The US Government's Computer Emergency Readiness Team (US-CERT) has warned of an upsurge in the CryptoLocker ransomware virus.
CryptoLocker, which was first spotted in September, is a Trojan that is spread mainly through fake emails that mimic the look of legitimate businesses or via phony FedEx and UPS tracking notices. According to US-CERT, some users have also become infected following a previous botnet attack.
The agency said CryptoLocker “is associated with an increasing number of ransomware infections”.
The virus infiltrates the computer, then encrypts files on it and on any mapped network drives. Once it has locked the user out, it demands a MoneyPak or Bitcoin payment within three days. Victims who pay the ransom receive a key that unlocks their encrypted files. According to the Bleepingcomputer.com IT support service, the ransom is currently two bitcoins or roughly £250.
However, on 1 November, the CryptoLocker developers twisted the knife by letting users recover beyond the three-day time limit - at a cost of 10 bitcoins or over £1,300.
US-CERT urges “users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident”, adding that anyone infected should immediately disconnect that system from the network and change all passwords once the malware is removed.
British security expert Mike Auty, senior security researcher at UK-based MWR InfoSecurity, confirmed that CryptoLocker is particularly virulent.
“It does have strong encryption,” Auty told SC Magazine UK. “The way that they have designed it makes it infeasible to recover from. They definitely took the time and effort to design it well. They haven't made any obvious mistakes.”
Auty said the security community had not yet tracked down the virus authors “because they are using an anonymising service to publish the website that you visit to be able to gain access to it”.
Asked about the choice of paying up or not, Auty said that it was, “…a very tough line. First off the decryption doesn't always work. And secondly it is extortion and if you allow yourself to be extorted there is nothing to stop them upping the price or doing it again to you.”
Auty suggested the best way to prevent infection was to have a good backup system. But he also said that, before it starts encrypting, the virus has to communicate with its command-and-control server using a domain it generates, whose name is derived from the time when the infection occurred. Knowing the time of the infection, an enterprise could identify the domain name and block traffic to it.
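The blocking approach Auty describes, as an added illustration that is not part of the original article and does not use CryptoLocker's real domain-generation algorithm: the `placeholder_domain` function, the assumed 50 domains per day, the DNS log format and the IP addresses are all constructed for the example. It shows the defender's workflow the article outlines: from a known infection time, reproduce the candidate domains for a window around that date, emit a sinkhole blocklist, and check DNS query logs for any host that has already resolved one of them.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Constructed stand-in for a time-seeded domain generator. This is NOT the
# CryptoLocker algorithm; it is a placeholder with the one property that
# matters to a defender: the domain depends only on the date, so anyone who
# knows the infection date can reproduce the same candidate list.
TLDS = ("com", "net", "org", "biz")
DOMAINS_PER_DAY = 50  # assumed count, chosen for the illustration only


def placeholder_domain(day, index):
    """Deterministic 12-letter label derived from the date and a per-day index."""
    digest = hashlib.sha256(f"{day:%Y-%m-%d}:{index}".encode()).hexdigest()
    label = "".join(chr(ord("a") + int(digest[i:i + 2], 16) % 26) for i in range(0, 24, 2))
    return f"{label}.{TLDS[index % len(TLDS)]}"


def candidate_domains(infection_time, days_before=1, days_after=1):
    """Every domain the placeholder generator would produce in a window
    around the infection date. The window absorbs clock skew between the
    infected host and the reporting user."""
    first = infection_time.date() - timedelta(days=days_before)
    domains = set()
    for offset in range(days_before + days_after + 1):
        day = first + timedelta(days=offset)
        for index in range(DOMAINS_PER_DAY):
            domains.add(placeholder_domain(day, index))
    return domains


def blocklist_lines(domains):
    """Render the candidates as hosts-file style sinkhole entries, sorted so
    the generated file diffs cleanly between runs."""
    return [f"0.0.0.0 {d}" for d in sorted(domains)]


# Assumed log layout for the constructed sample: "<timestamp> client=<ip> query=<name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+)$")


def find_hits(log_lines, domains):
    """Return (timestamp, client, domain) for every query that matches a
    candidate domain. Trailing dots and case are normalised first so a
    fully-qualified or upper-cased query still matches."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        qname = m["qname"].rstrip(".").lower()
        if qname in domains:
            hits.append((m["ts"], m["client"], qname))
    return hits


# Constructed sample input: one reported infection time and a few DNS log lines,
# two of which resolve a candidate domain (built with the placeholder generator).
INFECTION_TIME = datetime(2013, 11, 6, 10, 12, 33)
SAMPLE_LOG = [
    "2013-11-06T10:12:40 client=10.0.0.12 query=www.example.com",
    f"2013-11-06T10:12:41 client=10.0.0.12 query={placeholder_domain(INFECTION_TIME.date(), 7)}.",
    "2013-11-06T10:13:02 client=10.0.0.30 query=updates.example.net",
    f"2013-11-07T08:01:10 client=10.0.0.44 query={placeholder_domain(INFECTION_TIME.date() + timedelta(days=1), 3)}",
]

if __name__ == "__main__":
    blocklist = candidate_domains(INFECTION_TIME)
    print("\n".join(blocklist_lines(blocklist)[:5]), "\n...")
    for ts, client, qname in find_hits(SAMPLE_LOG, blocklist):
        print(f"{ts} {client} resolved candidate domain {qname}")
```

The log scan matters as much as the blocklist: a host that already resolved one of the candidate names has very likely completed the check-in Auty describes and should be isolated, whereas the blocklist only helps machines that have not yet reached that step. Swap `placeholder_domain` for whatever generator a vendor write-up documents and the rest of the workflow is unchanged.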
Otherwise, Auty said, because “so far the virus only stores itself in very specific, fixed, predictable locations”, domain administrators could apply software policy rules to stop unknown programs in that particular directory being run.
After infection, there is nothing you can do except pay the ransom or restore from backup, he said.
Auty said good technical write-ups on the ransomware are available from the Bleepingcomputer.com website and from Emsisoft, who were one of the first companies to analyse the ransomware when it first appeared in September.
In a 6 November blog post, security expert Brian Krebs called CryptoLocker “a diabolical new twist on an old scam. The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc — as well as any files on attached or networked storage media.”