CryptoLocker Ransomware

Corrine (Administrator, Microsoft MVP, Security Analyst; Staff member; Joined Feb 22, 2012; Posts 12,393; Location Upstate, NY)
To put it simply, CryptoLocker encrypts the files on the computer and holds them for ransom. There is only one private key available to unencrypt the public key and it is stored on a secret server with a time bomb set to destroy the key if the ransom isn't paid by the deadline. Depending on the version, the ransom is $100 to $300 with a deadline for payment of between ~72 to 100 hours.

Additional information and references are available in my blog post, CryptoLocker Ransomware.
 
Grinler's guide has been updated with new information. Of particular interest is the information about CryptoPrevent. CryptoPrevent is a free utility by FoolishIT LLC that automatically adds the suggested Software Restriction Policy Path Rules (listed in the guide) to your computer. The added Software Restriction Policies are to prevent CryptoLocker and Zbot from being executed in the first place.
 
Update: CryptoLocker guide updated to fix issues with %Temp% SRP rules and info on known bitcoin payment wallet addresses.
 
Interesting development: DNS Sinkhole campaign underway for CryptoLocker - News
A DNS sinkhole campaign is underway and in high gear to block computers infected with CryptoLocker from reaching the malware's Command & Control servers. A DNS sinkhole is a method used by security researchers to monitor Botnets and to block communication between an infected computer and its Command & Control server.

There are a couple of issues with the sinkhole. First, of course, would be those caught in the middle having paid the $300 ransom but still waiting for the key to decrypt their files. Another is that CryptoLocker will merely move on to another domain that isn't in the sinkhole.

At this time, it is unknown who is responsible for setting up the sinkhole.
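As an added illustration of the sinkhole mechanism described above (example code written for this thread, not part of any post or of the sinkhole campaign itself): a toy resolver that answers queries for known Command & Control domains with a researcher-controlled address, records which client asked, and passes every other name through unchanged. All domain names and addresses are constructed for the example, and the "upstream" table stands in for a real resolver. It also shows the second limitation raised in the post: a domain that is not yet on the list resolves normally until someone adds it.

```python
"""Toy DNS sinkhole model.

Illustrates (1) how a sinkhole cuts an infected host off from known C2
domains while giving defenders visibility into who queried them, and
(2) why it stops working as soon as the malware moves to a domain that
is not on the sinkhole list. Every name and address below is constructed
for this example; none is real CryptoLocker infrastructure.
"""

from dataclasses import dataclass, field
from typing import Optional

# RFC 5737 TEST-NET address standing in for the sinkhole server.
SINKHOLE_IP = "192.0.2.1"

# Constructed stand-in for a public resolver's answers (not real records).
UPSTREAM = {
    "c2-domain-a.example": "203.0.113.10",
    "c2-domain-b.example": "203.0.113.11",
    "new-c2-domain.example": "203.0.113.12",   # the domain the malware moves to
    "legit-site.example": "198.51.100.5",
}


@dataclass
class Sinkhole:
    sinkholed: set                                  # domains redirected to the sink
    log: list = field(default_factory=list)         # (client_ip, name) for sinkhole hits

    def resolve(self, client_ip: str, name: str) -> Optional[str]:
        """Answer a query; sinkholed names get the sink address and are logged."""
        name = name.rstrip(".").lower()
        if name in self.sinkholed:
            self.log.append((client_ip, name))      # victim visibility for researchers
            return SINKHOLE_IP
        return UPSTREAM.get(name)                   # normal answer (None = NXDOMAIN)

    def add(self, name: str) -> None:
        """Extend the list once a new C2 domain is identified."""
        self.sinkholed.add(name.rstrip(".").lower())

    def infected_hosts(self) -> list:
        """Distinct clients that tried to reach a sinkholed domain."""
        return sorted({ip for ip, _ in self.log})


def run_scenario() -> dict:
    """Two infected hosts (constructed addresses) and one clean host query the resolver."""
    sink = Sinkhole(sinkholed={"c2-domain-a.example", "c2-domain-b.example"})
    results = {
        "victim1_known_c2": sink.resolve("10.0.0.5", "c2-domain-a.example"),
        "victim2_known_c2": sink.resolve("10.0.0.6", "c2-domain-b.example."),
        "clean_host_normal": sink.resolve("10.0.0.9", "legit-site.example"),
        # Malware rotates to a domain nobody has sinkholed yet: it gets through.
        "victim1_new_c2_before": sink.resolve("10.0.0.5", "new-c2-domain.example"),
    }
    sink.add("new-c2-domain.example")
    results["victim1_new_c2_after"] = sink.resolve("10.0.0.5", "new-c2-domain.example")
    results["infected"] = sink.infected_hosts()
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The logged (client, domain) pairs are the data a sinkhole operator uses to count and notify victims; the `new_c2_before` result is the gap the post points out, since a sinkhole only covers domains someone has already taken over.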
 
It certainly would be good to see an end to this.

The past few weeks have seen the ransomware CryptoLocker emerge as a significant threat for many users. Our monitoring of this threat has revealed details on how it spreads, specifically its connection to spam and ZeuS. However, it looks like there is more to the emergence of this threat than initially discovered.

We have identified one possible factor in this growth: the arrest of Paunch, the creator of the Blackhole Exploit Kit. Paunch’s arrest led to a significant reduction in spam campaigns using exploit kits. Clearly, this caused a vacuum in the spam-sending world – spammers would not all of a sudden stop sending spam. So they would need to send something out; what would this be?

More at CryptoLocker Emergence Connected to Blackhole Exploit Kit Arrest | Security Intelligence Blog | Trend Micro
 