Thursday, 23 March, 2023
IT Security Guru

US CERT issues warning about CryptoLocker

by The Gurus
November 22, 2013
in Editor's News

The United States Computer Emergency Readiness Team (US-CERT) has issued an alert about the CryptoLocker ransomware.

Underscoring the major impact that it has had upon businesses and users globally, US-CERT said that the 2013 campaign “restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files”.
It said: “As of this time, the primary means of infection appears to be phishing emails containing malicious attachments. CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices.
“In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.”
According to WatchGuard, CryptoLocker is a ransomware Trojan that encrypts your personal files. It often arrives as a file with a double extension, such as “*.pdf.exe”, and since Windows doesn’t display file extensions by default, this file may look like a PDF file rather than an executable.
Once a machine is infected, CryptoLocker can find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. US-CERT warned that CryptoLocker then connects to the attackers’ command and control (C&C) server to deposit the asymmetric private encryption key out of the victim’s reach, and victims are required to pay in three days.
WatchGuard said that upon infection, the first action should be to disconnect the infected PC from the internet: if CryptoLocker can’t access its C&C, it can’t encrypt files, and disconnecting the machine may prevent further files from being encrypted. It also warned that CryptoLocker’s encryption is uncrackable as “it uses a very strong and reliable public/private key implementation that is similar to what commercial encryption products use”.
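The double-extension disguise described above can be screened for at a mail gateway or file server by parsing attachment names. The Python below is an added example, not code from US-CERT, WatchGuard or the original article; the extension lists, function names and sample file names are assumptions constructed for illustration.

```python
# Extensions Windows runs on double-click (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Document-style extensions a lure pretends to be (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "zip"}


def _clean(name):
    """Windows ignores trailing dots and spaces in a file name, so drop them first."""
    return name.strip().rstrip(". ")


def displayed_name(name):
    """Approximate what the user sees when file extensions are hidden."""
    cleaned = _clean(name)
    stem, dot, ext = cleaned.rpartition(".")
    if dot and ext.strip().lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return stem.rstrip()
    return cleaned


def classify(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    parts = [p.strip() for p in _clean(name).lower().split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # A decoy extension directly before the real one is the disguise itself;
    # padding spaces between the two ("x.pdf     .exe") are stripped above.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan(names):
    """Map each suspicious name to (verdict, name shown with extensions hidden)."""
    return {n: (classify(n), displayed_name(n)) for n in names if classify(n) != "ok"}


# Constructed sample attachment names, not taken from any real campaign.
SAMPLE = [
    "FedEx_Tracking_Notice.pdf.exe",
    "UPS_Label.PDF   .scr",
    "quarterly.report.v2.pdf",
    "setup.exe",
    "statement.doc.exe. ",
    "notes.txt",
]

if __name__ == "__main__":
    for name, (verdict, shown) in scan(SAMPLE).items():
        print(f"{verdict:17} {name!r} is shown as {shown!r}")
```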
“There is a chance that the good guys may eventually track down the attacker’s C&C servers, and recover some private keys. However, I would not hold out much hope for this,” it said.
US-CERT and the Department of Homeland Security encouraged users and administrators experiencing a ransomware infection not to respond to extortion attempts by attempting payment, and instead to report the incident to the FBI at the Internet Crime Complaint Centre. It was recently predicted that the UK CERT will open in the new year.
AlienVault researcher Jaime Blasco told IT Security Guru that this was a threat that uses public crypto, and said it is “virtually impossible to recover your files”.