You can work to prevent this by creating a group policy that disallows %AppData%\*.exe and %AppData%\*\*.exe
A good discussion of this happened here: http://www.reddit.com/r/sysadmin/comments/1mizfx/proper_care_feeding_of_your_cryptolocker/
Sidenote: this virus actually scares me, and it sounds like it actually scares most people who work in IT. This is the shittiest thing anybody has ever seen, it sounds like.
I was hit by this, or a variant, at my place of business. Hundreds of thousands of files on our shared drive were overwritten, about 2 TB worth of files. Office documents, PDFs, and Adobe documents like PSD and INDD were encrypted. JPEGs were altered but still viewable. All files increased in size by a few hundred bytes.
Pull-only backups were the savior here, although because we didn't notice until the next day, the pulled backups on that system were also overwritten with encrypted/corrupt files. Luckily we had VSS versioning on the pull-only backup location. There was a close call in that the 2 TB or so of "new" data ended up pushing VSS over quota and we almost lost our good versions of the files that way. If not for the VSS versions, we would've had to resort to cold backups which would've been a bit older. As it stood, no file recovered was more than a few hours old.
Auditing on the file share indicates which workstation was infected. Pertaining to that: it surprises me that in 2013, a default install of Windows will not log any useful information about shared folders by default. You must enable object auditing in Group Policy and specifically declare which users or groups are subject to said auditing on a share-by-share basis. In a world without logrotate, I suppose a sensible default is to just let a bunch of shit happen without recording it.
What gets me wound up most of all is the amount of engineering involved for an average home user to protect themselves. I thought a Mac with Time Machine was enough, but a similar virus would easily corrupt those backups if they were available to it over a mapped drive.
It is the goddamn 21st century, and users are still losing work by overwriting documents by accident, or opening a document as an e-mail attachment and not being able to find the actual file they edited. Should people really need an IT guy with ten years of experience to be protected from simple mistakes?
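A detection pass over share audit records of the kind the comment above describes, as an added example that is not from the thread: it flags a workstation that rewrites an unusually large number of distinct files within a short window, which is what a ransomware run looks like from the file server. The tab-separated record format and the sample records are constructed; real object-access audit events would first have to be exported into such a per-file form.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _burst(ws, user, n, start):
    """Generate n one-second-apart WriteData records from one workstation."""
    t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    return [f"{t0 + timedelta(seconds=i):%Y-%m-%d %H:%M:%S}\t{user}\t{ws}\t"
            f"\\\\FS1\\shared\\finance\\doc{i:04d}.docx\tWriteData" for i in range(n)]


# Constructed sample audit records (not real logs): tab-separated timestamp, user,
# workstation, path, access type. WS-HR-02 edits one file twice (normal);
# WS-ACCT-07 rewrites 120 distinct files in two minutes (the ransomware pattern).
SAMPLE_AUDIT = "\n".join(
    ["2013-10-21 08:55:10\tCORP\\ahale\tWS-HR-02\t\\\\FS1\\shared\\hr\\roster.xlsx\tWriteData",
     "2013-10-21 09:10:42\tCORP\\ahale\tWS-HR-02\t\\\\FS1\\shared\\hr\\roster.xlsx\tWriteData"]
    + _burst("WS-ACCT-07", "CORP\\jsmith", 120, "2013-10-21 09:00:00"))


def parse_records(text):
    """Split audit lines into dicts, skipping blank or malformed lines."""
    out = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        ts, user, ws, path, access = parts
        out.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                    "user": user, "ws": ws, "path": path, "access": access})
    return out


def find_mass_rewrites(records, threshold=50, window=timedelta(minutes=10)):
    """Return {workstation: peak number of distinct files written within `window`}
    for every workstation whose peak reaches `threshold`."""
    writes = defaultdict(set)  # workstation -> {(timestamp, path)}
    for r in records:
        if r["access"] == "WriteData":
            writes[r["ws"]].add((r["ts"], r["path"]))
    flagged = {}
    for ws, events in writes.items():
        evs = sorted(events)
        seen, lo, peak = defaultdict(int), 0, 0
        for ts, path in evs:                      # sliding window, oldest at evs[lo]
            seen[path] += 1
            while ts - evs[lo][0] > window:
                old = evs[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            peak = max(peak, len(seen))
        if peak >= threshold:
            flagged[ws] = peak
    return flagged
```

Tune `threshold` and `window` to the share's normal write rate; a backup agent or a bulk import from a trusted host will also trip this and needs an allow-list.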
Google has made progress on that front with the Chromebook, I suppose.
I think the interesting thing here is the shift from the target - the "best" target used to be compromising the OS, so OSes made moves to protect themselves from programs running as unprivileged users. Now, it's trivial to wipe an OS and restore from a backup. The real value is the things people store on a computer, which are usually going to be accessible via a user account.
One trivial solution would be OS level automatic versioning of files (a la Dropbox or Sparkleshare) - the original files would be written to a location that is read only to the user and only accessible via the OS, hence, backups could always be restored from it, but never destroyed without admin rights.
Of course, with people having great internet and whatnot, an automatic cloud based solution would be much more likely and useful.
I think with Windows 8.1 and onwards, Microsoft are automatically doing this by setting up the "Documents" type folders in SkyDrive - a great thing moving forward.
Backups are, obviously, a much better solution but require extra storage and usually cost money.
So there might be a niche for a freeware product that runs as an admin that automatically versions files - perhaps even as simple as having an admin-owned .git repo for the Documents folder.
The worrying thing about this attack is that targeting user data is trivial on all OSes, because of the way we think about privileges - it could be done to us Linux users through something nasty in our shell rc using GPG or whatever. There is no need to compromise anything.
I get annoyed when people are warned not to open some attachment. The real problem here is that in 2013 we're still using the flawed language of "opening attachments" -- as if running a native executable with full permissions is an action that belongs in the same category as viewing an image, reading a text file, or listening to music.
Well, it doesn't. This is a problem that should have been solved at the level of OS permissions/UI long ago. Why does a modern OS include UI functionality allowing a standard user to run an uninstalled executable in a non-sandboxed environment? There's no good reason for it.
In some cases the problem has been solved (e.g., restrictions that allow only signed apps to be executed). But I guess none of those cases include Windows, its standard UI, and popular e-mail programs. :-(
In a corporate environment I'd expect crucial data to be on the network drive and snapshotted every few hours. We run ZFS on our network and all the secretaries have to do their doc/excel work on the drive. Now that everybody has a Gigabit Ethernet connection, reads/writes are extremely quick.
Use ZFS and make read only snapshots that are only accessible to the sysadmins. You'll solve many problems that way. We do snapshots at 6am, noon and 6pm and then keep the 6pm one for 7, 14 and 30 days.
Victims don't even get the enjoyment of having to make their payments in some far flung corner of an MMO, like the plot of Reamde.
https://www.goodreads.com/book/show/10552338-reamde
A company I work with was hit when an employee opened a phishing email supposedly from another employee in the same company. It hit about 50 GB of data on the shared drive. We had Crashplan and restored from a few days previous. I then turned on DKIM and enabled quarantining non-DKIM emails via DMARC.
Everyone is talking about post-infection. However - this passage from http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information seems fairly key also:
"This infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails would contain a zip attachment that when opened would infect the computer. These zip files contain executables that are disguised as PDF files as they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show extensions by default, they look like normal PDF files and people open them."
I haven't got a Windows box handy to try this on but I assume there is at the very least an extra warning dialog when opening an exe - even a zipped exe?
Not that that mitigates this at all. The inability to distinguish executables from data files - and although that doesn't apply in this case - the ability of data files to hide executable payloads either via design or error - is a major and currently uncorrected flaw in the system.
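The double-extension lure quoted above is something a mail gateway can screen for before the attachment reaches a user. The following is an added example, not from the thread or from the bleepingcomputer page: it lists the members of a zip attachment that end in an executable extension, calls out the ones hiding behind a document extension, and shows the name Explorer would display with extensions hidden. The extension lists are assumptions and the sample zip is constructed with the lure's filename.

```python
import io
import zipfile

# Extensions Windows runs directly on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Extensions users expect to be harmless documents (assumed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def displayed_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is dropped, so FORM_101513.pdf.exe reads as FORM_101513.pdf."""
    base = name.rsplit("/", 1)[-1]  # zip member paths use forward slashes
    return base.rsplit(".", 1)[0] if "." in base else base


def classify_member(name):
    """Return a reason string if `name` looks like a disguised executable, else None."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"executable disguised with double extension .{parts[-2]}.{parts[-1]}"
    return f"executable .{parts[-1]} inside attachment"


def screen_zip(data):
    """Screen a zip attachment given as bytes; return {member: reason} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason:
                findings[info.filename] = reason
    return findings


def build_sample_zip():
    """Constructed sample attachment: a plain PDF name next to a disguised
    executable named like the lure quoted above. Contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/FORM_101513.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("invoice/FORM_101513.pdf.exe", b"MZ placeholder, not a binary")
        zf.writestr("README.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in screen_zip(build_sample_zip()).items():
        print(f"{member} (shown to the user as '{displayed_name(member)}'): {reason}")
```

Name-based screening catches only this particular lure; nested archives, password-protected zips and document macros need their own checks.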
Ah, I guess it is time to send the annual email to mom, dad, and the in-laws to be very wary of downloading anything or clicking on links in suspicious emails.
I find this is good insurance against the inevitable phone calls I receive as the only computer-literate member of the family: "Hey Cory, all my documents disappeared and I can't get them back. Do I have a virus?"
I'm sorry, but if a firm doesn't compartmentalise access and a single infected workstation can bring down everything, then they deserve what they get.
Had it not been ransomware it could have very well been a disgruntled employee, to the same effect.
I've been trying to raise awareness on my social media, since my family, friends and co-workers might not spend time on HackerNews.
If you want, copy my message and share with your family, friends and co-workers:
"Hi folks,
There's a new virus out there that I want to raise awareness of, it's called CryptoLocker. Basically what this virus does is that it tracks all your files - hard drives, flash drives, usb sticks, network drives/shares - then it encrypts the files it finds.
The only way to unlock the files again is to pay $300 to get the key used for the encryption. The encryption used is RSA with a 2048 bit key which makes it extremely hard to crack, I'd say impossible with the time span and today's computers.
You have 72 hours before they trash the key making it impossible for you to get your data back.
This can be extremely devastating if you are running a business and all your files are gone. If you sync your files to the cloud, you're still not safe, it syncs the encrypted files as well. If you are able to restore to previous versions of your files in the cloud - great.
Let your friends, family and co-workers know about this.
Here are some simple ways to avoid getting a virus in general:
1. Don't open e-mails from people you don't know
2. Don't open attachments in e-mails unless you were waiting for the attachment
3. Don't go to websites/click links that you don't fully trust
4. Don't download and execute files that you don't fully trust
It might seem obvious to most of us not to do the above, but to a lot of friends, family and co-workers it might not be.
Imagine waking up and having to pay $300 to get your data back. However, the police tracked down one of the servers that serves the keys and shut them down which means the keys were not delivered and the data was lost, this means even if you do pay the $300, there is no guarantee that you will get the data back.
Raise awareness of this and avoid having your files lost."
Central to the plot in the book Reamde but these guys don't offer a 'pay in WoW gold' choice.
Given the cost of computers these days, at least in business a separate 'browsing' machine and 'business' machine seems to be the best solution. I wonder if you could provide wireless for employees to bring their own laptops which had no 'office' connectivity (but internet connectivity) and machines that were hard wired and MAC filtered to the 'business' network.
Since the Bitcoin blockchain is public, couldn't you follow the money? Make a list of all wallets that accepted these funds initially, and then do graph analysis, either to see where the money went or provide others with a tool to avoid transactions with those wallets?
This is one of the scariest forms of attack on computing since viruses became prevalent in the nineties. The fact they were up until recently relatively undetectable adds another eerie dynamic to the situation. It highlights the age-old problem of people not pro-actively backing up their data offline until it's too late. Go out and buy a couple of cheap 1 TB external drives and back your data up now and keep doing it, there are even tools and drives that handle this automatically for you.
While ransomware isn't anything new, the fact that the authors of such software are using currencies like Bitcoin make it that extra bit harder to track and stop these people from extorting data. I sense a new wave of ransomware is about to hit the scene now that Ars have revealed specifics about potentially making millions a year from such a racket. It's hard informing people about these things without encouraging others to go and try writing their own ransomware and expect Bitcoin as payment.
This really worries me.
Called it in July. Read more...
http://blog.kinnaird.us/the-coming-age-of-ransomware-cloud-services-meet-bitcoin/
When I first saw the title, I thought it went like this:
1. Your machine is infected, and it encrypts everything it can.
2. The 72 hour countdown begins, and during that time your machine has been re-purposed to crunch Bitcoins.
3. All you have to do is wait 72 hours, and everything will un-encrypt and uninstall, leaving you perfectly fine.
Creators profit by having millions of machines crunching Bitcoins in their name.
While I'd like to think I'm sophisticated enough about security to avoid this, it makes me concerned about the vast majority of people (e.g. my parents, my girlfriend) that are clueless about such dangers.
Are there any recommendations of a simple way to at least enable automated backups of local documents to the cloud on a windows box?
This is the difference between crime and organised crime. People would not hand over the money to the burly visitors each month if their shop was burnt down anyway.
Evidence that paying the ransom actually results in the files coming back is the most troubling aspect here - these people are looking to establish a longer term criminal enterprise.
I got a similar virus once but it was before bitcoin was popular. It just asked for money via credit card. The virus hid my files, and I needed them for work too.
Fortunately the virus did that by some filesystem driver level hack, because after I booted into Linux I was able to mount the partition and get my files back.
People on here are talking about attachments and being smart enough not to fall for sham downloads, but this isn't how most ransomware is spread to its victims. They use exploit packs and 0-days. Visiting a website that's been hijacked with an iframe or a proxy that embeds an iframe or any other data into the HTML that is returned could get you infected. There is no foolproof way around this unfortunately.
You could imagine the Bitcoin community deciding to blacklist any wallets to which funds like this were demanded and disbursed. That seems like a great idea until you then realize that this would be a way of denying anyone access to their own funds, by specifying their wallet as the recipient even though the attacker doesn't control it. There really doesn't seem to be any good countermeasure to this.
Wow what a scheme. I mean it's almost the perfect situation for whoever wrote the system. It creates an extortion mechanism with a sense of urgency. Normally, users just carry malware around on their machine for weeks or months. The most frustrating part of this whole thing is that if you don't get the private key back and you're not backing up; you're toast.
This happened to someone I know (really, it wasn't me). Not only did it encrypt the local drives it also hit all of their network drives. As reprehensible as it is to pay the ransom they really had no choice since the encryption happened the prior night before the last backup.
Our company was hit by this yesterday, caused a lot of issues. Thank god we had backups, but they were 2 days old (frustratingly enough, the backup failed the previous day - first time in months...)
For a hacker having both an original file and the encrypted version of that file, it should be relatively easy to retrieve the key? Especially if the virus XORs all or a part of the file. Otherwise a hacker may look at the random function that generates the key in the source code of the virus; it may be weak and take values from the computer and time of infection.
How is this any different from a virus that *wipes* (not just deletes) your data? It takes the same amount of time (actually wiping data would be faster) and the result is the same: No data.
Maybe the psychological part of "Oh God the file is there but I can't use it" or the fact it's ransomware?
It's a pity to see that Windows hasn't died off yet and things like this are still happening. Using Linux / Mac for years, never looked back.
And for those who say "my mother can't use Linux", don't be a cheapskate, get your loved ones a Mac - they will definitely know how to use it.
I know a customer that got hit by this Tuesday morning. Unsurprisingly, Avast did nothing. I just told her the bad news and clean-installed Windows.
I have tried to find the private key with sample files, using known file byte headers, the public key and brute force on the private key. Sadly, no luck yet.
I imagine that this combined with virus capabilities (so it can spread itself via network) would be overkill. Strange that they didn't do it, once you have access to the local network (as soon as the initial victim runs the .exe received by email) it shouldn't be too hard.
Finally viruses are doing what they're supposed to - wreck your computer instead of staying under the radar as long as possible. If people are motivated to protect themselves from this they'll also be preventing botnets and doing good to the rest of the internet.
Huh, that is pretty scary. Add a physical packet snooper on all the traffic sent from my computer, and it might be possible to MITM the private key as it is sent to the server. That way I might have a fighting chance against this (if the traffic was unencrypted, that is).
What I find funny is that this piece of software actually tells you more about what it does than software you pay money for and even uninstalls itself, after it is not needed anymore. It's kinda weird how malware is better quality than most other software.
I talked to a small shop owner just the other day that had been hit by this. They said they spent the $300 on a new PC instead - but I'm pretty sure they lost a bunch of irreplaceable data (mailing lists, supplier details etc). Pretty heartbreaking.
Never heard of ransomware before, but the trend is alarming:
http://www.google.com/trends/explore?q=ransomware#q=ransomware&cmpt=q
Nasty stuff. Fortunately for me, this would set off the "why the heck are my fans running so loud right now" alarm that I have in my head (that honestly, I wish I could turn off sometimes ... curse you trustedinstaller.exe!!).
Has anyone attempted to run this using Wine?
As long as you keep all drives (/ or ~/) unmounted, I assume it would be 'safe' to test it.
Might be a simpler environment to analyze CryptoLocker in, as opposed to a full Windows install.
"When the receiver clicked on it, he saw a white box flash briefly on his screen but didn't notice anything else out of the ordinary"
What email client automatically unzips AND executes any containing .exe files?
Well that's moderately horrifying. I've dealt with ransomware before, but mostly it just used scary messages, not literally encrypting all your data.
Disabling or limiting your use of JavaScript and Java in the browser will go a long way towards protecting against delivery of this as it is likely delivered by an exploit kit. If you do hit an exploit kit, Microsoft EMET (free) will probably mitigate the exploit/s.