What is CryptoLocker?
CryptoLocker is a virus from the ransomware Trojan family, specialized in extortion. Alongside its other cousins (CryptoWall, TorrentLocker, TeslaCrypt), it targets mainly Windows computers via infected email attachments or, sometimes, even through the Gameover ZeuS botnet (if previously present on the user’s system). Once activated, the malware encrypts your files and sends you a digital ransom note. You could even go as far as calling it the mafia of cybersecurity. Imagine Al Pacino in the Godfather holding your data hostage and demanding payment in exchange for the decryption key.
The CryptoLocker ‘mafia’ first surged in September 2013, aiming at all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. Like any ‘criminal’ enterprise, it preys on users’ worst nightmare: losing their data forever. But what makes this virus so dangerous? As opposed to previous variants that only locked the operating system (leaving the data on it intact), CryptoLocker goes one step further by encrypting files with a key scheme (a mixture of RSA and AES) whose private key only the operators hold, making it virtually impossible for anyone other than the mastermind of the operation to retrieve the data.
At the end of the encryption process, the malware runs a payment program (‘blackmail’ is the more appropriate word here), demanding a certain sum by a certain date in exchange for decrypting the user’s files. If the conditions are not met, the encryption key is erased and the hostage situation quickly goes south. In other words, if there is no backup of the encrypted data, it is quite likely lost forever.
We should probably start by saying that the original CryptoLocker is no longer in circulation, thanks to Operation Tovar, conducted by the police in May 2014, when the Gameover ZeuS botnet was taken down. To do so, the police involved a security firm that created an online tool, based on the database of private keys employed by the malware, enabling users to recover their files for free. However, even with the head of the mafia taken out of the equation, there are many recent successors eager to take on the role. And no wonder: since the original CryptoLocker alone is believed to have extorted approximately $3 million over the course of its existence, many pretenders (often under the same name) attempt to follow in its footsteps.
The most recent example, and possibly the most publicized ransomware attack in North America, was recorded in Hollywood at the beginning of February, when hackers struck by shutting down the computer network of a Presbyterian Hospital. Cutting deep into the staff’s ability to treat patients, the malware took over the entire medical facility for a full two weeks, until finally a ransom of $16,900 was paid. This served as a grim reminder that CryptoLocker successors are on the rise.
Since the CryptoLocker payload usually hides in the attachment to a phishing message, common antiviruses have a hard time putting a stop to this infection (read our previous article here to see why). Other available solutions involve Software Restriction Policies or AppLocker (the upgraded version of SRP), which let administrators control or block executable files from running in the specific locations CryptoLocker launches from. Even so, these too have their limitations if users are given administrative rights over their own computers. This scenario is sometimes unavoidable, in which case both tools can easily be bypassed.
Window of opportunity
What to do if your computer is already infected with CryptoLocker? First of all, don’t panic. The good news is that there is a window of opportunity that you can take advantage of to, hopefully, put an end to the data hostage situation before it even begins.
When a user unknowingly launches the malware on their computer, it installs itself in the user directory and obtains the public key from its C&C server. CryptoLocker then begins encrypting the data stored locally or on shared network drives, generating a random symmetric key for each file it encrypts, all the while focusing on Office documents, photos, videos, anything that might be of value to the targeted user. It then encrypts each random key using an asymmetric public-private key algorithm (RSA) with keys of over 1024 bits, and appends it to the encrypted file.
It is at the beginning of this phase that Reveelium, our behavior analysis solution, can detect the weak signals coming from attempted connections to the malware control center. This gives users a brief window, before the encryption process completes, to act and remove CryptoLocker from their computer before it’s too late. Keep in mind, though, that once it is removed, the only way to restore your data is through Windows System Restore.
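To make that window of opportunity concrete, here is an added detection example (not Reveelium’s code, nor code from the original article): it correlates constructed Sysmon-style process-creation and network-connection events and flags a freshly started executable in a user-profile directory that contacts a non-allowlisted host shortly after launch. The path patterns, the allowlist and the 120-second window are assumptions.

```python
"""Flag early CryptoLocker-style behaviour: a freshly started executable living in a
user-profile directory that makes an outbound connection to an unknown host.
Event records below are constructed, Sysmon-like samples, not real telemetry."""
from datetime import datetime, timedelta
import re

# Launch locations matching the article's "installs itself in the user directory"
# (assumed patterns; adapt to the environment).
USER_DIR_PATTERNS = [
    re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I),
    re.compile(r"^C:\\Users\\[^\\]+\\(Downloads|Desktop)\\", re.I),
    re.compile(r"\\Temp\\", re.I),
]
# Hosts that user-land software is expected to talk to (assumed allowlist).
ALLOWLIST = {"update.example-corp.local", "mail.example-corp.local"}
WINDOW = timedelta(seconds=120)  # how soon after launch a beacon is suspicious

# Constructed events: (timestamp, event type, pid, detail)
SAMPLE_EVENTS = [
    ("2016-02-15 09:00:01", "process_create", 4120, r"C:\Users\alice\AppData\Roaming\Invoice_2016.pdf.exe"),
    ("2016-02-15 09:00:02", "process_create", 4130, r"C:\Program Files\Office\WINWORD.EXE"),
    ("2016-02-15 09:00:07", "network_connect", 4120, "ohzd7e3f.example-bad.test:443"),
    ("2016-02-15 09:00:30", "network_connect", 4130, "update.example-corp.local:443"),
    ("2016-02-15 09:03:00", "network_connect", 4120, "ohzd7e3f.example-bad.test:443"),  # outside window
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def detect_early_beacons(events, window=WINDOW, allowlist=ALLOWLIST):
    """Return (pid, image, host) for each new user-directory process that connects
    to a non-allowlisted host within `window` of its creation."""
    started = {}   # pid -> (start time, image path)
    alerts = []
    for ts, kind, pid, detail in sorted(events, key=lambda e: _parse(e[0])):
        when = _parse(ts)
        if kind == "process_create":
            started[pid] = (when, detail)
        elif kind == "network_connect" and pid in started:
            start, image = started[pid]
            host = detail.rsplit(":", 1)[0]
            from_user_dir = any(p.search(image) for p in USER_DIR_PATTERNS)
            if from_user_dir and host not in allowlist and when - start <= window:
                alerts.append((pid, image, host))
    return alerts

if __name__ == "__main__":
    for pid, image, host in detect_early_beacons(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={image} -> {host}")
```

The Word process is ignored because its image is outside the user profile and its destination is allowlisted; the second beacon from pid 4120 falls outside the window and is not re-alerted.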
Reveelium is a solution developed by ITrust with the aim of bridging the intelligence gap that antiviruses are confronted with, bringing detection times down from a typical 12 months to 1 week and reducing false positives by 95%. It can identify the symptoms of malicious behaviors through its automated anomaly detection system, built as a 3D technology comprising three components: (1) a weak signal detection engine, the result of extensive research into mathematical algorithms; (2) a correlation engine, based on the experience of system engineers and security consultants; (3) a global knowledge base, Reveelium’s experience repository, which collects, abstracts and shares the behaviors identified across Reveelium users.