Crypto Locker Ransomware Trojan Virus & Why You Should Pay Special Attention!
Widely believed to have first appeared on the internet on 5 September 2013, CryptoLocker is a ransomware Trojan targeted at computers running Microsoft Windows® operating systems. It was spread primarily through infected email attachments and, later, through an existing botnet (Gameover ZeuS). Once activated it encrypts selected file types on the local disk and on any mounted or mapped network drives, using a fresh AES key for each file and protecting that key with RSA public-key cryptography so that only the attackers can recover it.
Infections from CryptoLocker rocketed after it first appeared online, causing damage and disruption to hundreds of thousands of personal and business systems and netting the perpetrators millions of dollars in ransom before the botnet distributing it was disrupted in mid-2014 (Operation Tovar).
CryptoLocker holds users to ransom by encrypting their data files rather than the programs on the machine: pictures, music, videos, spreadsheets and Word documents, exactly the files most valuable to a user's daily work.
The attackers then demand a ransom of a few hundred dollars (the amount varied between campaigns and rose over time), usually against a deadline of around 72 to 96 hours, in exchange for the private key needed to decrypt the files. Payment is demanded in Bitcoin or in prepaid cash vouchers, with the threat that the private decryption key will be destroyed when the timer expires.
Watch CryptoLocker In Action
The main technique used to perform this type of attack is social engineering: the user is tricked into opening a password-protected ZIP file attached to an email that falsely claims to come from a logistics or courier company.
Including the password required to open the archive in the body of the same email lends the message a further air of legitimacy. The Trojan inside the archive then takes advantage of Windows Explorer's default setting of hiding the extensions of known file types: a file named Invoice.pdf.exe is displayed as Invoice.pdf, disguising its true .EXE extension, and the file carries a PDF-style icon to complete the effect.
All that is required from this point is for the user to run the program. The Trojan then becomes memory resident on the target machine and takes the following actions:
- It copies itself, under a random name, into the user's profile under %AppData% or %LocalAppData%.
- It adds a value under the Run key in the registry so that the malware is launched every time the user logs on.
- To ensure its main process is never terminated, it spawns two copies of itself; the second watches the first and relaunches it if it is killed, which makes manual removal on a running machine difficult.
Encryption Algorithm Deployed by CryptoLocker Trojan
For each file it encrypts, the Trojan generates a fresh random symmetric key and encrypts the file contents with AES. That per-file key is then encrypted with an asymmetric algorithm (RSA) under a public key whose matching private key exists only on the attackers' server; the RSA key pair is 2048 bits long and is generated per victim. The RSA-wrapped AES key is stored alongside the ciphertext in the encrypted file, so every file carries everything the attackers need to decrypt it, but nothing the victim can use.
This layered scheme ensures that only the holder of the private RSA key can recover the random key used to encrypt each file; attacking AES or RSA-2048 directly is not feasible. In addition, because the malware writes the encrypted data over the original file rather than creating a separate copy, the plaintext cannot be carved back from unallocated disk space with ordinary data-recovery or forensic tools. What may survive are copies held elsewhere: Volume Shadow Copies, where the malware has not deleted them (later ransomware families routinely run vssadmin to remove them), offline backups, and copies of individual documents in email or cloud storage.
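The hybrid scheme just described, as an added worked example written for this page (it is not CryptoLocker's code and does not reproduce its file format). It assumes the `cryptography` package is installed; AES-256-GCM, RSA-2048 with OAEP and the on-disk layout in the comments are illustrative choices. The last function shows why scanning the Trojan away does nothing for the files: without the matching private key the wrapped file key cannot be recovered.

```python
"""Per-file AES key wrapped with an RSA public key, the hybrid scheme
described above.  Added illustration, not CryptoLocker's own code.
Assumptions: the `cryptography` package is installed; AES-256-GCM,
RSA-2048 with OAEP and the layout below are illustrative choices."""
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
NONCE_LEN = 12


def generate_victim_keypair():
    """C&C side: one RSA-2048 pair per victim.  Only the public half is
    ever sent to the infected machine; the private half stays on the server."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def encrypt_file_bytes(plaintext: bytes, public_key) -> bytes:
    """Victim side.  Layout (illustrative):
    2-byte wrapped-key length | RSA-wrapped AES key | nonce | AES-GCM body.
    The AES key is discarded after use; only its wrapped form survives."""
    file_key = AESGCM.generate_key(bit_length=256)
    wrapped_key = public_key.encrypt(file_key, OAEP)
    nonce = os.urandom(NONCE_LEN)
    body = AESGCM(file_key).encrypt(nonce, plaintext, None)
    return len(wrapped_key).to_bytes(2, "big") + wrapped_key + nonce + body


def decrypt_file_bytes(blob: bytes, private_key) -> bytes:
    """Attacker side, or a responder holding a recovered private key:
    unwrap the per-file key, then decrypt the body."""
    wrapped_len = int.from_bytes(blob[:2], "big")
    wrapped_key = blob[2:2 + wrapped_len]
    nonce = blob[2 + wrapped_len:2 + wrapped_len + NONCE_LEN]
    body = blob[2 + wrapped_len + NONCE_LEN:]
    file_key = private_key.decrypt(wrapped_key, OAEP)
    return AESGCM(file_key).decrypt(nonce, body, None)


def recoverable_without_matching_key(blob: bytes, other_private_key) -> bool:
    """Why removing the Trojan does not get the files back: a different
    private key cannot unwrap the file key, so decryption fails."""
    try:
        decrypt_file_bytes(blob, other_private_key)
        return True
    except Exception:  # ValueError from OAEP; InvalidTag from GCM
        return False


if __name__ == "__main__":
    priv, pub = generate_victim_keypair()
    sample = b"Q3 budget - constructed sample document"
    blob = encrypt_file_bytes(sample, pub)
    print("round trip ok:", decrypt_file_bytes(blob, priv) == sample)
    stray_priv, _ = generate_victim_keypair()
    print("decryptable with another key:",
          recoverable_without_matching_key(blob, stray_priv))
```

Note that the per-file key never leaves the machine in clear form and is not derivable from anything left on disk; this is why the only historical free decryption route for CryptoLocker victims was the attackers' private keys themselves, recovered during the 2014 takedown.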
Once the Trojan is activated it proceeds to fetch a public key (PK) from its command-and-control (C&C) server. Rather than carrying a fixed C&C address, it uses a domain generation algorithm (DGA): a pseudo-random generator based on the Mersenne Twister is seeded from the current system date and produces up to 1,000 candidate domain names per day across a handful of fixed top-level domains. The malware works through the day's list until one resolves, while the attackers, who can run the same algorithm in advance, only need to register a few of them. Defenders can run the algorithm too, which is how candidate domains were pre-registered and sinkholed during the takedown.
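An illustrative DGA of the shape described above, and the defender-side use of it, as an added example for this page. It is not CryptoLocker's DGA: the real seed arithmetic, label lengths and TLD set are not reproduced, only the structure (date, Mersenne Twister seed, fixed number of domains over fixed TLDs). Python's `random` module is MT19937, so the output is deterministic for a given day, which is exactly what lets malware, attacker and defender agree on the list. The DNS log format and the TLD list are assumptions.

```python
"""Date-seeded domain generation of the shape described above, plus the
defender's use of it.  Added example, not CryptoLocker's DGA: the real
seed arithmetic, label lengths and TLD set are not reproduced."""
import datetime
import random
import string

TLDS = [".com", ".net", ".biz", ".ru", ".org", ".co.uk", ".info"]  # assumed set
DOMAINS_PER_DAY = 1000


def daily_domains(day: datetime.date, count: int = DOMAINS_PER_DAY) -> list:
    """Malware and defender both derive the same list from the date alone."""
    seed = day.year * 10000 + day.month * 100 + day.day  # illustrative seed
    rng = random.Random(seed)  # Python's Random is MT19937
    domains = []
    for i in range(count):
        label_len = rng.randint(12, 15)
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(label_len))
        domains.append(label + TLDS[i % len(TLDS)])
    return domains


def flag_dga_lookups(dns_log_lines, day: datetime.date, skew_days: int = 1) -> list:
    """Return (client, qname) for each DNS query that hits a candidate domain.
    Adjacent days are included to absorb clock skew between hosts.
    Log format assumed (constructed): '<timestamp> <client-ip> <qname>'."""
    candidates = set()
    for delta in range(-skew_days, skew_days + 1):
        candidates.update(daily_domains(day + datetime.timedelta(days=delta)))
    hits = []
    for line in dns_log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, qname = fields[1], fields[2].lower().rstrip(".")
        if qname in candidates:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    day = datetime.date(2013, 10, 15)
    todays = daily_domains(day)
    tomorrows = daily_domains(day + datetime.timedelta(days=1))
    # constructed sample DNS log: two DGA lookups, one benign query
    log = [
        f"2013-10-15T09:12:03 10.0.0.7 {todays[41]}",
        "2013-10-15T09:12:04 10.0.0.7 www.example.com",
        f"2013-10-15T09:12:05 10.0.0.9 {tomorrows[0]}",
    ]
    for client, qname in flag_dga_lookups(log, day):
        print("DGA lookup from", client, "->", qname)
```

In practice the candidate set is pushed to a DNS sinkhole or resolver blocklist each day; a host querying many of the day's names in quick succession is the infection looking for a live C&C, and is worth isolating before it finds one.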
After downloading the public key, the Trojan stores it in the Windows registry as:
HKCU\Software\CryptoLocker\PublicKey
It then begins encrypting files on the hard disk and on any shared or mapped network drives it can write to. The extensions it targets cover common office documents, images and other user data rather than program files.
The Trojan keeps a log of every file it has encrypted in the registry under:
HKEY_CURRENT_USER\Software\CryptoLocker\Files
This list is valuable to a responder: it is the inventory of what must be restored from backup or shadow copies, so export it before removing the malware.
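A triage parser for that registry artefact, as an added example for this page (not from the original article or from any CryptoLocker tooling). It assumes the key has been exported with `reg export HKCU\Software\CryptoLocker` in the standard .reg text format, and that the value names under Files are the encrypted paths; the constructed sample writes local paths with `?` in place of `\`, a form that has been reported for this key, and the parser accepts either. Everything in the sample export, including the shortened public-key bytes, is constructed.

```python
"""Triage of a `reg export HKCU\\Software\\CryptoLocker` dump: recover the
stored public key and the list of encrypted files from the Files key.
Added example, not from the original article; .reg layout and the '?'
path form are assumptions, and the sample export is constructed."""
import re
from collections import defaultdict

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CryptoLocker]
"VersionInfo"=hex:00,00,00,01
"PublicKey"=hex:30,82,01,0a,02,82,\
  01,01,00,c3

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:?Users?alice?Documents?budget.xlsx"=dword:00000000
"C:?Users?alice?Pictures?holiday.jpg"=dword:00000000
"\\\\FILESRV\\Finance\\Q3\\forecast.docx"=dword:00000000
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_cryptolocker_export(text: str) -> dict:
    """Return {'public_key': bytes, 'files': [paths...]} from .reg text."""
    result = {"public_key": b"", "files": []}
    section = None
    pending = ""  # .reg wraps long hex values with a trailing backslash
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        key = KEY_LINE.match(line)
        if key:
            section = key.group(1).lower()
            continue
        value = VALUE_LINE.match(line)
        if not value or section is None:
            continue
        name, data = value.group(1), value.group(2)
        name = name.replace("\\\\", "\\").replace('\\"', '"')  # undo .reg escaping
        if (section.endswith("\\cryptolocker") and name.lower() == "publickey"
                and data.startswith("hex:")):
            result["public_key"] = bytes.fromhex(data[4:].replace(",", "").strip())
        elif section.endswith("\\cryptolocker\\files"):
            if "\\" not in name:
                name = name.replace("?", "\\")  # '?' form of local paths
            result["files"].append(name)
    return result


def files_by_location(paths) -> dict:
    """Group encrypted paths by drive letter or UNC share, showing at a glance
    which local volumes and which network shares need restoring."""
    groups = defaultdict(list)
    for path in paths:
        if path.startswith("\\\\"):
            parts = path.split("\\")
            root = "\\\\" + parts[2] + "\\" + parts[3]
        else:
            root = path[:2]
        groups[root].append(path)
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_cryptolocker_export(SAMPLE_REG)
    print("public key bytes:", len(parsed["public_key"]))
    for root, files in files_by_location(parsed["files"]).items():
        print(root, "->", len(files), "file(s)")
```

The grouped output answers the first scoping question in an incident: which shares were reachable from this user's session, and therefore which other machines' data is affected even though they were never infected themselves.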
Once the encryption is
complete, a splash screen is displayed to the user demanding a ransom payment
of varying amounts against a time limit. The hackers typically threaten to
delete the private decryption key they now hold on their servers.
Removing the CryptoLocker Trojan Virus and Restoring Encrypted Files
If the infected computer is part of a network, isolate it from the rest of the network immediately. CryptoLocker does not copy itself to other machines, but it encrypts every file it can reach on shared and mapped drives, so every minute the machine stays connected costs more files. Pulling the network cable or disabling Wi-Fi is enough; do not power the machine off until you have decided whether you need a memory image or disk image for investigation.
Running a reputable anti-malware program such as Malwarebytes® or SpyHunter® on a full system scan will detect and remove the malware, and a second scan with a different product such as BullGuard® gives extra assurance that nothing memory-resident remains. Run the same scan on any other computer that shares drives with the infected machine. Bear in mind that removing the Trojan does not decrypt anything: the files stay encrypted, and if you delete the malware before exporting the HKCU\Software\CryptoLocker registry keys you lose the list of affected files. Before wiping, also check whether Volume Shadow Copies still exist, as they are often the quickest route to recovery.
Recovery from a CryptoLocker Trojan Attack by Restoring Encrypted Files
If these attacks teach us one thing, it is the absolute importance of taking regular differential and full backups, keeping at least one copy offline or otherwise out of reach of the infected machine, and having a well-documented disaster recovery plan.
Unlike attacks that aim to steal your data and sell it to other criminals, CryptoLocker costs its victims many productive hours by blocking access to their own files, with the ultimate aim of extorting money from them.
Method 1: Decrypt Encrypted Files on Android Devices with the Avast® Ransomware Removal Tool.
The tool is free on the Google Play Store®, as are many other Avast products, and can scan for and decrypt files encrypted by Android ransomware families such as SimpLocker. Note that this is an Android tool: it cannot decrypt files encrypted by the Windows CryptoLocker Trojan, whose only genuine free decryption route was the DecryptCryptoLocker service that FireEye and Fox-IT built from private keys recovered during the 2014 takedown.
Good news for Android device users: the Avast Ransomware Removal tool is an effective anti-malware program for that platform. Uninstall the app after decrypting your files to hand full control of the device back to you.
If, as an administrator, you judge an attack via spam email to be likely, a desktop product such as Avast Internet Security 2016® adds an anti-virus engine that detects malware, spyware, phishing and ransomware, a firewall, and a sandbox that lets you open downloaded software in an environment sealed off from the rest of the PC, which is a sensible way to handle an unexpected attachment. It also includes a scanner for devices on the home network.
Method 2: This is where the practice of regular backups comes to the rescue. Many forms of backup exist, from local NAS devices such as Synology® drives to cloud backup from providers like Symantec and CloudBerry and archive storage such as Glacier vaults on Amazon Web Services (AWS). To avoid paying the ransom, the best route is to wipe the infected system and restore all files from a known-good full backup. One caveat: a backup drive that is permanently mapped to the infected machine is just another drive to CryptoLocker, so only backups that were offline, versioned, or write-protected at the time of infection can be trusted.
Method 3: Try the Previous Versions feature of Windows, which exposes copies of files saved automatically by System Restore and the Volume Shadow Copy service. Right-click the file or folder, choose Properties, and look under the Previous Versions tab.
Method 4: Using Shadow Volume Copies with Shadow Explorer:
- Download and install Shadow Explorer, which runs on Windows Vista, Windows 7 and Windows 8. It relies on the Volume Shadow Copy service, so shadow copies must have existed before the infection; run vssadmin list shadows from an elevated command prompt first, and if nothing is listed this method cannot help.
- Launch Shadow Explorer and select one of the available point-in-time shadow copies from the drop-down list. Choose the drive and the most recent date before the infection that you want to restore from.
- Right-click any encrypted file, or an entire folder, and choose Export. You will be prompted for the location to restore to. This process may recover all of the encrypted files or only a percentage of them, depending on how recent the shadow copy is.
How to Avoid Infection from CryptoLocker Trojan Virus
As already discussed above,
the CryptoLocker malware is spread via email using social engineering
techniques. Therefore, that should be your main point of defence against the
Trojan.
- Using an email filtering service such as Spam Arrest, Symantec MessageLabs® or Mimecast, with strict rules for incoming and outgoing mail, limits the exposure of internal addresses and lets you block or quarantine executable content inside archives before it reaches a mailbox.
- Limiting the range of company Wi-Fi and hiding the SSID does little against an email-borne Trojan; what limits the damage is restricting which network shares each user can write to, since CryptoLocker encrypts every share the logged-on user has write access to.
- Carefully scrutinising emails from unknown senders, especially those with attachments, and treating any archive whose password is supplied in the same message as suspect.
- Turning off 'Hide extensions for known file types' in Windows Explorer so that a file such as Invoice.pdf.exe is shown with its real extension.
- Blocking execution of programs from %AppData% and %LocalAppData% with Software Restriction Policies or AppLocker, since that is where the Trojan drops itself.
- Ensuring your backup systems are up to date and regularly tested, with at least one copy kept offline. This turns incident response after an attack into a restore rather than a negotiation.
- In the unfortunate event that your systems are infected and you have no backups, it is still recommended not to pay the ransom. Not only does paying fund the attackers' business model, there have been reported cases where the ransom was paid in Bitcoin and the files remained encrypted.
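The lure described earlier (a password-protected ZIP carrying an executable whose double extension Explorer hides) and the email-filtering and hidden-extension points in the list above, brought together in an added example written for this page: the kind of check a mail gateway or a cautious administrator can run on an attachment before anyone opens it. It is not code from the original article; the sample archive is constructed in memory with a harmless stand-in for the executable, and the extension lists are assumptions.

```python
"""Mail-gateway style inspection of a ZIP attachment for the lure pattern
described above: an executable with a double extension that Explorer
would display as a document.  Added example, not from the original
article; the sample archive is constructed and the extension lists are
assumptions."""
import io
import zipfile

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                  "vbs", "vbe", "wsf", "hta", "cpl", "msi", "lnk"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                "txt", "rtf", "jpg", "png"}


def build_sample_lure() -> bytes:
    """Constructed stand-in for the courier-themed lure: one fake 'PDF'
    that is really a PE (just the MZ magic), one genuine-looking PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2013-09-05.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Shipping_label.pdf", b"%PDF-1.4 constructed\n")
    return buf.getvalue()


def explorer_display_name(name: str) -> str:
    """What the user sees with 'Hide extensions for known file types' on:
    the final known extension is dropped, so 'x.pdf.exe' shows as 'x.pdf'."""
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXT | DOCUMENT_EXT:
        return stem
    return name


def inspect_attachment(zip_bytes: bytes) -> list:
    """Return (name, displayed_name, reasons) for each suspicious entry.
    Entry names live in the ZIP central directory unencrypted, so even a
    password-protected archive can be screened by name without the password."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1]
            parts = name.lower().split(".")
            reasons = []
            if parts[-1] in EXECUTABLE_EXT:
                reasons.append("executable extension")
            if len(parts) >= 3 and parts[-2] in DOCUMENT_EXT and parts[-1] in EXECUTABLE_EXT:
                reasons.append("double extension")
            if info.flag_bits & 0x1:  # encrypted entry: content unreadable, name still visible
                reasons.append("password-protected entry")
            else:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append("PE header")  # catches a plain renamed .exe too
            if reasons:
                findings.append((name, explorer_display_name(name), reasons))
    return findings


if __name__ == "__main__":
    for name, shown, reasons in inspect_attachment(build_sample_lure()):
        print(f"{name!r} (user sees {shown!r}): {', '.join(reasons)}")
```

The displayed-name column is the point worth showing users: the archive contains `Invoice_2013-09-05.pdf.exe`, but with extensions hidden the victim sees `Invoice_2013-09-05.pdf`, which is why turning that setting off belongs on the list above.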
Developing Global Ransomware Encryption Attack
On Friday 12 May 2017 the WannaCry ransomware attack sent ripples through some 150 countries, encrypting over 230,000 computers. Systems in India, Russia, Ukraine, Spain, Taiwan, Germany and Britain's National Health Service (NHS) were among the worst affected by the large-scale attack.
Unlike CryptoLocker, WannaCry spread on its own across networks by exploiting an SMBv1 vulnerability for which Microsoft had already released a security update on 14 March 2017 (MS17-010). Its spread was slowed when a security researcher registered an unregistered domain that the malware checked before running; the domain acted as a kill switch and effectively sinkholed the ongoing attack on organisations worldwide.
It is vital that organisations still running Windows XP, Vista and Server 2003/2008 install the critical patches, including the out-of-band updates Microsoft issued for unsupported versions, as variants of WannaCry (also known as Wanna Decryptor, WannaCrypt and WannaCrypt0r 2.0) have reportedly emerged in many countries.
Hope you enjoyed reading our article. Feel free to leave us any comments or make suggestions on how to prevent attacks from CryptoLocker Trojan Malware, via our email info@codexploitcybersecurity.com. Thank you for investing your time with us.
By:codexploitcybersecurity.com Twitter:@ixploitsecurity Facebook: https://www.facebook.com/icybersecure
Credits to all relevant organisations and development teams.
5 Comments:
Nice, this method is working. I also found the Jigsaw Ransomware Removal Tool provided by Bleeping Computer and a ransomware removal tool for decrypting the encrypted files. I hope the ransomware will keep on getting fixed ....
As per infection information released by a notable antivirus company, in the first quarter of 2013 there were more than 250,000 unique samples of ransomware. How can I clean my PC of flooder malware?
There are certainly a lot of details like that to take into consideration. That is a great point to bring up. I offer the thoughts above as general inspiration but clearly there are questions like the one you bring up where the most important thing will be working in honest good faith. I don't know if best practices have emerged around things like that, but I am sure that your job is clearly identified as a fair game. Both boys and girls feel the impact of just a moment's pleasure, for the rest of their lives
How to remove a trojan horse from Windows 7/8/10
Hello,
This is Samuel, I am a technical expert. Thanks for giving me a chance to comment here.
Does your computer have a CryptoLocker ransomware virus? Check out the quick steps to identify it.
If CryptoLocker ransomware is installed on your computer, it will create a random folder under %AppData% or %LocalAppData%. This ransomware will start infecting all your files and encrypt all the files and folders on your computer. The CryptoLocker ransomware changes the names of all the files to ".CryptoLocker" and encrypts them. You can back up your files regularly and run a routine scan on your computer to prevent the CryptoLocker virus from performing actions. If you already have a backup of the encrypted files, you can remove the CryptoLocker virus easily. For detailed step-by-step instructions, refer to https://antivirus-protection.co/cryptolocker-virus-removal
good article about blockchain has given it is very nice thank you for sharing.