Protect Your Computer From CryptoLocker Ransomware Malware

CryptoLocker

CryptoLocker is a type of ransomware that was first discovered in September of 2013. When a victim loads the malware onto their system by clicking on an infected link in a bogus email message, the program encrypts all of the personal files on the system and then essentially makes the system unusable until a ransom of 2 Bitcoins is paid, the equivalent of over $1,000 USD at current Bitcoin trading values.

Once your system becomes infected you only have 72 hours to come up with the ransom before the encryption key needed to decrypt all your files is permanently deleted. Once that happens you may as well go out and buy a new computer.

The malware ends up on your computer in the same manner that all malware arrives: by clicking on attachments in email messages that are disguised as something else, like a personal letter from the finance minister of Nairobi or airline tickets to tropical destinations. After all, who doesn't have the finance minister of Nairobi on their personal email list, and airlines routinely email tickets to random people who didn't buy them.

The point of the preceding paragraph is to highlight the fact that the vast majority of the time, malware infections on your system can be prevented by following a few common sense precautions. Don't open email attachments from people or businesses you don't know. Just use your head. If a deposed prince from some far off country really were trying to sneak hundreds of millions of dollars out of his country, would his adviser really give him your email address and say "This is the guy you need to talk to"?

What Is CryptoLocker?

Cryptolocker

CryptoLocker gets installed when a user clicks on a malicious attachment within an email message and opens the hidden file. After installation it immediately adds itself to the Startup folder under a random name. CryptoLocker will only install on a Windows system, as the program is incompatible with Macintosh or Linux systems. Once installed it tries to establish a connection with the remote command and control server, to which it sends information about your system.

Once it makes a successful connection, the remote command and control server generates a pair of 2048-bit encryption keys, one public and one private, as well as a newly created Bitcoin address. The public key, the version number together with the new Bitcoin address, and the command and control server address (in encrypted form) are then stored in the system registry at:

HKEY_CURRENT_USER\Software\Cryptolocker_NUMBER\

It then begins encrypting any files on local and network drives that have any of these extensions:

.odt .ods .odp .odm .odc .odb .doc .docx .docm .wps .xls .xlsx .xlsm .xlsb .xlk .ppt .pptx .pptm .mdb .accdb .pst .dwg .dxf .dxg .wpd .rtf .wb2 .pdf .mdf .dbf .psd .pdd .eps .ai .indd .cdr .jpg .jpe img_*.jpg .dng .3fr .arw .srf .sr2 .bay .crw .cr2 .dcr .kdc .erf .mef .mrw .nef .nrw .orf .raf .raw .rwl .rw2 .r3d .prx .pef .srw .x3f .der .cer .crt .pem .pfx .p12 .p7b .p7c
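The practical use of that extension list for a defender is to find out, before anything happens, how much of a machine or a share falls inside it and therefore what a backup has to cover. The following script is an added example written for this article, not code from the page or from any tool it mentions; it walks a directory, groups the matching files by the kind of data they hold (the category names are my own grouping of the list above, and the sample directory tree it builds is constructed for the demonstration), and reports counts and sizes. The certificate and private key entries at the end of the list get their own category because losing those is a different problem from losing a spreadsheet.

```python
import os
import tempfile
from collections import Counter

# Extensions from the article's target list (lower-case, without the dot),
# grouped so the report says what kind of data is exposed. The grouping is
# this example's own; the article gives the list as one flat sequence.
TARGET_CATEGORIES = {
    "office documents": "odt ods odp odm odc odb doc docx docm wps xls xlsx xlsm xlsb xlk ppt pptx pptm wpd rtf wb2 pdf",
    "databases and mail stores": "mdb accdb pst mdf dbf",
    "cad and design files": "dwg dxf dxg psd pdd eps ai indd cdr",
    "photos and camera raw": "jpg jpe dng 3fr arw srf sr2 bay crw cr2 dcr kdc erf mef mrw nef nrw orf raf raw rwl rw2 r3d prx pef srw x3f",
    "certificates and private keys": "der cer crt pem pfx p12 p7b p7c",
}
EXTENSION_TO_CATEGORY = {
    ext: category
    for category, exts in TARGET_CATEGORIES.items()
    for ext in exts.split()
}


def classify(path):
    """Return the exposure category for a file name, or None if it is not on the list."""
    name = os.path.basename(path).lower()
    if "." not in name:
        return None
    return EXTENSION_TO_CATEGORY.get(name.rsplit(".", 1)[1])


def audit_exposure(root):
    """Walk `root` and summarise which files CryptoLocker would encrypt.

    Returns {category: (file_count, total_bytes)}. Symlinks are not followed,
    so a link into another tree is not counted twice; unreadable entries are skipped.
    """
    files = Counter()
    sizes = Counter()
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for filename in filenames:
            category = classify(filename)
            if category is None:
                continue
            try:
                size = os.lstat(os.path.join(dirpath, filename)).st_size
            except OSError:
                continue
            files[category] += 1
            sizes[category] += size
    return {cat: (files[cat], sizes[cat]) for cat in files}


def build_sample_tree():
    """Create a constructed sample directory (not real user data) for the demo."""
    root = tempfile.mkdtemp(prefix="exposure-demo-")
    sample = {
        "Documents/thesis.DOCX": 4096,       # extension matching is case-insensitive
        "Documents/budget.xlsx": 2048,
        "Documents/notes.txt": 512,          # .txt is not on the list
        "Pictures/IMG_0001.jpg": 8192,
        "Pictures/raw/IMG_0001.cr2": 16384,
        "Outlook/archive.pst": 65536,
        ".ssh/id_rsa.pem": 1679,
        "Downloads/setup.exe": 1024,         # executables are not targeted
    }
    for rel, size in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"x" * size)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for category, (count, total) in sorted(audit_exposure(demo_root).items()):
        print(f"{category:30s} {count:4d} files {total:9d} bytes")
```

Point it at a user profile or a mapped network drive instead of the sample tree to see what an infection on that machine would actually cost; the network drive case matters because the article notes that mapped shares are encrypted too, so a backup that only covers the local disk leaves that data exposed.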


The public key is stored along with the encrypted files on the local computer but the private key is stored on the remote command and control server.  You are then told to pay 2 bitcoins for the command and control server to upload the private key which is required to begin the decryption process.

CryptoLocker payment

Users either pay up or lose access to everything on their computer forever, as analysts have stated that, due to the huge size of the key used, decrypting files without the key is virtually impossible. Take for example banks, which use 248 bit encryption that is considered very secure; CryptoLocker's key is 2,048 bits.

If payment has not been made after 72 hours, the private key is deleted from the command and control server and you can say goodbye to ever seeing what was in the encrypted files again.

Once you make your payment to these criminals to regain access to your computer and all its files, you are asked to enter your transaction ID and the payment is verified. Once it is confirmed, the private key is sent by the remote command and control server, added to the registry, and the decryption process begins.

What To Do If Your Computer Is Infected?

Currently there is nothing you can do to decrypt your files without purchasing the decryption key. Trying to brute force a file that's been encrypted with a 2048 bit key is pretty much impossible. If you get infected and don't pay the ransom, you will lose everything on your computer that you spent years working on, and you will lose it forever.

So instead of trying to get your files back, let's try not to get your system infected in the first place. Here are a few things you can do to prevent infection by CryptoLocker and pretty much any other form of malware.

  • Viruses and malware are most often loaded by opening infected attachments in spam emails, so don't open attachments from unknown sources, especially if they are zip or rar files.
  • Keep your operating system and software up-to-date. There's a reason they push out these updates, and that is to close vulnerabilities that get discovered.
  • Use an up-to-date anti-virus program.
  • And make sure you have a backup of all your files, unless you don't really care if anything happens to all your stuff.

CryptoLocker Specific Prevention

There are a few free tools now available online to help prevent getting infected by CryptoLocker. These are:

1. CryptoPrevent tool

What this tool does is apply settings that prevent the CryptoLocker ransomware from being able to execute. Because of the way it works it also prevents a wide range of other malware from executing on your computer, so it's not just for CryptoLocker.

2. HitmanPro.Alert 2.5

HitmanPro-Alert

This tool has a feature called CryptoGuard which monitors your file system for suspicious activity. When it detects the kind of changes that CryptoLocker attempts to make, it terminates the process and protects your files.
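To make "monitors your file system for suspicious activity" concrete, here is an added example of the kind of behavioural rule such a monitor can apply; it is written for this article and is not HitmanPro's code, and the thresholds, the event format and the sample event stream are all assumptions constructed for the demonstration. The rule combines two signals: written content that looks like ciphertext (byte entropy close to 8 bits per byte) and one process rewriting many distinct documents within a short window. A word processor saving one file fails the first test; a slow photo import passes it but never reaches the count.

```python
import math
import random
from collections import defaultdict, deque

# Detection parameters (assumptions for this example, not any product's settings).
WINDOW_SECONDS = 10.0   # look-back window per process
MAX_REWRITES = 5        # distinct documents rewritten inside the window before alerting
HIGH_ENTROPY = 7.5      # bits per byte; ciphertext and compressed data sit near 8.0

# Subset of the extensions the article lists as CryptoLocker's targets.
DOCUMENT_EXTENSIONS = frozenset("doc docx xls xlsx ppt pptx pdf rtf jpg cr2 pst pem".split())


def shannon_entropy(data):
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RewriteMonitor:
    """Flags a process that rewrites many documents with ciphertext-like content in a short time."""

    def __init__(self, window=WINDOW_SECONDS, max_rewrites=MAX_REWRITES, entropy_threshold=HIGH_ENTROPY):
        self.window = window
        self.max_rewrites = max_rewrites
        self.entropy_threshold = entropy_threshold
        self._recent = defaultdict(deque)   # pid -> deque of (timestamp, path)
        self.alerted = set()

    def observe(self, ts, pid, path, sample):
        """Feed one write event (timestamp, process id, path, bytes written).

        Returns True the first time `pid` crosses the threshold.
        """
        ext = path.lower().rsplit(".", 1)[-1]
        if ext not in DOCUMENT_EXTENSIONS:
            return False
        # Ordinary edits of text-like formats do not look like ciphertext.
        # Note that zip-based formats such as .docx do, which is why a single
        # high-entropy write is never enough on its own.
        if shannon_entropy(sample) < self.entropy_threshold:
            return False
        q = self._recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct_paths = {p for _, p in q}
        if len(distinct_paths) >= self.max_rewrites and pid not in self.alerted:
            self.alerted.add(pid)
            return True
        return False


def build_sample_events():
    """Constructed event stream: one legitimate save, a rapid mass rewrite, and a slow photo import."""
    rng = random.Random(1)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    plaintext = b"Quarterly report: revenue up 3%, costs flat. " * 90
    events = [(0.0, 100, r"C:\Users\alice\Documents\report.rtf", plaintext)]
    for i in range(8):   # pid 666 rewrites eight documents half a second apart
        events.append((1.0 + i * 0.5, 666, rf"C:\Users\alice\Documents\file{i}.pdf", ciphertext))
    for i, ts in enumerate((5.0, 30.0, 60.0)):   # pid 200: three JPEGs over a minute
        events.append((ts, 200, rf"C:\Users\alice\Pictures\IMG_{i}.jpg", ciphertext))
    return events


def run_monitor(events):
    """Replay events through a fresh monitor; return the (timestamp, pid) pairs that alerted."""
    monitor = RewriteMonitor()
    return [(ts, pid) for ts, pid, path, sample in events if monitor.observe(ts, pid, path, sample)]


if __name__ == "__main__":
    for ts, pid in run_monitor(build_sample_events()):
        print(f"t={ts:5.1f}s  pid {pid} is mass-rewriting documents with ciphertext-like content")
```

The rule is deliberately simple and will still false-positive on tools that legitimately rewrite many compressed files quickly (archivers, photo exporters, some backup clients), which is why shipping products pair this kind of heuristic with a per-process allow list and with the ability to restore the overwritten files rather than only kill the process.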

This threat has been spreading virally throughout the world, so do yourself a huge favour and be extra vigilant online. Remember, the simplest possible way to stay uninfected by this is to make sure you know what a file is before you open it.

Tell me what you think of this new threat in the comments below.

About Scott

Scott runs iBizz Marketing Solutions, designing websites and social media pages for a wide range of clients. He has held a fascination with computers, and programming specifically, since grade 8 when the first Commodore PET PCs were installed in his classroom and he realized he could program them to create just about anything. When not working for clients he works on his own websites teaching others how to use WordPress to build dynamic websites and secure them from hackers. If you're interested in learning how to build your own websites, check out WordPressMastersAcademy.com. You can also find him on Google+.
