New file-encrypting ransomware called CryptoGraphic Locker


12 replies to this topic

#1 Grinler

    Lawrence Abrams

  • Admin
  • 43,270 posts
  • Gender:Male
  • Location:USA

Posted 03 September 2014 - 07:57 AM

A new file-encrypting ransomware was discovered today by BartBlaze called CryptoGraphic Locker. Just like other encrypting ransomware, this infection will scan your data files and encrypt them so that they are unusable. The infection will then display a ransom note that requires you to purchase the decryption key in order to decrypt your files. The initial cost to purchase the key is .2 BTC, or approximately $100 USD, which makes this one of the cheaper ransoms that we have seen in a long time. Though the ransom starts out small, there is a 24-hour timer built into the application that will increase the ransom amount each time it hits 0.

[Screenshot: cryptographic-locker-screen.jpg]
When you are infected with CryptoGraphic Locker, the application will configure itself to start when you log in to Windows. It will then scan your drives for data files and create new encrypted copies using AES encryption and then delete the old ones. These new files will be renamed to have the extension .clf. A list of all encrypted files will be stored in the %Temp%\CryptoLockerFileList.txt file. The data files that CryptoGraphic Locker targets are:

.odt, .ods, .odp, .odm, .odc, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .pdf, .eps, .ai, .indd, .cdr, .dng, .3fr, .arw, .srf, .sr2, .mp3, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .lnk, .der, .cer, .crt, .pem, .pfx, .p12, .p7b, .p7c, .jpg, .png, .jfif, .jpeg, .gif, .bmp, .exif, .txt
When the infection has finished encrypting your data, it will display a ransom screen that explains how you can pay the ransom and decrypt your files. Unlike other file-encrypting ransomware released lately, which use a decryption site, the malware application itself allows you to make payments, receive your decryption keys, enter your key to decrypt files, etc. While the infection is running it will also terminate the following applications if they are started or are running: Process Hacker, MalwareBytes, Spyhunter, Msconfig, Task Manager, Registry Editor, System Restore, or Process Explorer.

Last, but not least, the infection will also change your Windows desktop background to the background below. Surprisingly, it uses the CryptoLocker name in the wallpaper instead of the CryptoGraphic Locker name that it uses in the application window.

[Image: wallpaper.jpg]
At this time the Command & Control servers are down, so there is no way to pay the ransom. There is, though, some good news for those who are infected. This ransomware does not delete files using a secure deletion method and does not wipe your system restore points. Therefore you can use a file recovery tool to undelete your files or a program like Shadow Explorer to restore your files from Shadow Volume Copies. Information on how to restore your files from Shadow Volume Copies can be found in the CryptoLocker guide.

Thanks to BartBlaze, Decrypterfixer, and Cody Johnston for providing info on this malware.

File additions and registry changes are:

%Temp%\CryptoLockerFileList.txt
%Temp%\wallpaper.jpg
<Path to Dropper>\<random>.exe

HKCU\Control Panel\Desktop\Wallpaper	"C:\Users\User\AppData\Local\Temp\wallpaper.jpg"	(old value="")
HKCU\Control Panel\Desktop\WallpaperStyle	"1"	(old value="10")
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CLock
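As an added example, not code from the post or from any tool it mentions, the following read-only PowerShell triage script checks a Windows host for the artifacts listed above (the CLock Run value, the two %Temp% files, the wallpaper value and the .clf extension) and, because the post notes that restore points are left intact, enumerates the Shadow Volume Copies that Shadow Explorer or vssadmin could restore from. It uses only standard cmdlets and assumes nothing beyond the indicators in the post; run it in the affected user's session, since the persistence and wallpaper values live under HKCU.

```powershell
# Added triage example (not from the original post or the malware itself).
# Read-only: it reports indicators and recovery options, it changes nothing.

$findings = @()

# 1. Persistence: the post names a Run value called "CLock" under HKCU.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$clock = Get-ItemProperty -Path $runKey -Name 'CLock' -ErrorAction SilentlyContinue
if ($clock) {
    $findings += "Run value CLock present, command: $($clock.CLock)"
}

# 2. Files dropped into %Temp% (from the post's file-additions list).
foreach ($name in 'CryptoLockerFileList.txt', 'wallpaper.jpg') {
    $p = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $p) { $findings += "Temp artifact present: $p" }
}

# 3. Desktop wallpaper redirected into a Temp folder. Matched by suffix rather
#    than full path because %TEMP% may be expanded as a short (8.3) path.
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($desktop.Wallpaper -and $desktop.Wallpaper -like '*\Temp\wallpaper.jpg') {
    $findings += "Desktop wallpaper points at $($desktop.Wallpaper) (WallpaperStyle=$($desktop.WallpaperStyle))"
}

# 4. Encrypted copies carry the .clf extension; count them on every file-system drive.
$clfCount = 0
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $clfCount += @(Get-ChildItem -Path $_.Root -Recurse -Filter '*.clf' -File -ErrorAction SilentlyContinue).Count
}
if ($clfCount -gt 0) { $findings += "$clfCount file(s) with the .clf extension found" }

# 5. Recovery: the post says the malware does not wipe restore points, so list
#    the Shadow Volume Copies available for Shadow Explorer / vssadmin.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

if ($findings.Count -eq 0) {
    Write-Output 'No CryptoGraphic Locker indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output " - $_" }
}

if ($shadows.Count -gt 0) {
    Write-Output "Shadow Volume Copies available for recovery: $($shadows.Count)"
    $shadows | Select-Object InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize
} else {
    Write-Output 'No Shadow Volume Copies found (or the WMI query failed).'
}
```

The .clf count is the slow step on a large drive; everything else is a handful of registry and WMI reads, so the script is safe to run repeatedly while triaging. A non-empty CryptoLockerFileList.txt also tells you exactly which originals to look for with an undelete tool, since the post notes the deletion is not secure.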



#2 pauloalex409

  • Members
  • 2 posts
  • Gender:Male
  • Location:Lisbon, Portugal

Posted 03 September 2014 - 08:15 AM

Viruses nowadays are scaring me more than ever.....Suggestion...Using an antivirus...With Malwarebytes Anti-Malware and using the Malwarebytes Anti-Exploit..I guess with these 3 things it will be hard to get infected with ransomware like that

 

Is there any way to get a sample of it...? Just to know, because I like to test how viruses work in virtual machines.

 

Sorry for my bad English...just wanna help


Edited by pauloalex409, 03 September 2014 - 08:18 AM.


#3 zingo156

  • BC Advisor
  • 3,333 posts
  • Gender:Male

Posted 03 September 2014 - 08:49 AM

Once again great post, thanks for the updates on these ransomware viruses. Being in I.T. it helps to know what viruses exist out there to verify that I am protecting company assets to the best of my ability.

 

I am getting tired of seeing all of these ransomware viruses being created. To end them we all need to start using proper backups with offline storage that cannot be encrypted, or online storage that does versioning.

 

If everyone started using proper backups, this type of virus would fall to the curb.


Edited by zingo156, 03 September 2014 - 08:56 AM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#4 IllusionEclipse

  • Members
  • 205 posts
  • Gender:Male
  • Location:Chillin in my Compspace

Posted 03 September 2014 - 09:05 PM

More replica ransomware?! Jeez, these people just don't quit, and I thought 4 was enough...I guess I'll need to make another backup. I do need to update it, and thankfully I have the day off school tomorrow.


An illusion is as real as the person who sees it, but wouldn't that be an illusion in and of itself?


#5 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin
  • 43,270 posts
  • Gender:Male
  • Location:USA

Posted 03 September 2014 - 09:46 PM

They will continue to keep coming. It's where the money is right now.

#6 BitMonk

  • Members
  • 30 posts
  • Gender:Male
  • Location:Midwest, USA

Posted 04 September 2014 - 09:59 AM

Viruses nowadays are scaring me more than ever

TOTALLY AGREE
For some reason these ransomware attacks eat at me. So cold, indiscriminate, hitting everyday people...

#7 HackinUrCompBro

  • Members
  • 1 post

Posted 05 September 2014 - 10:08 AM

This is some scary stuff! These things seem to be getting more and more powerful each release - the payment options are now expanded more than ever before. Beware!



#8 Guest_PhoenixRisen_*

  • Guests

Posted 05 September 2014 - 02:40 PM

This is so discouraging. It would take me far more than 24 hours to figure out the BC routine, and if the ransom just doubles every day the math is mind boggling. The suggestion of a proper backup is critical to my issue. I can not perform a proper backup to my external E: Toshiba device. When I try the Norton Security Suite Backup, it stops me and says I do not have Administrator access. It is starting to feel like the "you can't get there from here" story.



#9 skoenewillie

  • Members
  • 4 posts

Posted 07 September 2014 - 12:29 PM

Is there a way to get the data back? Does anyone know?



#10 Guest_PhoenixRisen_*

  • Guests

Posted 07 September 2014 - 12:46 PM

Is there a way to get the data back? Does anyone know?

According to one Admin post, pay the ransom if you can. "It's where the money is right now."

Desperate times call for semi-desperate measures. Eliminate ego and desire and you will feel serene. Best of luck to you, skoenewillie.


Edited by PhoenixRisen, 07 September 2014 - 12:48 PM.


#11 skoenewillie

  • Members
  • 4 posts

Posted 08 September 2014 - 11:40 AM

Is there a way to get the data back? Does anyone know?

According to one Admin post, pay the ransom if you can. "It's where the money is right now."

Desperate times call for semi-desperate measures. Eliminate ego and desire and you will feel serene. Best of luck to you, skoenewillie.

Are you kidding me, there is no way I'm going to pay those idiots.

But I found a recovery tool, so I got most of the data back



#12 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin
  • 43,270 posts
  • Gender:Male
  • Location:USA

Posted 08 September 2014 - 12:32 PM

Good stuff. Paying ransom is only a completely last resort. If you don't need the data, then start over rather than paying these people. Paying just encourages them.

#13 Guest_PhoenixRisen_*

  • Guests

Posted 08 September 2014 - 01:07 PM

Is there a way to get the data back? Does anyone know?

According to one Admin post, pay the ransom if you can. "It's where the money is right now."

Desperate times call for semi-desperate measures. Eliminate ego and desire and you will feel serene. Best of luck to you, skoenewillie.

Are you kidding me, there is no way I'm going to pay those idiots.

But I found a recovery tool, so I got most of the data back

 

May I have the name of the recovery tool you found? Congratulations on getting most of the data back.





