
Cryptolocker Infection – a case history

The Trap – a plausible spoof email

In early October 2013, one of my clients, who runs a small company, received an official-looking email purporting to come from Companies House, much like this:

(Screenshot: the spoof Companies House email)

The actual text of the message was this:

This message has been generated in response to the company complaint submitted to Companies House WebFiling service. (CC01) Company Complaint for the above company was accepted on 06/09/2013. The submission number is KA8BS2L6K0C7MN3. Please quote this number in any communications with Companies House. All WebFiled documents are available to view / download for 10 days after their original submission. However it is not possible to view copies of accounts that were downloaded as templates.

Having had recent dealings with Companies House, my client had no reason to suspect anything.

He opened the attached zip file, which didn’t appear to contain anything, so he forgot about it.

Cryptolocker infection

He left his laptop running for several hours and went out. On returning he was greeted with this message:

(Screenshot: the Cryptolocker ransom window)

The text of the warning was this:

Your personal files are encrypted!

Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this. Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet, the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files. To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency.

Click Next to select the method of payment and the currency. Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.

He called me about this, and also reported that his co-workers were having difficulty opening files.

He was sharing a 200 GB Dropbox with his co-workers, and it turned out that not only were his files (photos, videos, Word/Excel documents, Zip files, PDFs etc.) all encrypted on his computer, but the encrypted copies were steadily being uploaded to Dropbox, overwriting the previous good copies of the documents.

Investigation

At first this appeared to be normal “scareware”, where the main effect of the virus is to frighten the user into paying some money. It seemed unlikely that the encrypted files would really be unrecoverable, as in previous cases a computer infected with scareware can quite easily be cleaned and restored to normal.

However it turns out that Cryptolocker is a very different kind of virus:

  • The files were indeed encrypted (in this case 25,000 documents)
  • The encryption could not be broken, so
  • The files could not be decrypted with any available virus recovery tools

Recovery

First, we disconnected the infected machine from the internet, as the encrypted files were being slowly uploaded to Dropbox. My client had noticed that the Dropbox notification icon – which normally showed that it was uploading just a few files – showed that Dropbox was busy uploading 19,000 files.

(Screenshot: Dropbox uploading 19,000 files)

Most of the most valuable files were in Dropbox. With Dropbox you can roll back to previous versions of files, so in theory most of the damage that had been done could be undone.

We purchased a subscription to Dropbox’s “Packrat” feature, which keeps previous versions indefinitely.

With a good chance of recovering everything, I then removed the virus and cleaned the machine using ComboFix and Malwarebytes; cleaning Cryptolocker itself is relatively straightforward. We were not going to need to pay the extortion fee to recover the files.

I consulted the forums on Bleepingcomputer.com where Cryptolocker was being discussed (this was a breaking situation), and to assess the extent of the damage I downloaded the ListCrilock program from bleepingcomputer.com, which lists the files that have been encrypted. It appeared that approximately 25,000 files had been encrypted, and some 6,000 of these had been uploaded to Dropbox.
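To show the kind of triage the ListCrilock step performed, here is an added Python example (not the page’s code and not BleepingComputer’s tool) that walks a folder such as the synced Dropbox directory and flags files whose header no longer matches their extension and whose contents look random, which is what a wholly encrypted document looks like on disk. The header table and the sample files are constructed for the example; on a real incident you would point triage() at the synced folder and feed the resulting list to whoever is restoring previous versions.

```python
import math
import tempfile
from pathlib import Path

# Header bytes for some document types named on the page (constructed table, not exhaustive).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",  # Office Open XML files are zip containers
    ".jpg": b"\xff\xd8\xff",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, ordinary documents well below."""
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(path: Path, sample: int = 4096, threshold: float = 7.5) -> bool:
    """A file whose header no longer matches its extension and whose leading bytes look random."""
    ext = path.suffix.lower()
    if ext not in MAGIC:
        return False  # unknown type: cannot judge from the header alone
    head = path.read_bytes()[:sample]
    if head.startswith(MAGIC[ext]):
        return False  # header intact, so the content was not overwritten
    return shannon_entropy(head) >= threshold

def triage(root: Path) -> list:
    """Walk a tree such as the Dropbox folder; return relative paths that appear encrypted."""
    hits = [str(p.relative_to(root)) for p in root.rglob("*") if p.is_file() and looks_encrypted(p)]
    return sorted(hits)

def build_sample_tree(root: Path) -> None:
    """Constructed test data: one intact PDF, one overwritten-looking docx, one unknown type."""
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"Hello from the accounts team.\n" * 100)
    (root / "invoice.docx").write_bytes(bytes(range(256)) * 16)  # stands in for ciphertext
    (root / "notes.txt").write_bytes(b"plain text, no header to check\n")

def demo() -> list:
    """Build the constructed sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(Path(d))
        return triage(Path(d))

if __name__ == "__main__":
    for hit in demo():
        print("appears encrypted; restore from a previous version:", hit)
```

Files of a type not in the header table are reported as clean because the check cannot judge them, so extend MAGIC for whatever document types the affected share actually holds.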

(Screenshot: Dropbox previous versions)

So at least, when someone encountered an encrypted file, it was possible to log into Dropbox on the web and restore the previous version of the file. However, this is a slow process.

(Screenshot: Shadow Explorer)

As the Dropbox folder was synchronised on two computers, we were able to use Shadow Explorer to recover the contents of Dropbox as it had been the previous day. The recovered Dropbox directory was copied onto the desktop of each PC, so that when users encountered an encrypted file they could easily replace it with a good copy, which would then be uploaded to Dropbox and be available to all users.

Inoculation

As a precaution against further infection, all machines were inoculated using the CryptoPrevent tool.

(Screenshot: CryptoPrevent)
