HKCert
Security Blog

Stay Alert for Ransomware "CryptoLocker"

Release Date: 11 / 10 / 2013
Last Update: 17 / 10 / 2013

HKCERT has received incident reports concerning ransomware named "CryptoLocker". The malware reaches victims through phishing emails. Once a machine is infected, the malware encrypts not only the files on that machine but also the files on any network drive connected to it.

Fig 1) Screen of phishing email

Fig 2) Screen of the malware demanding ransom

According to information security websites and blogs around the world, a large number of infections have been reported. CryptoLocker spreads via scam emails carrying a malicious attachment. When a user opens the attachment, CryptoLocker encrypts local and network-shared files with RSA asymmetric encryption. Files with the following extensions are the malware's encryption targets:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx
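The extension list is most useful when it is compared against what is actually backed up. The following PowerShell script is an added example, not code from HKCERT or from this advisory: it walks the folders and shares you name (connected network shares are scanned the same way as local folders, since the advisory notes they are encrypted too) and reports, per location, how many files with these extensions exist, their total size and the most recent modification time. The folder paths in the usage line are placeholders to replace with your own.

```powershell
# Added example (not HKCERT's code): inventory files whose extensions are on the
# CryptoLocker target list, per folder or share, so that backup scope can be
# compared against what an infection would encrypt.

# Extension list exactly as published in the advisory.
$CryptoLockerExtensions = @(
    '3fr','accdb','ai','arw','bay','cdr','cer','cr2','crt','crw','dbf','dcr','der',
    'dng','doc','docm','docx','dwg','dxf','dxg','eps','erf','indd','jpe','jpg','kdc',
    'mdb','mdf','mef','mrw','nef','nrw','odb','odm','odp','ods','odt','orf','p12',
    'p7b','p7c','pdd','pef','pem','pfx','ppt','pptm','pptx','psd','pst','ptx','r3d',
    'raf','raw','rtf','rw2','rwl','srf','srw','wb2','wpd','wps','xlk','xls','xlsb',
    'xlsm','xlsx'
)

function Get-AtRiskFile {
    # Return every file under the given roots whose extension is on the target list.
    # Roots may be local folders, mapped drives or UNC paths.
    param(
        [Parameter(Mandatory)] [string[]] $Root,
        [string[]] $Extension = $CryptoLockerExtensions
    )
    foreach ($r in $Root) {
        # SilentlyContinue skips folders the scanning account cannot read.
        Get-ChildItem -LiteralPath $r -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Extension -contains $_.Extension.TrimStart('.') } |  # -contains is case-insensitive
            ForEach-Object {
                [pscustomobject]@{
                    Root          = $r
                    FullName      = $_.FullName
                    Length        = $_.Length
                    LastWriteTime = $_.LastWriteTime
                }
            }
    }
}

function Get-AtRiskSummary {
    # Per-root totals: file count, size in MB and the newest modification time,
    # which tells you how fresh the backup of that location needs to be.
    param([Parameter(Mandatory)] [string[]] $Root)
    Get-AtRiskFile -Root $Root | Group-Object Root | ForEach-Object {
        $newest = $_.Group | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            Root        = $_.Name
            Files       = $_.Count
            SizeMB      = [math]::Round((($_.Group | Measure-Object Length -Sum).Sum) / 1MB, 1)
            NewestWrite = $newest.LastWriteTime
        }
    }
}

# Usage (placeholder paths): a local documents folder plus a connected network share.
Get-AtRiskSummary -Root 'C:\Users\Public\Documents', '\\fileserver\shared' | Format-Table -AutoSize
```

Run it with the same account that mounts the shares users work on; any root that shows a NewestWrite later than the last successful backup is data that an infection would take with it.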

After the files are encrypted, the malware shows a popup demanding a ransom (around 300 USD, 300 EUR or 2 Bitcoin). It also threatens the victim with a deadline: if payment is not made in time, the only key that can decrypt the files will be deleted.

Fig 3) Screen of malware

So far there is no effective way to decrypt the affected files, so an infection can cause great damage to victims. To avoid infection, HKCERT advises users to:

  1. Beware of suspicious emails. Do not open attachments, especially compressed files (.zip, .7zip) or executable files (.exe).
  2. Install security software and update it to the latest signatures. #
  3. For enterprise or advanced users, you may modify the Local Security Policy to prevent executable files from running under the %AppData% path, which is CryptoLocker's default location. Please refer to: http://www.alaska.edu/files/oit/services/antivirus-phishing/How-to-Modify-Windows-Local-Security-Policy-CryptoLocker.pdf
  4. Back up important documents immediately and regularly. Keep the backups in a safe location so that they cannot be affected by the malware.
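Step 3 points to a PDF that describes the Local Security Policy change by hand. The following PowerShell script is an added example, not HKCERT's code and not the procedure from the linked PDF: it writes the equivalent Software Restriction Policy path rules straight into the local registry, setting executables under %AppData% (and, as an added assumption, %LocalAppData%) to the Disallowed level while the default level stays Unrestricted, so nothing else on the machine is affected. It assumes the documented SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and must run from an elevated prompt; in a domain the same rules belong in a Group Policy Object instead.

```powershell
# Added example (not HKCERT's code): step 3 of the advice as a Software Restriction
# Policy written directly to the local registry. Run as Administrator.
# Assumed layout: ...\Safer\CodeIdentifiers holds one subkey per security level
# (0 = Disallowed, 262144 = Unrestricted); path rules live under <level>\Paths\{GUID}.

$SrpBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Enable-SrpBase {
    # Turn SRP on with an Unrestricted default (0x40000) for all users, so only the
    # explicit Disallowed rules added below change behaviour.
    New-Item -Path $SrpBase -Force | Out-Null
    Set-ItemProperty -Path $SrpBase -Name 'DefaultLevel'       -Value 0x40000 -Type DWord
    Set-ItemProperty -Path $SrpBase -Name 'TransparentEnabled' -Value 1       -Type DWord
    Set-ItemProperty -Path $SrpBase -Name 'PolicyScope'        -Value 0       -Type DWord
}

function Add-SrpDisallowedPath {
    # Create one Disallowed (level 0) path rule. The path may use %AppData%-style
    # variables; it is stored as REG_EXPAND_SZ so SRP expands them per user.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Description
    )
    $key = Join-Path $SrpBase ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTime()) -Type QWord
    return $key
}

function Get-SrpDisallowedPath {
    # List the Disallowed path rules currently in place, for review or for an audit script.
    Get-ChildItem -Path (Join-Path $SrpBase '0\Paths') -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath | Select-Object ItemData, Description }
}

Enable-SrpBase
# %AppData% is the default location named in the advisory; the %LocalAppData% rules
# are an added assumption covering the other per-user profile folder.
Add-SrpDisallowedPath -Path '%AppData%\*.exe'        -Description 'Block .exe directly under AppData\Roaming'      | Out-Null
Add-SrpDisallowedPath -Path '%AppData%\*\*.exe'      -Description 'Block .exe one level below AppData\Roaming'     | Out-Null
Add-SrpDisallowedPath -Path '%LocalAppData%\*.exe'   -Description 'Block .exe directly under AppData\Local'        | Out-Null
Add-SrpDisallowedPath -Path '%LocalAppData%\*\*.exe' -Description 'Block .exe one level below AppData\Local'       | Out-Null
Get-SrpDisallowedPath | Format-Table -AutoSize
```

Log off and on again (or reboot) before testing, so that new processes are checked against the rules. Some legitimate software installs and updates itself from these folders and will be blocked as well, so pilot the rules on a few machines first and add Unrestricted exceptions (rules under the 262144 level key) for anything that breaks. Blocked launches are recorded in the Application event log under the source SoftwareRestrictionPolicies (event ID 866 for a path rule), which is also a cheap detection signal for attempts that the policy stopped.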

For users already affected by the malware, HKCERT suggests:

  1. Isolate and disconnect the infected machine immediately to limit any further damage the malware may cause.
  2. Download Microsoft Safety Scanner (http://www.microsoft.com/security/scanner/) and perform a complete scan to remove the malware.
  3. Restore the files and data from backup.
  4. If no backup was made previously, we suggest not restoring the system, to avoid losing information required for decryption.

# HKCERT analyzed five samples of CryptoLocker; the results show that most security software is capable of detecting this malware. Links to the results are listed below for reference: