Just last month, antivirus companies discovered a new ransomware family known as CryptoLocker. It is particularly nasty because infected users are in danger of losing their personal files for good.
Spread through email attachments, CryptoLocker has been seen targeting companies through phishing campaigns. Once running, it encrypts the user's files with asymmetric (public-key) encryption, which involves a key pair: the public key is used to encrypt, and only the matching private key, which the attackers hold on their own server, can decrypt what the public key encrypted.
Download the free CryptoLocker Prevention Utility here.
The bad news is that decryption is impossible without the private key stored on the cybercriminals' server. Currently, infected users are instructed to pay $300 USD to receive it.
Infected users also have a time limit to send the payment. If it elapses, the private key is destroyed and the files may be lost forever.
Files targeted are those commonly found on most PCs today; the targeted file extensions include:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx
In some cases it may be possible to recover previous versions of the encrypted files using System Restore, or other recovery software that reads the "shadow copies" Windows keeps of files. The folks at Bleeping Computer have additional insight on this, reproduced below.
Tips on How To Deal With Cryptolocker from Bleeping Computer
How did you become infected by CryptoLocker?
CryptoLocker currently has the following infection vectors:
- This infection was originally spread through emails sent to company addresses that pretend to be customer-support issues from FedEx, UPS, DHS, etc. These emails contain an attachment that, when opened, infects the computer.
- Currently dropped by Zbot infections, disguised as PDF attachments.
- Via exploit kits hosted on hacked web sites that exploit vulnerabilities on your computer to install the infection.
- Through Trojans that pretend to be programs required to view online videos. These are typically encountered on porn sites.
What happens when you become infected with CryptoLocker?
The CryptoLocker infection installs itself into the root of the %AppData% folder under a random filename. It then creates an autostart entry in each of the following keys and values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
Please note that the * in front of the RunOnce value name causes CryptoLocker to start even when Windows boots into Safe Mode.
If you find another entry under the above registry keys with a random value name and a path of the form %AppData%\random\random.exe, that is probably the Zbot dropper. More information about that infection can be found in the full Bleeping Computer article.
Once the infection is active on your computer it will scan your drives (local & network) and encrypt the following types of files with a mix of RSA & AES encryption: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
For each file that is encrypted, a registry value will be created under this key: HKCU\Software\CryptoLocker\Files
After a while, typically as long as it takes to encrypt the detected data files, you will be shown a screen titled CryptoLocker that contains a ransom note explaining how to decrypt your files. Depending on the version of CryptoLocker installed, the ransom may be $100 or $300 USD/EUR, payable via Bitcoin, MoneyPak, Ukash, or cashU. You will also be shown a countdown stating that you must pay the ransom within 72 hours. Failure to do so will cause the decryption tool to be deleted from your computer.
More detailed information about what this infection does when run can be found in this post by Fabian Wosar of Emsisoft.
Are there any tools that can be used to decrypt the encrypted files?
Unfortunately, at this time there is no way to retrieve the key used to encrypt your files. Brute-forcing the encryption key is realistically not possible given the time required to break a key of this length. Any decryption tools released by various companies will not work with this infection. The only method of restoring your files is from a backup or, if System Restore is enabled, from the Shadow Volume Copies that Windows creates whenever a restore point is taken. More information about restoring files via Shadow Volume Copies follows in the next section.
If you have neither System Restore enabled nor reliable backups, paying the ransom is the only remaining way to get your files back. Please note that there have been cases where people paid the ransom and the decryption did not work. Furthermore, if you do not pay within the allotted time, the CryptoLocker decryption tool is removed from your system, making it much more difficult, if not impossible, to restore your files.
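To make concrete why the guide says neither a generic decryptor nor brute force will help, here is an added illustration of the RSA-plus-AES pattern described above. It is written for this page and is not CryptoLocker's own code (the malware's on-disk file format is not described here); the 2048-bit RSA size, AES-256-CBC and a fresh AES key per file are assumptions chosen to match the usual hybrid design, and the file contents are a constructed sample. The point it shows is which key is needed at each step: everything the infected PC holds (ciphertext, IV, wrapped AES key, public key) is useless without the private key that never left the attackers' server.

```powershell
using namespace System.Security.Cryptography
using namespace System.Text

# Added example, not CryptoLocker's own code: envelope (RSA + AES) encryption of one
# file's contents. Assumptions: 2048-bit RSA, AES-256-CBC, one fresh AES key per file.

function Protect-FileBytes {
    param([byte[]]$Plaintext, [RSA]$AttackerPublicKey)
    $aes = [Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # The per-file AES key is the only secret on disk, and it is wrapped with the
    # attackers' PUBLIC key (OAEP), so the public key alone can never recover it.
    $wrappedKey = $AttackerPublicKey.Encrypt($aes.Key, [RSAEncryptionPadding]::OaepSHA1)
    [pscustomobject]@{ IV = $aes.IV; WrappedKey = $wrappedKey; Body = $body }
}

function Unprotect-FileBytes {
    param($Blob, [RSA]$AttackerPrivateKey)
    # Step 1 needs the private key: unwrap the per-file AES key ...
    $key = $AttackerPrivateKey.Decrypt($Blob.WrappedKey, [RSAEncryptionPadding]::OaepSHA1)
    # ... step 2 is ordinary AES once that key is known.
    $aes = [Aes]::Create()
    $aes.Key = $key; $aes.IV = $Blob.IV
    $aes.CreateDecryptor().TransformFinalBlock($Blob.Body, 0, $Blob.Body.Length)
}

# Attackers' key pair: generated and kept on their server.
$attacker = [RSACryptoServiceProvider]::new(2048)
# What the infected PC receives: the public half only ($false = exclude private parameters).
$onVictim = [RSACryptoServiceProvider]::new()
$onVictim.ImportParameters($attacker.ExportParameters($false))

$original = [Encoding]::UTF8.GetBytes('Q3 budget figures (constructed sample file contents)')
$blob = Protect-FileBytes -Plaintext $original -AttackerPublicKey $onVictim

# Everything on the victim side: fails, because a public-only RSA key cannot decrypt.
try {
    Unprotect-FileBytes -Blob $blob -AttackerPrivateKey $onVictim | Out-Null
} catch {
    'Public key only: the per-file AES key cannot be unwrapped.'
}
# Guessing instead is no better: 2048-bit RSA offers roughly 112-bit security and the
# AES key is 256 bits, which is why the guide calls brute force "realistically not possible".

# With the attackers' private key the chain unwinds in two steps.
$recovered = Unprotect-FileBytes -Blob $blob -AttackerPrivateKey $attacker
[Encoding]::UTF8.GetString($recovered) -eq [Encoding]::UTF8.GetString($original)   # True
```

The same structure explains why decryptors written for other ransomware cannot help here: they rely on a flaw or a leaked key in that family's scheme, and nothing in the data left on the victim's machine lets a third party recompute this private key.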
How to generate a list of files that have been encrypted
If you wish to generate a list of files that have been encrypted, you can download this tool:
When you run this tool, it generates a log file listing all encrypted files and, once complete, opens that log in Notepad.
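The autostart keys and the HKCU\Software\CryptoLocker\Files key described above are enough to triage a machine without a third-party tool. The script below is an added example for this page, not the Bleeping Computer utility linked above: it flags the CryptoLocker value names (and Run entries pointing at an executable under %AppData%, the dropper pattern noted earlier) and writes the list of encrypted files to a log it then opens in Notepad, the same information the tool reports. One assumption is labelled in the code: some samples are believed to record '?' in place of '\' in the file-path value names, so the script maps '?' back, which is harmless because '?' cannot appear in a real path.

```powershell
# Added example, not the Bleeping Computer tool: check the autostart keys and the
# HKCU\Software\CryptoLocker\Files key described in this guide. Run it as the user who was
# logged on when the infection ran, because all of these keys live under HKEY_CURRENT_USER.

$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RegistryValues([string]$Key) {
    # Name/value pairs of a key, minus the provider metadata Get-ItemProperty adds.
    if (-not (Test-Path $Key)) { return }
    (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notin $psNoise } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Value = [string]$_.Value } }
}

function Find-CryptoLockerAutostart {
    # Flags the literal CryptoLocker / *CryptoLocker value names, plus any Run entry whose
    # command points at an .exe in %AppData% itself or one folder below it.
    $appData   = [regex]::Escape($env:APPDATA)
    $inAppData = "^`"?(?:$appData|%AppData%)\\[^\\`"]+(?:\\[^\\`"]+)?\.exe"
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        foreach ($v in Get-RegistryValues $key) {
            $reason = if ($v.Name -match '^\*?CryptoLocker$') { 'known CryptoLocker value name' }
                      elseif ($v.Value -match $inAppData)     { 'executable under %AppData%' }
            if ($reason) {
                [pscustomobject]@{ Key = $key; Name = $v.Name; Command = $v.Value; Reason = $reason }
            }
        }
    }
}

function Export-CryptoLockerFileList(
    [string]$LogPath = (Join-Path $env:USERPROFILE 'Desktop\CryptoLocker-files.txt')) {
    # The malware records one value per encrypted file; the value NAME is the file path.
    # Assumption (not stated in the guide): some samples store '?' where '\' belongs, so map
    # it back. '?' is illegal in Windows paths, so the replacement cannot corrupt a real one.
    $files = Get-RegistryValues 'HKCU:\Software\CryptoLocker\Files' |
        ForEach-Object { $_.Name -replace '\?', '\' } | Sort-Object
    if (-not $files) {
        Write-Warning 'HKCU\Software\CryptoLocker\Files not found: no encryption recorded for this user.'
        return
    }
    $files | Set-Content -Path $LogPath -Encoding UTF8
    "$($files.Count) encrypted file(s) listed in $LogPath"
    notepad.exe $LogPath
}

Find-CryptoLockerAutostart | Format-Table -AutoSize
Export-CryptoLockerFileList
```

Because every key involved is per-user, repeat the check in each profile that logged on while the machine was infected; a clean result for one user says nothing about the others.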
How to restore your encrypted files from Shadow Volume Copies
If System Restore is enabled on your computer, it is possible to restore previous versions of the encrypted files. These previous versions will not be encrypted, but they may not be the latest version of the file either. Please note that Shadow Volume Copies, and thus Previous Versions, are only available on Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.
To restore individual files, right-click the file, choose Properties, and open the Previous Versions tab. This tab lists every copy of the file held in a Shadow Volume Copy; select an earlier version and restore it.
Because of the number of files CryptoLocker encrypts, restoring them one by one is a time-consuming and arduous task. Instead you can use a program called Shadow Explorer to restore entire folders at once. Either the full installer or the portable version will do, as both provide the same functionality.
When you start the program you will be shown a screen listing all the drives and the dates on which a shadow copy was created. Select the drive and the date you wish to restore from.
To restore a whole folder, right-click the folder name and select Export. You will then be prompted for the location to which the folder's contents should be restored.
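The same folder-level restore can be done with tools already on the machine, which matters when you would rather not download and run anything else on a host that was just infected. The script below is an added example for this page, not part of the Bleeping Computer guide: it lists the shadow copies with vssadmin, exposes one read-only through a directory symlink, and copies a folder out with robocopy. It assumes the folder lived on the system drive and that the destination is on a drive the infection never reached; the example device path and folder names in the usage comments are placeholders.

```powershell
# Added example, not part of the Bleeping Computer guide (which uses Previous Versions and
# Shadow Explorer): the same restore with built-in tools, from an elevated prompt.
# Assumptions: the folder to recover lived on the system drive, and $Target is on a drive the
# infection never touched. Remove the infection first, or restored copies get encrypted again.

function Get-ShadowCopies {
    # Turn 'vssadmin list shadows' text into objects so the newest pre-infection copy is easy to pick.
    $created = ''; $volume = ''
    foreach ($line in (vssadmin list shadows)) {
        if     ($line -match 'creation time:\s*(.+)$')       { $created = $matches[1].Trim() }
        elseif ($line -match 'Original Volume:\s*\((\w:)\)')  { $volume  = $matches[1] }
        elseif ($line -match 'Shadow Copy Volume:\s*(\S+)')   {
            [pscustomobject]@{ Volume = $volume; Created = $created; Device = $matches[1] }
        }
    }
}

function Restore-FolderFromShadow {
    param(
        [Parameter(Mandatory)][string]$Device,  # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
        [Parameter(Mandatory)][string]$Folder,  # relative to the volume root, e.g. Users\bob\Documents
        [Parameter(Mandatory)][string]$Target   # destination folder; robocopy creates it if missing
    )
    $mount = Join-Path $env:SystemDrive 'ShadowMount'
    if (Test-Path $mount) { throw "$mount already exists; remove the stale link first" }
    # A directory symlink exposes the snapshot read-only; the trailing backslash is required.
    cmd /c mklink /d "$mount" "$Device\" | Out-Null
    try {
        $source = Join-Path $mount $Folder
        if (-not (Test-Path $source)) { throw "$Folder is not present in this snapshot" }
        # /E copies subfolders (including empty ones), /COPY:DAT keeps data, attributes and
        # timestamps, /R:1 /W:1 avoid long stalls, /XJ stays inside the snapshot, /NP trims output.
        robocopy $source $Target /E /COPY:DAT /R:1 /W:1 /XJ /NP
        if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }
    }
    finally {
        # rmdir on a directory symlink removes only the link; the snapshot itself is untouched.
        cmd /c rmdir "$mount" | Out-Null
    }
}

# 1. List the snapshots (vssadmin prints them oldest first) and note the newest one
#    dated before the infection.
Get-ShadowCopies | Format-Table -AutoSize
# 2. Export a whole folder from that snapshot, for example (placeholder paths):
# Restore-FolderFromShadow -Device '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3' `
#                          -Folder 'Users\bob\Documents' -Target 'E:\Restored\Documents'
```

As with Shadow Explorer, the copy you get is only as recent as the restore point it came from, so compare timestamps against the date the ransom note appeared before overwriting anything.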
The complete Bleeping Computer article is located here.
Information courtesy of MalwareBytes and Bleeping Computer