Cryptolocker Update, Request for Info

Published: 2013-10-22
Last Updated: 2013-10-22 14:09:38 UTC
by John Bambenek (Version: 1)
7 comment(s)

It was briefly mentioned in a previous posting, but the Cryptolocker ransomware is still going strong.  In essence, post infection it encrypts all of your "document" files based on file extension and then gives the user 72 hours to pay the ransom ($300 USD or 2 BTC).  It is one of the few pieces of ransomware that does encryption right, so at present, short of paying the ransom, there is no other means to decrypt.  Bleeping Computer has a good write-up, but below are the TL;DR highlights.

If you are infected and your files are encrypted (and you have no backups), there is a very limited means to restore files using Microsoft's Shadow Volume Copies (Windows XP SP2 or better).  In essence, previous versions of files still persist on a system and can be recovered manually or by using a tool like Shadow Explorer.
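As an added illustration of the manual route (this is example code, not part of the diary or of Shadow Explorer), the following PowerShell lists the Volume Shadow Copies on a machine, exposes the chosen snapshot as a directory junction, and copies a folder out of it. It assumes an elevated session on Windows Vista/7/8; `$MountPoint`, `$Recover` and `$RelativePath` are placeholders chosen for the example.

```powershell
# Added example, not from the diary: recover pre-infection file versions from a
# Volume Shadow Copy without any third-party tool. Run from an elevated prompt.
$MountPoint   = 'C:\ShadowMount'            # placeholder: junction into the snapshot
$Recover      = 'C:\Recovered'              # placeholder: where recovered files land
$RelativePath = 'Users\Public\Documents'    # placeholder: folder to pull back, relative to the volume root

# Enumerate snapshots, oldest first (the CIM datetime string sorts chronologically).
$shadows = @(Get-WmiObject Win32_ShadowCopy | Sort-Object InstallDate)
if ($shadows.Count -eq 0) {
    Write-Warning 'No shadow copies exist on this system; this recovery path is not available.'
    return
}

$i = 0
foreach ($s in $shadows) {
    '{0}: {1}  volume={2}' -f $i, $s.ConvertToDateTime($s.InstallDate), $s.VolumeName
    $i++
}
$choice = [int](Read-Host 'Index of the snapshot taken before the infection')
$snap = $shadows[$choice]

# mklink needs the trailing backslash on the device path; cmd.exe is used because these
# Windows versions have no native junction cmdlet.
cmd /c mklink /d $MountPoint "$($snap.DeviceObject)\" | Out-Null
try {
    $source = Join-Path $MountPoint $RelativePath
    if (-not (Test-Path $source)) {
        Write-Warning "$RelativePath does not exist in this snapshot"
    } else {
        New-Item -ItemType Directory -Path $Recover -Force | Out-Null
        Copy-Item -Path $source -Destination $Recover -Recurse -Force
        Write-Host "Copied $source to $Recover"
    }
} finally {
    # rmdir without /s removes only the junction, never the snapshot contents.
    cmd /c rmdir $MountPoint | Out-Null
}
```

Copy recovered files to a clean location rather than back over the encrypted originals until the machine has been cleaned, otherwise a still-running infection will simply encrypt them again.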

Other than that, there is no means currently available for recovery (besides paying).  Reinfecting once the timer runs out does not reset the timer and there have been no reports of recovery after an appreciable amount of time has passed after the 72 hours.  (Some limited amount of clock games might help at the margins, but the bad guys say they delete and purge keys and there is no evidence this is not true).

There are some GPO settings you can deploy to prevent this kind of infection, and for the most part these settings are best practices independent of Cryptolocker.  Basically you can prevent execution of executables in temp directories; the details are at Bleeping Computer.

There are varying ways that systems become infected: at one point it was UPS/FedEx-style spam; now it seems to be coming down with Zbot and other associated tools.  At this point anti-virus has decent detection, so keeping that up to date is a significant help.

Apparently the attackers are also paying attention to various forums but there is no direct way to communicate with them.

REQUEST: If you or your organization has paid the ransom to decrypt, we would like to talk to you (anonymously) about the experience.  Please write in directly to bambenek /at/

John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting



Yesterday's (21 Oct 2013) "message from corporate scanner" exe, once executed, downloaded and started checking in with Cryptolocker IPs.
The default ruleset for Suricata in my Security Onion caught the traffic and I ran down and shut down the machine before much had been encrypted.
This should concern anyone who has mapped network shared drives with write access.
Even though our security products and appliances have definitions for Cryptolocker, I came across a neat little application for blocking it entirely. The application is very small and works very well, and allows for whitelisting existing applications as well as adding others in the future so you won't be breaking anything that is needed. Details here -

In tests so far, it works very well and I plan on installing it network wide tomorrow after a final verification that our other apps run properly and are not affected in any way.
It's worth mentioning that during testing I found that the mitigation strategy from bleepingcomputer that utilizes Microsoft Software Restrictions doesn't block executables that are extracted from compressed files into %TEMP% on XP SP3 machines. It does however work for the ZBOT executable and Cryptolocker executables in %appdata%. Everything works fine on Windows 7.
That website trips McAfee Site Advisor red.

('When we visited this site, we found it exhibited one or more risky behaviors.')
Looks like SRP does not expand the %Temp% variable. Instead you should use the following for the path:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\
Path if using Windows Vista/7/8: %LocalAppData%\Temp\

I have updated the guide at BC to include this update.
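The two comments above (the one observing that the SRP rule did not catch executables extracted into %TEMP% on XP SP3, and the one explaining that SRP does not expand %Temp%) describe the same pitfall. The following PowerShell, added here as an example and not taken from the diary or the Bleeping Computer guide, audits the Disallowed path rules actually applied on a machine and flags any written with %Temp%. It assumes SRP was configured through local or domain Group Policy, which stores the rules under the Policies\Microsoft\Windows\Safer registry key; the list of recommended paths is copied from the comment above.

```powershell
# Added example, not from the diary: audit Software Restriction Policy "Disallowed" path
# rules and flag the %Temp% form that SRP does not expand.
$saferKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowedPaths = Join-Path $saferKey '0\Paths'     # security level 0 = Disallowed

# Paths given in the comment above; both forms are listed so the script runs on XP and on Vista+.
$recommended = @(
    '%UserProfile%\Local Settings\Temp\',   # Windows XP
    '%LocalAppData%\Temp\'                  # Windows Vista/7/8
)

if (-not (Test-Path $disallowedPaths)) {
    Write-Warning "No Disallowed SRP path rules found under $disallowedPaths"
    return
}

$rules = foreach ($k in Get-ChildItem $disallowedPaths) {
    # Read ItemData with DoNotExpandEnvironmentNames so we see the rule exactly as written;
    # Get-ItemProperty would silently expand %Temp% and hide the problem.
    $raw = $k.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
    New-Object PSObject -Property @{
        Rule        = $raw
        UsesTemp    = ($raw -match '^%Temp%')      # -match is case-insensitive by default
        Description = $k.GetValue('Description')
    }
}

$rules | Format-Table Rule, UsesTemp, Description -AutoSize

foreach ($r in ($rules | Where-Object { $_.UsesTemp })) {
    Write-Warning "Rule '$($r.Rule)' relies on %Temp%, which SRP will not expand; use an explicit path instead."
}
foreach ($p in $recommended) {
    $present = $rules | Where-Object { $_.Rule -like "$p*" }
    if (-not $present) { Write-Host "No Disallowed rule covers $p" }
}
```

Rules pushed at user scope live under the same path beneath HKCU, so run the script a second time with `$saferKey` pointed there if your policy is applied per user. After changing rules, `gpupdate /force` and a re-run of the script confirm that the explicit paths are what the machine actually enforces.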
That is a known false positive from McAfee and it has been reported - McAfee is supposedly working on it.
Even the sharks have parasites sticking to them. A friend in the local computer repair business got a machine brought in this weekend with this supposed exact issue. After poking at the drive hooked up to another machine, deleting a few recently created DLL files and removing some associated entries in the registry which caused the computer to fail to boot, he found that the machine's supposedly encrypted files were not; they had just had their extensions changed.

He then backed up those files and did a wipe and reinstall. (His customer was a business and he has a policy that businesses do not get 'virus cleaning'; businesses get 'data recovered as much as possible followed by OS rebuild'.)

He has seen the real deal before, none of his customers have paid the fees however. I did ask him if he sees it again to save the fake!cryptolocker files rather than deleting them for submission to various security peoples.
