Two cryptolocker ransomware cases in two days

[transcript of text on picture above: “Your important files encryption produced on this computer: photos, videos, documents. etc. Here is a complete list of encrypted files, and you can personally verify this. Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key. The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files… To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD / 100 EUR / similar amount in another currency. Click to select the method of payment and the currency. Any attempt to remove or damage this software will lead to the immediate destruction of the private key by the server.”]

Although this post is nearly two years old, crypto viruses are still running rampant on the internet. Normally, computers are infected when a user opens a suspicious email or downloads otherwise questionable material containing the virus. Since there are still victims of the virus out there paying the ransom to regain access to their files, criminals are continuing to create copycat variations of the virus and prey on users around the world. This lucrative criminal industry has spread to mobile devices as well. Our CEO Brian Gill wrote this post, and it’s still applicable today. Read on to learn more about how the viruses work.

By Brian Gill

Interesting 24 hours here at Gillware. Yesterday we had a cloud-backup customer that had their computer infected with CryptoLocker Ransomware.

The virus targets important-looking file extensions (doc(x), xls(x), jpg, etc.) and appears to fully encrypt the contents with some flavor of AES. It doesn’t rename the extensions to (.rar .exe .aes .html) like some previous ransomware variants. Because of this, all of the affected files on the file system had their contents altered by the encryption in place, and our backup solution uploaded the changed files as new revisions of each and every file that was changed. So, when the customer downloaded from the cloud they got a little panicked, as the data that came down was encrypted gibberish just like the data on their computer. The crisis was easily averted, though, as our solution keeps up to five revisions of any file by default (or more if the customer wants), so our tech staff just walked them through how to pull down revision N-1 and they were good to go.
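The mechanism that saved the first customer is worth seeing concretely. The following is an added example, not code from the original post or from Gillware's product: a minimal revision-keeping backup store that retains the last `max_revisions` uploads of each path (five by default, matching the post) and lets the restore side ask for revision N-1 once the newest revision turns out to be the ciphertext the infected client uploaded. The file contents and paths are constructed, and the in-place "encryption" is a single-byte XOR stand-in so the script runs without a crypto library; the point is the retention behaviour, not the cipher.

```python
"""Added example (not from the original post): a revision-keeping backup store.

Every upload of changed content becomes a new revision of that path, with at
most `max_revisions` kept (oldest evicted). If ransomware alters files in place
and the backup client dutifully uploads the altered bytes as revision N, the
clean revision N-1 is still available for restore.
"""
from collections import defaultdict, deque


class RevisionStore:
    def __init__(self, max_revisions: int = 5):
        if max_revisions < 1:
            raise ValueError("need at least one revision per file")
        self.max_revisions = max_revisions
        # path -> bounded deque of byte strings, newest at the right
        self._revs = defaultdict(lambda: deque(maxlen=max_revisions))

    def put(self, path: str, data: bytes) -> int:
        """Store `data` as the newest revision of `path`; return revisions kept.

        Re-uploading identical content does not consume a revision slot, so a
        backup client that re-sends unchanged files cannot push out history.
        """
        revs = self._revs[path]
        if revs and revs[-1] == data:
            return len(revs)
        revs.append(data)          # deque(maxlen=...) drops the oldest automatically
        return len(revs)

    def get(self, path: str, revision: int = -1) -> bytes:
        """revision=-1 is the newest, -2 the one before it (the 'N-1' restore)."""
        revs = self._revs.get(path)
        if not revs:
            raise KeyError(path)
        return revs[revision]      # IndexError if that revision was already evicted

    def revisions(self, path: str) -> int:
        return len(self._revs.get(path, ()))


# Constructed plaintext standing in for a customer document.
CLEAN = b"Invoice 2013-10: amount due 1,250.00 payable within 30 days"


def scrambled(data: bytes) -> bytes:
    """Constructed stand-in for in-place encryption: same length, altered bytes."""
    return bytes(b ^ 0x5A for b in data)


def simulate_incident(store: RevisionStore, path: str = "docs/invoice.docx") -> dict:
    """Replay the post's scenario: clean upload, then the encrypted file uploaded
    as a new revision, then restore of revision N-1."""
    store.put(path, CLEAN)                 # normal backup run
    store.put(path, scrambled(CLEAN))      # backup after the infection altered the file
    return {
        "latest_is_clean": store.get(path) == CLEAN,
        "restored": store.get(path, -2),
        "kept": store.revisions(path),
    }


if __name__ == "__main__":
    result = simulate_incident(RevisionStore())
    print("newest revision clean?", result["latest_is_clean"])
    print("revision N-1:", result["restored"].decode())
```

The cap matters in the other direction too: if the infected client keeps re-uploading every backup cycle, each run that finds the file changed again (a second pass of the malware, or a "helpful" repair attempt) consumes another slot, and with five revisions the clean copy can be evicted within a handful of cycles. That is the argument for a larger revision count, or for retention that is also time-based, on shares that many desktops can write to.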

Unfortunately, the second time we saw this (today) was while attempting a data recovery of a large Buffalo Terastation; these folks weren’t protected by our cloud. After our normal data recovery process of cloning all the drives, figuring out the parity/rotation/stripe/offsets etc., determining the physical and logical volumes, and ultimately the file system (XFS for the data volume), we found that while all of the PDFs worked fine (100% file system consistency check by our software), 100% of the OLE2 data types and the other office types and picture types were fully encrypted. It’s never fun telling a customer that hundreds of thousands of documents are unrecoverable, at least for now.

The customer is attempting to locate one of hundreds of desktops that had access to this share that was the root cause of the problem. With any luck, they’ll find it and get it to us. We have to hope that there’s shrapnel of the encryption key on that box somewhere and we can use that to untwist all these files. From reading some posts on the subject, supposedly you can pay 100 bucks to some shady payment system and it’ll give you a utility to perform the decrypt somehow. We’re making multiple copies of all this data for them so they can at least contemplate trying that if they choose to do so.

There’s a bunch of lessons to be learned here. First, of course, is to have automated, strong backups. Second, make sure that backup has the ability to keep a revision history. Third, anti-malware is critical to a small business… but the malware protection suites are always one step behind. Fourth, IT admins should be looking at ways of monitoring massive numbers of changed files within a given time frame. Perhaps Open Source Tripwire® would have saved the day here, at least partially.
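The fourth lesson is the one an admin can act on without buying anything, so here is an added example of what that monitoring looks like in practice. It is not code from the post, from Gillware, or from Tripwire: a small Python change-burst monitor that walks file-change events in timestamp order, raises an alert when more than a threshold of distinct files change inside a sliding window, and counts how many of the changed files now have near-maximal byte entropy, which is what in-place encryption of documents and pictures leaves behind. The event list, paths, timestamps and file contents are all constructed for the example; in a real deployment the events would come from a file-system audit log, inotify/FSEvents, or a backup client's upload journal.

```python
"""Added example (not from the original post): a file-change burst monitor.

Alerts when many distinct files change within a short window, and reports how
many of the changed files look like ciphertext (Shannon entropy near 8 bits per
byte). Event data at the bottom is constructed for the example.
"""
import math
from collections import Counter, deque
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class ChangeEvent:
    ts: float      # seconds (constructed values below)
    path: str
    data: bytes    # file contents after the change


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0. Office documents and images land well below 8;
    encrypted (or well-compressed) data sits at the top of the range."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _summarize(burst: dict, entropy_threshold: float) -> Tuple[float, int, int]:
    files = burst["files"]
    high = sum(1 for ev in files.values() if shannon_entropy(ev.data) >= entropy_threshold)
    return (burst["start"], len(files), high)


def find_bursts(events: Iterable[ChangeEvent], window_s: float = 60.0,
                max_files: int = 5, entropy_threshold: float = 7.0) -> List[Tuple[float, int, int]]:
    """Return one (start_ts, distinct_files, high_entropy_files) tuple per burst.

    A burst begins when more than `max_files` distinct paths have changed within
    the trailing `window_s` seconds and ends when the window count drops back
    under the threshold. Files are accumulated for the whole burst, so the
    count reflects everything the burst touched, not just the moment it tripped.
    """
    alerts: List[Tuple[float, int, int]] = []
    window: deque = deque()
    current = None                       # burst being accumulated, or None
    for ev in sorted(events, key=lambda e: e.ts):
        window.append(ev)
        while ev.ts - window[0].ts > window_s:
            window.popleft()
        distinct = {e.path for e in window}
        if len(distinct) > max_files:
            if current is None:
                current = {"start": window[0].ts, "files": {}}
            for e in window:
                current["files"][e.path] = e   # keep the latest content per path
        elif current is not None:
            alerts.append(_summarize(current, entropy_threshold))
            current = None
    if current is not None:                  # burst still open at end of input
        alerts.append(_summarize(current, entropy_threshold))
    return alerts


# --- constructed sample: a quiet morning, then eight files rewritten in 21 s ---
_TEXT = b"Quarterly report text " * 20                    # low entropy, like a real doc
def _ciphertext_like(k: int) -> bytes:
    return bytes((i + k) % 256 for i in range(256))       # every byte value once: 8.0 bits

SAMPLE_EVENTS = [
    ChangeEvent(0.0,    "share/notes.docx",  _TEXT),
    ChangeEvent(900.0,  "share/budget.xlsx", _TEXT),
    ChangeEvent(1800.0, "share/memo.docx",   _TEXT),
] + [
    ChangeEvent(3600.0 + 3 * i, f"share/doc{i}.docx", _ciphertext_like(i)) for i in range(8)
] + [
    ChangeEvent(7200.0, "share/late.docx", _TEXT),        # quiet again; closes the burst
]


if __name__ == "__main__":
    for start, n_files, n_high in find_bursts(SAMPLE_EVENTS):
        print(f"ALERT at t={start:.0f}s: {n_files} files changed, {n_high} look encrypted")
```

Two knobs deserve thought before this goes on a share with hundreds of writers: `max_files` has to sit above what a legitimate batch job (a nightly export, a user saving a project with many assets) produces, and the entropy check is what keeps those batch jobs from paging anyone, since a burst of ordinary documents scores low while a burst of ciphertext scores near 8. The alert is also only as fast as the event feed; a backup client's upload log works, but by then the files are already gone, so a kernel-level change notifier on the file server is the better source.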