Malware that takes computers hostage until users pay a ransom is getting meaner, and thanks to the growing prevalence of Bitcoin and other digital payment systems, it's easier than ever for online crooks to capitalize on these "ransomware" schemes. If this wasn't already abundantly clear, consider the experience of Nic, an Ars reader who fixes PCs for a living and recently helped a client repair the damage inflicted by a particularly nasty title known as CryptoLocker.
It started when an end user in the client's accounting department received an e-mail purporting to come from Intuit. Yes, the attached archived zip file with an executable inside should have been a dead giveaway that this message was malicious and was in no way affiliated with Intuit. But accounting employees are used to receiving e-mails from financial companies. When the receiver clicked on it, he saw a white box flash briefly on his screen but didn't notice anything else out of the ordinary. He then locked his computer and attended several meetings.
Within a few hours, the company's IT department received word of a corrupt file stored on a network drive that was available to multiple employees, including the one who received the malicious e-mail. A quick investigation soon uncovered other corrupted files, most or all of which had been accessed by the accounting employee. By the time CryptoLocker had run its course, hundreds of gigabytes worth of company data was no longer available.
"After reading about the ransomware on reddit earlier this week, we guessed [that it was] what we were dealing with, as all the symptoms seemed to be popping up," Nic, who asked that his last name not be published, wrote in an e-mail to Ars. "We went ahead and killed the local network connection on the machine in question and we were immediately presented with a screenshot letting us know exactly what we were dealing with."
According to multiple participants in the month-long discussion, CryptoLocker is true to its name. It uses strong cryptography to lock all files that a user has permission to modify, including those on secondary hard drives and network storage systems. Until recently, few antivirus products detected the ransomware until it was too late. By then, victims were presented with a screen like the one displayed on the computer of the accounting employee, which is pictured above. It warns that the files are locked using a 2048-bit version of the RSA cryptographic algorithm and that the data will be forever lost unless the private key is obtained from the malware operators within three days of the infection.
“Nobody and never will be able to restore files”
"The server will destroy the key after a time specified in this window," the screen warns, displaying a clock that starts with 72:00:00 and counts down with each passing second. "After that, nobody and never will be able to restore files. To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency."
None of the reddit posters reported any success in breaking the encryption. Several also said they had paid the ransom and received a key that worked as promised. Full backup files belonging to Nic's clients were about a week old at the time that CryptoLocker first took hold of the network. Nic advised them to comply with the demand. The ransomware operators delivered a key, and about 24 hours later, some 400 gigabytes of data was restored.
CryptoLocker accepts payment in Bitcoins or through the MoneyPak payment cards, as the following two screenshots illustrate.
The outcome hasn't been as happy for other CryptoLocker victims. Whitehats who tracked the ransomware eventually took down some of the command and control servers that the operators relied on. As a result, people on reddit reported, some victims who paid the ransom were unable to receive the unique key needed to unlock files on their computer. The inability to undo the damage hit some victims particularly hard. Because CryptoLocker encrypted all files that an infected computer had access to, the ransomware in many cases locked the contents of backup disks that were expected to be relied upon in the event that the main disks failed. (The threat is a graphic example of the importance of "cold," or offline backup, a backup arrangement that prevents data from being inadvertently overwritten.)
Several people have reported that the 72-hour deadline is real and that the only way it can be extended is by setting a computer's BIOS clock back in time. Once the clock runs out, the malware uninstalls itself. Reinfecting a machine does nothing to bring back the timer or restore the old encrypted session.
Earlier this year, researchers from Symantec who infiltrated the servers of one ransomware syndicate conservatively estimated that its operators were easily able to clear $5 million per year. No wonder CryptoLocker has had such a long run. As of last week, more than three weeks after it was first published, the reddit thread was still generating five to 10 new posts per day. Also a testament to the prevalence and staying power of CryptoLocker, researchers from security firms TrendMicro and Emsisoft provided technical analyses here and here.
"This bug is super scary and could really wipe the floor with lots of small businesses that don't have the best backup practices," Nic observed. "Given the easy money available to scam operators, it's not hard to see why."