
CryptoLocker Malware: What you still need to know

  • 21 November 2013
  • 15 replies
  • Retired Webrooter

What is CryptoLocker?

CryptoLocker is most often spread through booby-trapped email attachments, typically a ZIP archive containing an executable disguised as a PDF or other document. Once running, it contacts its command-and-control server, obtains an RSA-2048 public key generated for that victim, and encrypts the user's documents so that only the holder of the matching private key can recover them. The malware can also be deployed by compromised and malicious web sites that exploit outdated browser plugins.
 

Webroot's Threat Brief on CryptoLocker

 

Can Webroot Protect Customers Against It?

 
Encrypting ransomware (CryptoLocker, CTB-Locker/Critroni, CryptoWall, etc.) is a very difficult infection to remediate because it uses public-key cryptography: a unique RSA key pair is generated for each infected computer, the files themselves are encrypted with a symmetric cipher (AES in CryptoLocker's case), and each symmetric key is in turn encrypted with that computer's RSA public key. Once a user's files are encrypted this way, it is next to impossible to decrypt them without access to the private key, which is stored only on the remote servers in use by the malware author(s). At the time of writing there are no tools capable of decrypting these files without the private key.
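As an added illustration (not code from this post or from Webroot), the Go program below reproduces the key handling described above: a per-victim RSA-2048 key pair whose private half stays on the attacker's server, a random AES-256-GCM key per file wrapped with the victim's public key, and a recovery step that succeeds only with the matching private key. The function names, the choice of RSA-OAEP and AES-GCM, and the sample plaintext are assumptions made for the example; it works on in-memory byte strings, not on files on disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewVictimKeyPair stands in for the attacker's server generating a fresh
// RSA-2048 pair for one infected machine. Only the public half is ever
// handed to the victim-side code below. (Example code, not the malware's.)
func NewVictimKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptedFile is everything that remains once one file has been processed:
// the body under a random per-file AES-256-GCM key, plus that key wrapped
// with the victim's RSA public key (RSA-OAEP). None of it recovers the key.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptFile is the victim-side step. It needs only the public key, which
// is why the encryption can continue with no further server contact.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // fresh AES-256 key per file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptFile is the only path back to the plaintext. It requires the
// private key, which in the real campaign never left the attacker's server.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := NewVictimKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample content; a real victim would have real documents here.
	ef, err := EncryptFile(&priv.PublicKey, []byte("constructed sample document"))
	if err != nil {
		panic(err)
	}
	// Another victim's private key does not help: the wrapped key fails to open.
	other, _ := NewVictimKeyPair()
	if _, err := DecryptFile(other, ef); err != nil {
		fmt.Println("other victim's key:", err)
	}
	pt, err := DecryptFile(priv, ef)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with the right private key: %s\n", pt)
}
```

The point to take from it is the asymmetry: everything the infected machine ever held (the public key, the wrapped file keys, the ciphertext) is useless for recovery, which is why backups, not decryption, are the realistic recovery path.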

As long as SecureAnywhere is installed prior to infection, encrypting ransomware should be detected and removed before it is allowed to make any changes on the computer. Threat Research has many rules in place already to detect the known variants of CryptoLocker at or before execution, but it is important to remember that malware is constantly changing and we cannot guarantee that we will initially detect every new variant.
 
For best practices on securing your environment from encrypting ransomware please see our community post:
https://community.webroot.com/t5/Webroot-Education/Best-practices-for-securing-your-environment-against/ta-p/191172
 
 
 

Read more about CryptoLocker in these posts on the Webroot Community:

Additional Conversations About CryptoLocker:
  • CryptoLocker malware targeting the UK - comment from Webroot
  • NCA warns UK of mass CryptoLocker ransomware attacks - comment from Webroot


15 replies

Userlevel 3
I do have one update I am trying to post everywhere possible: CryptoLocker has been putting .exe and .inf files onto any USB HDD, CDs, and flash drives (not SD cards so far), making it look as if those are not infected in any way, and even hiding those. This is a danger that definitely needs to be taken care of, because once that media gets put into another computer it will download a different public key and use a different private key. This means it will make you pay double. I think Webroot needs to try and override Windows from scanning hardware before it does, as it will happen before Webroot catches it, and I'd rather not have to rely on the journaling only for protection in that instance.
Userlevel 2
Imagine this scenario:

We have 2 machines: a Windows Server with Webroot running and a Windows client with Webroot running.

The client gets infected by CryptoLocker 2.0, which then will encrypt files that are on the shared folder of the Windows Server mapped as drive X: on the client.

As Joe Jaroch, Webroot VP of Engineering, said above:
"WSA currently doesn't reverse the changes on a network drive because of the risk with data loss if another user changed a file. The best scenario would be to install WSA everywhere, including the system hosting the network drive if possible. Even if gigabytes of data are encrypted, WSA will continue happily journaling it." - Joe Jaroch, Webroot VP of Engineering

We know that CryptoLocker 2.0 is not going to infect the Windows Server machine, so CryptoLocker will stay running on the client only. But running on the client it will encrypt files on the mapped drive.

So what is the meaning of installing Webroot on the Windows file server in this scenario? Will that be able to roll back encryption of the files changed by a CryptoLocker running on another machine?

Kind regards,
Gyozo

Webroot Ambassador & Community Guide
Userlevel 3
It would still have to run a service to encrypt it, so I'd assume so... But I honestly would not like to try.

How does Webroot save us from CryptoLocker malware?
Userlevel 7
Watch the video I posted here: https://community.webroot.com/t5/Introduce-yourself-to-the/cloud-computing/m-p/85695#M2238 Also, they keep updating the client to protect generically: https://community.webroot.com/t5/Release-Notes/PC-Release-Notes-8-0-4-61/td-p/83417#.UxIy4oVnCSo

So you are well protected. There is one more video, but you would have to join BrightTalk to watch it; it's by Grayson Milbourne, Director, Security Intelligence, Webroot: "CryptoLocker: Your Money or Your Life" (https://www.brighttalk.com/webcast/8241/95617)

Cheers,

Daniel ;)
Userlevel 6
Regarding GyozoK's comment: I also thought about this topic. Would Webroot be able to roll back a CryptoLocker infection on a server caused by a client? I would say no, because for the server it's just normal rw-access to its network share and I don't think that Webroot would track such actions. Otherwise every changed file would be journaled.

I'm rather relying on a good backup plan/solution to recover from a CryptoLocker infection, which should already be in place regardless of CryptoLocker.
Userlevel 7
I could well be wrong, but I believe the rollback will only work on computers that have WSA installed. If the server also has WSA installed (a server running a version of Windows compatible with WSA), then it should be covered.

If the server does NOT have WSA installed, then I do not believe the rollback could work.

I am far from being highly knowledgeable in this area and I hope to see additional responses from Webroot.
Userlevel 6
Well, if I ran CryptoLocker on a secured server, Webroot would journal everything and I could roll back. But as the client causes the CryptoLocker infection, the Webroot installation on the server wouldn't recognize it, as there's no executable, process or service on the server which could be monitored; it's just a "normal" rw-action.
Userlevel 7
Well... you have me. I am admittedly learning the Endpoint... Let me 'ping' an Endpoint expert and see if he is able to provide a more expert opinion on this. @Explanoit, are you able to help with this?
Userlevel 7
I asked the folks here and that isn't a situation we'd be able to journal, even with Cryptolocker installed on the server. Since it is a file server, there are many different clients accessing and altering the files, so it wouldn't be practical to journal all those individual changes, especially since the processes doing them live on the clients. Best bet is good backups, and make sure all your machines have Endpoint installed to catch CryptoLocker before it gets started.
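An added example, not Webroot's code or a feature of SecureAnywhere: since the file server sees the encryption only as ordinary writes arriving over SMB, the one thing it can still do is count them. The Go program below runs a burst heuristic over Windows "Detailed File Share" audit records (Event ID 5145; the Audit Detailed File Share subcategory has to be enabled for these to exist) and flags any client address that wrote to many distinct files within a short window. The log lines, their pipe-separated layout, the threshold and the window are constructed for the example; in production the records would be read from the Security event log.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// ShareAccess is the subset of fields from a Windows "Detailed File Share"
// audit record (Event ID 5145) that the heuristic needs. The server sees only
// these accesses; it never sees the process on the client that issued them.
type ShareAccess struct {
	Time       time.Time
	SourceAddr string // client that opened the SMB session
	Account    string // account the client authenticated as
	Share      string
	Target     string // path relative to the share root
	AccessMask uint64 // 0x2 = WriteData/AddFile, 0x1 = ReadData
}

// Alert names one client whose write pattern looks like bulk encryption.
type Alert struct {
	SourceAddr    string
	Account       string
	DistinctFiles int // peak number of distinct files written inside one window
}

// SampleAuditLog is a constructed excerpt, not real telemetry:
// timestamp|source address|account|share|relative target|access mask.
const SampleAuditLog = `
2013-11-21T09:00:00Z|10.0.0.42|ACME\alice|\\*\Finance|Q3\budget.xlsx|0x2
2013-11-21T09:00:02Z|10.0.0.42|ACME\alice|\\*\Finance|Q3\forecast.xlsx|0x2
2013-11-21T09:00:03Z|10.0.0.42|ACME\alice|\\*\Finance|Q3\payroll.docx|0x2
2013-11-21T09:00:05Z|10.0.0.42|ACME\alice|\\*\Finance|Q3\invoices\inv-1001.pdf|0x2
2013-11-21T09:00:05Z|10.0.0.42|ACME\alice|\\*\Finance|Q3\invoices\inv-1002.pdf|0x2
2013-11-21T09:00:07Z|10.0.0.42|ACME\alice|\\*\Finance|Q3\invoices\inv-1003.pdf|0x2
2013-11-21T09:00:09Z|10.0.0.42|ACME\alice|\\*\Finance|Q3\notes.txt|0x2
2013-11-21T09:00:12Z|10.0.0.42|ACME\alice|\\*\Finance|Q4\plan.pptx|0x2
2013-11-21T09:00:13Z|10.0.0.42|ACME\alice|\\*\Finance|Q4\plan.pptx|0x1
2013-11-21T09:01:30Z|10.0.0.7|ACME\bob|\\*\Finance|Q3\budget.xlsx|0x1
2013-11-21T09:02:10Z|10.0.0.7|ACME\bob|\\*\Finance|Q3\minutes.docx|0x2
2013-11-21T09:09:40Z|10.0.0.7|ACME\bob|\\*\Finance|Q3\minutes.docx|0x2
`

const writeData = 0x2 // FILE_WRITE_DATA / FILE_ADD_FILE bit of the access mask

// ParseAuditLog turns the pipe-separated excerpt into records.
func ParseAuditLog(raw string) ([]ShareAccess, error) {
	var out []ShareAccess
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(line, "|")
		if len(f) != 6 {
			return nil, fmt.Errorf("malformed record: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		mask, err := strconv.ParseUint(strings.TrimPrefix(f[5], "0x"), 16, 64)
		if err != nil {
			return nil, err
		}
		out = append(out, ShareAccess{ts, f[1], f[2], f[3], f[4], mask})
	}
	return out, nil
}

// DetectBurstWriters flags every client address that wrote to at least
// threshold distinct files within any sliding window of the given length.
// Reads are ignored; repeated writes to the same file count once.
func DetectBurstWriters(events []ShareAccess, window time.Duration, threshold int) []Alert {
	bySource := map[string][]ShareAccess{}
	for _, e := range events {
		if e.AccessMask&writeData != 0 {
			bySource[e.SourceAddr] = append(bySource[e.SourceAddr], e)
		}
	}
	sources := make([]string, 0, len(bySource))
	for s := range bySource {
		sources = append(sources, s)
	}
	sort.Strings(sources) // deterministic alert order

	var alerts []Alert
	for _, src := range sources {
		evs := bySource[src]
		sort.SliceStable(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		inWindow := map[string]int{} // target -> writes currently inside the window
		peak, start := 0, 0
		for end := range evs {
			inWindow[evs[end].Target]++
			for evs[end].Time.Sub(evs[start].Time) > window { // slide the left edge
				inWindow[evs[start].Target]--
				if inWindow[evs[start].Target] == 0 {
					delete(inWindow, evs[start].Target)
				}
				start++
			}
			if len(inWindow) > peak {
				peak = len(inWindow)
			}
		}
		if peak >= threshold {
			alerts = append(alerts, Alert{src, evs[0].Account, peak})
		}
	}
	return alerts
}

func main() {
	events, err := ParseAuditLog(SampleAuditLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectBurstWriters(events, 60*time.Second, 5) {
		fmt.Printf("ALERT %s (%s): %d distinct files written within 60s\n",
			a.SourceAddr, a.Account, a.DistinctFiles)
	}
}
```

Tune the threshold to the share's normal write rate. A client that crosses it is a candidate for having its SMB session closed or its account disabled while someone checks the endpoint; if the alert is real, the files it touched still come back only from backup.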
Userlevel 7
Thanks Nic!
Userlevel 7
And this video does answer some of your questions, but you have to join to watch it: https://www.brighttalk.com/webcast/8241/95617

Daniel
Userlevel 6
Thanks for the clarification Nic!
Userlevel 7
The following is an update on CryptoLocker malware.

By Ian Barker, posted June 12 2014

Summary:

It's not really surprising then that the bad guys are seeking to exploit these fears. Security company BullGuard (http://www.bullguard.com/) has uncovered a major new spam campaign supposedly offering CryptoLocker decryption keys.

The email urges users to download a tool that it claims can unlock any files encrypted with CryptoLocker. Of course that isn't what you get. If you download the tool it installs a registry scanner which, naturally, tells you there are lots of problems with your PC which can only be solved by purchasing the spammers' offering.

BetaNews, full read here: http://betanews.com/2014/06/12/hackers-try-to-exploit-fear-of-cryptolocker-with-spam-campaign/