Ransomware has adapted over the years, becoming more difficult to thwart. “Malware that encrypts your data and tries to sell it back to you, or else, is not new,” noted Paul Ducklin, a researcher at SophosLabs, in a blog post. “In fact, one of the earliest pieces of malware that was written specifically to make money, rather than simply to prove a point, was the AIDS Information Trojan of 1989. That Trojan scrambled your hard disk after 90 days, and instructed you to send $378 to an accommodation address in Panama.”
That Trojan's scrambling was simplistic and identical on every infected computer, so free cleanup and recovery tools soon appeared, Ducklin noted. Not so with CryptoLocker, the current generation of ransomware: it encrypts images, documents, spreadsheets and other file types under a public key whose private half stays with the attackers. The malware searches every drive and folder it can reach from the compromised computer, including workgroup files shared by colleagues and resources on company servers, so its reach is bounded only by what the logged-on user can write to.
“The more privileged your account, the worse the overall damage will be,” Ducklin said.
CryptoLocker installs itself in the Documents and Settings folder under a randomly generated name and adds an autorun entry to the registry so that Windows starts it again every time the user logs on. It then generates a long list of random-looking hostnames under the .biz, .co.uk, .com, .info, .net, .org and .ru domains and tries a web connection to each in turn, one per second, until one answers. That first reachable server generates a unique public/private key pair for the victim and sends back only the public half; the private half never leaves the server. The beaconing itself is a usable indicator: a machine that resolves a stream of never-seen names across those domains, one a second, with nearly every lookup failing, is worth isolating before it finds a live server.
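The lookup pattern described above is something a defender can search for in resolver logs. The following Go program is an added example, not code from the article or from SophosLabs: the log lines are constructed, the line format is assumed, and the thresholds (eight failed lookups across three of the listed domains within a minute) are illustrative choices, not anything CryptoLocker is documented to require. It flags any client that collects NXDOMAIN answers for many distinct names across several of the named top-level domains inside a short window, which is what a once-per-second sweep through a generated list looks like from the resolver's side.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed resolver log (not from the article); assumed line format is
// "<RFC3339 timestamp> <client IP> <queried name> <rcode>". 10.0.0.7 models
// the behaviour described above: one lookup per second for random-looking
// names across the listed TLDs, almost all NXDOMAIN. 10.0.0.9 is ordinary.
const sampleLog = `2013-10-12T09:14:00Z 10.0.0.9 www.example.com NOERROR
2013-10-12T09:14:01Z 10.0.0.7 qwxr7ktmvbp.biz NXDOMAIN
2013-10-12T09:14:02Z 10.0.0.7 lhfdkwpxurtq.co.uk NXDOMAIN
2013-10-12T09:14:03Z 10.0.0.7 xmvbtqjrnwe.com NXDOMAIN
2013-10-12T09:14:04Z 10.0.0.7 pkrhvwtqnmzs.info NXDOMAIN
2013-10-12T09:14:05Z 10.0.0.7 zrtmkqwvbnx.net NXDOMAIN
2013-10-12T09:14:06Z 10.0.0.7 hqwnvxrtmkp.org NXDOMAIN
2013-10-12T09:14:07Z 10.0.0.7 tkvzmrwqnhp.ru NXDOMAIN
2013-10-12T09:14:07Z 10.0.0.9 exmaple.com NXDOMAIN
2013-10-12T09:14:08Z 10.0.0.7 wqnrmvhtkzx.biz NXDOMAIN
2013-10-12T09:14:09Z 10.0.0.7 kpmzvtrqnwh.co.uk NXDOMAIN
2013-10-12T09:14:10Z 10.0.0.7 rnhqzwvktmp.com NOERROR
2013-10-12T09:14:11Z 10.0.0.9 mail.example.com NOERROR`

// TLDs named in the article. Too common to match on by themselves; the
// signal is one client collecting many NXDOMAINs across several of them.
var watchedTLDs = []string{"co.uk", "biz", "com", "info", "net", "org", "ru"}

// tldOf returns the watched TLD a name ends in (co.uk is tested first).
func tldOf(name string) (string, bool) {
	for _, t := range watchedTLDs {
		if strings.HasSuffix(name, "."+t) {
			return t, true
		}
	}
	return "", false
}

type hit struct {
	ts   time.Time
	name string
}

type Finding struct {
	Client string
	Names  int       // distinct NXDOMAIN names in the busiest window
	TLDs   int       // distinct watched TLDs among those names
	Start  time.Time // start of that window
}

// FlagDGABeacons reports each client that, within some span of `window`,
// received NXDOMAIN for at least minNames distinct watched-TLD names spread
// over at least minTLDs TLDs. A window slides over each client's NXDOMAIN
// hits in time order; the window with the most distinct names is kept.
func FlagDGABeacons(logText string, window time.Duration, minNames, minTLDs int) map[string]Finding {
	perClient := map[string][]hit{}
	for _, line := range strings.Split(logText, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || f[3] != "NXDOMAIN" {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		name := strings.ToLower(strings.TrimSuffix(f[2], "."))
		if _, watched := tldOf(name); err != nil || !watched {
			continue
		}
		perClient[f[1]] = append(perClient[f[1]], hit{ts, name})
	}
	findings := map[string]Finding{}
	for client, hits := range perClient {
		sort.Slice(hits, func(i, j int) bool { return hits[i].ts.Before(hits[j].ts) })
		best := Finding{Client: client}
		for i := range hits {
			names, tlds := map[string]bool{}, map[string]bool{}
			for j := i; j < len(hits) && hits[j].ts.Sub(hits[i].ts) <= window; j++ {
				t, _ := tldOf(hits[j].name)
				names[hits[j].name], tlds[t] = true, true
			}
			if len(names) > best.Names {
				best = Finding{Client: client, Names: len(names), TLDs: len(tlds), Start: hits[i].ts}
			}
		}
		if best.Names >= minNames && best.TLDs >= minTLDs {
			findings[client] = best
		}
	}
	return findings
}

func main() {
	for _, f := range FlagDGABeacons(sampleLog, 60*time.Second, 8, 3) {
		fmt.Printf("%s: %d NXDOMAIN names over %d TLDs from %s\n",
			f.Client, f.Names, f.TLDs, f.Start.Format(time.RFC3339))
	}
}
```

The trigger is deliberately the burst of failures rather than the TLDs themselves, since those seven are the commonest on the Internet; a production version would add a per-client rate and an allow-list of known typo domains to hold false positives down.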
“Remember that public-key cryptography uses two different keys: a public key that locks files, and a private key that unlocks them,” said Ducklin. “You can share your public key widely so that anyone can encrypt files for you, but only you (or someone to whom you have given a copy of your private key) can decrypt them.”
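To make the asymmetry concrete, here is an added example in Go (not code from the article, from SophosLabs or from the malware) of the hybrid pattern ransomware of this kind typically uses: a random per-file AES-256 key seals the file with AES-GCM, and that key is wrapped with RSA-OAEP under the server's public key. The key size, blob layout and function names are assumptions for the demonstration, not CryptoLocker's actual format. With only the public key in hand, the infected machine can seal files all day; opening one needs the private key that the server keeps.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hybrid layout assumed for this demo (a common ransomware construction,
// not a description of CryptoLocker's real file format): each file gets a
// fresh random AES-256 key; the file is sealed with AES-GCM; the file key is
// wrapped with RSA-OAEP under the server's public key, so only the holder of
// the matching private key can unwrap it.
//
// Blob: [2-byte wrapped-key length][wrapped key][12-byte nonce][GCM ciphertext+tag]

const keyBits = 2048 // assumption for the demo

// serverKeyPair models the C2 side: the pair is born on the server and only
// the public half is ever handed to the infected machine.
func serverKeyPair() (priv *rsa.PrivateKey, pub *rsa.PublicKey, err error) {
	priv, err = rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, nil, err
	}
	return priv, &priv.PublicKey, nil
}

// clientSealFile models the infected machine, which holds only pub.
func clientSealFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := []byte{byte(len(wrapped) >> 8), byte(len(wrapped))}
	out = append(out, wrapped...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// openFile is the step the victim cannot perform without the server's
// private key: unwrapping the file key fails, and the file stays sealed.
func openFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("blob too short")
	}
	wl := int(blob[0])<<8 | int(blob[1])
	if len(blob) < 2+wl+12 {
		return nil, errors.New("blob too short")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[2:2+wl], nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	rest := blob[2+wl:]
	return gcm.Open(nil, rest[:12], rest[12:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, pub, _ := serverKeyPair()
	blob, _ := clientSealFile(pub, []byte("example spreadsheet contents"))
	pt, err := openFile(priv, blob)
	fmt.Printf("with the server's private key: %q (err=%v)\n", pt, err)
	other, _, _ := serverKeyPair()
	_, err = openFile(other, blob)
	fmt.Println("with any other private key:", err)
}
```

Nothing on the victim's side ever held the private key, which is why collecting samples of scrambled files cannot help: the ciphertext carries the wrapped file key, but unwrapping it is exactly the operation the public key does not permit.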
The malware then offers to trade money for the private key that unlocks the files. “It pops up a pay page, giving you a limited time, typically 100 hours, to buy back the private key for your data, typically for $300,” Ducklin said. The page also warns that the server will destroy the private key when the deadline expires, after which the files can never be recovered.
The picture doesn’t get better. “SophosLabs has received a large number of scrambled documents via the Sophos sample submission system,” he said. “These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption, and that we can help them get their files back. But as far as we can see, there's no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble.” In other words, unlike earlier ransomware, there is no cryptographic shortcut: without the private key, the only way back is to restore the files from a backup the malware could not reach.
Worse, the infection vectors make it hard for consumers to avoid. CryptoLocker arrives either as an email attachment or as a payload pushed to a computer that is already part of a botnet. The first route can be blunted by treating unsolicited attachments with suspicion; the second is harder to close.
“Most bots, or zombies, once active on your computer, include a general purpose ‘upgrade’ command that allows the crooks to update, replace, or add to the malware already on your PC,” said Ducklin. “So take our advice: make it your task today to search out and destroy any malware already on your computer, lest it dig you in deeper still.”