Cryptolocker employs 'professional' twist

Read time 6min 50sec
Victims must pay up, or suffer the consequences.
Victims must pay up, or suffer the consequences.

The authors of Cryptolocker ransomware have unveiled a customer support decryption service for those struggling to pay the ransom on time.

Ransomware is a class of malware that restricts access to an infected computer system. For the restriction to be removed, users must pay a ransom to the malware creator, who will then send a decryption code.

"Researchers have been seeing the 'professionalisation' of crime-focused malware for some time. For example, e-banking malware providers have not only been providing software, but even technical support services to fraudsters," says encryption expert Ian Farquhar.

When the virus was first introduced, victims were given three days to settle up, or a line of numbers would be deleted from a file on the attackers' server, preventing them from ever decrypting the infected files.

According to Lawrence Abrams, who runs an online help forum called Bleeping Computer and who has been following Cryptolocker incidents, the attackers realised they were losing too much money because victims were unable to pay the ransom in time.

Changing their payment terms, but increasing the price for those who can't pay in time from two Bitcoins to 10, was how they solved this issue, he says.

In October, a Cryptolocker ransomware Trojan infected users' PCs by encrypting their data and demanding $300 or a similar amount in another currency for the decryption key.

Later that month, Cryptolocker evolved to accepting payment in Bitcoins, which allowed victims to remain totally anonymous. Today, the Trojan will only accept payment via Bitcoin or MoneyPak.

According to Farquhar, various governments shut down ways for fraudsters to get money from victims. "This is why they're using Bitcoins and certain forms of payment that don't allow easy tracing of the payment. I'm sure they'd use cash if it was practical for them to do so, but it's not."

For naive users, says Farquhar, sourcing this type of payment instrument may take longer than the deadline. "How many small business owners would know about Bitcoin exchanges?"


Farquhar says Cryptolocker takes quite a while to encrypt all of the data, so users can minimise the damage if they catch it early. Security professionals could decrypt all files if they had access to the command and control server infrastructure, he continues. "The server is based in Russia, based on its IP address, so the co-operation of Russian authorities would be needed."

Anti-virus (AV) solutions are ineffective, as they use signatures of known malware and the attackers need simply recompile and repack the code so the signatures won't match, adds Farquhar.

"More modern malware solutions use heuristic and behavioural analytics, but these are slower and sometimes generate false positives. Don't forget, the scammers have copies of all of these anti-virus tools too. They test their creations and if one of the common AV tools detect it, they figure out how to avoid that detection."

The malware is also being delivered as a ZIP file, containing an executable program, which installs the malware, says Farquhar. "The best approach is to understand phishing attacks, and learn not to be fooled. People need to check what they're opening, and not fall victim to the confidence tricks the fraudsters use."

However, he says the fact that more and more legitimate companies are sending out documents via e-mail is a problem. "Bills, bank statements, information, disclosure documents all arrive in e-mail daily to many people. These companies have a responsibility to learn how to assist users to verify that their documents are legitimate."

Using identifying information, such as a shared secret, in the e-mail is one way to clearly identify a legitimate mail, he suggests. "This is very important, but is often neglected because electronic billing is so often driven not by customer demand or customer convenience, but by a cost savings on the part of the bill sender.

"It's about time these companies stepped up and did a better job," says Farquhar.

To pay or not to pay?

Although it has been widely reported that victims who paid the ransom were in fact able to retrieve all their files, Farquhar says there is a practical and a moral dimension to the question of whether it's just easier to cough up and be done with it.

"Practically, as long as the fraudsters are unlocking files upon payment, and in lieu of a technical workaround, the rational approach is to pay the ransom. However, ethically, in doing so, you're funding predatory criminals and most likely organised crime. Your payment may be funding extremely unpleasant things - it's impossible to know."

Farquhar suggests that people consider both dimensions. "Can you recover the files some other way, such as from those backups everyone is supposed to be doing, but so few people actually do, despite the incredibly low cost of external drives? Do you really need those files? Are you ever going to use them again? If not, don't pay.

"I cannot advise one way or the other. It really becomes a choice the individual must make based on their own judgement of the situation," he says.

For Uri Rivner, VP of business development and cyber strategy at Biocatch, it's entirely up to the victim to decide what to do. "You either pay, or suffer the consequences, which, in this case, means not being able to see those files again unless you can recover some of them through other means."

Businesses must also remember that many files are backed up in the cloud, sent to colleagues and friends by e-mail, or otherwise stored not just on the hard drive, says Rivner.

"Ransomware may not be one of the top malware concerns, but anyone who is actually hit by Cryptolocker and similar nasties will learn - the hard way - why it's important to keep basic security hygiene on one's PC, or alternatively back up important files," he adds.

"Like other Trojans, Cryptolocker sneaks into your computer if you don't regularly patch up critical applications such as Flash, Java and Adobe reader, and then visit a Web site that has been hijacked, or if you fall for a social engineering attack."

Don't look to law enforcement

Users should not expect anyone to save them, according to Rivner. "Governments won't go after such operations as Cryptolocker, because the infrastructure may be hosted on civilian servers and digitally 'bombing' them might have adverse effects."

While law enforcement may want to put Cryptolocker's operator behind bars, this would take ages, if it happened at all, he says.

"There are private corporations that act against major pieces of malware in conjunction with law enforcement, but these operations are rare and they'll probably not help much - the best they'll do is prevent future victims from being hit, and chances are even this won't work. Attacking cyber crime infrastructure is a bit like an excessive use of antibiotics - you only make the malware operation more resilient in the future as the authors beef up their defences," explains Rivner.

"And if you're just reading this, realising that your files are totally not backed up and they really matter to you, then you should think about using a backup service or a detachable hard drive. This can save a lot of trouble."

See also