US-CERT Warns CryptoLocker Infections on the Rise

CryptoLocker ransomware infections are gaining traction and victims are at risk of losing important business or personal files to the malware which seeks out documents on a number of network resources and encrypts them.

CryptoLocker is a devious evolution of now-familiar ransomware schemes in which the malware encrypts files it finds on a number of network resources and demands a ransom for the decryption key.

US-CERT issued an advisory today warning businesses and consumers of the risks presented by CryptoLocker, which has been on the radar of security experts since late October. US-CERT said infections are on the rise and urge victims not to pay the ransom, instead report it to the FBI’s Internet Crime Complaint Center.

Victims, meanwhile, have three days to make their payments to the attackers, either via MoneyPak or Bitcoin.

“Some victims have claimed online that they paid the attackers and did not receive the promised decryption key,” the US-CERT advisory said.

CryptoLocker is spreading via a number of phishing campaigns, including some from legitimate businesses, or through phony Federal Express or UPS tracking notifications. Some victims said CryptoLocker has appeared after a separate botnet infection, US-CERT said.

The malware sniffs out files in a number of network resources, including shared network drives, removable media such as USB sticks, external hard drives, network file shares and some cloud storage services.

“If one computer on a network becomes infected, mapped network drives could also become infected,” the US-CERT advisory warns, adding that victims should immediately disconnect their computers from their wired or wireless networks immediately upon seeing the red-screen notice put up by CryptoLocker that provides details on how to recover the encrypted files.

Once the malware latches on to a victim machine, it connects to the attacker’s command server and stores the asymmetric encryption key that would unlock the victim’s files.

Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, said CryptoLocker uses a domain generation algorithm giving the malware up to 1,000 possible domain names from which to connect to its command and control infrastructure. Raiu added that Kaspersky sinkholed three domains and monitored more than 2,700 domains trying to contact those domains during a three-day period in mid-October with most of the victims in the U.S. and Great Britain.

Malware such as CryptoLocker is not without precedent. The GPCode malware used RSA keys for encryption, starting with 660-bit RSA before upgrading to 1024, “putting it perhaps only in the realm of NSA’s cracking power,” Raiu said.

“CryptoLocker uses a solid encryption scheme as well, which so far appears uncrackable,” Raiu added.

Meanwhile, security blog Krebs on Security reported today that the attackers behind CryptoLocker may be softening on their imposed 72-hour payment deadline. Since the attackers require payment through third parties, options that victims may not be familiar with, it could be that the attackers are losing out on some money.

“They decided there’s little sense in not accepting the ransom money a week later if the victim is still willing to pay to get their files back,” Lawrence Abrams of told Krebs. Abrams added that while CERT and some vendors may be advising victims not to pay, some are caving in because they cannot afford to be without their lost files for a significant amount of time.

Suggested articles