Original Cryptolocker Ransomware Support and Help Topic


3452 replies to this topic

#391 iladelf

Posted 25 September 2013 - 11:03 AM

Hello everyone,

 

Is there any way to set up the Software Restrictions mentioned by Grinler on XP machines that DON'T have the Group Policy editor? I'm guessing through the registry, but would be unsure how to implement.





#392 ripitone

Posted 25 September 2013 - 12:02 PM

Not sure if anyone can use this, but I paid the ransom and pulled the registry while it was decrypting. I pulled the file list out as this was a 750G drive that was full. However, both the public and private keys are there! Hope it helps someone with decrypting without paying.

 

[HKEY_CURRENT_USER\Software\CryptoLocker]
"VersionInfo"=hex:2a,30,9c,81,00,95,dc,d3,86,fa,d8,d3,f4,5f,eb,f9,c3,4a,e8,f6,\
  c8,46,eb,f4,c5,1d,f2,e4,da,33,ee,e6,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,b0,e5,63,ab,b3,c8,71,\
  f1,e9,9d,6b,de,d3,c8,46,d6,c5,e3,5d,a9,b2,ef,63,fd,f0,e3,05,f5,cc,fc,40,ec,\
  c2,c6,33,d1,81,c1,33,f2,81,cb,33,e5,81,fe,33,fd,81,c5,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,a8,81,96,33,a5,81,98,\
  33,aa,81,99,33,aa,81,9f,33,af,81,9c,33,a5,81,97,33,ad,81,9d,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,\
  9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,\
  81,9d,33,ac,81,9e,33,bc,81,fb,33,cf,81,ea,33,9c,81,ae,33,9c,81,ae,33,9c,81,\
  ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,33,9c,81,ae,\
  33,9c,81,ae,33,9c,81,ae,33,9c,81,96,02,aa,b5,cd,0b,a8,e4,97,02,fd,e4,9b,57,\
  ae,b2,98,56,fd,b9,96,52,ff,e0,cf,0b,f8,b6,cf,51,aa,b6,9a,06,a9,e5,cf,55,ac,\
  b7,ae,33,9c,81
"PublicKey"=hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00,00,01,00,01,00,63,\
  19,ab,b9,e8,c1,02,4b,42,7e,c7,8f,c7,91,38,1e,75,51,97,1b,5f,3f,3e,2b,ad,ca,\
  38,83,62,e2,e2,09,00,63,c3,a7,42,43,ff,a5,67,fb,de,99,19,e4,dc,ce,94,5f,1c,\
  05,34,d1,ca,23,b7,6e,34,f3,99,b4,e1,fe,f3,42,f0,41,30,3c,87,1f,de,98,0a,98,\
  62,09,64,d1,65,db,cc,0b,f8,a9,e8,a9,a5,12,9b,cd,b6,34,db,02,11,72,e8,57,37,\
  6c,28,7d,5f,6b,85,77,bb,40,0f,c8,f7,70,64,5a,36,49,81,25,bf,a4,74,67,57,7e,\
  ea,ab,6b,f7,48,95,2d,b3,61,6f,a1,5a,bd,78,df,eb,60,b2,57,c1,02,b4,de,3f,ff,\
  11,f8,74,41,9f,7d,bc,14,74,b4,8d,9f,42,33,5f,48,d1,be,9b,7c,0c,0a,7d,5b,e7,\
  f6,9e,b0,58,c3,e0,9d,d4,c5,21,61,68,c7,e9,47,7e,a1,06,2f,df,c3,7f,30,86,a4,\
  dd,16,48,48,38,30,1a,23,02,d9,8e,3d,82,7a,6e,90,da,8e,12,e3,df,46,54,78,4b,\
  00,2e,18,1f,be,af,97,9c,b0,c5,a7,a1,8c,ef,1c,c1,25,e5,03,0e,51,8e,e3,77,af,\
  18,f2,96,d2,d0
"Wallpaper"=hex:43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,67,00,68,\
  00,65,00,72,00,6e,00,62,00,6c,00,6f,00,6d,00,5c,00,41,00,70,00,70,00,44,00,\
  61,00,74,00,61,00,5c,00,52,00,6f,00,61,00,6d,00,69,00,6e,00,67,00,5c,00,4d,\
  00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,69,00,6e,00,\
  64,00,6f,00,77,00,73,00,5c,00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,54,\
  00,72,00,61,00,6e,00,73,00,63,00,6f,00,64,00,65,00,64,00,57,00,61,00,6c,00,\
  6c,00,70,00,61,00,70,00,65,00,72,00,2e,00,6a,00,70,00,67,00,00,00,00,01,2a,\
  2a,2a,2a,10,00,00,1a,2a,2a,2a,29,00,00,00,1a,2a,2a,2a,29,00,00,00,01,2a,2a,\
  2a,2a,2a,2a,2a,2a,2a,2a,2a,10,00,00,00,00,02,2a,2a,2a,2a,2a,2a,2a,2a,2a,20,\
  00,00,00,00,00,00,00,06,2a,2a,2a,2a,2a,24,00,00,00,00,00,00,00,01,ff,ff,ff,\
  ff,e0,00,00,00,00,00,0f,ff,ff,ff,ff,ff,ff,fc,00,00,00,01,ff,ff,ff,ff,ff,ff,\
  ff,ff,e0,00,00,1f,ff,ff,fe,00,00,1f,ff,ff,fe,00,00,7f,ff,ff,e0,00,00,01,ff,\
  ff,ff,80,00,ff,ff,ff,80,00,00,00,7f,ff,ff,c0,00,ff,ff,ff,80,00,00,00,7f,ff,\
  ff,c0,00,ff,ff,ff,80,00,00,00,7f,ff,ff,c0,00,7f,ff,ff,e0,00,00,01,ff,ff,ff,\
  80,00,1f,ff,ff,fe,00,00,1f,ff,ff,fe,00,00,01,ff,ff,ff,ff,ff,ff,ff,ff,e0,00,\
  00,00,0f,ff,ff,ff,ff,ff,ff,fc,00,00,00,00,00,01,ff,ff,ff,ff,e0,00,00,00,00,\
  00,00,00,00,1a,00,08,00,1e,ff,1f,20,27,00,00,00,20,00,00,00,e0,91,e5,c1,00,\
  f9,ff,ff,90,53,2b,c2,00,f9,ff,ff,44,00,00,00,90,01,00,00,00,00,00,00,60,00,\
  00,00,60,00,00,00,20,00,fd,ff,1f,00,20,00,00,00,00,27,a1,00,00,00,40,00,24,\
  00,00,08,00,00,a8,09,00,00,8e,03,00,00,ff,2e,00,e1,5b,60,00,c0,29,00,00,00,\
  00,00,00,00,ff,01,01,20,00,00,28,20,61,6c,00,08,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00
"PrivateKey"=hex:07,02,00,00,00,a4,00,00,52,53,41,32,00,08,00,00,01,00,01,00,\
  63,19,ab,b9,e8,c1,02,4b,42,7e,c7,8f,c7,91,38,1e,75,51,97,1b,5f,3f,3e,2b,ad,\
  ca,38,83,62,e2,e2,09,00,63,c3,a7,42,43,ff,a5,67,fb,de,99,19,e4,dc,ce,94,5f,\
  1c,05,34,d1,ca,23,b7,6e,34,f3,99,b4,e1,fe,f3,42,f0,41,30,3c,87,1f,de,98,0a,\
  98,62,09,64,d1,65,db,cc,0b,f8,a9,e8,a9,a5,12,9b,cd,b6,34,db,02,11,72,e8,57,\
  37,6c,28,7d,5f,6b,85,77,bb,40,0f,c8,f7,70,64,5a,36,49,81,25,bf,a4,74,67,57,\
  7e,ea,ab,6b,f7,48,95,2d,b3,61,6f,a1,5a,bd,78,df,eb,60,b2,57,c1,02,b4,de,3f,\
  ff,11,f8,74,41,9f,7d,bc,14,74,b4,8d,9f,42,33,5f,48,d1,be,9b,7c,0c,0a,7d,5b,\
  e7,f6,9e,b0,58,c3,e0,9d,d4,c5,21,61,68,c7,e9,47,7e,a1,06,2f,df,c3,7f,30,86,\
  a4,dd,16,48,48,38,30,1a,23,02,d9,8e,3d,82,7a,6e,90,da,8e,12,e3,df,46,54,78,\
  4b,00,2e,18,1f,be,af,97,9c,b0,c5,a7,a1,8c,ef,1c,c1,25,e5,03,0e,51,8e,e3,77,\
  af,18,f2,96,d2,d0,6b,24,22,db,8c,7f,b2,b6,50,50,b4,75,b8,22,54,2b,74,6b,31,\
  5d,5c,9c,be,8b,30,89,cd,22,69,85,af,aa,e0,50,34,a1,7e,f7,94,69,e6,24,48,99,\
  73,be,40,2c,33,60,c6,56,58,c1,6d,e6,ef,cb,c7,65,c4,a7,20,51,4c,f5,78,0b,9d,\
  12,0f,36,38,64,06,2b,0a,6d,55,2b,9c,d2,62,5a,66,34,af,99,bc,6f,3e,ed,7d,c8,\
  79,67,b9,f9,24,4b,93,ef,91,a1,04,93,d1,d2,fd,5b,d7,9d,95,ed,79,2d,7c,c4,8b,\
  9c,bb,16,90,25,5f,5d,72,f9,e9,dc,e4,c3,3a,16,1c,78,54,87,3b,5c,d0,37,18,95,\
  11,7a,39,ca,ac,f5,c8,e6,17,27,f5,e5,e7,b6,83,55,77,cb,b9,87,e3,4c,f1,69,24,\
  b0,13,3f,32,3d,d7,1a,a6,ad,35,a6,a6,d5,a9,15,47,4a,6f,55,69,aa,63,9e,15,22,\
  a7,b5,cb,97,9a,ed,6b,47,01,b4,09,f3,1f,ba,de,c8,9c,a0,5c,2f,ab,30,b9,cc,64,\
  27,c8,61,06,fe,90,06,cd,99,d7,ea,8d,56,58,0d,e8,f9,da,ba,23,e8,4c,1a,c9,09,\
  96,a6,1d,14,82,c8,58,3c,ab,02,4f,d6,91,9f,53,74,61,a1,04,ca,b8,1c,97,a0,73,\
  df,57,96,14,19,db,81,a1,88,22,2e,82,d4,ca,00,d4,cf,c0,21,07,2d,96,9c,c8,92,\
  6c,6f,49,16,ce,1c,16,bc,52,f4,f0,8f,b9,8b,af,9c,cf,57,f0,df,50,d7,09,5c,2c,\
  5b,53,76,53,cc,df,75,fa,14,d7,c4,fc,e2,b5,1c,b4,0a,f9,be,96,74,f3,b4,11,e9,\
  f1,58,d3,c1,c6,34,70,df,9b,3a,4c,df,93,2c,67,f4,19,01,1c,80,48,b4,46,21,61,\
  da,c7,3d,0c,28,d3,5f,12,f2,a6,d0,e3,60,21,86,11,7c,a1,db,69,28,69,09,11,09,\
  ac,85,cb,e1,e4,fe,80,5b,b9,3f,25,db,0a,1b,7c,fe,00,52,0b,5b,3e,82,f7,2c,b1,\
  e0,e5,b7,87,70,ba,05,3f,f0,82,81,b1,69,a3,ff,97,ed,7e,71,f9,c0,bd,c9,f3,29,\
  67,22,83,0e,54,ce,34,ab,fa,16,9e,6a,ab,48,64,2e,43,05,86,52,4b,1c,f6,9c,66,\
  fa,7b,e2,26,cc,ba,72,d8,5a,08,7a,10,df,1c,ad,b4,a1,a4,98,fd,c8,d0,3e,ea,a6,\
  81,7f,74,6b,79,a3,c7,a4,5b,49,28,80,ad,2a,b0,af,78,9c,d3,21,86,80,55,4b,fc,\
  7c,ba,79,ce,33,25,f6,c6,16,31,93,0d,c3,0f,da,8e,31,65,f2,52,a0,c4,1e,4e,ad,\
  30,a3,7e,da,aa,05,99,35,1f,2e,94,6a,4c,e9,cb,1a,a4,98,b2,e5,b8,ec,01,fa,99,\
  28,13,f1,22,5f,a9,45,33,94,49,8e,10,b5,84,69,6f,b1,77,7c,2b,50,4d,de,bd,5a,\
  be,1a,9b,8c,7f,b5,af,84,4e,d9,06,56,0f,3b,0f,1a,c2,1e,6c,89,de,39,6b,05,47,\
  f0,2c,58,e8,27,dc,f2,3d,00,5c,88,76,8f,33,48,a9,32,dc,1b,1c,60,21,bf,05,7c,\
  97,c8,ca,f6,d3,17,56,31,e5,66,c6,5f,66,57,8f,b0,c7,24,93,ce,fe,80,d8,4f,e8,\
  69,2b,91,85,3e,6b,4a,37,e5,99,90,61,1c,c7,64,67,39,f6,92,32,74,38,63,f9,26,\
  8e,fd,70,bf,4c,da,fe,4b,7e,eb,42,4c,4f,8e,b0,00,a7,df,17,5f,49,fc,a2,6c,a0,\
  ef,69,f2,91,8f,fe,56,9a,20,6e,48,f2,7c,18,be,2f,87,3e,55,9c,90,23,7c,dc,8e,\
  09,9c,1d,be,8d,2f,73,5c,af,9a,70,4f,49,c0,d8,a2,f3,cb,ed,54,a7,d2,5d,db,c8,\
  f4,e5,a5,d5,85,1c,9e,2f,c6,20,0a,7e,ab,10,6a,06,34,40,57,47,63,f2,3f,8e,5b,\
  ce,ea,92,13,46,06,5a,28,54,99,70,06,93,ff,72,a3,37,78,86,c1,7a,b1,99,07,d8,\
  1e,2a,06,76,e7,db,ef,d8,4c,d8,65,06,ef,c6,14,fe,68,c2,4d,f8,cb,a6,fc,c8,97,\
  96,c0,22,1d,24,75,11,15,8c,d0,61,e0,63,f3,ee,04,00,29,f1,f1,f1,8f,11,12,ca,\
  69,7b,c7,c7,17,78,17,f9,9b,cb,27,55,dd,e9,a0,57,91,49,7e,fb,9d,d5,73,5d,49,\
  2e,69

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
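A note on what that dump actually contains, with an added example that is not code from ripitone's post: the "PublicKey" and "PrivateKey" values are Microsoft CryptoAPI key blobs. Their first 20 bytes are an 8-byte BLOBHEADER followed by a 12-byte RSAPUBKEY: bType 0x06 (PUBLICKEYBLOB) or 0x07 (PRIVATEKEYBLOB), bVersion 2, aiKeyAlg 0x0000a400 (CALG_RSA_KEYX), the magic "RSA1"/"RSA2", bitlen 0x800 = 2048 and pubexp 0x10001 = 65537. The posted values are 276 and 1172 bytes long, which is exactly what those headers imply for a 2048-bit key (20 + 256 for the public blob; 20 + 256 + 5 x 128 + 256 for the private blob, i.e. modulus, p, q, dp, dq, iq and d), and both start their modulus with the same bytes (63,19,ab,b9,...), so they are the two halves of one key pair. The Python below parses such a value straight out of .reg syntax and checks the length against what the header promises. The two 20-byte headers are copied from the post; the key material after them is constructed filler, not the real key.

```python
"""Decode the CryptoAPI RSA key blobs found in a .reg dump.

Added example for this thread, not code from the post. It follows the documented
Microsoft CryptoAPI blob layout: an 8-byte BLOBHEADER (bType, bVersion, reserved,
aiKeyAlg), a 12-byte RSAPUBKEY (magic, bitlen, pubexp), then the little-endian
modulus and, for PRIVATEKEYBLOB, the CRT components and the private exponent.
The two 20-byte headers below are copied from the posted "PublicKey" and
"PrivateKey" values; everything after them is CONSTRUCTED filler.
"""
import re
import struct

PUBLICKEYBLOB = 0x06          # bType of a public key blob
PRIVATEKEYBLOB = 0x07         # bType of a private key blob
CALG_RSA_KEYX = 0x0000A400    # aiKeyAlg: RSA key exchange
HEADER_SIZE = 20              # BLOBHEADER (8) + RSAPUBKEY (12)

# First 20 bytes of the posted values (header fields only, no key material).
POSTED_PUBLIC_HEADER = "06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00,00,01,00,01,00"
POSTED_PRIVATE_HEADER = "07,02,00,00,00,a4,00,00,52,53,41,32,00,08,00,00,01,00,01,00"


def reg_hex_to_bytes(reg_value: str) -> bytes:
    """Parse a .reg 'hex:' value, including regedit's ',\\' line continuations."""
    body = reg_value.split("hex:", 1)[1]
    return bytes(int(tok, 16) for tok in re.split(r"[,\s\\]+", body) if tok)


def expected_blob_size(btype: int, bitlen: int) -> int:
    """Byte length a well-formed RSA blob of this type and key size must have."""
    n = bitlen // 8
    if btype == PUBLICKEYBLOB:
        return HEADER_SIZE + n                       # modulus only
    if btype == PRIVATEKEYBLOB:
        return HEADER_SIZE + n + 5 * (n // 2) + n    # modulus, p, q, dp, dq, iq, d
    raise ValueError(f"unsupported blob type 0x{btype:02x}")


def parse_capi_rsa_blob(blob: bytes) -> dict:
    """Decode the header and check the blob is the size its header promises."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, bversion, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if magic not in (b"RSA1", b"RSA2"):
        raise ValueError(f"not an RSA blob (magic {magic!r})")
    expected = expected_blob_size(btype, bitlen)
    if len(blob) != expected:
        raise ValueError(f"blob is {len(blob)} bytes, header implies {expected}")
    n = bitlen // 8
    return {
        "type": "public" if btype == PUBLICKEYBLOB else "private",
        "version": bversion,
        "rsa_keyx": alg_id == CALG_RSA_KEYX,
        "magic": magic.decode("ascii"),
        "bits": bitlen,
        "e": pubexp,
        "modulus": int.from_bytes(blob[HEADER_SIZE:HEADER_SIZE + n], "little"),
    }


def constructed_reg_value(name: str, header_hex: str, body_len: int) -> str:
    """Build a regedit-style value: posted header + CONSTRUCTED filler, 25 bytes per line."""
    filler = [f"{(i * 7 + 3) & 0xFF:02x}" for i in range(body_len)]
    toks = header_hex.split(",") + filler
    lines = [",".join(toks[i:i + 25]) for i in range(0, len(toks), 25)]
    return f'"{name}"=hex:' + ",\\\n  ".join(lines)


if __name__ == "__main__":
    for name, header, body in (("PublicKey", POSTED_PUBLIC_HEADER, 256),
                               ("PrivateKey", POSTED_PRIVATE_HEADER, 1152)):
        info = parse_capi_rsa_blob(reg_hex_to_bytes(constructed_reg_value(name, header, body)))
        print(name, {k: v for k, v in info.items() if k != "modulus"})
```

The length check is the useful part for anyone triaging such a dump: a value whose size does not match its header has been truncated or is not the blob type its first byte claims, and a "PrivateKey" whose modulus bytes differ from the "PublicKey" modulus is not the matching half of the pair.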
 



#393 pcrx9000

Posted 25 September 2013 - 12:26 PM

Yes - but was the private there before you paid? Still don't understand why the private key is captured by wireshark - but then not visible anywhere on the machine. it looked like this: di48xs4rsbxou9z



#394 ripitone

Posted 25 September 2013 - 12:43 PM

Version info, public key and wallpaper were there before I paid. Private is new.



#395 Grinler (Lawrence Abrams), Admin

Posted 25 September 2013 - 01:25 PM

Private key is unique to the machine unfortunately.

> Yes - but was the private there before you paid? Still don't understand why the private key is captured by wireshark - but then not visible anywhere on the machine. it looked like this: di48xs4rsbxou9z

The private keys are shown over the network during initial encryption only. From what I understand from Fabian's writeup, essentially a new private key is generated by the developer's server for every file encrypted. As each file is encrypted, you will see the remote server giving the private key, but it is not stored in any files in a retrievable format.

#396 1badmutha

Posted 25 September 2013 - 02:38 PM

Hello All,

     Has anybody been able to successfully pay the ransom in the last day or 2 and if so how long was the wait for the activation? I know ripitone just posted recently but was wondering if the ransom was actually paid very recently. I want to make sure it is still working as payment activation has now taken over 5 hours...

 

Thank You All!!



#397 huberthpham

Posted 25 September 2013 - 06:18 PM

> Hello All,
>
> Has anybody been able to successfully pay the ransom in the last day or 2 and if so how long was the wait for the activation? I know ripitone just posted recently but was wondering if the ransom was actually paid very recently. I want to make sure it is still working as payment activation has now taken over 5 hours...
>
> Thank You All!!

 

I paid the $100 yesterday, the screen closed out after a few hours, the files still are encrypted, the virus uninstalled itself, and the money is gone.

At least it was only $100 instead of $500.



#398 Crazy Cat

Posted 25 September 2013 - 10:42 PM

CryptoLocker. http://blog.emsisoft.com/2013/09/10/cryptolocker-a-new-ransomware-variant/

Unfortunately, once the encryption of the data is complete, decryption is not feasible. To obtain the file specific AES key to decrypt a file, you need the private RSA key corresponding to the RSA public key generated for the victims system by the command and control server. However, this key never leaves the command and control server, putting it out of reach of everyone except the attacker.

Unique 2048 bit RSA public key created by the version of the malware, a numeric id, the system's network name, a group id as well as the language of the system.
Different 256 bit AES key created for each targeted file.

[2048 bit RSA public key]{256 bit AES key}ENCRYPTED FILE{256 bit AES key}[2048 bit RSA public key]


ECRYPT II Yearly Report on Algorithms and Keysizes (2010-2011) (30th June 2011) at http://www.ecrypt.eu.org/documents/D.SPA.17.pdf
To crack DES keys: Chapter 5, Determining Symmetric Key Size. Page 15 or 27/122.
To crack RSA keys: Chapter 6, Determining Equivalent Asymmetric Key Size. Page 25 or 37/122.


The Mathematics of the RSA Public-Key Cryptosystem, Burt Kaliski, RSA Laboratories. http://www.mathaware.org/mam/06/Kaliski.pdf
ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through the company that Ronald Rivest, Adi Shamir and Leonard Adleman started in 1982 to commercialize the RSA encryption algorithm that they had invented. At the time, Kaliski had just started his undergraduate degree at MIT. Professor Rivest was the advisor of his bachelor's, master's and doctoral theses, all of which were about cryptography. When Kaliski finished his graduate work, Rivest asked him to consider joining the company, then called RSA Data Security. In 1989, he became employed as the company's first full-time scientist. He is currently chief scientist at RSA Laboratories and vice president of research for RSA Security.


WHY BRUTE-FORCE WHEN YOU CAN BACKDOOR.

Deliberately flawed? RSA Security tells customers to drop NSA-related encryption algorithm. http://rt.com/usa/nsa-weak-cryptography-rsa-110/

An encryption algorithm with a suspected NSA-designed backdoor has been declared insecure by the developer after years of extensive use by customers worldwide, including the US federal agencies and government entities.
Major US computer security company RSA Security, a division of EMC, has privately warned thousands of its customers on Thursday to immediately discontinue using all versions of company's BSAFE toolkit and Data Protection Manager (DPM), both using Dual_EC_DRNG (Dual Elliptic Curve Deterministic Random Bit Generator) encryption algorithm to protect sensitive data.
 



#399 proapp

Posted 26 September 2013 - 12:34 AM

> Private key is unique to the machine unfortunately.
>
> > Yes - but was the private there before you paid? Still don't understand why the private key is captured by wireshark - but then not visible anywhere on the machine. it looked like this: di48xs4rsbxou9z
>
> The private keys are shown over the network during initial encryption only. From what I understand from Fabian's writeup, essentially a new private key is generated by the developer's server for every file encrypted. As each file is encrypted, you will see the remote server giving the private key, but it is not stored in any files in a retrievable format.

With this infection, for as technically "tight" as it is, there is still some sloppiness in the "business" process..

We know that this virus contacts a server, or servers, to generate a private key upon initial infection. Then again there is contact when submitting payment. There is once again contact when payment has been processed.... I also assume that there is contact if an invalid payment is submitted and rejected since they claim the timer will be cut in half if an invalid payment is submitted..

They also claim that the payment is processed manually. The delay between submitting payment and decryption starting seems to confirm this.

This is not a perfect system by far.. I see two weaknesses: #1 the server #2 the human processing of payment.

I say we figure out a way to exploit the exploiters.. WITH THEIR OWN BUSINESS PROCESS

I have an idea... think of it as somewhat of a ddos attack of sorts. Now I'm just thinking out loud here, but what if we figured out a systematic way to infect a ton (literally a ton) of virtual machines. This would cause an excess of traffic to the server(s), not only that but with something like wireshark implemented on the VMs we could capture the private keys (for good measure).
This process could work on the server weakness

That brings us to the human weakness.. the reason payment processing takes so long is because it takes time to manually. If all the newly infected VMs started submitting bogus (but valid looking) payment details, then the humans on the other end will be inundated with "payments" to process.. eventually they will be overwhelmed by all the incoming "payments" from the VMs.



Eventually they will move to automate the payment, at which time the (hopefully) someone (authorities, green dot, whoever) will be able to track them down, or the payment companies will block their servers from all the failed payment attempts.

I'm tired... so I'm sure there are PLENTY of flaws in this plan.. there is also implementation, which is way above my pay grade... but I'm sitting here thinking about how this could be fought.

Thoughts? Comments?

#400 iladelf

Posted 26 September 2013 - 12:42 AM

For those running XP Home, I have found an answer on how to install Group Policy Editor!  Obviously, the forum moderators here can check this out for authenticity, but I now have GPE installed on an XP Home machine by following the steps at the link below:

http://www.mydigitallife.info/install-and-enable-group-policy-editor-gpedit-msc-in-windows-xp-home-edition/

Edited by Grinler, 26 September 2013 - 06:50 AM.


#401 pcrx9000

Posted 26 September 2013 - 12:52 AM

I met with the FBI today. They basically say unless the damages exceed $5K - they can not directly get involved. The agent that met with me suggested filing complaints to: http://www.ic3.gov he thinks they are probably already on it.

 

I went over the whole moneypak/greendot scam. I asked why they can't simply shut this crap down - he didn't seem to know that much about it, and also was surprised about the NO CHARGE BACKs on that crap. 

 

I found an article dating from 2007 with a similar type strategy.

 

http://arstechnica.com/security/2007/07/new-trojans-give-us-300-or-the-data-gets-it/

 

Soooo ... I guess they've been working on it for a while. Why is this not pursued as an extortion crime? If someone kidnapped your dog or child and demanded money, how do you think they would respond?

 

Luckily, all of my customers run our offsite backup program which keeps file revisions, so the infections have not had a terrible impact other than a minor inconvenience. The basic infection was fairly easy to get rid of.

 

I feel very sorry for anyone not backed up - 


Edited by pcrx9000, 26 September 2013 - 12:54 AM.


#402 Grinler (Lawrence Abrams), Admin

Posted 26 September 2013 - 06:51 AM

My guess is that someone from the FBI is already on it. The problem is that one office may have a cyber expert working on it, but the other offices don't know about it. This has happened in the past with other infections.

#403 danrdj

Posted 26 September 2013 - 08:23 AM

Craziness.. we deployed the SRP rules today blocking:

 

%AppData%\*.exe
%AppData%\*\*.exe

 

My concern is, has anyone run into issues with legitimate applications needing to run within AppData?

 

I did a quick search of *.exe in my own %AppData% folder and found a couple of legitimate applications that live in subfolders, but not in the root.  So we did as Grinler suggested and blocked only %AppData%\*.exe.  It seems your second path would block more than the virus.

 

Also, I haven't tested this yet but if you wanted to be extra careful not to block anything but the exe's that we've seen CryptoLocker produce, maybe this would work:

%AppData%\{*}.exe

 

Thoughts on this?  I've seen other viruses live directly inside %AppData% so you'd lose the ability to block those with such a rule.
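To see the trade-off danrdj is weighing, here is an added example (not code from the post, and not Microsoft's SRP engine) that models the three path-rule shapes under discussion against a few constructed paths. It assumes what the thread itself relies on: %AppData% is expanded, matching is case-insensitive, and a `*` in an SRP path rule does not cross a folder separator, which is why `%AppData%\*\*.exe` is needed to reach one level of subfolders at all. The user name, the sample paths and the GUID-style file name are all made up.

```python
"""Which of the SRP path rules discussed in this thread would catch a given binary?

Added example, not code from the post and not Microsoft's SRP implementation.
Assumptions: %VAR% references are expanded, matching is case-insensitive, and
'*' matches any run of characters except a backslash (one folder level only).
All sample paths are constructed.
"""
import re

# Constructed expansion of %AppData% on the machine being modelled.
ENV = {"AppData": r"C:\Users\alice\AppData\Roaming"}

# The three rule shapes under discussion, as written in the thread.
RULES = [
    r"%AppData%\*.exe",      # root of AppData only
    r"%AppData%\*\*.exe",    # exactly one subfolder deep
    r"%AppData%\{*}.exe",    # GUID-style names in the root
]

# Constructed sample executables; the GUID name is a made-up stand-in.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\{E2A1B4C7-9F7D-4C3E-8A10-1234567890AB}.exe",
    r"C:\Users\alice\AppData\Roaming\legit.exe",
    r"C:\Users\alice\AppData\Roaming\Vendor\tool.exe",
    r"C:\Users\alice\AppData\Roaming\Vendor\bin\tool.exe",
]


def srp_rule_to_regex(rule: str, env: dict) -> re.Pattern:
    """Expand %VAR% references, then compile the rule with '*' confined to one folder level."""
    for name, value in env.items():
        # A callable replacement keeps the backslashes in 'value' literal.
        rule = re.sub(re.escape(f"%{name}%"), lambda _m: value, rule, flags=re.IGNORECASE)
    pattern = re.escape(rule).replace(r"\*", r"[^\\]*")
    # NTFS paths and SRP path rules are case-insensitive.
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def matching_rules(path: str, rules: list, env: dict) -> list:
    """Return the rules, in order, that would apply to this path."""
    return [r for r in rules if srp_rule_to_regex(r, env).match(path)]


def evaluate(rules: list, paths: list, env: dict) -> dict:
    """Map each sample path to the rules that catch it."""
    return {p: matching_rules(p, rules, env) for p in paths}


if __name__ == "__main__":
    for path, hits in evaluate(RULES, SAMPLE_PATHS, ENV).items():
        print(f"{path}\n    -> {hits or 'not blocked by any rule'}")
```

Running it shows the root-only rule catching both root-level samples, the subfolder rule catching only the one-level sample (and nothing two levels deep), and the `{*}.exe` rule catching only the GUID-named binary. That last result is the narrowing danrdj describes: it spares legitimate root-level executables but also stops catching any other malware that drops a plainly named .exe in the root of %AppData%.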



#404 Netghost56

Posted 26 September 2013 - 08:50 AM

I would have to say the damages appear to be in the tens of thousands, if not hundreds of thousands. Perhaps the lack of news coverage is keeping it from being considered a "major threat".

 

Not sure if the FBI is the best course of action- as I still think this is a foreign attacker.



#405 Grinler (Lawrence Abrams), Admin

Posted 26 September 2013 - 09:14 AM

> I would have to say the damages appear to be in the tens of thousands, if not hundreds of thousands. Perhaps the lack of news coverage is keeping it from being considered a "major threat".

Agreed. If you have any connections with the media, go for it!

> Not sure if the FBI is the best course of action- as I still think this is a foreign attacker.

This is definitely a foreign attacker. From what I understand, this still falls under the jurisdiction of the FBI. I could be wrong.



