CryptoLocker virus removal and data recovery

This is a summary of the CryptoLocker ransomware, covering its history, its encryption scheme and the options for restoring files once it has run.

What is CryptoLocker?

The file-encrypting ransomware dubbed CryptoLocker has an eventful history. It surfaced in late summer 2013, which makes it one of the earliest widely distributed crypto-ransomware families. Before it appeared, the most common threats of this kind that Windows users ran into were the so-called Police trojans, which locked the desktop but did not touch the data. Unlike those low-severity screen lockers, CryptoLocker used a strong combination of RSA and AES from its first iterations. Worse, the criminals implemented the cryptography correctly, leaving no flaw for researchers to exploit: without the private key the hostage data could not be recovered, and the only way to obtain that key was to pay the Bitcoin ransom.

Desktop background set by CryptoLocker

In June 2014, CryptoLocker was effectively put out of business by the well-orchestrated Operation Tovar, in which law enforcement agencies from several countries, working with private security companies, seized the infrastructure behind the ransomware together with the Gameover ZeuS botnet that distributed it. And yet computer users around the globe still report infections. How come? Other groups have been turning out copycats under the same old 'brand'. The main attributes, however, have not changed.
This ransomware gets onto Windows computers through social engineering. The would-be victims receive emails disguised as customer care notifications from services like UPS or FedEx. The payload is a ZIP file attached to these emails. Inside it is an executable whose name and icon imitate a PDF document, typically via a double extension such as tracking-notice.pdf.exe, with the real .exe extension hidden by Windows Explorer's default setting of not showing known file extensions. Opening the 'document' runs the executable and starts the compromise proper.
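As an added illustration (not code from the original article), the following Go program shows the check a mail gateway or an analyst can apply to such an attachment: open the ZIP, flag entries whose names use a document-then-executable double extension, and flag any entry whose first bytes are the MZ header of a Windows executable regardless of what the name claims. The archive it scans is constructed inline; the file name and the stub contents are made up for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Finding is one suspicious entry inside an attachment archive.
type Finding struct {
	Name   string
	Reason string
}

// Extensions Windows will run, and the document extensions attackers pair
// with them so that "notice.pdf.exe" displays as "notice.pdf".
var (
	execExt = map[string]bool{".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true, ".cmd": true, ".js": true, ".vbs": true}
	docExt  = map[string]bool{".pdf": true, ".doc": true, ".docx": true, ".xls": true, ".xlsx": true, ".txt": true, ".jpg": true}
)

// hasDoubleExtension reports a document-looking inner extension hidden
// behind an executable outer one.
func hasDoubleExtension(name string) bool {
	lower := strings.ToLower(path.Base(name))
	outer := path.Ext(lower)
	inner := path.Ext(strings.TrimSuffix(lower, outer))
	return execExt[outer] && docExt[inner]
}

// isPE reports whether data starts with the "MZ" DOS header that every
// Windows executable carries, whatever its file name claims.
func isPE(data []byte) bool {
	return len(data) >= 2 && data[0] == 'M' && data[1] == 'Z'
}

// ScanZip inspects each entry of an in-memory ZIP and returns those that
// look like executables dressed up as documents. Both the name and the
// leading bytes are checked, so renaming alone does not evade the second test.
func ScanZip(archive []byte) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range r.File {
		var reasons []string
		if hasDoubleExtension(f.Name) {
			reasons = append(reasons, "double extension")
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		head := make([]byte, 2)
		n, _ := io.ReadFull(rc, head) // a short read just means "not a PE"
		rc.Close()
		if isPE(head[:n]) {
			reasons = append(reasons, "PE executable content")
		}
		if len(reasons) > 0 {
			findings = append(findings, Finding{f.Name, strings.Join(reasons, "; ")})
		}
	}
	return findings, nil
}

// BuildSampleZip constructs, in memory and for this example only, an archive
// shaped like the CryptoLocker lure: a fake tracking notice that is really a
// (stub) executable, next to a harmless text file. Writes to a bytes.Buffer
// cannot fail, so the fixture skips error checks.
func BuildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	entries := [][2]string{
		{"UPS_Tracking_Notice_2013.pdf.exe", "MZ\x90\x00\x03\x00 constructed stub, not a real binary"},
		{"readme.txt", "Your parcel could not be delivered. See the attached notice."},
	}
	for _, e := range entries {
		fw, _ := w.Create(e[0])
		fw.Write([]byte(e[1]))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	findings, err := ScanZip(BuildSampleZip())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("QUARANTINE %s: %s\n", f.Name, f.Reason)
	}
}
```

The two checks are deliberately independent: the double-extension rule catches the lure even if the content is a downloader rather than a PE, and the MZ check catches a renamed executable even when the name looks innocent.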

CryptoLocker main pane

CryptoLocker first enumerates local drives and mapped network shares for files with extensions from a hard-coded list, including .rtf, .pst, .doc, .xls, .ppt, .jpg, .dng and many more. It then encrypts each matching file with AES and encrypts the AES key with a 2048-bit RSA public key issued for that victim. The matching private RSA key, the prerequisite for any restoration, is stored only on the criminals' Command and Control server. The malware locates that server with a Domain Generation Algorithm (DGA) that produces a fresh batch of candidate domains each day, so that taking down individual domains has little effect.

Once encryption finishes, the ransom demand begins. The malware replaces the desktop wallpaper with a warning that reads, in its broken English, "Your important files encryption produced on this computer: photos, videos, documents, etc." The main CryptoLocker window repeats the same alert. The victim is told to send 2 BTC, over $1000 at the exchange rate of the time, to a specified Bitcoin address, and the demand rises to 10 BTC once a 72-hour countdown expires. The starting amount varies between distributors; some ask for 1 BTC. A MoneyPak voucher option may be offered to victims in the USA.

Recovery from a CryptoLocker attack has two stages: get rid of the malware itself, then try to reinstate the locked data using the workarounds below.

CryptoLocker removal

Removing the ransomware ensures it will not do any further damage, and in particular that it cannot re-encrypt files you restore. The linked-to automated cleanup tool detects the malicious executables of known crypto viruses and removes their components. Keep in mind, though, that data already encrypted stays inaccessible until the recovery measures below are applied; removal does not decrypt anything.

1. Download and install CryptoLocker virus remover. Run the suite and click Start Computer Scan.


2. As soon as the scan report is ready, make sure all the malicious entries on the list are selected and click Fix Threats to get the cleaning job done.

File recovery how-to’s

Now that you have taken care of the offending code, it is time to restore the scrambled files. Backups taken before the compromise are by far the most reliable way to get the information back. If you use a backup service, use its restore feature to download the most recent clean copies of the files. If the backup lives on an external drive, copy the data back to your PC. One caveat: CryptoLocker also encrypts files on mapped network shares and on drives that were plugged in at the time, so check that the backup itself was not reachable from the infected machine and has not been encrypted before you rely on it.

Unfortunately, many users do not have a sound backup strategy that would make them resilient to such incidents. If you are in that category, the choice is between paying the ransom and the forensic data restoration techniques below. Paying should be the last resort, not least because it funds the next campaign and comes with no guarantee, so try the routines below first. Victims of the original 2013-2014 campaign had one more option: the private keys recovered during Operation Tovar powered a free decryption service run by FireEye and Fox-IT from August 2014. That service is no longer online, and the keys it held do not cover the later copycats that reuse the name.

a) Explore ‘shadows’
As enigmatic as it sounds, this is a completely down-to-earth method that works in some ransomware cases. Windows' Volume Shadow Copy Service (VSS) keeps snapshots of files, taken when restore points are created, during system updates and by scheduled backups. The ShadowExplorer applet automates finding these previous versions and restoring them to a location of your choice or to the original folder.

ShadowExplorer

The problem is that many crypto ransomware strains, CryptoLocker itself among them, run "vssadmin.exe Delete Shadows /All /Quiet" to wipe every existing snapshot. The command deletes the shadow copies; it does not disable the VSS service, so new snapshots can still be created afterwards, but those will be snapshots of already encrypted files. To see whether any snapshots survived, run "vssadmin list shadows" from an elevated command prompt; an empty list means this route is closed. Otherwise download ShadowExplorer, install and launch it, pick a snapshot dated before the infection, right-click a folder such as Documents and Settings, select Export and choose the directory the contents should be restored to. If this worked, proceed with the rest of your data in the same fashion.
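Because that command is one of the few reliable early signals of a ransomware run, here is an added example (not from the original article) in Go of a process-creation detection for it. It goes slightly beyond the page's single command and also matches the wmic shadowcopy delete form, which does the same thing. The log lines are constructed for the example in a simplified timestamp|image|command line layout; a real feed would come from Sysmon Event ID 1 or Security Event 4688 with command-line auditing enabled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hit is one process-creation event whose command line wipes shadow copies.
type Hit struct {
	Line        int
	CommandLine string
	Rule        string
}

// Each rule tolerates case changes, an optional .exe suffix and extra flags,
// so "VSSADMIN delete shadows /all /quiet" and "vssadmin.exe Delete Shadows /All"
// both match. The wmic form is the well-known equivalent of the vssadmin one.
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"vssadmin delete shadows", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b`)},
	{"wmic shadowcopy delete", regexp.MustCompile(`(?i)\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b`)},
}

// Detect scans log lines of the constructed form "timestamp|image|command line"
// and returns every line whose command line matches one of the rules.
func Detect(lines []string) []Hit {
	var hits []Hit
	for i, line := range lines {
		parts := strings.SplitN(line, "|", 3)
		if len(parts) != 3 {
			continue // malformed record; a real pipeline would count these
		}
		cmd := parts[2]
		for _, r := range rules {
			if r.re.MatchString(cmd) {
				hits = append(hits, Hit{i + 1, cmd, r.name})
				break
			}
		}
	}
	return hits
}

// SampleLog is constructed for this example; the shapes mirror what a Sysmon
// Event ID 1 or Security 4688 record reduces to. Only lines 2 and 3 are bad.
var SampleLog = []string{
	`2013-10-22T14:03:09Z|C:\Windows\System32\vssadmin.exe|vssadmin.exe List Shadows`,
	`2013-10-22T14:03:11Z|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet`,
	`2013-10-22T14:03:12Z|C:\Windows\System32\wbem\WMIC.exe|WMIC shadowcopy delete`,
	`2013-10-22T14:05:40Z|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt`,
	`garbage line without separators`,
}

func main() {
	for _, h := range Detect(SampleLog) {
		fmt.Printf("line %d: %s  <- %s\n", h.Line, h.CommandLine, h.Rule)
	}
}
```

Treat a hit as high priority rather than certain: some backup products also prune shadow copies with vssadmin, so tune on the parent process (a backup agent versus an executable launched from a user's temp directory) before alerting automatically.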

Data Recovery Pro

b) Use recovery software
There are solutions that traverse computer drives and connected media in search of deleted data and may be able to reinstate it. The reason tools like Data Recovery Pro can be useful in ransomware cases is that some of these trojans write the encrypted copy as a new file and then delete the original, so the original's disk clusters remain recoverable until they are overwritten. If that is the case, the application scans the machine, lists all recoverable entries in the scan report and lets you get those items back. Two things matter: remove the virus for good before you start, and keep writes to the affected disk to a minimum (ideally scan it from another system or a live medium), since every new write can overwrite what you are trying to recover.

Double-check for CryptoLocker remnants

Do not leave anything to chance when dealing with ransomware. Unless removed thoroughly, these threats can relaunch the crypto attack and scramble everything you have just restored with the methods above. To add insult to injury, ransom trojans often arrive with other infections; CryptoLocker in particular was pushed by the Gameover ZeuS banking trojan, which steals victims' credentials. One way or another, rescan your system, and change the passwords that were used on the infected machine, before you consider it clean.
