DBSA:2014-0014

From Digibase Knowledge Base
Revision as of 01:05, 7 August 2014 by Kradorex Xeron (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Cryptolocker Decryption Available

Keywords: Cryptolocker, Malware, Encryption, Corruption of user files, Data damage, Email, Infection, NCA, Windows, Microsoft

DBSA ID: 2014-0014

Regarding: Cryptolocker Decryption Available

Writeup: Kradorex Xeron (talk) 01:38, 7 August 2014 (EDT)

Date: 2014 08 07

Last Modified: 20140807010537 by Kradorex Xeron

Who should take note: All individuals and organizations with outstanding Cryptolocker infections.

Classification

This is unrated as this is an update to DBSA:2013-0008. The original ratings shall remain in place as malware should be approached with caution.

Description

See DBSA:2013-0008 for the original published advisory.

Cryptolocker is an item of ransomware malware that, when installed it covertly, encrypted user data and attempted to extort a sum of money through untrackable money transfer methods. Its mode of operation was to trick a user to open a link in an email or via similar measures to install the trojan. From there it would start encrypting user data mostly through a background program. When complete it would transmit the encryption key (password) to a remote server and there would be no local key. It would then display a warning message extorting money providing a countdown until the remote encryption key would be deleted permanently. This used to mean that data could not be recovered.

Mitigation/Solution

Users with outstanding Cryptolocker infections or files still inaccessible are strongly advised to attempt utilization of the self-serve web tool located at:

This tool's page contains instructions on its usage.

The prior advisory's Mitigation/Solution section stands on all counts as this tool does not work on all ransomware. It is still strongly advised to maintain offline, disconnected backups of data that cannot be accidently altered or corrupted. It is further advised not to open email attachments or links without confirmation that they originate from the true source. Do not simply "Reply" to such mailings but rather use an alternate communication method or failing that use a known good source for the original sender's email address to confirm. Always be cautious and don't open unexpected attachments.

References