Cryptolocker copycat ransomware emerges – but an antidote is possible

  • 13 December 2013

Userlevel 7
Badge +54
Hot on the tail of devilish Cryptolocker comes a copycat software nasty that holds victims' files to ransom – but the newcomer's encryption is potentially breakable, we're told.

Security startup IntelCrawler claims a "large-scale distribution" of the new so-called Locker malware began earlier this month.

Locker, once it has infected a PC, copies and encrypts a victim's documents, adding a ".perfect" extension, and then deletes the original data. The trojan also places a contact.txt file in each directory containing contact details of the malware author – usually a throwaway mobile phone number or an email address.

Victims are warned that if they harass or threaten the extortionist, the decryption key to unlock the files will be deleted, revealing the mindset of the scumbags behind the scam.

IntelCrawler contacted a crook listed in the contact file, and was told someone would have to pay up $150 to a Perfect Money or QIWI VISA Virtual Card number to receive the decryption key needed to restore the information on a Locker-infected machine.

In order to decrypt, you need to provide an identifying code written in the “contact.txt” file, as well as the hostname of the compromised computer.
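The post above gives three file-system indicators of a Locker infection: encrypted copies carrying a ".perfect" extension, the original files deleted afterwards, and a contact.txt note in every affected directory. The following scanner is an added example (not code from the article, IntelCrawler or this forum) that walks a directory tree and reports those indicators so a responder can see which directories were hit and which originals are already gone. The sample tree it builds is constructed here for illustration only.

```python
"""Scan a directory tree for the Locker indicators named in the post:
'.perfect' encrypted copies, deleted originals, and a contact.txt note.
Added example, not part of the original article; sample data is constructed."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".perfect"   # extension the post says Locker appends
RANSOM_NOTE = "contact.txt"  # note the post says Locker drops in each directory


def scan_for_locker_indicators(root):
    """Walk `root` and summarise Locker-style indicators.

    Returns a dict with:
      encrypted_files   - paths (relative to root) ending in ENCRYPTED_EXT
      originals_missing - those whose pre-encryption name is gone (Locker
                          deletes the original after encrypting the copy)
      note_dirs         - directories containing RANSOM_NOTE
      hit_dirs          - directories with BOTH a note and encrypted files
    """
    root = Path(root)
    encrypted, missing, note_dirs, hit_dirs = [], [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        rel_dir = str(here.relative_to(root))
        names = set(filenames)
        enc_here = [n for n in filenames if n.endswith(ENCRYPTED_EXT)]
        for n in enc_here:
            rel = str((here / n).relative_to(root))
            encrypted.append(rel)
            original = n[: -len(ENCRYPTED_EXT)]   # strip ".perfect"
            if original and original not in names:
                missing.append(rel)
        if RANSOM_NOTE in names:
            note_dirs.append(rel_dir)
            if enc_here:
                hit_dirs.append(rel_dir)
    return {
        "encrypted_files": sorted(encrypted),
        "originals_missing": sorted(missing),
        "note_dirs": sorted(note_dirs),
        "hit_dirs": sorted(hit_dirs),
    }


def build_sample_tree():
    """Constructed (fake) tree: two hit directories and one untouched one.
    In 'photos' the original was not deleted yet; in 'docs' it was."""
    root = Path(tempfile.mkdtemp(prefix="locker_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.perfect").write_bytes(b"\x00ciphertext\x00")
    (root / "docs" / "budget.xlsx.perfect").write_bytes(b"\x00ciphertext\x00")
    (root / "docs" / RANSOM_NOTE).write_text("CONSTRUCTED NOTE: contact placeholder")
    (root / "photos").mkdir()
    (root / "photos" / "trip.jpg.perfect").write_bytes(b"\x00ciphertext\x00")
    (root / "photos" / "trip.jpg").write_bytes(b"original not yet deleted")
    (root / "photos" / RANSOM_NOTE).write_text("CONSTRUCTED NOTE: contact placeholder")
    (root / "clean").mkdir()
    (root / "clean" / "notes.txt").write_text("untouched")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for key, value in scan_for_locker_indicators(sample).items():
        print(f"{key}: {value}")
```

The originals_missing list is the useful triage output: those files can only come back from a backup or the extortionist's key, whereas an encrypted copy whose original still exists is recoverable by simply deleting the copy.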
 

27 replies

Userlevel 2
Best defense is to have a backup plan. EVERY computer should be backed up daily or weekly. Use an external hard drive. Windows 7 & 8 have a great backup and disk imaging built in. You can also use a 3rd party backup and imaging tool such as Easeus Todo or Macrium Reflect. Both have free versions. Shadow Explorer can also get your encrypted files back.
Userlevel 3
Yes to backups! But make sure after each backup you detach your external, as it will jump to any mapped drive.
Userlevel 7
Badge +56
I agree to back up files and such, but if we had a poll in this Community I would think 99% of the users don't do it. I haven't found a good imaging software that doesn't mess up my SSDs, but that was a few years ago and I haven't tried any since. I do back up important files weekly, which is ideal for me, and if need be I do a clean install of the OS when required.
 
TH
Userlevel 2
There are tons of great free imaging software that work perfectly. Yes, most people do not back up their PC. Here is a list of free imaging programs:
 
1. Windows Backup & Recovery
2. Macrium Reflect
3. Paragon
4. Aomei
5. Easeus Todo (My choice) 
 
One thing to keep in mind is that you MUST make a recovery CD with each one of these. When your PC will not boot due to malware or an OS error you can boot off the CD and mount your stored image.
Userlevel 7
Hi Daniel
 
I use AX Time Machine (www.ax64.com).  I am sure that you have seen the thread over at Wilders.  It is undergoing some changes due to a merger with RealCopy...but I have ditched ATI in favour of this and so far it has not let me down.  It is simple & easy to use...you can do both 'cold', i.e., full from outside Windows, & 'hot', i.e., incrementals from inside Windows, restores, so in fact it acts as both a basic imager AND a rollback app.
 
If you have not yet checked it out then I would heartily recommend it (plus the developer, Isso, offers absolutely first rate support both via his web site and the Wilders thread).
 
Hope that is of use?
 
Regards
 
 
Baldrick
Userlevel 2
Why spend $40 when I listed 5 FREE backup/imaging tools, including Windows itself? Kinda like paying for a defragger.
Userlevel 7
With respect, based on that attitude, there would only be freeware and no paid software around.  The reason I have suggested it is because the app IMHO is better than the freeware, and worth the money asked for by the developer.
 
Also, none of the apps listed previously do what this one does...which as I said, is more than just plain imaging; it also does rollback, and I offered it up as an alternative.  I am not pushing it...in the same way that I do not push WSA. 😉
Userlevel 7
Admittedly there is a lot of decent freeware out there, but as Baldrick pointed out very often the paid versions have additional or enhanced features that can make the expense more than worth it.  The choice is up to the individual consumer, and which featureset will meet the specific needs.
Userlevel 2
Very true. But everything I listed can do anything a paid imaging software can do. Aomei is a FULL featured free imaging tool with a PE recovery. Easeus Todo Free just lacks differential and a PE recovery. This is a great web site to visit. I use Easeus Todo Backup Home which I got for FREE on Give-away-of-the-day. The notion that free software is inferior to paid software is absurd.
 
http://www.techsupportalert.com/
 
Also keep in mind that free does not mean inferior. That's like saying avast Free or AVG Free have an inferior detection rate when compared to their paid counterparts. This is untrue. Lacking certain features, yes. I believe in always telling people about free software. Just like using LibreOffice over Microsoft Office. Why spend $300 on Office when Libre is free? I like to present my customers with free alternatives to everything. Money is tight for everyone nowadays, including myself. WSA is the only software I have purchased and it is well worth it. If Webroot offered a free version I would be using that instead. Thanks and have a great day.
Userlevel 7
Hi GTR707
 
Everything that you say is true and I, like many others, frequent Gizmo's web site (and have done for years ;)), and I also use free software (with the odd donation here and there, usually when requested).  But as David said, I personally believe that there is a balance to be struck (which will be different for each individual) in terms of functionality and cost...and that will heavily depend re. the latter on what one is looking for and re. the former on how much one is willing/prepared to pay...in other words what value the user places on the app/functionality.
 
Also, software developers (and here I am referring to the small, independent developers, of course) have to eat/live/feed families, etc., so I am not one to say 'free is best' always...so sometimes I will be perfectly happy with the free version/not need the additional functionality of the paid version...but buy it anyway...just to reward the developer for their efforts, etc...but as I said before...this is personal choice.
 
But as I said to start with...everything you say is true.  Have a great weekend yourself. :D
 
Regards
 
 
Baldrick
Userlevel 7
Having your system backed up is important, but you also need versioning in your backup.
 
That way, in case a system gets infected with something like Cryptolocker and its files get encrypted, there will be a known last-good version to go back to in case the backup system has started to back up the encrypted files.
Userlevel 2
That's why you do differential and incremental backups. When one gets hit with the CryptoLocker ransomware it makes one's PC unusable anyway. That's why you need a good, clean disk image and a recovery CD. If I got the CryptoLocker ransomware all I would do is boot off my Easeus Recovery CD, mount my stored image, and within an hour I am back up and running like nothing ever happened. Woo Hoo!
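The two posts above make the same point from different angles: a backup is only a defence against file-encrypting malware if it keeps more than one version, so that a snapshot taken after the encryption does not replace the last good one. The following is an added example (not the thread's code and not any of the products named in it) that implements that idea with plain directory copies: every backup run creates a new numbered snapshot, and the restore step walks back from the newest snapshot until it finds one that carries no ".perfect" files or contact.txt note (the indicators from the article). The "encryption" in the demo is simulated by renaming and is constructed for illustration.

```python
"""Versioned backups with a 'last known-good' lookup.  Added example, not
from the thread; snapshots are numbered directories, never overwritten."""
import shutil
import tempfile
from pathlib import Path

SUSPECT_SUFFIX = ".perfect"   # extension from the article
RANSOM_NOTE = "contact.txt"   # note file from the article


def take_snapshot(source, backup_root):
    """Copy `source` into a new numbered snapshot directory.  Older snapshots
    are kept untouched, which is the whole point of versioning."""
    backup_root = Path(backup_root)
    backup_root.mkdir(parents=True, exist_ok=True)
    existing = [p for p in backup_root.iterdir() if p.is_dir()]
    dest = backup_root / f"snap-{len(existing) + 1:04d}"
    shutil.copytree(source, dest)
    return dest


def snapshot_looks_encrypted(snapshot):
    """Heuristic from the article's indicators: any suspect-extension file or
    ransom note means this snapshot is not a safe restore point."""
    for p in Path(snapshot).rglob("*"):
        if p.is_file() and (p.name.endswith(SUSPECT_SUFFIX) or p.name == RANSOM_NOTE):
            return True
    return False


def last_known_good(backup_root):
    """Newest snapshot that passes the heuristic, or None if every one fails."""
    snaps = sorted(p for p in Path(backup_root).iterdir() if p.is_dir())
    for snap in reversed(snaps):
        if not snapshot_looks_encrypted(snap):
            return snap
    return None


def restore(snapshot, target):
    """Replace `target` with the contents of `snapshot`."""
    target = Path(target)
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snapshot, target)
    return target


def demo():
    """Constructed scenario: two clean backups, then an infection, then a
    third backup that a non-versioning scheme would have overwritten with."""
    work = Path(tempfile.mkdtemp(prefix="versioned_backup_"))
    src = work / "documents"
    src.mkdir()
    (src / "thesis.docx").write_text("draft 1")
    backups = work / "backups"
    take_snapshot(src, backups)                 # snap-0001: clean
    (src / "thesis.docx").write_text("draft 2")
    take_snapshot(src, backups)                 # snap-0002: clean, newer
    # Simulated Locker behaviour: encrypted copy, original deleted, note dropped
    (src / "thesis.docx.perfect").write_bytes(b"\x00ciphertext\x00")
    (src / "thesis.docx").unlink()
    (src / RANSOM_NOTE).write_text("CONSTRUCTED NOTE: contact placeholder")
    take_snapshot(src, backups)                 # snap-0003: backs up the damage
    good = last_known_good(backups)
    restored = restore(good, work / "restored")
    return good.name, (restored / "thesis.docx").read_text()


if __name__ == "__main__":
    print(demo())
```

With a single overwritten backup the only copy left after the third run would be the encrypted one; with versioning the restore lands on snap-0002 and the latest clean draft comes back. A real scheme would of course use a proper imaging tool and offline media, as the posts say, but the selection logic is the same.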
Userlevel 7
Badge +56
Also note Webroot SecureAnywhere can revert unknown variants of Cryptolocker just by contacting the Support Inbox channel, as said before by some of the Webroot Threat Researchers. Also I said that 99% of the users don't even do important file backups, never mind images, and some also take that some PC manufacturers have a partition to restore their system but would be locked out from seeing it to be able to restore to the pre-infection state, but WSA can. And this thread got way off topic long ago.
 
And also confirmed by Joe & Roy.
 
https://community.webroot.com/t5/Security-Industry-News/How-To-Avoid-CryptoLocker-Ransomware/m-p/64147#M2475
 
https://community.webroot.com/t5/Security-Industry-News/How-To-Avoid-CryptoLocker-Ransomware/m-p/66229#M2439
 
TH
Userlevel 2
No one is getting off topic. If you Google "prevent cryptolocker" 90% of what you will find is all about backing up. Just about every new PC comes with a hidden recovery partition. That partition can be accessed upon bootup, usually by tapping F11 or some other key. The hidden recovery will definitely remove the CryptoLocker ransomware. But at the same time ANY of the user's files and programs they added since the PC was new will be gone. A hidden recovery brings your PC back to the state it was in when you first turned it on when it was new. But it does not save anything you added on. That's why you need to back up, which no one does anyway till it's too late.
Userlevel 7
Hi GTR707
 
I think that if you bother to take a look at post 1 and the context in which it was posted you will see where TripleHelix is coming from...the post was informational given that this is the Security Industry NEWS forum, and posts here are generally related to the dissemination of information...not that some light debate on the topic is not welcome occasionally.
 
In terms of a final comment from me...I understand your stance...imaging/backups are best.  I do not disagree that they are a KEY part of a defensive strategy against malware...but so is WSA and the journalling functionality that it provides once it spots an unknown program that could be malware, and then the rollback functionality that engages once the program is determined to be malevolent (as explained in an earlier post...for your benefit).  And the benefit of the WSA approach is that it covers users who are not as learned as you, i.e., do not image/backup regularly, because they do not know any better or how.
 
The aim at this forum is to give a balanced, informed view rather than banging a drum.  Anyway, each to their own.
 
Regards
 
 
Baldrick
Userlevel 7
Badge +56
Do you understand what the subject line says? "Cryptolocker copycat ransomware emerges – but an antidote is possible" and it got way off topic as Back up is continuing to be said and resaid. Do you get the point? This is the "Webroot SecureAnywhere Support Forum" and as I said, WSA will revert this infection like any other, and you continue to argue whenever I say anything, which you are "Killing the Mood" & "Buzz Kill". See Community Guidelines again Please: https://community.webroot.com/t5/Community-Announcements/Webroot-Community-Guidelines/td-p/2#.Uq3yybRlfK0
 
TH
Userlevel 2
Nowhere did I doubt WSA's capability vs. CryptoLocker. But if none of you have seen this ransomware in person then you would not know what it can do. Just about all ransomware takes over your PC as soon as you boot up and/or log in. So if the person cannot even use their PC and/or log in, how can WSA and/or any other antivirus help? It cannot. No antivirus can protect you against everything out there. Malware changes by the hour. So when your PC becomes unusable due to a ransomware infection a good, clean disk image is the best alternative. I love WSA and just had my cousin purchase a 5 user license and remove Norton.
Userlevel 7
Badge +56
I give up, you're too argumentative, you don't listen to what anyone says to you!
 
I will leave this thread.
 
Daniel 😠
Userlevel 7
Everybody take a deep breath! It's all right.

Summary of this thread, which we all agree on:
Cryptolocker: Bad
Backup: Good
Webroot: Great
Userlevel 3
And actually WSA can run with ransomware on your computer, it's called Safe Mode with Command Prompt: activate your network drivers and then turn on Webroot, done story.

I couldn't hold it in anymore, and let's all agree ANY backup is good, the users just have to use them.

sorry for putting in my two cents about it when the post has already went bad, I just couldn't hold my tongue.
Userlevel 2
Most ransomware disables safe mode so it's not that easy.
Userlevel 7
I disagree, most ransomware don't disable Safe Mode; most will still run in safe mode, usually Safe Mode with Command Prompt is the way around them.
Userlevel 7
@ wrote:
I disagree, most ransomware don't disable Safe Mode; most will still run in safe mode, usually Safe Mode with Command Prompt is the way around them.
@  In the event Safe Mode is disabled, don't I recall that Webroot Support has registry fixes available to re-enable it?
Userlevel 7
Yes we have the fixes and they are easy to run just double click 🙂
Userlevel 2
What about a way to get past it WITHOUT having to call tech support? Some people do not wanna spend hours on the phone. Bitdefender gives you the option to tap F11 upon bootup which enables their Linux rescue system. Panda gives you a similar option once enabled. I just wish every reply did not consist of calling tech support. Cause when customers call me with a question about WSA I wanna be able to help them instead of making them make another phone call to Webroot. Hours on the phone is more time consuming and irritating for most.
