Cryptolocker is not a virus, spyware or even ransomware: Cryptolocker is the New Model [UPDATED]

[Screenshot: Cryptolocker splash screen]

[NOTE: Since I wrote this I have been getting calls from pretty much around the world, which is weird and funny and crazy, particularly considering the differences in time zones. I am prefacing my Cryptolocker experience with answers to the most commonly asked questions. Hope it helps. Again, I am not advocating paying the ransom. That is your decision. If you are compromised by Cryptolocker and you have files that are valuable/irreplaceable and you don’t have backups, you will have to make that choice.]

[ADDITIONAL NOTE: Time is of the essence. Do not put off to tomorrow what you can do today. This is not an exact science. Immediate response is of the utmost importance to ensure infected files have the highest likelihood of (reasonably) affordable recovery. DO NOT WAIT. ACT NOW.]

UPDATE #1: “How do I re-infect my computer with Cryptolocker?”
Link is a copy of Cryptolocker here. Warning: it works.

UPDATE #2: “What if I ran out of time and my files are still encrypted by Cryptolocker?”
You can gain some time back by changing the date in the BIOS.
If you don’t know how, google your computer make (HP, Dell, Acer, etc.), model (DV6, Inspiron 15, etc.), and the phrase “change date bios”. It should come right up.

UPDATE #3: “It won’t let me reinfect my computer.”
Turn off your antivirus and disable your antispyware. If you have Norton, use the Norton Removal Tool.

UPDATE #4 [3.27.2014]: If your antivirus/antispyware removed the CryptoLocker virus, and if you are tech-savvy, you no longer have to reinstall CryptoLocker. Instead, you may install Tor and use the CryptoLocker Decryption Service at f2d2v7soksbskekh.onion/. From there you upload an encrypted file and it searches for your public key. If that sounds tricky, get assistance before proceeding.

UPDATE #4.1 [3.27.2014]: Also, a recent computer security survey by the UK’s University of Kent found that 1 in 30 computers had been infected with CryptoLocker, with 40% of victims paying the ransom. If that ratio scales across the West, then CryptoLocker has already taken hundreds of millions of dollars. If one million people paid the ransom, that’s $300 million! In other words, ransom money comparable to a small nation’s GNP. And it’s still going on. So yeah, this is crazy.

UPDATE #5 [4.3.2014]: Over the past week it’s been busier with an updated Cryptolocker virus. The vector remains the same: a zip file from email. Rule #1: DO NOT OPEN ZIP FILES IF YOU HAVE ANY DOUBT. This is something every person in an organization should have explained to them. NO ZIP FILES. In any case, as ever, UK professionals are adamant about not paying the ransom. Noble, but wise? Or possible? When it’s your files, life changes.

UPDATE #5.1: This has to do with managing a Bitcoin transaction. In an unusual corporate setting, a key individual savvy/confident enough to manage Bitcoin transacted the 24-hr CL decrypt without any previous knowledge of Bitcoin (usually I reinstall the virus and use a Green Dot MoneyPak). However, afterwards he was spent. Why? Because getting Bitcoin is only remotely like any other sort of transaction ordinary people are used to. It’s actually mostly unlike any other type of ordinary transaction.

You should know: knowledge of Bitcoin is not easily attained. Neither is quick purchase/trade of Bitcoin. However, in order to make it happen, you have to 1) prove to the Bitcoin seller that your identity is legit, and 2) move smart and fast, because time is of the essence.

This is important: You will not have to meet in person, but you will have to convince a total stranger that you are not trying to scam them. (Being googleable, being from a legitimate company, and having an established business domain email address are all a good start, but by no means a guarantee.) If such steps are not easy to manage, bring in backup in the form of some trustworthy geek. In fact, as this is only the first of this new type of attack, it’s a good idea to acquire some Bitcoin preemptively, or at least find out who you know who knows Bitcoin well enough to pull off a transaction within a very short window of time. Most Bitcoin transactions take time. Time is not a commodity available to someone infected with Cryptolocker. (Yes, I know you can reset the clock in the BIOS. Works sometimes.)

UPDATE #5.2 [4.3.2014]: Cryptolocker now deletes shadow copies.
So: do not waste valuable time going after shadow copies if you are planning on paying the ransom/going the Bitcoin route.

UPDATE #6 [4.4.2014]: This is an excellent article on what to look for if your computer was infected by CL. I particularly like this list of vector emails which deliver Cryptolocker. Worth reading/showing employees, family, etc. These emails all share one thing in common: they all come with a download. So: do not download iffy email attachments. DO NOT OPEN A ZIP FILE IF YOU HAVE ANY QUESTION ABOUT IT:

  • USPS – Your package is available for pickup (Parcel 173145820507)
  • FW: Invoice <random number>
  • ADP payroll: Account Charge Alert
  • Important – attached form
  • FW: Last Month Remit
  • McAfee Always On Protection Reactivation
  • Scanned Image from a Xerox WorkCentre
  • Annual Form – Authorization to Use Privately Owned Vehicle on State Business
  • Fwd: IMG01041_6706015_m.zip
  • My resume
  • New Voicemail Message
  • Important – New Outlook Settings
  • Scan Data
  • New contract agreement.
  • Important Notice – Incoming Money Transfer
  • Notice of underreported income
  • Payment Overdue – Please respond
  • FW: Check copy
  • Payroll Invoice
  • USBANK
  • Symantec Endpoint Protection: Important System Update – requires immediate action
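One concrete way to act on the “no zip files” rule at a mail gateway or in a helpdesk triage script, as an added example (this is not from the original post and not CryptoLocker’s code): unpack the attachment in memory, flag members that are Windows executables, especially ones hiding behind a document-looking double extension such as `Invoice.pdf.exe`, and treat password-protected members as a finding rather than a pass, since they cannot be inspected. The sample ZIPs are constructed inline (a 64-byte stub carrying only the `MZ` signature, no real malware). The subject patterns are derived from the lure list above and are the weaker of the two checks, because subjects rotate while the attachment structure does not.

```python
"""Screen an e-mail ZIP attachment for the CryptoLocker lure: a Windows executable
dressed up as a document, e.g. "Invoice_2014.pdf.exe".  Example code added to this
page, not the blog author's and not CryptoLocker's; sample ZIPs are built in memory."""
from __future__ import annotations

import io
import re
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
MZ_MAGIC = b"MZ"  # every Windows PE file begins with this DOS header signature

# Subjects taken from the lure list above; a weak signal on its own, since lures rotate.
LURE_SUBJECT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^(fw|fwd):\s*invoice",
    r"package is available for pickup",
    r"account charge alert",
    r"scanned image from a xerox",
    r"new voicemail message",
    r"incoming money transfer",
    r"notice of underreported income",
    r"payment overdue",
    r"\.zip\s*$",  # the subject is itself a file name, e.g. "Fwd: IMG01041_6706015_m.zip"
)]


def is_lure_subject(subject: str) -> bool:
    return any(p.search(subject) for p in LURE_SUBJECT_PATTERNS)


def classify_member(name: str, head: bytes, encrypted: bool) -> list[str]:
    """Reasons a ZIP member looks dangerous; an empty list means nothing found."""
    reasons: list[str] = []
    if encrypted:
        # Password-protected members cannot be inspected; report that instead of
        # passing them (attackers add passwords precisely to defeat scanners).
        reasons.append("password-protected member, contents not inspectable")
        return reasons
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + part for part in base.split(".")[1:]]
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("document-looking double extension")
    if head.startswith(MZ_MAGIC):
        reasons.append("PE (MZ) header in content")
        if not exts or exts[-1] not in EXECUTABLE_EXTENSIONS:
            reasons.append("executable content behind a non-executable name")
    return reasons


def screen_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its reasons. {} means the ZIP passed."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0 = encrypted
            head = b""
            if not encrypted:
                with zf.open(info) as fh:
                    head = fh.read(len(MZ_MAGIC))
            reasons = classify_member(info.filename, head, encrypted)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample(members: dict[str, bytes]) -> bytes:
    """Constructed test data: a ZIP with the given members (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a fake 64-byte "PE" stub with only the MZ signature, the same
# stub renamed to look like a PDF, and a harmless text file.
LURE_ZIP = build_sample({"Invoice_173145820507.pdf.exe": MZ_MAGIC + b"\x00" * 62})
RENAMED_ZIP = build_sample({"scan_data.pdf": MZ_MAGIC + b"\x00" * 62})
CLEAN_ZIP = build_sample({"notes.txt": b"meeting notes, nothing to see"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("renamed", RENAMED_ZIP), ("clean", CLEAN_ZIP)):
        print(label, screen_zip(blob) or "clean")
    print("subject check:", is_lure_subject("FW: Invoice 48213"))
```

The content check matters more than the name check: Windows hides known extensions by default, so `Invoice.pdf.exe` displays as `Invoice.pdf` with whatever icon the executable carries, and a renamed executable passes any extension filter. Reading the first two bytes of each member catches both.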

Ok,
Ready to have your mind blown?

For the past 24 hours something has taken over a friend’s PC and encrypted all 11 years of business files. The friend unfortunately did not have any backup, and the thing that took over the computer deleted all earlier restore points on the PC (running Windows 7). Then a little virus, with a timer, popped up and announced all files were encrypted and could only be decrypted for $300. Furthermore, if the money was not paid within 95 hours the decryption key would be destroyed. Meaning all the files and data would be lost forever.*

And the thing called itself Cryptolocker. (See below.)

After an entire night of research with other experts and people who are a lot smarter than most of us, I learned Cryptolocker was genuine extortion. Meaning it delivered what it promised: if you paid, people and businesses reported, their files were released. Most chilling was the fact that two of the top architecture firms in NYC had been attacked. It encrypted every computer on their network (!) and the firms both lost one solid week of work (they backed up weekly). “Imagine,” it was reported, “how much money and how many human-hours this represents. Maybe in the tens of millions.”

With that in mind, our next step then was bold: We paid the $300 ransom.

Unbelievably, the program actually did what it promised. The files were decrypted. We recovered the files. All of them.

At this time, I just have three things to say. The last is the most important.

  • First, update your Windows** antivirus, antispyware, and Java.
  • Second, do not open any attachments that come as .zip files. I have asked my wife at this time to not open any mail attachments at all. None.
  • Lastly, and most important, back up your files and data to an external hard drive or an offsite location. I do both: backing up to external hard drives (available at OfficeMax etc.) and using Gillware exclusively for my off-site backups.

As you know, I have been hands-on with computers since 1979. Cryptolocker is unlike any attack I have ever seen. So you know, it is not the “FBI has taken control of your computer” virus. Everyone asks that. It is not that.

Now I am talking with Congressman Joe Garcia’s office, and the FBI has bumped me up to the next level. My guess is Cryptolocker will be front page news within the month, if not the week.

I will tell you more as I have more. One thing: if you get Cryptolocker, do NOT erase it off your computer. (If you have another IT person, they may call me.) You will need it to get your files back. In fact, after being deleted the virus leaves a message on the desktop explaining as much.

[Screenshot: Cryptolocker ransom screen]

When people say, “Watch out for the Cryptolocker virus,” they are confused. It is more than a virus. It is a brilliantly executed act of high-tech extortion using tools that are outside of the ordinary computer user’s hands. This is science fiction. This is the new model. And as of two days ago, it is reality.

Heads up. Call if you need to, back up your files today. And you may want to buy a Mac.**
Mike Mongo
305-304-1555

* Please note the encryption is asymmetric (public-key) encryption used in a hybrid scheme. The copy of the malware on the PC carries only the public half of an RSA key pair generated for that victim; the matching private key exists only on the Cryptolocker server. Each file is encrypted with its own symmetric key, and that key is in turn encrypted with the victim’s RSA public key and stored with the file. Publicly analysed samples used RSA-2048 (not 1024-bit) for the key pair and AES-256 for the file contents. With keys of that size, brute force is not a realistic option, and because the private key never touches the victim’s computer, removing the virus only leaves behind encrypted, unusable files; it does not remove the encryption.

** Macs are safe, as are iPhones, tablets, and Android devices, in the sense that the Cryptolocker program itself only runs on Windows. One caveat: an infected Windows PC encrypts every file it can reach, including files on mapped network drives and shared folders (which is how “every computer on their network” and “all of the shared drives” below got hit). A shared drive is protected not by the kind of machine that hosts it, but by whether an infected Windows machine can write to it.
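To make the first footnote concrete, here is a miniature model of that key arrangement as an added example (it is not CryptoLocker’s code and not from the original post). The server generates the RSA pair and keeps the private half; the infected machine holds only the public key, a fresh symmetric key per file wrapped with that public key, and the ciphertext. Assumptions for the toy: textbook RSA without padding on two fixed Mersenne primes (n is about 2^92, so it runs instantly) with 64-bit per-file keys, and a SHA-256 counter keystream standing in for AES-256, which the Python standard library lacks. The structure, not the parameters, is the point: nothing written to the victim’s disk can produce `d`.

```python
"""Why removing CryptoLocker does not recover the files: a stripped-down model of
its hybrid encryption.  Added example, not CryptoLocker's code.  The attacker's
server owns the RSA private key; the infected machine only ever holds the public
key, per-file symmetric keys wrapped with that public key, and ciphertext.

Toy parameters (assumptions, not the real malware's): textbook RSA without padding
on two fixed Mersenne primes, 64-bit per-file keys, and a SHA-256 counter-mode
keystream in place of AES.  Real CryptoLocker used RSA-2048 and AES-256."""
import hashlib
import os

# --- attacker's server: generates the pair and keeps the private half ---------
P = 2**31 - 1   # small Mersenne primes so the toy runs instantly;
Q = 2**61 - 1   # a real key uses two ~1024-bit primes
E = 65537


def server_generate_keypair():
    """Return (public_key, private_key).  Only public_key is ever sent to the victim."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)            # modular inverse of E (Python 3.8+)
    return (n, E), (n, d)


# --- symmetric layer: SHA-256 counter keystream XOR (stand-in for AES-256) ----
def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` by XORing it with SHA-256(key || counter) blocks."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


# --- infected machine: only the public key is present ------------------------
def victim_encrypt_file(public_key, plaintext: bytes):
    """Per-file key, wrapped with RSA; the raw key is discarded immediately."""
    n, e = public_key
    file_key = os.urandom(8)                                # 64-bit toy key, < n
    ciphertext = keystream_xor(file_key, plaintext)
    wrapped_key = pow(int.from_bytes(file_key, "big"), e, n)
    return wrapped_key, ciphertext      # the only two things that reach the disk


# --- decryption needs d, which exists only on the attacker's server ----------
def server_unwrap_key(private_key, wrapped_key: int) -> bytes:
    n, d = private_key
    return pow(wrapped_key, d, n).to_bytes(8, "big")


def decrypt_file(file_key: bytes, ciphertext: bytes) -> bytes:
    return keystream_xor(file_key, ciphertext)   # the XOR stream is its own inverse


def demo():
    """Round trip: returns (original, ciphertext, recovered) for inspection."""
    public_key, private_key = server_generate_keypair()
    original = b"11 years of business files, in miniature"
    wrapped, ciphertext = victim_encrypt_file(public_key, original)
    # Deleting the malware removes public_key from the disk; it does not create
    # private_key there.  Recovery goes through the server, or not at all.
    recovered = decrypt_file(server_unwrap_key(private_key, wrapped), ciphertext)
    return original, ciphertext, recovered


if __name__ == "__main__":
    original, ciphertext, recovered = demo()
    print("ciphertext:", ciphertext.hex())
    print("recovered :", recovered.decode())
```

Scale `P` and `Q` up to 1024-bit primes, swap the keystream for AES-256, and this is the real arrangement: the victim’s disk holds `public_key`, the wrapped keys and the ciphertext, none of which yields `d`, and the only shortcut is the attacker handing over the private key, which is what the $300 buys.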

UPDATE: We paid the $300. There was a 2-hour wait, then decryption started. It took 8-hours all-in-all, and 14,400+ files were decrypted. It worked. All the files were decrypted.

[Screenshot: Cryptolocker decryption in progress]

The PC has now been backed up, doubly reinforced, and my friend is presently actively switching to Mac.

But the most noteworthy thing: It worked. This was extortion, plain and simple, and it worked. And my friend, her entire staff and I were overjoyed. Classic Stockholm Syndrome responses. However, the other option was terrible. My question is: what are the attackers using the money for? It’s all too well-conceived to be ordinary. The conversation with the FBI continues. Stay tuned.


About Mike Mongo

"My name is Mike Mongo and I am an astronaut teacher. Also: author & space STEM educator. While I travel frequently, I live on the island of Key West in the Florida Caribbean. My primary occupation has me working with students and encouraging students to pursue careers in space and astronautics. Much of my time is spent writing, teaching and learning about space and space travel. Of all the things I love doing being an astronaut teacher is certainly my favorite and most fulfilling."

12 Responses to Cryptolocker is not a virus, spyware or even ransomware: Cryptolocker is the New Model [UPDATED]

  1. Flavio Gonzalez says:

    I was hit, but I had a backup of the server. Is the FBI doing something about this crime?… Should I report it?

  2. Mike Mongo says:

    That is not my recommendation. That is a business decision. If you have proper backups then you are good.

  3. Marcinho says:

    Excellent post! Thank you!

  4. Brianna says:

    Hi, my work computer was infected and all of the shared drives were encrypted. We are currently waiting to get our ransom money cashed so we can get access to our files. However, I noticed you said iPhones are not affected, but my iPhone all of a sudden has had spammy notifications in place of my actual notifications for mail and Twitter. It was hooked up to the computer, so the opportunity was there. Can we get research behind this?

  5. Brianna says:

    Any other explanation for the change? My Twitter notifications are “@1#$%” or something to that effect and my mail notifications are different as well, display as NEWMAIL_NOTIFY

  6. Jason says:

    What is the password to sample2.zip?

  7. Max Meier says:

    The above password “infected” does not work; can you provide me the new archive password? Thank you!
