Guide for your staff

Adapted from the Australian Government CERT recommended security guidelines.

Prevention (avoiding infection in the first place) is the best antidote. Using virus and spam filters, and being cautious when opening emails, and especially attachments, is critical.

The ways these types of malware get onto a machine can quickly become complex, but the same common sense that applies to any malware applies here. If you keep doing the following things, you will greatly reduce the chance of infection.

  • Email is the most common source of infections for businesses:

    • Do not open suspicious (or frivolous) emails, attachments or links.
    • Be very cautious with emails and attachments. Cyber criminals have become very clever with 'phishing' emails: they may appear to come from people you know, from Australian organisations you do business with, or even from government organisations such as the ATO or Australia Post. The emails may carry the correct logo and even a genuine link to the organisation's website.
    • They will also include either an infected attachment or a link to an infected website.
    • IF IN DOUBT, CALL THE SENDER FOR CONFIRMATION - and use a phone number you already have, not one given in the email.

  • Infections within websites are extremely common.
    • This happens when a website is hacked and malware is installed on it, usually through a security flaw in the website's software.
    • The owner of the infected website usually does not know it is infected.
    • Your own company website could be infected too if you do not keep its software up to date.


  • Make sure you are using reputable anti-virus / anti-malware software.
    • This helps, but does not guarantee prevention. These products work by recognising known virus 'patterns', and vendors update them with hundreds or even thousands of new patterns every month. A brand-new virus may not yet be detected by your security product.
    • Make sure the security software is up to date.
    • Run a full scan of your computer regularly.


  • Anti-spam software is not a perfect science. It will usually detect and quarantine phishing emails once they become known spam campaigns, but in the first hours of a new campaign they may not be detected. Anti-spam products have to tread a line between letting too much spam through and blocking all spam along with legitimate email you need to see, so there is never a perfect middle ground.

  • Make sure your operating system and applications are up to date and fully patched. Security flaws are regularly found in software products, so they must be patched regularly. Critical security flaws should be patched weekly and other patching done monthly. A monthly cross-check that patches have actually been applied, and that the reboots needed to complete them have been done, is also recommended.

  • Set and use strong, unique passwords.

  • Set passwords on all your network hardware (modems, routers and similar devices) - never leave the default passwords in place.

  • Back up your data. Every few years a new kind of virus emerges for which there is no effective prevention (eg CryptoLocker, Blaster). Good backups minimise losses in these scenarios. Keep at least one copy offline or otherwise disconnected from your computers: CryptoLocker encrypts files on mapped network drives, so a backup that is permanently connected can be encrypted along with everything else.

Have a high quality firewall or gateway appliance. This provides an additional layer of protection, where viruses and bad website links can be stopped before they interact with your network.  

  • There is a big difference between a consumer grade firewall and a business grade firewall. 
  • The best firewalls have active security subscriptions which are updated constantly according to emerging threats - like antivirus software.
  • IT Leaders recommends the WatchGuard appliances.

The information below is about the most recent insidious virus attack. It has been compiled by a third party provider, with the assistance of IT Leaders and many other IT professionals from around the world. The information was first published on the site www.bleepingcomputer.com

CryptoLocker Ransomware Information Guide and FAQ

Published October 14, 2013 @ 03:09 PM | Last Updated: October 16, 2013

Table of Contents

  1. The purpose of this guide
  2. What is CryptoLocker
  3. What should you do when you discover your computer is infected with CryptoLocker
  4. Is it possible to decrypt files encrypted by CryptoLocker?
  5. Will paying the ransom actually decrypt your files?
  6. What to do if your anti-virus software deleted the infection files and you want to pay the ransom!
  7. How to increase the time you have to pay the ransom
  8. How to restore files encrypted by CryptoLocker using Shadow Volume Copies
  9. How do you become infected with CryptoLocker
  10. How to generate a list of files that have been encrypted
  11. How to determine which computer is infected with CryptoLocker on a network
  12. How to prevent being infected by CryptoLocker

The purpose of this guide

There is a lot of incorrect and dangerous information floating around about CryptoLocker. As BleepingComputer.com was one of the first support sites to try helping users who are infected with this infection, I thought it would be better to post all the known information about this infection in one place. This guide, or Frequently Asked Questions, will unfortunately not help you decrypt your files as there is no way to do so. Instead, this FAQ will give you all the information you need to understand the infection and possibly restore your files via other methods.

In many ways this guide feels like a support topic on how to pay the ransom, which sickens me. Unfortunately, this infection is devious and many people have no choice but to pay the ransom in order to get their files back. I apologize in advance if this is seen as helping the developers, when in fact my goal is to help the infected users with whatever they decide to do.

All of this information has been compiled from my own experimentation with this infection, from Fabian Wosar of Emsisoft, and through all the consultants and visitors who contributed to our 48 page CryptoLocker support topic. Big thanks to everyone who contributed information about this infection. This guide will continue to be updated as new information or approaches are gathered. If you have anything that you think should be added, clarified, or revised please let us know in the support topic linked to above.

Info: There is a very active CryptoLocker support topic, which contains discussion and the experiences of a variety of IT consultants, end users, and companies who have been affected by CryptoLocker. If you are interested in this infection or wish to ask questions about it, please visit this CryptoLocker support topic. Once at the topic, and if you are a member, you can subscribe to it in order to get notifications when someone adds more information to the topic.

What is CryptoLocker

CryptoLocker is a ransomware program that was released around the beginning of September 2013. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 hours, or 3 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

CryptoLocker payment screen

When you first become infected with CryptoLocker, it will save itself under a random filename in the root of the %AppData% path. It will then create the following autostart entries in the registry to start CryptoLocker when you log in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"

Please note that the * in front of the RunOnce value name causes CryptoLocker to start in Safe Mode as well.

The infection will then attempt to find a live Command & Control server by connecting to domains generated by a Domain Generation Algorithm (DGA). Some examples of domain names that the DGA will generate are lcxgidtthdjje.org, kdavymybmdrew.biz, dhlfdoukwrhjc.co.uk, and xodeaxjmnxvpv.ru. Once a live C&C server is discovered it will communicate with it and receive a public encryption key that will be used to encrypt your data files. It will then store this key, along with other information, in values under the registry key HKCU\Software\CryptoLocker. Unfortunately, the private key that is needed to decrypt the files is not saved on the computer but only on the Command & Control server.

CryptoLocker will then begin to scan all physical or mapped network drives on your computer for files with the following extensions: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c. When it finds a file that matches one of these types, it will encrypt the file using the public encryption key and add the full path and filename as a value under the HKCU\Software\CryptoLocker\Files registry key.

When it has finished encrypting your data files it will then show the CryptoLocker screen as shown above and demand a ransom of either $100 or $300 in order to decrypt your files. This ransom must be paid using Bitcoin or MoneyPak vouchers. It also states that you must pay this ransom within 72 hours or the private encryption key will be destroyed on the developer's servers.

Warning: If you enter an incorrect payment code, it will decrease the amount of time you have available to decrypt your files. So if you plan on paying the ransom, please be careful as you type the code.

More technical details about this infection can be found in this blog post by Emsisoft.

What should you do when you discover your computer is infected with CryptoLocker

When you discover that a computer is infected with CryptoLocker, the first thing you should do is disconnect it from your wireless or wired network. This will prevent it from further encrypting any files. Some people have reported that once the network connection is disconnected, it will display the CryptoLocker screen.

It is not advised that you remove the infection from the %AppData% folder until you decide if you want to pay the ransom. If you do not need to pay the ransom, simply delete the Registry values and files and the program will not load anymore. You can then restore your data via other methods.

It is important to note that the CryptoLocker infection spawns two processes of itself. If you terminate only one of them, the other will immediately launch it again. Instead, use a program like Process Explorer, right-click on the first process and select Kill Tree, which terminates both at the same time.

Is it possible to decrypt files encrypted by CryptoLocker?

Unfortunately, at this time there is no way to retrieve the private key that is needed to decrypt your files. Brute-forcing the key is not realistic due to the length of time required to break it. Nor will any of the decryption tools released by various companies work with this infection. The only methods you have of restoring your files are a backup, or Shadow Volume Copies if you have System Restore enabled. More information about how to restore your files via Shadow Volume Copies can be found in the Shadow Volume Copies section below.

If you do not have System Restore enabled on your computer or reliable backups, then paying the ransom is the only remaining way to get your files back.

Will paying the ransom actually decrypt your files?

Paying the ransom will indeed start the decryption process. When you pay, you will be shown a screen stating that your payment is being verified. Reports from people who have paid state that this verification can take 3-4 hours to complete. Once the payment has been verified, the infection will start decrypting your files; the decryption process itself has also been reported to take quite a bit of time.

Be warned that there have been some reports of the decryption process giving an error stating that it can't decrypt a particular file. At this point we have no information on how to resolve this. Visitors have reported that the infection will continue to decrypt the rest of the files even if it has a problem with certain files.

What to do if your anti-virus software deleted the infection files and you want to pay the ransom!

Because many anti-virus programs delete the CryptoLocker executables after the encryption has started, you could be left with encrypted files and no way to decrypt them. Recent versions of CryptoLocker now set your Windows wallpaper to a message that contains a link to a decryption tool that you can download if this happens. There are numerous reports that this download does not double-encrypt your files and does allow you to decrypt them.

How to increase the time you have to pay the ransom

When the CryptoLocker screen is first shown, you will see a timer stating that you need to pay the ransom within 72 hours. Some people have reported that you can increase the time by rolling back the clock in your BIOS: to add 10 hours to the timer, set the BIOS clock 10 hours earlier.

How to restore files encrypted by CryptoLocker using Shadow Volume Copies

If System Restore is enabled on your computer, then it is possible to restore previous versions of the encrypted files. Though these previous versions will not be encrypted, they may also not be the latest version of the file. Please note that Shadow Volume Copies, and thus Previous Versions, are only available on Windows XP Service Pack 2, Windows Vista, Windows 7 and Windows 8. In this section we provide two methods that you can use to restore files and folders from a Shadow Volume Copy. The first method uses native Windows features and the second uses a program called Shadow Explorer. It does not hurt to try both and see which works better for you.

Using native Windows Previous Versions:

To restore individual files you can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up as shown in the image below.

Previous Versions Tab for a file

To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to. If you wish to restore the selected file and replace the existing one, click on the Restore button. If you wish to view the contents of the actual file, you can click on the Open button to see the contents of the file before you restore it.

This same method can be used to restore an entire folder. Simply right-click on the folder and select Properties and then the Previous Versions tabs. You will then be presented with a similar screen as above where you can either Copy the selected backup of the folder to a new location or Restore it over the existing folder.


Using Shadow Explorer:

You can also use a program called Shadow Explorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.

When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.

Restoring files with Shadow Explorer

To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.
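
As an added example (not from the original article, and not Shadow Explorer's own code), the same restore can be done with built-in tools from an elevated PowerShell prompt: Win32_ShadowCopy lists the copies, a directory symbolic link exposes the chosen copy's device, and robocopy copies the folder out. The drive letter, the folder Users\jane\Documents and the destination D:\restore\Documents below are placeholders.

```powershell
# Added example, not code from the original article. It lists the Shadow Volume Copies
# of a drive and copies one folder out of a chosen copy using only built-in tools
# (Win32_ShadowCopy, mklink and robocopy). Run from an elevated PowerShell prompt.
# 'Users\jane\Documents' and 'D:\restore\Documents' are placeholders.

function Get-ShadowCopyList {
    param([string]$DriveLetter = 'C:')
    # Win32_ShadowCopy names volumes as \\?\Volume{GUID}\, so translate the drive letter first.
    $vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $vol) { throw "No volume found for $DriveLetter" }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending |
        Select-Object ID, InstallDate, DeviceObject
}

function Restore-FolderFromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$ShadowId,      # ID column from Get-ShadowCopyList
        [Parameter(Mandatory)][string]$RelativePath,  # path inside the volume, e.g. Users\jane\Documents
        [Parameter(Mandatory)][string]$Destination    # where to copy to; NOT the original folder
    )
    $shadow = Get-CimInstance Win32_ShadowCopy | Where-Object { $_.ID -eq $ShadowId }
    if (-not $shadow) { throw "Shadow copy $ShadowId not found" }

    # The shadow device is only reachable through a directory symbolic link, and the
    # link target must end with a backslash. mklink is a cmd.exe built-in.
    $link = Join-Path $env:SystemDrive 'shadow_restore'
    if (Test-Path $link) { cmd /c rmdir $link | Out-Null }
    cmd /c mklink /d $link ($shadow.DeviceObject + '\') | Out-Null
    try {
        $src = Join-Path $link $RelativePath
        if (-not (Test-Path $src)) { throw "$RelativePath does not exist in shadow copy $ShadowId" }
        # /E copies subfolders, /XJ skips junctions, /R:1 /W:1 stop it hanging on unreadable files.
        robocopy $src $Destination /E /XJ /R:1 /W:1 /NP | Out-Null
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
        # Return the number of files now in the destination.
        @(Get-ChildItem -LiteralPath $Destination -Recurse -File).Count
    }
    finally {
        # rmdir removes only the link; the shadow copy itself is untouched.
        cmd /c rmdir $link | Out-Null
    }
}

# Pick a copy taken BEFORE the infection: the newest one may already hold encrypted files.
Get-ShadowCopyList -DriveLetter 'C:' | Format-Table -AutoSize
$chosen = (Get-ShadowCopyList -DriveLetter 'C:')[-1]   # the oldest copy, as an example
Restore-FolderFromShadowCopy -ShadowId $chosen.ID -RelativePath 'Users\jane\Documents' -Destination 'D:\restore\Documents'
```

Always copy to a new location rather than over the live folder, and check the InstallDate column against the time the files were encrypted: a shadow copy taken after the infection ran will contain the encrypted versions.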

How do you become infected with CryptoLocker

This infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails contain a zip attachment that, when opened, infects the computer. The zip files contain executables that are disguised as PDF files: they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Windows hides known file extensions by default, they look like normal PDF files and people open them.

When CryptoLocker was first released, it was being distributed by itself. Newer malware attachments appear to be Zbot infections that then install the CryptoLocker infection. You will know you are infected with Zbot as there will be a registry key in the form of:

HKCU\Software\Microsoft\<random>

Under these keys you will see value names whose data appears to be garbage (encrypted information). The droppers will also be found in the %Temp% folder, and the main executable will be stored in a random folder under %AppData%. Last but not least, an autostart entry will be created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to launch it.

An example Zbot/CryptoLocker email message is:

-----Original Message-----
From: John Doe [mailto: (address removed)]
Sent: Tuesday, October 15, 2013 10:34 AM
To: Jane Doe
Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business

All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.

The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.

Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.

How to generate a list of files that have been encrypted

If you wish to generate a list of files that have been encrypted, you can download this tool that I have created:

http://download.bleepingcomputer.com/grinler/ListCrilock.exe

When you run this tool it will generate a log file that contains a list of all encrypted files found under the HKCU\Software\CryptoLocker\Files key. Once it has completed it will automatically open this log in Notepad.

Another method is to use Windows PowerShell (thanks prsgroup):

For systems with PowerShell, you can dump the list of files in the CryptoLocker registry key using the following command:

(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding unicode

Make sure to include the "-Encoding unicode" parameter so that filenames containing Unicode characters are preserved.

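The checks and steps described in this guide can be scripted. The following is an added example, not code from the original article or from BleepingComputer: run as the affected user on the machine after it has been isolated, it reports the autostart values and the HKCU\Software\CryptoLocker key described in "What is CryptoLocker", stops both of the infection's processes in one call (the Kill Tree step from "What should you do"), and writes the same file list as the one-liner above, grouped by drive or share so you can see which mapped drives were reached. It deletes nothing, so the option of paying stays open.

```powershell
# Added example, not code from the original article. It checks one suspected host for the
# indicators the article describes (the "CryptoLocker" / "*CryptoLocker" autostart values,
# an executable at the root of %AppData%, the HKCU\Software\CryptoLocker key), stops both
# of the infection's processes in one go, and exports the encrypted-file list grouped by
# drive or share. Run it as the affected user, after the network cable is out.

$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-CryptoLockerIndicators {
    $hits = @()
    # Anything launched from the root of %AppData% (not a subfolder), which is where
    # the article says the randomly named executable is dropped. Data may be quoted.
    $appDataRootExe = '^"?' + [regex]::Escape($env:APPDATA) + '\\[^\\]+\.exe'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            # A leading "*" on a RunOnce value name makes it run in Safe Mode as well.
            if ($name -match '^\*?CryptoLocker$' -or $data -match $appDataRootExe) {
                $hits += [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            }
        }
    }
    if (Test-Path 'HKCU:\Software\CryptoLocker') {
        $hits += [pscustomobject]@{ Key = 'HKCU:\Software\CryptoLocker'; Name = '(key present)'; Data = '' }
    }
    $hits
}

function Stop-CryptoLockerProcesses {
    # The infection runs as two copies that restart each other, so gather both first
    # and stop them with a single call (the equivalent of Process Explorer's Kill Tree).
    $root = $env:APPDATA
    $procs = @(Get-Process | Where-Object {
        $_.Path -and ($_.Path -like '*.exe') -and
        ([IO.Path]::GetDirectoryName($_.Path) -eq $root)
    })
    if ($procs.Count -gt 0) { $procs | Stop-Process -Force }
    $procs | Select-Object Id, Name, Path
}

function Export-CryptoLockerFileList {
    param([string]$OutFile = (Join-Path $env:USERPROFILE 'Desktop\CryptoLockerFiles.txt'))
    $key = 'HKCU:\Software\CryptoLocker\Files'
    if (-not (Test-Path $key)) { return $null }
    # Each encrypted path is stored as a value name with "?" standing in for "\".
    $files = @((Get-Item $key).GetValueNames() | ForEach-Object { $_.Replace('?', '\') })
    $files | Out-File -FilePath $OutFile -Encoding unicode
    # Group by root (drive letter or \\server\share) to see which mapped drives were hit.
    $files | Group-Object { if ($_ -match '^(\\\\[^\\]+\\[^\\]+|[A-Za-z]:)') { $matches[1] } else { '(other)' } } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Root'; e = { $_.Name } }, Count
}

Get-CryptoLockerIndicators | Format-Table -AutoSize
Stop-CryptoLockerProcesses  | Format-Table -AutoSize
Export-CryptoLockerFileList | Format-Table -AutoSize
```

The registry keys are all under HKCU, so the script must run in the session of the user who opened the attachment; run from another account it will find nothing. Leave the %AppData% executable and the registry values in place until the decision about the ransom has been made, as the guide advises above.
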
How to determine which computer is infected with CryptoLocker on a network

On a large network, determining which computer is infected with CryptoLocker can be difficult. Some infected users have reported that encrypted files have their ownership changed to the user that the CryptoLocker program is running under. You can then use this login name to determine the infected computer.

You can also examine your network switches and look for ports whose activity lights blink continuously or that show very heavy traffic. You can then use this to further narrow down which computers may be infected.

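The ownership clue above can be turned into a query on the file server. The following added example (not part of the original article) lists which account owns the files written in the last few hours under a share and, on Windows Server 2012 or later, looks up that account's SMB session to get the client computer name. The share path \\fs01\shared and the account name are placeholders.

```powershell
# Added example, not code from the original article. On the file server, it lists which
# account owns the files written in the last N hours under a share (the guide says
# encrypted files end up owned by the user CryptoLocker ran as), then maps that account
# to the client computer holding the SMB session. \\fs01\shared is a placeholder.

function Find-EncryptingAccount {
    param(
        [Parameter(Mandatory)][string]$Path,   # local path on the server or a UNC path
        [int]$HoursBack = 24,
        [int]$Top = 5
    )
    $since = (Get-Date).AddHours(-$HoursBack)
    $recent = Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            # Get-Acl can fail on files we cannot read; record that rather than stop.
            $owner = try { (Get-Acl -LiteralPath $_.FullName).Owner } catch { '(unreadable)' }
            [pscustomobject]@{ Owner = $owner; File = $_.FullName; Written = $_.LastWriteTime }
        }
    $recent | Group-Object Owner | Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Written)
            [pscustomobject]@{
                Owner      = $_.Name
                Files      = $_.Count
                FirstWrite = $sorted[0].Written      # when the encryption run started
                LastWrite  = $sorted[-1].Written     # when it stopped (or was disconnected)
                Example    = $sorted[0].File
            }
        }
}

function Get-ClientForAccount {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'jane' or 'CORP\jane'
    # Requires the SmbShare module (Windows Server 2012 or later). On older servers
    # use "net session" and match the user name by hand.
    Get-SmbSession | Where-Object { $_.ClientUserName -like "*$Account*" } |
        Select-Object ClientUserName, ClientComputerName, NumOpens
}

$owners = @(Find-EncryptingAccount -Path '\\fs01\shared' -HoursBack 12)
$owners | Format-Table -AutoSize
if ($owners.Count -gt 0) { Get-ClientForAccount -Account ($owners[0].Owner -replace '^.*\\', '') }
```

The account with by far the most recently written files, all inside a tight time window, is the one to chase; the FirstWrite column also tells you roughly when the infection started, which matters when choosing a backup or shadow copy to restore from. If the owner comes back as a group rather than a user, or the files were written by several accounts, fall back to the switch-port method above.
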
How to prevent being infected by CryptoLocker

You can use the Windows Group Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths. For more information on how to configure Software Restriction Policies, please see these articles from Microsoft:

http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx

The file paths used by this infection and its droppers are:

C:\Users\<User>\AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe (Vista/7/8)
C:\Documents and Settings\<User>\Application Data\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe

In order to block the CryptoLocker and Zbot infections we want to set up Path Rules so that they are not allowed to execute. Below are a few Path Rules that we suggest you use, not only to block the infections from running, but also to block attachments from being executed when they are opened from an e-mail client.

Block CryptoLocker executable

Path: %AppData%\*.exe 
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block Zbot executable

Path: %AppData%\*\*.exe 
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables run from archive attachments opened with WinRAR:

Path: %Temp%\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip:

Path: %Temp%\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip:

Path: %Temp%\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support:

Path: %Temp%\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
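
The six rules above can also be created without the Group Policy Editor. The following added example (not from the original article or from Microsoft) writes them into the registry keys that the local Software Restriction Policy uses, with the default level left at Unrestricted so that only these paths are blocked, and then pulls the resulting block events from the Application log. The registry layout and event IDs are the ones SRP itself uses; test on one machine before rolling out, and note that a GPO managing SRP will overwrite local edits.

```powershell
# Added example, not code from the original article. It writes the six Path Rules above
# into the local Software Restriction Policy registry keys and then lists the blocks
# from the Application log. Group Policy, the route the guide links to, writes the same
# keys under HKLM\SOFTWARE\Policies and will overwrite local edits if a GPO manages SRP.
# Run elevated on a test machine first.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels: 0 = Disallowed, 131072 (0x20000) = Basic User, 262144 (0x40000) = Unrestricted.
$rules = @(
    @{ Path = '%AppData%\*.exe';    Desc = "Don't allow executables to run from %AppData%." },
    @{ Path = '%AppData%\*\*.exe';  Desc = "Don't allow executables to run from immediate subfolders of %AppData%." },
    @{ Path = '%Temp%\Rar*\*.exe';  Desc = 'Block executables run from archive attachments opened with WinRAR.' },
    @{ Path = '%Temp%\7z*\*.exe';   Desc = 'Block executables run from archive attachments opened with 7zip.' },
    @{ Path = '%Temp%\wz*\*.exe';   Desc = 'Block executables run from archive attachments opened with WinZip.' },
    @{ Path = '%Temp%\*.zip\*.exe'; Desc = 'Block executables run from archive attachments opened using Windows built-in Zip support.' }
)

function Initialize-SaferPolicy {
    if (-not (Test-Path $saferRoot)) { New-Item $saferRoot -Force | Out-Null }
    Set-ItemProperty $saferRoot DefaultLevel        262144 -Type DWord   # everything else stays allowed
    Set-ItemProperty $saferRoot TransparentEnabled  1      -Type DWord   # check programs, not DLLs
    Set-ItemProperty $saferRoot PolicyScope         0      -Type DWord   # apply to administrators too
    Set-ItemProperty $saferRoot AuthenticodeEnabled 0      -Type DWord
    # Designated file types: the default list the SRP snap-in writes.
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
             'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
    Set-ItemProperty $saferRoot ExecutableTypes ([string[]]$types) -Type MultiString
}

function Add-SaferPathRule {
    param([string]$Path, [string]$Description, [int]$Level = 0)
    $pathsKey = Join-Path $saferRoot "$Level\Paths"
    if (-not (Test-Path $pathsKey)) { New-Item $pathsKey -Force | Out-Null }
    # Re-running is safe: skip if a rule with this exact (unexpanded) path already exists.
    $dup = Get-ChildItem $pathsKey | Where-Object {
        $_.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames') -eq $Path
    }
    if ($dup) { return $dup.PSChildName }
    $guid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $rule = New-Item (Join-Path $pathsKey $guid) -Force
    Set-ItemProperty $rule.PSPath ItemData     $Path        -Type ExpandString
    Set-ItemProperty $rule.PSPath SaferFlags   0            -Type DWord
    Set-ItemProperty $rule.PSPath Description  $Description -Type String
    Set-ItemProperty $rule.PSPath LastModified ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    $guid
}

function Get-SaferBlockEvents {
    param([int]$HoursBack = 24)
    # SRP writes to the Application log: 865 default-level block, 866 path rule,
    # 867 certificate rule, 868 hash rule. The rules above produce 866.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868;
                                     StartTime = (Get-Date).AddHours(-$HoursBack) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

Initialize-SaferPolicy
foreach ($r in $rules) { Add-SaferPathRule -Path $r.Path -Description $r.Desc | Out-Null }
# Trusted software that legitimately runs from %AppData% can be allowed back with an
# Unrestricted rule for its exact path, e.g.:
#   Add-SaferPathRule -Path '%AppData%\Vendor\updater.exe' -Description 'Allow vendor updater' -Level 262144
Get-SaferBlockEvents | Format-Table -AutoSize
```

Expect some legitimate software to be caught by the %AppData% rules; watch the 866 events for a few days after deployment and add Unrestricted rules for specific trusted paths rather than removing the blocks. If a rule does not seem to apply to a new process, log off and back on before assuming the policy is wrong.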

You can see an event log entry and alert showing an executable being blocked:

Event Log Entry

Executable being blocked alert

If you need help configuring this, feel free to ask in the CryptoLocker help topic.