CryptoLocker is a type of “ransomware” that encrypts the data on an infected computer so that it can’t be read and then demands payment to decrypt it.
A CryptoLocker attack may come from various sources; one such is disguised as a legitimate email attachment. When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers.
After the initial infection a message is normally displayed to the computer user informing them to pay to gain access to their files.
At this point your files; Normally the target files are office document files and photos as they are deemed very important to individuals.
It targets files with the following extensions:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
When it finds a file matching that extension, it encrypts the file using a public key and then makes a record of the file in the Windows registry under HKEY_CURRENT_USER\Software\CryptoLocker\Files
CryptoLocker typically propagates as an attachment or, it is uploaded to a computer already recruited to a botnet by a previous trojan infection.
To protect yourself you should always keep your systems up to date, be vigilant when opening email attachments and when dealing with sites that attempt to download these infections to your computer.
Most CryptoLocker infection do not require a user to have elevated rights on the machines as it targets anything the local users has access to.
The only way to recover form being infected is to restore the machine and its files from a clean backup.
I suggest using a real-time backup solution such as CrashPlan for something such as this as it supports version controls and point of time backup restoration.
I also suggest using Malwarebytes : Free Anti-Malware to aid in cleanup of the infection; however this does not give you access to files that have already become compromised.
Additional Notes:
CryptoLocker does not need Administrator privileges to run so don’t think you’re safe just because none of your users are domain/local admins. The CryptoLocker.exe is placed in the user’s %appdata% and/or %localappdata% folders which runs under the user’s context and doesn’t require privilege escalation.
What could be done here is to add restrictive policies on the %appdata% and/or %localappdata% folders.
To do this
- Open the Group Policy Editor
- Computer configuration
- Windows settings
- Security settings
- Software Restriction Policies
- Right click and create new
- Go tin click additional rules
Create new path rules for the following
%appdata%\*.exe – Security Disallowed
%localappdata%\*.exe – Security Disallowed
Also message to my fellow systems admin’s:
If you are smart you will also block all executable attachments along with zips that are in emails. This will effectively reduce the footprint of possible infections, via email.
Communicate this with your management;
If they choose not to entertain alternative ways for transfer files then you can rest that you know you’ve taken the proactive and security measures you know, and are confident are best.
Links: