Ask the Answer Guy – Are the Cryptolocker Crooks Demanding a Ransom?


Brent, I heard about Cryptolocker in the news this week. Is it true they are asking for a ransom to get your data back?

Yes, Crypto is a huge problem for many, many computer users. Anti-Virus programs detect Crypto by the name Troj/Ransom-ACP, because that's exactly what it does: holds your files to ransom.

Crypto hits all the file extensions that most people care about, from mp3s to Microsoft Word docs and Excel spreadsheets, to PDFs and QuickBooks files. The only things it doesn’t touch are system files and “.exes”—Crypto leaves those alone so that the targeted machine will keep running well enough to pay the hefty ransom!

Crypto encrypts everything else with 2048-bit RSA keys that would take what seems like a zillion years to break. Once the infection happens, it can encrypt files on shared servers too. Even a home PC using a VPN to access a corporate network can encrypt every file on the company’s server that the user can reach, and that’s very scary!

Hefty Ransom

Here’s where the ransom comes in: The hackers that made Crypto are getting rich encrypting people’s data and, for $300, selling the decryption key to the victim in order to get their data back. I guess it could be said that these guys are “ethical extortionists,” meaning that in most cases, they DO hand over the decryption key, so you can get your data back. If you clean the virus off before paying, your files will still be useless; the only way to get your files back in original form is to pay the money. The crooks even give you a convenient web link that, if you click on it, will re-infect you so that the decryption key will work!

For payment they accept Bitcoin, which is a very interesting new currency that works like PayPal, but with absolutely no paper trail or way to reverse charges—the drug dealers love it. Incidentally, Bitcoin has been covered extensively by Wired and Fortune magazines, and I expect it to get HUGE since it is the closest thing to “cash” you can get without mailing actual cash around. The Crypto crooks also accept MoneyPak cash cards that you can pick up at CVS, RiteAid, or Walmart.

The guys behind Cryptolocker are making huge amounts of money, and the social engineering behind their emails is amazing. They have tricked some of our very sophisticated clients in surprising ways. In each case the person that got tricked was a CEO, CFO or other sophisticated user who is not known for getting tricked easily and not prone to picking up prior viruses or other malware. These emails contain enough truth or relevance to make people trust the email enough to open it and thereby infect themselves.

We’ve taken the unprecedented step of blocking zip files from all mail servers because the AV and anti-spam content filters can’t figure it out. At $300 a pop, these guys can invest in increasingly better ways to deliver the malware and encrypt files.

The Crypto virus used to be delivered via zip files attached to emails. We learned Friday that Crypto is now being delivered by “conventional” malware botnets. That means machines infected over the last year are now delivering the Crypto payload. Infection via a botnet is a little different, since the crooks are using the fact that you are already infected with malware as a way to infect you with yet more malware.

This is because most bots—or zombies—once active on your computer, include a general-purpose "upgrade" command that allows the crooks to update, replace, or add to the malware already on your PC.

Last week we learned of a new attack vector online. A machine got infected with a ZBOT Trojan originally installed in June. That infection happened when the user opened the email attachment of a fake Dun & Bradstreet customer complaint. In other words, the ransomware hackers paid the botnet "owners" to distribute their ransomware to already-infected machines. This is why the attack vector was not necessarily obvious and might have nothing to do with what the user did this week or last week.

Nearly 100% of DCG clients employ our image-based backup product called Dependable SafeSTOR. None of our clients have lost any data because of Crypto or any other virus problem, but we have had at least three clients get hit with Crypto. The malware encrypts all local data along with every file on any server share that person is connected to. On Friday, we had a company call us that had a user who was storing EVERYTHING on a local machine instead of their backed-up server. To get her files back, we had no choice but to send her to CVS to buy a cash card and pay the ransom. She got her files back, but the process is not instant. It takes anywhere from five to 24 hours to get the decryption key while the Crypto guys make sure the payment is good. I think they are extremely busy.

How to protect yourself against CryptoLocker

DCG recommends that individual users who don’t have robust cloud-based file storage/backup in place subscribe to a robust cloud-based file sync utility like DCG Infinite Disk or Dropbox for Business.

Individual Windows users should check out Foolish IT, a small utility from John Shaw, CEO and developer of Foolish IT, a computer consultancy based in Outer Banks, N.C. (Yes, it is a really odd URL pronounced “Foolish IT dot com”.)

(Crypto Prevention Interface)

System admins should consider this comprehensive set of articles from thirdtier.net. The kit includes an article on cleaning up after infection, but more importantly provides materials and instructions for deploying a preventative block using software restriction policies via Group Policy. The articles explain how to install them via GPO on domain computers and terminal servers, as well as on non-domain-joined machines, and they provide GPO settings that you can import into your environment. See more information and download the kit here.
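To show what such a software restriction policy looks like under the hood, here is an added example (not code from the article, from thirdtier.net, or from Foolish IT) that writes local SRP path rules straight into the registry on one Windows machine. The blocked paths are my assumptions about where email-borne droppers typically land (user profile and temporary zip-extraction folders), and the script must run from an elevated PowerShell session.

```powershell
# Added example: local Software Restriction Policy (SRP) path rules that stop
# executables launching from user-writable profile and zip-extraction folders.
# Assumption: these are the locations an attachment-borne dropper lands in; they
# are not taken from the article. Test on one machine first, because some
# legitimate installers (self-updating apps) also run from %AppData%.
$Safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = Join-Path $Safer '0\Paths'   # subkey "0" is the Disallowed level

# Policy-wide settings: default level Unrestricted (0x40000), apply to all
# users (PolicyScope 0), enforce for all executables except DLLs (1).
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Type DWord -Value 0x40000
Set-ItemProperty -Path $Safer -Name PolicyScope        -Type DWord -Value 0
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Type DWord -Value 1

# Paths to block (assumed dropper locations). %Temp%\*.zip\ covers files run
# straight out of Explorer's built-in zip viewer; Rar*/7z* cover archivers.
$BlockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\Rar*\*.exe',
    '%Temp%\7z*\*.exe',
    '%Temp%\*.zip\*.exe'
)

foreach ($p in $BlockedPaths) {
    # Each rule lives in its own {GUID} subkey under the Disallowed level.
    $ruleKey = Join-Path $Disallowed ([guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData    -Type ExpandString -Value $p
    Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Type DWord        -Value 0
    Set-ItemProperty -Path $ruleKey -Name Description -Type String `
        -Value "Block executables in $p (ransomware dropper path)"
}

# Verification: list every path now blocked by the Disallowed level.
Get-ChildItem -Path $Disallowed |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
```

The rules take effect for processes started after the next logon or policy refresh, and on a domain-joined machine a GPO-delivered SRP overrides these local values, which is why the kit's GPO route is preferable for fleets.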

Prevention, in this case, is significantly better than cure:

  • Stay patched. Keep your operating system and software up to date.
  • Make sure your anti-virus is active and up to date.
  • Avoid opening attachments you weren't expecting, or from people you don't know well.
  • Make regular backups, and store them somewhere safe, preferably offline.

Make it your task today to search out and destroy any malware already on your computer (use malwarebytes.org), lest it dig you in deeper still.


About Brent Whitfield

Brent Whitfield is CEO of DCG Technical Solutions, Inc., which has provided IT support in the Los Angeles area since 1993. DCG exists to help our clients choose, implement, and manage IT and cloud solutions that are cost-effective and reliable. DCG's proactive approach to IT is ideally suited for companies who depend on reliable IT infrastructure but don't want to spend a lot of money to keep it that way. DCG was recognized among the Top 10 Fastest Growing MSPs in North America by MSP Mentor. Brent has been featured in Fast Company, CNBC, Network Computing, Reuters, and Yahoo Business.

