The Cruel Crypto Game; How to Beat CryptoLocker Ransomware

Oct 5, 2015 02:58 PM
Oct 6, 2015 11:05 AM
635794766462428330.jpg

It always looks different when it's not about you.

The Internet is our world's Alterego. Those many bits don't really make sense unless we want them to be valuable, to mean something.

Our rush to the future is too fast to keep up with. Denying technology is ignorance, isolate from it is impossible, it surrounds us, it is human.

As such, computers are designed to be like people, like everything we design is. It's not what it is, but how it is: personal computers may save help you, damage you, save your life or put it in danger, like you do.

At the end, it is all just memory.

The Call

Eleven in the morning, summer. Just got back from the daily routine around the city, almost done parking, computer job awaits me, I have like twenty post-its. Garage is closed. Yes, everything is in place in my bag, I'm rushing upstairs.

Sudden call.

It's from a close friend I worked with many times. Nobody's around at the office. They got a virus, I got a simple case of malware removal, easy deal.

Wait.

Strange scripts? Encrypted files?

No, this time is different. I've heard this before, on the infosec news.

635794695370795234.jpg

It's a ransomware, not the kindest one. Computer job can wait.

Bag is fine, garage is closed, here we go again.

Cold Case

I'm late.

As soon as I enter the offices, I'm shown the supposed infected computer. It's been down for quite some time now, but the ethernet cable is still sneaking on the ground, unplugged. Someone else noticed this before, but didn't say anything to the manager? Sure, it was somebody that knows how to deal with it, thankfully not many around, should be easy to identify.

The stories employees tell are a total mess. Nobody wants to admit his state of unaware modern internet user. They don't know me, and I'm out of their environment, I need a better plan.

Context

So far, this is all I know about this situation:

-I can't wait to run Linux;

-A ransomware infected an unity of the local network and was able to encrypt most of the files on the disk. The system files remained untouched, as expected;

-At least two people should know what happened, unless the miserable victim is the same person who unplugged the computer from the local area network and killed the harmed system in a clumsy attempt of hiding his sins. Farfetched, sed errare humanum est.

-I really want to fire Linux;

635794696671889225.jpg

Investigating the employees, I can figure out the surroundings a little better:

-The frenetic movements around this computer date back of a whole day. If so, in case the ransomware tried to pipe trough the entire one classed network and succeeded, black plague. I should just burn everything down, in that case.

-The network has a Dropbox sharing system that links all the users. The employees use it to be always updated about the business of the industry, work files. They share some folders on every account. The synchronised files are stored both locally and on the cloud space offered.

-Other computers look infected as well, however a closer look reveals that only Dropbox shared folders are corrupted, not all of them, only three very big folders. Maybe I'm not too late after all.

-However, the main Server, the one running the web server, the mail server and other things that the boss won't be happy to shutdown, has other corrupted folders, different from the Dropbox ones. And Windows is still running.

The mystery deepens.

635795411859190989.jpg

Recon

The network has six main computers:

-One computer has no infected files, since it is the one that nobody turned on since more than one day. But I am addicted to scans.

-The Server has Dropbox corrupted folders with encrypted files and some others that I am told are only shared with one computer, not the one infected. Unexplained.

-The infected computer has folders of any kind randomly corrupted here and there, it's just a big mess. There probably is no hope for them. Fortunately, this is a secondary computer, leftover of an incompetent past employee. Malware addicted and negligent, might be the cause of what happened. The computer might be part of a botnet, but it's just speculation. If it did, the whole network might have been infected.

-Other three computers have just the shared Dropbox folders corrupted. They can all access the folders they share with the Server, but they don't show up on a fast attempt to map the corrupted files. Better to keep them silent until I figure this out completely.

635794695802670427.jpg

In every completely encrypted folder, there is a .txt file reporting the way you can get back your files, along with the code of a not so eye candy local web page to show in the browser when the encryption is completed, filled with red and caps locked sentences. A simplistic way to freak the victim out of his mind and inhibit him. To make him look stupid in front of the people he trusts.

I finally realize that the name I've been chasing so long is "CryptoLocker", one I've heard many times before. In case it wasn't clear enough, things start to sound very bad. A fast research on the internet seems to give no hope. We are not going to get those files back easily. Shadow copies have been deleted.

My friends starts to browse the internet in search of a solution, a way to decrypt the files, confidently. It's too hard to tell him to stop.

We are obviously not going to pay the ransom, ever.

Firing up Linux, so that the Windows executable of the ransmoware doesn't run, I list all the corrupted files on every system and give a look at them. They all end with the extension ".encrypted". Too easy:

sudo find / -name "*.ecnrypted"

Surprisingly, I couldn't find evidence of the ransomware still being around.

The IT Guy

I manage to speak with the IT guy who has been incriminated of lowering the system defences for a brief period of time to test things out.

635795414651222015.jpg

Hold on, this doesn't make much sense since somebody must have opened an executable imprudently or something, of course, the ransomware doesn't force the door, it's a trojan. The employee blaming the IT guy is suspicious, he doesn't look convincing enough to gain all my trust, in other situations I would laugh at his words.

But hey, he was employed because he knows how to do his job. Just keep him away from a computer, until the cyber hero comes to rescue us all.

Turns out, some mistakes were made, some actions were taken to temporary stop the emergency.

The Final Picture

The untrusted man did in fact cause the problem.

The day before, at some point in time ranging from eleven and twelve in the morning, he calls the IT guy saying all the files suddenly became "white" on the Desktop, because of the on going encryption, so the expert first rapidly unplugged the computer from the network to let the employee continue his job, then shut the computer down when he realised bad things kept happening,

The Dropbox folders were encrypted first, while other folders under C were being corrupted meanwhile.

Dropbox started to synchronise everything, while too many people didn't care about the hundreds of files being updated on their accounts. Again, human error. Again, nobody saw anything. Again, "not my fault".

635794698313295733.jpg

An option was spelled wrong in the sharing settings of the corrupted shared folder on the Server, so that every computer of the network could access it instead of only the chosen user, thus CryptoLocker.

The IT guy then tried to use some software to remove the malware, I was told Microsoft Security Essential but at this point I'm just nodding at anything people say, and somehow actually did it.

The CryptoLocker Ransomware

CryptoLocker is part of the ransomware family, malware pieces that steal your files by encrypting them and force you to pay a ransom to be able to decrypt them.

Generally, this trojan enters a computer via Social Engineering. That's what is so horrible about it, it makes you trust it, and as a consequence, question your sense of trust. Usual Null Byte users know what all of it means and would probably get on with it, but as shown in our case, people feel stupid to admit they fell for that, even though it is comprehensible, and, after all, forgivable.

635795422987730982.jpg

This malware is generally spread trough email attachments or deployed by bots if your system has already been compromised and is part of a botnet. Most of the times the email looks as legit instructions from managers or clients. Since Windows by default was made easy, you can hide the fact that the pdf in the attached ZIP is actually an executable file by adding .pdf before .exe, which is not going to be shown. As easy as Windows.

Roughly half the population of the internet probably didn't get a single sentence. How can you defend from a threat you can't even understand?

Symantec says that around three percent of the users hit by CryptoLocker decide to pay. The payment is a loss, nobody would like to pay to have their files back, but some just had to, just wanted to get back to their normal life. The transaction is bad organized, trough unstable systems, and obviously many users never saw their files coming back.

Some did, since these robbers must be honest, so that more people are encouraged to pay. Mercy.

635794740065112812.jpg

In each encrypted folder there is a text file explaining how to pay trough Bitcoin the organization behind this. So far, I think it's pretty clear that you should never pay them, or this will never stop. Like any other crime.

For the more curious and techy users: CryptoLocker places itself usually under "Users" or "Documents and Settings", but it keeps changing. It is a Windows ransomware; that doesn't mean you are safe out of it anyway, but here we are all going to tell you that Linux is a better choice in terms of security, always. If you'd like to focus on security in your environment, you should consider Linux as a priority, perimetrical defense comes later.

Once set-up, the malware adds a key to the registry so that it can start automatically. It then tries to connect to its servers, and when it does the responding server generates a 2048 bit RSA key and sends the public key to the infected computer. If you heard this before, you know you can't really deal with it. If you don't pay, the private key, the one that is able to decrypt your files, gets deleted. Brute force impossible for the amount of time required, with current technology. In case we could, ransomware or crypto related crimes might still move to even harder algorithms somehow, like Lattice based ones.

635794727145639025.jpg

Mitigation is working, but not solving the problem. There are countless ways to prevent all of this, from backups to advanced purposes antiviruses, you can find them online. In our case, the company's devices weren't really on the bleeding edge of security for sure, but the problem is that this malware keeps evolving and transforming every day. And it's not alone.

That's why we must focus on security awareness first, and then on perimetrical security.

Making internet users aware of the dangers is the first step. I'm sure such a movement might even reduce the number of incidents of a half.

Safe Play

This time, it ends with back pats.

Turns, out, the IT guy, an active system administrator with some years of experience, just employed my friend, had recently setup a system which backs up the entire server every night, and keeps the records for three consecutive nights. On top of that, it holds weekly backups that date back to four weeks. We were able to replace the corrupted files in the shared folder in no time.

I am not going to quote the backup service, one of those long lasting projects, but there are so many out there that give you the opportunity to backup even on cloud that it's useless to start listing them, since this would determine your choice, while you need the service that most fits your needs.

For dropbox, it was a little more complicated. Fortunately, Dropbox keeps record of every deleted file (or, in this case, deleted and then created with a different name ending with .encrypted, because this it the sequence in which CryptoLocker operates), and these copies can be restored with a click on the web site version.

635794734269325179.jpg

However, it's not easy to restore hundreds of files one by one, so I managed to tweak the Dropbox Java API to work with deleted files and restore them automatically to the version previous the current one. It was a lot of fun, you can find my fork of the Dropbox Java API and a sample application on Github.

The new measures taken to safe up the system even more were to switch between two hard disks every week, so that if one gets destroyed or stolen, you still have the other one, and to hide it from plain sight anyway. Just in case prevention was not going to win the game for once.

The attacked computer, filled with random data, was dismounted because old and slow. The IT guy provided to buy the best computer he could find at the local store. He's now asking for the purchase of a trusted and up to date antivirus, and teaching employees how you browse the web and your mail inbox.

He told the victim that the malware came from an employee working far away, that shares the folder too. They started laughing and joking about it like friends would do. He knew. I knew. I finally smiled.

Conclusion

The more you try, the luckier you get.

This time. we were lucky, but not everyone is.

I've seen a lot of people confused by what hacking and informational security really mean. We are never right, we just try to. We are not trying to show how cool we are, that's not our point, never that.

It doesn't help you when a mother tells you all of the photos of her recently lost daughter were corrupted because of a cold black minded human somewhere else in the globe decided to be the proxied coward who would load her sorrow raising money for whatever reason ranging from weapons to drugs.

CryptoLocker may die, but malware has always been among people.

635795428211646658.jpg

We got to the point where internet is a deus ex machina, where fast scrolling your friends list on your conveniently designed smartphone is a simple action, while thousands logic blocks are being updated every millisecond, so that lag doesn't hurt your eyes, doesn't make you think it is just a machine.

Sometimes, it's just as easy as unplugging the battery and rubbing your eyes, focusing on the shape of things around you.

Side Note

I'd like to point out that the inspiration for this post came from a bunch of recent life experiences I had; some contributed to the atmosphere of it, some inspired the thoughts, some for the story itself, which is in fact based on reality.

I never refer to any Null Byte user in the post, never, hope nobody even barely thought I did. New comers interested in informational security will always be treated as welcome by the entire community and me. It's just about people I meet everyday in my life and their attitude, what they do, think, say.

The first pictures come from the game The Stanley Parable, a social experiment game about choices, where you can choose to follow the path of the narrator of deviate from the main story.

To the users of Null Byte:

I'm finally able once again to contribute to the community with content. I will probably start publishing more often, how-tos and guides. As always, I'd like to thank all of you who support me, especially the 43 33 guys, you are the best.

Oh, and Hi, new comers! The community is encouraging more and more people to join. I hope you will all enjoy the stay here.

I hope you liked this little read and also found some interesting points about which I would like to know your opinion, Null Byters!

The Final Mystery

All the files found with the "find" command were last modified a day before my visit, except for just one: the last file in the output (that's why I noticed it), an encrypted file, had his last modification date back to two months before.

Output error? Memory corruption? Botnet?

Comments

No Comments Exist

Be the first, drop a comment!