Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

Original Cryptolocker Ransomware Support and Help Topic


  • Please log in to reply
3457 replies to this topic

#91 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  •  Avatar image
  • Security Developer
  • 744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:02 AM

Posted 10 September 2013 - 02:51 PM

Can we have a discussion on what possible ways these files can be decrypted based on each user needing a private key and that key being impossible to attain.  What conceivable way could this be done?

All ways involve getting access to the server storing the private keys. Currently the malware connects to a server in Baltimore (173.246.105.23). However, I have a feeling that it is just acting as a reverse proxy, connecting to the actual server someplace else. In addition, due to the way the malware connects to its command and control server, even if you take the actual server down, the attacker can just set up a new one.
 

We are currently working with this virus now, and wanted to see if anybody still has the original executable that it created. We want to infect one of our test machines to see if we can figure out a fix for the encryption, as well as see how it functions.

You can get both the malware sample as well as a rough overview of how files are encrypted here:

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2945

Downloading the file may require a registration though.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

BC AdBot (Login to Remove)

 


#92 kenoindallas

kenoindallas

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 10 September 2013 - 03:01 PM

Excellent, thanks for your help Fabian!



#93 jonathan020

jonathan020

  •  Avatar image
  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:12:02 AM

Posted 10 September 2013 - 03:05 PM

It's near impossible without the private key. Would take a forensics team a lot of resources to crack the RSA encryption.

 

For me this whole ordeal was a good lesson in keeping up to date backups. We lost half a days worth of data changes in the end after restoration. Configure VSS, take regular offsite backups. Crashplan is only a few bucks and worth its weight in gold when this kind of thing happens.



#94 proapp

proapp

  •  Avatar image
  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 10 September 2013 - 10:27 PM

Does anyone have any experience with the emsisoft anti-spyware program linked to above by Elise?

They state on that link that:

"Users of Emsisoft Anti-Malware or Online Armor are not at risk of falling victim to either CryptoLocker or the malware downloader from the initial email campaign, unnoticed, as both are no match for our award winning behavior blocking technology."



i'm guessing that most of us here who got this was not running this software?

The price is extremely reasonable, 10 licenses for a total of $200 a year...

I just haven't heard of or used Emsisoft Anti-Malware personally.... Any thoughts?

#95 danrdj

danrdj

  •  Avatar image
  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 11 September 2013 - 01:22 AM

Can anyone confirm whether either the initial trojan downloader or the CryptoLocker virus itself is detected and removed by Trend WFBS Services?  Or has a sample at least been submitted to Trend?  I'm a little hesitant to bring this restored share back online before the latest definitions can take care of this thing.  I searched "trendmicro.com" for "cryptolocker" and got 0 results.



#96 solomonshv

solomonshv

  •  Avatar image
  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 11 September 2013 - 02:08 AM

Can we have a discussion on what possible ways these files can be decrypted based on each user needing a private key and that key being impossible to attain.  What conceivable way could this be done?

 

the version of the virus i got claimed that it was an RSA 2048 bit encryption. assuming that Moore's Law continues to apply in the future, it would take over 1000 years to break such an ecryption. you need the key. no key = no decryption.

 

sorry, i don't mean to sound incensitive, but it just can't happen. i also happen to be in the same boat as you, if that makes you feel any better.


Edited by solomonshv, 11 September 2013 - 02:08 AM.


#97 Elise

Elise

    Bleepin' Blonde


  •  Avatar image
  • Malware Study Hall Admin
  • 65,966 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:02 AM

Posted 11 September 2013 - 02:24 AM

Does anyone have any experience with the emsisoft anti-spyware program linked to above by Elise?

They state on that link that:

"Users of Emsisoft Anti-Malware or Online Armor are not at risk of falling victim to either CryptoLocker or the malware downloader from the initial email campaign, unnoticed, as both are no match for our award winning behavior blocking technology."



i'm guessing that most of us here who got this was not running this software?

The price is extremely reasonable, 10 licenses for a total of $200 a year...

I just haven't heard of or used Emsisoft Anti-Malware personally.... Any thoughts?

Both Fabian and I work for Emsisoft, just for the record, this is not in any way related to what I do here at BC nor is there an affiliation between BC and Emsisoft that would lead to BC promoting this software over any other. Let it also be noted that the below is not a comparison between different products, this goes for Emsisoft products, no idea if it applies to other products as well (as you all know there are many security products out there, all with their own specific features and pros and cons).

 

Based on my own tests with this variant (setup: a VM, the sample Fabian provided at KernelMode and Emsisoft Anti-Malware installed, you can use the trial from the website), I can tell you that Emsisoft's behavior blocker would have blocked the infection from ever becoming active on a computer (you can see this also in the last screenshot in the blogpost). By now the file is of course detected as well, but behavior blocking doesn't care about whether or not a file is already detected by signatures, it cares about what a file or process does to a computer. If that behavior is suspicious a message will pop up to inform you about it together with a suggested course of action. In case of CryptoLocker this means "threat blocked, no encryption".

 

Generally speaking, in order to escape detection, new malware files (of whatever variant) are released every minute. This has the "advantage" that, no matter how on top of new threats an AV company is, there is always a short time window in which a new released bad file goes undetected and can infect a computer without being blocked. When you use behavior blocking this doesn't matter as much because even if the bad file is able get on the computer undetected, the behavior blocker will still notice that this file does something suspicious.


regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


Follow BleepingComputer on: Facebook | Twitter 


Malware analyst @ Emsisoft | Follow me on Twitter


animinionsmalltext.gif


#98 proapp

proapp

  •  Avatar image
  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 11 September 2013 - 03:17 AM

Thank you for the full disclosure!

#99 proapp

proapp

  •  Avatar image
  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 11 September 2013 - 03:23 AM

Social engineering, via an email attachment, does seem the logical culprit, but does anyone have any specifics as to what one of these emails looks like?

Also, do we know how long the infection laid dormant before coming active? We all got hit on the same day, more or less. Id like to find the offending email to point it out to the user who got the infection.

#100 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  •  Avatar image
  • Security Developer
  • 744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:02 AM

Posted 11 September 2013 - 03:41 AM

Thank you for the full disclosure!

Well, it is not like it was a secret before, given my user title ;).
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#101 Fabian Wosar

Fabian Wosar

    Authorized Emsisoft Representative


  •  Avatar image
  • Security Developer
  • 744 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:02 AM

Posted 11 September 2013 - 03:47 AM

Social engineering, via an email attachment, does seem the logical culprit, but does anyone have any specifics as to what one of these emails looks like?

Look for mails from "Better Business Bureau" or "Dun & Bradstreet". They will have a ZIP attachment with a random case number. Subject starts with "FW:" to suggest it is a forwarded case mail.
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#102 proapp

proapp

  •  Avatar image
  • Members
  • 35 posts
  • OFFLINE
  •  
  • Local time:11:02 PM

Posted 11 September 2013 - 05:00 AM

Thank you! Ill post if I find anything. Any specifics on the attachment name? I have a feeling that my user may have deleted the email, but I could also look for a saved attachment.


Do we know a date range of the emails? Are you seeing that they were all received on the same date? Do we know if the virus is spamming the infected's address book to help it to continue to spread?

#103 Craig Herbert

Craig Herbert

  •  Avatar image
  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 11 September 2013 - 06:47 AM

I am from the UK and my personal PC has been infected with the Cryptolocker, my PC has been cleared by ESET, but all my work files (doc and xlsx) and family photos have been altered/encrypted

 

the email that I was infected by was delivered on Tuesday 3rd September 10:55GMT

 

the email was disguised as from Companies House, I even checked the details, and then opened the attachment like a fool! the ransom pop up appeared on Sunday 8th September about lunch time.

 

The virus has cleverly targeted most importantly for me all our family photos, including all photos of my children growing up over the last 8 years. photos with the file name altered were not altered?

 

again, like a fool I felt that being on a raid5 nas, they would be secure and safe as they were not on my pc, or any other pc!

 

I have read the entire thread and what I am hoping to not be true is that I will never recover these photos or my work docs? is there no way of reverse engineering the encryption?

 

another question I have, do we know they have actually encrypted the files? could they have just altered the files.

 

has anyone paid the ransom and their files been restored? I would clearly consider this as an option, but I cant believe it would be one?

 

I potentially have access to some very power computers (server farms) set up to crunch numbers (big numbers) what would be needed to reverse engineer?

 

any help, advice answers would be great, if someone can help and resolve the photos I am willing to pay a very large reward! I have a distraught wife who blames me!



#104 Chuck Sp

Chuck Sp

  •  Avatar image
  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 11 September 2013 - 07:07 AM

I have a client who decided (against advice) to pay the ransom.  It took approximately 24 hours to process the payment and decrypt about 126 GB of legal documents in various word processing and spreadsheet formats.  Especially nerve wracking was the 2 and a half hours or so it took to "process the payment" before it started decrypting.

 

My other clients that were infected took the restore from backup approach.

 

We had staff meetings at every clients office about opening files attached to emails, and took the extra step of blocking all emails with a .zip attachment.  We will deal with people who need .zip files by email on a case-by-case basis.  As soon as a virus definition is developed that can detect this thing and block it from being delivered we will unblock the .zip file attachments.



#105 kenoindallas

kenoindallas

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 11 September 2013 - 07:43 AM

...

 

another question I have, do we know they have actually encrypted the files? could they have just altered the files.

 

has anyone paid the ransom and their files been restored? I would clearly consider this as an option, but I cant believe it would be one?

 

I potentially have access to some very power computers (server farms) set up to crunch numbers (big numbers) what would be needed to reverse engineer?

 

any help, advice answers would be great, if someone can help and resolve the photos I am willing to pay a very large reward! I have a distraught wife who blames me!

 

I am from the UK and my personal PC has been infected with the Cryptolocker, my PC has been cleared by ESET, but all my work files (doc and xlsx) and family photos have been altered/encrypted

 

the email that I was infected by was delivered on Tuesday 3rd September 10:55GMT

 

the email was disguised as from Companies House, I even checked the details, and then opened the attachment like a fool! the ransom pop up appeared on Sunday 8th September about lunch time.

 

The virus has cleverly targeted most importantly for me all our family photos, including all photos of my children growing up over the last 8 years. photos with the file name altered were not altered?

 

again, like a fool I felt that being on a raid5 nas, they would be secure and safe as they were not on my pc, or any other pc!

 

I have read the entire thread and what I am hoping to not be true is that I will never recover these photos or my work docs? is there no way of reverse engineering the encryption?

 

another question I have, do we know they have actually encrypted the files? could they have just altered the files.

 

has anyone paid the ransom and their files been restored? I would clearly consider this as an option, but I cant believe it would be one?

 

I potentially have access to some very power computers (server farms) set up to crunch numbers (big numbers) what would be needed to reverse engineer?

 

any help, advice answers would be great, if someone can help and resolve the photos I am willing to pay a very large reward! I have a distraught wife who blames me!

 

We had one customer who got hit by this and did not have sufficient backups.  Fabian on this board was kind enough to work with us a bit on the issue as he was disecting the malware.  He has a very thorough breakdown of what the program does and how.  We also had several other experts look at the damaged files and did some testing on our own.  I can confirm that they are encrypted, not just hashed or rendered in base64 or something else that would just obfuscate the contents.

 

Unfortunately this thing was designed very well.  Our customer was facing losing hundreds of GB of important data.  We were forced to pay the ransom.  We had removed the initial infection immediately so we had to do several steps to even be able to pay the ransom.  We had to restore the registry keys we deleted, as they hold the list of files encrypted and the public key information (had to system restore to after the infection, before the cleanup).  We also had to get another sample of the virus, which we did from registering here:  http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2945

 

We set up a test lab to execute the infection, let it encrypt, clean up the infection and then re-infect the machine to make sure it would not double encrypt the files.  It detected the existing reg key and file list and instantly popped up the ransom page.

 

From the customers site we procured a payment method listed, entered the info, and after about a half an hour the program started decrypting the files.  We spot checked a few and confirmed they were restored to readable.

 

It went against everything we know as IT professionals to do it this way, but in the end there was no choice.  All the local encryption is done with windows API, but the keys are then encrypted with RSA using a key that never leaves the command and control servers.  We have alerted our customer base and have not implemented a proper backup system for the affected client.






2 user(s) are reading this topic

0 members, 2 guests, 0 anonymous users