Ransomware in general is not exactly the nastiest malware out there, but a new variant – called CryptoLocker – is particularly worrisome because it actually does what most ransomware merely claims to do: it encrypts the contents of your computer using strong cryptography.
If you are unfamiliar, ransomware is a variety of malware that, once it infects its host-machine, at least says it’s encrypted the data on or locked its victim’s machine in some other way. The malware then informs the infected user that he or she must pay a ransom in order to unlock their files. Of course, there is never any guarantee whatsoever that paying the ransom will unlock anything. More likely than not, paying the ransom won’t accomplish anything other than fattening the pockets of the jerk or jerks that developed or deployed the malware.
We write about plenty of lofty threats here because they are interesting and because you may have heard scary things about them on the news. We like to come along and explain the threat, how it works, what it is, and, generally, why you don’t really need to worry about it. This is not one of those cases. CryptoLocker is the sort of threat that can seriously ruin your week, month, or year depending on how important the data on your computer is (and backup frequency), so you should worry about it at least a little.
It comes as no surprise that a few infected users that paid the ransom are saying that they never received the decryption key in return, though some reports indicate that the group behind the attack started distributing decryption keys late last week.
There appear to be a few different attack groups utilising CryptoLocker at the moment. I wrote about one such implementation of it last month for Threatpost. The malware encrypted photos, videos, documents, and more, even providing victims with a link to a full list of encrypted file-types. The malware was using RSA-2048 encryption protected by a private key. The ransomware-interface displayed a countdown clock of three days, warning users that if time elapses, the private decryption key would be deleted forever and there would be no way to recover the encrypted files.
The attackers are demanding a ransom-payment of roughly $300 via a number of different payment methods, including Bitcoin.
So potent is this threat that it warranted an advisory from the United States Computer Emergency readiness Team (US-CERT). US-CERT is a branch of the Department of Homeland Security that is essentially tasked with analysing and reducing the risk posed by online threats. Their advisory noted that CryptoLocker infections were on the rise, but it’s primary purpose was to urge those infected not to pay the ransom associated with the malware.
For the most part, CryptoLocker is spreading via various phishing campaigns, including some from legitimate businesses, or through phony Federal Express or UPS tracking notifications. Some victims said CryptoLocker has appeared after a separate botnet infection as well. According to Kaspersky’s Costin Raiu, this malware primarily targets users from US and UK, with India, Canada, Australia and France being second-tier targets.
Some versions of CryptoLocker are reportedly capable of affecting not only local files but also files stored in removable media such as USB sticks, external hard drives, network file shares and some cloud storage services that are able to sync local folders with online storage. The US-CERT notification also warns that the malware can jump from machine to machine within a network and advises that infected users remove affected machines from their networks immediately.
Respected security journalist Brian Krebs reported earlier this week that the crew behind CryptoLocker has softened their 72-hour deadline, likely because they were losing money on users that would pay, but could not figure out how to pay with Bitcoin or MoneyPak in the time allotted. The countdown clock remains, but the decrypt-key doesn’t get deleted after that window of time is over. Instead, the attackers merely ratchet the price up to ten times the original price.
Lawrence Abrams, a malware expert from BleepingComputer.com who is cited in Krebs’s article, says that a number of businesses and individuals will have no choice but to pay the ransom. I disagree, mostly on principle. If you pay these guys it will only encourage them. Back up your machine now, and regularly, and don’t leave your external backup drive plugged into your machine. If you become infected, just roll it back to one of your backups.
Certain anti-virus product-features may help you, but according to Krebs’s report, some AV products are removing the infection after it has encrypted the files, meaning that it would be impossible for those users to pay the ransom even if they wanted to. Quite interestingly, CryptoLocker authors utilise system wallpapers to address this scenario. If a victim is willing to pay, but antivirus has removed the infection (this doesn’t decrypt files), it is possible to voluntarily download malware executable using the link written on the wallpaper.
Users of Kaspersky Internet Security are protected against all current modifications of CryptoLocker, preventing it from executing on their systems.