YouAreTheDemons

Cryptolocker ransomware


There's a big threat on the Internet right now: A particularly nasty piece of ransomware called Cryptolocker.
This program encrypts your computer files with a public encryption key and then threatens to destroy the decryption key in four days if a bitcoin or prepaid card payment of hundreds of dollars is not sent to the author of the malware.

The virus hides in an attachment to a phishing message, one that claims to be from a business copier service like Xerox delivering a PDF of a scanned image, from a major delivery service like UPS or FedEx offering tracking information, or from a bank confirming a wire or money transfer.

More information can be found here: http://www.computerworld.com/s/article/9243537/Cryptolocker_How_to_avoid_getting_infected_and_what_to_do_if_you_are_?source=CTWNLE_nlt_pm_2013-10-25


Yeah, ransomware alright. I've had run-ins with it on other people's computers. Usually it just annoys you until you pay the price to buy a program to remove it. Cryptolocker is worse since there's a deadline.

My gf opened one of them from 'UPS' since she always orders shit for delivery. Macs were unaffected.


This is one of the most beautifully sadistic pieces of malware ever. Not only does it silently encrypt your personal files, it also looks for any network drives or external drives that the user has access to. Did you back up your files to an attached drive? Maybe you are in Accounting with access to a bunch of network drives with company finances? Too bad, it's all encrypted now!

Since it only messes with files that the user has permissions to there is no jailbreak needed to elevate privileges. The ransom amount of 300 USD is low enough that it won't impact a small business' bottom line any. Even if there are unaffected backups, the cost to restore the data (due to loss of productivity and IT personnel time) is far higher than the ransom. Breaking the encryption is basically impossible since they used a 2048-bit RSA key.

I'm surprised something like this hasn't happened sooner.


Yeah, my mother's laptop succumbed to this. It was pretty sinister; the friendly nag screen informing her of what had happened seemed impossible to shift also.
In the end I formatted C and reinstalled Windows. On the plus side, it convinced her to stop using McAfee and to try some other AV software.
Thankfully it wasn't her work laptop, so none of the data on there was especially sensitive, and what stuff there was - mostly pictures - is backed up.
Still, pain in the arse.


Encrypting the disk's contents and having you hanging on a whim isn't new - there were several older viruses that did this. I wonder how a major government would react if this affected ANY government service computer though - after all, this one even leaves a trace for the payments... and encryption? Ouch. Would the malware's authors be labelled international terrorists?

With Windows' hidden extensions feature, the sender simply adds ".pdf" to the end of the file (Windows hides the .exe) and the unwitting user is fooled into thinking the attachment is a harmless PDF file from a trusted sender. It is, of course, anything but harmless.


Ok, seriously now. Fucking. Seriously. Is THIS still a viable tactic for viruses in 2013?! I thought this belonged to 1999 along with all the IE5 and Windows 98 crashing office jokes.

A thing I wonder about is this though: how quickly does the malware perform encryption in order to put the user before a fait accompli, before he/she has time to react and simply shut the computer down? Reading a file and then writing it back while encrypting is not exactly something you can easily do in real time, even today. It should also be pretty noticeable. E.g. if I put a very large file with random garbage data to be first in a directory just to fuck with it, which would require e.g. 5 minutes just to copy it over to another disk at full speed, won't it be noticeable?

Probably the analysts at antivirus companies will get down to the facts, but my guess is that it actually does some or all of the following;

  • Merely locks/hides the files, without actually encrypting them.
  • Only encrypts a small portion of each file, e.g. its header.
  • The "encryption" used must actually be pretty weak, much weaker than the 2048 bit figure would suggest. Perhaps even just a one-time pad or an ECB substitution.


Format your disks. Don't give money to those fuckers. It ain't worth it.

Hopefully you got backups and file history of your data.


Maybe everyone should have counter viruses that would fly back to the sender's computer and literally blow it up or something. Granted, after a while maybe they would create some shield to bounce the counter virus back to some random computer and before you knew it computers everywhere would be going up in smoke as viruses and counter viruses fly back and forth in a never ending war.

Maes said:

Ok, seriously now. Fucking. Seriously. Is THIS still a viable tactic for viruses in 2013?! I thought this belonged to 1999 along with all the IE5 and Windows 98 crashing office jokes.


No kidding, though it shows what a terrible idea hiding extensions was and still is. Next we'll be hearing about people getting infected from britney_spears_nude.jpg.scr or something.

A thing I wonder about is this though: how quickly does the malware perform encryption in order to put the user before a fait accompli, before he/she has time to react and simply shut the computer down? Reading a file and then writing it back while encrypting is not exactly something you can easily do in real time, even today. It should also be pretty noticeable. E.g. if I put a very large file with random garbage data to be first in a directory just to fuck with it, which would require e.g. 5 minutes just to copy it over to another disk at full speed, won't it be noticeable?


I'm assuming the same people who would still fall for a false extension attachment are the same people who wouldn't notice or think much of a bunch of sudden disk activity. Also from the link it sounds like a lot of this is targeted at corporate computers, where such things might be less noticeable.


Interestingly, Sophos has a video which shows the virus running in a controlled environment:



It does appear to have two vulnerable phases: the first occurs if you kill its processes before it makes contact with its server (or disable internet access before it manages to do so), then it cannot proceed to encrypt anything (apparently), because the part about it using public/private keys seems to be the real deal (?). Keep in mind, there are trojans like the "metropolitan police" ransomware that CLAIM to have done nasty things to your computer, yet are trivially simple to remove (and don't do anything).

The second phase is once it has obtained said keys and starts encrypting. On the Sophos demo video, it only had 4 small files to encrypt, so it was pretty quick (but noticeable in task manager), so with a larger job it will presumably be slow enough to notice. It's known to target only certain kinds of files (e.g. it won't go after AVIs), mainly productivity stuff (documents, programs, etc.), and probably it has safeguards against tackling too large files. If you simply unplug the computer when it has started doing that, the damage will be limited, and you can remove it from your system with a LiveCD.

plums said:

No kidding, though it shows what a terrible idea hiding extensions was and still is. Next we'll be hearing about people getting infected from britney_spears_nude.jpg.scr or something.


This raises even more questions: on most non-Windows platforms, executable files are not marked by ANY special extension, not even .BIN, .PRG, .APP or .RUN. Unix, notably, lacks any specifically mandated extension for its executables, as does MacOS (before it became UNIX based, too). And yet you don't hear shit like that happening on those platforms.

Also, after all those UAC restrictions, user content warnings, double and triple "are you sure you want to open file XXX as an executable?" warnings that pop up now (even with extensions disabled, even IE now has the decency of warning you against THAT!), is it still fucking possible that people click fucking YES?!

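The post above (and the earlier one about planting a large garbage file first in a directory) suggests the defensive check a practitioner actually uses: decoy "canary" documents whose only legitimate state is untouched, re-hashed on a schedule, with the entropy of any changed file used to tell an encrypt-in-place pass apart from an ordinary edit. The following is an added example written for this page, not code from the thread or from any vendor; the file names, contents and the simulated tamper step are constructed, and the entropy threshold is an assumption.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Decoy documents a user would never legitimately edit.  Names and contents are
# constructed for this example; in practice you would spread canaries across the
# shares the malware is known to walk (mapped drives, attached backup disks),
# and give them names that sort first so they are hit early.
CANARY_NAMES = ["00_budget_2013.xls", "AAA_invoice_template.doc", "zz_archive_notes.txt"]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root: str) -> dict:
    """Write low-entropy decoy files and return {path: baseline sha256}."""
    baseline = {}
    body = b"Q3 budget draft - do not edit\r\n" * 200   # constructed, highly compressible text
    for name in CANARY_NAMES:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(body)
        baseline[path] = sha256_file(path)
    return baseline


def check_canaries(baseline: dict) -> list:
    """Return [(path, status, entropy)] for every canary that no longer matches.

    status is 'missing' (deleted or renamed) or 'modified' (hash changed).
    A modified canary whose entropy is near 8 bits/byte has been overwritten
    with ciphertext, not edited by a person; that is the signal to alert on
    and, in a real deployment, to cut the machine off the network shares.
    """
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing", 0.0))
            continue
        if sha256_file(path) != digest:
            with open(path, "rb") as f:
                ent = shannon_entropy(f.read())
            alerts.append((path, "modified", ent))
    return alerts


def demo() -> list:
    """Plant canaries, simulate an encrypt-in-place pass on one, delete another, report."""
    root = tempfile.mkdtemp(prefix="canary_")
    baseline = plant_canaries(root)
    assert check_canaries(baseline) == []            # clean baseline: nothing to report
    victim = os.path.join(root, CANARY_NAMES[0])
    size = os.path.getsize(victim)
    with open(victim, "wb") as f:                    # stand-in for the malware: same size, random bytes
        f.write(os.urandom(size))
    os.remove(os.path.join(root, CANARY_NAMES[2]))   # and one canary removed outright
    return check_canaries(baseline)


if __name__ == "__main__":
    for path, status, ent in demo():
        print(f"{status:9s} entropy={ent:4.2f} bits/byte  {path}")
```

The hash check catches any change; the entropy score is what separates "someone opened the decoy" (text stays compressible) from "something encrypted it" (bytes look uniformly random). Office formats such as .docx are already zip-compressed and score high on their own, so the threshold only makes sense relative to the canary's known baseline, which is why the decoys here are plain text.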
geo said:

Yeah ransomware alright. I've had run ins with it on other people's computers. Usually it just annoys you until you pay the price to buy a program to remove it. Cryptolocker is worse since there's a deadline.

A friend got one, I guess two years back, that simply hid all of his files. So if you had hidden files set to show, you'd see everything was still there. That was pretty funny to me, got it cleaned up in no time, but he was ready to buy the "anti virus" program to fix it before I took a look at it.

Dragonsbrethren said:

A friend got one, I guess two years back, that simply hid all of the his files. So if you had hidden files set to show, you'd see everything was still there. That was pretty funny to me, got it cleaned up in no time, but he was ready to buy the "anti virus" program to fix it before I took a look at it.


Malware writers, just like any other "craftsmen", criminals and conmen, can get lazy and cut corners, and will prefer using cunning and misdirection to resorting to actual "violence". Most will simply be copycats and stick to applying "tried and true" schemes for a one-off affair, just like real conmen.

Why bother devising an exotic and sophisticated inconveniencing system when most users will fall for a simple trick or even the mere threat of loss?

Of course, the creators of Cryptolocker apparently chose to go the full nine yards and immediately put a very real (cyber)knife to your throat, but only they know if it's more effective in bringing them profits than just faking it. The weakness of the system is that they require a central server to keep it going, other than a payment recipient (simpler scams need just a payment recipient), and that it might be intercepted or hindered in certain environments.

plums said:

No kidding, though it shows what a terrible idea hiding extensions was and still is. Next we'll be hearing about people getting infected from britney_spears_nude.jpg.scr or something.


If something like that ever happens to me, I swear I burn my PC.

Maes said:

This raises even more questions: on most non-Windows platforms, executable files are not marked by ANY special extension, not even .BIN, .PRG, .APP or .RUN. Unix, notably, lacks any specifically mandated extension for its executables, as does MacOS (before it became UNIX based, too). And yet you don't hear shit like that happening on those platforms.


I have no idea if extensions have something to do with this, but I heard a couple of years ago that there are just a handful of viruses for MacOS, compared to the thousands that exist for Windows, am I right?

Zed said:

I have no idea if extensions have something to do with this, but I heard a couple of years ago that there are just a handful of virus for MacOS, compared to the thousands that exists for Windows, am I right?


This is simply a case of "demand" (the large number of Windows computers) driving the "offer": virus writers will preferentially target the most chunky part of the "market", and not a platform used by 1% of the users. In other words Macs might enjoy a form of security by -relative- obscurity (though I'd rather call it security-by-nobody-giving-a-flying-fuck-about-them), but this is not a sufficient condition for them to be technically more secure.

In fact, I've not yet seen a fully developed technical argument claiming that it would be more difficult to write an equally pestering virus for MacOS (especially for CLASSIC Mac OS, which was MUCH more riddled with stability problems and potential overflow abuses than Windows). Amiga and Atari ST had their own disk-based viruses of course, but neither of these machines really made it deep into the Internet era to be fully put to the test on equal terms with PCs and Macs.

UNIX-like systems however have a different usage pattern and their average user is not likely to click on an executable attachment without thought (and even if they do, different handling of permissions will not allow an e-mail attachment to be executed without an administrator explicitly setting it to be an executable once downloaded). Since modern Mac OS (any version from X and afterward) is UNIX-based, it also inherits great part of this security, so probably it would not be so easy for a mail attachment to execute at all, and even if it did, it would not easily have access to user files. To do so, the user would have to be goaded to run it as a super-user.

Also: technically, programs like Cryptolocker spread based on user consensus/approval (even if not obvious), not thanks to some automated mechanisms, so technically they are not viruses, and Macs can still get them. However, asking for administrator permissions should raise some flags...

Edit: apparently NOW it's possible, through a very convoluted and roundabout process, for a trojan to infect Macs. But trojan != virus. So technically, Macs still have no viruses ;-)


I saw this the other day. A fascinating and rather terrifying piece of malware, and I'm sure over time we'll see more of this kind of thing appearing. In retrospect I'm almost surprised that it hasn't been done before.

The part that seems oddest to me is how straight-up and honest it is. I'm so used to seeing malware that tries to disguise itself as something else - pretending to be an antivirus, for example - that it's almost weird to see something that openly identifies itself and explains exactly what it's done. There's also something slightly surreal about a user-friendly wizard that helps you through a ransom process.


I remember reading about a virus that made you play poker with it and if you lost, it destroyed everything on your computer.

fraggle said:

The part that seems oddest to me is how straight-up and honest it is. I'm so used to seeing malware that tries to disguise itself as something else...

Heh, indeed. When I was dealing with my mother's laptop - which was presented to me simply as having 'a virus', with no other information - I immediately noticed the Cryptolocker nag screen, but didn't bother to read it because I automatically assumed that it would be some promotional bullshit, trying to get the user to click through to something dangerous. I took a bunch of more or less standard steps to get rid of it, and only after these failed did I actually take the time to read the damn thing. It contained, to my surprise, genuinely useful information!

fraggle said:

A fascinating and rather terrifying piece of malware, and I'm sure over time we'll see more of this kind of thing appearing. In retrospect I'm almost surprised that it hasn't been done before.


This reminds me of a story I read a while ago. I don't know if it's for real, but it can become a really serious issue, especially if we talk about Brain Implants. For now this isn't a problem, of course, but in the future it might have serious consequences. Now, I don't want to sound like a paranoic. Is this really possible?

fraggle said:

I saw this the other day. A fascinating and rather terrifying piece of malware, and I'm sure over time we'll see more of this kind of thing appearing. In retrospect I'm almost surprised that it hasn't been done before.


I often wondered the same about other mechanisms - namely, the autorun viruses. While the feature existed ever since Windows 95, it was relatively unused for years (I mean, what's the worst thing that could happen? A CD-ROM full of warez would try installing the Yankee Doodle virus on your PC?). It only came in full force when portable thumb drives became commonplace, so until 2005-2006 they were virtually unheard of. Strangely, floppies were "immune" from them despite having been the #1 vector of viruses in the past, because autorun never worked automatically with them, while it did so with CD-ROMs and flash drives... and hard disks... and network drives. Ouch.

So the mechanism was there, but another factor was needed too. Now, if you sit and analyze each part of Cryptolocker separately, none of it is really innovative. Encrypting viruses? Those existed on MS-DOS. Viruses fucking with you/blackmailing you for your data?



You bet. But those viruses didn't have access to a reliable internet connection, nor could they contain complex instructions on how to reach an elusive secret server (I doubt it's one single IP or URL).

Also, they didn't run on computers powerful enough to apply such powerful encryption in real time to a large set of files without the user noticing (though I find it hard to believe that it's possible even today). Finally, there were no convenient ways to discreetly ask victims for money and serve them an actual cure remotely... Put all of these elements together, and a "feat" like Cryptolocker becomes feasible.

Zed said:

This reminds me of a story I read a while ago


I would bet on a buffer overflow scenario there, where a deliberately malicious RFID Tx in the implant would screw up the comms module of the Rx with badly shaped/oversized data packets (those systems are not exactly built to withstand unpredictable internet-like traffic), thus not technically a virus, but rather an exploit. The key element here is the simplicity of both the transmitter and receiver, if they are able to be screwed up that easily.

Zed said:

This reminds me of a story I read a while ago. I don't know if it's for real, but it can become a really serious issue, especially if we talk about Brain Implants. For now this isn't a problem, of course, but in the future it might have serious consequences. Now, I don't want to sound like a paranoic. Is this really possible?


I recently read a story called "Insignia" where there are soldiers with computers implanted in their brains that can be infected with programs that can essentially brainwash them.


Nobody writes viruses for mac because that niche is already completely cornered given that a mac is essentially a big sophisticated virus already.

fraggle said:

There's also something slightly surreal about a user-friendly wizard that helps you through a ransom process.


And who has a history of creating dumbed down bloatware for the masses and thus most likely to create such a wizard and be the authors of this virus? Many would answer: Adobe. They have already used the IRA-inspired mass lawsuit tactic to make people pay a settlement amount for allegedly pirated software (and any legitimate first sale doctrine 2nd hand sale counts as piracy by their definition) or "bad things would happen" like being sued. And what was that amount? About 300 dollars, the same amount in this virus ransom. This could be an evolution of that business model. It's just more anonymous and the bad things are having your files inaccessible rather than a lawsuit threat. They probably have an unethically obtained software patent on "1" itself, so maybe merely think of it as collecting their just dues. Anyway the above is just what I read somewhere on the internet and paraphrased. I do not personally have an opinion on Adobe.


Maes said (of Windows' hidden extensions feature):
Ok, seriously now. Fucking. Seriously. Is THIS still a viable tactic for viruses in 2013?! I thought this belonged to 1999 along with all the IE5 and Windows 98 crashing office jokes.

As part of a social engineering exercise, it'll work if the covering email is convincing enough. I've encountered a few attachments like that this year but had learned long ago not to trust file extensions.

Memfis said:

I go back up my wads.


Don't bother, they are not targeted by Cryptolocker.

GreyGhost said:

As part of a social engineering exercise, it'll work if the covering email is convincing enough. I've encountered a few attachments like that this year but had learned long ago not to trust file extensions.


I guess it will never be possible to fully educate people against computer scams, just like they can't be fully educated against real-life scams: there's just too many of them, gullible people exist and some scams are pretty damn convincing. I think the only scam most people would recognize is the three-card monte since it's in virtually EVERY movie depicting "lowlifes", but they would still fall for it.

Maes said:

You bet. But those viruses didn't have access to a reliable internet connection, nor could they contain complex instructions on how to reach an elusive secret server (I doubt it's one single IP or URL).

The Cryptolocker operators seem to be at least savvy enough to accept Bitcoin, which definitely gives them some advantages for staying hidden, I wonder if it's not implausible that they've integrated Tor into their malware and operate the server(s) via a hidden service.


I had an infection somewhat similar to this a year or so ago. It seems to have been injected through a banner ad and somehow bypassed UAC (fat good that does then, right?), so it wasn't even anything I did to activate it. Gave me this big "FBI WARNING!" screen hijacking my desktop and wanted me to pay some exorbitant fine to unlock my machine. Fortunately was able to boot into my Ubuntu partition and get on the interwebs to figure out how to get rid of it, but was still pretty spooky at the time.

Nomad said:

but was still pretty spooky at the time.

Heh you thought you were busted :P

printz said:

Heh you thought you were busted :P


There are variants of that malware targeted at different demographics and countries, but all of them play on the recipients' fear of punishment and the sense of guilt for "being caught doing something wrong". They accomplish that by posing as something that the recipient will consider authoritative, punitive and all-mighty (as well as credible in a "cyber police" role), and even give you a "reason" for your "punishment": e.g. watching porn, gambling, or downloading warez, along with the usual "we logged your IP" tirade (wow, REALLY "cyber"!).

For example, Brits get the Metropolitan Police. Yankees get the FBI, and Greeks get the SDOE (something akin to the USA's IRS). Many people actually panic and don't sit to think that an official police force in a Western nation would never proactively hunt down individual citizens and lock their computers in this way (I believe), let alone ask them to pay a "fine" through a sketchy online money transfer service with no due process and not a single official notification.

But in contrast with Cryptolocker, that malware is actually easily defeatable even with a boot in Windows' Safe Mode, and does not really "lock" anything: it relies more on social engineering/psyops than "cyber power", so to speak. It was also proven that the scammers behind all variants were based in Ukraine or somesuch.

Maes said:

So the mechanism was there, but another factor was needed too. Now, if you sit and analyze each part of Cryptlocker separately, none of it is really innovative. Encrypting viruses? Those existed on MS-DOS. Viruses fucking with you/blackmailing you for your data?

[[Casino virus]]

I always wondered if that virus actually included the guy's phone number.

[edit] Apparently it doesn't; according to "YouTube virus historian" danooct1:

danooct1, 1 year ago
If you land on the phone number symbols it says something about "I'm punishing you for trying to trace[sic] me down!" and then deletes the FAT, same as the losing payload.


Maes said:
This raises even more questions: on most non-Windows platforms, executable files are not marked by ANY special extension, not even .BIN, .PRG, .APP or .RUN. Unix, notably, lacks any specifically mandated extension for its executables, as does MacOS (before it became UNIX based, too). And yet you don't hear shit like that happening on those platforms.

Instead of being an extension (that might be hidden by Microsoft's annoying fuckheadery), they rely on a flag set in the file's metadata. If the "x" bit is missing, the file cannot be run, regardless of its format.

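Two points made in this thread fit one worked example: the "invoice.pdf.exe" trick from the earlier post on Windows' hidden-extensions feature (and the "britney_spears_nude.jpg.scr" variant), and the reply above that on Unix the execute bit in the file's mode, not the name, decides whether a file runs. The code below is an added example written for this page, not code from the thread; the extension lists are illustrative assumptions rather than Windows' real registered-type table, and the file written in the demo is a constructed stub that is never executed.

```python
import os
import stat
import tempfile

# Illustrative, not exhaustive (assumption for this example): extensions Windows
# runs as code on double-click, and extensions users expect to be inert documents.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt", "zip"}


def explorer_display_name(name: str, hide_known_ext: bool = True) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on.

    Only the final extension is dropped, so 'invoice.pdf.exe' renders as
    'invoice.pdf' and the user sees what looks like a document.
    """
    if hide_known_ext and "." in name:
        base, _, ext = name.rpartition(".")
        if base and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
            return base
    return name


def is_deceptive_name(name: str) -> bool:
    """True when the file would run as code on Windows but the name the user
    is shown ends in a document-like extension (classic double extension)."""
    parts = name.lower().split(".")
    if len(parts) < 3:
        return False
    real_ext, shown_ext = parts[-1], parts[-2]
    return real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS


def triage_attachment(name: str) -> dict:
    """What a mail gateway or helpdesk script would record for an attachment name."""
    return {"shown_as": explorer_display_name(name), "deceptive": is_deceptive_name(name)}


def posix_would_run(path: str) -> bool:
    """On Unix the name is irrelevant: a regular file runs only if an execute bit is set."""
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def demo_posix() -> tuple:
    """A freshly saved 'attachment' is not executable until someone chmods it.

    Returns (executable_before_chmod, executable_after_chmod).
    """
    root = tempfile.mkdtemp(prefix="attach_")
    path = os.path.join(root, "UPS_tracking.pdf.exe")
    with open(path, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)   # constructed PE-like stub; never executed
    before = posix_would_run(path)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)   # the explicit step a user must take
    after = posix_would_run(path)
    return before, after


if __name__ == "__main__":
    for n in ["invoice.pdf.exe", "britney_spears_nude.jpg.scr", "report.pdf", "archive.tar.gz"]:
        print(f"{n:32s} -> {triage_attachment(n)}")
    print("posix executable before/after chmod +x:", demo_posix())
```

The Windows-side check is purely lexical, which is exactly why it works as a gateway rule: the attacker relies on the display name, so the last two extensions alone give the verdict. The POSIX-side check is the counterpart to the reply above: with the execute bit clear, the same file is just bytes, whatever its name, and it takes a deliberate chmod (or an application that sets the bit for you) before it can run.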