
Cryptolocker Hijack program


3152 replies to this topic

#376 mattysyr


Posted 23 September 2013 - 11:14 AM

It's been a few days since one PC on my network had Cryptolocker. So far the affected files on the network are restored from the backup (and it took the two tapes from the days before we were hit out of rotation). I left the PC that was infected running disconnected from the network, and the cryptolocker program is gone. I downloaded the shadow explorer, and was able to restore the user files from the last backup before infection. I have been reviewing the Kaspersky logs on the mail server, and found the message that caused the issue (and the new messages being deleted by kaspersky).

Can you share the text of the email?





#377 ElysiumUS


Posted 23 September 2013 - 11:50 AM

I want to see if this is a correlation with anyone else.  My two victims (independent clients) had the Sexy/Porn.exe/x.mpeg hiding files via attribute change worm.  I'm interested if others were in the same boat?



#378 mattysyr


Posted 23 September 2013 - 11:52 AM

I want to see if this is a correlation with anyone else.  My two victims (independent clients) had the Sexy/Porn.exe/x.mpeg hiding files via attribute change worm.  I'm interested if others were in the same boat?

Yes, exact same payload.



#379 toubis


Posted 23 September 2013 - 11:54 AM

I want to see if this is a correlation with anyone else.  My two victims (independent clients) had the Sexy/Porn.exe/x.mpeg hiding files via attribute change worm.  I'm interested if others were in the same boat?

Same here, but it was on a shared folder the user does not access.



#380 Grinler


Posted 23 September 2013 - 03:30 PM

This post is designed to be repository of all current knowledge regarding the Cryptolocker infection. A link to this post will be added to the first post of this topic so that new visitors do not have to read the entire topic to get all of the current information.


How did you become infected by CryptoLocker

CryptoLocker currently has the following infection vectors:
  • This infection was originally spread via emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails would contain an attachment that when opened would infect the computer.
  • Currently dropped by Zbot infections disguised as PDF attachments
  • Via exploit kits located on hacked web sites that exploit vulnerabilities on your computer to install the infection.
  • Through Trojans that pretend to be programs required to view online videos. These are typically encountered through Porn sites.
What happens when you become infected with CryptoLocker

The CryptoLocker infection will install itself into the root of the %AppData% folder as a random filename. It will then create an autostart in the following keys and values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
Please note that the * in front of the RunOnce value causes CryptoLocker to start in Safe Mode.

If you find another infection starting from the above registry keys with a random value name and a path %AppData%\random\random.exe, then that is probably the Zbot dropper. More info about that infection can be found in a different section below.

Once the infection is active on your computer it will scan your drives (local & network) and encrypt the following types of files with a mix of RSA & AES encryption: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

For each file that is encrypted, a resulting registry value will be created under this key: HKCU\Software\CryptoLocker\Files

After a while, typically as long as it takes to encrypt the detected data files, you will be shown a screen titled CryptoLocker that contains a ransom note on how to decrypt your files. Depending on the version of Cryptolocker that is installed, the ransom may be for $100 or $300 USD/EUR. This payment can be made via Bitcoin, MoneyPak, Ukash, or cashU. You will also be shown a countdown that states that you need to pay the ransom within 72 hours. Failure to do so will cause the decryption tool to be deleted from your computer.

More detailed information about what this infection does when run can be found in this post by Fabian Wosar of Emsisoft.


Are there any tools that can be used to decrypt the encrypted files?

Unfortunately at this time there is no way to retrieve the key used to encrypt your files. Brute forcing the encryption key is realistically not possible due to the length of time required to break the key. Any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup, or if you have System Restore, through the Shadow Volume copies that are created every time a system restore is performed. More information about how to restore your files via Shadow Volume Copies can be found in the next section.

If you do not have System Restore enabled on your computer or reliable backups, then you will need to pay the ransom in order to get your files back. Please note that there have been cases when people have paid the ransom and the decryption did not work for whatever reason. Furthermore, if you do not pay the ransom within the allotted time, the Cryptolocker decryption tool will be removed from your system and make it much more difficult, if not impossible, to restore your files.


How to generate a list of files that have been encrypted

If you wish to generate a list of files that have been encrypted, you can download this tool:

http://download.bleepingcomputer.com/grinler/ListCrilock.exe

When you run this tool it will generate a log file that contains a list of all encrypted files. Once it has completed it will automatically open this log in Notepad.


How to restore your encrypted files from Shadow Volume Copies

If System Restore is enabled on your computer, then it is possible to restore previous versions of the encrypted files. Though these previous versions will not be encrypted, they may also not be the latest version of the file. Please note that Shadow Volume Copies, and thus Previous Versions, are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.

To restore individual files you can right click on the file and select the Previous Versions tab. This tab will list all copies of this file that have been stored in a Shadow Volume Copy. You can then select an earlier version and restore it.

Due to the amount of files encrypted by Cryptolocker, restoring them one-by-one can be a time consuming and arduous task. Instead you can use a program called Shadow Explorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.

When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.

[image: shadow-explorer.jpg]

To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.


Information about other malware that is being installed with Cryptolocker.

When CryptoLocker was first released, it was being distributed by itself. Newer malware attachments appear to be droppers that install other malware as well. The most common malware that is being distributed with CryptoLocker appears to be Zbot. You will know you are infected with Zbot as there will be a registry key in the form of:

HKCU\Software\Microsoft\<random>

Under these keys you will see Value names and their data with what appears at first to be garbage data (encrypted info). The droppers will also be found in the %Temp% folder and the main executable will be stored in a random folder under %AppData%. Last but not least, a startup will be created under HKCU\Software\Microsoft\Windows\Currentversion\Run to launch it.


How to determine which computer is infected with CryptoLocker on a network

On a large network, determining the computer that is infected with CryptoLocker can be difficult. Some infected users have reported that encrypted files will have their ownership changed to the user that the CryptoLocker program is running under. You can then use this login name to determine the infected computer.

You can also examine your network switches and look for the ports that have lights that are continuously blinking or show very heavy traffic. You can then use this to further narrow down what computers may be infected.


How to block this infection from running on other computers on your network.

You can use Software Restriction Policies to block executables from running when they are located in the %AppData% folder, or any other folder, which this thing launches from. See these articles from MS:

http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx

This can also be set up in group policy :)

File paths of the infection are:

C:\Users\User\AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe (Vista/7/8)
C:\Documents and Settings\User\Application Data\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe

So the path rule you want to set up is:

Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData.

With the bundling of Zbot with Cryptolocker, it is now also recommended that you create a rule to block executables running from a subfolder of %AppData%. This can be done with this path rule:

Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from immediate subfolders of AppData.

You can see an alert and event log showing an executable being blocked:

[image: 133-software-restriction-log.jpg]

[image: software-restriction-alert.jpg]

If you need help configuring this, let me know.

Edited by Grinler, 15 October 2013 - 12:41 PM.
Updated with new info
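The autostart values, the per-file registry key and the file-ownership tip from the overview post above can be checked with one read-only PowerShell triage script. This is an added example, not code from Grinler's post or from BleepingComputer; `$SharePath` is a placeholder, and step 3 assumes, as the post does, that encrypted files take the ownership of the account CryptoLocker ran under.

```powershell
# Added example: read-only triage of the CryptoLocker indicators listed in the overview post.
# Assumptions: run inside the suspected user's session for the HKCU checks;
# $SharePath is a placeholder for the share whose encrypted files you want to attribute.
param(
    [string]$SharePath     = '\\FILESERVER\Share',   # placeholder, replace with a real share
    [int]   $LookbackHours = 24                       # window in which the encryption happened
)

# 1. Autostart values: the post reports a Run value "CryptoLocker" and a RunOnce value
#    "*CryptoLocker" (the leading * makes the entry run in Safe Mode as well).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $data = $item.GetValue($name)
        # Flag the known value name, and any autostart pointing straight into %AppData%\Roaming,
        # which the post identifies as the CryptoLocker / Zbot drop location.
        if ($name -like '*CryptoLocker*' -or $data -match '\\AppData\\Roaming\\[^\\]+\.exe') {
            Write-Output ("[autostart] {0} : {1} = {2}" -f $key, $name, $data)
        }
    }
}

# 2. The post says each encrypted file gets a value under HKCU\Software\CryptoLocker\Files;
#    the number of values is a quick estimate of the damage on this machine.
$filesKey = 'HKCU:\Software\CryptoLocker\Files'
if (Test-Path $filesKey) {
    $n = (Get-Item $filesKey).GetValueNames().Count
    Write-Output ("[files-key] {0} encrypted files recorded under {1}" -f $n, $filesKey)
}

# 3. Attribute recently modified files on a share to their owner. Per the post, encrypted
#    files may be owned by the account CryptoLocker ran under, so the owner with the most
#    recent writes points at the infected session.
if (Test-Path $SharePath) {
    $since = (Get-Date).AddHours(-$LookbackHours)
    Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            try { (Get-Acl -LiteralPath $_.FullName).Owner } catch { 'UNKNOWN' }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Owner'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
}
```

Run it from the console of the machine you suspect; it changes nothing, so it is safe to use before you pull the machine off the network and restore from backup or Shadow Volume Copies.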


#381 Grinler


Posted 23 September 2013 - 03:32 PM

If there is anything that I missed for the overview post above, please let me know so I can add it.

#382 tuscani


Posted 24 September 2013 - 03:04 PM

Craziness.. we deployed the SRP rules today blocking:

%AppData%\*.exe
%AppData%\*\*.exe

My concern is, has anyone run into issues with legitimate applications needing to run within AppData?



#383 Elise


Posted 24 September 2013 - 03:18 PM

My concern is, has anyone run into issues with legitimate applications needing to run within AppData?

While there might be some applications that maybe could use it, off hand I can't think of anything. Any self-respecting software developer using settings/data in the user profile usually ensures a designated subfolder is created.


regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."




#384 tuscani


Posted 24 September 2013 - 03:38 PM

My concern is, has anyone run into issues with legitimate applications needing to run within AppData?

While there might be some applications that maybe could use it, off hand I can't think of anything. Any self-respecting software developer using settings/data in the user profile usually ensures a designated subfolder is created.

yeah that was my thought.. not worth the risk. :)



#385 n3mo


Posted 24 September 2013 - 08:00 PM

Serious Question:

So for those of you who actually paid the $100/$300 for the decryption key, do you actually have the key? Will that key work for everyone who's infected by this? I would assume it is the same encryption because there's 1 virus file going around.

Rants:

Who invented this type of encryption in the first place? They should be able to break it. NSA or FBI should be able to as I'm sure they have tools unknown to anyone outside that can do it easily with a click.

I've tried re-installing the ransomware, it does not re-infect and at this point I wouldn't even bother paying it cause I see some users have paid it and the encryption does not even work. I refuse to sit around for a trillion years and believe my excel/dbf files are forever locked up. Those are needed for work and I'm getting sick and tired of waiting for someone to break this thing.



#386 pcrx9000


Posted 24 September 2013 - 10:53 PM

Does anyone have the code for this? I did a clean up today and permanently deleted all of the executables before realizing what it was. I did note that the code can be captured using wireshark in the initial infection. So anyone using packet capturing software, you will be able to initiate the decryption yourself with the private key. What I don't understand is that the key is handed off during the infection, but I can not find where it embeds in the program.



#387 Elise


Posted 25 September 2013 - 02:43 AM

The key is saved on a remote server. This key is required to get all keys used to encrypt individual files. In other words, each key is different and there is no way you can break this.

 

As stated also elsewhere in this topic your only choices are using ShadowExplorer or similar to try to retrieve a copy of the file before it was encrypted or using a backup.


regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."




#388 quietman7


Posted 25 September 2013 - 08:12 AM

Who invented this type of encryption in the first place?

Who Writes Malicious Programs and Why? Hackers and malware writers come from different age groups, backgrounds, countries, education and skill levels...with varying motivations and intents. Below are a few articles which attempt to explain who these individuals are and why they do what they do.

Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#389 pcrx9000


Posted 25 September 2013 - 08:52 AM

The key is saved on a remote server. This key is required to get all keys used to encrypt individual files. In other words, each key is different and there is no way you can break this.

As stated also elsewhere in this topic your only choices are using ShadowExplorer or similar to try to retrieve a copy of the file before it was encrypted or using a backup.

My syntax was sloppy. I need the executable. The private key actually does get transferred at the time of infection and can be captured using wireshark, but of course how many of our customers are running packet sniffing utilities. My question is, if it is captured and seen with wireshark, where is it embedded on the infected machine?



#390 EagleComputerRepair


Posted 25 September 2013 - 09:59 AM

Who invented this type of encryption in the first place?

Who Writes Malicious Programs and Why? Hackers and malware writers come from different age groups, backgrounds, countries, education and skill levels...with varying motivations and intents. Below are a few articles which attempt to explain who these individuals are and why they do what they do.

I think he was asking about encryption itself rather than malicious use of encryption. Basic overly simplified explanation of encryption and why it is used. Think of the purpose of encryption as like a safe with a programmable combination. Yes the encryption is of key importance for secure transfer of information. The way everything transfers across the internet, imagine that as being like sending it through snail mail... only in a world in which every postman on earth has the magical power to duplicate anything he touches, leaving no way to know if the original has been touched.

 

Encryption is designed like a safe more or less. Anyone can use encryption, and it is very difficult to open without the key. Different types require different levels of expertise. But due to the rapid spreading nature of expertise (i.e. once one person knows how, he could write a tool and everyone on earth would know it, rendering the entire system null), all in all, since the bad guys have access to more or less the same technology as the good guys, the world had to err on designing encryption strong enough that no known person can break it; the only other option was to automatically assume all information on any online transfer has been spied upon.

 

Could it have been designed with say a "master key" that would allow the author of encryption to break it, not really. Ignoring that would create a single point of failure, an encryption standard with that weakness would never be adopted. Could you safely grant someone the power to see every bit of information that travels on the internet, as well as the ability to share that power with anyone, and safely say "oh yeah he would never misuse that".

 

Now is it possible the NSA or some group has actually figured out a weakness in this encryption? Absolutely possible, but it wouldn't be in their interest to admit they do. The assumption that no one has it, is what allows online sales to exist. If that assumption collapsed, the damage would be far worse than a few million people losing their data on the economic side, which isn't their concern at all anyway... the NSA is a spy organization. Just like it isn't their job to say, forward someone's phone records to help exonerate him in a murder trial, they wouldn't give up their edge over other countries just to help virus victims.


