1.0 Introduction
Recently, MyCERT has been receiving several incident reports related to ransomware threats from our constituency. The ransomware, known as CryptoLocker, is currently becoming a global threat, especially in Europe and the USA, and has serious impacts on affected computers and victims. CryptoLocker is a type of Trojan program that infects unprotected computers and attempts to extort money from victims by encrypting the files and documents stored on them.
CryptoLocker is also detected by Sophos as Troj/Ransom-ACP. Normally, ransomware just locks an infected computer and demands money from the victim to unlock it. Such threats can usually be removed without paying up, using a decent anti-virus program as a recovery tool. CryptoLocker, however, leaves the computer and its software working but encrypts personal files such as documents, spreadsheets and images. The criminals retain the only copy of the decryption key on their server; it is not saved on the infected computer, so the victim cannot unlock the files without the criminals' assistance.
2.0 Mode of Infection
CryptoLocker spreads primarily through fraudulent emails that impersonate legitimate business correspondence, for example fake FedEx and UPS tracking notices. Once the user opens the malicious attachment, CryptoLocker installs itself on the user's system, scans the hard drive and encrypts the files. All affected files are rendered inaccessible until the user pays a ransom to receive a decryption key.
In addition, there have been reports of victims on whose computers the malware appeared following a previous infection by one of several botnets frequently leveraged in the cyber-criminal underground.
3.0 Impact
3.1 The ransomware has the ability to find and encrypt files located on mapped network drives and file shares, USB drives, external hard drives and even some cloud storage drives.
3.2 The ransomware then connects to the attackers' command and control (C&C) server so that the private half of the asymmetric key pair stays out of the victim's reach. Victim files are encrypted using that key pair: the public key is sufficient to encrypt them, but only the private key held on the attackers' server can decrypt them.
3.3 The ransomware demands that the victim pay within three days in order to receive the decryption key for their files. The key is unique to each infected computer, so a victim cannot use someone else's key to unscramble their files.
3.4 CryptoLocker does not propagate itself across the network like a worm, but it can still affect a network, because it searches extensively, including mapped drives and shares, for files to encrypt.
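A check a defender can run over a file share to catch the outcome described in 3.1 and 3.4, as an added example that is not code from the MyCERT advisory or from the malware itself: it walks a directory tree and flags files whose extension promises a known document or image format but whose leading bytes no longer match that format's header and are near-random, which is what a document looks like after its contents have been replaced by ciphertext. The file names, directory layout and the 7.5 bits-per-byte entropy threshold are assumptions made for this example; the sample share is constructed in a temporary directory so the script runs offline.

```python
import math
import os
import random
import tempfile
import zipfile
from collections import Counter

# Leading bytes ("magic") that files of these types always start with.
# A file that still carries one of these extensions but no longer begins
# with the matching bytes has had its contents replaced, which is what
# bulk file encryption looks like from the outside.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}

# Bits per byte (assumed threshold): uniformly random or well-encrypted data
# approaches 8.0, while plain text and most office formats sit well below this.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """Flag a file only if BOTH hold: its extension promises a known format
    whose header is missing, and its leading bytes are near-random.
    Either signal alone false-positives: docx/xlsx/jpg/png are compressed and
    legitimately high-entropy, and a misnamed plain-text file has the wrong
    header but low entropy."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return False
    with open(path, "rb") as f:
        head = f.read(4096)
    if head.startswith(magic):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_share(root: str):
    """Walk a share; return (sorted list of suspect paths, number of files checked)."""
    suspects, checked = [], 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in MAGIC:
                continue
            checked += 1
            path = os.path.join(dirpath, name)
            if looks_encrypted(path):
                suspects.append(path)
    return sorted(suspects), checked


def build_sample_share() -> str:
    """Create a constructed stand-in for a network share in a temp directory.
    All contents are made up for this example; the "encrypted" files are
    pseudo-random bytes standing in for ciphertext."""
    root = tempfile.mkdtemp(prefix="share_")
    rng = random.Random(2013)

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    # Intact files that must NOT be flagged
    with open(os.path.join(root, "policy.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50)
    with zipfile.ZipFile(os.path.join(root, "minutes.docx"), "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document>" + "meeting " * 500 + "</w:document>")
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + noise(4000))  # high entropy but valid JPEG header
    with open(os.path.join(root, "notes.pdf"), "wb") as f:
        f.write(b"plain text that someone misnamed .pdf\n" * 40)  # wrong header, low entropy

    # Files whose contents were overwritten with ciphertext
    sub = os.path.join(root, "finance")
    os.mkdir(sub)
    for name in ("budget.xlsx", "report.pdf"):
        with open(os.path.join(sub, name), "wb") as f:
            f.write(noise(4096))
    return root


def run_demo():
    """Build the sample share, scan it, and return (suspect basenames, files checked)."""
    suspects, checked = scan_share(build_sample_share())
    return sorted(os.path.basename(p) for p in suspects), checked


if __name__ == "__main__":
    names, checked = run_demo()
    print(f"checked {checked} files, {len(names)} look encrypted: {names}")
```

Requiring both a missing header and high entropy is what keeps the check quiet on a healthy share: compressed formats such as DOCX and JPEG are high-entropy by design, and a misnamed text file has the wrong header but low entropy, so neither is reported. Run against a real share, a sudden jump in the suspect count across many directories is the signal that a machine with write access to that share is encrypting files.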
4.0 Affected Systems
The ransomware infects the following Microsoft Windows operating systems:
4.1 Windows 8
4.2 Windows 7
4.3 Windows Vista
4.4 Windows XP
5.0 Preventions
5.1 Patch the operating system and software. Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software are up to date and operational.
5.2 Regularly back up the data stored on your computer, and keep the backup disconnected from the computer when it is not in use, since the ransomware also encrypts files on attached USB drives, external hard drives and network shares. If you become infected with ransomware, you will still have access to your personal files.
5.3 Use extra caution when opening email attachments, as they may contain malware; this threat is often spread by malicious attachments in email.
5.4 Do not pay the ransom. Even if it is paid, there is no guarantee that the criminals behind the ransomware will provide the decryption key.
5.5 If you are a victim of Ransomware, report it immediately to the respective Law Enforcement Agencies or to relevant CERTs/CSIRTs for assistance.
MyCERT can be reached through the following channels for further assistance:
E-mail : [email protected]
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT email complaint to 15888
Business Hours: Mon - Fri 08:30 -17:30 MYT
Web: https://www.mycert.org.my
6.0 References
- http://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2
- http://www.f-secure.com/en/web/labs_global/removal/removing-ransomware
- http://www.comodo.com/news/press_releases/2013/11/comodo-endpoint-security-protects-cryptoLocker-ransomware-virus.html
- http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx
- http://www.us-cert.gov/ncas/alerts/TA13-309