Possible help for victims of CryptoLocker ransomware

Possible help for victims of CryptoLocker ransomware

I hope that you have not encountered the devious CryptoLocker malware, but sadly, I know as a fact that many of you have been victimized by it. For those of you who are not familiar with CryptoLocker, it is a vile form of sophisticated malware, “ransom ware,” where the malware encrypts data on the hard drive (and possibly USB drives and other external media), and then charges the user a sizeable fee to get the decryption key. The quality of the encryption is excellent, possibly a variant of a Russian military encryption algorithm similar to those used by the American encryption company RSA, and virtually impossible for users to decrypt. If the ransom is not promptly paid to the miscreants, probably located in Russia or Eastern Europe, the encrypted data becomes virtually unrecoverable as the decryption key is erased.

While various forms of ransom ware have been around for several years, this particularly nasty CryptoLocker has been hijacking computers around the world since September 2013. The most common vector utilized to infect a computer is an e-mail attachment, typically appearing to come from a known acquaintance or business. Often not really coming from the known source, the victims’ e-mail address was probably among those stolen by other compromised computers in a botnet (network of compromises computers). Once the attachment, often appearing as a zip (compressed) file or a PDF file, is opened, the malware installs itself in the user’s profile folder and writes a registry key which will cause the malware to execute the next time the computer is booted. When activated, CryptoLocker contacts a “command and control” server, which generates a very secure 2048-bit RSA encryption key pair, sending one key to the infected computer, and sending the other key necessary for decryption back to the cyber crooks. The key going back to the bad guys is often sent through multiple servers scattered globally in order to make them almost untraceable.

The encryption key now on the victim’s computer encrypts files on the hard drive and any mapped network drives, including connected USB devices. A log is created in the computer registry listing the encrypted files, which may be recoverable after the ransom is paid. CryptoLocker does not encrypt all of the files on the hard drive, only selected data files including all Microsoft Office Files (Word, Excel, etc.), the European standard OpenDocument files, images (pictures), AutoCad files, and other important data files. After the encryption takes place, the computer is still functional, and programs will load and run as before, but none of the compromised data files will open as they are now completely inaccessible. CryptoLocker displays a large, colorful message notifying the user that the computer has been hijacked and that important data files have been encrypted. Recent versions of CryptoLocker have demanded a $400 payment within 72 hours (although some variants gave up to 100 hours); the payment can be made remotely through readily available, internationally accepted prepaid debit cards such as MoneyPak, or in the digital BitCoin currency. If an acceptable prepaid debit card is purchased, the debit card number is uploaded according to the included instructions, and hopefully (but not always), the 2048-bit decryption code will be sent, allowing the user to decrypt his critical data files. Often, if the ransom is not paid by the deadline, a second chance is sometimes offered via an online service, but at a much higher price typically paid in BitCoins. If the ransom is not paid by the final deadline, the decryption key will be destroyed, rendering the targeted data unrecoverable.

This is not just some little “script kiddy” writing and spreading this malware, but a highly sophisticated criminal organization that has collected huge amounts of ransom from its victims. In December 2013, the online technology new service ZDNet tracked some of the BitCoin addresses utilized by CryptoLocker victims, and calculated that victims had paid an aggregate of 41,928 BitCoins, worth about $27 million, during just a two month period between October 15 and December 18, 2013. A different survey, conducted by the University of Kent (UK), calculated that the criminals only extorted the paltry sum of $3 million.

While many of the anti-malware utilities could have blocked CryptoLocker from loading and executing, countless users are not utilizing comprehensive and updated security software. Still, once the computer has been compromised and the files encrypted, removing the CryptoLocker malware is a relatively simple process that can be accomplished by almost all major anti-malware utilities, but even though the malware is removed, the encrypted files remain inaccessible. This is again one of the many circumstances where a good contemporary backup of critical data files can be invaluable in restoring the encrypted data, allowing the victim to recover full functionality. For an individual victim, the unrecoverable data files may be aggravating and depressing, but often lead to relatively low financial losses. Business and commercial users might be fiscally devastated by the loss of critical data, possibly leading to financial losses, insolvency, or bankruptcy.

In May 2014, a consortium of private cyber security and software companies, along with multinational law enforcement agencies, in “Operation Tovar,” seized a network of computers that had been used to promulgate and control both the CryptoLocker malware, and the Zeus (GameOver) malware implicated in illicit transfers of funds from financial institutions using a form of identity theft. As the seizure was taking place, the cyber crooks tried to copy their extensive database to another location, but this was apparently foiled by the authorities. A Russian, Evgeniy Bogachev, has been charged by the FBI as the alleged leader of the cyber crooks operating both of these cyber scams; he is still at large. Analysis of the seized network and the data on that network revealed the scope of these financial cyber swindles, as well as data to enable the decryption of about a half-million computers compromised by CryptoLocker.

Earlier this month, a joint effort by the reputable cyber security companies FireEye and Fox-IT, both of which were involved in the takeover of the illicit network, created a free service “Decrypt CryptoLocker” which may enable up to 500,000 victims of CryptoLocker to freely decrypt their data, and possibly recover the otherwise unusable data files. While there is no guarantee that all files encrypted by CryptoLocker can be recovered, it is worth the effort to try the process; it is also possible that the files were encrypted with malware other than CryptoLocker, which this service cannot decrypt. The process is relatively simple and free for the victim; connect to the Decrypt CryptoLocker website at decryptcryptolocker.com, and submit an encrypted file of up to 16MB for analysis. The service explicitly requests that the encrypted files submitted to them for analysis not contain any highly personal or sensitive information. The encrypted file will be analyzed, and if a decryption key can be generated, the key along with a decryption utility will be e-mailed to the user. FireEye and Fox-IT have expressly stated, “E-mail addresses will not be used for marketing purposes, nor will they be in any way stored by FireEye or Fox‑IT.” There is also another reminder that says, “You should only upload encrypted files that do not contain any sensitive or personally identifiable information.”

Earlier this summer, prior to the availability of this Decrypt CryptoLocker service, I was called by an acquaintance who had the infamous CryptoLocker message displayed on his monitor. Flummoxed, his first and second chances at paying the ransom (initially $300 in his case) had expired, and he needed his critical data in order to operate his home-based business. Using a USB based anti-malware utility, removal of the CryptoLocker malware was simple, but his data was still encrypted. Using copies of his business data that he had e-mailed prior to the hijacking, I was able to get him back in business, but still countless other data files, as well as family photos and other documents, were still inaccessible. In the next few days I will go back to him, and show him how to use the free Decrypt CryptoLocker service; perhaps there is a chance that he will be able to recover all of his lost data files. Since the service is free, he does not have much to lose, but a lot to gain.

For a half-million other victims, this Decrypt CryptoLocker service might be a godsend.