We’ve started seeing yet another version of CryptoLocker.
It begins as a very simple plain text email pretending to be an email-delivered fax. I’d like to point out that, in an effort to evade filters or at least make blocking these a bit harder, the cyber thief has been sending DropBox links to potential victims. As with many campaigns in the past, malware authors have tried to use legitimate, especially free, services to hide their malware. GoogleDocs was a favorite of spammers peddling their pharma campaigns, but Google was usually pretty quick to clean those up. In this instance it would appear that DropBox does not scan their stored files for malware, and CryptoLocker is taking full advantage of this.
This variation also appears to work a little differently in a few ways. Once the victim machine is infected, a few new pages pop up to inform the victim that they have been infected. One is a webpage explaining what just happened. Another is a text file entitled “DECRYPT_INSTRUCTION” that explains what you must do in order to decrypt your files. An interesting note in the decryption instructions this time is that they include Tor links that are supposed to be “your personal home page”. If you follow them, though, you will just end up at a page that looks like the original instruction page that pops up when you are first notified of your new infection. DO NOT click on these links!
The third page that pops up is reminiscent of the original CryptoLocker, providing a little countdown timer. Originally the timer represented the time you had left before they would destroy your personal encryption key; this time it states that when it runs out you will be charged double for their not-so-friendly decryption services. This go around it’s $500 – $600, and then $1000 – $1200 after the timer expires; the countdown appears to begin at 120 hours. With previous attacks, the payments were accepted through Western Union or Moneygram; this time they’re back to Bitcoin, and Bitcoin only.
This is a very nasty bug. Not only does it encrypt local files, but it also seeks out attached storage and network shares and encrypts everything on those as well. If you have a cloud-based storage system like DropBox open and logged in on your system, it attempts to encrypt those files too. It is not recommended that anyone pay these criminals the ransom they demand. We have not heard that anyone has paid and gotten their files back; the criminals just continue to bleed the user dry until the user stops paying additional money, and then they simply stop responding.
This particular variation requires the recipient of the email to click on the DropBox link to retrieve a Zip file. The Zip file must then be opened. Inside is a file named Fax-932971.scr; note the screensaver .scr extension. Once the file is extracted from the Zip, it appears with a PDF icon.
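As an added example (not code from the original post), here is a small Python check that a mail gateway or an analyst could run over an attached Zip before anyone opens it. It flags members with a directly executable extension such as .scr, names that hide a document extension in front of the real one, and members whose bytes begin with the Windows PE “MZ” marker while carrying a harmless-looking extension (the same trick as the PDF icon described above). The only name taken from the post is Fax-932971.scr; the archive contents, the other file names and the risky-extension list are constructed here for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs directly on double-click. A .scr screensaver is an
# ordinary PE executable with a different name. (Illustrative list, not exhaustive.)
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Document extensions commonly placed before the real one, e.g. "invoice.pdf.exe".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def inspect_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a disguised executable.

    Each finding is {"name": <member name>, "reasons": [<why it was flagged>, ...]}.
    Clean members produce no finding, so an empty list means nothing was flagged.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            ext = suffixes[-1] if suffixes else ""
            reasons = []

            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")

            if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("document extension placed before the real extension")

            # Look at the content, not just the name: a PE file starts with "MZ".
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header (MZ) under a non-executable extension")

            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Construct an in-memory Zip resembling the lure described in the post.

    The member contents are made up: only the name Fax-932971.scr comes from the post.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fax-932971.scr", b"MZ" + b"\x00" * 62)   # PE stub with .scr name
        zf.writestr("readme.txt", b"Please see the attached fax.")  # benign text
        zf.writestr("report.pdf", b"MZ" + b"\x00" * 62)       # PE stub hiding as a PDF
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The content check matters more than the name check: renaming a file costs an attacker nothing, whereas the first bytes of a PE executable are fixed. In production you would run this on every attachment before delivery and quarantine the message when `inspect_zip` returns anything.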
The ONLY way to combat this challenge is to remain HYPER ALERT AND VIGILANT about any and all emails that contain attachments. DO NOT CLICK ON ANY email attachments, faxes, bank transfers, PDF files, or ZIP files.
This Trojan employs a very complex encryption algorithm, and no one has managed to undo it so far. There is currently no antivirus or anti-malware program that can protect you from this, nor can any remove it and repair the damage afterwards. The ONLY RECOURSE available for anyone who gets infected is to isolate the compromised machines from their networks, format and re-install the affected systems and servers, and then restore them from backups. In many cases, unless you have a comprehensive offsite backup solution, your critical data is encrypted and cannot be restored. We have found that even paying the ransom will not get your data back, as the criminals do not respond even after you’ve sent the money.