Cryptolocker Ransomware Prevention


If you are a CryptoLocker Victim, you may recover your files for free!

Please click here to learn more.

Table of Contents

  1. What is CryptoLocker
  2. What should you do when you discover your computer is infected with CryptoLocker
  3. Is it possible to decrypt files encrypted by CryptoLocker?
  4. Will paying the ransom actually decrypt your files?
  5. Known Bitcoin Payment addresses for CryptoLocker
  6. CryptoLocker and Network Shares
  7. What to do if your anti-virus software deleted the infection files and you want to pay the ransom!
  8. How to increase the time you have to pay the ransom
  9. Is there a way to contact the virus author?
  10. How to restore files encrypted by CryptoLocker using Shadow Volume Copies
  11. How do you become infected with CryptoLocker
  12. How to generate a list of files that have been encrypted
  13. How to determine which computer is infected with CryptoLocker on a network
  14. How to prevent your computer from becoming infected by CryptoLocker
  15. How to allow specific applications to run when using Software Restriction Policies
  16. How to be notified by email when a Software Restriction Policy is triggered

 

What is CryptoLocker

 

CryptoLocker is a ransomware program that was released around the beginning of September 2013. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 96 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

 

 

CryptoLocker payment screen

 

 

When you first become infected with CryptoLocker, it will save itself as a random named filename to the root of the %AppData% or %LocalAppData% path. It will then create one of the following autostart entries in the registry to start CryptoLocker when you login:

KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “CryptoLocker”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “*CryptoLocker”
KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “CryptoLocker_<version_number>”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “*CryptoLocker_<version_number”

Please note that the * in front of the RunOnce value causes CryptoLocker to start in Safe Mode.

The infection will then attempt to find a live Command & Control server by connecting to domains generated by a Domain Generation Algorithm . Some examples of domain names that the DGA will generate are lcxgidtthdjje.org, kdavymybmdrew.biz, dhlfdoukwrhjc.co.uk, and xodeaxjmnxvpv.ru. Once a live C&C server is discovered it will communicate with it and receive a public encryption key that will be used to encrypt your data files. It will then store this key along with other information in values under the registry key under HKEY_CURRENT_USER\Software\CryptoLocker . Unfortunately, the private key that is used to decrypt the infected files is not saved on the computer but rather the Command & Control server.

CryptoLocker will then begin to scan all physical or mapped network drives on your computer for files with the following extensions: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c. When it finds a files that matches one of these types,it will encrypt the file using the public encryption key and add the full path to the file and the filename as a value under the HKEY_CURRENT_USER\Software\CryptoLocker\Files Registry key.

When it has finished encrypting your data files it will then show the CryptoLocker screen as shown above and demand a ransom of either $100 or $300 dollars in order to decrypt your files. This ransom must be paid using Bitcoin or MoneyPak vouchers. It also states that you must pay this ransom within 96 hours or the private encryption key will be destroyed on the developer’s servers.

Warning: If you enter an incorrect payment code, it will decrease the amount of time you have available to decrypt your files. So if you plan on paying the ransom, please be careful as you type the code.

More technical details about this infection can be at this blog post by Emsisoft.

 

What should you do when you discover your computer is infected with CryptoLocker

 

When you discover that a computer is infected with CryptoLocker, the first thing you should do is disconnect it from your wireless or wired network. This will prevent it from further encrypting any files. Some people have reported that once the network connection is disconnected, it will display the CryptoLocker screen.

It is not advised that you remove the infection from the %AppData% folder until you decide if you want to pay the ransom. If you do not need to pay the ransom, simply delete the Registry values and files and the program will not load anymore. You can then restore your data via other methods.

It is important to note that the CryptoLocker infection spawns two processes of itself. If you only terminate one process, the other process will automatically launch the second one again. Instead use a program like Process Explorer and right click on the first process and select Kill Tree . This will terminate both at the same time.

 

Is it possible to decrypt files encrypted by CryptoLocker?

 

Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files. Brute forcing the decryption key is not realistic due to the length of time required to break the key. Also any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup or Shadow Volume Copies if have System Restore enabled. More information about how to restore your files via Shadow Volume Copies can be found in this section below.

If you do not have System Restore enabled on your computer or reliable backups, then you will need to pay the ransom in order to get your files back.

Will paying the ransom actually decrypt your files?

 

Paying the ransom will start the decryption process of the CryptoLocker infection. When you pay the ransom you will be shown a screen stating that your payment is being verified. Reports from people who have paid this ransom state that this verification process can take 3-4 hours to complete. Once the payment has been verified, the infection will start decrypting your files. Once again, it has been reported that the decryption process can take quite a bit of time.

Be warned, that there have been some reports that the decryption process may give an error stating that it can’t decrypt a particular file. At this point we have no information as how to resolve this. Visitors have reported that the infection will continue to decrypt the rest of the files even if it has a problem with certain files.

Known Bitcoin Payment addresses for CryptoLocker

 

CryptoLocker allows you to pay the ransom by sending 2 bitcoins to an address shown in the decryption program. Bitcoins are currently worth over $200 USD on some bitcoins exchanges. Earlier variants of CryptoLocker included static bitcoin addresses for everyone who was infected. These static addresses include:

https://blockchain.info/address/18iEz617DoDp8CNQUyyrjCcC7XCGDf5SVb
https://blockchain.info/address/1KP72fBmh3XBRfuJDMn53APaqM6iMRspCh

Newer variants of CryptoLocker appear to be dynamically generating new bitcoin payment addresses for each instance of an infection. You can use the links above to see transactions into the wallet and out of the wallet.

 

CryptoLocker and Network Shares

 

CryptoLocker only encrypts data stored on network shares if the shared folders are mapped as a drive letter on the infected computer. Despite what some articles state, CryptoLocker does not encrypt data on a network through UNC shares. An example of a UNC share is \\computername\openshare.

It is strongly suggested that you secure all open shares by only allowing writable access to the necessary user groups or authenticated users. This is an important security principle that should be used at all times regardless of infections like CryptoLocker.

 

What to do if your anti-virus software deleted the infection files and you want to pay the ransom!

 

As many anti-virus programs would delete the CryptoLocker executables after the encryption started, you would be left with encrypted files and no way to decrypt them. Recent versions of CryptoLocker will now set your Windows wallpaper to a message that contains a link to a decryption tool that you can download in case this happens. There are numerous reports that this download will not double-encrypt your files and will allow you to decrypt encrypted files.

 

 

How to increase the time you have to pay the ransom

 

When the CryptoLocker is first shown, you will see a timer that states you need to pay the ransom within 96 hours. Some people have reported that you can increase the time by rolling back the clock in your BIOS. So to increase the timer by 10 hours, you would change your clock in your BIOS to 10 hours earlier. The virus author has stated that using this method will not help. They have said that the private key required for decryption will be deleted from the Command & Control server after the allotted time regardless of how much time it says is left on the infected computer.

 

Is there a way to contact the virus author?

 

People have asked how they can contact the author of this infection when their payment does not go through. There is no direct way to contact the developer of this computer infection. They are, though, monitoring the various threads about this infection, including our CryptoLocker support topic , and have responded to infected user’s issues as well as to give other messages on the home page of their Command & Control servers. The address for this Command & Control server can be found on the desktop wallpaper on an infected computer. The url that they specify to download the decrypter, can also be used to view the messages from the author. Simply go to the home page rather than the executable. So if the wallpaper has an URL of http://kjasdklhjlas.info/1002.exe, to see the message you would go to http://kjasdklhjlas.info/. Please note that this url is not valid.

The current text as of 10/22/13 of the Command & Control server is:

Command & Control Server Message

 

How to restore files encrypted by CryptoLocker using Shadow Volume Copies

 

If System Restore is enabled on your computer, then it is possible to restore previous versions of the encrypted files. Though these previous versions will not be encrypted, they may also not be the latest version of the file. Please note that Shadow Volume Copies, and thus Previous Versions, are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8. In this section we provide two methods that you can use to restore files and folders from the Shadow Volume Copy. The first method is to use native Windows features and the second method is to use a program called Shadow Explorer. It does not hurt to try both and see which methods work better for you.

Using native Windows Previous Versions :

To restore individual files you can right-click on the file, go into Properties , and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up as shown in the image below.

 

Previous Versions Tab for a file

 

To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to. If you wish to restore the selected file and replace the existing one, click on the Restore button. If you wish to view the contents of the actual file, you can click on the Open button to see the contents of the file before you restore it.

This same method can be used to restore an entire folder. Simply right-click on the folder and select Properties and then the Previous Versions tabs. You will then be presented with a similar screen as above where you can either Copy the selected backup of the folder to a new location or Restore it over the existing folder.

Using Shadow Explorer :

You can also use a program called Shadow Explorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.

When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.

Restoring files with Shadow Explorer

To restore a whole folder, right-click on a folder name and select Export . You will then be prompted as to where you would like to restore the contents of the folder to.

<h4 How do you become infected with CryptoLocker

 

This infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails would contain a zip attachment that when opened would infect the computer. These zip files contain executables that are disguised as PDF files as they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show extensions by default, they look like normal PDF files and people open them.

When CryptoLocker was first released, it was being distributed by itself. Newer malware attachments appear to be Zbot infections that then install the CryptoLocker infection. You will know you are infected with Zbot as there will be a registry key in the form of:

HKCU\Software\Microsoft\<random>

Under these keys you will see Value names with data that appears to be garbage data (encrypted info). The droppers will also be found in the %Temp% folder and the main executable will be stored in a random folder under %AppData% . Last but not least, a startup will be created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to launch it.

An example Zbot/CryptoLocker email message is:

—–Original Message—–
From: John Doe [mailto: John@mydomain.com] Sent: Tuesday, October 15, 2013 10:34 AM
To: Jane Doe
Subject: Annual Form – Authorization to Use Privately Owned Vehicle on State Business

All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.

The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.

Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.

 

How to generate a list of files that have been encrypted

 

If you wish to generate a list of files that have been encrypted, you can download this tool that I have created:

http://download.bleepingcomputer.com/grinler/ListCrilock.exe

When you run this tool it will generate a log file that contains a list of all encrypted files found under the HKCU\Software\CryptoLocker\Files key. Once it has completed it will automatically open this log in Notepad.

Another method is to use the Windows PowerShell (thanks prsgroup ):

For systems with PowerShell, you can dump the list of files in the CryptoLocker registry key using the following command:

(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace(“?”,”\”) | Out-File CryptoLockerFiles.txt -Encoding unicode

Make sure to include the “-Encoding unicode” parameter to ensure that filenames with Unicode characters are preserved.

How to determine which computer is infected with CryptoLocker on a network

 

On a large network, determining the computer that is infected with CryptoLocker can be difficult. Some infected users have reporter that encrypted files will have their ownership changed to the user that the CryptoLocker program is running under. You can then use this login name to determine the infected computer.

You can also examine your network switches and look for the ports that have lights that are continuously blinking or show very heavy traffic. You can then use this to further narrow down what computers may be infected.

How to prevent your computer from becoming infected by CryptoLocker

 

You can use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths. For more information on how to configure Software Restriction Policies, please see these articles from MS:

https://support.microsoft.com/kb/310791
https://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx

The file paths that have been used by this infection and its droppers are:

C:\Users\<User>\AppData\Local\<random>.exe (Vista/7/8)
C:\Users\<User>\AppData\Local\<random>.exe (Vista/7/8)
C:\Documents and Settings\<User>\Application Data\<random>.exe (XP)
C:\Documents and Settings\<User>\Local Application Data\<random>.exe (XP)

In order to block the CryptoLocker and Zbot infections you want to create Path Rules so that they are not allowed to execute. To create these Software Restriction Policies, you can either use the CryptoPrevent tool or add the policies manually . Both methods are described below.

 

How to use the CryptoPrevent Tool:

FoolishIT LLC was kind enough to create a free utility called CryptoPrevent that automatically adds the suggested Software Restriction Policy Path Rules listed below to your computer. This makes it very easy for anyone using Windows XP SP 2 and above to quickly add the Software Restriction Policies to your computer in order to prevent CryptoLocker and Zbot from being executed in the first place.

CryptoPrevent

A new feature of CryptoPrevent is the option to whitelist any existing programs in %AppData% or %LocalAppData%. This is a useful feature as it will make sure the restrictions that are put in place do not affect legitimate applications that are already installed on your computer. To use this feature make sure you check the option labeled Whitelist EXEs already located in %appdata% / %localappdata% before you press the Block button.

You can download CryptoPrevent from the following page:

https://www.foolishit.com/download/cryptoprevent/

For more information on how to use the tool, please see this page:

https://www.foolishit.com/vb6-projects/cryptoprevent/

Once you run the program, simply click on the Block button to add the Software Restriction Policies to your computer. If CryptoPrevent causes issues running legitimate applications, then please see this section on how to enable specific applications. You can also remove the Software Restriction Policies that were added by clicking on the Undo button.

How to manually create Software Restriction Policies to block CryptoLocker:

 

To manually create Software Restriction Policies you need to do it within the Local Security Policy Editor or Group Policy Editor. If you are a home user you should create these policies using the Local Security Policy editor. If you are on a domain, then your domain administrator should use the Group Policy Editor. To open the Local Security Policy editor, click on the Start button and type Local Security Policy and select the search result that appears. You can open the Group Policy Editor by typing Group Policy instead. In this guide we will use the Local Security Policy Editor in our examples.

Once you open the Local Security Policy Editor, you will see a screen similar to the one below.

Local Security Policy Editor

Once the above screen is open, expand Security Settings and then click on the Software Restriction Policies section. If you do not see the items in the right pane as shown above, you will need to add a new policy. To do this click on the Action button and select New Software Restriction Policies . This will then enable the policy and the right pane will appear as in the image above. You should then click on the Additional Rules category and then right-click in the right pane and select New Path Rule… . You should then add a Path Rule for each of the items listed below.

If the Software Restriction Policies clt;p align=gt;Under these keys you will see Value names with data that appears to be garbage data (encrypted info). The droppers will also be found in the %Temp% folder and the main executable will be stored in a random folder under ause issues when trying to run legitimate applications, you should see this section on how to enable specific applications.

Below are a few Path Rules that are suggested you use to not only block the infections from running, but also to block attachments from being executed when opened in an e-mail client.

Block Ransomware executable

Path: %AppData%\*.exe

Security Level: Disallowed

Description: Don’t allow executables to run from %AppData%.

Block Zbot executable

Path: %AppData%\*\*.exe

Security Level: Disallowed

Description: Don’t allow executables to run from immediate subfolders of %AppData%.

Block executables run from archive attachments opened with WinRAR:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe

Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe

Security Level: Disallowed


Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe

Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe

Security Level: Disallowed


Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe

Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe

Security Level: Disallowed


Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe

Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe

Security Level:
Disallowed


Description: Block executables run from archive attachments opened using Windows built-in Zip support.

 

You can see an event log entry and alert showing an executable being blocked:

Event Log Entry

 

Executable being blocked alert

If you need help configuring this, feel free to ask in the CryptoLocker help topic .

 

How to allow specific applications to run when using Software Restriction Policies

 

If you use Software Restriction Policies, or CryptoPrevent, to block CryptoLocker you may find that some legitimate applications no longer run. This is because some companies mistakenly install their applications under a user’s profile rather than in the Program Files folder where they belong. Due to this, the Software Restriction Policies will prevent those applications from running.

Thankfully, when Microsoft designed Software Restriction Policies they made it so a Path Rule that specifies a program is allowed to run overrides any path rules that may block it. Therefore, if a Software Restriction Policy is blocking a legitimate program, you will need to use the manual steps given above to add a Path Rule that allows the program to run. To do this you will need to create a Path Rule for a particular program’s executable and set the Security Level to Unrestricted instead of Disallowed as shown in the image below.

 

Unrestricted Policy

Once you add these Unrestricted Path Rules, the specified applications will be allowed to run again.

 

 

Threat Classification:

 

Advanced information:

View CryptoLocker files.
View CryptoLocker Registry Information.

 

Tools Needed for this fix:

 

Symptoms that may be in a HijackThis Log:

O4 – HKCU\..\Run: [<random>] C:\Users\<user>\AppData\Roaming\<random>\<random>.exe
O4 – HKCU\..\Run: [CryptoLocker] C:\Users\<User>\AppData\Roaming\<Random>.exe
O4 – HKCU\..\RunOnce: [*CryptoLocker] C:\Users\<User>\AppData\Roaming\<Random>.exe

 


 

Associated CryptoLocker Files:

%UserProfile%\<random>.exe
%UserProfile%\<random>\<random>.exe (zbot)

File Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7/8, and c:\winnt\profiles\<Current User> for Windows NT.

 

Associated CryptoLocker Windows Registry Information:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “CryptoLocker”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “*CryptoLocker”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “<Random>”

 


 

This is a self-help guide. Use at your own risk.

Reference: BleepingComputer.com

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Email this to someone