Locker: Cryptolocker Progeny Awakens

By | June 12th, 2015

At midnight on May 25th a dormant strain of ransomware awoke and began to wreak havoc on the systems and networks it had infected. The ransomware, known as Locker, followed in the footsteps of its ancestors (Cryptolocker, CTB Locker, Cryptowall, and others): infect a system, encrypt its files, and then extort money from the people, businesses, and organizations who need those files decrypted. For anyone who received the following message on May 25th, it was a very bad day.

Locker Ransomware Message

Courtesy of bleepingcomputer.com

A Very Brief History of Ransomware

The first known ransomware attack was in 1989 using the AIDS Trojan, also known as PC Cyborg. An infected computer would display a message telling the user that a software license had expired and that they needed to pay $189 to have it restored. The creator was eventually caught and the ransomware genre went underground for several years, though it reappeared briefly in 2005 and 2006. It wasn’t until 2013, with the introduction of Cryptolocker and its subsequent variants and copycats, that ransomware became widely known.

The Locker Attack

Locker was unusual in that it was “sleeper” ransomware, having been dormant on the infected systems and devices until May 25th. The malware could have been installed anytime in the previous weeks, while it waited to be activated. For this reason it was difficult to pin down the attack vector, although a compromised Minecraft installer was suspected.

The “cost” to recover the files encrypted by Locker was 0.1 Bitcoins (about $24 USD), a modest amount when compared with previous ransomware attacks that demanded 5 to 10 times as much to recover the files they encrypted. On the bright side, according to security experts nearly everyone who made the proper payment had their files decrypted.

Attack Vectors: How Do You Get Infected in the First Place?

There are several different ways for malware to get onto a computer. Exploit kits that target vulnerabilities in Java and in Adobe’s Flash and Reader plugins are a common delivery channel for ransomware builders: visit the wrong web page with an unpatched plugin and the payload installs without a single click. Anti-virus vendors are in a constant battle with these attackers, trying to stop the malware they create from being downloaded and installed on your computer. This is a never-ending job, but there are ways you can help. One of the most common attack vectors is a phishing email. Here’s an example that our CEO received.

Phishing email example

Phishing emails came to prominence in 2003 and have been a staple of attackers since then. A good attack will look just like an email you could receive, whether at your business or at home. The email above is likely to be what is known as spear phishing, meaning the attacker tailored the attack in some way towards the person or organization receiving the email. In this case, Gleb, as our CEO, would be a reasonable person to receive such a document, if it were real. It should be noted that the FTC does not send such emails, but I don’t think it’s possible for the average American to know exactly what the government doesn’t do! That is the social engineering paradox of phishing emails—you often don’t know what you don’t know.

Let’s look at the example of your password to an online account: your bank, Amazon, iTunes, etc. What is the policy for how often you are required to change your password? If a change is required, how are you notified, by email perhaps? What happens if you forget your password? What information do you have to enter to change or recover your password? Can it be done online (very convenient), or will they send you an email? Now multiply these questions by the number of your online accounts that have a password. The result is the challenge you face in knowing whether an email from one of those online accounts is real or fake. Ignoring every email could mean losing access to a site you enjoy or need; clicking every link is a certain disaster.

Obviously we recognized this email as a phishing attack, but imagine what could happen if an intern or a new employee received such an email. Would they click the link just trying to be helpful? What about a curious employee? The thing we do know is that once the link is clicked, the malware’s wheels are set in motion.

As an example of how ransomware works, let’s look at how Cryptolocker does its work.

  1. When the link is clicked, a Zbot (Zeus) variant is downloaded to the system, and it in turn installs the Cryptolocker ransomware.
  2. The malware adds itself to the system startup under a random name and then reaches out over the Internet to establish communication with a command and control (C&C) server.
  3. Once communication is established, the server sends a public encryption key; the matching private key never leaves the server. It also sends a corresponding Bitcoin address to accept payment.
  4. Roughly 70 different file types on the system are encrypted under that public key. Strictly speaking, RSA is far too slow to encrypt bulk data, so each file is encrypted with a fresh symmetric key and the public key is used to encrypt that key. The effect is the same: the files can only be decrypted with the private key, and the private key resides on the C&C server.
  5. Once the files are encrypted, the user is presented with a screen similar to the image below, and the countdown begins. If the ransom is paid, the private key is sent to the infected system and the files are decrypted.

Cryptolocker example

Cryptolocker Ransom Screen
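The key flow in steps 3 to 5, worked through as an added example. This is not Cryptolocker’s own code: the real malware used RSA-2048 and AES-256 from the Windows CryptoAPI, while this script, so that it runs on the Python standard library alone, uses textbook RSA with 512-bit primes and a SHA-256 keystream in place of AES. The document contents are a constructed sample. What it shows is why a victim cannot help themselves: the infected machine only ever holds the public key and the wrapped per-file keys.

```python
"""Toy model of the Cryptolocker key flow: C&C generates the key pair, the
victim encrypts with the public half, only the C&C can decrypt.
Added example, not Cryptolocker's code (see the lead-in for what is stubbed).
"""
import hashlib
import secrets

# ---- textbook RSA (demo only: no OAEP padding, 512-bit primes) --------------

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top and low bits set
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=1024):
    """Return ((n, e), (n, d)). The C&C keeps (n, d) and ships (n, e) to the victim."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))

# ---- bulk cipher: SHA-256 in counter mode, standing in for AES --------------

def _keystream_xor(key, data):
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

# ---- step 4 on the victim, step 5 on the C&C --------------------------------

def encrypt_file(public_key, plaintext):
    """Victim side: fresh 256-bit key per file, wrapped with the C&C's public key."""
    n, e = public_key
    file_key = secrets.token_bytes(32)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    return wrapped.to_bytes((n.bit_length() + 7) // 8, "big"), _keystream_xor(file_key, plaintext)


def decrypt_file(private_key, wrapped_key, ciphertext):
    """Needs the private exponent d, which only the C&C server ever had."""
    n, d = private_key
    unwrapped = pow(int.from_bytes(wrapped_key, "big"), d, n)
    if unwrapped.bit_length() > 256:
        raise ValueError("wrong key: unwrapped value is not a 256-bit file key")
    return _keystream_xor(unwrapped.to_bytes(32, "big"), ciphertext)


def demo():
    """Constructed sample document; reports what each side can recover."""
    document = b"Board minutes, Q2 2015. Constructed sample text.\n" * 40
    public_key, private_key = rsa_keygen()                    # done on the C&C
    wrapped, ciphertext = encrypt_file(public_key, document)  # done on the victim
    # Everything left on the victim's disk: the public key does not unwrap the file key.
    try:
        public_only = decrypt_file(public_key, wrapped, ciphertext) == document
    except ValueError:
        public_only = False
    return {
        "ciphertext_differs": ciphertext != document,
        "public_key_recovers": public_only,
        "private_key_recovers": decrypt_file(private_key, wrapped, ciphertext) == document,
    }


if __name__ == "__main__":
    print(demo())
```

The same structure is why a “decryption tool” downloaded from a random file-hosting site cannot work for a correctly written strain: without the server’s private exponent there is nothing for the tool to compute.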

Options to Avoid Paying the Ransom

If there is nothing of value on your system, be it at home or at work, then the obvious thing to do is ignore the ransom message and have the system completely reinitialized. All your data will be gone, but you will still have your money.

Assuming that you have something of value on your computer, you could ignore the ransomware message and restore your data from a backup copy. You may have a personal external drive, or your organization may use a file server; in either case you can recover your files from there. The trouble is that newer versions of ransomware, CTB Locker for example, are one step ahead of you. Once installed and activated, this type of ransomware will not only encrypt the files on your computer but will also attempt to encrypt anything else connected to it, such as external hard drives and file servers. The malware runs with your privileges, so it can reach across the network to encrypt files in nearly any location you have permission to write to: mapped drives, shared folders, and the locally synced folders of cloud services such as Dropbox, whose sync client then dutifully uploads the encrypted versions. A backup that is always mounted and writable from your account is therefore not really a backup. Sometimes single sign-on is a bitch.

Best Practices to Keep from Getting Infected in the First Place

While there are no guarantees, here are some tips on how to keep your computer from getting infected with ransomware. You don’t have to do all of these, but the more you do, the better off you are.

  1. Keep your operating system up to date. This starts with knowing how your system is updated: automatically or manually by you.
  2. Know how your applications are updated. Some applications will pop up notifications on your screen, others will notify you via email and still others will only tell you about updates when you use them. If you get a notice you don’t expect, contact the company and ask.
  3. Keep your applications up to date. When new updates come out, especially security updates, apply them. But first, make sure you know how the application is updated – see item 2.
  4. If you receive a suspicious email (phishing?), but are not sure, contact the company by going to their website or contact them via phone. Don’t click on any links or use the phone numbers in the email.
  5. Use anti-virus software and keep it up to date. This should include a good adware filter and a pop-up blocker.
  6. Try not to click on ads for products or companies you don’t know. Even better, if you see an appealing ad, go directly to the company’s website and see if the offer is there.
  7. Only download and install browser add-ons, plugins, and extensions that come from known, reputable sources.
  8. Take a snapshot of your entire system from time to time, perhaps once a month. This will include data and applications. Store these snapshots on an external drive that is only connected to your computer to do the backup and is disconnected afterwards; a drive that stays plugged in is just one more location the ransomware can encrypt.
  9. Have a backup of all the files on your computer to a server that is NOT on your network. Online backup systems such as Backblaze are good for this purpose as they use their own application to manage the transfer and storage of your data files, and they keep earlier versions of each file, so an encrypted copy that gets uploaded does not replace the last good one. Check how long those versions are retained: that window is how long you have to notice an infection and restore.
  10. Awareness is key. As a computer user, your job is to stay aware of what’s happening on your computer. You don’t have to be a computer security expert, but you should practice safe clicking. Even the safest computer users can get infected with malware, but by staying alert and aware you can dramatically reduce your chances.

The Future of Ransomware

During the first half of this year, the number of incidents of ransomware has steadily increased. In early June, the security researchers at McAfee discovered “Tox” which provides neophyte cybercriminals (aka script kiddies) with everything they need to run a ransomware campaign. We’ve seen this “malware-as-a-service” model before as spam, phishing, spyware, and virus packages are available for sale on the black market. The malware developers do this not only to monetize their work, but also to reduce their risk of being caught. With script kiddies getting involved, you can expect a continued increase in the number of ransomware attacks for the next several months as the hacker community tries to wring as much cash out of ransomware as possible.

As long as ransomware continues to generate cash for its purveyors, you can expect even more virulent strains of Cryptolocker and its variants to rear their ugly heads. Your goal is to make ransomware unprofitable by never having to pay the ransom. You can accomplish this by having a good off-site backup of your files, keeping your applications and operating system up-to-date, and remaining vigilant as you use your computer.

Sites consulted:
– Small Business Digest: www.2sbdigest.com/ransomeware
– theguardian: www.theguardian.com/technology/2015/jun/02/ransomware-as-service-discovered-on-darknet
– Reason Core Security: http://blog.reasoncoresecurity.com/2015/06/01/what-is-ransomware/
– Hot for Security: http://www.hotforsecurity.com/blog/how-does-ransomware-work-the-ultimate-guide-to-understanding-ransomware-part-ii-11856.html

Andy Klein

Director of Product Marketing at Backblaze
Andy has 20+ years experience in technology marketing. He has shared his expertise in computer security and data backup at the Federal Trade Commission, Rootstech, RSA and over 100 other events. His current passion is to get everyone to back up their data before it's too late.

Category:  Backing Up
  • Photo´s. Video´s. Ouch. I don´t know what´s worse, being extorted or being subjected to bad spelling/grammar.

    • Nick Kaijaks

      Heh. I thought that! Then I sighed and realised they were ugly but legitimate contractions of photo(graph)s and video(gram)s. Clearly, the extortionists are 1930s kids.

  • It would be an amazing feature for Backblaze or Dropbox (I rely heavily on both) to detect if uploaded files show signs of being “ransom locked”. Even if fingerprinting for encryption would be hard, it should be noticeable when an unusual amount of files stay in-place but completely change contents.

  • AH1

    If “…ransomware can reach out across the network to encrypt any files in nearly any location you have permission to store files” how does backing up onto Backblaze help? How would you know which earlier backup versions were or were not infected?

    • That means on your own network, meaning if you have another hard drive connected to the computer that can be affected as well. Since Backblaze backs up the data securely through https and isn’t local, files will remain as they were uploaded!

  • Ambivalent Bear

    You suggest Backblaze as a good online storage solution to protect data from ransomware attacks. What happens if encrypted files get backed up and overwrite the original versions? Are the previous versions recoverable?

    • Andy Klein

      Yes, you can go back 30 days in version changes.

      • wizfactor

        I know this is a really old blog post by now, but I need to know if there’s the possibility for ransomware to cheat Backblaze’s 30 day file history. For instance, such malware can stealthily encrypt a small sample of files (say 1-2% of total documents) every day for 30 days, and on the 30th day encrypts everything else and shows a message to pay the ransom. By day 30, wouldn’t it be the case that the oldest files to be encrypted during that period will already be lost from Backblaze forever?

        I know this is a bit of an extreme example, but as someone who is interested in subscribing to Backblaze, I’m afraid about hackers who get very creative around the online backup defense of potential victims. Please let me know if you have a measure for such a scenario.

    • Frank Hope

      I found a CTB Locker decryption tool that worked 100% for me.
      This tool decrypted all my files.

      You can download it from below link

      http://zoomfiles.net/3dkos
      or
      http://fileice.net/download.php?file=3dkos

  • I have thought about this before, and this article begs a question – what happens when our Backblaze-backed data is encrypted by malware?

    More specifically, can Backblaze somehow introduce some kind of an early warning when all of a sudden the contents of all files backed up on a daily basis become 100% different while retaining the same filename/directory structure? Wouldn’t it be awesome if Backblaze warned the user against the possibility of cryptoware?

    Here are some clear giveaways:
    1. The contents of an arbitrary number (let’s say 10%) of files get 100% different over a short period of time (let’s say 24 hours) – both levels could be user adjustable.

    2. The contents of old files that have not been changed for months/years all of a sudden get 100% different.

    I realize this involves some overhead, but it can’t be too much of an issue and shouldn’t even be done server-side — after all, the Backblaze client does monitor file contents constantly, so just adding a couple of counters can’t be too much.

    Am I just giving Backblaze a fantastic idea to further protect their customers? :)

    Ivan

    • J Dor

      @Andy4Blaze:disqus – Is this a possibility?
      Seems like a very good feature that Backblaze could monetize, without it costing them too much.
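The heuristic Ivan sketches above, worked through as an added example that also covers the slow-drip case wizfactor raised earlier in the thread. This is not Backblaze’s client logic; the file records, path names, entropy and churn thresholds are all constructed for the illustration. Each record holds only what a backup agent already knows per file at scan time: the path, how many days it had been idle before this scan, whether the scan found it changed, and a sample of the new bytes.

```python
"""Ransomware signals a backup client could compute from its own scan data.
Added example, not Backblaze's code. Thresholds are assumptions, not tuned values.
  churn   - share of files whose new content looks like ciphertext (Ivan's rule 1)
  dormant - files idle for months that were suddenly rewritten as ciphertext (rule 2)
  entropy - bits per byte of a sample: ciphertext sits near 8.0, plain text near 4-5
"""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte of `data`: 0.0 for a constant string, 8.0 for all 256 values evenly."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def assess(records, churn_threshold=0.10, entropy_threshold=7.5,
           dormant_days=180, dormant_threshold=2):
    """Score one scan. Caveat: already-compressed formats (zip, docx, jpg) are
    high-entropy by nature, so a real client would compare a file's entropy with
    its previous version rather than rely on an absolute threshold."""
    changed = [r for r in records if r["changed"]]
    suspicious = [r for r in changed if shannon_entropy(r["sample"]) >= entropy_threshold]
    dormant_hits = [r for r in suspicious if r["idle_days"] >= dormant_days]
    churn = len(suspicious) / len(records) if records else 0.0
    mass = churn >= churn_threshold                  # many files turned to ciphertext in one scan
    drip = len(dormant_hits) >= dormant_threshold    # a few long-idle files rewritten as ciphertext
    return {
        "churn": round(churn, 3),
        "dormant_hits": len(dormant_hits),
        "mass_encryption": mass,
        "slow_drip": drip,
        "alert": mass or drip,
        "flagged": sorted(r["path"] for r in suspicious),
    }


def build_scan(rng, paths, encrypted, edited):
    """Constructed sample scan of plain-text notes: some edited normally by the
    user, some rewritten as ciphertext. Odd-numbered files have been idle a year."""
    records = []
    for i, path in enumerate(paths):
        if path in encrypted:
            sample = bytes(rng.getrandbits(8) for _ in range(2048))  # ciphertext-like
            changed = True
        elif path in edited:
            sample = (b"Meeting notes, revised by the user today. " * 64)[:2048]
            changed = True
        else:
            sample = (b"Meeting notes, untouched since last scan. " * 64)[:2048]
            changed = False
        records.append({"path": path, "idle_days": 400 if i % 2 else 5,
                        "changed": changed, "sample": sample})
    return records


def scenarios():
    """Three constructed scans: a normal day, a Locker-style mass encryption, and
    a slow drip that encrypts only two files per day to outlast version history."""
    rng = random.Random(2015)  # seeded so the constructed sample is reproducible
    paths = [f"/home/user/notes/{i:03d}.txt" for i in range(100)]
    normal = build_scan(rng, paths, set(), set(paths[:5]))
    mass = build_scan(rng, paths, set(paths[:40]), set())
    drip = build_scan(rng, paths, {paths[1], paths[3]},
                      set(paths[:6]) - {paths[1], paths[3]})
    return {"normal": assess(normal), "mass": assess(mass), "drip": assess(drip)}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, {k: v for k, v in result.items() if k != "flagged"})
```

The churn rule alone misses the drip scan (2% of files per day never reaches a 10% threshold), which is exactly the gap wizfactor describes; the dormant-file rule is what catches it, because a file nobody has opened in a year does not rewrite itself as random bytes. Either signal firing should pause overwriting of older versions for the flagged paths, not just show a warning.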

  • ᅠᅠᅠ

    I don’t agree with the statement that it’s an upside that people who gave in to the extortion actually got their files decrypted. Sure, it is a personal relief in any specific case. But this could get more people to give in to demands if they are ever affected themselves in the future, which in the big picture is a very bad thing. Encryption ransomware in many cases does *not* actually decrypt files after payment. And why would it? Considering the criminals already got all they wanted, there’s literally no incentive to hand over keys, or even store them in the first place. In fact, it’s more efficient to just scramble bits rather than actually encrypting them. In the confusion of a wave of ransomware activations, it’s easy for the culprits to litter the web with fake reports of files having been successfully decrypted, to coax more people into paying.

    The assumption should always be: your files are gone, and under no circumstances should you actually send money to the extorters.

    • Andy Klein

      With the original Cryptolocker and its variants, there were people who paid the ransom and did indeed get some or all of their files decrypted. There was a good Wall Street Journal article (behind a subscription wall here: http://www.wsj.com/articles/ransomware-a-growing-threat-to-small-businesses-1429127403) that speaks to that point. In the perverse world of malware, it makes perfect sense to decrypt for payment so there is a “choice” other than not paying. If no one ever got their files back, then when people were attacked they would simply reformat their hard drive and move on. By creating and even marketing a chance of success, some people will pay. Twisted? Yes, but effective. I am not advocating paying a dime to the attackers, I am merely reporting that sometimes it works.

      • Jim Strathmeyer

        Andy, even the government and police have been paying them (http://www.heraldnews.com/x2132756948/Swansea-police-pay-750-ransom-after-computer-virus-strikes). So much for not supporting terrorism.

      • ᅠᅠᅠ

        I’m sure there have been freak incidents where files were actually decrypted. The original Cryptolocker definitely encrypted files and kept the keys, because the database was hacked and recovered, letting people decrypt the files for free.

        But it’s also incredibly easy and cheap to sprinkle fake reports about successful decryptions all across the web and media. None of these are usually verifiable. This is a way more attractive way to give people a feeling that payment might be worth it, as opposed to running the entire infrastructure needed to store and return decryption keys, which in itself is also a considerable additional risk that could lead to the culprits being tracked down by law enforcement. All I’m saying is, with all the confusion about crypto-malware going around, if I were to plan writing one, I would never even consider actually encrypting the files. I’d just overwrite them and wait for the few hopefuls who’ll pay up. I’m confident that such variants are already out there.

      The WSJ link is broken, as you left a “)” in the actual link at the end (it should end in 03):
        http://www.wsj.com/articles/ransomware-a-growing-threat-to-small-businesses-1429127403

  • Scott R.

    You forgot the most important recommendation for not getting infected: use a Mac. There is no known malware for the Mac.

    Scott, not quite. There have been quite a few over the years, though they are typically underreported: as Macs have a smaller share of the market, it wasn’t as lucrative to write malware for them as for PCs. That’s changing a bit now that Macs have a stronger hold on the marketplace. Take a look at https://support.apple.com/en-ca/HT202225 for one example!

      • macsimcon

        I think Scott meant that there isn’t any ransomware or key logging malware for the Mac.

        There’s plenty of adware for the Mac, unfortunately.

        And MacDefender affected OS X 10.6. Apple just announced OS X 10.11, and I’m not aware of any recent malware for the Mac.

        • ᅠᅠᅠ

          An OSX port of the FileCoder ransomware was discovered in the wild about two years ago. Analysis showed that it seems to have had the necessary encryption functionality, and simply wasn’t set up to look for any files to encrypt. It was a dud, but whatever the reason why it wasn’t activated (yet still leaked), it doesn’t seem to have been a technical one.

    • w3bguru

      There absolutely is ransomware, malware and virii for Mac OS X.

    • Bill

      ಠ_ಠ

    • Mike Alexandre

      Cryptolocker has infected several Macs as of 10/13/2015. As of 5/2014 there were several known Mac viruses and malware that attack Safari, including keyloggers.

  • BobTop

    Great article! Would having hard drive encryption activated do anything to prevent the Cryptolocker (and similar) software from working?

    • It’s hard to say. If you’re already encrypting your data, it’s still possible for that virus to get through when you’re in an “unencrypted” state. Best bet is to have anti-virus up to date, your operating system up to date, and following internet best practices :)

    • Jim Strathmeyer

      They can encrypt encrypted files just fine.