujer.
I’m gone to say to my little brother, that he should also
pay a visit this weblog on reguloar basis to take updated froom most up-to-date gossip.
Nicely authored and articulated.
I feel I have just found the best new writer!
Hi and thanks!
Have you ever considered about adding a little bit more than just your articles?
I mean, what you say is important and all.
But think about if you added some great photos or videos to give
your posts more, “pop”! Your content is excellent but with pics and videos,
this site could certainly be one of the best in its field.
Superb blog!
Amazing! Its genuinely awesome paragraph, I have got
much clear idea regarding from this article.