The CryptoLocker ransomware attack was a cyber attack using the CryptoLocker ransomware program that ran from September 5, 2013 to the end of May 2014. The attack used a Trojan that targets computers running the Microsoft Windows operating system [1], and the program is believed to have first been posted on the Internet on September 5, 2013 [2]. The Trojan spread through infected email attachments, infected websites, and an existing botnet already present on the user's computer. Once a computer is infected, the malware encrypts certain types of files stored on local and mounted network drives using the RSA public-key cryptosystem, with the private key held only on the malware's control servers. The malware then displays a message offering to decrypt the data if a payment (in bitcoins or via a prepaid cash voucher) is made within a stated deadline, and threatens to delete the private key if the deadline passes. If the deadline is missed, the malware offers to decrypt the data through an online service run by the malware operators for a significantly higher price in bitcoins, with no guarantee that payment will actually lead to the content being decrypted.
| CryptoLocker | |
|---|---|
| Type | Trojan, ransomware |
| Year of appearance | September 5, 2013 |
Although CryptoLocker itself can be removed easily, the affected files remained encrypted in a way that researchers considered infeasible to break. Many said the ransom should not be paid, but offered no way to recover the files; others argued that paying the ransom was the only way to recover files that had not been backed up. Some victims reported that paying the ransom did not always lead to their files being decrypted.
CryptoLocker was neutralized at the end of May 2014 as a result of , during which the botnet used to distribute the malware was also seized. During the operation, the security company involved obtained the database of private keys used by CryptoLocker, which in turn was used to build an online tool for recovering keys and files without paying a ransom. It is estimated that the CryptoLocker operators successfully extracted a total of about US$3 million from victims of the Trojan. Other instances of the encrypting ransomware listed below used the name (or variants) of CryptoLocker, but are otherwise unrelated.
Operation
CryptoLocker is usually distributed as an attachment to a seemingly harmless e-mail message that appears to come from a legitimate company [3]. The file attached to the e-mail contains an executable whose file name and icon are disguised as a PDF file, taking advantage of Windows' default behavior of hiding extensions of known file types in order to conceal the real extension, .EXE. CryptoLocker was also distributed using the Gameover ZeuS trojan and botnet [4] [5] [6].
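The disguise described above relies on Windows showing `invoice.pdf` for a file actually named `invoice.pdf.exe`. The following mail-gateway style check is an added example, not code from the article or from any product it mentions; the executable and decoy extension sets and the sample attachment names are assumptions constructed for illustration. It flags attachment names whose real (last) extension is executable while the extension just before it is a document type, and shows what the user would have seen with extension hiding enabled.

```python
from typing import List

# Extensions Windows runs as programs (assumed illustrative set, not from the article).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Document/image types that a disguised name pretends to be (assumed set).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def visible_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last extension is dropped, so 'invoice.pdf.exe' is shown as 'invoice.pdf'."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


def is_disguised_executable(filename: str) -> bool:
    """True when the real (last) extension is executable and the extension
    just before it is a document type, the pattern CryptoLocker's attachments used."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 3:  # need: name, decoy extension, real extension
        return False
    real_ext, decoy_ext = parts[-1], parts[-2]
    return real_ext in EXECUTABLE_EXTS and decoy_ext in DECOY_EXTS


def screen_attachments(names: List[str]) -> List[str]:
    """Return the attachment names that should be quarantined for review."""
    return [n for n in names if is_disguised_executable(n)]


# Constructed sample of attachment names, e.g. as listed inside an e-mailed archive.
SAMPLE_ATTACHMENTS = [
    "Invoice_2013-10.pdf.exe",
    "Invoice_2013-10.pdf",
    "Photo.jpg.scr",
    "setup.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for name in screen_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name!r} would be displayed as {visible_name(name)!r}")
```

A plain `setup.exe` is deliberately not flagged by this rule: it is an executable, but it is not pretending to be a document, and a gateway usually handles bare executables with a separate policy.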
When first run, the Trojan's payload installs itself in the user profile folder and adds a registry key that causes it to run at startup. It then attempts to contact one of several designated command-and-control servers; once connected, the server generates a 2048-bit RSA key pair and sends the public key back to the infected computer [1] [5]. The servers may be local proxies that relay to other servers, often located in different countries, to make them difficult to trace [7] [8].
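The two persistence traits named above (payload dropped into the user profile, started via a registry Run key) give a defender a cheap host check: an autostart entry whose program lives under a user profile directory rather than Program Files or Windows deserves review. The following is an added example, not code from the article; the sample Run-key values are constructed, and the set of environment-variable prefixes treated as "user profile" is an assumed heuristic. On a Windows host it reads the live HKCU Run key with the standard `winreg` module; elsewhere it falls back to the constructed sample.

```python
import re
from typing import Dict, List

# Constructed sample of values under a Run key (value name -> command line).
# Illustrative entries only; not data from a real system or from the article.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Qwertyuiop": r'"C:\Users\alice\AppData\Roaming\Qwertyuiop\qwertyuiop.exe"',
    "Updater": r"%APPDATA%\Updater\update.exe /silent",
}

# Prefixes that place a program inside the user profile rather than a system
# or Program Files location (assumed heuristic, not a list from the article).
PROFILE_ENV_PREFIXES = ("%appdata%", "%localappdata%", "%userprofile%", "%temp%", "%tmp%")
PROFILE_PATH_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)


def executable_path(command: str) -> str:
    """Extract the program path from a Run-key command line.
    A quoted path is taken up to the closing quote; otherwise the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def runs_from_user_profile(command: str) -> bool:
    """True when the autostart program lives under a user profile directory."""
    path = executable_path(command).lower()
    if path.startswith(PROFILE_ENV_PREFIXES):
        return True
    return PROFILE_PATH_RE.match(path) is not None


def suspicious_autostarts(values: Dict[str, str]) -> List[str]:
    """Names of Run-key values whose program runs from a user profile location."""
    return sorted(name for name, cmd in values.items() if runs_from_user_profile(cmd))


def read_run_key_hkcu() -> Dict[str, str]:
    """Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run on a Windows
    host; returns {} elsewhere, since winreg only exists on Windows."""
    try:
        import winreg
    except ImportError:
        return {}
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once no more values remain
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    live = read_run_key_hkcu() or SAMPLE_RUN_VALUES
    for name in suspicious_autostarts(live):
        print(f"review autostart entry {name!r}: {live[name]}")
```

Legitimate software (OneDrive, for instance, in its per-user install) also autostarts from AppData, so this is a triage list rather than a verdict; the point is that an unfamiliar name in this list is worth a look before the payload has had time to finish its work.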
The payload then encrypts files on local hard drives and mounted network drives with the public key, and logs each file it encrypts in a registry key. The process only encrypts data files with certain extensions, including Microsoft Office, OpenDocument and other documents, images, and AutoCAD files [6]. The payload displays a message informing the user that the files have been encrypted and demands a payment of 400 US dollars or euros through an anonymous prepaid cash voucher (for example, MoneyPak or ) or an equivalent amount in Bitcoin (BTC) within 72 or 100 hours (starting at 2 BTC, the ransom price was later adjusted by the operators to 0.3 BTC to reflect the fluctuating value of bitcoin) [9], or the private key on the server will be destroyed and "no one will ever be able to restore the files" [1] [5]. Paying the ransom allows the user to download the decryption program, which comes pre-loaded with the user's private key [5]. Some infected victims reported that they paid the attackers but their files were not decrypted [3].
In November 2013, the CryptoLocker operators launched an online service that allowed users to decrypt their files without the CryptoLocker program, and to purchase a decryption key after the deadline had passed; the process involved uploading an encrypted file to the site as a sample and waiting for the service to find a match, which the site claimed would happen within 24 hours. Once a match was found, the user could pay for the key online, but if the 72-hour deadline had passed, the cost increased to 10 bitcoins [10] [11].
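The encryption behaviour described above has a recognisable footprint on a host: one process rewriting many document files of the targeted types in quick succession, while the rest of the system behaves normally. The detector below is an added example, not code from the article or from any vendor it cites; the concrete extension set, the canary file path, the thresholds and the file-event log lines are constructed assumptions. It reads simple "timestamp PID op path" write events, alerts on any write to a canary document that nobody is supposed to edit, and alerts once per process that writes to at least `BURST_THRESHOLD` distinct targeted files inside a sliding time window.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# File types the article says CryptoLocker targeted (Office, OpenDocument, images,
# AutoCAD); the concrete extensions below are an assumed illustrative set.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
               ".odt", ".ods", ".jpg", ".png", ".dwg"}
# Assumed canary file: a document nobody edits, so any write to it is suspicious.
CANARY_FILES = {r"c:\users\alice\documents\~canary.docx"}
BURST_THRESHOLD = 5              # distinct targeted files written by one process...
WINDOW = timedelta(seconds=60)   # ...within this sliding window

# Constructed file-write events ("<ISO time> PID=<pid> <OP> <path>"); not real telemetry.
SAMPLE_LOG = r"""
2013-10-15T09:12:00 PID=1200 WRITE C:\Users\alice\Documents\notes.docx
2013-10-15T09:12:05 PID=4120 WRITE C:\Users\alice\Documents\budget.xlsx
2013-10-15T09:12:06 PID=4120 WRITE C:\Users\alice\Documents\plan.docx
2013-10-15T09:12:07 PID=4120 WRITE C:\Users\alice\Pictures\holiday.jpg
2013-10-15T09:12:08 PID=4120 WRITE C:\Users\alice\Documents\drawing.dwg
2013-10-15T09:12:09 PID=4120 WRITE C:\Users\alice\Documents\thesis.odt
2013-10-15T09:12:10 PID=4120 WRITE C:\Users\alice\Documents\~canary.docx
2013-10-15T09:15:00 PID=1200 WRITE C:\Users\alice\Documents\notes.docx
2013-10-15T09:20:00 PID=4120 READ  C:\Users\alice\Documents\readme.txt
"""


def parse_event(line: str) -> Tuple[datetime, int, str, str]:
    """Split one event line into (timestamp, pid, operation, path)."""
    ts, pid, op, path = line.split(None, 3)
    return datetime.fromisoformat(ts), int(pid.split("=", 1)[1]), op, path


def detect(log_text: str) -> List[Tuple[int, str]]:
    """Return (pid, reason) alerts: canary writes, and bursts of writes to
    many distinct targeted files by one process within WINDOW."""
    alerts: List[Tuple[int, str]] = []
    recent: Dict[int, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    burst_reported: Set[int] = set()
    for line in log_text.strip().splitlines():
        ts, pid, op, path = parse_event(line)
        if op != "WRITE":
            continue
        low = path.lower()
        if low in CANARY_FILES:
            alerts.append((pid, f"canary file modified: {path}"))
            continue
        if ntpath.splitext(low)[1] not in TARGET_EXTS:
            continue
        window = recent[pid]
        window.append((ts, low))
        # Drop events that have fallen out of the sliding window for this process.
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= BURST_THRESHOLD and pid not in burst_reported:
            burst_reported.add(pid)
            alerts.append((pid, f"burst: {len(distinct)} document files written "
                                f"within {int(WINDOW.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_LOG):
        print(f"PID {pid}: {reason}")
```

The editor process (PID 1200) that saves the same document twice never reaches the threshold because the count is over distinct paths, while the bulk-rewriting process trips the burst rule on its fifth file and the canary rule immediately after. The thresholds are deliberately conservative placeholders; a backup job or a bulk image conversion will also write many files quickly, so in practice the process name and parent would be folded into the decision.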
Removal and file recovery
On June 2, 2014, the US Department of Justice officially announced that over the previous weekend , a consortium of law enforcement agencies (including the FBI and Interpol), security software vendors, and several universities, had seized the botnet that had been used to spread CryptoLocker and other malware. The Department of Justice also publicly indicted the Russian hacker Yevgeny Bogachev for his alleged involvement in the botnet [4] [12] [13].
As part of this operation, the Dutch company Fox-IT was able to obtain the database of private keys used by CryptoLocker. In August 2014, Fox-IT and another company, FireEye, introduced an online service that allows users of infected computers to retrieve their private key by uploading a sample file, after which they receive a decryption tool [14] [15].
Mitigation
Although security software is designed to detect such threats, it may not detect CryptoLocker at all while encryption is in progress or after it has completed, especially if a new version unknown to the security software is being distributed. If an attack is suspected or detected in its early stages, it takes the Trojan some time to carry out the encryption: immediate removal of the malware (a relatively simple process) before it finishes limits the damage to data [16] [17]. Experts suggested precautions such as using software or other security policies to block the CryptoLocker payload from running [1] [5] [6] [8] [17].
Because of the way CryptoLocker operates, some experts reluctantly suggested that paying the ransom was the only way to recover files in the absence of current backups (offline backups made before the infection and inaccessible from the infected computer cannot be attacked by CryptoLocker) [3]. Because of the length of the key CryptoLocker uses, experts considered it practically impossible to brute-force the key needed to decrypt the files without paying the ransom; the similar 2008 Trojan Gpcode.AK used a 1024-bit key that was considered long enough to be computationally infeasible to break without a coordinated distributed effort, or without the discovery of a flaw that could be used for decryption [5] [11] [18] [19]. Sophos security analyst Paul Ducklin suggested that CryptoLocker's online decryption service involved a dictionary attack against its own encryption using its database of keys, which would explain the requirement to wait up to 24 hours for a result [11].
Ransoms paid
In December 2013, the ZDNet website tracked four Bitcoin addresses posted by users whose computers had been infected with CryptoLocker, in an attempt to estimate the operators' takings. These four addresses showed movement of 41,928 BTC between October 15 and December 18: about US$27 million at the time [9].
According to a survey by researchers at the , 41% of those who said they had been victims reported that they had decided to pay the ransom: a far higher share than expected. Symantec estimated that 3% of victims paid, and Dell SecureWorks estimated that approximately 0.4% of victims paid [20]. After the takedown of the botnet used to distribute CryptoLocker, it was estimated that around 1.3% of those infected had paid a ransom; many of the rest were able to recover their files from backups, while others are believed to have lost large amounts of data. Nevertheless, the Trojan's operators are believed to have collected a total of about US$3 million [15].
Clones
The success of CryptoLocker spawned a series of unrelated and similarly named ransomware Trojans that work in essentially the same way [21] [22] [23] [24], including some that call themselves "CryptoLocker" but which, according to security researchers, are unrelated to the original CryptoLocker [21] [25] [26].
In September 2014, clones such as CryptoWall and TorrentLocker (whose payload identifies itself as "CryptoLocker" but is so named because it uses a registry key called "BitTorrent Application") [27] began to spread in Australia. This ransomware uses infected emails purporting to come from government departments (for example, Australia Post notifying of a failed parcel delivery) to deliver its payload. To evade automatic email scanners that follow links, this variant was designed to require the user to visit a web page and enter a CAPTCHA code before the actual download. Symantec determined that these new variants, which it identified as "CryptoLocker.F", were not connected with the original [24] [26] [28] [29].
Notes
- [1] Dan Goodin. You're infected - if you want to see your data again, pay us $300 in Bitcoins. Ransomware comes of age with unbreakable crypto, anonymous payments. Ars Technica (October 18, 2013). Retrieved June 1, 2017.
- [2] Leo Kelion. Cryptolocker ransomware has 'infected about 250,000 PCs'. BBC (December 24, 2013). Retrieved June 1, 2017.
- [3] Ryan Naraine. Cryptolocker Infections on the Rise; US-CERT Issues Warning. SecurityWeek (November 19, 2013). Retrieved June 1, 2017.
- [4] Brian Krebs. 'Operation Tovar' Targets 'Gameover' ZeuS Botnet, CryptoLocker Scourge. Krebs on Security (June 2, 2014). Retrieved June 1, 2017.
- [5] Lawrence Abrams. CryptoLocker Ransomware Information Guide and FAQ. Bleeping Computer (October 14, 2013). Retrieved June 1, 2017.
- [6] Jonathan Hassell. Cryptolocker: How to avoid getting infected and what to do if you are. Computerworld (October 25, 2013). Retrieved June 1, 2017.
- [7] Paul Ducklin. Destructive malware "CryptoLocker" on the loose - here's what to do. Naked Security (October 12, 2013). Retrieved June 1, 2017.
- [8] Donna Ferguson. CryptoLocker attacks that hold your computer to ransom. The Guardian (October 19, 2013). Retrieved June 1, 2017.
- [9] Violet Blue. CryptoLocker's crimewave: A trail of millions in laundered Bitcoin. ZDNet (December 22, 2013). Retrieved June 1, 2017.
- [10] Ms. Smith. CryptoLocker crooks charge 10 Bitcoins for second-chance decryption service. Network World (November 4, 2013). Retrieved June 1, 2017.
- [11] Lucian Constantin. CryptoLocker creators try to extort even more money from victims with new service. PC World (November 4, 2013). Retrieved June 1, 2017.
- [12] Darlene Storm. Wham bam: Global Operation Tovar whacks CryptoLocker ransomware & GameOver Zeus botnet. Computerworld (June 2, 2014). Retrieved June 1, 2017.
- [13] US Leads Multi-National Action Against "Gameover Zeus" Botnet and "Cryptolocker" Ransomware, Charges Botnet Administrator. US Department of Justice (June 2, 2014). Retrieved June 1, 2017.
- [14] Brian Krebs. New Site Recovers Files Locked by Cryptolocker Ransomware. Krebs on Security (August 6, 2014). Retrieved June 1, 2017.
- [15] Mark Ward. Cryptolocker victims to get files back for free. BBC (August 6, 2014). Retrieved June 1, 2017.
- [16] Joshua Cannell. Cryptolocker Ransomware: What You Need To Know. Malwarebytes (October 8, 2013). Retrieved June 1, 2017.
- [17] John Leyden. Fiendish CryptoLocker ransomware: Whatever you do, don't PAY. The Register (October 18, 2013). Retrieved June 1, 2017.
- [18] Ryan Naraine. Blackmail ransomware returns with 1024-bit encryption key. ZDNet (June 6, 2008). Retrieved June 1, 2017.
- [19] Robert Lemos. Ransomware resisting crypto cracking efforts. SecurityFocus (June 13, 2008). Retrieved June 1, 2017.
- [20] Julio Hernandez-Castro, Eerke Boiten and Magali Barnoux. Results of online survey by Interdisciplinary Research Centre in Cyber Security at the University of Kent in Canterbury (dead link). University of Kent. Retrieved June 1, 2017. Archived August 24, 2017.
- [21] Abigail Pichel. New CryptoLocker Spreads via Removable Drives. Trend Micro (December 25, 2013). Retrieved June 1, 2017.
- [22] Jeremy Kirk. CryptoDefense ransomware leaves decryption key accessible. Computerworld (April 1, 2014). Retrieved June 1, 2017.
- [23] Iain Thomson. Your files held hostage by CryptoDefense? Don't pay up! The decryption key is on your hard drive. The Register (April 3, 2014). Retrieved June 1, 2017.
- [24] Patrick Budmar. Australia specifically targeted by Cryptolocker: Symantec. Security vendor finds the latest variant of the cryptomalware. ARNnet (October 3, 2014). Retrieved June 1, 2017.
- [25] Robert Lipovsky. Cryptolocker 2.0 - new version, or copycat? WeLiveSecurity (December 19, 2013). Retrieved June 1, 2017.
- [26] Australians increasingly hit by global tide of cryptomalware. Symantec (September 26, 2014). Retrieved June 1, 2017.
- [27] Marc-Etienne M. Léveillé. TorrentLocker now targets UK with Royal Mail phishing. WeLiveSecurity (September 4, 2014). Retrieved June 1, 2017.
- [28] Adam Turner. Scammers use Australia Post to mask email attacks. The Sydney Morning Herald (October 15, 2014). Retrieved June 1, 2017.
- [29] Steve Ragan. Ransomware attack knocks TV station off air. CSO Online (October 7, 2014). Retrieved June 1, 2017.