CryptoLocker industry: techniques, threats, realities, solutions and stakes.
In our fully digital world, few things are as nasty as seeing your valuable files, dossiers, videos, photos and backups become inaccessible, unavailable or impossible to decrypt.
As security threats and cyberattacks grow more sophisticated and more widespread, this reality becomes more and more aggressive.
Ransomware is a particularly nasty class of malware that takes infected machines hostage.
In this context, CryptoLocker continues to successfully infect large numbers of computers and devices.
For those unfamiliar with it, Connectikpeople.co, soon #Retinknow®, recalls that CryptoLocker encrypts the files on the computers it infects and then demands a ransom for the private key needed to decrypt those files.
Fox-IT and FireEye have obtained many of the private keys associated with CryptoLocker and, among other things, help us understand the way CryptoLocker works:
1. CryptoLocker arrives on a victim's machine through a variety of techniques, such as spear-phishing emails or watering-hole attacks.
2. CryptoLocker then connects to a randomly generated domain (produced by a domain generation algorithm, DGA) to download a specific RSA public key.
3. At that point, a separate AES-256 key is created for each file on the system.
4. CryptoLocker then encrypts each supported file with the key generated for it in step 3.
5. Each generated key is then encrypted with the RSA public key downloaded in step 2.
6. Finally, the encrypted AES key is written to the beginning of the encrypted file, so the RSA private key is required to decrypt it.
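The hybrid scheme in steps 3 to 6 is what makes the private key the only recovery path, and it is also what a recovery tool's "find" and "key" functions have to work with. The Go program below is an added example, not code from the original post, from FireEye or from Fox-IT: it models the scheme in memory with a fresh random AES-256-GCM key per file, wraps that key with RSA-OAEP and stores it ahead of the ciphertext, then shows that the content comes back only with the matching private key and that a tampered blob is rejected. The MODEL-HYBRID-v1 marker, the function names and the blob layout are constructed for this illustration and are not CryptoLocker's real on-disk format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed marker so a scanner (the "--find" idea) can recognise the model
// layout. CryptoLocker's real header differs; this is only for illustration.
const marker = "MODEL-HYBRID-v1"

// sealWithPublicKey models steps 3 to 6 in memory for a single file:
// layout is marker | RSA-OAEP wrapped file key (pub.Size() bytes) | GCM nonce | ciphertext+tag.
func sealWithPublicKey(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32) // step 3: one random AES-256 key for this file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := aead.Seal(nil, nonce, plaintext, nil) // step 4
	// step 5: only the holder of the matching private key can unwrap fileKey
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	out := append([]byte(marker), wrapped...) // step 6: wrapped key leads the file
	out = append(out, nonce...)
	return append(out, ciphertext...), nil
}

// looksSealed is the check behind a "--find"-style scan: does the blob carry the header?
func looksSealed(blob []byte) bool {
	return bytes.HasPrefix(blob, []byte(marker))
}

// recoverWithPrivateKey is the "--key" side: unwrap the per-file AES key with the
// RSA private key, then decrypt. A wrong private key fails at the OAEP step and a
// modified ciphertext fails the GCM tag check, so nothing is silently corrupted.
func recoverWithPrivateKey(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if !looksSealed(blob) {
		return nil, errors.New("not in the model format")
	}
	rest := blob[len(marker):]
	keyLen := priv.Size()
	if len(rest) < keyLen {
		return nil, errors.New("truncated header")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rest[:keyLen], nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key (wrong private key?): %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	body := rest[keyLen:]
	ns := aead.NonceSize()
	if len(body) < ns {
		return nil, errors.New("truncated nonce")
	}
	return aead.Open(nil, body[:ns], body[ns:], nil)
}

func main() {
	// Constructed sample: one key pair standing in for the operator's, one file's content.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	blob, err := sealWithPublicKey(&priv.PublicKey, []byte("quarterly-report.docx contents"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed blob: %d bytes, looksSealed=%v\n", len(blob), looksSealed(blob))
	plain, err := recoverWithPrivateKey(priv, blob)
	fmt.Printf("with the right private key: %q (err=%v)\n", plain, err)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = recoverWithPrivateKey(other, blob)
	fmt.Printf("with another private key: err=%v\n", err)
}
```

The point for defenders is in the last two lines of main: the public key travelling with the malware (step 2) is useless for recovery, and a key pair that is not the one whose public half was downloaded fails at the unwrap step. That is exactly why the FireEye/Fox-IT service needs the private keys themselves rather than any analysis of the encrypted files.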
It is clear that several copycats and hybrid versions of CryptoLocker exist, ranging from programs like CryptoDefense, PowerLocker, TorLocker and CryptorBit to variants that are not necessarily named but have modified functionality, such as using Yahoo Messenger as a propagation technique.
Therefore, to help solve the problem of victims' files still being encrypted, FireEye and Fox-IT developed a decryption assistance website and a corresponding tool designed to help those afflicted with the original CryptoLocker malware.
This means Fox-IT and FireEye hold many of the private keys associated with CryptoLocker. Having these private keys may allow decryption of files encrypted by CryptoLocker.
However, certain files may not be decryptable, because new variants of CryptoLocker may be released at any time, and the tools described below may not be able to decrypt files encrypted by these more recent variants.
https://www.decryptcryptolocker.com is where you can upload an encrypted CryptoLocker file. Based on this upload, the user is offered the option to download a private key that should decrypt their affected files. The site also provides instructions on how to apply this key to the files encrypted by CryptoLocker in order to decrypt them.
Connectikpeople.co, soon #Retinknow®, recalls that, to use the site, you simply upload an encrypted file and enter your email address, so that the private key associated with the file is sent to the correct person.
Connectikpeople.co, soon #Retinknow®, also observes that the Decryptolocker.exe tool is designed to perform a few different functions. Here are some examples of the commands you can enter, depending on the result you would like to obtain.
1) To test whether a file is encrypted with CryptoLocker, enter:
Decryptolocker.exe --find File1.doc
2) To find all files encrypted with CryptoLocker in a directory, enter:
Decryptolocker.exe --find -r "C:\FolderName"
Note: remember to include the "-r" switch.
3) To decrypt a single file encrypted with CryptoLocker, enter:
Decryptolocker.exe --key "<your private key provided in email>" File1.doc
4) To decrypt all files in a folder, enter:
Decryptolocker.exe --key "<your private key provided in email>" C:\FolderName\*
Note: remember to include the "*" at the end.
5) To decrypt all files in a folder or drive recursively, enter:
Decryptolocker.exe --key "<your private key provided in email>" -r C:\