Digital Spy

CryptoLocker - wonder when it'll hit here

Old 29-10-2013, 13:28
Maxatoria
Forum Member
 
Join Date: Apr 2011
Posts: 5,835

There's a new Windows malware out there that's seriously nasty. It encrypts your files with a key that's only known to the malware writers and is kept on a server somewhere out there, so there's no way of recovering your data (within any reasonable timeframe).

It seems mainly to be coming in via emails at the moment, so don't open those zipped-up files pretending to be from HMRC etc. as it could cost you 300 bucks/euros or some bitcoins if you have those spare.

And here's a video of it in action - http://www.youtube.com/watch?v=Gz2kmmsMpMI - from Sophos.

So make sure you have decent AV and have backed up your data, as this is one sick puppy.
Old 29-10-2013, 14:00
Smiley433
Forum Member
 
Join Date: Apr 2006
Location: Location: Location
Posts: 3,620
While I was watching that, there was a "recommended" video from MalwareBytes which shows how to remove the trojan - essentially install and run MalwareBytes.

But as you say, there's no way to decrypt the encrypted files so make sure you have a backup. As suggested in the video, you can use regedit to view which files the trojan has encrypted.
Old 29-10-2013, 17:33
killjoy
Forum Member
 
Join Date: Feb 2004
Posts: 2,231
Why cannot these people be caught by following the money trail?
Old 29-10-2013, 17:41
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
I notice they have added Malwarebytes to VirusTotal.

I got something emailed this morning. Only 3 on VirusTotal got it, one of which was Malwarebytes.
Old 29-10-2013, 17:43
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 10,467
> Why cannot these people be caught by following the money trail?

Because they make you pay by bitcoin, and they use cryptographic algorithms to register domains.

With respect to "wonder when it'll hit here": the internet doesn't respect geographical borders. This has been talked about for a couple of weeks now; the amazement is why we haven't seen more harmful malware until now. In fact we saw this stuff many months ago, it just wasn't quite as sophisticated as this.

Usually the malware guys just steal game passwords, send spam, use your machine's processing power to take part in DDoS attacks, or poison your search results / inject ads to generate them revenue. This ransomware is just an evolution of getting more money per infection.
Old 29-10-2013, 17:46
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
This is by no means the first ransomware.

The first one goes back to 1989.
Old 29-10-2013, 17:55
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
> And here's a video of it in action - http://www.youtube.com/watch?v=Gz2kmmsMpMI - from Sophos.

Just in terms of presentation, that is one of the worst videos I have ever seen.
Old 29-10-2013, 19:48
s2k
Forum Member
 
Join Date: Apr 2006
Posts: 5,048
Saw this the other week. Luckily (when put into perspective) it was only on the 1 laptop where the user was checking her personal emails and opened a dodgy attachment. She rang up in tears after getting the message appear on screen. Unlike most other malware, the files are actually encrypted rather than just hidden or renamed. What's worse was her only USB flash drive was also plugged in at the time and that got infected too and needed to be formatted. It didn't take long to get her laptop re-imaged and usable again, but lessons were certainly learnt that day.
Old 29-10-2013, 20:33
whoever,hey
Forum Member
 
Join Date: Mar 2006
Posts: 29,909
> With respect to "wonder when it'll hit here": the internet doesn't respect geographical borders. This has been talked about for a couple of weeks now; the amazement is why we haven't seen more harmful malware until now. In fact we saw this stuff many months ago, it just wasn't quite as sophisticated as this.

I thought the OP meant DS, as in here, not the UK?
Old 29-10-2013, 20:34
whoever,hey
Forum Member
 
Join Date: Mar 2006
Posts: 29,909
> This is by no means the first ransomware.
>
> The first one goes back to 1989.

It is a first, however, with regards to how well it has been designed and written. Its cryptography meets cybercrime in the worst possible way.
Old 29-10-2013, 20:35
jenzie
Forum Member
 
Join Date: Nov 2001
Location: BUDDIETOWN
Posts: 16,933
Same old crap from the same old criminals.

Someone should flood the net with worms that search out this rubbish and wipe it out PERMANENTLY!
Old 29-10-2013, 20:44
whoever,hey
Forum Member
 
Join Date: Mar 2006
Posts: 29,909
> Same old crap from the same old criminals.
>
> Someone should flood the net with worms that search out this rubbish and wipe it out PERMANENTLY!

Same old crap?
Old 29-10-2013, 21:02
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
> It is a first, however, with regards to how well it has been designed and written. Its cryptography meets cybercrime in the worst possible way.

It's quite impressive, no doubt. Using RSA-2048 and storing the keys remotely is good infosec. It would be interesting to see how well it's implemented.

But the end result, that you can't access your files without paying the man, is not new.
Old 29-10-2013, 21:19
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 10,467
> It's quite impressive, no doubt. Using RSA-2048 and storing the keys remotely is good infosec. It would be interesting to see how well it's implemented.
>
> But the end result, that you can't access your files without paying the man, is not new.

Law enforcement has already found and taken down some of the servers with the keys anyway. We'll see more like this; the surprise is that it has taken so long for this to be done fairly well.
Old 30-10-2013, 08:36
whoever,hey
Forum Member
 
Join Date: Mar 2006
Posts: 29,909
> Law enforcement has already found and taken down some of the servers with the keys anyway. We'll see more like this; the surprise is that it has taken so long for this to be done fairly well.

Meaning people lose their data.
Old 30-10-2013, 09:10
s2k
Forum Member
 
Join Date: Apr 2006
Posts: 5,048
> Meaning people lose their data.

Apparently (according to the various reports) they would actually unlock the files if you paid the ransom. I would strongly advise against anyone doing this, but I guess it is a tiny bit of hope if the data is really worth the money and you never bothered to make any backups.
Old 30-10-2013, 12:36
Knarf44
Forum Member
 
Join Date: Jul 2004
Location: Back in Brazil
Posts: 3,783
If anyone is interested, the guy behind the www.foolishIT.com website has come up with a small freeware program called Cryptoprevent. I've seen a demonstration of it on YouTube and it certainly does protect your system. Might be worth checking it out if you are seriously worried about being infected.

If anyone is worried about this guy's credentials, those of you who are in family or business IT support have probably heard of another of his malware removal programs called "D7".
Old 30-10-2013, 12:48
IvanIV
Forum Member
 
Join Date: May 2006
Posts: 21,185
It's only a matter of time before some student claims they cannot present their homework because evil CryptoLocker encrypted it. I think prevention is relatively simple. It spreads via emails and uses social engineering rather than some sophisticated technical tricks to install. Have UAC set to maximum, do not click on links in unsolicited emails, and be careful with the rest. Also have several backups on disconnected media that you check on another disconnected computer to see if they are still okay.
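One way to act on the "check your backups on another disconnected computer" advice in the post above, as an added example that is not code from the thread or from any tool it names: record a SHA-256 manifest when the backup is taken, re-verify it on the checking machine, and use a Shannon-entropy check (the 7.5 bits/byte cut-off is an assumption; plain documents sit far below it) to tell an ordinary edit apart from a file that has been overwritten with ciphertext-like bytes.

```python
"""Verify an offline backup against a SHA-256 manifest and flag files that now
look encrypted. Added example, not code from the thread or any tool it names."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # assumed cut-off (bits/byte); ciphertext approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}

def verify_backup(root: Path, manifest: dict) -> dict:
    """Re-hash the tree on the checking machine. 'suspicious' lists files that
    changed AND whose contents are now high-entropy, i.e. ciphertext-like."""
    result = {"missing": [], "modified": [], "suspicious": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != expected:
            result["modified"].append(rel)
            if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                result["suspicious"].append(rel)
    return result

def demo() -> dict:
    """Constructed sample: an ordinary edit to one file, random bytes (standing in
    for ciphertext) over the other; only the second should be 'suspicious'."""
    root = Path(tempfile.mkdtemp())
    (root / "notes.txt").write_text("quarterly figures, plain text " * 20)
    (root / "letter.txt").write_text("dear hmrc, please find attached " * 20)
    manifest = build_manifest(root)
    (root / "notes.txt").write_text("quarterly figures, edited " * 20)
    (root / "letter.txt").write_bytes(os.urandom(4096))
    return verify_backup(root, manifest)
```

In practice the manifest travels with the backup medium and the check runs on a machine that never mounts the working drive; a backup full of "suspicious" entries is one that was taken after the infection, not before.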
Old 30-10-2013, 14:45
Popadopalous
Forum Member
 
Join Date: Jun 2011
Posts: 651
As far as malware goes, I'm actually impressed with CryptoLocker. It's very clean, simple and effective, as much as malware can be. It leaves system files alone, doesn't bog down the system with all sorts of malware crap, backdoors etc... it just very simply encrypts personal documents and then disappears after it has been paid (according to various reports).

It's obviously been well written but it's a shame the author isn't putting their skills to better use.
Old 30-10-2013, 14:50
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
> It's only a matter of time before some student claims they cannot present their homework because evil CryptoLocker encrypted it. I think prevention is relatively simple. It spreads via emails and uses social engineering rather than some sophisticated technical tricks to install. Have UAC set to maximum, do not click on links in unsolicited emails, and be careful with the rest. Also have several backups on disconnected media that you check on another disconnected computer to see if they are still okay.

Missing from the video in the OP, because it was on XP, was any reference to UAC.

Though since it is only running from where it is and hitting My Docs, I guess it may not need the elevation.
Old 30-10-2013, 15:53
IvanIV
Forum Member
 
Join Date: May 2006
Posts: 21,185
> Missing from the video in the OP, because it was on XP, was any reference to UAC.
>
> Though since it is only running from where it is and hitting My Docs, I guess it may not need the elevation.

Possibly not. I thought it was a Trojan that sits and encrypts and decrypts on the fly, but that would probably be too clever. But UAC at maximum is always a good idea, IMO.
Old 30-10-2013, 21:28
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 10,467
> If anyone is interested, the guy behind the www.foolishIT.com website has come up with a small freeware program called Cryptoprevent. I've seen a demonstration of it on YouTube and it certainly does protect your system. Might be worth checking it out if you are seriously worried about being infected.
>
> If anyone is worried about this guy's credentials, those of you who are in family or business IT support have probably heard of another of his malware removal programs called "D7".

No, no, no! What we should be telling people is to back up their data. If they do this the machine can be restored and the data can be put back on.

The only thing to bear in mind with this malware is not to back up to a mounted drive, which you shouldn't do anyway. A backup should ideally be offsite and offline from the machine, never permanently mounted, or it is prone to the same destruction as system data.

You don't need freeware tools, you just need to be educated about links in emails and to back up data. You still need a backup anyway in case of disk failure. I say to friends: if you knowingly choose not to back up your data, it is obviously not important enough to you. If it's important then back it up, or you will lose it one day.
Old 30-10-2013, 21:42
flagpole
Inactive Member
 
Join Date: Jan 2003
Posts: 43,524
> No, no, no! What we should be telling people is to back up their data. If they do this the machine can be restored and the data can be put back on.
>
> The only thing to bear in mind with this malware is not to back up to a mounted drive, which you shouldn't do anyway. A backup should ideally be offsite and offline from the machine, never permanently mounted, or it is prone to the same destruction as system data.
>
> You don't need freeware tools, you just need to be educated about links in emails and to back up data. You still need a backup anyway in case of disk failure. I say to friends: if you knowingly choose not to back up your data, it is obviously not important enough to you. If it's important then back it up, or you will lose it one day.

Everyone backs up to mounted drives.

The main reason you don't need this tool is because your AV will catch it. But other than that there is nothing wrong with a tool that stops malware. Condoms v medication.
Old 30-10-2013, 22:17
Thine Wonk
Forum Member
 
Join Date: Mar 2009
Posts: 10,467
> Everyone backs up to mounted drives.
>
> The main reason you don't need this tool is because your AV will catch it. But other than that there is nothing wrong with a tool that stops malware. Condoms v medication.

If they dismount them afterwards and don't leave them running on the system, that's fine, but leaving them in the same place as the system means the same fate could happen to the drive as to the system: theft, flood, damage, malware.

There are plenty of cloud backup solutions that don't require the system to be permanently mounted, and if you use an external USB drive it should be stored separately from the system when not actively being used for backup. Personally I'd use Dropbox or something, but not mount it as a drive letter, so malware cannot get at it or write to it should you click a malicious link etc.

Installing more bloat on the system to protect against unique things is an unsustainable position; it doesn't guarantee it'll protect against the next malware coming along. Better to just back up and take general security measures.
Old 31-10-2013, 11:14
IvanIV
Forum Member
 
Join Date: May 2006
Posts: 21,185
Here's an article about detecting social engineering attacks by your browser. Looks like IE is quite ahead and Chrome and Firefox have some catching up to do.

Internet Explorer vastly superior at defeating social engineering attacks