The Cryptolocker

The Cryptolocker Ransomware (as well known as Crilock) intrusions are becoming Polycephaly, and so far there is a Antivirusvendor (AVV) counting more than 12.000 infections in the United States alone.

The Nasty piece of Malware, which encrypts your files (mainly .DOC files, pictures as well as AutoCAD-Files) when infected, requires thereafter a Ransom for decryption, up to 300 USD (in bitcoins) and more. Time available you have left to pay: up to between 3 days and 100 hours. Some may say that the genuine thoughts (targets) of those developers of Cryptolocker were, or, could have been the clientele of the ongoing Expansion of World-Wide-Web-Communities of Pedophiles, in fearness of getting "outed" !

The United Kingdom alone was spammed with several millions of malicious e-mails. This went so far (as it looked like a Campaign), that the National Cyber Crime Unit (NCCU), a sub-organization of the
National Crime Agency (NCA) (sounds a bit like NSA), had to give out an Alert on
November 15th 2013.

"The NCA's National Cyber Crime Unit are aware of a mass email spamming event that is ongoing, where people are receiving emails that appear to be from banks and other financial institutions.

The emails may be sent out to tens of millions of UK customers, but appear to be targeting small and medium businesses in particular. This spamming event is assessed as a significant risk.

The emails carry an attachment that appears to be correspondence linked to the email message (for example, a voicemail, fax, details of a suspicious transaction or invoices for payment). This file is in fact a malware that can install Cryptolocker – which is a piece of ransomware

Cryptolocker works by encrypting the user’s files on the infected machine and the local network it is attached to.

Once encrypted, the computer will display a splash screen with a count down timer and a demand for the payment of 2 Bitcoins in ransom (Approx £536 as at 15/11/2013) for the decryption key.

The NCA would never endorse the payment of a ransom to criminals and there is no guarantee that they would honour the payments in any event.

Lee Miles, Deputy Head of the NCCU says "The NCA are actively pursuing organised crime groups committing this type of crime. We are working in cooperation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public."

An NCCU investigation is ongoing to identify the source of the email addresses used. Anyone who is infected with this malware should report it via Action Fraud

Sound advice can be found at GetSafeOnline

Advice: This is a case where prevention is better than cure.

• The public should be aware not to click on any such attachment.
• Antivirus software should be updated, as should operating systems.
• User created files should be backed up routinely and preserved off the network.
• Where a computer becomes infected it should be disconnected from the network, and professional assistance should be sought to clean the computer.
• Various antivirus companies offer remedial software solutions (though they will not restore encrypted files)."

Researchers of Bitdefender Labs revealed that a bit more than 12.000 victims were affected during a one-week period at the end of October. “CryptoLocker servers are changed very often (it is seldom that a CnC-Botserver remains online for more than a week), however, once it has been Reverse engineered, Security Researchers can pre-analyse the relevant domains and count connection attempts.” according to a Bitdefender Post last November.

BitDefender used the DNS-Sinkholes and studied that the quantity of those connections could get traced back to IPs in the United States. Quote from that Post:

"In fact, judging by the distribution of infected hosts and the payment methods available, it would seem that only systems in the US are targeted, with the rest being collateral damage."

First appeared, Cryptolocker came into nature as a out of "the wild"-Trojan, spreading through fake emails. It penetrates then encrypted files on the user's CPU and any profiled network drive(s). Once you are padlocked, it demands you for a MoneyPak or Bitcoin payment within three days (or up to 100 hours). Further on, (if) you pay the Ransom, you will receive a key that unlocks your encrypted files.

In the very first period, the Unlock-key was destroyed 72 hours after infection, so you could forget your files for good, locking them permanently. After the Attackers found out, they may gain more money with a lucrative Scheme in giving you a "Last Chance", they rewrote CryptoLocker around beginning of November 2013, to allow the recovery of your files, beyond the designated time at a higher Ransom of Bitcoins.

According to Microsoft, Crilock affected about 34.000 machines between September and early November 2013. By today, the Malware changed to
CnC-Hosts in Countrys like Russia, Germany, Kazakhstan and Ukraine and the Ware is still spreading...

Map showing the first Rampage of Cryptolocker (Pict. by BitDefender)

Further interesting Articles about Cryptolocker:

• Cryptolocker Wants Your Money! by Costin Raiu, Kaspersky Lab Expert @ SECURELIST
• New Malware Holds Computers For Ransom by Ryan W. Neal, IBT
• We're making TOO MUCH CASH, say CryptoLocker scum in ransom price cut, The Register
• US-Cert Alert Alert (TA13-309A)

"US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments."