Cybercriminals are constantly looking for ways to evolve their malware. Evolution is the key for survival because antivirus research, analysis, countermeasures, and public awareness thwart the efficacy of malware and its spread. During the past year, Ransomware has received a lot of news coverage which has decreased the number of uninformed victims and lowered the impact and effectiveness of the malware along with the percentage of return to the criminal.
Due to this increased public awareness, in the last quarter of 2013 we have seen cybercriminals reorganize around a new type of extortion: Cryptolocker. This threat is pervasive and preys on a victim's biggest fear: losing their valuable data. Unlike previous Ransomware that locked operating systems and left data files alone and usually recoverable, Cryptolocker makes extortion of victims more effective because there is no way to retrieve locked files without the attacker's private key.
The following Q&A outlines Cryptolocker and Symantec’s protection against this malware:
Q: What is the difference between Ransomware and Cryptolocker (also known as Ransomcrypt)?
The difference between Ransomlock and Cryptolocker Trojans is that Ransomlock Trojans generally lock computer screens while Cryptolocker Trojans encrypt and lock individual files. Both threats are motivated by monetary gains that cybercriminals can make from extorting money from victims.
Q: When was this threat discovered?
In September 2013 the Cryptolocker threat began to be seen the wild.
Q: Is the Cryptolocker threat family something new?
No. Symantec detects other similar malware families such as Trojan.Gpcoder (May 2005) and Trojan.Ransomcrypt (June 2009) that encrypt and hold files ransom on compromised systems.
Q: What is the severity of this Cryptolocker threat?
The severity is high. If files are encrypted by Cryptolocker and you do not have a backup of the file, it is likely that the file is lost.
Q: How do I know I have been infected by Cryptolocker?
Once infected, you will be presented on screen with a ransom demand.
Figure 1. Cryptolocker ransom demand
Q: How does a victim get infected?
Victims receive spam email that use social engineering tactics to try and entice opening of the attached zip file.
Figure 2. Cryptolocker spam email example
If victims open the zip file attached to the email, they will find an executable file disguised to look like an invoice report or some other similar social engineering ploy, depending on the email theme. This executable file is Downloader.Upatre that will download Trojan.Zbot. Once infected with Trojan.Zbot, the Downloader.Upatre also downloads Trojan.Cryptolocker onto the compromised system. Trojan.Cryptolocker then reaches out to a command-and-control server (C&C) generated through a built-in domain generation algorithm (DGA). Once an active C&C is found, the threat will download the public key that is used to encrypt the files on the compromised system while the linked private key—required for decrypting the files— remains on the cybercriminal’s server. The private key remains in the cybercriminal control and cannot be used without access to the C&C server which changes regularly.
Figure 3. Cryptolocker attack steps
Q: Does Symantec have protection in place for Cryptolocker and the other associated malware?
Yes. Symantec has the following protection in place for this threat:
Symantec customers that use the Symantec.Cloud service are also protected from the spam messages used to deliver this malware.
Some earlier Symantec detections that detect this threat have been renamed:
- Virus definitions dated November 13, 2013, or earlier detected this threat as Trojan.Ransomcrypt.F
- Intrusion Prevention Signature (IPS) alerts dated November 14, 2013, or earlier were listed as "System Infected: Trojan.Ransomcrypt.F"
Q: What do the C&Cs look like?
The following are recent examples of command-and-control (C&C) servers from the DGA:
Cryptolocker can generate up to one thousand similar looking domain names per day in its search for an active C&C.
Q: How sophisticated is this threat?
While the Cryptolocker campaign uses a common technique of spam email and social engineering in order to infect victims, the threat itself also uses more sophisticated techniques like the following:
- Cryptolocker employs public-key cryptography using strong RSA 2048 encryption. Once files are encrypted without the private key held on the attacker’s server, the victim will not be able to decrypt the files.
- Cryptolocker employs a DGA that is based on the Mersenne twister pseudo-random number generator to find active C&Cs.
Q: How prevalent is the threat?
Symantec telemetry for this threat shows that the threat is prevalent in the United States at present. While the numbers being reported are low, the severity of the attack is still considerable for victims.
Figure 4. Top 5 countries reporting detections
Q: Has Symantec previously released any publications around these attacks?
Yes, Symantec has released the following blogs:
Q: Should I pay the ransom?
No. You should never pay a ransom. Payment to cybercriminals only encourages more malware campaigns. There is no guarantee that payment will lead to the decryption of your files.
Q: Who is behind the Cryptolocker malware?
Investigations into the cybercriminals behind the Cryptolocker malware are ongoing.
Q: Is there any advice on how to recover files affected by this attack?
Yes, Symantec Technical Support has released the following article:
Q: Any advice on how to not become a victim?
Yes. First, follow information security best practices and always backup your files. Keep your systems up to date with the latest virus definitions and software patches. Refrain from opening any suspicious unsolicited emails. We also advise customers to use the latest Symantec technologies and incorporate the latest Symantec consumer and enterprise solutions to best protect against attacks of this kind.
Q: Does Symantec offer backup and disaster recovery software?
Yes. Symantec has the Backup Exec Family of products.