Monetizing Malware With Cryptolocker

In the "Good Old Days" of computing, when it was really starting to become popular, computer viruses would often be destructive or at least have a high nuisance value. In more recent years the goal has often been a bit more subtle, by infecting the computer in a manner that may not immediately draw attention to the user, but all the while either stealing personal information, or serving up bogus search results to get clicks and make money that way. And that's the name of the game; since it became apparent that there were ways to monetize malware, the involvement of organized gangs upped the ante and the sophistication of the attacks. Most recently, we have Ransomware, such as Cryptolocker.

Cryptolocker malware is very upfront about the motive behind it; this type of malware quietly encrypts (scrambles) your PC data, making it inaccessible to you or anyone else, and demands that you pay cash to get an unlock code to get your data back. In this regard, it is more properly termed "ransomware". 

The encryption affects both local data, mapped drives, attached USB devices and in some case, cloud drives. The best "fix" for this is to wipe your PC and start over, but many home users either don't have the backups in the first place, or are so upset by the whole thing that just take the PC to the big box store they bought it from and have them handle it (at a significant cost). 

In the UK, where Cryptolocker infections are quite prevalent at the moment, about 2 in 5 of those infected actually pays the "ransom", typically around $500!

From the US CERT site:
The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.  If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.
Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.
While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.  US-CERT and DHS encourage users and administrators experiencing a ransomware infection to report the incident to the FBI at the Internet Crime Complaint Center (IC3).
For tips and methods of avoiding this type of malware, see Brian Krebs here, and some more generic advice from the UK Guardian here.

No comments:

Post a Comment