Saturday, December 21, 2013

ALERT: Cryptolocker Ransomware infecting computers and demanding payment in Bitcoin

Warning to PC users - a new type of malware known as "ransomware" will encrypt your files and then demand payment before a countdown clock expires. See here what you need to know about Cryptolocker, including how to clean it. As a general security practice, never open an email attachment from an unknown person. Also, be wary of clicking on links in emails from unknown senders, which may direct you to an infected site.

From Sott:

It is being called the perfect crime and it has law enforcement around the globe baffled. 

It all starts with a simple email. "They are scared and they are angry. It is a real terrible experience for them." Joe Ruthaford is talking about computer users who mistakenly launched a potent internet phishing scheme. He recently saw one of those ravaged computers in his Beacon Hill repair shop. 

"It is extremely damaging. It is one of the worst ones." It's called cryptolocker ransomware. Kevin Swindon is with the FBI in Boston. "I would think about this particular type of malware as what would happen if your computer was destroyed," Swindon said. 

In the past 90 days, thousands of people worldwide have opened a seemingly innocuous link to track a holiday package. Suddenly, all the files on their computer are encrypted. 

Joan Goodchild is the editor of "CSO," Chief Security Officer magazine based in Framingham. "This is a criminal operation. They are holding your folders and files ransom. We call this ransomware because that is exactly what it is. You need to pay in order to have access to them once again." 

And that is exactly what happened last month at the Swansea Police Department. Cryptolocker ransomware took over the department's entire computer system and the police were forced to pay a $750 ransom to get back control. As the ransomware takes over your computer, a countdown clock appears and shows victims how long they have to pay up. That means purchasing a key, or software, to reverse the process. And victims must do that using the online virtual currency known as bitcoins. 

"Once you have purchased a bitcoin, then the transaction that you use that bitcoin in is encrypted, and therefore you cannot trace it," explained Goodchild. Swindon says it appears to be the perfect crime. The FBI tells WBZ-TV they are very worried about this spreading in 2014. The scheme could be the work of organized gangs overseas. So far, no one has been caught.

Cryptolocker Ransomware Being Described As ‘The Perfect Crime’ « CBS Boston

Cryptolocker Ransomware: What You Need To Know | Malwarebytes Unpacked

Update 12/20/2013: A new version of Cryptolocker—dubbed Cryptolocker 2.0—has been discovered by ESET, although researchers believe it to be a copycat of the original Cryptolocker after noting large differences in the program’s code and operation. You can read the full blog comparing the two here.
Just last month, antivirus companies discovered a new ransomware known as Cryptolocker.
This ransomware is particularly nasty because infected users are in danger of losing their personal files forever.
Spread through email attachments, this ransomware has been seen targeting companies through phishing attacks.
Cryptolocker will encrypt users’ files using asymmetric encryption, which requires both a public and private key.
The public key is used to encrypt and verify data, while the private key is used for decryption; each operation is the inverse of the other.
Below is an image from Microsoft depicting the process of asymmetric encryption.
The bad news is that decryption is impossible unless a user has the private key, which is stored only on the cybercriminals' server.
Currently, infected users are instructed to pay $300 USD to receive this private key.
Infected users also have a time limit to send the payment. If this time elapses, the private key is destroyed, and your files may be lost forever.
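The reason the private key matters so much is easiest to see on a small scale. The following is an added illustration, not code from Malwarebytes, Cryptolocker or this blog: textbook RSA with deliberately tiny, insecure primes (the classic p=61, q=53, e=17 example), showing that the public key can only encrypt, and that applying it again does not recover the data. Real keys use moduli of roughly 2048 bits, and ransomware of this kind encrypts each file with a random symmetric key and then protects that key with the public key; the assumption here is only that the reader wants to see the asymmetry itself.

```python
# Added example (not the page's or any vendor's code): textbook RSA with toy-sized
# parameters. NEVER use these sizes for anything real; they exist only to make the
# public/private asymmetry visible.
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Return ((e, n), (d, n)) for distinct primes p and q.

    n = p*q is public; phi(n) = (p-1)(q-1) is needed to derive d and is thrown
    away by anyone who only holds the public key.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse: d*e == 1 (mod phi), Python 3.8+
    return (e, n), (d, n)


def apply_key(value: int, key: tuple) -> int:
    """Raise value to the key's exponent modulo n.

    With the public key this encrypts; with the private key it decrypts.
    The two exponents are inverses of each other modulo phi(n).
    """
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must lie in [0, n)")
    return pow(value, exponent, n)


def demo() -> dict:
    """Encrypt a small integer and show which key gets it back."""
    public, private = make_keypair(61, 53)
    message = 65                               # the 'file contents' in this toy
    ciphertext = apply_key(message, public)    # what the victim's disk holds
    with_private = apply_key(ciphertext, private)  # what the criminals can do
    with_public = apply_key(ciphertext, public)    # what the victim can do
    return {
        "ciphertext": ciphertext,
        "decrypted_with_private_key": with_private,
        "reapplied_public_key": with_public,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The victim holds the ciphertext and the public key, and neither of those yields the private exponent d without knowing phi(n), which in turn requires factoring n. With toy primes that is trivial; with the key sizes used in practice it is not, which is why antivirus tools can remove the infection but cannot restore the files.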
Files targeted are those commonly found on most PCs today; the list of file extensions for targeted files includes:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx
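A defender can turn that extension list into a simple behavioural detection: a single user account rewriting dozens of documents, spreadsheets and photos within a minute is far more characteristic of mass encryption than of normal work. The script below is an added example, not part of the Malwarebytes post or this blog; it assumes a hypothetical file-modification log in the form "timestamp user path" (for instance exported from a file server's audit log) and builds a constructed sample of such lines inline.

```python
# Added example (not the page's or any vendor's code): flag accounts that modify an
# unusual number of Cryptolocker-targeted file types in a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions reported as targeted in the Malwarebytes list above.
TARGETED = {
    "3fr", "accdb", "ai", "arw", "bay", "cdr", "cer", "cr2", "crt", "crw", "dbf",
    "dcr", "der", "dng", "doc", "docm", "docx", "dwg", "dxf", "dxg", "eps", "erf",
    "indd", "jpe", "jpg", "kdc", "mdb", "mdf", "mef", "mrw", "nef", "nrw", "odb",
    "odm", "odp", "ods", "odt", "orf", "p12", "p7b", "p7c", "pdd", "pef", "pem",
    "pfx", "ppt", "pptm", "pptx", "psd", "pst", "ptx", "r3d", "raf", "raw", "rtf",
    "rw2", "rwl", "srf", "srw", "wb2", "wpd", "wps", "xlk", "xls", "xlsb", "xlsm",
    "xlsx",
}


def build_sample_events() -> list:
    """Constructed sample log: normal activity for 'bob', a burst for 'alice'.

    Log format (hypothetical): ISO-8601 timestamp, user name, full path.
    """
    lines = [
        "2013-12-20T08:30:00 bob C:\\Users\\bob\\Documents\\budget.xlsx",
        "2013-12-20T08:45:10 bob C:\\Users\\bob\\Pictures\\IMG_0412.jpg",
    ]
    base = datetime(2013, 12, 20, 9, 15, 0)
    for i in range(30):  # thirty documents rewritten in thirty seconds
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} alice C:\\Users\\alice\\Documents\\report_{i}.docx")
    # An executable is not on the targeted list and must not count.
    lines.append("2013-12-20T09:15:20 alice C:\\Users\\alice\\Downloads\\setup.exe")
    return lines


def parse_event(line: str):
    """Split one log line into (datetime, user, path); paths may contain spaces."""
    ts, user, path = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), user, path


def extension_of(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_bursts(lines, window_seconds: int = 60, threshold: int = 20) -> dict:
    """Return {user: peak_count} for users whose modifications of targeted file
    types reach `threshold` within any `window_seconds` sliding window."""
    per_user = defaultdict(list)
    for line in lines:
        ts, user, path = parse_event(line)
        if extension_of(path) in TARGETED:
            per_user[user].append(ts)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[user] = peak
    return alerts


if __name__ == "__main__":
    for user, count in detect_bursts(build_sample_events()).items():
        print(f"ALERT: {user} rewrote {count} targeted files within 60s")
```

Tune the window and threshold to the environment; backup jobs, bulk photo imports and document conversions will also trip a naive version, so in practice the alert is a trigger to check the account and its share access, not a verdict on its own.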
In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files. The folks at BleepingComputer have some additional insight on this found here.
Removal:
Malwarebytes detects Cryptolocker infections as Trojan.Ransom, but it cannot recover your encrypted files due to the nature of asymmetric encryption, which requires a private key to decrypt files encrypted with the public key.
In order to make removal even easier, a video was also created to guide users through the process (courtesy of Pieter Arntz).
While Malwarebytes cannot recover your encrypted files post-infection, we do have options to prevent infections before they start.
Users of Malwarebytes Anti-Malware Pro are protected by malware execution prevention and blocking of malware sites and servers.
To learn more on how Malwarebytes stops malware at its source, check out this blog.