Submitted by Charlton Stanley, Guest Blogger
“I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually ‘Nothing; you’re screwed’.”
– Bruce Schneier
The quote from Bruce Schneier at the top of this article is the unvarnished truth from one of the leading internet security and cryptography experts in the world. Which brings us to the subject of this story. The latest threat to everyone's computer is a form of malware called "ransomware." Ransomware is not new; it first appeared years ago, but those early attempts were clumsy, the encryption was easily broken, and the perpetrators were caught. In the past few weeks the threat is back, more sophisticated and more dangerous than almost any malware threat to date. Although often referred to as a virus, it is not a true computer virus, because it does not self-propagate; it is a Trojan, which the victim has to run. Ransomware does not try to steal your files, passwords or photographs. Rather, it holds them hostage until you pay a ransom. There are several ransomware families going around, but CryptoLocker is the one getting the most media attention. How it works is this: you open a file that arrived by email, or click a link on a web page, typically something posing as a PDF of a business letter or report. Shortly after, the warning reproduced below appears. You will have no warning until it is too late; by the time the box appears, your files are already encrypted. The message reads:
Your personal files are encrypted!
Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this. (it inserts a link to the encrypted files)
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files…
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency.
Click <<Next>> to select the method of payment and the currency.
Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.
RSA is a public-key encryption scheme published in 1977 by three cryptographers: Ron Rivest, Adi Shamir and Leonard Adleman. The "2048" is the size in bits of the public modulus, which is the product of two large prime numbers. That modulus, together with a public exponent, is the public key, and anyone who holds it can encrypt data. Decrypting requires the private key, which is derived from the two primes and, in this case, exists only on the criminals' server. Recovering it from the public key alone would mean factoring a 2048-bit number, which is not feasible with any known method or hardware. Schemes like this typically encrypt each file with a fast symmetric cipher under a freshly generated key and use RSA only to encrypt that file key, but the result is the same: without the private key, nothing comes back. Adding to the problem is the "dead man switch" the note threatens: any attempt to tamper with the software or lock it out will, it says, cause the server to destroy the private key. Additionally, ransomware usually imposes a time limit of about 72 hours, with a countdown timer showing how much time you have left to pay. In the warning screen the countdown clock is on the left side; the screenshot accompanying this post showed fifty-six hours, sixteen minutes and twelve seconds left. When that timer reaches 00:00:00, the note says, the decryption key will be destroyed.
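To make the key scheme above concrete, here is a small working model of it. This is an added example, not CryptoLocker's code: textbook RSA with 512-bit keys stands in for RSA-2048, and an HMAC-SHA256 keystream stands in for the symmetric cipher (neither is fit for protecting real data). The names `encrypt_file`, `decrypt_file` and `recover_without_private_key` are this example's own. What it shows is that the infected machine only ever needs the public key `(n, e)` to encrypt, and that nothing it holds can reverse the process.

```python
"""Toy model of a public-key ransomware scheme (added example, not CryptoLocker's code)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

Key = Tuple[int, int]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512) -> Tuple[Key, Key]:
    """Return ((n, e), (n, d)). n = p*q is what the '2048' in the ransom note refers to."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:   # e is prime, so this guarantees gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)               # private exponent (needs Python 3.8+)
    return (n, e), (n, d)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the symmetric cipher: XOR with an HMAC-SHA256 keystream (toy, not AES)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_file(plaintext: bytes, public_key: Key) -> dict:
    """Per file: fresh random key, wrapped with the public key only (all the Trojan needs)."""
    n, e = public_key
    file_key = secrets.token_bytes(32)                           # 256-bit key, always < n
    nonce = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)         # textbook RSA, no padding (toy)
    return {"nonce": nonce, "wrapped_key": wrapped,
            "ciphertext": keystream_xor(file_key, nonce, plaintext)}


def decrypt_file(blob: dict, private_key: Key) -> bytes:
    """What only the holder of d can do: unwrap the file key, then undo the keystream."""
    n, d = private_key
    value = pow(blob["wrapped_key"], d, n)
    if value >= 1 << 256:
        raise ValueError("unwrapped value is not a file key: wrong private key")
    return keystream_xor(value.to_bytes(32, "big"), blob["nonce"], blob["ciphertext"])


def recover_without_private_key(blob: dict, public_key: Key) -> Optional[bytes]:
    """The victim's position: only (n, e) is on the machine. Using e in place of d fails."""
    try:
        return decrypt_file(blob, public_key)
    except ValueError:
        return None
```

Key generation at this size takes well under a second; the real scheme's 2048-bit modulus changes nothing about the asymmetry, only the cost of factoring it.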
The file types CryptoLocker encrypts, by extension:
????????.jpe, ????????.jpg, *.3fr, *.accdb, *.ai, *.arw, *.bay, *.cdr, *.cer, *.cr2, *.crt, *.crw, *.dbf, *.dcr, *.der, *.dng, *.doc, *.docm, *.docx, *.dwg, *.dxf, *.dxg, *.eps, *.erf, *.indd, *.kdc, *.mdb, *.mdf, *.mef, *.mrw, *.nef, *.nrw, *.odb, *.odc, *.odm, *.odp, *.ods, *.odt, *.orf, *.p7b, *.p7c, *.p12, *.pdd, *.pef, *.pem, *.pfx, *.ppt, *.pptm, *.pptx, *.psd, *.pst, *.ptx, *.r3d, *.raf, *.raw, *.rtf, *.rw2, *.rwl, *.sr2, *.srf, *.srw, *.wb2, *.wpd, *.wps, *.x3f, *.xlk, *.xls, *.xlsb, *.xlsm, *.xlsx, img_*.jpg
The criminals even anticipated your anti-virus software removing CryptoLocker. If the Trojan is gone, you will get a screen instructing you to restore it from your anti-virus quarantine, or to download it again from an infected site, because without it running you cannot even pay the ransom and receive the private key; your files stay encrypted. There is now a new twist to the scam: if the original ransom window times out, the criminals will, for a punitive added fee, sell the victim the private key through a separate "decryption service." Currently, the going rate is five times the original ransom price.
There is an excellent description of this malware, and some of the ways to deal with it, at bleepingcomputer.com. There is also useful information at the Malwarebytes web site. Start with those two; other antivirus companies have similar write-ups, and it is worth reading them as well before installing the software you think will work best for you.
The University of Oxford Medical Sciences Division’s IT department has this advice:
“Make the “file extension” (.docx, .xlsx, .pptx) on users’ documents clearly visible on all Windows machines connected to our network. Recent Windows versions hide this by default – the CryptoLocker infected attachment uses this feature to masquerade as a PDF file, when in fact with the file extension visible, we can see that it actually has a double file extension in the format “.pdf.exe” and is therefore an executable program, which runs when you try to open the file.
Users are advised to be even more vigilant than usual when opening emails – and attachments, particularly if they appear to come from a well-known courier company, even one you or your group/department regularly use.”
It is a good idea to change the Windows setting so that file extensions are always shown, for the reasons given in this message from the University of Oxford. Instructions at this link.
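The Oxford advice can be turned into a check you can run over a list of attachment names before anyone double-clicks them. The following is an added example, not part of the original post or of any vendor's product. It models the default Explorer behaviour (hide the last extension when it is a known type) with assumed lists of executable and document extensions rather than a registry lookup, and it also flags the right-to-left-override trick, a second way of disguising an executable that the post does not mention. The sample names at the bottom are constructed.

```python
"""Flag attachments that hide an executable behind a document extension (added example)."""
import re

# Assumed lists for this example, not a Windows registry lookup.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".wsf"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".jpg", ".png", ".txt", ".zip"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS   # what Explorer hides under the default setting

RLO = "\u202e"   # Unicode right-to-left override: 'photo\u202egpj.exe' renders as 'photoexe.jpg'

_EXT_RE = re.compile(r"(\.[A-Za-z0-9]{1,5})$")


def split_extension(name: str):
    """Return (stem, extension lower-cased or ''), e.g. 'A.pdf.exe' -> ('A.pdf', '.exe')."""
    m = _EXT_RE.search(name)
    if not m:
        return name, ""
    return name[:m.start()], m.group(1).lower()


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """The name the user sees in Explorer with 'Hide extensions for known file types' on."""
    stem, ext = split_extension(filename)
    if hide_known_extensions and ext in KNOWN_EXTS:
        return stem
    return filename


def classify(filename: str) -> dict:
    """Decide whether a name is an executable dressed up as a document."""
    stem, real_ext = split_extension(filename)
    _, claimed_ext = split_extension(stem)        # the extension left visible once real_ext is hidden
    executable = real_ext in EXECUTABLE_EXTS
    uses_rlo = RLO in filename
    masquerade = executable and (claimed_ext in DOCUMENT_EXTS or uses_rlo)
    return {
        "filename": filename,
        "shown_as": displayed_name(filename),
        "executable": executable,
        "masquerade": masquerade,
        "reason": ("double extension" if claimed_ext in DOCUMENT_EXTS and executable
                   else "right-to-left override" if uses_rlo and executable
                   else ""),
    }


# Constructed attachment names for the demonstration (not real samples).
SAMPLE_ATTACHMENTS = [
    "Shipping_Notice_UPS.pdf.exe",
    "Quarterly_Report.docx",
    "Invoice.PDF.scr",
    "holiday\u202egpj.exe",
    "notes.txt",
]


def suspicious(names):
    """Return the classification of every name that should not be opened."""
    return [c for c in map(classify, names) if c["masquerade"]]


if __name__ == "__main__":
    for verdict in suspicious(SAMPLE_ATTACHMENTS):
        print(f"{verdict['filename']!r} is shown as {verdict['shown_as']!r}: {verdict['reason']}")
```

Showing extensions fixes the double-extension case only; the override character survives that setting, which is why a mail gateway or the user's own habit of checking the real type is still worth having.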
CryptoLocker can also install itself when a computer is started in Safe Mode, another new twist.
When the Trojan first appeared a few weeks ago, the ransom was demanded in Bitcoin, usually about two Bitcoins. At that time a Bitcoin was worth around a thousand dollars, so the hapless victim had to come up with a couple of grand in less than three days. The price of Bitcoin has fluctuated recently, so the crew holding your computer hostage has added other ways for the victim to pay in more stable currencies, although they have not abandoned Bitcoin.
The primary targets seem to be small to medium sized businesses and individuals. A few days ago, the Swansea, Massachusetts Police Department's computers were hit, and the department paid the ransom to recover its database. That raises an interesting legal question. Any evidence stored on that system was rendered unreadable by a third party and came back only through a key the criminals supplied. Can it still be used in court?
All major law enforcement agencies strongly recommend against paying the ransom. Paying just further enables the thieves, enriching them and funding the next campaign. That can mean only one thing: in order to avoid paying to decrypt your files, you must have copies backed up in a separate location where the ransomware cannot reach them.
This is sophisticated software, and the people running these operations are not amateurs. Once the Trojan is running on your computer, it encrypts every file it can reach: not only the local disk, but mapped network shares, attached external drives and anything your cloud-storage client keeps in sync. It does not need to copy itself to those other machines; having write access to their files is enough.
Anti-virus products are being updated to block the Trojan or keep it from running in the first place, but no software can decrypt the files it has already encrypted. CryptoLocker uses strong encryption correctly, so a decryption tool is not to be expected unless the criminals' private keys are somehow recovered. Even if the Trojan is removed completely from the computer, the files are still encrypted; without the key, they are effectively gone.
After spending the past week researching this threat to all of us, I have one or two suggestions. My suggestions are based on the fact that I have experienced both the "blue screen of death" and actual mechanical hard drive failure. When your hard drive suddenly begins to sound like a fifteen-year-old trying to drive a stick shift for the first time, you know nothing good will come of it. As is often said, "It is not a matter of if, but a matter of when." If one looks at CryptoLocker as just another form of complete hard drive failure, then the alternative to paying ransom is more obvious. Back in the olden days of DOS, our office computer had a tape backup. It took close to an hour to back up the files, so the tape backup always started an hour before everyone left for the day. At my suggestion, we had two tapes, marked "1" and "2". The odd-numbered tape was used on odd-numbered days, and the even-numbered tape on even-numbered days. That way, if we had a drive failure, we had the tape from the day before. Or, as happened one time, the drive failed and the tape broke the same day. We still only lost two days' work.
Many people back up constantly, or in some cases several times a day. One of the things Professor Schneier does to isolate files and computers is keep what he calls an "air gap" between machines. I have not yet upgraded our system, because this threat is so new. However, this weekend I plan to buy at least one and possibly two large external hard drives for the main office computer. I have an external hard drive for the home computer, but it is over capacity and I need a new one anyway. They will not be plugged into the computer until it is time to do a backup, and I will back up once a day. That way, if the computer becomes infected with CryptoLocker or any other malware, or a hard drive fails, I still have a backup. Experts on ransomware seem to be of a mixed mind with regard to cloud storage. Most cloud storage services claim to have strong virus protection, including protection against ransomware, but a sync client will faithfully upload the encrypted versions of your files on top of the good ones; what matters is whether the service keeps earlier versions you can roll back to. As I said above, these crooks are pros, and Murphy's Law is still operant.
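The odd/even tape rotation and the unplugged external drive both rest on the same idea: a backup taken after the infection must not destroy the one taken before it. The script below is an added example of that idea, not the author's own setup. Each run writes a new dated snapshot directory on the backup drive; files unchanged since the last snapshot are hard-linked rather than copied, so a single drive holds many days of history, and files in older snapshots are made read-only. The `demo` function builds a constructed set of documents, takes a backup, overwrites the files with the targeted extensions the way the Trojan would, takes another backup, and reports that the first snapshot is still intact. The path names and sample files are assumptions of the example.

```python
"""Dated, hard-linked snapshots for an offline backup drive (added example)."""
import filecmp
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# A subset of the extensions from the CryptoLocker target list quoted earlier in the post.
TARGETED = {".docx", ".xlsx", ".jpg", ".pdf"}


def take_snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Copy `source` into backup_root/label; unchanged files are hard-linked to the newest snapshot."""
    backup_root.mkdir(parents=True, exist_ok=True)
    earlier = sorted(p for p in backup_root.iterdir() if p.is_dir())
    previous = earlier[-1] if earlier else None       # labels sort by date, e.g. 2013-11-29
    dest = backup_root / label
    dest.mkdir(exist_ok=False)                        # never clobber an existing snapshot
    for path in sorted(source.rglob("*")):
        rel = path.relative_to(source)
        target = dest / rel
        if path.is_dir():
            target.mkdir(parents=True, exist_ok=True)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        old = previous / rel if previous is not None else None
        if old is not None and old.is_file() and filecmp.cmp(path, old, shallow=False):
            os.link(old, target)                      # identical content: share the stored bytes
        else:
            shutil.copy2(path, target)                # new, modified or encrypted: fresh copy
            os.chmod(target, 0o444)                   # history is read-only from here on
    return dest


def restore(snapshot: Path, rel: str, source: Path) -> Path:
    """Copy one file back from a snapshot and make it writable again."""
    target = source / rel
    shutil.copy2(snapshot / rel, target)
    os.chmod(target, 0o644)
    return target


def demo(root: Optional[Path] = None) -> dict:
    """Two backups around a simulated ransomware run; returns what each snapshot holds."""
    workdir = root if root is not None else Path(tempfile.mkdtemp())
    source, drive = workdir / "documents", workdir / "offline_drive"
    (source / "photos").mkdir(parents=True)
    letter = b"Dear Sir, please find the signed contract attached."   # constructed sample
    (source / "contract.docx").write_bytes(letter)
    (source / "photos" / "img_0001.jpg").write_bytes(b"\xff\xd8\xff" + bytes(64))
    (source / "readme.txt").write_bytes(b"not a targeted extension")

    day1 = take_snapshot(source, drive, "2013-11-29")

    # Simulated Trojan: targeted files overwritten in place with random bytes, names unchanged.
    for f in source.rglob("*"):
        if f.is_file() and f.suffix.lower() in TARGETED:
            f.write_bytes(os.urandom(f.stat().st_size))

    day2 = take_snapshot(source, drive, "2013-11-30")
    restore(day1, "contract.docx", source)
    result = {
        "day1_intact": (day1 / "contract.docx").read_bytes() == letter,
        "day2_encrypted": (day2 / "contract.docx").read_bytes() != letter,
        "readme_shared": os.stat(day2 / "readme.txt").st_nlink == 2,
        "restored": (source / "contract.docx").read_bytes() == letter,
    }
    if root is None:
        shutil.rmtree(workdir, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

The read-only bit is a guard against accidents, not against malware: anything with write access to a mounted drive can change permissions or delete whole snapshots. The protection comes from the drive being unplugged between runs, which is exactly the air gap the post describes; the hard links just make keeping several days of history cheap.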
Frankly, if any of my hard drives becomes infected with ransomware, I will never use it again. I am aware of the claims that ransomware is easy to remove, but I am also aware that virus writers are busy making removal difficult or impossible. I will take the hard drive out and destroy it, along with any other installed storage. The top computer security experts are saying that since the current version of CryptoLocker and other ransomware is so profitable, newer, more powerful and more sophisticated versions are certainly being created. The criminals know that every security agency in the world is working on ways to shut them down or stop the Trojan before it reaches its target. Like every other internet threat, this one will continue to evolve as long as there is money to be made.
CryptoLocker is not the only ransomware floating around. There is the "FBI virus." That one pops up with an official-looking warning to the effect that the FBI has been monitoring your browsing and has determined you are visiting child pornography sites or violating copyright laws. You are further informed that your files are encrypted and you can only decrypt them by paying a "fine" of several hundred dollars within a specified time. Some of these warnings include the threat that you will be arrested and jailed if you don't pay the fine they demand. Different scenario, same kind of extortion.
These threats are still evolving, and as fast as anti-virus software is updated to protect the user, the criminals keep up. The only backup you can count on is one you manage yourself, offline. That is why I am getting my own external hard drive instead of relying on someone else's servers in the so-called cloud.
I cannot and will not presume to tell anyone the best way to protect yourself. I have thrown out a few resources and explained what I plan to do with my own system. If one is not an expert, the best plan is to consult with an expert. Additionally, I am not going to pretend there is a solution if your files are already encrypted by CryptoLocker or other ransomware. I wrote about encryption recently, mentioning TrueCrypt, a disk-encryption program. TrueCrypt uses symmetric ciphers such as AES rather than the RSA public-key scheme these criminals use, but the lesson is the same: properly encrypted data cannot be recovered without the key. Once your files are encrypted, recovering them seems to be a lost cause other than paying the ransom. Personally, it seems more logical to spend the same amount, or less, on good backup hardware. I have provided several links below which should be a good start on making up your own mind about what will work best for you and your situation. These are current and working links at the time I am posting them.
PC Advisor: What you need to know about CryptoLocker and how to protect yourself from this ransomware
Matthew Hughes: CryptoLocker Is The Nastiest Malware Ever & Here’s What You Can Do
Naked Security: Destructive malware “CryptoLocker” on the loose – here’s what to do
CRN’s Robert Westervelt: Cryptolocker Attacks, Ransomware Target Small Businesses: Cisco
Larry,
By now, most good anti-virus and anti-malware programs can remove CryptoLocker. The problem is, the encrypted files will NOT be decrypted, and without the key from CryptoLocker, they cannot be unencrypted. If you delete CryptoLocker while your files are still encrypted, the crooks tell you to retrieve it from your anti-virus quarantine, or reinstall it from an infected site. At that point, they penalize you by charging five times the original ransom price to unlock your files.
I found a site that says it can remove CryptoLocker, by downloading the ESET Rogue Application Remover:
http://kb.eset.com/esetkb/index?page=content&id=SOLN3035
I already had the FBI virus happen to me. It was scary. I hadn't done anything wrong, but it was scary because NOTHING I did got that damned thing off my screen. I finally got it off by rebooting my computer, tapping F8 until the screen that has "safe mode" on it appeared, and choosing the one that said it was a restore. It ran the restore and my computer was working normally again.
I knew the FBI thing was a hoax almost immediately because it said it gave me 72 hours to purchase some kind of software at a local store and if I didn't pay it in 72 hours, the FBI would come take me away. I thought, "If I was really in trouble and doing something illegal, the FBI would not give me a 3 day head start to flee, and I certainly would not be able to pay my way out of it."
Next up, the ransomware lies dormant until the second time you back up…
Guys, I’m aware of the NK/China politics and the difference between realpolitik and someone handing me the launch codes. Still, if I made a list of places to obliterate in order to effect regime change (and could be fairly certain of doing the job) Pyongyang is right up there.
Between the ever-filled work camps, previous and lingering famine deaths and death from disease and chronic malnutrition, arguably the population (in numbers) of Pyongyang has already died, and there's no relief for those folks in sight as long as their pain suits the Chinese politically and the ruling elite in NK can live like kings.
——-
“more worried about direct Chinese aggression in the region over the Senkaku islands. ”
Yeah, that’s heating up, they want the natural gas that is now in japan’s territorial waters.
Our government put a man on the moon many years ago. Our government sends drones over Afghanistan to kill tallybandits. Why can our government not find these computer punks and drone them?
LK,
NK is a stalking horse/regional proxy for the Chinese. So long as they provide an element of instability to threaten east Asia, they are serving their purpose for the Chinese. Or do you really think the Chinese would let an allegedly rogue nation with nukes on their border act that way without simply invading them? The Kim family is nuts. No arguing that. Their regime is one of the most oppressive and cruel going, but other than sabre rattling, they keep their abusive nature largely domestic. But if they ever got too far out of line? They'd be out of power and replaced with a Beijing puppet in a metaphorical heartbeat. Personally, I'm more worried about direct Chinese aggression in the region over the Senkaku islands. That could get out of hand in a bad way.
lotta, first off – I don’t believe you. I don’t believe you would nuke Pyongyang. But if you insist…..what the hell. Is it getting too boring around here that we need to blunder into a war with the Chinese or something?
Secondly, I hope you will stop reading whatever it is that is telling you that we are sending 85 year old stick out like a sore thumb white men to spy or take pictures as clueless tourists. Just what the hell do you suppose he could take a picture of that drones or satellites or a turncoat Chinese can’t do a million times better?
Too damn much paranoia around here.
pdm, no American goes to NK unless our government wants them to. No doubt they are given a briefing before they leave on how to take pictures of places and things of interest while appearing to be just clueless tourists. That is how it was done at the height of the cold war when we still had businessmen and capitalist functionaries visiting Russia. That is what I have read, in any event.
The tourist in the above story is insignificant. He just reminded me of NK and the Kim dynasty. Linked below is my beef with NK.
You are a better person than I am, it’s that simple. I would nuke Pyongyang in an instant if there was a reasonable assurance of cutting the head off that snake of a government. I’d be hoping to get most of its military leaders too.
http://www.hrw.org/world-report/2013/country-chapters/north-koare
lottakatz, I've grown weary of the idjets who go to North Korea as "tourists" or to sell bibles or something. And sorry, I'm not ready to blow several million little kids to kingdom come in order to get revenge for one incredibly stupid and addled old man.
Have you heard of the Lawnmower Man virus?
Samantha: “…if the NSA itself is behind this trojan, it would explain its inaction.”
I think it’s more complicated than that. This kind of thing brings up the unexplored concept of cyber-war, what it really is and how would one manage it. It’s easy to think that if NSA, FBI, CIA but really NSA was doing the job it’s supposed to be doing, they would have already localized the origin to some number of server farms, possibly governmental, and fried them by now. Yes, you can destroy equipment with programming as Stuxnet has shown.
And why not do that, since it is war of a sort and could very well be considered an attack on the US's business security? We have laws giving the above US agencies a mandate for being in the cyber business that includes just that aim, protecting the national interest by fending off attacks to business (cyber) infrastructure. It's why the FBI and Treasury Dept. round up hackers and whistleblowers and creative guys like Aaron Swartz, RIP.
How do you manage a cyber-war when, if you fry server farms in NK or Belarus for the cryptowhatever of the day, they then might turn their attention to Wall Street, or your dam operations or your electrical grid or target a few nuclear power plants? I’m just paranoid enough to think that there are a new set of rules of engagement worked out among the worlds nations and just plain larceny is tolerated as background noise, to be handled through less intrusive means. Inaction may be agreed to response.
If there isn't a new set of rules there sure needs to be, because MAD is a serious consideration if a crypto-war goes hot. You don't need nukes for other developed countries these days; everything is run by code. Any nation, IMO, could be seriously damaged, if not brought to its knees, by another country's hackers/cyber warriors.
[ As for Pyongyang, if it was up to a vote i’d vote to turn it into glass, I have grown weary of the Kims. ]
http://www.rawstory.com/rs/2013/11/30/north-korea-extracts-apology-from-detained-american-korean-war-veteran/
@Otteray Scribe – My 2 cents (FWIW)? The two most likely suspects are either in Sofia, Bulgaria or Pyongyang, NK-DPRK (or a blend of both). Both of these uber-hacker groups are very capable of this type of cyber-attack. The Bulgarian one is "Cyber Warrior Invasion," recently busted by the Bulgarian feds in summer 2012, and Kim Jong Un's 3,000+ strong cyber unit "Cyber Command" is a force to be reckoned with. They clearly have "US" in their cyber-cross-hairs.
This is one of the MANY reasons why I think NSA (et al) is listening in so to speak. Not just apparent cyber-threats but other blended-threats not on the US Public’s radar yet. Maybe 60-Minutes will do a piece on it soon and people can start rethinking the NSA’s role in spying on “certain folks”. However, I’m not being an apologist for the CIA yet. They still have way too many complicated loyalty issues for my taste – ever since 1947 at their inception.
nick spinelli 1, November 30, 2013 at 10:17 am
Hookers For Hackers has been my proposed solution to all of these problems. Get these geeks laid on a regular basis and they won’t be doing this stuff. I’m down for $100.
================================
LOL.
Me too.
Otteray Scribe 1, November 30, 2013 at 2:37 pm
Most security people writing about this seem to think it is a Russian mafia operation. There has also been speculation it might be originating in China. The awkwardly constructed messages suggest they were not written by anyone for whom English is a first language.
At any rate, hardly the work of one person working out of his mama’s basement while he munches on Cheetos and cold pizza. Or from one fixed location either.
============================
All boogie men, since the incremental fear coup began decades ago, originate in the places the evil eye of Sauron is upon:
(On The Origin of The Bully Religion – 2, quoting 1944 book). You can tell where one’s ideology originates, its DNA if you will, by who they want us to fear.
Follow the money, follow the fear, and follow the immunity.
It leads to the sadomasochistic wizard of odds.
Most things like this do come out of eastern europe
@Samantha – It would depend on how you are backing up. If you are copying the files then yes, you can move unusable files onto the drive. If you use something like Acronis it compresses and manages the archives (files backed up this way are less likely to get encrypted). For instance, it's common to just back up the changes nightly and do a full backup every 7th day. More sophisticated tools allow multiple USB drives to be used for backups. For instance, it's common in small business environments to back up to USB hard drives. One is connected, one is next to the server and the 3rd is at home in a safe.
Most security people writing about this seem to think it is a Russian mafia operation. There has also been speculation it might be originating in China. The awkwardly constructed messages suggest they were not written by anyone for whom English is a first language.
At any rate, hardly the work of one person working out of his mama’s basement while he munches on Cheetos and cold pizza. Or from one fixed location either.
Samantha – You’re right – the NSA could easily take care of CryptoLocker, and it is a threat to national security. But the NSA doesn’t really care about our security; it’s all about their self-aggrandizement.
There is nothing preventing Cryptolocker from replicating itself to your backup drive, the minute you power it on. What amazes me most here, is that the government, with its vast NSA resources, can’t use its audit trail to find and locate these criminals. But then again, if the NSA itself is behind this trojan, it would explain its inaction. In the same way that the IRS had targeted Tea Partiers, victim demographics or political affiliation could easily point to the perpetrators.