Hey there boys and girls, and welcome to another edition of “awww shucks”. It seems there is a new variant of CryptoLocker out in the wild, updated with a brand new, higher ransom price and new ways to hide from antivirus.
Infection: The CryptoLocker executable usually arrives as an email attachment or as part of a compromised installer package. When a user runs it, it first talks to its command and control server, which generates an RSA key pair unique to that victim. Only the public key is sent back to the infected machine; CryptoLocker uses it to encrypt the data, and the private (decryption) key never leaves the attackers’ server. It then works through the user’s hard drive alphabetically, encrypting files as it goes.
It gets worse, because CryptoLocker does not stop at the local drive: it also looks at any USB sticks, external hard drives, and mapped network drives on your file servers, and encrypts those too. Note that it can only reach what the infected user’s account can write to, which is one more argument for least-privilege share permissions. It does not encrypt every single file, but it targets the ones most users rely on: PDFs, Microsoft Office files, pictures, music, and other documents; enough to be extremely annoying for an individual, and in a large corporate environment very likely to cause a lot of headaches by locking up things like reports or financial documents.
Once it has finished encrypting your data, it presents a nice message asking for money to get the data back. In this latest variant that sum is a “no chump change” $400, which to a corporation might not be a big deal, but for an individual could be fairly substantial. The only good thing about CryptoLocker (if you can say anything good about a piece of software like this) is that if a user pays the ransom, they actually are given their private key and can decrypt the data. I guess the scheme wouldn’t work too well if users reported that no matter what you do, your files are gone.
Mitigation: So what can you do once you’ve been infected with CryptoLocker? Realistically, there are only two options, and neither of them is fun.
1. You can pay the ransom. Depending on how much data you had on your drives and how many file shares you had access to, decrypting it all could take a very, very long time. It is time consuming, and of course there is the matter of the $400 ransom.
2. Restore from backup. Again, depending on how much data there was, this could be very time consuming for your admins and could mean a lot of lost productivity for your company. One caveat: a backup that lives on a mapped drive or an always-attached external disk is just another target for CryptoLocker, so make sure you have backups that are offline or versioned, and verify that they were not encrypted along with everything else before you count on them.
I wish there were better ways to get your data back once you’ve been hit by CryptoLocker, but unfortunately the cryptography used is strong enough that recovering the private key by brute force is not realistic, even with a supercomputer.
Prevention: So how can individuals and businesses avoid getting infected in the first place? The problem with ransomware like this is that it’s a lucrative operation for the people running the scheme (c’mon NSA, where are you when we need you?), which allows the developers to constantly improve their product. That means by the time an antivirus definition comes out for one variant of CryptoLocker, another variant may already be out in the wild.
Besides keeping your AV signatures updated, there are some group policies you can implement to help.
Ok, Active Directory admins, bust out your GPO Manager and let’s get to work.
1. Create a new GPO and call it whatever you want. I named mine “Global – Computer – SRP versus Cryptolocker” since it’s a global policy that uses the Computer Configuration portion of a GPO.
2. Go down to Computer Configuration, and head into Policies -> Windows Settings -> Security Settings -> Software Restriction Policies
3. Right click on Software Restriction Policies (I’ll just call it SRP from now on), and select “New Software Restriction Policy”.
4. Let’s create some rules. Under “Additional Rules”, right-click in the right pane and select “New Path Rule”. Create each of the following path rules with the security level set to “Disallowed” (note the backslashes; the wildcard `*` matches one folder or file name level):
a. %AppData%\*.exe — prevent executables from running directly in AppData. Most installed apps never need to run from here, so we can block it. We will want to test this first, since apps such as Dropbox and other “user-space apps” that install into the profile may need to be whitelisted.
b. %AppData%\*\*.exe — the same for subfolders of AppData.
c. %UserProfile%\Local Settings\Temp\Rar*\*.exe — WinRAR uses this as its temp extraction location, so if CryptoLocker comes to us in a RAR file we can stop it from being run.
d. %UserProfile%\Local Settings\Temp\7z*\*.exe — same for 7-Zip.
e. %UserProfile%\Local Settings\Temp\wz*\*.exe — same for WinZip (people still use WinZip?).
f. %UserProfile%\Local Settings\Temp\*.zip\*.exe — email attachments that come in as ZIP files usually extract here if we use Windows’ built-in ZIP handling.
g. %LocalAppData%\Temp\Rar*\*.exe — WinRAR on Windows 7 and above uses this location.
h. %LocalAppData%\Temp\7z*\*.exe — 7-Zip on Windows 7 and above uses this location.
i. %LocalAppData%\Temp\wz*\*.exe — WinZip on Windows 7 and above uses this location.
j. %LocalAppData%\Temp\*.zip\*.exe — Windows’ built-in ZIP handling on Windows 7 and above uses this location.
Of course, if you only have Windows 7/Server 2008 and above in your environment, you can skip the four %UserProfile%\Local Settings\Temp rules (c through f), since that folder structure only exists on Windows XP/Server 2003; or you can split the rules into an “SRP for Windows XP” policy and an “SRP for Win 7” policy if you prefer.
This blocks all executables in the paths CryptoLocker commonly runs from when it infects a machine. I mentioned that apps like Dropbox will stop working once this policy is in place. You’ll have to be mindful of such applications (if they are used in your workplace) and create additional path rules for them with the “Unrestricted” security level. Dropbox, GoToMeeting, and similar apps that install into the user profile will need these exceptions. Test in a lab environment, then on just your own machine or a small pilot group of users, before rolling it out. This works because SRP evaluates the most specific matching rule first: an Unrestricted rule for a particular folder or file under %AppData% beats the broader Disallowed rule for %AppData%\*\*.exe, so your whitelist entries win over the blocklist as long as they are more specific. Keep in mind that path rules only cover the paths you list; an attachment that drops its payload somewhere else will not be caught by these rules alone.
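For a quick lab test of the rule set above (steps 1 through 4 plus the Dropbox-style exception) before you touch the domain GPO, the following PowerShell script writes the same Software Restriction Policy rules into the local policy of a test machine. This is an added example, not from the original post or from Microsoft: it assumes the registry layout that the Local Security Policy and GPO editors write for SRP (`HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\<guid>`, with `0` = Disallowed and `262144` = Unrestricted), and the Dropbox path in the whitelist entry is a placeholder you should replace with whatever actually runs from `%AppData%` in your shop. Run it elevated on a throwaway machine only.

```powershell
# Added example (not from the original post): apply the post's SRP path rules to the
# LOCAL policy of a lab machine by writing the registry keys the Local Security Policy
# editor writes. Run from an elevated PowerShell on a non-production machine.
# Assumption: the Safer\CodeIdentifiers\<level>\Paths\<guid> layout and the level
# values 0 = Disallowed, 262144 (0x40000) = Unrestricted, as documented for SRP.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 262144

# Rules from the post, all Disallowed. The "Local Settings" entries only matter on
# Windows XP / Server 2003; drop them if your whole environment is Windows 7 or newer.
$BlockRules = @(
    @{ Path = '%AppData%\*.exe';                               Desc = 'Block executables in AppData' },
    @{ Path = '%AppData%\*\*.exe';                             Desc = 'Block executables in AppData subfolders' },
    @{ Path = '%UserProfile%\Local Settings\Temp\Rar*\*.exe';  Desc = 'Block WinRAR temp extraction (XP)' },
    @{ Path = '%UserProfile%\Local Settings\Temp\7z*\*.exe';   Desc = 'Block 7-Zip temp extraction (XP)' },
    @{ Path = '%UserProfile%\Local Settings\Temp\wz*\*.exe';   Desc = 'Block WinZip temp extraction (XP)' },
    @{ Path = '%UserProfile%\Local Settings\Temp\*.zip\*.exe'; Desc = 'Block Windows ZIP handling (XP)' },
    @{ Path = '%LocalAppData%\Temp\Rar*\*.exe';                Desc = 'Block WinRAR temp extraction (Win7+)' },
    @{ Path = '%LocalAppData%\Temp\7z*\*.exe';                 Desc = 'Block 7-Zip temp extraction (Win7+)' },
    @{ Path = '%LocalAppData%\Temp\wz*\*.exe';                 Desc = 'Block WinZip temp extraction (Win7+)' },
    @{ Path = '%LocalAppData%\Temp\*.zip\*.exe';               Desc = 'Block Windows ZIP handling (Win7+)' }
)

# Whitelist exceptions. The Dropbox path is a placeholder assumption: a rule for a
# specific file or folder is more specific than %AppData%\*\*.exe, so it wins.
$AllowRules = @(
    @{ Path = '%AppData%\Dropbox\bin\Dropbox.exe'; Desc = 'Allow Dropbox (placeholder path, adjust)' }
)

# Default "designated file types" SRP applies rules to; REG_MULTI_SZ under CodeIdentifiers.
$ExecutableTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
                   'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
                   'PIF','REG','SCR','SHS','URL','VB','WSC'

function Add-SrpPathRule {
    param([string]$Path, [string]$Description, [int]$Level)
    # Each rule lives in its own GUID-named subkey under the level's Paths key.
    $key = Join-Path $Safer ("{0}\Paths\{1}" -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Description'  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    return $key
}

# Base policy: default level Unrestricted (this is a blocklist, not a whitelist),
# enforce on all file types except DLLs (TransparentEnabled = 1), all users including
# local administrators (PolicyScope = 0).
New-Item -Path $Safer -Force | Out-Null
New-ItemProperty -Path $Safer -Name 'DefaultLevel'       -Value $Unrestricted   -PropertyType DWord       -Force | Out-Null
New-ItemProperty -Path $Safer -Name 'TransparentEnabled' -Value 1               -PropertyType DWord       -Force | Out-Null
New-ItemProperty -Path $Safer -Name 'PolicyScope'        -Value 0               -PropertyType DWord       -Force | Out-Null
New-ItemProperty -Path $Safer -Name 'ExecutableTypes'    -Value $ExecutableTypes -PropertyType MultiString -Force | Out-Null

foreach ($r in $BlockRules) { Add-SrpPathRule -Path $r.Path -Description $r.Desc -Level $Disallowed   | Out-Null }
foreach ($r in $AllowRules) { Add-SrpPathRule -Path $r.Path -Description $r.Desc -Level $Unrestricted | Out-Null }

# Read back what is now in the local policy so you can eyeball it before testing.
function Get-SrpPathRules {
    foreach ($lvl in $Disallowed, $Unrestricted) {
        $paths = Join-Path $Safer "$lvl\Paths"
        if (Test-Path $paths) {
            Get-ChildItem $paths | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                [pscustomobject]@{
                    Level = if ($lvl -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
                    Path  = $p.ItemData
                    Desc  = $p.Description
                }
            }
        }
    }
}
Get-SrpPathRules | Format-Table -AutoSize
```

SRP is evaluated when a process starts and the rule set is read when policy loads, so log off and back on (or reboot) before testing; a harmless way to test is to copy `notepad.exe` into `%AppData%\test\` and try to launch it, which should now fail with the SRP “blocked by group policy” message. Once you are happy with the rule set, build it in the domain GPO exactly as described in the steps above rather than pushing registry edits around.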
Good luck, and I hope you never get Cryptolocker.