Uncracking Cryptolocker

This article appeared in the December 2013 issue of CRN magazine.

As someone who works in IT, I have lost count of how many times I have told people “If you receive an email from an unknown person with an unknown attachment, don’t click it.”

Malware and virus writers are after the low-hanging fruit: those who are naive or haven’t heard these warnings enough. The wild mouse clickers. Humans are curious. We all like to think we are invulnerable, but no one is truly safe.

As IT professionals, we are responsible for getting the message out. We install antivirus for clients, harden firewalls, write policies and restrict permissions. There are many strings to our bows. However, don’t forget that the weakest link in your network is the living, breathing part sitting behind the keyboard. 

I recently investigated how a client of mine caught the Cryptolocker virus. This event ultimately cost the client in excess of $4,000 in support services, five days leave for all staff, lost business and many hours of heartache. 

The client’s server had every network share’s business data encrypted – 64,004 encrypted files – and the workstation that started the infection was also covered in password-grabbing Trojans.

Instead of holding back and carefully checking before clicking, a staff member opened an attachment on a suspicious email. The email address was clearly fake (the domain name was misspelt). The email contained spelling errors and contained crudely grabbed low-resolution images. The attachment was a zip file. Nothing about the email appeared safe, yet the person opened it and then, without special permissions and without violating any network policies, they ran it successfully. The malware looked at every data-related file this person had rights to – and encrypted it.

This infection was so new that the packet inspection firewall let it through. The antivirus let it through. Nothing detected it. Even when we had the infected virus executable and passed it through www.virustotal.com for online scanning and 15 offline scan engines of our own, we found nothing. 

The attachment was called “Invoice_7679236 (2).zip”. Inside this, the user ran “Invoice_092513.exe”. After this, multiple files executed from a website, the local temp directory, the temporary internet folders and from the user’s local profile Appdata folder. These files all downloaded more malicious items and embedded themselves to start at the next boot via the registry.
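The chain above (droppers running from the temp folders and the profile Appdata folder, then persisting via the registry) is what a first-look triage should check for. The following PowerShell is an added example, not code from the article, that lists Run and RunOnce autostart entries pointing into those writable locations; it assumes an administrator session on the suspect workstation, and the path patterns are this example's own choice.

```powershell
# Added example, not code from the CRN article: a quick triage of the Run and RunOnce
# autostart keys for entries that launch from the writable locations the article
# names (the profile AppData folder, the local temp folder and Temporary Internet
# Files). Assumes an administrator session on the suspect workstation; the
# path patterns below are this example's own choice, not a list from the article.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Regex fragments: legitimate autostarts rarely point here, but a user-level
# dropper can always write here without elevation.
$suspiciousPatterns = @(
    '\\AppData\\',
    '\\Temp\\',
    '\\Temporary Internet Files\\',
    '%(AppData|LocalAppData|Temp|Tmp)%'
)

function Get-SuspiciousAutostart {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $entries = Get-ItemProperty -Path $key
        foreach ($prop in $entries.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, ...
            $command = [string]$prop.Value
            $matched = $suspiciousPatterns | Where-Object { $command -match $_ }
            if ($matched) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $prop.Name
                    Command = $command
                }
            }
        }
    }
}

# Anything listed here deserves a look. An empty result does not clear the machine:
# the article's workstation also carried password-grabbing Trojans and was
# sacrificed rather than trusted.
Get-SuspiciousAutostart | Format-Table -AutoSize -Wrap
```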

As double clicking appeared to do nothing, the user went to the next email and got back to work. A few minutes later, up popped the full screen warning and time counter.

Sure enough, within a few minutes, all documents on the local machine and the business-shared network server were encrypted with a very powerful encryption. They were rendered useless. 

The client contemplated paying the ransom; however, after a little research they found that the encryption key that would have been sent off to the hacker’s web servers was never sent. The hacker’s servers had been taken offline. Even if they had been able to pay the ransom, would the hackers unlock it? Would they attack again later? The hackers now own this server.

After several lengthy phone calls with many antivirus companies, specific executables on the workstation were removed. That led to the next rather unpleasant warning.   

Cleaning up the workstation and solving the problem at the server became two separate issues. The workstation could be sacrificed but the data on the server was important for this business to continue trading.

The fastest method of individual file recovery was to use the Microsoft Volume Shadow Copy recovery process. As the shadow copies are designed to contain bit-level data incrementals of file changes, we would normally be able to select any version of the file for recovery, going back numerous days.

Unfortunately, in this case, as 64,004 files had been altered, there were a large number of bit-level changes. Therefore, the volume shadow copies ended up being nothing more than a large backup of the recent data change from the encryption process. The server had made room for the latest revision of the incremental data by deleting all the old backups.

The result was that the server performed a clean-up and only left us with the recent encrypted files in the backups. Anything older was deleted from the system and was not recoverable. Unfortunately, another frailty of humankind snuck in. The receptionist could not wait for the backup to complete on the last known backup date, and pulled out the USB drive early. This left us with an older backup on another drive. This client was going to feel pain because there were many proposals and quotes that could not be recovered. 

We managed to get the system recovered and back into the hands of the owner, but at great expense and emotional cost. We had an unknown virus, unknown payloads (beyond the encryption), antivirus that could not detect the virus and lots of files to recover. We ended up with a server you could not trust. All because someone opened a file that should have felt suspicious. Here are just some of the ways to prevent this happening again: 

• Stop executables running from the profile Appdata folder

• Stop zip files in email

• Lock down what shares people can access
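The first of those measures can be put in place with an AppLocker path rule. The script below is an added example, not code from the article: it builds a policy that denies executables under any user’s AppData tree while keeping Windows and Program Files allowed, tests it against a placeholder file, and applies it in audit mode first. It assumes an administrator session on a Windows edition that ships AppLocker, with the Application Identity service (AppIDSvc) running; the rule names, GUIDs and placeholder file are constructed for the example.

```powershell
# Added example, not code from the CRN article: an AppLocker executable rule set that
# denies anything launched from a user's AppData tree (the Roaming and Local profile
# folders), tried in audit mode before enforcement. Assumes an administrator session
# on a Windows edition that ships AppLocker, with the Application Identity service
# (AppIDSvc) started; rule names, GUIDs and the placeholder file are constructed here.
$ids = 1..3 | ForEach-Object { [guid]::NewGuid().ToString() }
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Once any rule exists, everything not allowed is blocked, so keep the allows -->
    <FilePathRule Id="$($ids[0])" Name="Allow Windows" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($ids[1])" Name="Allow Program Files" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <!-- Deny rules win over allow rules: nothing runs from any user's AppData tree -->
    <FilePathRule Id="$($ids[2])" Name="Deny AppData executables"
        Description="Blocks droppers that run from the profile AppData folder"
        UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'deny-appdata-exe.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: a copy of notepad.exe placed in the local temp folder (which sits under
# AppData) stands in for a dropper; the original in System32 must stay allowed.
$placeholder = Join-Path $env:LOCALAPPDATA 'Temp\placeholder-dropper.exe'
Copy-Item (Join-Path $env:WINDIR 'System32\notepad.exe') $placeholder
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    $placeholder,
    (Join-Path $env:WINDIR 'System32\notepad.exe')
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $placeholder

# Apply in audit mode and watch the Microsoft-Windows-AppLocker/EXE and DLL log
# (event 8003 = would have been blocked) for a few days; then set EnforcementMode
# to "Enabled" in the XML and run Set-AppLockerPolicy again to block for real.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

On editions without AppLocker, a Software Restriction Policy path rule on the same AppData locations gives the equivalent block.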

The reality is that this attack got in due to a bad human decision and many of these preventative measures will not always help. The core issue is with the human traits in all of us. We are all low-hanging fruit.

Next breed of threat

I view Cryptolocker as the start of the next breed of threats: malware that uses our weaknesses to lock up what we view as precious and then make us pay to get our lives back in order. 

While an antivirus now detects and prevents Cryptolocker from spreading, the next threat is just around the corner. There are thousands of threats, or mutations of threats, discovered every hour. Do you update your antivirus and patches every minute? No? Then we need to train people to be safe.

So why does Cryptolocker get past us and what does it actually do?

Cryptolocker is a breed of ransomware that uses social media or email as attack vectors. Email users can receive messages purporting to be from FedEx, UPS, Intuit etc. with a tracking notice or invoice. The enticement for a user – especially a business that ships things using these carriers or is waiting on invoices – is that it looks like a real business document, so they open it. They are now infected.

The malware looks at the local and network drives and shares and will encrypt files matching a set of extensions for common business applications. This includes office applications (Excel, Word, PowerPoint, WordPerfect), some image files, business certificates and databases such as Access and FoxPro.

Sophisticated strike

When this virus struck our client, it was sophisticated enough to understand and bypass current anti-virus and anti-malware software. Cryptolocker does not require administrative or elevated privileges. It does not need permission to run and encrypt your files. The executed malware can encrypt any file that the user has rights to.

Cryptolocker is now even more dangerous, as it has recently been updated to attack in more ways. Now it just has to trick the user into visiting an infected website. If the user has an out-of-date, vulnerable version of Flash, Reader, Java or Windows, Cryptolocker will get in. No clicking is needed other than following a link (see box on the left for three infection vectors).

Internet providers have now started blocking the known command and control servers for these types of malware. This might halt this kind of attack, but it is a double-edged sword: in this specific malware attack, there would be no way to get the encryption key back even if you did pay the ransom.

As Cryptolocker merely encrypts data files the user has rights to write to, it highlights a major problem with identity-based protection, such as limited user rights. Every user has the right to modify data and access the internet, so these methods do not protect against data loss or leakage. 

As skilled malware writers can usually churn out undetected variants of malware quickly, we as IT professionals need to think about security differently. Remember that this malware doesn’t need to exploit any vulnerabilities to execute; it just tricks users into running an executable, so there’s no patch or setting for us to rely on.

We need to take this new ransomware on head-to-head and educate users. We need to plan for the worst to happen. You need to make sure that you and your clients are prepared, and make sure you are covered with insurance to cover the cost of downtime, network rebuild, document and data restoration and loss of business. Think about taking a customer’s previous night’s backup devices offline from the server and away from the network. Archival or disconnected backups – or full images – would be our only real protection for business continuity. Make sure there is a disaster recovery plan in place. Place a copy – note the word ‘copy’ – of key business files in the cloud.

The reality is most of these attacks are looking for low-hanging fruit. If a user is targeted, there is very little they can do to defend against it that is not cost prohibitive. As an IT professional, all you can do is try and advise on common sense. We need to promote ‘stop the mindless clicking’. It might just save someone’s business. It might even save yours.

Copyright © CRN Australia. All rights reserved.