Tech: Cryptolocker virus. ransomeware
Subject: Tech: Cryptolocker virus. ransomeware|
From: Mr Red
Date: 04 Nov 13 - 12:47 PM
Only just heard and not all Av software seems to be aware of it.
Basically an e-mail attachment that looks like a PDF from a plausible business contact presumably the big global ones like FEDEX & UPS referring to accounts or delivery.
What it does is encrypt files like .doc & .xls (and a big similar list) but not AFAIK mp3 or TXT then crawls along any network you are connected to and tries to do the same (from your computer) to any folders it can access (mostly any folders mapped as a letter) the a pop-up reports its worst and demands a ransom via bitcoin (& another such service). $100 or $300 within 96 hours. Then e-mails a release key.
A ceilidh band (Panjandrum) knew all about it and MJ had a PhD student who lost 3 weeks research work through it.
Anyone able to report on why some AV companies seem to be quiet on this?
Bleepingcomputer has info
& another discussion
a download (save don't run) as I read this in the Telegraph I would trust the download but it won't hurt to run a scan on it - my AV likes it.
Subject: RE: Tech: Cryptolocker virus. ransomeware|
From: Stilly River Sage
Date: 04 Nov 13 - 04:47 PM
There have been fake FedEx emails around for ages, landing in spam filters mostly. They are never to be trusted. I love the Bleepingcomputer site - I've used it for years to sort out installed programs, and learn about malware, and figure out if start programs really need to start, etc. It's a great resource.
Subject: RE: Tech: Cryptolocker virus. ransomeware|
Date: 05 Nov 13 - 05:21 PM
Cryptolocker is a specific malware form used mainly to connect individual computers into botnets. Since the intent is that you will NOT KNOW that your computer has been "seized for malicious use" it should give you no indications that it's present. This particular version is well enough known that the AV industry has a project currently working specifically to take down the servers that Cryptolocker goes to for its instructions for what to do. Some success has been reported.
Fake messages are used to get malware onto individual computers, but the method is not necessarily related to what particular malware the message carries. In many cases the malware is not contained in the first fake message, but the message tries to get you to "click here" and when you click, the link tells your computer that you've given permission for your computer to do something. This overrides some AV systems that would otherwise have blocked the malware, since "you're da boss." This method is commonly called a "SOCIAL ENGINEERED ATTACK" since it disguises itself as coming from someone you might recognize, and might be likely to "click" to reply. Business networks get a lot of these, with messages pretending to be from "your boss" or "your IT department." Local reports in my area have indicated a recent high incidence of messages "from the IRS." Anybody who wants to work at it a little can do it.
The fake message method may also be used to demand that you provide information that you shouldn't give to anyone, and if you reply it doesn't really need to put any malware on your computer since you've already given it what it wants. This doesn't mean it won't infect you since any reply you make can be faked into looking like a permission to download something, and they "might find something else later" if the get real malware on your computer.
Ransomware is a third and distinct kind of scam. Usually the first thing you see is a popup that tells you that your computer is "infected," and tells you you should "click here" to find out what to do about it. In many cases the first message is completely phony, as NO EXTERNAL WEB PAGE OR EMAIL should be able to look at sufficient content on your computer to tell whether there's anything malicious on it, if you have fairly ordinaty AV and Firewalls set up.
IF YOU CLICK, the site you click to may be rigged to make your computer assume that you've given permission, and malware may be downloaded to it. In the worst case, the download may seriously compromise the operation of your computer, and you'll be offered a removal if you send money. In many cases, sending money will only get a notice that "something better is needed," but once again when you send more money nothing useful will be done. When/if you conclude that sending more money won't help, you're left with a crippled comp0uter.
By now, anyone who has connected to the internet at least twice should know about each of these scams (and several other common ones), and should know the rule:
JUST DON'T CLICK
on anything that doesn't come from a source you KNOW and TRUST, and from whom you EXPECT to be receiving advice.
There are a few "semi-legitimate" programs that claim to be able to "clean your machine" and may produce similar popups. Nearly all of these are useless, but any IDIOT who would use an advertising method that emulates malware is not to be trusted by anyone who isn't a similarly afflicted idiot. (personal opinion, from one differently afflicted?)
Subject: RE: Tech: Cryptolocker virus. ransomeware|
Date: 06 Nov 13 - 05:44 PM
Previous news in Tech sources reported CryptoLocker as botnet recruiting malware, without explanation of what intended use it might have. Rumors were plentiful, but it has now been confirmed from reliable sources that it was/is distributing "ransomware" that messes up your machine and demands payment to get your data back. The initial CryptoLocker infection is still legitimately a botnet infection, but the malware downloaded to your computer, if yours is recruited, is well defined.
For those who won't follow a link:
The link for full article cited here: Nasty new malware locks your files forever, unless you pay ransom
Herb Weisbaum NBC News contributor 06 November 2013
CryptoLocker, a new and nasty piece of malicious software is infecting computers around the world – encrypting important files and demanding a ransom to unlock them.
According to Sophos, the worldwide digital security company, it's been hitting pretty hard for the past six weeks or so.
"It systematically hunts down every one of your personal files – documents, databases, spreadsheets, photos, videos and music collections – and encrypts them with military-grade encryption and only the crooks can open it," said Chester Wisniewski, a senior security advisor at Sophos.
Even though it's infected, your computer keeps working normally; you just can't access any of your personal files. It's scary, especially if you haven't backed-up your data.
CyrptoLocker is different from other types of "ransomware" that have been around for many years now that freeze your computer and demand payment. They can usually be removed which restores access to your files and documents.
Not CryptoLocker – it encrypts your files. There's only one decryption key and the bad guys have that on their server. Unless you pay the ransom – within three days, that key will be destroyed. And as the message from the extorters says" "After that, nobody and never will be able to restore files…"
The typical extortion payment is $300 USD or 300 EUR paid by Green Dot MoneyPak, or for the more tech savvy, two Bitcoins, currently worth about $400.
To instill a sense of urgency, a digital clock on the screen counts down from 72 hours to show much time is left before that unique decryption key is destroyed.
Good anti-virus software can remove the CryptoLocker malware from your computer, but it cannot undo the damage – the encryption is that good.
"It's the same type of encryption used in the commercial sector that's approved by the federal government," Wisniewski told me. "If the crooks delete that encryption key, your files are gone forever – even the NSA can't bring them back."
The cyber-crooks are targeting both businesses and individual computer users – anyone who will pay to regain access to their files.
OF COURSE, THERE'S NO GUARANTEE THERE WILL BE A HAPPY ENDING IF YOU PAY THE RANSOM. And then there's the bigger issue – by doing this, you're helping fund a criminal operation.
Since the encryption key is on the botnet server it's likely that the botnet connection is necessary for both the encryption and any decrypting. The program to take down the net servers should reduce the number of new infections, and a significant number of CryptoLocker servers have already been disabled; but if the server that has the key you need to decrypt your files goes down you won't be able to get it even if you pay them (and you might not get it anyway).
[If the key was downloaded so your computer could do the encryption "off line from their server" it likely would be possible, although difficult, to retrieve it from your own compter? No (known) programs to do this exist, but the possiblity suggests the BitLocker criminals would avoid this use.]
The only feasible way for most individual users to provide for recover from this malware is to have a full and complete backup of all their personal files, on a separate drive that IS NOT CONNECTED TO THE COMPUTER except when backups are being updated.
My own experience with external drives has been that you can't handle a "desktop backup drive" carefully enough to prevent loss of data, if not complete failure of the drive if you ever move it, so I'd recommend a PORTABLE USB EXTERNAL DRIVE if there's any possibility you might want to move the backup when it's not actually connected and in use. The portable ones generally are similar to laptop drives, and expected to take an occasional bump, although they still need to be handled carefully.
A "desktop" external drive likely will be a little faster, but once you have a basic copy, you should only need to add changes to the internal hard drive(s), so updates can be fairly quick even with a slightly slower drive.
ALL PERSONAL DATA on your computer and on any other computers connected via a local network MUST BE BACKED UP and the backup drives MUST BE DISCONNECTED when not actually being updated.
Most "backup" programs also "synchronise" what's in the backup. The article at the link explains why this kind of backup is NOT SUITABLE if you want protection from this particular malware.