If CryptoLocker is teaching enterprise IT and security people anything, it’s that backup is king.

The ransomware is unforgiving; it will find and encrypt documents on local and shared drives and it will not give them back. Experts don’t advise victims to pay the ransom, which means infected computers must be wiped, and lost files must be recovered from backup.

However, one Boston-area forensics specialist and malware analyst working for a large enterprise may have found a reliable way to identify exactly which files CryptoLocker encrypted, which could mean the difference between restoring terabytes of backup data and restoring a few gigabytes.

The infection at this particular enterprise happened in October. A user fell victim to a phishing email and followed a link to a site where CryptoLocker awaited. The malware was detected within a couple of hours by the firm’s antivirus, but not before it had encrypted thousands of files on the local drive and drives mapped to the user’s laptop, and presented the user with the now-familiar bitmap image explaining the attacker’s demand for ransom.

The laptop was pulled from the network, wiped and analyzed. That’s when the analyst, who goes by the Twitter handle @Bug_Bear and asked not to be otherwise identified, noticed that the NTFS Master File Table creation and file modified dates on the encrypted files were unchanged. He then compared those results to the Master File Table from the Windows file server as well, using a pair of tools, analyzeMFT and MFTParser, to go through close to 10GB of Master File Table data.

“Identifying some known encrypted files by the $FN file name, I noted the only date in the MFT record that coincided with the infection was the MFT Entry Date or date the MFT record itself was modified,” he wrote on his Security Braindump blog. “Using this, I filtered out all records that had $SI or $FN time stamps that preceded this.”

Through this method, he was able to identify more than 4,000 files that had been encrypted by CryptoLocker and recover those files from backup.
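The filter described above, written out as an added illustration (not the analyst's own script and not analyzeMFT or MFTParser output): a record is a candidate when its MFT entry modified date falls inside the infection window while every $SI and $FN timestamp predates it. The infection window, field names and sample records are constructed assumptions; a caller would map the parser's CSV columns onto these fields.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real analyzeMFT/MFTParser output); the caller
# maps the parser's columns onto these field names.
INFECTION_START = datetime(2013, 10, 15, 9, 30)       # assumed first sign of infection
INFECTION_END = INFECTION_START + timedelta(hours=2)  # AV caught it a couple of hours later

def _ts(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm)

SAMPLE_RECORDS = [
    # Encrypted document: $SI and $FN untouched, only the MFT entry date moved.
    {"path": r"C:\Users\alice\Documents\budget.xlsx",
     "si_created": _ts(2012, 3, 4, 10), "si_modified": _ts(2013, 6, 1, 14, 20),
     "fn_created": _ts(2012, 3, 4, 10), "fn_modified": _ts(2013, 6, 1, 14, 20),
     "mft_modified": _ts(2013, 10, 15, 9, 41)},
    # Encrypted file on a mapped share, same pattern.
    {"path": r"\\fileserver\projects\report.pdf",
     "si_created": _ts(2011, 8, 9, 8), "si_modified": _ts(2013, 9, 30, 17, 5),
     "fn_created": _ts(2011, 8, 9, 8), "fn_modified": _ts(2013, 9, 30, 17, 5),
     "mft_modified": _ts(2013, 10, 15, 10, 2)},
    # Document the user saved during the window: $SI modified moved as well.
    {"path": r"C:\Users\alice\Documents\notes.docx",
     "si_created": _ts(2013, 2, 1, 9), "si_modified": _ts(2013, 10, 15, 10, 15),
     "fn_created": _ts(2013, 2, 1, 9), "fn_modified": _ts(2013, 2, 1, 9),
     "mft_modified": _ts(2013, 10, 15, 10, 15)},
    # Ransom note bitmap created by the malware: new file, $SI/$FN in-window.
    {"path": r"C:\Users\alice\AppData\Roaming\ransom.bmp",
     "si_created": _ts(2013, 10, 15, 9, 40), "si_modified": _ts(2013, 10, 15, 9, 40),
     "fn_created": _ts(2013, 10, 15, 9, 40), "fn_modified": _ts(2013, 10, 15, 9, 40),
     "mft_modified": _ts(2013, 10, 15, 9, 40)},
    # Untouched file: nothing in the window.
    {"path": r"C:\Users\alice\Pictures\photo.jpg",
     "si_created": _ts(2012, 5, 5), "si_modified": _ts(2012, 5, 5),
     "fn_created": _ts(2012, 5, 5), "fn_modified": _ts(2012, 5, 5),
     "mft_modified": _ts(2012, 5, 5)},
]

CONTENT_FIELDS = ("si_created", "si_modified", "fn_created", "fn_modified")

def looks_encrypted(rec, start, end):
    """MFT entry date in the infection window while every $SI/$FN timestamp
    predates it: the trace file-system tunneling leaves on an encrypted file."""
    if not (start <= rec["mft_modified"] <= end):
        return False
    return all(rec[f] < start for f in CONTENT_FIELDS)

def find_encrypted(records, start=INFECTION_START, end=INFECTION_END):
    """Sorted paths matching the analyst's filter (restore these from backup)."""
    return sorted(r["path"] for r in records if looks_encrypted(r, start, end))
```

Files the user genuinely saved during the window carry an in-window $SI modified stamp and drop out of the filter, so the result is a restore list, not proof that nothing else was touched.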

He told Threatpost that he believes the malware uses a technique called File System Tunneling to avoid detection, and that’s what led him to find the encrypted files.

“In NTFS, if you delete a file and then recreate it with the same name in the same folder within 15 seconds, it takes on the attributes of the original files; all the file dates would match up,” he said. “I think that’s what we’re seeing. The only date that won’t change is the NTFS Master File Table date which is the date it was created in the database for NTFS itself. That will change and that’s what I’m seeing and that’s what I used to find these files.”

CryptoLocker, unlike other ransomware, encrypts files and then demands a ransom for the decryption key. It is spreading primarily through phishing campaigns heralding phony Federal Express or UPS tracking notifications. Victims are told they must make payments via MoneyPak or Bitcoin before a 72-hour payment deadline expires and the files are lost forever.

Bug_Bear called the attack straightforward, efficient and effective. He also said backup is a company’s best defense, along with a solid incident response plan.

“The only way I know of to find these files is what I used,” he said. “I’m thankful for other people out there writing these tools because if I didn’t have these tools, [parsing] 10GB of hexadecimal would be quite the chore.”

Categories: Malware

Comments (9)

  1. David

    “followed a link to a site where Cryptolocker awaited”
    So I take it Cryptolocker can be contracted from opening/landing on a bad web page, doesn’t have to come from opening a .exe attachment or file?
  2. Bugbear

    David

    In this attack a malicious Java applet was used. I verified this via timestamps in appdata\local\temp and the related idx file in the Java cache under appdata\locallow.

    Not atypical these days. 99% of compromises I see in my enterprise happen this way. No local admin rights needed, and with the onslaught of Java vulnerabilities as of late, often there is no interaction required.

    If there is a security warning many users will just click through it.
  3. Bugbear

    David

    Most attacks I am seeing, including this one, are links to malicious Java applets. You can often verify this with timestamps that line up with a Java tmp file in %userprofile%\appdata\local\temp and an idx file in the Java cache located in %userprofile%\appdata\locallow (which will contain the URL). With the many vulns in Java these days, a user may or may not be presented with a security warning (newer versions of Java are better at this).

    Tim aka bugbear
  4. Wayne Collier

    The laptops we analyzed which were infected with Cryptolocker had a registry key under HKCU\Software\Cryptolocker with all the files it had encrypted. This listing also included the network shares that were encrypted, as well as the local files.
  5. Bob

    Here is another person’s experience at finding what was encrypted.
    I just went into the log file for Cryptolocker (I think it was in programs etc) and there was a list of everything it had encrypted with file paths etc. No rocket science involved. So I was able to cheerfully tell the customer that YES it did affect “these” files on your network.
  6. daniel

    Everyone can put all data, before encrypting (72 hours), on a DVD or CD. After that it can’t be encrypted. That can’t be possible even if the data have been virused. The time is up.
