CryptoLocker

Classification: Trojan horse
Type: Ransomware
Subtype: Cryptovirus
Isolation: 2 June 2014
Operating system(s) affected: Windows

The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running Microsoft Windows, [1] and was believed to have first been posted to the Internet on 5 September 2013. [2] It propagated via infected email attachments, and via an existing Gameover ZeuS botnet. [3] When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment (through either bitcoin or a pre-paid cash voucher) was made by a stated deadline, and it threatened to delete the private key if the deadline passed. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.


Although CryptoLocker itself was easily removed, the affected files remained encrypted in a way which researchers considered unfeasible to break. Many said that the ransom should not be paid, but did not offer any way to recover files; others said that paying the ransom was the only way to recover files that had not been backed up. Some victims claimed that paying the ransom did not always lead to the files being decrypted.

CryptoLocker was isolated in late May 2014 via Operation Tovar, which took down the Gameover ZeuS botnet that had been used to distribute the malware. [4] During the operation, a security firm involved in the process obtained the database of private keys used by CryptoLocker, which was in turn used to build an online tool for recovering the keys and files without paying the ransom. It is believed that the operators of CryptoLocker successfully extorted a total of around $3 million from victims of the trojan. Other instances of encryption-based ransomware that have followed have used the "CryptoLocker" name (or variations), but are otherwise unrelated.

Operation

CryptoLocker typically propagated as an attachment to a seemingly innocuous e-mail message, which appears to have been sent by a legitimate company. [5] A ZIP file attached to an email message contains an executable file with the filename and the icon disguised as a PDF file, taking advantage of Windows' default behaviour of hiding the extension from file names to disguise the real .EXE extension. CryptoLocker was also propagated using the Gameover ZeuS trojan and botnet. [6] [7] [8]

When first run, the payload installs itself in the user profile folder, and adds a key to the registry that causes it to run on startup. It then attempts to contact one of several designated command and control servers; once connected, the server generates a 2048-bit RSA key pair, and sends the public key back to the infected computer. [1] [7] The server may be a local proxy and go through others, frequently relocated in different countries to make tracing them more difficult. [9] [10]

The payload then encrypts files across local hard drives and mapped network drives with the public key, and logs each file encrypted to a registry key. The process only encrypts data files with certain extensions, including Microsoft Office, OpenDocument, and other documents, pictures, and AutoCAD files. [8] The payload displays a message informing the user that files have been encrypted, and demands a payment of 400 USD or Euro through an anonymous pre-paid cash voucher (e.g. MoneyPak or Ukash), or an equivalent amount in bitcoin (BTC) within 72 or 100 hours (the ransom started at 2 BTC and was later adjusted down to 0.3 BTC by the operators to reflect the fluctuating value of bitcoin), [11] or else the private key on the server would be destroyed, and "nobody and never [sic] will be able to restore files." [1] [7] Payment of the ransom allows the user to download the decryption program, which is pre-loaded with the user's private key. [7] Some infected victims claim that they paid the attackers but their files were not decrypted. [5]

In November 2013, the operators of CryptoLocker launched an online service that claimed to allow users to decrypt their files without the CryptoLocker program, and to purchase the decryption key after the deadline had expired; the process involved uploading an encrypted file to the site as a sample and waiting for the service to find a match; the site claimed that a match would be found within 24 hours. Once found, the user could pay for the key online; if the 72-hour deadline passed, the cost increased to 10 bitcoin. [12] [13]

Takedown and recovery of files

On 2 June 2014, the United States Department of Justice officially announced that over the previous weekend, Operation Tovar, a consortium of law enforcement agencies (including the FBI and Interpol), security software vendors, and several universities, had disrupted the Gameover ZeuS botnet which had been used to distribute CryptoLocker and other malware. The Department of Justice also publicly issued an indictment against the Russian hacker Evgeniy Bogachev for his alleged involvement in the botnet. [6] [14] [15] [16]

As part of the operation, the Dutch security firm Fox-IT was able to procure the database of private keys used by CryptoLocker; in August 2014, Fox-IT and fellow firm FireEye introduced an online service which allows infected users to retrieve their private key by uploading a sample file, and then receive a decryption tool. [17] [18]

Mitigation

While security software is designed to detect such threats, it might not detect CryptoLocker at all, or only after encryption is underway or complete, particularly if a new version unknown to the protective software is distributed. [19] Because encryption takes some time to complete, removing the malware (a relatively simple process) as soon as an attack is suspected or detected in its early stages limits the damage to data. [20] [21] Experts suggested precautionary measures, such as using software or other security policies to block the CryptoLocker payload from launching. [1] [7] [8] [10] [21]
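As an added example that is not part of the original article, the following Python triage script checks for two of the host-level traces described under Operation: an attachment name whose real .exe extension hides behind a document extension, and an autorun Run-key entry that starts an executable from the user profile folder. The document extensions beyond PDF, the path markers, and all sample names and paths are constructed assumptions.

```python
"""Added example, not code from the original article: defender-side triage of
two host traces the article attributes to CryptoLocker, a payload named like a
PDF whose real .exe extension Windows hides by default, and an autorun Run-key
entry that starts an executable from the user profile folder. The sample names
and Run-key entries below are constructed, not indicators from any infection."""
import ntpath
import re

# Extensions Windows runs directly: the real extension a "name.pdf.exe" lure
# hides behind a document-looking inner extension.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Document extensions a lure imitates; the article names only PDF, the rest
# are an assumption added for broader coverage.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Path fragments that place a binary inside a user profile rather than under
# Program Files or the Windows directory.
USER_PROFILE_MARKERS = re.compile(
    r"(\\users\\[^\\]+\\|\\appdata\\|%appdata%|%localappdata%|%userprofile%)",
    re.IGNORECASE,
)

def is_disguised_executable(filename: str) -> bool:
    """True for names such as 'Invoice.pdf.exe': executable last extension,
    document-looking second-to-last extension."""
    parts = ntpath.basename(filename).lower().rsplit(".", 2)
    if len(parts) < 3:
        return False  # fewer than two extensions: nothing to hide behind
    _, inner, outer = parts
    return f".{outer}" in EXECUTABLE_EXTS and f".{inner}" in DOCUMENT_EXTS

def exe_path(command: str) -> str:
    """Isolate the executable path from a Run-key command line, which may be
    quoted and may carry arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def launches_from_user_profile(command: str) -> bool:
    """True when the autorun command starts a binary from a user profile."""
    return bool(USER_PROFILE_MARKERS.search(exe_path(command)))

def flag_attachments(names):
    """Return the attachment names that use the hidden-extension disguise."""
    return [n for n in names if is_disguised_executable(n)]

def triage_autorun(entries):
    """entries: (value name, command) pairs as read from a Run key. Returns
    the entries that deserve an analyst's attention, with the reasons."""
    findings = []
    for value_name, command in entries:
        reasons = []
        if launches_from_user_profile(command):
            reasons.append("starts from user profile folder")
        if is_disguised_executable(exe_path(command)):
            reasons.append("document-lookalike executable name")
        if reasons:
            findings.append((value_name, reasons))
    return findings

# Constructed sample data.
SAMPLE_ATTACHMENTS = ["Invoice_0923.pdf.exe", "Invoice_0923.pdf", "setup.exe", "photo.jpg.scr"]
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("Updater", r'"C:\Users\alice\AppData\Roaming\statement.pdf.exe"'),
    ("Viewer", r"%LOCALAPPDATA%\Temp\view.exe /silent"),
]

if __name__ == "__main__":
    print("suspicious attachments:", flag_attachments(SAMPLE_ATTACHMENTS))
    for value_name, reasons in triage_autorun(SAMPLE_RUN_ENTRIES):
        print(f"Run\\{value_name}: " + "; ".join(reasons))
```

On a live host the Run-key pairs would come from HKCU and HKLM Software\Microsoft\Windows\CurrentVersion\Run; the heuristics flag candidates for review, not confirmed infections.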

Due to the nature of CryptoLocker's operation, some experts reluctantly suggested that paying the ransom was the only way to recover files from CryptoLocker in the absence of current backups (offline backups made before the infection that are inaccessible from infected computers cannot be attacked by CryptoLocker). [5] Due to the length of the key employed by CryptoLocker, experts considered it practically impossible to use a brute-force attack to obtain the key needed to decrypt files without paying ransom; the similar 2008 trojan Gpcode.AK used a 1024-bit key that was believed to be large enough to be computationally infeasible to break without a concerted distributed effort, or the discovery of a flaw that could be used to break the encryption. [7] [13] [22] [23] Sophos security analyst Paul Ducklin speculated that CryptoLocker's online decryption service involved a dictionary attack against its own encryption using its database of keys, explaining the requirement to wait up to 24 hours to receive a result. [13]

Money paid

In December 2013, ZDNet traced four bitcoin addresses posted by users who had been infected by CryptoLocker, in an attempt to gauge the operators' takings. The four addresses showed movement of 41,928 BTC between 15 October and 18 December, about US$27 million at that time. [11]

In a survey by researchers at the University of Kent, 41% of those who claimed to be victims said that they had decided to pay the ransom, a proportion much larger than expected; Symantec had estimated that 3% of victims had paid and Dell SecureWorks had estimated that 0.4% of victims had paid. [24] Following the shutdown of the botnet that had been used to distribute CryptoLocker, it was calculated that about 1.3% of those infected had paid the ransom; many had been able to recover files which had been backed up, and others are believed to have lost huge amounts of data. Nonetheless, the operators were believed to have extorted a total of around $3 million. [18]

Clones

The success of CryptoLocker spawned a number of unrelated and similarly named ransomware trojans working in essentially the same way, [25] [26] [27] [28] including some that refer to themselves as "CryptoLocker"—but are, according to security researchers, unrelated to the original CryptoLocker. [29] [30] [28]

In September 2014, further clones such as CryptoWall and TorrentLocker (whose payload identifies itself as "CryptoLocker", but is named for its use of a registry key named "Bit Torrent Application") [31] began spreading in Australia; the ransomware spread via infected e-mails purporting to come from government departments (e.g. Australia Post notifying a failed parcel delivery). To evade detection by automatic e-mail scanners that can follow links, this variant was designed to require users to visit a web page and enter a CAPTCHA code before the payload is actually downloaded. Symantec determined that these new variants, which it identified as "CryptoLocker.F", were not tied to the original. [29] [25] [32] [33] [34] [35]

References

  1. Goodin, Dan (17 October 2013). "You're infected—if you want to see your data again, pay us $300 in Bitcoins". Ars Technica. Archived from the original on 23 October 2013. Retrieved 23 October 2013.
  2. Kelion, Leo (24 December 2013). "Cryptolocker ransomware has 'infected about 250,000 PCs'". BBC. Archived from the original on 22 March 2019. Retrieved 24 December 2013.
  3. "CryptoLocker". Archived from the original on 14 September 2017. Retrieved 14 September 2017.
  4. "'Operation Tovar' Targets 'Gameover' ZeuS Botnet, CryptoLocker Scourge". Krebs on Security. 2 June 2014. Retrieved 5 September 2023.
  5. "Cryptolocker Infections on the Rise; US-CERT Issues Warning". SecurityWeek. 19 November 2013. Archived from the original on 10 June 2016. Retrieved 18 January 2014.
  6. Krebs, Brian (2 June 2014). "'Operation Tovar' Targets 'Gameover' ZeuS Botnet, CryptoLocker Scourge". Krebs on Security. Archived from the original on 4 June 2014. Retrieved 18 August 2014.
  7. Abrams, Lawrence. "CryptoLocker Ransomware Information Guide and FAQ". Bleeping Computer. Archived from the original on 17 November 2013. Retrieved 25 October 2013.
  8. Hassell, Jonathan (25 October 2013). "Cryptolocker: How to avoid getting infected and what to do if you are". Computerworld. Archived from the original on 2 April 2019. Retrieved 25 October 2013.
  9. Ducklin, Paul (12 October 2013). "Destructive malware "CryptoLocker" on the loose – here's what to do". Naked Security. Sophos. Archived from the original on 8 May 2017. Retrieved 23 October 2013.
  10. Ferguson, Donna (19 October 2013). "CryptoLocker attacks that hold your computer to ransom". The Guardian. Archived from the original on 5 March 2017. Retrieved 23 October 2013.
  11. Blue, Violet (22 December 2013). "CryptoLocker's crimewave: A trail of millions in laundered Bitcoin". ZDNet. Archived from the original on 23 December 2013. Retrieved 23 December 2013.
  12. "CryptoLocker crooks charge 10 Bitcoins for second-chance decryption service". CSO. 4 November 2013. Archived from the original on 19 January 2021. Retrieved 5 November 2013.
  13. Constantin, Lucian (4 November 2013). "CryptoLocker creators try to extort even more money from victims with new service". PC World. Archived from the original on 30 April 2017. Retrieved 5 November 2013.
  14. Storm, Darlene (2 June 2014). "Wham bam: Global Operation Tovar whacks CryptoLocker ransomware & GameOver Zeus botnet". Computerworld. IDG. Archived from the original on 3 July 2014. Retrieved 18 August 2014.
  15. "U.S. Leads Multi-National Action Against "Gameover Zeus" Botnet and "Cryptolocker" Ransomware, Charges Botnet Administrator". Justice.gov (Press release). U.S. Department of Justice. Archived from the original on 3 September 2014. Retrieved 18 August 2014.
  16. Graff, Garrett M. (21 March 2017). "Inside the Hunt for Russia's Most Notorious Hacker". Wired. ISSN 1059-1028. Archived from the original on 5 January 2020. Retrieved 18 January 2020.
  17. Krebs, Brian (15 August 2014). "New Site Recovers Files Locked by Cryptolocker Ransomware". Krebs on Security. Archived from the original on 7 June 2017. Retrieved 18 August 2014.
  18. Ward, Mark (6 August 2014). "Cryptolocker victims to get files back for free". BBC News. Archived from the original on 13 January 2020. Retrieved 18 August 2014.
  19. The Yuma Sun, on a CryptoLocker attack. Archived 8 October 2017 at the Wayback Machine: "... was able to go undetected by the antivirus software used by the Yuma Sun because it was Zero-day malware".
  20. Cannell, Joshua (8 October 2013). "Cryptolocker Ransomware: What You Need To Know, last updated 06/02/2014". Malwarebytes Unpacked. Archived from the original on 27 September 2022. Retrieved 19 October 2013.
  21. Leyden, Josh (18 October 2013). "Fiendish CryptoLocker ransomware: Whatever you do, don't PAY". The Register. Archived from the original on 18 October 2013. Retrieved 18 October 2013.
  22. Naraine, Ryan (6 June 2008). "Blackmail ransomware returns with 1024-bit encryption key". ZDNet. Archived from the original on 3 August 2008. Retrieved 25 October 2013.
  23. Lemos, Robert (13 June 2008). "Ransomware resisting crypto cracking efforts". SecurityFocus. Archived from the original on 3 March 2016. Retrieved 25 October 2013.
  24. "Results of online survey by Interdisciplinary Research Centre in Cyber Security at the University of Kent in Canterbury" (PDF). kent.ac.uk. University of Kent in Canterbury. Archived from the original (PDF) on 8 March 2014. Retrieved 25 March 2014.
  25. Budmar, Patrick (3 October 2014). "Australia specifically targeted by Cryptolocker: Symantec". ARNnet. Archived from the original on 7 October 2014. Retrieved 15 October 2014.
  26. Kirk, Jeremy (1 April 2014). "CryptoDefense ransomware leaves decryption key accessible". Computerworld. IDG. Archived from the original on 3 July 2014. Retrieved 7 April 2014.
  27. Thomson, Iain (3 April 2014). "Your files held hostage by CryptoDefense? Don't pay up! The decryption key is on your hard drive". The Register. Archived from the original on 26 December 2016. Retrieved 6 April 2014.
  28. Pichel, Abigail (26 December 2013). "New CryptoLocker Spreads via Removable Drives". Trend Micro. Archived from the original on 28 December 2013. Retrieved 18 January 2014.
  29. "Australians increasingly hit by global tide of cryptomalware". Symantec. Archived from the original on 29 March 2016. Retrieved 15 October 2014.
  30. "Cryptolocker 2.0 – new version, or copycat?". WeLiveSecurity. ESET. 19 December 2013. Archived from the original on 22 November 2016. Retrieved 18 January 2014.
  31. "TorrentLocker now targets UK with Royal Mail phishing". ESET. 4 September 2014. Archived from the original on 21 October 2014. Retrieved 22 October 2014.
  32. Turner, Adam (15 October 2014). "Scammers use Australia Post to mask email attacks". Sydney Morning Herald. Archived from the original on 16 October 2014. Retrieved 15 October 2014.
  33. Staff. "Cryptolocker Ransomware attack". Retrieved 27 June 2023.
  34. Staff. "Ransomware attack". Retrieved 21 July 2023.
  35. Ragan, Steve (7 October 2014). "Ransomware attack knocks TV station off air". CSO. Archived from the original on 12 October 2016. Retrieved 15 October 2014.