Any one come up against cryptolocker yet?

[DataWreck]

Had a few calls from people who have been hit by the cryptolocker virus this weekend.

Any one have any intel on this horrible looking virus.

Only thing I can think is wont effect deleted data so maybe a chance to recover some older or temp files.

[LarrySabo]

The BleepingComputer FAQ is informative, but from what my colleagues on technibble.com have reported, only systems infected with earlier versions of CryptoLocker have files that can be recovered using "restore previous version" or ShadowExplorer. Disconnecting the infected PC from the internet stops the encryption process, which apparently starts with external and mapped drives first, then files on the host system. If the user doesn't have an offline backup or a cloud backup service that includes versioning, they're out of luck. I install CryptoPrevent and CryptoGuard on all my customers' computers when I service them, because most people are lax about making backups.

[craig6928]

we had issues with this but also fix them with no problem
as we dont want our system getting encrypted.

there is a program that is not for public use but mainly kept private.
in the scene

[HaQue]

we had issues with this but also fix them with no problem
as we dont want our system getting encrypted.

there is a program that is not for public use but mainly kept private.
in the scene

So you decrypted the 2048 bit encryption after a users files were encrypted? wow, well done.

if so, and I'm sceptical, why on earth would that information be kept private?

the phrase" as we don't want our systems getting infected"... does that mean you ran the public domain cryptolocker prevention software? as mentioned on Krebs's site?

[craig6928]

hello no i did not unencrypt the files a program does



it encrypt Documents and Settings if your still connected onto the net
but once the 72 hour up is

you loose your files for good they are destroyed.


go ahead be sceptical there is always away around these problems
you reverse engineer the coding.

the correct information is that it 256 bit AES key.

for it to work is that you need a public rsa key and the private rsa key
of the server which is live but switches domain some are fake and some are the real deal.


the only way to get infected is if the host computer is connected to the internet
this will download the virus then it encrypt the data right away.

try this download the exe file and go off the net but do not click on the file yet

disconnect from the internet net and click on the program

your see it wants to connect to dns domains automatic

now go into task management of windows and your see two processing running forget about cancelling these they just pop up again



most anti virus will pick this up and flag it

end of the day people should not click on any exe.files from emails



please come back when you know the solution

[craig6928]

we had issues with this but also fix them with no problem
as we dont want our system getting encrypted.

there is a program that is not for public use but mainly kept private.
in the scene

So you decrypted the 2048 bit encryption after a users files were encrypted? wow, well done.

if so, and I'm sceptical, why on earth would that information be kept private?

the phrase" as we don't want our systems getting infected"... does that mean you ran the public domain cryptolocker prevention software? as mentioned on Krebs's site?

if you dont want to get cryptolocker most anti virus will pick it up now

you can download software that will protect you and stop the program from starting up


all it does is encrypt the Documents/My Documents/ nothing else


encrypted:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx

anything in the my documents will be encrypted

but any other folders should be untouched.

[HaQue]

hello no i did not unencrypt the files a program does

it encrypt Documents and Settings if your still connected onto the net
but once the 72 hour up is

you loose your files for good they are destroyed.

ok, so did you(or a program) decrypt the files or are you saying you disconnected from the net, and then removed the virus? BTW you don't lose your files, they are not destroyed but rather just are still there encrypted with a key that is possibly deleted. In some cases the criminals give the victim more time to pay but increase the ransom.

go ahead be sceptical there is always away around these problems
you reverse engineer the coding.

The exact reason I am sceptical. I am quite comfortable reverse engineering, have done so for 20 odd years. Reverse engineering the code isn't going to help much as the algo's are known, but you need the key to decrypt. I have seen a disassembly of the malware, and an analysis. It is nothing special, but it is very nasty in what it does to the victim. I believe the criminals have painted a huge target on themselves doing this and will regret being so destructive. I hope they have bulletproof OpSec, better than the dreaded pirate Roberts, lol.

the correct information is that it 256 bit AES key.

for it to work is that you need a public rsa key and the private rsa key
of the server which is live but switches domain some are fake and some are the real deal.

the only way to get infected is if the host computer is connected to the internet
this will download the virus then it encrypt the data right away.

try this download the exe file and go off the net but do not click on the file yet

disconnect from the internet net and click on the program your see it wants to connect to dns domains automatic

now go into task management of windows and your see two processing running forget about cancelling these they just pop up again

most anti virus will pick this up and flag it

end of the day people should not click on any exe.files from emails

please come back when you know the solution

The files are encrypted with a 256bit AES key. That key is encrypted with 2048bit RSA key pair and the bit I am sceptical about is that

we had issues with this but also fix them with no problem
as we dont want our system getting encrypted.

there is a program that is not for public use but mainly kept private.
in the scene

sounded like you had a solution for people that did not pay and had files encrypted, that's all..

yes most AV will flag known variants of it, but it is still being developed so don't get complacent. The mitigation for it in future versions might not be so easy in later versions

yes people should not click things, but that's always going to happen.

I bet if I posted a PDF on here saying how I found this great internal document from Seagate about hidden commands, 90% would not scan it in any way. the criminals spend a lot of time targeting people and I don't see a change coming anytime soon.

And not all malware infections are done by clicking.

Spildit, the malware has domain generating technology. work has been done to figure out the generating routine but it isn't realistic to block them. It also creates dummy, decoy or unused domains and if one domain goes down it tries generating others

BTW Craig, it does not only do the my docs folder, As soon as the infection specific RSA key has been obtained, the malware will look for files to encrypt. It does so by searching through all connected drives, including mapped network shares, for files matching one of the extension patterns.

[craig6928]

point out not the new version of cryptolocker the older version

the new version is more harder to crack

i got some source code of a program that just works like it
all someone has to do is add the dsn servers.

there diffrent version about there so everyone has to be careful

[HaQue]

ok, but what are you going to do when CL generates 100,000 domain names?

[bcometa]

Finally got our first cryptolockered drive in today. The price is now $1000USD because customer didn't pay in time!

Attachments

[thatdellguy]

Maybe the customer thought $300 was better than $1000.

[fzabkar]

Why would it not be possible for the authorities or ISPs to lock down the Command and Control Server(s) and retrieve the stored public keys?

I notice that the crooks are demanding either EUR1000 or USD1000 as payment. I wonder if any of their victims have paid the ransom in Euros?

[HaQue]

Why would it not be possible for the authorities or ISPs to lock down the Command and Control Server(s) and retrieve the stored public keys?

I notice that the crooks are demanding either EUR1000 or USD1000 as payment. I wonder if any of their victims have paid the ransom in Euros?

Because alot of the C&C servers are on compromised machines. as silly as it sounds, you cant just go and mess with someones server. even if it known to be compromised.

Same as sending a known "kill" command to a botnet, no matter how "safe" it may be know to be, you cannot run code on someone elses machine with jumping through some massive proverbial hoops. Think C&C servers on healthcare servers, critical infrastructure etc.

Then there is the Logistics. there are literally Thousands of unique malware doing this, with varying methods/key locations/encrypted traffic between victim and C&C each needs to be researched.

some of the malware indeed stores the keys on a C&C, some store it in the windows registry(LOL!), some dont really store it at all. Different encryption schemes, different levels of implementation /coding skill..

but you also don't really hear about it, but there are a LOT of resources poured into tackling this issue, many smart people are reverse engineering each variant, but there are a LOT of them.

some of the malware can use thousands of domains to iterate through and create C&C servers, some also dont ever communicate victim->C&C directly. C&C posts to youtube/twitter/facebook etc and Victim monitors said services for triggers/ C&C codes.

Microsoft and the govt have actually shut a few botnets down, but it is a long process getting everything sorted to be able to shut it down, and really it is like peeing in the wind.

also remember the powers of good have to tackle every other type of malware as well, and there are only so many people inthe world able to tackle this crapola effectively.

Yes it really is all doom and gloom.

[fzabkar]

I notice that bcometa's victim is being sent to 24.43.128.186.

That IP address appears to belong to Time Warner Cable Internet. Would that be where the encryption keys are stored? Or is that just an intermediate address that handles the processing of the ransom payment?

[HaQue]

Franc, that address is the victims IP address. The victim appears to be a customer of TWCI, it is their modems dynamically assigned IP.

as for where the keys are stored - think of every possible scenario, keys are gone, keys are on victim PC, Keys are on C&C server, Keys are on external db from C&C etc.. and the answer will be yes for a subset of the cryptolocker family of malware.

Craig aluded that there was an old version and now a new version. This is incorrect. here are many different types of old versions, many new versions and copycat malware that implement their crap wrong. No garauntee that after payment files will be decrypted.

BTW, this malware is cryptowall not cryptolocker. It is a new variant of CryptoDefense.

http://www.bleepingcomputer.com/forums/t/532879/cryptowall-new-variant-of-cryptodefense/

These guys must be PISSED!
https://www.compumatica.eu/cms/data/index.php?id=25

[bcometa]

I believe that is the ip where the virus was initiated, i.e., the victims ip address at the time.

[HaQue]

Do you follow the Security Now podcast ?

No I follow real InfoSec podcasts.. going down my iPhone list: (yes I have listened to nearly all to date) in no particular order
Defensive Security
Risky Business
Southern Fried Security Podcast
Pauls Security Weekly
Exotic Liability, if it ever gets another ep..
ContraRisk
Crypto-Gram
OWASP 24/7
Sophos Security Chet Chat
Network Security Podcast
The Loopcast
SpiderLabs Radio
Liquid Matrix Security Digest
Data Breach Today
DiscussIT
RB2 - Risky Business 2
Down the Security Rabbithole
GrumpySec Podcast
Chaos Computer Club Recent Events Feed
The CyberJungle
The Digital Underground Podcast
Eurotrash security
Forensic forecast
The malware Report
Security Weekly TV
SecuraBit
Security Wire Weekly
The Social Engineering Podcast
TechGrumps