Created on Sunday, 13 October 2013 16:13
Malware Warning: "Cryptolocker" - a new malware 'extortion' strategy now in the wild.
What it does
Over the last few weeks, a new type of malware has been circulating which is potentially devastating to your personal files.
Although there have been types of "ransomware" circulating before, this new method/strategy is particularly nasty:
- "Cryptolocker" installs via the usual method (deliberate user interaction), and has been seen in email attachments, infected websites, and especially on social networks.
- Once a user has been tricked into clicking a link, or opening an infected attachment, the installation of the malware is silent; THIS IS WHERE THE NIGHTMARE BEGINS!
- What the malware does is different from most previous forms of malware: it seeks out all the useful files on all of your hard drives (and network shares) and ENCRYPTS them, making them inaccessible to you. The only way to regain access to them is with the encryption 'key', which the malware generates as it encrypts your files.
- Once this process is complete, the malware makes itself known and informs you of what has been done to your files. It offers to remove the encryption for a payment of US$300. A timer gives you a limited time to pay the ransom; if the timer runs out, the malware removes itself, your files remain encrypted, and there is virtually no chance you will ever decrypt them.
Why this malware is particularly BAD
- If the encryption process fails for any reason, you could lose your files (even if you pay the 'ransom').
- There is no guarantee that the decryption process will even work if you pay the ransom. Although it HAS been reported to work, the encryption keys are stored on a server somewhere, and this server could disappear at any time.
- If you remove the malware with an anti-virus or anti-malware program, you will lose the ability to ever obtain the encryption key, and you will lose access to your files.
- Network shares have been found to be encrypted, meaning that all the files which are shared within an office or business network could be at risk, just from one user/computer on the network.
- Once the encryption process begins, there is virtually no way to recover any encrypted files without the encryption key generated by the malware.
- The only way to get your files back is from a backup you have taken. HOWEVER, because the malware searches all hard drives AND network drives, your backups are likely to end up encrypted as well, rendering them useless!
How to avoid becoming infected (prevention is DEFINITELY better than cure in this case!)
To put it simply: be careful! Having anti-virus software installed is NOT ENOUGH, because as with all malware, new variants are often 'in the wild' BEFORE anti-virus software can be updated to catch them.
The malware is installed by user interaction, meaning that you (or someone with access to your computer) have to initiate the installation of the program.
This could be by:
- Clicking on a link in an email, which leads to a malicious or compromised website that contains the malware. Depending on your web browser settings, you may or may not need to click on something else to install the malware once that website opens.
- Opening an email attachment which contains the infection.
- Clicking on a link or attachment in Facebook, Twitter etc., which leads to a compromised website or an infected file.
* The fact that you know the sender of the email makes no difference.
* The fact that you know a person posting a message on a social network also makes no difference.
In both cases, their computers and/or accounts may have been compromised and could well be a source of infection. Or the person may have been tricked into sharing something with you which appears harmless but contains the infection.
So how can I tell what is a source of infection, and what is not?
Most importantly, if you don't know or recognise the sender of the communication, then there is a good chance you are looking at spam. That being the case, everything in the message can be considered suspect (links, attachments, images) - DELETE IT. Do not open any attachments, do not click on any links, and in the case of email try not to 'show remote content' while viewing the message.
"Social Engineering" is the number one way that the makers and propagators of malware get you to install their junk. They will try to trick you by sending what appear to be legitimate communications, and entice you to click a link or open an attachment.
- Banking Emails are common, and often claim that your online banking access has been 'suspended' or 'limited', and ask you to fill out a form to fix the issue. The 'form' will either be a link or an attachment. NO BANK EVER DOES THIS! If you do have concerns about your bank accounts after receiving an email, contact your bank directly via phone.
- Lately, there have been Parcel Delivery emails which claim that there is a parcel waiting to be delivered. They sometimes appear to come from high-profile companies like UPS. As always, they will try to entice you to click a link or open an attachment. If you're expecting a parcel, you will usually know the details of the delivery; follow up using that information rather than information provided in any email. Either visit the company's website directly (i.e. type the address into your web browser manually rather than using a link in an email), or phone them.
- Any email which is telling you that a social networking account, or some other form of online sign-up, has been suspended or requires your action should be treated as suspect. Avoid links and attachments in the message, and if you are concerned about any accounts that you have, go and check them out manually by logging in via your web browser.
- There are many other email scams; use the same logic above to avoid being caught. Don't be quick to open an attachment or click on a link until you know that the communication is legitimate.
Because of the social nature of social networking sites, and the fact that they are often about sharing links to resources, it can be particularly difficult to identify bogus communications. KNOW YOUR FRIENDS!
- More often than not, malware will be spread through social networks by strangers; either people you have added without knowing who they are, or by users messaging you because your privacy settings allow it (i.e. users who are not on your friend list are allowed to message you).
- If you don't know the person, then treat the message the same as you would an email from an unexpected stranger: DELETE IT. If you think the message may be legitimate, you can try replying to the user to see how they respond, but do not click any links or open any attachments in their messages until you know they are legitimate.
- It is possible that people you know have had their social network account/s (or their computers) compromised. That being the case, it is possible that some of their posts and messages are not actually theirs, and are either spam or attempts to get you to install malware.
- If you know someone fairly well, it is often very easy to tell from their writing style whether their communications are really theirs. Think about what they have said or posted, and check if it is 'in character' for that person. If you think there is something off about their post or message, either avoid it altogether, or message them personally to check if their communication is legitimate (you may actually be doing them a favour if their account has been compromised!).
- Even friends whose accounts have not been compromised could be a risk. They may share something which seems innocent enough, but which is an attempt at social engineering. Always be cautious when clicking on external links.
- 'Apps' on sites such as Facebook have been known to spread malware. If you are installing an app, make sure you know what it does. If you're not sure if you need it, then you probably don't!
There are some social networking 'spam' examples on these pages, which are worth familiarising yourself with:
If you end up with this infection, the chances are that the encryption process will already have run its course by the time you're aware of it; the malware only makes itself known after your files have been encrypted.
At that point, your only hope is to pay the ransom, or restore from a backup.
IF YOUR CURRENT BACKUP SYSTEM IS USING A PERMANENTLY ATTACHED DRIVE OR A NETWORK SHARE, YOU MAY NOT BE SAFE! This malware will target all data sources it can find and so your backups can end-up encrypted and useless.
- You can use an external hard drive as a safe backup location, BUT YOU MUST DISCONNECT THIS DRIVE WHENEVER A BACKUP IS NOT TAKING PLACE! If the drive is connected at the time of infection, chances are it will be encrypted.
- If you use a network location to store your backups, review the user permissions you have on that location and make them read-only. Have your backup software authenticate to the location each time a backup is performed, rather than having the location authenticated and open all of the time.
- Use an online backup storage service, but be wary if the software that comes with that service maps a drive letter to your cloud storage (if it does, it may be prone to infection from malware such as Cryptolocker). Dropbox is probably not a safe solution, as it synchronises files on your local drives in real time, meaning that once your Dropbox folder has been encrypted, the encrypted files will be uploaded to Dropbox.
- Be cautious with automatic/synchronised backups; you may end up backing up your files after they have been encrypted by malware! You should take a backup of your backups once or twice a week, so that you have a 'window' from which to recover should this occur. Alternatively, store 'version chains' of your backups, so that you can go back a few days.
IN ANY CASE, YOU SHOULD ALWAYS CONSIDER MULTIPLE BACKUP LOCATIONS. HAVING ONE OFF-SITE BACKUP IS ALWAYS ADVISABLE.
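An added example (not from the original page) of the 'version chain' backup advice above, in Python: each run copies the source tree into a new timestamped snapshot, snapshots beyond a retention window are pruned, and restore brings an older snapshot back. The demo() scenario shows why the window matters: the newest automatic backup faithfully captures damaged files, so recovery comes from the day-1 snapshot. The folder names, the KEEP value and the simulated damage are constructed assumptions; the backup root is meant to sit on a drive or share that is attached only while this runs.

```python
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

KEEP = 7  # snapshots retained: the recovery 'window' the advice above asks for

def take_snapshot(src, backup_root, when=None):
    """Copy src into backup_root/<timestamp>; an existing snapshot is never overwritten."""
    stamp = (when or datetime.now()).strftime("%Y%m%d-%H%M%S")
    dest = Path(backup_root) / stamp
    if dest.exists():
        raise FileExistsError(f"snapshot {dest} already exists")
    shutil.copytree(src, dest)
    return dest

def list_snapshots(backup_root):
    """Snapshots oldest first; the timestamp names sort chronologically."""
    return sorted(p for p in Path(backup_root).iterdir() if p.is_dir())

def prune(backup_root, keep=KEEP):
    """Delete all but the newest `keep` snapshots and return what was removed."""
    snaps = list_snapshots(backup_root)
    old = snaps[:max(0, len(snaps) - keep)]
    for p in old:
        shutil.rmtree(p)
    return old

def restore(snapshot, target):
    """Copy one snapshot back over target; returns the number of files restored."""
    shutil.copytree(snapshot, target, dirs_exist_ok=True)
    return sum(1 for p in Path(snapshot).rglob("*") if p.is_file())

def demo():
    """Constructed scenario: day-1 snapshot, files damaged, day-2 snapshot backs up the damage, recover from day 1."""
    work = Path(tempfile.mkdtemp())
    src, root = work / "docs", work / "backups"
    src.mkdir(); root.mkdir()
    (src / "report.txt").write_text("quarterly figures")
    day1 = take_snapshot(src, root, datetime(2013, 10, 11, 2, 0))
    (src / "report.txt").write_bytes(b"\x00" * 16)  # simulated post-infection damage (constructed)
    day2 = take_snapshot(src, root, datetime(2013, 10, 12, 2, 0))
    latest_damaged = (day2 / "report.txt").read_bytes() == b"\x00" * 16
    restored = restore(day1, src)
    recovered = (src / "report.txt").read_text() == "quarterly figures"
    removed = prune(root, keep=1)  # keep only the newest snapshot
    remaining = [p.name for p in list_snapshots(root)]
    shutil.rmtree(work)
    return {"latest_backup_damaged": latest_damaged, "files_restored": restored,
            "recovered": recovered, "pruned": len(removed), "remaining": remaining}
```

Pruning with keep=1 in the demo is deliberately aggressive to show the trade-off: once the older snapshot is gone, the only backup left is the damaged one.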
If you would like someone to assess your computer, either to set up a new backup system or to assess an existing one, please contact us.
THERE IS MORE INFORMATION ON THIS THREAT AVAILABLE AT http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/page-26#entry3165383