From Digibase Knowledge Base
Jump to: navigation, search

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Cryptolocker Malware Spreading

Keywords: Cryptolocker, Malware, Encryption, Corruption of user files, Data damage, Email, Infection, NCA, Windows, Microsoft

DBSA ID: 2013-0008

Regarding: Cryptolocker Malware Spreading

Writeup: Kradorex Xeron (talk) 14:56, 15 November 2013 (EST)

Date: 2013 11 15

Last Modified: 20131115162911 by Kradorex Xeron

Who should take note: Microsoft Windows users, administrators, companies operating Windows networks, et al.


Priority: HIGH

Rationale: Users and organizations must act to ensure their data is not damaged by this malware.

Severity: HIGH

Rationale: Systems infected by the malware can have data rendered irretrivable without payment of a ransom, essentially corrupting data.


Rationale: All users of Microsoft Windows are suseptable.


Cryptolocker is an item of malware that is delivered via official-looking emails. These emails can be sourced from potentially known shipping companies or financial institutions. Once executed, this malware proceeds to encrypt both local and all network drives that the current user has write access to. This malware has been known to have significant essentially irreversable impact to company networks as it may encrypt any hot backups in place.

After encryption is completed (often done slowly as so it isn't noticed until it is completed), the malware then presents a dialog box demanding ransom in roughly the amount of $600-800 at this time of advisory that may only be submitted by untracable means as per the demands. The malware claims to provide a decryption key to reverse encryption once the ransom is paid.

The encryption utilized is an advanced configuration that cannot be brute force. The only known decryption key is hosted on a remote server and has a countdown clock until the key is destroyed (indicated by the 72 hour clock provided by the malware).


All affected parties are advised to be extremely suspicious of all attachments from shipping companies, financial institutions or other official emails. Confirm receipt of any email attachments using known good contact information. Do not use "Reply" or the "From:" email address to confirm. DO *NOT* OPEN ANY ATTACHMENTS UNTIL POSITIVE CONFIRMATION CAN BE MADE.

Offline, air-gapped (backups without any connection to active computers or networks) backups are strongly advised to be created and maintained as per good computing practices in the event of Cryptolocker execution.

The only stable remediation for a Cryptolocker infection is to treat an infected system as compromised and wipe and reload all files from offline backup. Any data on network shares corrupted must be deleted and restored from offline backup.

Organizations are advised to limit the scope of any employee and management access and/or seperate network file shares into multiple, smaller shares and only have shares activated when data is actively being utilized from the share the data is on in prevention if an infection occurs.