TA13-309A: CryptoLocker Ransomware Infections

Discussion in 'Security Alerts' started by News, Aug 8, 2014.

    Original release date: November 05, 2013 | Last revised: June 05, 2014
    Systems Affected

    Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems

    Overview

    US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

    Description

    CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

    Impact

    The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.

    Victim files are encrypted using asymmetric encryption, which uses two different keys: one for encrypting and one for decrypting. It is a more secure form of encryption because only one party holds the private key, while both sides know the public key.
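Because the private key is held at the attackers' C2 server, recovery of encrypted files from the victim side is not possible; what a defender can do is notice mass encryption on a share early. The following is an added example, not part of the US-CERT advisory: a small stdlib-only Python scanner that flags recently modified files whose byte entropy is close to 8 bits per byte (the signature of encrypted or compressed output) and raises an alert when several such files appear in a short window. The directory layout, file names, threshold and time window are constructed assumptions for illustration; in practice the root would be a mapped network drive or file share.

```python
import math
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

# Assumed thresholds (not from the advisory): encrypted/compressed data sits
# near 8.0 bits per byte, natural-language text is usually well under 6.
HIGH_ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024  # only the first 64 KiB of each file is sampled


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_for_mass_encryption(root, window_seconds=3600, min_flagged=3):
    """Walk `root`, flag recently modified high-entropy files, and alert when
    at least `min_flagged` of them are found inside `window_seconds`."""
    now = time.time()
    flagged = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if now - path.stat().st_mtime > window_seconds:
            continue  # old file, not part of an ongoing encryption run
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        entropy = shannon_entropy(head)
        if entropy >= HIGH_ENTROPY_THRESHOLD:
            flagged.append((str(path.relative_to(root)), round(entropy, 2)))
    flagged.sort()
    return {"flagged": flagged, "alert": len(flagged) >= min_flagged}


def build_sample_share():
    """Constructed sample share: three plain-text reports plus three files of
    random bytes standing in for encrypted output. Returns the directory."""
    root = tempfile.mkdtemp(prefix="share_")
    for i in range(3):
        (Path(root) / f"report{i}.txt").write_text(
            "Quarterly figures, nothing unusual here.\n" * 200)
    for i in range(3):
        (Path(root) / f"report{i}.txt.enc").write_bytes(os.urandom(SAMPLE_BYTES))
    return root


if __name__ == "__main__":
    result = scan_for_mass_encryption(build_sample_share())
    for name, entropy in result["flagged"]:
        print(f"high entropy: {name} ({entropy} bits/byte)")
    print("ALERT: possible mass encryption in progress" if result["alert"]
          else "no alert")
```

Entropy alone also matches legitimate compressed archives and media files, so in a real deployment the alert should be combined with the rate of modifications and with file types that should not normally be high-entropy (office documents, text). Sampling only the first 64 KiB keeps the scan cheap enough to run repeatedly over a large share.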

    While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key. US-CERT and DHS encourage users and administrators experiencing a ransomware infection to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

    Solution

    Prevention

    US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:


    Mitigation

    US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

    • Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware.
    • If possible, change all online account passwords and network passwords after removing the system from the network. Change all system passwords once the malware is removed from the system.
    • If your computer has not yet been encrypted with the CryptoLocker malware, the tools listed in TA14-150A may be able to remove this malware from your machine.
    References

    Revision History

    • November 5, 2013: Initial Release
    • November 13, 2013: Update to Systems Affected (inclusion of Windows 8)
    • November 15, 2013: Updates to Impact and Prevention sections.
    • November 18, 2013: Updated Prevention and Mitigation Sections
    • June 2, 2014: Update to include GameOver Zeus Alert (TA14-150A) reference in Mitigation Section
