We’ve seen a resurgence in interest in the CryptoLocker ransomware, not least because the UK’s National Cybercrime Unit (NCU) put out a warning about it yesterday.
The NCU burst onto the cybercrime fighting scene as part of the UK’s newly formed National Crime Agency (NCA), which became operational just a month ago, on 07 October 2013.
The NCA is part of the UK’s effort to tackle organised crime, including crimes launched by electronic means.
And CryptoLocker has been a strange baptism of fire for the agency dubbed by some “the British FBI.”
What CryptoLocker does
If you’ve been following the story, you’ll know that CryptoLocker is malware that deliberately scrambles your precious data files, such as documents and spreadsheets, and offers to sell you a decryption key to get them back.
The price the crooks are charging is currently hundreds of pounds.
Of course, if you have a decent anti-virus, you’re unlikely to get infected in the first place, and if you have a decent backup you should be able to recover your data even if the worst happens.
But if you don’t, then you’re stuck.
As far as we can tell so far, the crooks who are operating the CryptoLocker crimeware haven’t left any holes or backdoors by which you can recover your data without paying up:
- The decryption key is different for each victim, so you can’t share your key with the next guy.
- The encryption used is strong enough that it can be considered impossible to crack.
- The crooks don’t let your key out of their sight until payment is received.
- No-one, to the best of our knowledge, has been able to get into the crooks’ own network to recover the keys.
Why the risk is high
Even though CryptoLocker is already well known, having made headlines for several weeks, and tips on how to avoid it have been widely publicised, things may yet get worse.
The NCA’s recent alert warns that emails containing infectious attachments “may be sent out to tens of millions of UK customers, but appear to be targeting small and medium businesses in particular.”
The attachments are often disguised, warns the NCA, as files that sound important enough to open, but not of a sort usually associated with viruses and malware, “for example, a voicemail, fax, details of a suspicious transaction or invoices for payment.”
Of course, crooks have known for years that attachments can be made to look like images, or audio files, or documents, by giving them names like VOICEMAIL.MP3.EXE or INVOICE_SCAN.JPG.EXE.
You see VOICEMAIL.MP3, which seems innocent enough, but Windows sees VOICEMAIL.MP3.EXE – in other words, an executable file, better known as a program.
So instead of firing up your media player, opening the attachment runs the malware.
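As an added illustration, not code from the original article or from Sophos, here is a small Python filter that applies the double-extension point above and goes a little further: it shows what Explorer displays for VOICEMAIL.MP3.EXE when extensions are hidden, flags executable and double-extension attachment names, and lists the member names inside a ZIP attachment, which the ZIP central directory stores in clear even when the member contents are password-protected. The extension lists, function names and the sample archive are constructed for the example.

```python
import io
import zipfile

# Illustrative, not exhaustive: extensions Windows runs as programs, and
# extensions a recipient expects to open as media or documents.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
HARMLESS_LOOKING_EXTS = {"mp3", "wav", "jpg", "png", "pdf", "doc", "docx", "xls", "txt"}

def explorer_display_name(name: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base

def classify_name(name: str) -> str:
    """Return 'executable', 'double-extension' or 'ok' for one attachment filename."""
    exts = name.lower().rsplit("/", 1)[-1].split(".")[1:]
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # VOICEMAIL.MP3.EXE: a harmless-looking extension sits in front of the real one.
    if len(exts) >= 2 and exts[-2] in HARMLESS_LOOKING_EXTS:
        return "double-extension"
    return "executable"

def classify_attachment(filename: str, data: bytes) -> list:
    """Classify an attachment; for ZIPs, also check member names (visible even when contents are encrypted)."""
    findings = []
    verdict = classify_name(filename)
    if verdict != "ok":
        findings.append((filename, verdict))
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = classify_name(info.filename)
                    if member != "ok":
                        findings.append((info.filename, member))
                    if info.flag_bits & 0x1:  # encrypted member: contents cannot be scanned
                        findings.append((info.filename, "encrypted-unscannable"))
        except zipfile.BadZipFile:
            findings.append((filename, "malformed-zip"))
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample attachment: a 'scanned invoice' whose real extension is .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("INVOICE_SCAN.JPG.EXE", b"constructed placeholder bytes, not a program")
    return buf.getvalue()
```

Feeding `build_sample_zip()` to `classify_attachment("invoice.zip", ...)` yields one double-extension finding for the archive member, even though the outer filename looks harmless.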
How you can help
Even if we can’t find the crooks to stop the ransom process and get back all the keys created so far, we don’t have to be victims.
If you are the go-to IT expert for your friends and family, you can help:
- Warn your friends about the dangers of unsolicited email attachments.
- Check that they have a proper anti-virus and are keeping it up-to-date.
- Show them how to make backup copies of their precious files and to store the backups safely.
- Make sure they keep up-to-date with patches for their operating system and software.
- Get them to read up about CryptoLocker so they are in no doubt about the risk.
- Use CryptoLocker as evidence why prevention is better than cure.
Get information and advice
If you are looking for useful material to use in advising your friends and family, Naked Security has the following excellent resources at hand:
- CryptoLocker prevention, cleanup and recovery.
- A video showing CryptoLocker in action.
- Five tips for protecting against ransomware.
Remember: an ounce of prevention is worth a pound – in this case, hundreds of pounds – of cure.
Are spam filters able to scan inside of a zip for an exe?
A decent one will be able to (Sophos’s certainly can). In addition, you probably also want to block so-called double extensions, thus automatically treating files that end “.doc.exe,” or something similar, as suspicious.
Are there any innocent uses of double extensions? Would it not be more sensible to treat *.*.exe as suspicious? (where * is a wildcard)
We should teach people not to make malware rather than blame victims imo :\
I think they know, Fem; they just don’t care. For them it’s about the money and probably a bit of power-trippin when they make some. Teaching victims and potential victims is about the most we can do to diminish the bad guys’ returns.
Surely the software is transmitting the details to a server? Why has this not been tracked down? Or at least, why have the proxies not been tracked down, torn apart and then traced to the next server?
If you look at the “how it works” article you’ll see that the server chosen by each victim is rather a moving target. The malware tries a whole list of server names each day until it gets through, and if ever it can connect, the damage is done. (There’s only a small exchange needed to generate the locking key – that’s why the crooks don’t upload your data, which could take a long time and be error prone, just scramble it in situ.)
And one additional measure: disable the default “Hide extensions for known file types” check box in Explorer. I still consider this one of the stupidest moves MS ever made in Windows.
I’ll see your “Hide Extensions” and raise you “AutoRun” 🙂
(Many OSes have some sort of file and name hiding by default. In Unix, for instance, the ls command that lists directories suppresses by default any filenames starting with a dot. So this kind of “file system dishonesty” has a long history. And doesn’t that make the crooks laugh?)
And in Windows 7, hiding/showing file extensions is done via Control Panel>Folders>Options>view.
How are ransom payments made?
Why are they not traceable?
Moneypak or Bitcoins. That’s why the payments aren’t (easily) traceable. Or, more importantly for the victims, reversible.
Does Sophos A-V detect and avoid this malware?
Yes. (With the usual caveat that no anti-virus can guarantee to detect all possible future variants of any malware.)
See:
http://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/
“SophosLabs has asked us to remind you about a destructive malware threat that calls itself CryptoLocker. Sophos Anti-Virus detects it by the name Troj/Ransom-ACP, because that’s exactly what it does: holds your files to ransom.”
Thanks, Paul.
Apologies for being ignorant, but I would have thought that any attachment that carries a .exe file extension should be detected by the ISP and ought not to be transmitted or the recipient warned not to open same.
As several comments seem to engender a “showing file extensions will deliver us from evil” mindset, I’d like to throw in a reminder about the encrypted, executing, ZIP file. (Extension will be “.zip”, or “.doc.zip”, “.pdf.zip”, etc.)
With these, the e-mail text tells you the password for the ZIP file, but the mail scanners haven’t been made so complex as to sniff it out to be able to recognise the malware within the attachment.
Using your AV for a manual scan of the ZIP file is also unlikely to raise the red flag.
The ZIP files are mailed out with very many random passwords used for their encryption, meaning there’s no signature common to them (or even a practical subset of them).
Once you’ve typed in the password, I think AV on-access scanning has the opportunity to detect the malevolence of the temporary, unencrypted, file that drops from the ZIP file, and thwart the attack. But you shouldn’t have let things go that far, of course!
Does anyone know anything about the email attachment? What is the naming convention used? What are the typical subjects for the emails?
I’d like to know so I can see whether our email filtering system is picking up any of these emails, and hence the problem is “knocking on our door” so to speak.
I know Sophos should block the attachment, and our application control should also block execution of the program, but I’d like to know whether my company is under threat from this malware.
Thanks,
Steve