The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. It is believed that the operators of CryptoLocker successfully extorted a total of around $3 million from victims of the trojan.

It propagated through infected e-mail attachments and through the existing Gameover ZeuS botnet. Once running on a computer, it searched for files to encrypt on the local hard drives, on any attached removable media and on mounted network drives, in short anything the logged-in user could write to. The encryption was a hybrid scheme, as in practically all crypto-ransomware: RSA is far too slow for bulk data, so each file was encrypted with a symmetric cipher (AES) under a random key, and that key was in turn encrypted with a 2048-bit RSA public key fetched from the malware's control server. The scheme relies on the two halves of that RSA key pair: data encrypted with the public key can only be decrypted with the matching private key, and the private key was stored only on the operators' servers and never sent to the infected machine, so nothing left on the victim's disk could undo the encryption.

The malware then displayed a warning screen demanding a ransom, payable in Bitcoin or with a prepaid cash voucher, within a deadline of a few days, and threatened to delete the private key if the deadline passed. From November 2013 the operators also ran an online service through which victims could buy the key after the deadline had expired, at a considerably higher price in bitcoin. Paying carried no guarantee that the encrypted data would actually be released.

Source: usa.kaspersky.com and en.wikipedia.org

What Does CryptoLocker Do? 

The most common infection method is e-mail with an attachment, usually a ZIP archive. The file inside appears to be a familiar document type such as *.doc or *.pdf, but in fact carries a double extension, for example invoice.pdf.exe: Windows hides the extension of known file types by default, so the user sees only invoice.pdf while the file is really an executable (*.exe). Once opened, the attachment shows a decoy window and runs a small downloader, which fetches and installs the CryptoLocker payload.
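The double-extension trick depends on a user-interface detail: Explorer hides only the last, registered extension. The following check, written for this page as an added example (it is not code from the original article or from any of its sources), classifies attachment names the way a mail gateway or a quarantine rule would. The lists of executable and decoy extensions, the space-padding case and all sample names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Extensions that Windows runs when double-clicked. The page names only .exe;
// the rest of this list is an assumption for the example.
var executableExt = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true,
	".bat": true, ".cmd": true, ".js": true, ".vbs": true,
}

// Document-like extensions a lure pretends to be (assumed list).
var decoyExt = map[string]bool{
	".pdf": true, ".doc": true, ".docx": true, ".xls": true, ".xlsx": true,
	".jpg": true, ".png": true, ".txt": true, ".zip": true,
}

// classifyAttachment reports the name as Explorer shows it with "Hide extensions
// for known file types" enabled (the Windows default), the real final extension,
// and whether the two together form a double-extension lure such as
// invoice.pdf.exe. Trailing spaces before the real extension, a padding trick
// used to push ".exe" out of view, are ignored when reading the decoy extension.
func classifyAttachment(name string) (shown, real string, lure bool) {
	real = strings.ToLower(path.Ext(name))
	shown = name
	if executableExt[real] || decoyExt[real] {
		// Only the last, registered extension is hidden from the user.
		shown = name[:len(name)-len(real)]
	}
	if !executableExt[real] {
		return shown, real, false
	}
	inner := strings.ToLower(path.Ext(strings.TrimRight(shown, " ")))
	return shown, real, decoyExt[inner]
}

// flagLures returns the attachment names that should be quarantined.
func flagLures(names []string) []string {
	var flagged []string
	for _, n := range names {
		if _, _, lure := classifyAttachment(n); lure {
			flagged = append(flagged, n)
		}
	}
	return flagged
}

func main() {
	// Constructed sample attachment names, not taken from any real campaign.
	samples := []string{
		"Invoice_2013-09.pdf.exe",
		"Scan_0912.doc                                  .scr",
		"report.pdf",
		"setup.exe",
		"holiday.JPG.Exe",
		"notes.txt.zip",
	}
	for _, n := range samples {
		shown, real, lure := classifyAttachment(n)
		fmt.Printf("%-52q shown as %-28q real %-5s lure=%v\n", n, shown, real, lure)
	}
	fmt.Println("quarantine:", flagLures(samples))
}
```

A bare setup.exe is deliberately not flagged: the check targets disguise, not executables as such, which is a separate policy decision. Turning on "show file extensions" on the client removes the disguise for the user in the same way.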

The malware may also arrive from websites that prompt you to download a plug-in or a video player.

When executed, CryptoLocker copies itself into the user's profile folder, adds a registry key so that it runs at every start-up, and then scans the computer, any connected devices and any writable network shares for files and folders to encrypt.

CryptoLocker fetches a victim-specific 2048-bit RSA public key from its control server and uses it to protect the keys under which the files are encrypted. It targets a fixed list of extensions, chiefly Office documents, images and similar user data rather than system files, so the machine keeps running and the victim can read the ransom demand. Depending on the variant, encrypted files may be renamed with an extension such as .encrypted or .cryptolocker or a string of random characters, and a file is dropped in each affected directory linking to a web page with decryption instructions that require the user to make a payment; such instruction files are typically named DECRYPT_INSTRUCTION.txt or DECRYPT_INSTRUCTIONS.html. Note that the original 2013 CryptoLocker left file names unchanged and instead recorded every encrypted file in a registry key under HKCU\Software\CryptoLocker; renamed files and dropped instruction files are characteristic of later variants and copycats that borrowed the name.
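The hybrid design described in the opening section and again here is easy to misread as "the files are RSA-encrypted". The program below is an added example written for this page, not CryptoLocker's code and not code from any of the cited sources; it shows the actual division of labour with Go's standard library: a per-file AES-256-GCM key on the victim side, RSA-OAEP wrapping of that key under the operator's public key, and recovery only with the private key. The blob layout, the use of GCM and OAEP, and the sample file contents are assumptions made for the example; CryptoLocker's real on-disk format is not documented on this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	fileKeyLen  = 32 // AES-256
	gcmNonceLen = 12
	gcmTagLen   = 16
)

// wrapFile is the victim-side operation. It holds only the operator's RSA public
// key. Each file gets a fresh random AES-256 key; the contents are encrypted with
// AES-GCM under that key and the key itself is encrypted with RSA-OAEP. Layout of
// the result (assumed for this example, not CryptoLocker's real file format):
//
//	[RSA-wrapped AES key, pub.Size() bytes][12-byte GCM nonce][ciphertext + 16-byte tag]
func wrapFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, fileKeyLen)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	// Only the 32-byte key goes through RSA; RSA-2048 can carry at most
	// 190 bytes under OAEP/SHA-256, far too little for bulk file data.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(wrapped, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// unwrapFile is the recovery side and needs the private key, which in the real
// attack existed only on the operators' servers. A wrong key fails at the OAEP
// step; a tampered or truncated blob fails at the GCM tag check.
func unwrapFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	keyLen := priv.PublicKey.Size()
	if len(blob) < keyLen+gcmNonceLen+gcmTagLen {
		return nil, errors.New("blob too short")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[:keyLen], nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, blob[keyLen:keyLen+ns], blob[keyLen+ns:], nil)
}

func main() {
	// Operator side: the key pair is generated on the control server and only
	// the public key is ever sent to the infected host.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey

	// Constructed sample file contents.
	doc := []byte("Q3 invoices: customer list and totals (constructed sample)")
	blob, err := wrapFile(pub, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes -> %d byte blob\n", len(doc), len(blob))

	// Anything recoverable from the host is useless without the private key:
	// even a second, unrelated RSA-2048 private key cannot unwrap the file key.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := unwrapFile(other, blob); err != nil {
		fmt.Println("wrong private key:", err)
	}

	got, err := unwrapFile(priv, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("operator's private key recovers the file:", bytes.Equal(got, doc))
}
```

The point for defenders is in what is absent from the victim side: no private key, no reusable symmetric key shared across files, and nothing derivable from the public key. Recovery without the operator's key therefore comes down to offline backups, or, as happened for the original CryptoLocker, to the key database being seized.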

Source: varonis.com

Methods of Combating Cryptolocker 

There is no cure for ransomware once the files are encrypted, and no prevention is 100% effective. The realistic goal is therefore to reduce the chance of infection and to be ready to recover: prepare for disaster recovery and business continuity, have a business continuity plan (BCP), and test it.

The single most important measure is to back up all important data and to keep at least one copy offline. A copy kept on the main storage device, or on a permanently connected external drive or mapped network share, is convenient for quick restores but will be encrypted along with everything else if the host is infected, because CryptoLocker encrypts every drive the user can write to. Backup media such as external hard drives should therefore be connected to the physical or virtual server only for the duration of the backup, disconnected immediately after the backup operation completes, and stored in a secure location. Restore from the backups periodically: a backup that has never been restored is not known to work.

In addition, the following measures help prevent this attack:

  • Run a reputable anti-malware product and keep its signature database up to date at all times.
  • Configure Windows to show file extensions, so that a double-extension lure such as invoice.pdf.exe is visible for what it is.
  • Do not open attachments from unknown e-mail addresses, and treat unexpected ZIP or executable attachments from known senders with the same suspicion.
  • Do not download files from unfamiliar websites.
  • Block executables from running out of the temporary and application-data folders of the user profile (for example with a Software Restriction Policy or AppLocker), since that is where CryptoLocker installs itself.
  • If you believe you may be infected, disconnect the machine from the network first so that mapped shares are not encrypted, then run a full system scan using a reputable antivirus program.
  • Limit the personal information you give away or put online.

Removing CryptoLocker Ransomware 

There is no guarantee that removing the malware restores anything: deleting the executable stops further encryption but does nothing for files that are already encrypted, which still need the private key. For the original CryptoLocker that key eventually became available. After the Gameover ZeuS botnet was disrupted in Operation Tovar in mid-2014, security firms obtained the database of private keys and in August 2014 released a free service, DecryptCryptoLocker, that recovered files for victims of that campaign; later variants and copycats are not covered by it. Every security company offers some removal guidance. Avast, a well-known manufacturer of home and enterprise security products, publishes removal instructions and free decryption tools for a number of ransomware families.

———————————

Sources:

usa.kaspersky.com

en.wikipedia.org