ZeroLocker - a new destructive encrypting ransomware


23 replies to this topic

#1 Grinler (Lawrence Abrams)

  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 15 August 2014 - 05:25 PM

So many malware developers are trying to jump onto the get-rich-quick encrypting ransomware train that mistakes are starting to become common. This is readily apparent with the latest ransomware, called ZeroLocker, that encrypts your files with AES encryption. Like many other encrypting ransomware, ZeroLocker will encrypt your files and then display a ransom note that explains how you can pay using bitcoins to decrypt your files. Unlike other encrypting malware, this infection pretends to be a helper tool that has discovered the encrypted files and is trying to help you. In reality, though, this could be one of the more destructive ransomware we have seen to date.
 

[Image: zerolocker.jpg]

Unlike all other file-encrypting ransomware, ZeroLocker does not only target data files when it starts. Instead, this infection will encrypt all files on your C:\ drive, including executables, with AES encryption unless they are located in certain folders or are larger than 20 megabytes. The folders that are safe from encryption are ones that contain the keywords: Windows, WINDOWS, Program Files, ZeroLocker, and Desktop. Any files that are encrypted will have .encrypted appended to their filename. When it has finished encrypting your files, it will then run the C:\Windows\System32\cipher.exe /w:C:\ command, which will overwrite all deleted data on your C:\ drive. This makes it so you are unable to use file recovery tools to restore your files. It will create the C:\ZeroLocker folder and store various files there, along with the decryptor executable called ZeroRescue.exe. This file will be set to start automatically via a Registry entry when you log in to your computer.

The main issue, though, is when ZeroLocker uploads your decryption key to the Command & Control server. If the C2 server was properly configured, when the private key was uploaded it would respond with an HTTP 200 status code, which means that the web page was successfully accessed. Unfortunately, when ZeroLocker attempts to upload its private key it receives a 404 status code because the requested web page does not exist on the server.
 
 

[Image: 404-error.jpg]

 
 
Therefore, the decryption key was not stored in any database or file for later recovery. In fact, the only way to recover the key would be to manually filter through the HTTP access logs, if they have not been overwritten or rotated already. This is obviously a coding mistake on the part of the developer and one that essentially trashes the encrypted computer, as you are unable to retrieve your decryption key even if you pay the ransom. With the lack of a recoverable encryption key and the fact that it encrypts all files and not just data files, this ransomware becomes very destructive, especially to companies that have custom software not being used under normal paths.

There is, though, some light at the end of the tunnel. This infection does not delete the Windows System Restore points, so you can restore your files using a program like Shadow Explorer or Windows' built-in Previous Versions feature. For information on how to restore your files via these methods, please read this section from our CryptoLocker guide: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#shadow
 
A big thanks to decrypterfixer for reversing this malware!
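As an added example (not code from this post, from decrypterfixer's analysis, or from ZeroLocker itself), the selection rules described above applied to a directory listing, so a responder can scope which files on an affected host already carry the .encrypted suffix, which matched the rules and must come from backups or shadow copies, and which the malware left alone; the `triage` helper, the sample paths and the sizes are constructed assumptions of this example.

```python
# Added example (not code from the post or from ZeroLocker): applies the post's
# stated selection rules to a (path, size) listing gathered from an affected host.
import ntpath
from typing import Dict, Iterable, List, Tuple

# Folder keywords the post lists as exempt from encryption (case-sensitive as given).
SKIPPED_KEYWORDS = ("Windows", "WINDOWS", "Program Files", "ZeroLocker", "Desktop")
MAX_SIZE = 20 * 1024 * 1024      # files larger than 20 MB are left alone
ENCRYPTED_SUFFIX = ".encrypted"  # appended to every file the malware encrypts


def would_be_encrypted(path: str, size: int) -> bool:
    """True when a file matches the post's rules: on C:, not in an exempt folder, <= 20 MB."""
    drive, tail = ntpath.splitdrive(path)
    if drive.upper() != "C:":
        return False
    if any(keyword in ntpath.dirname(tail) for keyword in SKIPPED_KEYWORDS):
        return False
    return size <= MAX_SIZE


def triage(listing: Iterable[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Bucket a listing into already-encrypted, at-risk and skipped files for recovery planning."""
    result: Dict[str, List[str]] = {"encrypted": [], "at_risk": [], "skipped": []}
    for path, size in listing:
        if path.endswith(ENCRYPTED_SUFFIX):
            result["encrypted"].append(path)   # already renamed by the malware
        elif would_be_encrypted(path, size):
            result["at_risk"].append(path)     # matches the rules; restore from backup or shadow copies
        else:
            result["skipped"].append(path)     # exempt folder, over 20 MB, or not on C:
    return result


# Constructed sample listing (hypothetical host); sizes are in bytes.
SAMPLE_LISTING = [
    ("C:\\Users\\bob\\Documents\\report.docx.encrypted", 48_212),
    ("C:\\Users\\bob\\Documents\\budget.xlsx", 21_000),
    ("C:\\Tools\\vendor\\custom.exe", 1_400_000),        # custom software outside Program Files
    ("C:\\Windows\\System32\\cipher.exe", 60_000),
    ("C:\\Users\\bob\\Desktop\\todo.txt", 512),
    ("C:\\Users\\bob\\Videos\\holiday.mp4", 700 * 1024 * 1024),
    ("C:\\ZeroLocker\\ZeroRescue.exe", 300_000),         # the malware's own drop folder
    ("D:\\backup\\image.vhd", 30_000_000_000),
]

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_LISTING).items():
        print(f"{bucket}: {len(paths)} file(s)")
```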



#2 blueelvis (Bleep Blop Bleep)

  • Malware Response Team
  • 1,622 posts
  • Gender:Male
  • Location:India

Posted 18 August 2014 - 01:00 PM

Great read, Grinler, as always. Keep it up ^_^


Member of the Bleeping Computer A.I.I. early response team!


In case I have been helping you and you haven't received a reply from me in 48 hours, please feel free to PM me. Anything else? Still feel free to PM me :)

Did you read this? http://omgdebugging.com/5-tips-for-getting-the-best-bang-for-the-buck-at-fast-food-joints/

#3 Bleky

  • Members
  • 185 posts
  • Gender:Male
  • Location:Somewhere on internet

Posted 18 August 2014 - 04:29 PM

But why does every ransomware accept bitcoins only?

Mac OS XI Tard - The world's most difficult-to-please operating system


#4 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 18 August 2014 - 04:58 PM

Harder to trace.



#5 Bob.

  • Members
  • 26 posts

Posted 18 August 2014 - 10:30 PM

I guess I would restore my latest partition image, but what do others do (citizens or companies)? I understand that this particular malware issue means that there is no recovery likely, but what of those malwares that do decrypt when the 'ransom' is paid? Is there no choice but to pay?


Edited by Bob., 18 August 2014 - 10:31 PM.


#6 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 19 August 2014 - 07:54 AM

Yes, for the most part the encryption is not breakable and you have to restore from backup or pay the ransom.



#7 Marc Meshurle

  • Members
  • 2 posts
  • Gender:Male

Posted 19 August 2014 - 10:00 AM

Does it work in the same manner as CryptoWall or CryptoLocker? Do programs such as CryptoPrevent help alleviate the execution in certain directories as it does for the crypto viruses?



#8 Libyan expert

  • Members
  • 35 posts
  • Gender:Male

Posted 19 August 2014 - 10:51 AM

when ZeroLocker attempts to upload its private key it receives a 404 status code because the requested web page does not exist

-------

If this is true, does that mean that the private key is lost or not?



#9 Libyan expert

  • Members
  • 35 posts
  • Gender:Male

Posted 19 August 2014 - 10:54 AM

I want to ask, why do we see many types of this malware?

 

Are all these types from the same man, or is it different?

 

I heard that the source code of the malware has been sold on the black market.



#10 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 19 August 2014 - 12:42 PM

If this is true, does that mean that the private key is lost or not?


Lost. Theoretically it could be retrieved from the HTTP access logs, but there is no guarantee the developer is even keeping them. 
 

I want to ask, why do we see many types of this malware?


Big money for the malware developer with hard to trace ransom payments.


Are all these types from the same man, or is it different?


Different from what we can tell.

I heard that the source code of the malware has been sold on the black market.


Possible. There are many variants, so it's hard to say. CTB-Locker, aka Critroni, may be what you are referring to. This was being sold on the black market by the original malware developer. The developer would offer the kit and support for a fixed monthly price.

#11 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 19 August 2014 - 12:45 PM

Does it work in the same manner as CryptoWall or CryptoLocker? Do programs such as CryptoPrevent help alleviate the execution in certain directories as it does for the crypto viruses?


Yes, CryptoPrevent would prevent the ransomware from running. In fact CryptoPrevent would prevent any malware from running that was in the blacklisted paths.

#12 Libyan expert

  • Members
  • 35 posts
  • Gender:Male

Posted 19 August 2014 - 01:05 PM

Lost. Theoretically it could be retrieved from the HTTP access logs, but there is no guarantee the developer is even keeping them.


Ah, ok, thanks.

#13 IndiGamer

  • Members
  • 57 posts
  • Gender:Male
  • Location:US, Minnesota

Posted 21 August 2014 - 04:25 PM

Hey Grin :) If you can figure out what the Bitcoin address is, would you please PM me the address?


Owner of NFinite Tech, website coming soon.

 


 


#14 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,268 posts
  • Gender:Male
  • Location:USA

Posted 21 August 2014 - 04:38 PM

It uses a new bitcoin address for each infection. There is one static one, but it's unused.

#15 ElfBane

  • Members
  • 775 posts
  • Gender:Male
  • Location:Florida

Posted 22 August 2014 - 04:42 AM

Does BC recommend the use of CryptoPrevent?

Also, I clone my HDD twice a week, and the clone is in the spare HDD bay of the PC (clones go MUCH faster this way!), would a crypto ransomware attack affect both HDDs in a PC? Just wondering.





