Ransomware: Cryptolocker

Paper submitted for my Master’s in Cybersecurity and Computer Forensics at Utica College, 2014.

Introduction

CryptoLocker is a virus known as “ransomware.” CryptoLocker is a scheme to trick people into opening an attachment in a seemingly trustworthy message and executing the Trojan that encrypts data on the victim’s hard drive and connected drives. CryptoLocker then offers to unlock the data for a fee—around $400. There are methods to prevent it from running, but the social engineering is so good that many people are duped. The thieves have collected millions of dollars, and variants and copycats abound.

Cryptolocker

CryptoLocker was detected in September 2013, but has its origins in the 1970s, when the term “Trojan horse” was first used by ARPA’s D.J. Edwards, in describing trapdoor attacks in early computers (Anderson, 1972). Dr. Joseph Popp developed the first ransomware in 1989, to—he claimed—collect money for AIDS research. PC Cyborg (aka AIDS Trojan) was an early form of ransomware that encrypted files on a PC’s C: drive and demanded $189 to unlock the files. The Trojan replaced the autoexec.bat file and counted boots until reaching 90, when it hid and encrypted directories. The attack vector was a floppy disk containing “AIDS Information Introductory Diskette” (Longstaff, 1989).

Because it used symmetric encryption, it was easy for experts to analyze the encryption tables and reverse the effects (Kassner, 2010). In 1996, Columbia University researchers Moti Yung and Adam Young were able to reverse the Trojan by using public key decryption. Since then, extortionists have tried other ransomware with little success. The AIDS Trojan, CryZip, and Arhvirus are examples of failed attempts.

CryptoLocker uses social engineering to gain access to a victim’s computer. It currently affects only Windows systems, although there are rumors of a Mac version. It infects not only a single computer but also networked drives and portable drives. The victim receives an email purporting to be from DHL, UPS or some other well-known company. The email concerns a shipment or payment and provides an attachment for the victim to review; opening it unleashes the Trojan. By hiding the real extension (.exe), the attacker leads the victim to believe the attachment is a PDF. Once inside, it targets a range of file types, such as .odt, .docx, .jpg, and others. It then encrypts the files using a public key and displays a warning screen claiming the victim has 72 hours to pay—in Bitcoins or MoneyPak—to receive the decryption key, or all files are lost (“Cryptolocker,” 2013).
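As an added illustration of the file-targeting behaviour just described, here is a defender-side detection heuristic. This is example code written for this page; it is not part of the paper and not CryptoLocker’s own code. It flags a burst of file rewrites in which the targeted document types (.odt, .docx, .jpg) lose their normal format header and come back as near-random bytes, which is what a directory looks like after it has been encrypted in place. The write events, paths and thresholds are constructed for the example; a real deployment would take the events from file-system auditing.

```python
import math
import os
from collections import Counter

# File types the paper lists as CryptoLocker targets, with the magic bytes a
# healthy file of that type starts with (.odt and .docx are zip containers).
EXPECTED_MAGIC = {
    ".odt": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext (and compressed data) sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, content: bytes, entropy_floor: float = 7.5) -> bool:
    """A targeted file whose new content has lost its format header and is
    near-random is the signature of having been overwritten with ciphertext.
    Checking the header first avoids flagging JPEGs, which are high-entropy
    even when healthy."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in EXPECTED_MAGIC or content.startswith(EXPECTED_MAGIC[ext]):
        return False
    return shannon_entropy(content) >= entropy_floor


def detect_mass_encryption(events, window_seconds=60, threshold=5):
    """events: iterable of (timestamp_seconds, path, new_content) write events.
    Returns the sorted paths that fell inside any window of `window_seconds`
    containing at least `threshold` encrypted-looking rewrites."""
    suspicious = sorted((ts, path) for ts, path, content in events
                        if looks_encrypted(path, content))
    flagged = set()
    start = 0
    for end, (ts, _) in enumerate(suspicious):
        # Slide the window start forward until it fits within window_seconds.
        while ts - suspicious[start][0] > window_seconds:
            start += 1
        if end - start + 1 >= threshold:
            flagged.update(p for _, p in suspicious[start:end + 1])
    return sorted(flagged)


# Constructed sample write events (not real telemetry). CIPHERTEXT_LIKE has
# every byte value equally often, so its entropy is exactly 8.0 bits/byte.
CIPHERTEXT_LIKE = bytes(range(256)) * 4
SAMPLE_EVENTS = [
    (0, r"C:\Users\alice\Documents\report.docx", b"PK\x03\x04" + b"word/document.xml" * 20),
    (1, r"C:\Users\alice\Pictures\photo.jpg", b"\xff\xd8\xff" + CIPHERTEXT_LIKE),
] + [
    (2 + i, rf"\\fileserver\shared\invoice_{i}.docx", CIPHERTEXT_LIKE) for i in range(6)
] + [
    (400, r"C:\Users\alice\Documents\old.odt", CIPHERTEXT_LIKE),  # isolated, no burst
]

if __name__ == "__main__":
    for path in detect_mass_encryption(SAMPLE_EVENTS):
        print("mass-encryption alert:", path)
```

Entropy alone is a poor signal, because photos and zip-based office documents are already close to 8 bits per byte; the header check is what separates a healthy JPEG from a JPEG that has been replaced with ciphertext. The sliding window then distinguishes one odd rewrite from the hundreds-per-minute pattern of a drive being encrypted.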

CryptoLocker hits individuals, corporations, and even police departments. In November 2013, the Swansea, Massachusetts police department was hit by CryptoLocker when an employee opened a CryptoLocker email. The department took heat after it gave in to the criminals’ demands and paid $750 in Bitcoin to get its data decrypted (“Cryptolocker Strikes Again,” n.d.). In one week alone, CryptoLocker infected more than 12,000 computers—most in the United States. The criminals avoid detection by moving the virus to different servers, some of which have been identified in Germany, Kazakhstan, Russia and Ukraine (Neal, 2013). It is obvious, after reading the splash screens and email messages, that the criminals are not American. The language is so fractured that it could have been generated with a basic translation system. It is interesting to note that currency figures in the emails are written as 00,0. The comma used to separate the whole number from the fraction is common in Eastern Europe, such as Russia, Slovenia, etc., but a period (full stop) is used for euros as it is with US dollars (“theFinancials.com,” n.d.).

At present, there is not much that can be done. Many people report that they paid the ransom and received the decryption key; however, many others report that they paid and received nothing. It is estimated that the thieves are clearing $5-$30 million a year (Goodin, 2013). The most logical ways to avoid becoming a victim are to back up data regularly, so that, if infected, data can be restored, and, of course, not to open a suspicious email and blithely download the attachment without being 100% certain it is legitimate. Another method is to use a service, such as Ceryx, that has a more robust system for analyzing email before delivering it to recipients (Abrams, 2013).

Although email is the most popular attack vector, a new variant has been spreading through Yahoo Messenger with an image named YOURS.jpg.exe (“New CryptoLocker Ransomware Variant Spread Through Yahoo Messenger,” n.d.). Additionally, CryptoLocker is delivered by exploit kits on hacked websites, usually placed inside an advertisement and masquerading as a video program, a technique typically used on porn sites (Binder, n.d.).
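The hidden-extension lure described earlier (a .exe shown as a PDF), the YOURS.jpg.exe variant above, and the idea of screening email before delivery can all be illustrated with one attachment check. The following is example code added for this page; it is not from the paper and does not represent how Ceryx or any other service actually works. The extension lists, the sample attachment names and their contents are constructed for the example.

```python
import os

# Extensions Windows will execute when double-clicked (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Benign-looking extensions that a lure name puts in front of the real one.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".odt", ".jpg", ".png", ".zip"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable


def screen_attachment(filename: str, content: bytes) -> list:
    """Return the reasons an attachment should be quarantined (empty list = nothing found).
    Checks the extension Windows will actually execute, the extension the user
    sees when known extensions are hidden, and whether the bytes match what the
    visible extension promises."""
    findings = []
    name = filename.strip().lower()
    base, last_ext = os.path.splitext(name)   # "lure.pdf.exe" -> ("lure.pdf", ".exe")
    _, inner_ext = os.path.splitext(base)     # "lure.pdf"     -> ("lure", ".pdf")
    if last_ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable attachment ({last_ext})")
        if inner_ext in DOCUMENT_EXTENSIONS:
            findings.append(
                f"double extension: shown as {inner_ext} when Windows hides known extensions")
    elif content.startswith(PE_MAGIC):
        # A renamed executable: the name claims a document, the bytes say otherwise.
        findings.append(
            f"content is a Windows executable (MZ header) but the name claims {last_ext or 'no extension'}")
    return findings


# Constructed sample attachments modelled on the lures the paper describes.
SAMPLE_ATTACHMENTS = {
    "DHL_Shipment_Notice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "YOURS.jpg.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "remittance.pdf": b"MZ\x90\x00" + b"\x00" * 60,          # executable renamed to .pdf
    "UPS_Invoice_44121.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",  # genuine PDF header
}


def screen_all(attachments: dict) -> dict:
    """Map each attachment name to its findings; a filtering gateway would
    quarantine anything with a non-empty list."""
    return {name: screen_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, reasons in screen_all(SAMPLE_ATTACHMENTS).items():
        print(name, "->", "; ".join(reasons) or "clean")
```

The point of checking both the name and the first bytes is that each check covers a trick the other misses: the double-extension test catches the lure even if the file has not been fully downloaded yet, and the MZ-header test catches an executable that has simply been renamed to .pdf, which no extension rule would flag.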

CryptoLocker has been an effective ransom tool and has been in service for more than six months without any arrests. With the millions of dollars the thieves have made, it would be logical to conclude that they will be winding down to avoid getting caught. The bigger threat is from copycats. With any kind of malware, there are always those who want to emulate their “heroes.” In December 2013, CryptoLocker 2.0 was discovered. It was not an updated version of CryptoLocker but a knockoff. Security experts were able to see the differences in how the viruses were built: CryptoLocker 2.0 was written in C#, whereas the original was written in C++. The copycat also infects music files, whereas the original was more “business-oriented” (Lipovsky, 2013).

Conclusion

Any new technology that proves successful will surely last for a long time, be copied by many, improved upon and adapted to new uses we cannot even think of yet. However, there are technologies that should heed the warnings of CryptoLocker. The Internet of Things is fast becoming a reality, but like the Internet, it is developing quickly with little thought to security. It would behoove manufacturers to think about securing their “things” before releasing them, or the next criminal holding your company for ransom could be the office coffeepot. A more immediate threat is the coming attack on mobile devices, with Android devices predicted to be the first to be hit.

As connections are made between humans and hardware and software, the threat will increase greatly. Once the stuff of science fiction, it is now within the realm of possibility that people themselves can be hacked and held for ransom. It would be a convenient method for kidnappers: instead of climbing through a bedroom window and snatching the Senator’s kid, simply hack into her biotech and disrupt it unless payment is made electronically. CryptoLocker is a nasty virus now, but it will morph and be copied in ways that will affect entire infrastructures, human-mechanical hybrids, objects, houses, and even space exploration. The future is bright, but there are already storm clouds on the horizon.

 

Cryptolocker: Ransomware That Works

Jeffrey P. Macharyas

Utica College

CYB 610-Cyber Intelligence

March 28, 2014

 

References

Abrams, L. (2013, December 20). CryptoLocker Ransomware Information Guide and FAQ. BleepingComputer. Retrieved from http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
Anderson, J. (1972). Computer Security Technology Planning Study, Vol. II (p. 16). Ft. Washington, PA: HQ Electronic Systems Division (AFSC). Retrieved from http://csrc.nist.gov/publications/history/ande72.pdf
Binder, J. (n.d.). Cryptolocker Encrypted Trojan. Gooroo Technical Services. Retrieved from http://www.gooroo.com.au/cryptolocker-encrypted-trojan/
Cryptolocker Strikes Again: U.S. Police Department Pays Ransomware to Decrypt Important Files. (n.d.). Egltech. Retrieved from http://egltech.net/cryptolocker-strikes-again-u-s-police-department-pays-ransomware-to-decrypt-important-files/
Cryptolocker: How to avoid getting infected and what to do if you are. (2013, October 25). Computerworld. Retrieved from http://www.computerworld.com/s/article/9243537/Cryptolocker_How_to_avoid_getting_infected_and_what_to_do_if_you_are_?pageNumber=1
Goodin, D. (2013, October 17). You’re infected—if you want to see your data again, pay us $300 in Bitcoins. Ars Technica. Retrieved from http://arstechnica.com/security/2013/10/youre-infected-if-you-want-to-see-your-data-again-pay-us-300-in-bitcoins/
Kassner, M. (2010, January 11). Ransomware: Extortion via the Internet. TechRepublic. Retrieved from http://www.techrepublic.com/blog/it-security/ransomware-extortion-via-the-internet/2976/
Lipovsky, R. (2013, December 19). Cryptolocker 2.0 – new version, or copycat? We Live Security. Retrieved from http://www.welivesecurity.com/2013/12/19/cryptolocker-2-0-new-version-or-copycat/
Longstaff, T. (1989, December 19). Information About the PC Cyborg (AIDS) Trojan Horse. SecurityFocus. Retrieved from http://www.securityfocus.com/advisories/700
Neal, R. W. (2013, November 16). CryptoLocker Infects 12,000 Computers In One Week. International Business Times. Retrieved from http://www.ibtimes.com/cryptolocker-virus-infects-12000-computers-one-week-how-hackers-are-avoiding-detection-1473046
New CryptoLocker Ransomware Variant Spread Through Yahoo Messenger. (n.d.). The State of Security. Retrieved from http://www.tripwire.com/state-of-security/vulnerability-management/new-cryptolocker-variant-spread-yahoo-messenger/
Ransomware Attacks to Target Mobile Devices: RSA. (n.d.). CIO India. Retrieved from http://www.cio.in/topstory/ransomware-attacks-to-target-mobile-devices%2C-warns-rsa
theFinancials.com. (n.d.). Retrieved from http://www.theFinancials.com