Forum Thread: Copycat ransomware demands cash to unscramble files

This thread has been marked as locked.
mogs Copycat ransomware demands cash to unscramble files
Expert Contributor 14th Dec, 2013 20:39
Ranking: 2265
Posts: 6,269
User Since: 22nd Apr, 2009
System Score: 100%
Location: UK

Malicious programs that demand a ransom to restore files that they have encrypted are starting to proliferate.

Security company IntelCrawler has discovered malware called Locker that demands $150 (£92) to restore files.

The cyber-thieves behind Locker were trying to emulate the success of CryptoLocker that has racked up thousands of victims this year.

However, IntelCrawler said, flaws in the malicious program suggest it might be easier to defeat than CryptoLocker.

IntelCrawler said it first saw "large-scale distribution" of several different versions of Locker early this month. So far, the malware has managed to snare people across the US, Europe and Russia. It is spread via infected files placed on compromised websites and through booby-trapped files disguised as MP3s.

Analysis by Andrey Komarov, of IntelCrawler, shows that when Locker infects a machine, it deletes files leaving only encrypted copies behind and also drops a small file containing a unique ID number and contact details for Locker's creators.

The file also warns that no key will be given to any victim who harasses or threatens the malware's creators.

Those who want to get their data back are encouraged to use the contact details and, once the ransom is paid, each victim gets a key to unscramble files.

However, help could be at hand for anyone hit by Locker, said Mr Komarov, as IntelCrawler had managed to penetrate the network the cyber-thieves were using to monitor victims. This helped the company extract the universal keys used to scramble target files.

"Our researchers are working on the universal decryption software in order to help the victims," said Mr Komarov.


mogs RE: Copycat ransomware demands cash to unscramble files
Expert Contributor 14th Dec, 2013 20:48
Score: 2265
Posts: 6,269
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 14th Dec, 2013 20:55
Cryptolocker: Menace of 2013

Summary: The scale of the Cryptolocker threat is disputable. It's the psychology that is truly frightening.

By Rob O’Neill | December 13, 2013 -- 20:17 GMT

Security software company Symantec this month named Cryptolocker the “Menace of the Year”.

Bitdefender logged over 12,000 victims in a week last month. That's not huge on a global scale but it should be a big enough number to make businesses pay attention.

While relatively few have been affected so far, many of those that have succumbed experienced a world of pain, as the victim stories below will attest.
Backup is the key to recovering from a Cryptolocker lockout.
For anyone who hasn’t been paying attention, Cryptolocker is a variant of ransomware that unlike its predecessors does not work by locking a computer. Instead, it encrypts all data and demands a ransom in Bitcoins for the user to regain access.

It is usually distributed as an executable attachment disguised as a Zipped document and presented as an invoice or report or similar via a spam campaign.

All of that would be frightening enough for individual users, but Cryptolocker more than most trojans is a threat to businesses too. That's because it not only attacks data on the PC on which the executable was opened, but also on devices and drives connected to that PC.

So, what’s it like being on the receiving end?

One business in Australia was shut down for five days with staff sent home on leave. Every network share's business data was encrypted, over 64,000 files, after a staff member clicked on an attachment, despite telltale suspicious signs.

The firewall failed to detect and stop the infection as did antivirus software.

After the download, multiple files executed from a website and downloaded more malicious code to boot at startup via the registry.

Backup is key. It allows companies to enter their own personal Tardis and, like Dr Who, wind the clock back.

In this case it failed. The server had made room for the latest revised data by deleting all the old backups.

“The receptionist could not wait for the backup to complete on the last known backup date, and pulled out the USB drive early.”

This forced the IT fixers to restore from an older backup, losing many proposals and quotes. The system was recovered “but at great expense and emotional cost”.

Contrast that with a New Zealand law firm where, through good management and a bit of luck, backup was effective.

“Only 45 minutes of work was lost and as this all happened at around midday a lot of staff were at lunch so there was not much activity in regards to the data.”

The most famous victim to date is the Police department of Swansea, Massachusetts. Infected in November, the department decided to pay the ransom demand of two bitcoins, around US$750 at the time, and recovered its data.

In the process it not only revealed its vulnerability, but also drew heat for rewarding the criminals.

Cryptolocker is not entirely new. It emerged in September, but similar malware families date back as far as 2005.

Symantec says due to the publicity around ransomware, there are fewer uninformed potential victims and that had lowered the effectiveness of the tactic and its profitability.

Cryptolocker is their response.

“Due to this increased public awareness, in the last quarter of 2014 we have seen cybercriminals reorganize around a new type of extortion: Cryptolocker. This threat is pervasive and preys on a victim's biggest fear: losing their valuable data…

“If files are encrypted by Cryptolocker and you do not have a backup of the file, it is likely that the file is lost.”

There is no way to retrieve locked files without the attacker's private key. There can also be a time limit, usually 72 hours, in which to pay the ransom.

Almost comically, the criminals were making so much coin from a surging bitcoin value, they later reduced the ransom.

Users are being advised to take the following precautions:
•Backup all files regularly and off the network
•Lock down directories
•Make sure you have a business grade unified threat management (UTM) firewall with current subscriptions
•Keep all virus protection software up to date
•Make sure all employees are aware of this danger, trained in response and know to not open attachments without first talking to the IT department.

Bitdefender Anti-CryptoLocker
A security solution that is especially created to prevent the CryptoLocker ransomware from getting to your computer and infecting it
You can download Bitdefender Anti-CryptoLocker from Softpedia.

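The lure described in the article above, an executable attachment dressed up as a zipped invoice or report, is something a mail gateway can screen for before a user ever sees it. The following is an added example and is not code from the article or from any of the vendors mentioned in this thread; the extension lists and the constructed sample archive are assumptions for illustration, not a vendor's signature set.

```python
"""Screen a zipped e-mail attachment for an executable posing as a document.
Added example, not code from the article or from any vendor in this
thread; the extension lists are assumptions, not a signature set."""
import io
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}
MZ = b"MZ"  # first two bytes of a Windows PE executable


def _extensions(name):
    """'dir/Invoice.pdf.exe' -> ['.pdf', '.exe'] (lower-cased, basename only)."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]


def classify_member(name, head):
    """Reasons a zip member looks like a lure, from its name and first bytes."""
    reasons = []
    exts = _extensions(name)
    if exts and exts[-1] in EXEC_EXTS:
        reasons.append("executable extension %s" % exts[-1])
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] in EXEC_EXTS:
        reasons.append("double extension mimics a document")
    if head.startswith(MZ) and not (exts and exts[-1] in EXEC_EXTS):
        reasons.append("PE header under a non-executable name")
    return reasons


def scan_zip_attachment(data):
    """Map suspicious member names to reasons; {} means nothing was flagged."""
    findings = {}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"<attachment>": ["not a valid zip archive"]}
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                with zf.open(info) as fh:
                    head = fh.read(2)
            except RuntimeError:  # password-protected member, cannot look inside
                findings[info.filename] = ["encrypted member, contents not inspectable"]
                continue
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment():
    """Constructed sample archive (not a real malware sample) with one lure
    of the kind the article describes, one clean document and one PE file
    hiding under a harmless name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2013-12-10.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("report.pdf", b"%PDF-1.4\n%constructed\n")
        zf.writestr("notes.txt", b"MZ\x90\x00" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_attachment(build_sample_attachment()).items():
        print(member, "->", "; ".join(why))
```

Windows hides known extensions by default, so "Invoice.pdf.exe" is displayed as "Invoice.pdf" with whatever icon the executable carries, which is why the name check alone is not enough: the first-bytes check catches a PE file that has dropped the executable extension altogether. A password-protected member cannot be inspected at all and is reported as such rather than waved through.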
mogs RE: Copycat ransomware demands cash to unscramble files
Expert Contributor 17th Dec, 2013 14:07
Score: 2265
Posts: 6,269
User Since: 22nd Apr 2009
System Score: 100%
Location: UK

Unlocking CryptoLocker: How infosec bods hunt the fiends behind it

Looks like 2013's nastiest cyber-threat is run from Eastern Europe - or Russia

By Thomas Brewster, 16th December 2013

CryptoLocker, the bitcoin thieving ransomware menace that has become 2013’s most infamous malware, was likely created by a single hacker crew in Russia or former Eastern bloc states and is heavily targeting US and UK systems, researchers have exclusively revealed to The Register.

Dell SecureWorks’ Counter Threat Unit (CTU) set up a sinkhole operation not long after the uber ransomware emerged in September, registering multiple domains from a pot of those used by CryptoLocker. Between October 22nd and November 1st, around 31,866 unique IP addresses contacted those CTU sinkhole servers, 22,360 from the US, 1,767 in the UK and 818 in India.

This provides a glimpse into the scourge that CryptoLocker has now become. But Keith Jarvis, a security researcher with Dell SecureWorks’ CTU, estimates the overall number of infected machines is now approximately 250,000.

“The actors infect machines in ‘waves’ so rates wax and wane between zero and around 5,000 a day,” he told El Reg.

Another Russian beastie?

Read more at:

Maurice Joyce RE: Copycat ransomware demands cash to unscramble files
Handling Contributor 17th Dec, 2013 19:01
Score: 11934
Posts: 9,165
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 17th Dec, 2013 23:53
For any home user concerned by this threat it should be well covered by your National Crime Fighting Agency.

Advice for UK Residents is here:

This subject is also well covered here:

with links to an easy to understand background information,action plan & active Forum:

Within the information you will note there is a link to FoolishIT LLC -

Just install this programme & all should be in order****

**** You will note there is an option to upgrade costing $15. This allows auto updating of definitions as the threat landscape changes (set & forget).

If you elect not to upgrade just run a manual update scan weekly. With either version installed you will still have the option to chat direct with the author to dispel any concerns you have on this issue.


Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
mogs RE: Copycat ransomware demands cash to unscramble files
Expert Contributor 20th Dec, 2013 16:28
Score: 2265
Posts: 6,269
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 20th Dec, 2013 16:37
December 20, 2013

CryptoLocker ransom Trojan infected 250,000 PCs

Dell SecureWorks estimates at least 0.4 percent of victims of the malware paid up, generating millions of dollars in ransom payments
By John E Dunn |

The feared CryptoLocker ransom Trojan has infected at least a quarter of a million PCs worldwide, a success rate probably generating somewhere in the low millions of dollars in ransom payments, a new analysis by Dell SecureWorks has estimated.

Alarming reports of the chaos sown by CryptoLocker have been easy to come by, less so hard numbers about the scale of what has surely been the malware story of 2013.

Offering some of the first data, Dell SecureWorks recorded 31,866 infected PCs contacting sinkholed command and control servers between Oct. 22 and Nov. 1 alone, over 22,000 of which were in the U.S. with around 1,700 in the U.K.

Carrying out the same exercise between Dec. 9-16, the number of infected PCs had fallen to only 6,459, a fall attributed mainly to a lower level of activity by the botnets pushing the malware.

From these numbers, the firm calculated that in the first 100 days of its activity from mid-September, CryptoLocker managed to infect between 200,000 and 250,000 PCs globally, disproportionately in English-speaking countries.

This brings Dell SecureWorks to the issue of how much money the criminals have made from CryptoLocker.

Based on bitcoin payments connected to ransoms, Dell Secureworks estimates that between September and December the sums extorted were between $380,000 and $980,000 in value, depending on how long the virtual currency was held for.

Because this excludes ransoms paid using other channels such as MoneyPak -- most of the sums extorted Dell believes -- the real damage had to be much higher than this, the firm said.

"These figures represent a conservative estimate of the number of ransoms collected by the CryptoLocker gang," said Dell SecureWorks' researchers.

"Based on this information and measurements of infection rates, CTU researchers estimate a minimum of 0.4 percent, and very likely many times that, of CryptoLocker victims are electing to pay the ransom."

Many of the victims of CryptoLocker's shakedown have been small businesses rather than consumers; from its first appearance the malware targeted SMEs using subject lines such as 'consumer complaint' to engineer employees into opening attachments, the firm said.

One high-profile example of this was a U.S. police department that not only found itself infected by CryptoLocker but quite incredibly agreed to pay its bitcoin ransom demand.

As this target field became exhausted, the criminals had shifted, probably reluctantly, to less profitable home users. Today, the waxing and waning of CryptoLocker corresponded to activity on botnets used to distribute it, such as Cutwail.

According to Dell, its creators were almost certainly seasoned in malware campaigns that appear to have made sound design decisions that complicate efforts to mitigate this threat and have demonstrated a capable distribution system based on the Cutwail and Gameover Zeus botnets.

December 20th, 2013, 12:04 GMT · By Eduard Kovacs
CryptoLocker 2.0 Appears to Be the Work of Copycats

Last month, researchers from ESET discovered what appeared to be a new variant of the notorious CryptoLocker ransomware. The threat is dubbed CryptoLocker 2.0, but experts believe that it’s not developed by the same individuals who created the older version.

CryptoLocker 2.0 is similar to CryptoLocker. It scans infected computers for certain file types and encrypts them using RSA public-key cryptography. It then demands the payment of a certain amount of money to have the files restored.

However, a closer analysis reveals that there are a lot of differences between the two. Furthermore, there are no significant improvements in the new variant of the malware.

For instance, CryptoLocker is written in C++, while CryptoLocker 2.0 in C#. The 2.0 version is designed to accept payment only in Bitcoin, unlike the older one that also accepts Ukash, MoneyPak and cashU.

As far as the encryption is concerned, CryptoLocker 2.0 claims to use an RSA 4096-bit cipher, but it actually utilizes RSA 1024-bit, which is weaker than the original version that uses RSA 2048-bit.

When it comes to command and control (C&C) communications, the old variant of the ransomware uses an RSA public key for encryption, while CryptoLocker 2.0 relies on AES. Another noteworthy thing is the fact that CryptoLocker 2.0 uses hardcoded C&C addresses, while the original version contains a domain generation algorithm (DGA) as well.

Interestingly, CryptoLocker 2.0 is designed to mimic cracks and activators for various pieces of software, such as Microsoft Office, Windows, Photoshop and Team Viewer. Experts say that this serves as an additional spreading mechanism.

“The list of functionalities present in the trojan code is quite extensive and also includes stealing Bitcoin wallet files, launching the legitimate BFGMiner application or running DDoS attacks against a specified server. However, we were unable to establish whether this functionality was actually being used at present,” ESET’s Robert Lipovsky noted.

In conclusion, considering that there are a lot of differences between the two threats, CryptoLocker 2.0 is most likely the work of a copycat.

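The Dell SecureWorks sinkhole figures quoted in this post (and in the Register piece further up the thread) and ESET's remark that the original CryptoLocker carries a domain generation algorithm while 2.0 uses hardcoded addresses come down to the same mechanism: once the DGA is recovered, a defender can compute the domains in advance, register some of them, point them at a server and count the machines that call in, which is not possible against a fixed C&C list. The following is an added example and is not code from Dell SecureWorks, ESET or anyone in this thread; the DGA in it is a deliberately simple hypothetical one and not CryptoLocker's real algorithm, the seed and TLD set are assumptions, and the log lines are constructed.

```python
"""Sinkhole measurement against a DGA: added example, not code from the
thread or from the researchers it quotes.  The DGA here is a hypothetical
stand-in for illustration, not CryptoLocker's recovered algorithm."""
import hashlib
from collections import defaultdict
from datetime import date, datetime, timedelta

TLDS = ("com", "net", "org", "info")  # assumed TLD set for the toy DGA


def _as_date(day):
    return date.fromisoformat(day) if isinstance(day, str) else day


def dga_domains(day, count=5, seed=b"example-seed"):
    """Hypothetical date-seeded DGA.  The same day always yields the same
    list, which is exactly what lets a defender pre-register or sinkhole
    tomorrow's domains today.  A hardcoded C&C list gives no such handle."""
    day = _as_date(day)
    out = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in h[:12])
        out.append("%s.%s" % (label, TLDS[int(h[12], 16) % len(TLDS)]))
    return out


def build_sample_log():
    """Constructed sinkhole log, not real telemetry: 'timestamp src_ip cc domain'."""
    d22 = dga_domains("2013-10-22")
    d23 = dga_domains("2013-10-23")
    d02 = dga_domains("2013-11-02")
    rows = [
        ("2013-10-22T10:15:01Z", "198.51.100.7", "US", d22[0]),
        ("2013-10-22T10:15:05Z", "198.51.100.7", "US", d22[1]),  # same host retrying
        ("2013-10-22T11:02:44Z", "203.0.113.9", "GB", d22[3]),
        ("2013-10-23T08:30:00Z", "192.0.2.15", "IN", d23[2]),
        ("2013-10-23T09:00:00Z", "198.51.100.8", "US", "www.example.org"),  # unrelated hit on the sinkhole IP
        ("2013-10-23T09:10:00Z", "198.51.100.20", "US", d22[4]),  # victim's clock a day behind
        ("2013-11-02T12:00:00Z", "198.51.100.9", "US", d02[0]),  # outside the window
    ]
    return "\n".join(" ".join(r) for r in rows) + "\n"


def parse_line(line):
    ts, ip, cc, domain = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, cc, domain.lower()


def count_victims(log_text, start, end):
    """Unique source IPs that queried a DGA domain on a day in [start, end],
    in total, per country and per day.  Counting IPs rather than connections
    avoids double-counting retries; NAT still hides several hosts behind one IP."""
    start, end = _as_date(start), _as_date(end)
    all_ips, per_cc, per_day = set(), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, cc, domain = parse_line(line)
        day = ts.date()
        if not (start <= day <= end):
            continue
        # accept today's and yesterday's domains: infected clocks drift
        expected = set(dga_domains(day)) | set(dga_domains(day - timedelta(days=1)))
        if domain not in expected:
            continue  # scanner noise or another family, not one of ours
        all_ips.add(ip)
        per_cc[cc].add(ip)
        per_day[day].add(ip)
    return {
        "total": len(all_ips),
        "by_country": {cc: len(s) for cc, s in per_cc.items()},
        "by_day": {d.isoformat(): len(s) for d, s in sorted(per_day.items())},
    }


if __name__ == "__main__":
    print(count_victims(build_sample_log(), "2013-10-22", "2013-11-01"))
```

The per-day counts are what make the "waves" Jarvis describes visible, and the per-country split is how the US/UK/India breakdown in the quoted figures would be produced. Two caveats a practitioner would keep in mind: a sinkhole only sees victims whose generated domain happens to be one the defender managed to register, so the count is a floor, and an IP is not a machine, so the numbers are a lower bound behind NAT and an upper bound where one laptop roams across networks.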
