Forensics Method Quickly Identifies CryptoLocker Encrypted Files

A researcher may have found the quickest route to learning which files are encrypted in CryptoLocker ransomware infections.

If CryptoLocker is teaching enterprise IT and security people anything, it’s that backup is king.

The ransomware is unforgiving; it will find and encrypt documents on local and shared drives and it will not give them back. Experts don’t advise victims to pay the ransom, which means infected computers must be wiped, and lost files must be recovered from backup.

However, one Boston-area forensics specialist and malware analyst working for a large enterprise may have found a clue as to identifying the files CryptoLocker encrypts, which could mean the difference between restoring terabytes of backup data versus a few gigabytes.

The infection at this particular enterprise happened in October. A user fell victim to a phishing email and followed a link to a site where CryptoLocker awaited. The malware was detected within a couple of hours by the firm’s antivirus, but not before it had encrypted thousands of files on the local drive and drives mapped to the user’s laptop, and presented the user with the now-familiar bitmap image explaining the attacker’s demand for ransom.

The laptop was pulled from the network, wiped and analyzed. That’s when the analyst, who goes by the Twitter handle @Bug_Bear and asked not to be otherwise identified, noticed that the creation and last-modified timestamps recorded in the NTFS Master File Table (MFT) for the encrypted files were unchanged, even though the files themselves had been rewritten. He then compared those results with the Master File Table from the Windows file server, using a pair of tools, analyzeMFT and MFTParser, to go through close to 10GB of Master File Table data.

“Identifying some known encrypted files by the $FN file name, I noted the only date in the MFT record that coincided with the infection was the MFT Entry Date or date the MFT record itself was modified,” he wrote on his Security Braindump blog. “Using this, I filtered out all records that had $SI or $FN time stamps that preceded this.”

Through this method, he was able to identify more than 4,000 files that had been encrypted by CryptoLocker and recover those files from backup.

He told Threatpost that he believes the malware uses a technique called File System Tunneling to avoid detection, and that’s what led him to find the encrypted files.

“In NTFS, if you delete a file and then recreate it with the same name in the same folder within 15 seconds, it takes on the attributes of the original files; all the file dates would match up,” he said. “I think that’s what we’re seeing. The only date that won’t change is the NTFS Master File Table date which is the date it was created in the database for NTFS itself. That will change and that’s what I’m seeing and that’s what I used to find these files.”
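The filter described above, as an added example that is not the analyst's own script: it reads analyzeMFT-style CSV output and keeps only records whose $STANDARD_INFORMATION "MFT entry modified" time falls inside the infection window while every other $SI and $FN timestamp predates the window, which is the tunnelled-rewrite pattern the article describes. Records whose other timestamps also moved during the window (a user's own edits, newly created files such as ransom notes) are set aside rather than flagged. The column names are an assumption about analyzeMFT's CSV layout and should be renamed to match your parser; the sample rows and the 2013-10-15 window are constructed, not incident data.

```python
import csv
import io
from datetime import datetime, timezone

# Column names are an assumption about analyzeMFT-style CSV output; rename
# them to match whatever your MFT parser actually emits.
NAME_COL = "Filename #1"
SI_COLS = ("Std Info Creation date", "Std Info Modification date",
           "Std Info Access date", "Std Info Entry date")
FN_COLS = ("FN Info Creation date", "FN Info Modification date",
           "FN Info Access date", "FN Info Entry date")
ENTRY_COL = SI_COLS[3]  # $STANDARD_INFORMATION "MFT entry modified" time


def parse_ts(value):
    """Parse 'YYYY-MM-DD HH:MM:SS[.ffffff]' as UTC; None if blank or unparseable."""
    value = (value or "").strip()
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None


def classify_records(rows, window_start, window_end):
    """Split MFT rows by what happened to them during the infection window.

    encrypted_candidates: $SI entry-modified time is inside the window but
        every other $SI/$FN timestamp predates it. The rewritten file kept
        the old file's dates (file system tunneling); only the record's own
        change time moved.
    other_activity: the record changed in the window but another timestamp
        moved too (a user edit, or a brand-new file such as a ransom note).
    untouched: entry-modified time outside the window, or unparseable.
    """
    out = {"encrypted_candidates": [], "other_activity": [], "untouched": []}
    for row in rows:
        entry = parse_ts(row.get(ENTRY_COL))
        if entry is None or not (window_start <= entry <= window_end):
            out["untouched"].append(row)
            continue
        others = [parse_ts(row.get(c)) for c in SI_COLS + FN_COLS if c != ENTRY_COL]
        others = [t for t in others if t is not None]
        if others and all(t < window_start for t in others):
            out["encrypted_candidates"].append(row)
        else:
            out["other_activity"].append(row)
    return out


def classify_csv(text, window_start, window_end):
    """Parse CSV text and classify its rows (see classify_records)."""
    return classify_records(list(csv.DictReader(io.StringIO(text))),
                            window_start, window_end)


def candidates_from_csv(text, window_start, window_end):
    """Filenames whose records match the rewrite pattern: the restore list."""
    return [r[NAME_COL] for r in
            classify_csv(text, window_start, window_end)["encrypted_candidates"]]


def _row(name, si, fn):
    return ",".join((name,) + si + fn)


# Constructed sample rows (not real incident data). The assumed infection
# window is 2013-10-15 14:00 to 16:00 UTC.
HEADER = (NAME_COL,) + SI_COLS + FN_COLS
SAMPLE_CSV = "\n".join([
    ",".join(HEADER),
    # report.docx: only the $SI entry-modified time moved -> rewritten in place
    _row("report.docx", ("2012-03-01 09:00:00", "2013-06-10 11:30:00",
                         "2013-06-10 11:30:00", "2013-10-15 14:23:10"),
         ("2012-03-01 09:00:00",) * 4),
    # budget.xlsx: the user saved it during the window; $SI modified moved too
    _row("budget.xlsx", ("2011-01-20 08:15:00", "2013-10-15 15:10:00",
                         "2013-10-15 15:10:00", "2013-10-15 15:10:00"),
         ("2011-01-20 08:15:00",) * 4),
    # DECRYPT_INSTRUCTION.txt: brand-new file, every timestamp in the window
    _row("DECRYPT_INSTRUCTION.txt", ("2013-10-15 14:25:00",) * 4,
         ("2013-10-15 14:25:00",) * 4),
    # archive.zip: untouched; its record last changed long before the window
    _row("archive.zip", ("2010-05-05 10:00:00",) * 4, ("2010-05-05 10:00:00",) * 4),
])

WINDOW = (datetime(2013, 10, 15, 14, 0, tzinfo=timezone.utc),
          datetime(2013, 10, 15, 16, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name in candidates_from_csv(SAMPLE_CSV, *WINDOW):
        print(name)
```

Bound the window tightly (first alert to containment) and review the "other_activity" bucket by hand before finalising the restore list: a file the user legitimately saved during the window will show up there, and a file the malware touched after a user edit in the same window would too.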

CryptoLocker, unlike the earlier ransomware that merely locked the screen, actually encrypts the victim’s files and then demands a ransom for the decryption key. It is spreading primarily through phishing campaigns heralding phony Federal Express or UPS tracking notifications. Victims are told they must make payments via MoneyPak or Bitcoin before a 72-hour payment deadline expires and the files are lost forever.

Bug_Bear called the attack straightforward, efficient and effective. He also said backup is a company’s best defense, along with a solid incident response plan.

“The only way I know of to find these files is what I used,” he said. “I’m thankful for other people out there writing these tools because if I didn’t have these tools, [parsing] 10GB of hexadecimal would be quite the chore.”
