DBSA:2013-0008
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant; please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Digibase Security Advisory - Cryptolocker Malware Spreading
Keywords: Cryptolocker, Malware, Encryption, Corruption of user files, Data damage, Email, Infection, NCA, Windows, Microsoft
DBSA ID: 2013-0008
Regarding: Cryptolocker Malware Spreading
Writeup: Kradorex Xeron 14:56, 15 November 2013 (EST)
Date: 2013 11 15
Last Modified: 20131115152805 by Kradorex Xeron
Who should take note: Microsoft Windows users, administrators, companies operating Windows networks, et al.
Classification
Priority: HIGH
Rationale: Users and organizations must act to ensure their data is not damaged by this malware.
Severity: HIGH
Rationale: Systems infected by the malware can have data rendered irretrievable without payment of a ransom, essentially corrupting data.
Spread of Issue: SINGLE-PLATFORM HIGH
Rationale: All users of Microsoft Windows are susceptible.
Description
Cryptolocker is an item of malware that is delivered via official-looking emails. These emails purport to come from shipping companies or financial institutions the recipient may know. Once executed, the malware proceeds to encrypt files on local drives and on every network drive to which the current user has write access. This malware has been known to have significant, essentially irreversible impact on company networks, as it may also encrypt any hot backups in place.
After encryption is completed (often carried out slowly so that it is not noticed until complete), the malware presents a dialog box demanding a ransom of roughly $600-800 at the time of this advisory, payable only by untraceable means as specified in the demand. The malware claims to provide a decryption key to reverse the encryption once the ransom is paid.
The encryption used is a strong configuration that cannot be brute-forced; the decryption key is held on a remote server and is destroyed when a countdown expires (the 72-hour clock displayed by the malware).
Mitigation/Solution
All affected parties are advised to be extremely suspicious of all attachments from shipping companies, financial institutions or other official emails. Confirm receipt of any email attachments using known good contact information. Do not use "Reply" or the "From:" email address to confirm. DO *NOT* OPEN ANY ATTACHMENTS UNTIL POSITIVE CONFIRMATION CAN BE MADE.
Offline, air-gapped backups (backups with no connection to active computers or networks) should be created and maintained, as good computing practice dictates, so that data can be recovered in the event of Cryptolocker execution.
The only reliable remediation for a Cryptolocker infection is to treat an infected system as compromised: wipe it and reload all files from offline backup. Any data on network shares that has been corrupted must be deleted and restored from offline backup.
Organizations are advised to limit the scope of employee and management access, and/or to separate network file shares into multiple smaller shares that are connected only while the data on them is actively in use, so that an infection cannot reach data the user does not need.
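Because the encryption run described above is deliberately slow, a share can be watched for its footprint: many recently rewritten files whose contents look like ciphertext. The following is an added example, not part of this advisory or of any referenced tool; the entropy cut-off, the time window, the alert count and the skipped archive/media suffixes are all assumptions to be tuned per environment, and the sample share it builds is constructed.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from time import time

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off, ciphertext sits near 8.0
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read
# Legitimately compressed/encoded formats are high-entropy too; skip them to limit false alarms.
SKIP_SUFFIXES = {".zip", ".7z", ".gz", ".jpg", ".png", ".mp4"}

def shannon_entropy(data):
    """Shannon entropy in bits per byte: ~8.0 for ciphertext, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_suspect_files(root, window_seconds=900, threshold=ENTROPY_THRESHOLD, now=None):
    """Files under root modified within the window whose head looks encrypted."""
    now = time() if now is None else now
    suspects = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() in SKIP_SUFFIXES:
            continue
        if now - path.stat().st_mtime > window_seconds:
            continue  # not touched lately, so not part of an ongoing encryption run
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        if shannon_entropy(head) >= threshold:
            suspects.append(path)
    return suspects

def encryption_in_progress(root, min_suspects=5, **kwargs):
    """True when enough recently rewritten files look like ciphertext to raise an alert."""
    return len(find_suspect_files(root, **kwargs)) >= min_suspects

def build_sample_share():
    """Constructed sample: a scratch directory with 6 'encrypted' files, 2 documents, 1 archive."""
    share = Path(tempfile.mkdtemp(prefix="share_"))
    for i in range(6):
        (share / f"report{i}.docx").write_bytes(os.urandom(16 * 1024))  # stands in for ciphertext
    (share / "notes.txt").write_text("meeting notes: quarterly budget review\n" * 200)
    (share / "memo.txt").write_text("Please review the attached proposal.\n" * 100)
    (share / "photos.zip").write_bytes(os.urandom(16 * 1024))  # high-entropy but skipped by suffix
    return share

if __name__ == "__main__":
    share = build_sample_share()
    print("suspect files:", sorted(p.name for p in find_suspect_files(share)))
    print("alert:", encryption_in_progress(share))
```

Run it periodically against a share from a monitoring host with read-only access; the share being scanned should never be writable from the scanning account.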
References
- The UK National Crime Agency (NCA) issued an alert on this issue: http://www.nationalcrimeagency.gov.uk/news/256-alert-mass-spamming-event-targeting-uk-computer-users
- http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/