Given the tension between the CIS and the West, unless they start targeting people at home it's hard to see how the people behind this are going to be stopped (as opposed to the latest version of their scheme being stopped by some clever fix).
Unlocking CryptoLocker: How infosec bods hunt the fiends behind it
CryptoLocker, the Bitcoin-hungry ransomware menace that has become 2013’s most infamous malware, was likely created by a single hacker crew in Russia or former Eastern bloc states and is heavily targeting US and UK systems, researchers have exclusively revealed to The Register. Dell SecureWorks’ Counter Threat Unit (CTU) set …
-
-
Monday 16th December 2013 16:02 GMT Sammy Smalls
Maybe cut Russia off from the interweb? Maybe unthinkable/impractical now, but it's not difficult to see a properly tiered internet evolving due to legal differences/indifference between countries. Forget tiering about bandwidth and content; this would be a 'connected to the rest of the world or not' structure. Maybe we could have another tier structure that is 'monitored by the NSA/GCHQ or not'.
-
Tuesday 17th December 2013 13:28 GMT PyLETS
@Sammy Smalls: Net blocking criminal domains
This already happens with spam to a large extent. Many email MTA admins choose to use the Spamhaus blacklist. Configuring it is easy, but it's up to each host or firewall operator to do the DNS lookups to see if a connection is coming from a listed bad-guy-controlled address. Implementing blocks at a political or geographical level ("Maybe cut Russia off ..") is neither as effective nor as targeted as supporting reputable blacklist providers and configuring hosts and firewalls to make decisions accordingly. Then it's up to each network or host operator to make their own decisions as to what to block or allow by choosing a reputation provider and configuration, leaving room for competition between blacklist providers based on accuracy of listings.
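The DNS lookup PyLETS describes, as an added example that is not part of the thread: a DNSBL check reverses the octets of the connecting IPv4 address, appends the list's zone (zen.spamhaus.org here), and interprets the 127.0.0.x A record that comes back. The resolver is injectable so the code runs offline against a constructed stub; the stub and the sample addresses are constructed for illustration, modelled on the RFC 5782 convention that 127.0.0.2 is always listed and 127.0.0.1 never is.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Return codes documented by Spamhaus for the combined zen.spamhaus.org zone.
ZEN_CODES = {
    "127.0.0.2": "SBL (known spam source)",
    "127.0.0.3": "SBL CSS (snowshoe spam)",
    "127.0.0.4": "XBL (exploited or infected host)",
    "127.0.0.5": "XBL (exploited or infected host)",
    "127.0.0.6": "XBL (exploited or infected host)",
    "127.0.0.7": "XBL (exploited or infected host)",
    "127.0.0.10": "PBL (end-user address space, policy listing)",
    "127.0.0.11": "PBL (end-user address space, policy listing)",
}

def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not an IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name: str) -> Optional[str]:
    """Resolve an A record with the OS resolver; None (NXDOMAIN) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_ip(ip: str, zone: str = "zen.spamhaus.org",
             resolve: Callable[[str], Optional[str]] = system_resolver) -> dict:
    """Return the listing decision for one connecting address."""
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    if answer is None:
        return {"ip": ip, "query": name, "listed": False, "reason": "not listed"}
    if answer.startswith("127.0.0."):
        return {"ip": ip, "query": name, "listed": True,
                "reason": ZEN_CODES.get(answer, "unknown listing code " + answer)}
    # Spamhaus signals lookup problems (e.g. queries via a blocked public
    # resolver) with 127.255.255.x; treat those as errors, never as listings.
    return {"ip": ip, "query": name, "listed": False, "reason": "lookup error " + answer}

def constructed_resolver(name: str) -> Optional[str]:
    """Constructed offline stand-in for DNS: only the RFC 5782 test address is listed."""
    return {"2.0.0.127.zen.spamhaus.org": "127.0.0.2"}.get(name)

if __name__ == "__main__":
    for sample in ("127.0.0.2", "127.0.0.1", "192.0.2.10"):  # constructed sample inputs
        print(check_ip(sample, resolve=constructed_resolver))
```

Swap `constructed_resolver` for the default `system_resolver` to query the live zone; a mail server would make this decision at SMTP connect time, before accepting any message data.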
-
-
-
Wednesday 18th December 2013 13:19 GMT lorisarvendu
Re: perhaps ....
Although your sentiment is correct, in this case even a fully-updated Windows and AV will not necessarily help, as a) Cryptolocker does not exploit a Windows vulnerability and b) the waves of attack are often ahead of AV signatures.
Educating users about the wisdom of not opening every damn email attachment they receive will do far more good, although that doesn't help in cases of compromised web pages.
-
-
Monday 16th December 2013 16:00 GMT Richard Jones 1
Sensible to Suggest Ways of Blocking The Spread?
We should all know to keep machines as up to date and fully patched as possible.
We should all avoid clicking on any unexpected mail.
We should all avoid opening anything from an unknown source.
Items from known sources but in stupid forms should be ignored, e.g. anything from a Yahoo mail address suggesting someone is lost somewhere overseas.
But what else should one do in mitigation or prevention?
Richard
-
-
-
-
-
Monday 16th December 2013 17:49 GMT FrankAlphaXII
Re: Sensible to Suggest Ways of Blocking The Spread?
You can manually do everything that the tool does for you if you don't trust it. The author goes into detail about what the tool does on the foolishit webpage, so if you don't trust the tool itself, you can still get the same degree of mitigation without using it. It ain't perfect, but it's a fuck of a lot cheaper than buying bitcoins for criminals.
-
-
-
Monday 16th December 2013 18:58 GMT dwrjones87
Re: Sensible to Suggest Ways of Blocking The Spread?
As far as I know, DropBox allows you to revert a file to a previous version, a functionality that this beast can't alter, so therefore I would be tempted to class it. Offline your computer, clean it, go back online, go through all your files on DropBox and revert them (or perhaps email support and ask them to do it en masse for you), and then download, and be more bloody careful about what you open in the future.
-
Tuesday 17th December 2013 09:08 GMT J__M__M
Re: Sensible to Suggest Ways of Blocking The Spread?
"revert a file to a previous version, a functionality that this beast can't alter"
Say what? Please explain, because this is exactly the part that is keeping me awake at night... like right now, for instance. Seriously, how hard do you think it will be to delay the "pay up or you're fuct" message for, say, 31 days? Not hard at all is how hard, and it also wouldn't be hard to make the file selection process a little more intelligent than the file extension shotgun method they're using now.
The next iteration of this thing will have scrambled files working their way through 30 days of snapshots like a hot knife through buttah.
-
-
-
Monday 16th December 2013 18:42 GMT Anonymous Coward
Re: Sensible to Suggest Ways of Blocking The Spread?
All very well, but that still doesn't necessarily save you when you visit a forum/comments page (perhaps initiated from a perfectly above-board Google search) which has some malicious script injected which instantly redirects you to an exploit-laden site hosted on some bulletproof host that's been hosting malware for years.
Chrome pops up a message telling you you're entering a site with a bad malware reputation, but not before dialogs have popped up and your AV (or a theatrical scary mock 'AV') appears.
Of course I speak from bitter experience. Did I hit the hard-power-off button fast! Turns out my AV did block a 1MB payload... but can I ever be sure there weren't additional exploits that could have slipped through the AV net and gone undetected? Scans clean, but logically you can't prove you're not pwned.
Chrome. On fully up-to-date Win7/64bit. NOD32.
-
Tuesday 17th December 2013 00:24 GMT Steven Raith
Re: Sensible to Suggest Ways of Blocking The Spread?
"Chrome. On fully up-to-date Win7/64bit. NOD32."
To be honest, if you're thinking about searching for something potentially dodgy (in whatever capacity), you owe it to yourself to set up a basic Linux (or any other OS you are happy with, as long as it's not vulnerable to cross compiled stuff, etc) VM and use that for searching out scary stuff.
Even with a Windows VM, you can snapshot it before you start so you can roll back to a working version, NAT it out of your main network, etc.
It's not as hard as it sounds, and it's well worth researching and implementing it, especially if you're now newly paranoid about that sorta thing.
No OS zealotry, just good old fashioned common sense. :-)
Steven R
-
Tuesday 17th December 2013 04:37 GMT David 14
Re: Sensible to Suggest Ways of Blocking The Spread?
Or maybe just download the free VMware Viewer application from www.vmware.com and then download one of the many pre-packaged Web Browser Linux appliance virtual machines. This makes a VM on your machine that is a rock-solid barrier between your web browser and your on-machines files. Use your regular browser for known and trusted sites, let the appliance be your way to browse the net for fun or even for "dodgy" stuff... lol.
-
-
-
-
-
Monday 16th December 2013 22:27 GMT John Smith 19
Note the games theory aspect. It's an "honest" criminal.
You pay money -->get files back.
No money --> no files back (AFAIK).
So it uses the Microsoft Crypto API ?
Is this ever called the CrAPI by any chance?
I also note it seems to rely on a set of "Cryptographic Service Providers."
I presume that, like any Windows service, they can be manually shut down if they are too slow/resource heavy/useless for user convenience by going to the start menu, choosing run and typing "services.msc"?
-
-
Monday 16th December 2013 22:47 GMT Anonymous Coward
Re: Note the games theory aspect. It's an "honest" criminal.
Prior art. It appears there is a how-to manual:
http://link.springer.com/chapter/10.1007%2F11556992_28
Information Security
Lecture Notes in Computer Science Volume 3650, 2005, pp 389-401
Building a Cryptovirus Using Microsoft’s Cryptographic API
Adam L. Young
This paper presents the experimental results that were obtained by implementing the payload of a cryptovirus on the Microsoft Windows platform. A novel countermeasure against cryptoviral extortion is presented that forces the API caller to demonstrate that an authorized party can recover the asymmetrically encrypted data. The attack is based entirely on the Microsoft Cryptographic API and the needed API calls are covered in detail. The exact sequence of API calls that is used for both the viral payload and the code for key generation, decryption, and so on is given. More specifically, it is shown that by using 8 types of API calls and 72 lines of ANSI C code, the payload can hybrid encrypt sensitive data and hold it hostage on the host computer system. These findings demonstrate the ease with which one can apply cryptography to devise the payload of a cryptovirus when a cryptographic API is readily available on host machines.
-
-
Monday 16th December 2013 23:41 GMT veti
Want to declare an interest?
"Thieving", "scourge", "menace", "gang of crooks" - while not unreasonable in context, are still strong words, and I can't help feeling they're not typical of the coverage usually given to viruses/trojans/etc on this site. There is an uncharacteristic degree of venom there.
In the interests of full disclosure, could El Reg clarify whether anyone involved in the writing or editing of this or other BitLocker stories has actually been affected by it at first hand?
-
Tuesday 17th December 2013 00:27 GMT Anonymous Coward
Re: Want to declare an interest?
You don't need to have been burgled or have had your car nicked to consider burglars or car thieves to be a menace/scourge/thieving gits etc.
I've had a couple of sites affected by this (thankfully with offline backups etc) and I fully support the sentiment, TBH. This malware is particularly nasty, and no amount of AV will stop a user from ignoring the warnings and letting it loose on their network.
-
-
Tuesday 17th December 2013 06:21 GMT Shannon Jacobs
This is why "Live and let spam" is bad
Kind of too late now, but if these criminals had been driven out of business years ago, then they wouldn't have become the monstrous threat they now are. Not all, but most of the infrastructure they are now using has evolved steadily over the years of playing patty-cake with the spammers. The scams have been profitable enough to keep them at it, and now we have this ongoing fiasco.
In particular, if the major email providers had been serious about shutting down the spammers' business models starting some years ago, maybe we would not have reached this point. Now it's basically too late and we are dealing with serious and professional criminals, but... Imagine if the email providers had bothered to provide integrated anti-spammer tools starting several years ago. Rather than playing games and feeding the spammers while they grew so strong and dangerous, we--ALL of the people who sincerely and fiercely hate spam--could have helped shut down ALL of the spammers' infrastructure, pursue ALL of the spammers' accomplices, and help and protect ALL of the spammers' victims. The "victims" is not just the suckers who send money to the spammers, but the corporations whose reputations are abused by the spammers, and even all of the other people who use the Internet.
Tell you what. I'll sponsor a prize for anyone who can convince me the spammers make ANY positive contribution to the world. I'm not saying we can cure their vicious sociopathy, but we could have pushed them under less visible rocks.
Oh well. Evidently it's too late now. We don't have any option but to live with them--and in perpetual fear of clicking on the wrong attachment.
-
Tuesday 17th December 2013 10:53 GMT Anonymous Coward
Offer a reward
Offer a $<multi> million reward and amnesty for information leading to the capture and prosecution of the offenders.
Some of those involved will have no qualms about turning in the rest of their group to get a life of anonymous luxury on some hot island for the rest of their days.
Once the identities are known, do not leave it up to the US to distribute justice. Instead, deal with the Russian authorities and have them take care of matters. For they are far more scary in their approach to making an example of such people.
-
Tuesday 17th December 2013 13:27 GMT Anonymous Coward
Re: Offer a reward
"Instead, deal with the Russian authorities and have them take care of matters"
Dream on, mate! A big part of the problem is that the Russian state and Russian criminals exist on a continuum, not a binary scale. And not in the manner of the ongoing till-dipping and employ-your-mates graft prevalent in the US or UK, but on a much larger, more open and more brutal scale. We all know what happens to investigative journalists in Russia, for example: murdered, and the authorities never seem to find the culprits.
So the chances are that the Cryptolocker gang are already part of criminal/political gang run by a mid level oligarch in some sh1tty oblast in southern Russia. And if they aren't they'll be looking to use their new found wealth to buy friends and influence. The only prospect of the authorities turning on them is if those same authorities think they aren't getting their cut, and have the back up of even more powerful thugs.
Progressively isolating increasingly large amounts of the internet is the only answer, because that would force the Russian government's hand when the tap is about to be turned off. But I simply don't think that US or European politicians are clever enough or brave enough to start such a move. Funny, isn't it. All this NSA and GCHQ data and phone scraping and storing "to keep us safe" and the useless f*ckers can't protect us from spam or business-grade malware?
-
-
Wednesday 18th December 2013 18:57 GMT 2cent
Is this the right key?
"Using the Microsoft CryptoAPI, Cryptolocker encrypts each file with a unique AES key, which is then encrypted with the RSA public key received from the crooks’ server. "
Does this mean that replacing or removing Microsoft CryptoAPI stops CryptoLocker from action before or during infection?