Tips to Avoid Being Bit By Cryptolocker (and What to Do if You Are)

As early as 2007, if not earlier, Windows users encountered the very first rogue antivirus programs. Even today, end users are easily fooled by this vicious type of malware.

As early as 2007, if not earlier, Windows users encountered the very first rogue antivirus programs. Even today, end users are easily fooled by this vicious type of malware.

Developers of rogue antivirus programs usually put a lot of effort into creating GUIs that resemble legitimate antivirus programs or OS components such as Windows Defender.

Contrary to popular belief, rogue AVs aren't exclusive to Windows. In May 2011, the first rogue AV for Mac OS X was discovered. In June of this year, the first Android rogue AV was discovered. If rogue AVs for Linux distros, other Unix/BSD distros, iOS, BlackBerry and Windows Phone don't already exist, they're inevitable.

Because Mac users and mobile device users frequently believe that they're "immune" to malware, rogue AVs for those platforms may be even riskier than the first ones for Windows.

I've never encountered rogue AVs as a user. As an IT security expert, web developer, and occasional white hat "skiddie," (script kiddie) I should know better, so I do. I first encountered rogue AVs while providing remote support to Windows users all across the United States. And, oh boy, did I ever see them a lot back then. I swear, nearly a quarter of my support tickets involved ridding user machines of rogue AVs.

[Windows 8 security unshaken by antivirus vendor's claims]

They usually fooled my customers very well. Either the end user didn't know what AV software they were using, if any, or didn't think it was suspicious to see a program that looks like an antivirus program, but not their antivirus program. I said, umpteen times, "Just let me get rid of it for you, do not, whatever you do, input your credit card number!" "But I just want it to go away!" they'd cry.

Often, between calls, I'd hear my coworkers say the very same thing to customers.

You know what would have happened if my customers had done what the rogue AVs told them to do? The party behind the rogue AV would take their credit card number, validate it, then charge large amounts to it, fraudulently, even though the GUI would say the charge would be $19.99 or something like that. Then, the credit card number might be used for identity theft. On the end user's side, they wouldn't be rid of the rogue AV. In fact, I've had many customers say that after inputting their credit card numbers, their PCs would get even worse. Oh why didn't those customers call me or one of my colleagues before considering doing that?

The bigger picture is that, when end users fall prey to rogue AVs, they not only harm their PCs, mobile devices and themselves, but by making the people who write that sort of malware money, they're encouraging them to keep doing it. It's insidious.

Rogue AVs have been called "scareware" in recent years. Well now, there's a new type of scareware in town!

Introducing the very first rogue cryptography program, CryptoLocker! People discovered CryptoLocker on PCs running Windows XP, Vista, 7, and 8 in September 2013. CryptoLocker doesn't lie quite as much as rogue AVs do. A rogue AV will typically "discover" thousands of malware items on your PC that don't actually exist. "You must pay $19.99 for Antivirus Protector 2013 to protect your PC!" when "Antivirus Protector 2013" is itself the actual malware. CryptoLocker largely does exactly what it says it will do. It will gradually encrypt files and folders on your PC, without giving the user access to the decryption. If the infected PC is a client in a local network that shares files and folders, such as a library or office PC, the shared resources will be encrypted first.

[70 percent of business users vulnerable to latest Internet Explorer Zero-Day]

CryptoLocker will keep on encrypting files until you can't use your favorite applications and documents. Eventually, Windows won't even work properly, because essential OS files, such as dynamic link libraries will be encrypted. And it doesn't matter if you're using an admin account.

The solution, according to the CryptoLocker GUI, is to pay two Bitcoins to the makers of the program. To the uninitiated, Bitcoin is a digital currency that was founded in 2009. When I first checked Bitcoin exchanges in 2011, a Bitcoin was about $5.00 Canadian or $7.00 American. As of this writing in November 2013, a Bitcoin trades for $306.00 American or $323.00 Canadian, so it's a highly volatile currency and it may be continually rising in value. Oh, if only I bought Bitcoins in 2011! I don't think I could afford them now.

If you want to buy Bitcoins yourself, do note that they're perfectly legal to buy and use. Some mainstream banks will sell them to you, or alternatively, you could buy them online via PayPal or a credit card. The only element of illegality is that, because they aren't easily traceable like other methods of payment, they're popular for the use of buying illegal things. For example, the Silk Road was a popular eBay-like store for illegal drugs that existed only through the Tor network, under the .onion top level domain. I never bought anything there, but I took a look at the site for curiosity's sake. It was shut down by authorities as recently as a couple of months ago and the only currency allowed there was Bitcoins.

Now, the makers of CryptoLocker are using the currency. I imagine at this point, too many makers of rogue AVs have been caught by credit card companies, so the CryptoLocker folks have realized that Bitcoins are safer. Bitcoins can be bought with any major currency worldwide, but note that two Bitcoins are now over $600.00 in American or Canadian currency. Ouch!

Lawrence Abrams at Bleeping Computer has written an excellent guide to getting rid of CryptoLocker. Unfortunately, he offers paying CryptoLocker as one of the options for removing it. He even goes so far as to explain how to put CryptoLocker back on your PC if a legitimate AV shield has quarantined it, in order to make the payment. Although users have reported that CryptoLocker actually does decrypt files and goes away after payment, I strongly discourage you from paying them. As I've said about rogue AVs, it only encourages the bastards. If an organized crime member showed up at my apartment, demanding money to stop his gang from burning my building down, I wouldn't pay the gangster, I'd call the cops.

Now, the cops can't help you prevent or get rid of CryptoLocker, so I'll offer my two cents, a tiny fraction of a Bitcoin.

[Kaspersky aims to be 'big boy' of enterprise security world]

To prevent CryptoLocker, you've got to know how users acquire it in the first place. CryptoLocker's victims have reported that it usually starts by them receiving an email that appears to be from UPS or FedEx. Keep in mind, it's really easy to spoof emails if you know how to do it. I've done it myself. Depending on your email program, whether it's a client that runs in your OS, such as Microsoft Outlook or Mozilla Thunderbird, or webmail such as Gmail or Yahoo! Mail, the "from" field could very likely contain "@ups.com" or "@fedex.com" even though the sender doesn't have legitimate use of either domain name. The spoof email could be all text, with very official looking wording, or an HTML email, with very official looking graphics.

The spoof emails make it sound like they're related to tracking a package you're sending or receiving. For that reason, users get fooled most frequently as it gets closer to Christmas, hence CryptoLocker debuting in September 2013. The email will have a .zip archive attached to it, that the body of the email insists you open. When the archive is unzipped, the user will get a double extension file, .pdf.exe has been reported. The file will open in a PDF reader like Adobe Reader or Foxit Reader, but at the same time, a Windows executable will launch on the user's machine, which is the CryptoLocker malware. UAC (user account control) may or may not be triggered. The user's AV shield may or may not catch it. Even if UAC and the user's AV shield do something, the malware may still be installed on the user's machine.

The only thing about CryptoLocker that surprises me, a jaded malware expert, is why the makers bother to create a ZIP file containing a double extension Windows executable. The ZIP file is obviously to escape security components in email clients and webmail that blocks .exe files to prevent malware infection. But it's much easier to file-bind. I've done it myself. There are "skiddie" programs that will take your malware executable, for any platform, and merge it with a seemingly innocuous media file or document, such as a .pdf, a .jpg, or a .doc. If it's bound to a graphic, such as a .jpg, .png or .gif, it can open in an email client or webmail application as a picture in an email; if it's another type of file, like a .mp3, .doc or .pdf, it will launch in the user's default program for the file type in a perfectly normal way. The malicious executable will launch and run in the background, and the user won't notice that anything's wrong until their PC, smartphone, or tablet starts experiencing a problem.

In the case of transmitting the malware the CryptoLocker way, someone who knows more about security than a typical user can notice that something's up. But one of the clever things that CryptoLocker does, if it's true for everyone, is it really does decrypt and rid itself if the user pays the over $600.00 worth of Bitcoins. So, users can tell people in person and online, "Pay them! It worked for me!"

[Rise seen in use of Google service for mobile botnets]

The only way to directly decrypt CrptoLocker's AES and RSA encryption is to either have a supercomputer or computing cluster run a specialized cracking program for several weeks, or actually have the decryption keys that the CryptoLocker folks have. We're still looking for the computers that they use.

If you get infected with CryptoLocker, there are still alternatives to offering those crooks their ransom, because I strongly advise you not to give them money. If you're smart PC user, the contents of your hard disk partition that's infected and is being encrypted will have at least one uninfected back-up. It could be internal, like another disk in a RAID configuration; external, like on a USB, eSATA or FireWire connected external hard disk; or online, on a web-based back-up service, that's often referred to as a "cloud" back-up. I use Dropbox and Google Drive to back up my many documents and media files, but there are other, paid services to back-up actual hard disk partitions, including those that contain operating systems. If you use a web-based backup, you should also have an alternative form of backup on something that's physically in your control, like an internal disk, an external disk, DVDs, or USB flash drives. As trustworthy as Dropbox, Google and other third parties may be, what would you do if you had internet connection problems, or if one of those services loses your data or goes down? That sort of thing has happened, even with services people have paid good money for.

With your back-up in place and restorable, get rid of the CryptoLocker malware. Make sure your AV program has its most recent signatures, then use it to run a scan. Only stay connected to the internet long enough to download new signatures, because CryptoLocker keeps encrypting while you're online, and stops encrypting when you're offline. CryptoLocker has even been known to encrypt while transmitting data online before you've even logged into a user account.

After running your AV shield's scan, you'll probably want to run other removal programs. As with your AV shield, stay online only as long as it takes to download the programs. You'll probably want to boot Windows into safe mode before you run the programs. You can boot into safe mode either by hitting F8 while booting or rebooting Windows or, while booted into Windows, running msconfig to change boot settings. Msconfig can be launched by entering the exact name of the program ("msconfig") via run or cmd.exe. Check the associated checkboxes for safe mode, then reboot.

[Bad Kaspersky antivirus update prevents business and home users from accessing websites]

If you've booted into safe mode properly, your desktop wallpaper will be black with "Safe Mode" and the name of your version of Windows in white text in each of the four corners. Also, a help window will launch, "What is Safe Mode?" To be extra sure that CryptoLocker isn't continuing to run, don't choose "Safe Mode with Networking." Otherwise, you can unplug your Ethernet cable or turn off your WiFi.

The programs I recommend are in this list. Keep in mind, CryptoLocker only affects Windows so far, and these programs are only for removing malware in Windows. I've personally used them literally thousands of times for customers who've paid me to do the work:

ComboFix.

HijackThis. If you don't have lots of experience using HijackThis, choose the option to create a log file. Then copy and paste the log here. The result will tell you which items thousands of users consider malicious. Only remove those items if you want to make sure you don't remove anything that isn't malware.

Malwarebytes' AntiMalware. When I was a Windows remote support employee, we referred to it as MBAM. You will not only have to be online while downloading the program, you'll also have to be online while downloading the latest signatures. Make sure you're offline when you aren't doing either.

TrendMicro's Fake AV Removal Tool.

This story, "Tips to Avoid Being Bit By Cryptolocker (and What to Do if You Are)" was originally published by CSO .

1 2 Page
Join the discussion
Be the first to comment on this article. Our Commenting Policies