
Cryptolocker Update, Request for Info

Published: 2013-10-22
Last Updated: 2013-10-22 14:09:38 UTC
by John Bambenek (Version: 1)

It was briefly mentioned in a previous posting, but the Cryptolocker ransomware is still going strong.  In essence, post infection it encrypts all of your "document" files based on file extension and then gives the user 72 hours to pay the ransom ($300 USD or 2 BTC).  It is one of the few pieces of ransomware that does encryption right, so at present, short of paying the ransom, there is no other means to decrypt.  Bleeping Computer has a good write up, but below are the TL;DR highlights.

If you are infected and your files are encrypted (and you have no backups) there is a very limited means to restore files using Microsoft's Shadow Volume Copies (Windows XP SP2 or better).  In essence, previous versions of files still persist on a system and can be recovered manually or by using a tool like Shadow Explorer.
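The manual route, as an added example that is not part of the diary or of Shadow Explorer: from an elevated PowerShell, list the shadow copies on the machine, expose each one through a directory symbolic link, and copy out every earlier version of a given file. The file path, the recovery directory and the link naming are this example's own assumptions.

```powershell
# Added example: pull earlier versions of one file out of Volume Shadow Copies.
# Run from an elevated PowerShell. Hypothetical values: the encrypted file lived at
# C:\Users\alice\Documents\report.docx and recovered copies go to C:\Recovered.

$Target     = 'Users\alice\Documents\report.docx'   # path relative to the volume root
$RecoverDir = 'C:\Recovered'
New-Item -ItemType Directory -Path $RecoverDir -Force | Out-Null

# Win32_ShadowCopy lists every snapshot on the box. DeviceObject is the
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path. InstallDate is a DMTF
# timestamp string, which sorts chronologically as text; newest first.
$shadows = Get-WmiObject -Class Win32_ShadowCopy | Sort-Object InstallDate -Descending
if (-not $shadows) {
    Write-Warning 'No shadow copies exist on this system; this recovery path is unavailable.'
    return
}

foreach ($s in $shadows) {
    # The PowerShell file provider cannot open \\?\GLOBALROOT paths directly, so
    # expose the snapshot as a directory symlink. The trailing backslash is required.
    $link = Join-Path $env:TEMP ('vss_' + $s.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($s.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $link $Target
        if (Test-Path -LiteralPath $candidate) {
            $info = Get-Item -LiteralPath $candidate
            $taken = $s.ConvertToDateTime($s.InstallDate)
            # Size and modification time tell you whether this version predates the
            # encryption: a snapshot taken after infection holds the encrypted file.
            Write-Host ('Snapshot {0} taken {1}: {2} bytes, modified {3}' -f `
                $s.ID, $taken, $info.Length, $info.LastWriteTime)
            $dest = Join-Path $RecoverDir ('{0:yyyyMMdd_HHmmss}_{1}' -f $taken, $info.Name)
            Copy-Item -LiteralPath $candidate -Destination $dest
        }
    }
    finally {
        # rmdir on a directory symlink removes only the link, never the snapshot.
        cmd /c rmdir "$link" | Out-Null
    }
}
```

Compare the last-modified time of each recovered copy against when the ransom screen first appeared; only versions from before that point are usable, and if `Win32_ShadowCopy` returns nothing there is nothing to recover this way.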

Other than that, there is no means currently available for recovery (besides paying).  Reinfecting once the timer runs out does not reset the timer and there have been no reports of recovery after an appreciable amount of time has passed after the 72 hours.  (Some limited amount of clock games might help at the margins, but the bad guys say they delete and purge keys and there is no evidence this is not true).

There are some GPO settings you can deploy to prevent this kind of infection and for the most part, some of these settings are best practices independently of Cryptolocker.  Basically you can prevent execution of executables in temp directories, the details of which are at Bleeping Computer.
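An equivalent of that GPO advice expressed as an AppLocker executable policy, added here as an example and not taken from the diary or from Bleeping Computer (which describes Software Restriction Policy rules): deny `.exe` launches from the per-user temp and AppData trees while allowing the Windows and Program Files trees and local administrators. It assumes an edition that ships AppLocker, an elevated prompt, and the Application Identity service (AppIDSvc) running; the rule GUIDs, names and output path are this example's own choices.

```powershell
# Added example: block executables in user-writable temp locations with AppLocker.
# Deny rules alone would turn into deny-everything, because once a rule collection
# has any rule, AppLocker blocks whatever is not explicitly allowed. The allow rules
# below are the standard defaults and must stay in.
# The rule Ids are GUIDs made up for this example.

$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="6f2f4a1e-1111-4c3a-9a7e-000000000001" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="6f2f4a1e-1111-4c3a-9a7e-000000000002" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="6f2f4a1e-1111-4c3a-9a7e-000000000003" Name="Allow Administrators everything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- The deny rules: per-user temp and the roaming AppData tree. Legitimate
         per-user installers that live under AppData need their own allow rules. -->
    <FilePathRule Id="6f2f4a1e-2222-4c3a-9a7e-000000000004" Name="Deny exe in user Temp"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="6f2f4a1e-2222-4c3a-9a7e-000000000005" Name="Deny exe in roaming AppData"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Roaming\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyFile = Join-Path $env:TEMP 'block-temp-exe.xml'   # hypothetical output path
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run: what would this policy do to a system binary and to a constructed
# sample path under a user's Temp folder? Neither file needs to exist.
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Path @(
    "$env:WINDIR\System32\notepad.exe",
    'C:\Users\alice\AppData\Local\Temp\invoice.exe'
) | Format-Table -AutoSize

# AppLocker does nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Apply to the local machine; -Merge keeps any rules that are already in place.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Leave the collection in `AuditOnly` for a week and review the `Microsoft-Windows-AppLocker/EXE and DLL` log: event 8003 records what enforcement would have blocked, and anything legitimate showing up there needs an allow rule before switching `EnforcementMode` to `Enabled` (at which point blocks appear as event 8004).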

There are varying ways that systems become infected: at one point it was UPS/FedEx style spam, now it seems to come down with Zbot and other associated tools.  At this point anti-virus has decent detection, so keeping that up to date is a significant help.

Apparently the attackers are also paying attention to various forums but there is no direct way to communicate with them.

REQUEST: If you or your organization has paid the ransom to decrypt, we would like to talk to you (anonymously) about the experience.  Please write in directly to bambenek /at/

John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting
