CryptoLocker Ransomware Competitor May Have Fatal Flaw

CryptoDefense, a ransomware competitor to CryptoLocker, has an implementation flaw that could allow for recovery of the decryption key from the victim’s computer.

CryptoLocker certainly changed the ransomware game last year when it threatened its victims with the loss of important files if a timely ransom payment was not made. Reportedly, criminal gangs utilizing this dangerous type of ransomware were earning hundreds of thousands of dollars per month.

Naturally seeing the opportunity for financial gain, competitor pieces of malware are popping up and building on what CryptoLocker started.

The latest is a sample spotted by researchers at Bromium Labs that they’ve called CryptoDefense. Unlike CryptoLocker which spread primarily via phishing and spam emails, Bromium experts say CryptoDefense is compromising computers via drive-by downloads.

Victims are being popped by a Java exploit, which then downloads and executes the malware in stages. Eventually, the victim is presented with a message that files on the hard drive have been encrypted and they must pay a ransom by a deadline in order to have them decrypted, or the price goes up. If the ransom demand is ignored, the victim is threatened with permanent destruction of his files.

Bromium’s Vadim Kotov wrote on the company’s website that while CryptoDefense is a competitor to CryptoLocker, there are similarities between the two attacks, including payment methods (Bitcoin), public-key encryption used and that some of the same file extensions are targeted by both.

CryptoDefense, like CryptoLocker, will go after Office, photos and movie files, but it also targets source code files and SSL certificates. It also forces the victim to visit the attacker’s website in order to make ransom payments; CryptoLocker provides its own GUI for this purpose.

Kotov, however, did find an implementation flaw in CryptoDefense that could allow for the decryption key to be found on the victim’s computer. The CryptoLocker key is stored on the attacker’s server, and the same is true for CryptoDefense.

“It’s a bad coding flaw. If you are aware of it, the private key is available on the hard drive,” said Rahul Kashyap, chief security architect at Bromium, who added that the bug will certainly be fixed in newer versions of the malware since it’s been outed. “If the victims are sophisticated folks, and understand technology and encryption, they can get the keys themselves.”

Several experts, meanwhile, figured out clever ways to find and recover the encrypted files targeted by CryptoLocker by using Windows shadow copies and system restore. Kotov said that method won’t work with this attack.

“It makes sure system tools cannot recover the files – the shadow copies are removed and system restore is disabled,” he said.

Bromium has been tracking CryptoDefense since February, Kotov said.

“It appears that by the end of March there were at least 11,000 detections (the real picture might be bigger already) and $34,000 were earned by the gang behind this,” he wrote. “In contrast, CryptoLocker has made millions of dollars already. So clearly, underground gangs are warming up to the idea of crypto-ransomware and we expect similar ransomware to come up.”

CryptoLocker infections began in earnest last fall. Victims have three days to make payments via MoneyPak or Bitcoin, though some victims reported having paid the ransom and not receiving a decryption key as promised, according to a US-CERT advisory last November. Not only are local files encrypted, but CryptoLocker also looks for documents on shared network drives mapped to the victim’s computer, as well as removable media, external hard drives and even some cloud storage services.

Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, said CryptoLocker uses a domain generation algorithm giving the malware up to 1,000 possible domain names from which to connect to its command and control infrastructure. Raiu added that Kaspersky sinkholed three domains and monitored more than 2,700 domains trying to contact those domains during a three-day period last October with most of the victims in the U.S. and Great Britain.

“We think this is going to become a pretty big problem, an underworld race of sorts,” said Kashyap. “CryptoLocker is supposed to have made $27 million, so copycat versions are coming. Criminal gangs see this as a way to make quick money. Now with this enormous currency in Bitcoin that’s being leveraged by the malware, we fear this is going to be a much bigger problem.”

This article was updated at 3:30 p.m. ET with additional comments from Bromium Labs.