Cryptolocker Ransomware: What You Need To Know

Update 12/20/2013: A new version of Cryptolocker—dubbed Cryptolocker 2.0—has been discovered by ESET, although researchers believe it to be a copycat of the original Cryptolocker after noting large differences in the program’s code and operation. You can read the full blog comparing the two here.

Original story:

Just last month, antivirus companies discovered a new ransomware known as Cryptolocker.

This ransomware is particularly nasty because infected users are in danger of losing their personal files forever.


Spread through email attachments, this ransomware has been seen targeting companies through phishing attacks.

Cryptolocker will encrypt users’ files using asymmetric encryption, which requires both a public and private key.

The public key is used to encrypt data (and to verify signatures), while the private key is used for decryption; each operation is the inverse of the other.

Below is an image from Microsoft depicting the process of asymmetric encryption.

[Image: diagram of asymmetric encryption, from Microsoft]

The bad news is that decryption is impossible unless the user has the private key, and that key is stored only on the cybercriminals’ server.
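To make the asymmetry concrete, here is an added toy RSA walkthrough; it is example code written for this page, not code from the original post or from Malwarebytes. It uses the textbook primes 61 and 53 so every number is small enough to follow by hand, which means it gives no real security (real RSA uses moduli of 2048 bits or more, plus padding). What it shows is exactly the property the article relies on: anyone holding the public key (n, e) can encrypt, but only the holder of the private exponent d can turn the ciphertext back into the file.

```python
"""Toy RSA walkthrough (added example, not from the original post).

Deliberately tiny primes so every number fits on screen; this protects
nothing and exists only to show the public/private asymmetry described
in the article.
"""
from math import gcd


def generate_keypair(p: int, q: int, e: int = 17):
    """Derive (public, private) keys from two primes p and q (assumed prime)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """RSA encryption of one integer block m using the public key (n, e)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("block must lie in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """RSA decryption of one block using the private key (n, d)."""
    n, d = private_key
    return pow(c, d, n)


def encrypt_bytes(public_key, data: bytes):
    """Encrypt data one byte per block (requires n > 255)."""
    return [encrypt(public_key, b) for b in data]


def decrypt_bytes(private_key, blocks) -> bytes:
    """Inverse of encrypt_bytes; only works with the matching private key."""
    return bytes(decrypt(private_key, c) for c in blocks)


def demo():
    """Encrypt with the public key, recover with the private key, and show
    that applying the public key again is not a decryption."""
    public, private = generate_keypair(61, 53, e=17)  # n = 3233, d = 2753
    blocks = encrypt_bytes(public, b"my photos")        # constructed sample
    recovered = decrypt_bytes(private, blocks)
    # The victim's view: holding only (n, e), re-applying it yields garbage.
    public_only = decrypt(public, encrypt(public, 65))
    return recovered, public_only


if __name__ == "__main__":
    recovered, public_only = demo()
    print(recovered, public_only != 65)
```

The last line of `demo` is the point of the article: with the private exponent held on a remote server, the public key left on the infected machine is no help at all, which is why no scanner can "undo" the encryption after the fact.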

Currently, infected users are instructed to pay $300 USD to receive this private key.

Infected users also have a time limit to send the payment. If this time elapses, the private key is destroyed, and your files may be lost forever.

Files targeted are those commonly found on most PCs today; the list of file extensions for targeted files includes:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files. The folks at BleepingComputer have some additional insight on this found here.

Removal:

Malwarebytes detects Cryptolocker infections as Trojan.Ransom, but it cannot recover your encrypted files due to the nature of asymmetric encryption, which requires a private key to decrypt files encrypted with the public key.


In order to make removal even easier, a video was also created to guide users through the process (courtesy of Pieter Arntz).

While Malwarebytes cannot recover your encrypted files post-infection, we do have options to prevent infections before they start.

Users of Malwarebytes Anti-Malware Pro are protected by malware execution prevention and blocking of malware sites and servers.

To learn more on how Malwarebytes stops malware at its source, check out this blog.

Free users will still be able to detect the malware if present on a PC, but will need to upgrade to Pro in order to access these additional protection options.


Backup:

Also, the existence of malware such as Cryptolocker reinforces the need to back up your personal files.

However, a local backup may not be enough in some instances, as Cryptolocker may even go after backups located on a network drive connected to an infected PC.

Cloud-based backup solutions are advisable for business professionals and consumers alike. Malwarebytes offers Malwarebytes Secure Backup, which offers an added layer of protection by scanning every file before it is stored within the cloud in an encrypted format (don’t worry, you can decrypt these).


To find out more about removing Cryptolocker, check out the official removal guide from Malwarebytes.

Update: Adam Kujawa from Malwarebytes gives further insight about Cryptolocker in an interview with Category 5.

_________________________________________________________________

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis. Follow him on Twitter @joshcannell


39 thoughts on “Cryptolocker Ransomware: What You Need To Know”

  1. Ken Halloran says on October 8, 2013 at 12:16 pm :

    This whole article reads like an ad for Malwarebytes’ paid software. That is disappointing. I’ve always thought highly of your software and approach to security. Your web site is very informative. This just sounds like so many other bait & switch security tools that offer “free” scans but, lo and behold, you have to purchase the “pro” version to actually get rid of anything. I always thought Malwarebytes was above that kind of tactic. Guess I was wrong.

  2. Judie Tassie Jag says on October 8, 2013 at 1:01 pm :

    I have 2 Trojan.Ransom in my Quarantine of Malwarebytes Anti-Malware Pro. Do I just leave or delete these, or do I need to do something else? There seems to be no effect on my computer that I’ve noticed.

  3. Cecile Nguyen says on October 8, 2013 at 1:34 pm :

    Judie, if the trojans are in the quarantine, they will no longer affect your computer. Deleting it will permanently remove it from your computer. We place items in quarantine first to allow users to decide if they would like to delete or perhaps restore the item. In your case, I would recommend deleting it.

  4. Cecile Nguyen says on October 8, 2013 at 1:40 pm :

    Hi Ken, Malwarebytes Anti-Malware Free will still detect AND remove cryptolocker. However, since the Free version is an on-demand scanner, Malwarebytes Anti-Malware Free will not detect cryptolocker until after you run a scan. It will remove the ransomware following a scan but right now, there is no way to get your encrypted files back besides using a restore point.

    The paid PRO version, however, offers real-time protection and will block cryptolocker from running, thus saving you the headache of encrypted files.

  5. Marquis Washington says on October 10, 2013 at 9:50 am :

    Here is what I have found. It helped me, and it worked perfectly. If you need more assistance, feel free to ask me.

    http://freetechsupport.com/virus-removal/cryptolocker-virus-removal-decryption-guide/

  6. Adam Kujawa says on October 10, 2013 at 10:54 am :

    @Marquis Washington Thanks for the guide, it’s very comprehensive.

    However, for anyone who reads it, please keep in mind that unless you have already backed up your files prior to the infection, there is very little to no chance that you can get them back. If you call the number of the “Technician” described on the freetechsupport.com website, do not fall for any potential scams or false truths about them being able to recover your files. Without the decryption key stored on the remote command and control server, it is not possible to get back your files.

    Keep a lookout for any of the potential scams listed on our Tech Support resource page of common tactics and always be suspicious =). http://blog.malwarebytes.org/tech-support-scams/#tricks

    Thanks and good luck!

  7. smpsn07 says on October 10, 2013 at 12:23 pm :

    I’m not sure if this will help anyone, but a computer came into our shop recently with this virus. The countdown timer is controlled by the BIOS clock. Changing the BIOS clock back a few days resets the timer till the private key is destroyed.

  8. Bryan L says on October 11, 2013 at 11:18 am :

    presuming this doesn’t utilize privilege escalation, wouldn’t the simplest defense be limited accts w/explicit exe whitelisting and no internet access for admin accts?

  9. Ted Mittelstaedt says on October 11, 2013 at 2:20 pm :

    Hi All,

    Sorry to report but there’s a new version of CryptoLocker out there and Malwarebytes with today’s signature will not detect it.

    To find it, boot the system; when the cryptolocker displays, Ctrl-Alt-Del, Task Manager, find the cryptolocker application, click Go To Process, right click and select Find Location.

    Also, it’s now not only marked hidden but it’s also marked itself as a system file so you have to turn that on, too.

    I have the file on a flash drive; if someone would tell me where to upload it I’ll send it to Malwarebytes. Right now I’m too busy dealing with this to search the website.

  10. John P says on October 11, 2013 at 3:43 pm :

    Nice ad for Malwarebytes. Here are the FACTS: A. This sort of thing has been around for YEARS, not just “last month”. B. I have personally worked on several computers infected with this and similar malware, with MBAM Pro installed and running, so the assertion that it will protect you is FALSE. C. In many cases, even an MBAM scan afterwards will not fully remove this, or detect it, and that is if you can even get to the point of running it, in which case a System Restore or reinstallation is your only remedy. D. ALWAYS back up your data.

  11. Nikolay Shmakov says on October 13, 2013 at 10:57 pm :

    Now to the good news. I have found the way to decrypt files after Cryptolocker has done its modifications. :) It renamed the files but there was no encryption set. So you should be able to restore them by renaming the extension of the tmp file.

    Nick
    Res-Q IT

  12. sc0tt says on October 14, 2013 at 4:44 am :

    Hi Nick,
    That is potentially big news. Do you know if you were just dealing with the original version of the trojan which reportedly only had weak encryption? The one we have been dealing with is the real deal with 256-bit.

    Where were these tmp files you speak of?
    Thanks!
    There’s a long ongoing discussion on this with people trying different things here:
    www bleepingcomputer com/forums/t/506924/cryptolocker-hijack-program/page-45

  13. sc0tt says on October 14, 2013 at 6:05 am :

    We have successfully reinfected and decrypted, see the URL mentioned above for full info.

  14. Keith Golon says on October 15, 2013 at 8:40 pm :

    @sc0tt – that’s misleading. Saying here, on this forum, that you decrypted the files is incorrect. You may have recovered some from vss and other protected stores. But to decrypt them, no, absolutely not.

  15. Arcadian Duran says on October 24, 2013 at 6:42 pm :

    I find it funny, though, that most malware companies and virus companies release these so-called vagrant files to the public, either through devious methods such as updates for Google and Flash Player, or fake websites. When it’s easy to shut down these fake websites, they refuse to go after them, so knowing that, they are the ones releasing it to make money from ignorant people.
    Nice going!

  16. Kim Taylor says on October 24, 2013 at 7:41 pm :

    “Free users will still be able to detect the malware if present on a PC, but will need to upgrade to Pro in order to access these additional protection options.” I have to agree with Ken. You couldn’t have come up with a better advertisement for Malwarebytes if you had paid an ad agency to do it for you. I am truly thankful that the Center for Disease Control doesn’t use your philosophy for virus protection.

  17. Olivia Sky says on October 24, 2013 at 9:56 pm :

    This virus is insane and virtually impossible to get rid of. I made a YouTube video documenting the process when we had to pay our dreaded $300 to “get” our files back, http://www.youtube.com/watch?v=iiGSr-HSPb0 Hopefully this helps anyone who wants to know what happens after they pay. I hope they find the morons who made this virus.

  18. Brandon Adkins says on October 25, 2013 at 8:49 am :

    @Kim Taylor

    It seems they just worded it poorly. The free version *DOES* detect AND remove the trojan. The free version just does not have active real-time protection, which is available in the Pro version.

    MB is very clear that the free version is on-demand, and the Pro version is real-time prevention/protection. It’s always been that way. It’s not a bait and switch. Compared to most other solutions, MBAM Pro is a steal anyway. No recurring subscription costs, and very effective scanning and removal.

    I’ve only used the free version but it has helped me out many times when helping family members and others with malware removal.

    This blog post is a little overly-saturated in marketing, sure, but they do have a product that removes and prevents this malware, so why wouldn’t they market it as a solution?

  19. Shamus McYellybean says on October 25, 2013 at 12:45 pm :

    Calling this a blatant plug for MBAM makes you a total douchebag. It’s not like MBAM can reverse the encryption, it just prevents the code from executing.

    If you don’t use malware protection or have backups, then you are a fool and your mom knows it, she just can’t come to bear telling it to your face.

  20. Jared Armstrong says on October 25, 2013 at 2:41 pm :

    Here is a free scan tool that finds files that may have been encrypted by CryptoLocker:

    http://omnispear.com/tools/cryptolocker-scan-tool

  21. imaddbrad says on October 25, 2013 at 11:47 pm :

    I paid the $300 and then after an hour the files were unlocked. It took about 7 hours. I was able to access the files for most of the day. I decided to buy Malwarebytes Anti-Malware Premium and installed it on the computer. I ran it and found many objects that said “Spybot”. Once I removed them and restarted the machine the Windows 7 operating system went into startup repair for a couple of hours and everything was encrypted again and the Cryptolocker was back after it had been gone for half a day. If you pay the ransom, back up your files before you remove the Cryptolocker because it comes back with a vengeance if you try and remove it. This thing is a nightmare and has spread to other computers in my office. I don’t think there is a way to stop it.

  22. François Bernard-Thibault says on October 31, 2013 at 6:09 pm :

    Please don’t make that guess! I would like it to be useful, but I believe that the secret key isn’t on your system, making it impossible to decipher your data by any means. The key shall be on the attacker’s machines and given to you only when you give the ransom.

    The data is encrypted on your machine with a “matching” public key, which is totally useless to recover your data (at least in this day and age!).

    In reply to:
    smpsn07 on October 10, 2013 at 12:23 pm said:
    I’m not sure if this will help anyone, but a computer came into our shop recently with this virus. The countdown timer is controlled by the bios clock. Changing the bios clock back a few days resets the timer til the private key is destroyed.

  23. Peter Pisto says on November 1, 2013 at 7:54 am :

    I’ve got 3 of these at my work…2 we were able to remove and restore data. 3rd..unable to do so (user decided to clean it and restored the system).

    1. Do not attempt to clean the virus right away
    ***there are 2 files..one is in temp folder,second is in your profile common folder.
    2. Disconnect yourself from the internet right away and avoid using the mouse( meaning do not click on anything).
    3. If you are already infected with this virus, reset the system-changed dates…this is a token, which will utilize your BIOS time.

    4. Back up your data..and format hard drive and install OS..potentially eliminate keylogger programs running in the background.

    ***AVG,Avast,Hitman Pro.

    Good luck.

  24. Troy Barnes says on November 6, 2013 at 4:20 pm :

    Fyi. If you use ctrl+alt+del to kill the crypto process it will be useless. It is self regenerating. Download Process Explorer, run it and select the crypto process and then select KILL TREE!!!! I have stopped the virus and cleaned it but unless you have system restore set to create restore points of EVERYTHING.

  25. superstupidvideos100 . says on November 7, 2013 at 12:20 am :

    I have an idea but I haven’t tested it yet. I have a bachelor’s in Information Technology and Systems, but this may or may not help anyway.
    If you back up the files, that nasty piece of software can encrypt your backup, but if you encrypt your files first, your files are protected and I guess you cannot encrypt an already encrypted file.
    Use AxCrypt to encrypt them.
    Can someone test it for me? The reason is my computer is being repaired.
    cheers
    Jc

  26. Nixitur . says on November 9, 2013 at 1:52 pm :

    superstupidvideos, that is absolute nonsense.
    You can easily encrypt files multiple times and you’ll have to decrypt them in reverse order (usually, anyway, some encryptions are commutative).

    Anyway, there’s a free Windows tool called CryptoPrevent which is able to keep malware like Cryptolocker from running. It works by keeping executables in certain locations from running which is what Cryptolocker depends on.

  27. bob123 says on December 11, 2013 at 9:21 pm :

    Been an interesting read but no one here (well maybe Nixitur) understands how encryption works. Not even sure, having seen video, that Malware knows…..

    So here is the deal, cryptolocker:
    Installed by whatever means
    disables task manager/regedit etc
    polls a load of address until it can find a control server
    server gives it public key
    cryptolocker saves the public key in the registry
    it then trolls all drives for file patterns (*. whatever) – anything with a letter assigned
    it finds a file and generates a NEW AES key and encrypts then overwrites, stores change record in file under your user directory. This file then contains the filename and the unique AES key but is encrypted with the public key (so no reverse)
    … repeats over and over

    I did think about weaknesses in all this but I have to say the unique AES key for each file is a killer…. the obvious counter, I thought, was to grab the current AES key whilst it was still active but the buggers clearly thought of that :(

    So a nice video but not well informed. I personally got myself a Blu-ray burner for Crimbo this year so I can do some hard copy backups. Also use Outpost and lock down a folder of important backup data (but clearly that can never be 100% as it is still in the OS)

  28. paul1940 says on December 12, 2013 at 6:22 pm :

    I am using MBAM Pro which I assume can keep this virus from running, but I prefer the belt and suspenders approach.

    Backing up data files to protect against a CRYPTOLOCKER infection now seems to be mandatory. Since you can now buy a WD 4 TB USB drive for $160 it doesn’t really pay to not backup files. Since the extensions which CRYPTOLOCKER attempts to encrypt are known you could write a ROBOCOPY job file to copy just those extensions to a USB drive. Immediately before making this backup you could run REGEDIT and search for CRYPTOLOCKER in the entire registry. If REGEDIT did not find it you would be reasonably certain that the computer is not currently infected. You could then go ahead and make your ROBOCOPY backup. The backup USB drive must be unplugged whenever you are not actually copying to it. It would also be a good idea to disconnect the computer from the Internet before starting a backup. Unplugging the ethernet cable which connects it to a router or cable modem is simple enough. I don’t really know how to temporarily disconnect a computer from a wireless modem.

    Would anyone care to assist me in temporarily disconnecting my computer from my wireless modem, writing a ROBOCOPY job file to copy the required extensions, or writing a batch file which would not write over older backups but would instead place a new backup in a new dated directory?
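The article's extension list and paul1940's request above (a backup of just those extensions that never writes over an older backup) can be combined into one small script. The following is an added example written for this page, not paul1940's own job file and not a Malwarebytes tool; it uses a portable Python copy loop in place of ROBOCOPY, and the directory names inside `demo()` are constructed for the demonstration. Each run lands in a fresh timestamped directory under the backup root and refuses to run if that directory already exists, so previous backup sets are never overwritten.

```python
"""Extension-filtered, dated backup (added example; not the post's own code).

Copies only files whose extension is on the article's Cryptolocker target
list into a new timestamped subdirectory of the backup root.
"""
import os
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# The extension list from the article, lower-case, without the leading dot.
TARGETED_EXTENSIONS = frozenset("""
3fr accdb ai arw bay cdr cer cr2 crt crw dbf dcr der dng doc docm docx dwg
dxf dxg eps erf indd jpe jpg kdc mdb mdf mef mrw nef nrw odb odm odp ods
odt orf p12 p7b p7c pdd pef pem pfx ppt pptm pptx psd pst ptx r3d raf raw
rtf rw2 rwl srf srw wb2 wpd wps xlk xls xlsb xlsm xlsx
""".split())


def is_targeted(path) -> bool:
    """True if the file's extension is on the list (case-insensitive)."""
    return Path(path).suffix.lower().lstrip(".") in TARGETED_EXTENSIONS


def find_targeted_files(source: Path):
    """Yield every file under `source` whose extension is on the list."""
    for root, _dirs, files in os.walk(source):
        for name in files:
            candidate = Path(root) / name
            if is_targeted(candidate):
                yield candidate


def backup_targeted(source: Path, backup_root: Path, stamp=None) -> Path:
    """Copy targeted files to backup_root/<stamp>/, keeping relative paths.

    A new directory per run means an older backup set is never written
    over; an existing set with the same stamp is refused, not merged into.
    """
    stamp = stamp or datetime.now().strftime("%Y-%m-%d_%H%M%S")
    dest_root = backup_root / stamp
    if dest_root.exists():
        raise FileExistsError(f"backup set already exists: {dest_root}")
    for src in find_targeted_files(source):
        dest = dest_root / src.relative_to(source)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)  # copy2 preserves timestamps as well as data
    return dest_root


def demo():
    """Run one backup over a constructed sample tree; returns what was copied."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "user_files"
        # Constructed sample files: two on the target list, two not.
        for rel in ("docs/report.docx", "photos/IMG_0001.JPG",
                    "notes.txt", "tools/setup.exe"):
            f = source / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(f"sample content of {rel}")
        dest = backup_targeted(source, Path(tmp) / "backups",
                               stamp="2013-12-12_demo")
        return sorted(p.relative_to(dest).as_posix()
                      for p in dest.rglob("*") if p.is_file())


if __name__ == "__main__":
    print(demo())  # ['docs/report.docx', 'photos/IMG_0001.JPG']
```

Point `source` at the profile directory and `backup_root` at the mounted USB drive; as the article notes, Cryptolocker also encrypts drives that are connected to the infected PC, so the script cannot substitute for unplugging the drive once the copy has finished.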

  29. rbaboo says on December 17, 2013 at 8:54 am :

    What about using SandBoxie to keep it out of your system?

  30. Animedude Johnson says on December 19, 2013 at 4:39 pm :

    Unless the communication between the virus and the hacker’s server is AES encrypted with a Diffie-Hellman or RSA protected key, then a simple packet sniffer should be able to determine the “private key” that is being sent to be stored on the hacker’s server. Furthermore.

    Even if it is encrypted for sending over the internet, at some point in the program’s running there must be an unencrypted copy of the private key in memory. In Windows 7, you can dump the memory of a running program from Task Manager. Also the free software HxD hex editor can show and edit memory in real time. Using such tools it should be possible to dump the memory and eventually figure out where the private key is, and decrypt these files yourself, without paying even a penny to the hackers. Also as mentioned by someone here, paying only decrypts the files. It does NOT remove the malware. Any attempt by any antivirus software to remove the malware (even after you paid to get your files decrypted) will be detected by the malware, and it will get its revenge upon you by re-encrypting everything.

    I’d recommend rebooting in safe mode and manually deleting the virus’s exe file.

  31. Gary Nicholl says on December 23, 2013 at 4:23 am :

    This is for paul1940 in regards to disabling the wi-fi on his PC. If you are using Windows 7, which I presume you are, then you do the following:

    Click on start
    Go into control panel
    Go into network and internet
    Go into network and sharing centre (if you do not have network and internet in the first screen then just go straight into network and sharing centre)
    Click on “change adaptor settings” on the left hand side of the window
    Right click on your wireless icon and click on disable.

    Another way to do this would be to disable the wireless drivers entirely.

    Go to start
    Right click on computer (or right click on computer if it is on your desktop screen)
    Go into manage
    Select device manager on the left hand side
    Look for “network adaptors” on the list on the right hand side
    Click on the + sign and right click on your wireless driver and select disable.

    Please be sure to remember to turn this back on again after you have done what it is you need to do, otherwise you won’t get access to your wi-fi on the machine, of course.

  32. Kevin S says on January 13, 2014 at 8:29 pm :

    I am an avid Malwarebytes user. We use it on at least 10 machines a day on the bench at the shop. We are a reseller for Malwarebytes and honestly their software is amazing. I thought I would share my interesting experience today. We had a computer come in with the Cryptolocker virus today and we kept scanning it and nothing would get rid of it. So I put the hard drive back in and powered the machine on one last time, and I noticed there was a splash screen right after the BIOS for a program called Rollback Rx and there it said press the Home key to access the subconsole, so me being Curious George I pressed the HOME KEY. It seemed to access some preboot console thing; at this point I was curious so I went to the bench computer and did a quick Google on Rollback Rx and it turned out it was like a System Restore program but installed outside of Windows. So I went through the subconsole thingy and selected to restore to one day earlier, before the infection came in, and well, it seemed to work. All the customer’s data was there and there was no trace of the bug. So I contacted the makers of Rollback and they confirmed that as long as you have Rollback installed prior to getting Cryptolocker or any infection, you can roll back with no issues and be back up and running. They also gave me this link to read more because I had soo many questions LOL: http://www.horizondatasys.com/en/cryptolocker_removal_and_protection.ihtml

  33. David Beard says on February 20, 2014 at 1:22 pm :

    Ken Halloran says on October 8, 2013 at 12:16 pm : Right on Ken. My thoughts too. I was thinking, ‘if a panic ensues and a mass purchase of Malwarebytes and cloud products occurs, I wonder how $ would be involved? Instant millionaires? Billionaires?’ Who wrote this malware anyway?

  34. aalia lyon says on February 28, 2014 at 8:24 pm :

    That’s an awesome blog. We can provide the best services for your problem; any time you can call my help desk number and solve your problem, just go through this url.
    error 1068 windows7
    Thank you
    Aalia lyon

  35. Aussie Skeptic says on March 31, 2014 at 8:29 am :

    Malwarebytes will NOT protect you against the AFP ransomware (Australian Federal Police). It will NOT detect it once the HDD is infected. The Malwarebytes “To The Rescue” disk will NOT boot once the machine is infected.

    Save your money, and seek an alternative product to Malwarebytes. Its advertising is somewhat over-generous in self praise – to say the least.

  36. Carl Taylor says on April 3, 2014 at 11:48 am :

    The best way to combat this is for the credit card companies to get involved. They need to allow their clients to pay the ransom and then allow them to reverse the charges afterwards. This is after all a criminal act and the criminals have no right to keep the ransom. What are they going to do after all. Call the credit card company and complain that the money was taken away from them? That would be great then they might be able to be identified and put in jail where they belong!

    People should start by calling their credit card company and explaining the situation. I think any reasonable credit card company should comply with this especially if their client calls them in advance to explain the situation.

    Carl.

  37. mark says on April 3, 2014 at 6:17 pm :

    The Malwarebytes.org comment above “..Users of Malwarebytes Anti-Malware Pro are protected by malware execution prevention..” is incorrect. My wife has a licensed, paid-for, recently-updated “Pro” Malwarebytes version running in a Windows 8 PC. Yet, the CryptoLocker malware program – apparently downloaded as an e-mail attachment – executed just fine. Post-malware execution, MBPro identified these malware files: trojan.agent, spyware.zbot, trojan.dofoil, and Malware.Packer.as. Ok, so we quarantined them after the fact, but then taking inventory of encrypted and thus effectively destroyed files we were just heartsick. The malware destroyed a large set of Word, Excel and pdf files, and jumped to the backup drive (regrettably, plugged in to the PC at the time) and destroyed all the backups too. Yes, MB seemed like an enlightened company and the product was inexpensive, but we certainly regret relying on MBPro for malware protection.

  38. Joshua Fritz says on April 13, 2014 at 12:03 pm :

    If you still have a system restore point, you can use shadow explorer on vista or 7 to recover your documents. But this virus tries to delete the restore points.

  39. treth says on April 15, 2014 at 12:23 am :

    Having just read through the above, is there a ‘good’ prevention method?

    I didn’t see a reply to the post asking whether Sandboxie prevents this.
    I have found Sandboxie prevents ‘things’ in the past and you can simply delete your sandbox.
    Or what about a virtual machine, could that help?
