This is a game-changing Trojan belonging to the class of malware known as ransomware. It seriously changes views
on malware, on antivirus programs and on backup routines. It is one of the few Trojans/viruses that made it
to the front pages of major newspapers such as the Guardian.
Unlike most Trojans, this one does not need admin access to inflict maximum damage. It also targets
backups of your data on USB and mapped network drives. If you offload your backups to cloud storage
without versioning and the backup has an extension present in the list of extensions used by this Trojan,
it will destroy (i.e. encrypt) your "cloud" backups too.
It really encrypts the data in a way that excludes any possibility of decryption without paying the ransom,
so it is very effective in extorting money for the decryption key. Whether you actually get the key is another
matter, as the servers that transmit it from the command and control center might already be blocked; still,
chances are reasonably high. The server names the Trojan contacts to get the public key change (daily?), and
so far at least one server the Trojan "pings" is usually operational, so even on Oct 28 decryption
was possible. At the same time the three-day timer is real, and once it expires the possibility of decrypting
the files is gone. Essentially you have only two options:
To pay the ransom, hoping that the cyber crooks will start the decryption.
Restore your files from a backup (if you are lucky enough to have a recent backup on a disconnected or
non-mapped drive, or with an extension not targeted by the Trojan).
Beware of snake oil salesmen who try to sell you a "disinfection" solution. First of all, disinfecting
from the Trojan is trivial, as it is launched by a standard CurrentVersion\Run registry
entry. The problem is that such a solution does not and cannot include restoration of
your files.
It was discovered in early September 2013 (around September 3, when the domains used to reach the C&C center were
registered, with the first description on September 10; see
Trojan:Win32/Crilock.A).
Major AV programs did not detect it until September 17, which resulted in significant damage inflicted
by the Trojan.
Here is the screen displayed when the Trojan has finished encrypting the files (it operates silently
before that, although the load on the computer is considerable, since encryption is a heavy computational task):
Files encrypted by CryptoLocker can't be decrypted without paying the ransom. They can only be restored
from backup, if a backup is available and was not encrypted in the process as well (which stresses the
value of offline backups, aka "cold backups").
Please be aware of snake oil salesmen, and of confusion with some other, older virus that was also called
Cryptolocker. Especially beware of pages that mention SpyHunter by Enigma Software.
As of the second half of October such links top all search engines; the following is typical:
CryptoLocker virus is a series of ransomware infections that we have
recently classified as extremely dangerous and recommend removing immediately. This page
will show you precise instruction on how to remove the CryptoLocker virus.
The CryptoLocker virus hijacks the computer and limits its functionality
in an attempt to hold your PC ransom. It will make claims that your access to your computer
is limited and other similar warnings and to unlock the encryption the infected user will
need to pay a "fine." It is important to note that all of the warnings and messages that
come from the CryptoLocker Hijack virus are fake and should be disregarded. However, the
CryptoLocker Hijack virus will not allow the computer to work normally
until it is completely removed. The CryptoLocker Hijack virus will not go away on its own,
action must be taken to remove it. Please see below where we show our easy step-by-step
removal instructions for the CryptoLocker Hijack virus.
quietman7 (Global Moderator):
From the PC Tuneup instructions:
b. By clicking run you will have begun downloading a program called SpyHunter4
made by Enigma Software. Spyhunter4 features the latest in virus removal technology
and has one of the largest Malware and Virus databases in the world. Spyhunter4 is one
of the only programs that offers Point & Click virus removal. This program will guide
you through the entire installation process.
c. Once you have run the Full Scan using Spyhunter4, and followed the prompts to
register your software, your virus should have been removed. Take a moment to reboot
your computer and make sure it is running properly. If not, you may have a more serious
issue. If this does happen, do not hesitate to call our hassle free virus removal help
line.
SpyHunter by Enigma Software is a program that was previously listed as
a rogue product on the
Rogue/Suspect Anti-Spyware Products List because of the company's history of
employing aggressive and deceptive advertising. It has since been delisted but in my opinion
it is a dubious program which is not very effective compared to others with a proven track
record and I would not trust all the detections provided by its scanning engine.
Newer versions of SpyHunter apparently install their own "Compact OS" and use the Grub4Dos loader
to execute on boot up. The user no longer sees the normal Windows boot menu but instead
sees the GRUB menu. For some folks this has resulted in SpyHunter causing a continuous loop
when attempting to boot. An example was reported in this
topic.
Further, AV-Test has not included SpyHunter in the comprehensive testing analysis that
would reveal how SpyHunter compares to the best anti-spyware in terms of protection, repair
and usability.
When searching for unfamiliar or unknown malware on the Internet, it is not unusual
to find numerous hits from untrustworthy and scam sites which misclassify detections
or provide misleading information. This is deliberately done more as a
scam to entice folks into buying an advertised fix or removal tool.
SpyHunter is one of the most common "so-called" removal tools pushed by
these sites.
Netghost56
Grinler, on 28 Oct 2013 - 09:30 AM, said:
Typical BS from those types of virus removal guide blogs. All they are trying to
do is sell the product.
Thanks for letting us know.
Kind of ironic but last night CNBC did an episode of American Greed that was about
Innovative Marketing and Winfixer scareware (fake AV) -- the forerunners of ransomware,
IMO.
In other words, as in most cases of game-changing viruses in the past, the AV companies were caught with their
pants down. Payment servers were still up on Oct 15 and several users reported that the decryption keys were
delivered, at least initially. But most successful cases of decryption by paying the ransom are limited
to September. While for early victims the chances of getting the decryption key after payment were close
to 100%, they gradually drop; now, in late October, even if you pay the ransom there is no guarantee
that the keys will be delivered, as most of the servers used are probably already taken down and the criminals
might already be on the run.
Rebooting the PC does not clear the timer; it continues from the value it had before the reboot. It is
unclear whether keeping the PC shut down for a while can buy you additional time, as the timer might
also be ticking on the "mothership" holding the private key.
It took approximately two weeks for major AV products to detect this Trojan (until September
17). So again most AV companies were caught with their pants down. Only approximately a month later could some
AV programs block the Trojan from running (CryptoLocker
Recap: A new guide to the bleepingest virus of 2013, sysadmin):
I'll put at the top that MalwareBytes Pro, Avast! Free and Avast! Pro (defs 131016-0 16.10.2013
or later) will prevent the virus from running.
This is also an interesting case where disinfection means destruction
of your data. Unless you reinstall the Trojan, there is no way you can decrypt any
of the files it encrypted. Please note that this Trojan can be reinstalled in case of necessity and,
unless the related registry entries were cleaned, it can still accept payment of the ransom. It is unclear how
the time counter behaves in this case; it probably does not make sense if the counter has expired.
It also stressed the value of cold backups, a good spam filter and filtering of executable attachments
(most victims opened attachments, which a good spam filter would probably have blocked). Another viable
defense is installing stricter group policies: blocking executables in your Documents and Settings folder and
enforcing strong software restriction policies (SRPs) that disallow
execution of .exe files from AppData/Roaming as well as %AppData%\*\*.exe.
See Prevention for some ideas on creating such group policies.
As the servers used by CryptoLocker are now under the gun, the chances that they will be able to push
your private key back diminish with time. Here is a relevant discussion:
It's actually very, very clever. If there was no real benefit to paying them, people wouldn't
pay them. Take into consideration the many people with failed backup systems and even $300 doesn't
measure up to lost productivity in having the files unusable forever; suddenly paying the ransom
is the logical choice. When you look at the file masks, it's obvious it's targeted at businesses,
in particular graphic designers and photographers, though the Office files obviously would hit
just about any of us.
Yeah, I guess that makes sense. If they never delivered word would spread that the entire
thing is completely bogus and people would find other ways to combat the infection. Kind of
shooting themselves in the foot if they don't deliver.
I wonder if they're nice enough to clean out your computer of their ransomware or they leave
their traces behind.
Names, as always, vary from one AV company to another. Microsoft uses the name
Trojan:Win32/Crilock.A; other security and antivirus programs use different names
(from VirusTotal; a dash means the engine reported no detection on that date):
Antivirus             Result                               Update
Agnitum               Trojan.Kazy!HF4Ga+lwjwI              20130916
AhnLab-V3             Trojan/Win32.Blocker                 20130917
AntiVir               TR/Crilock.B                         20130917
Antiy-AVL             Trojan/Win32.Blocker                 20130917
Avast                 Win32:Malware-gen                    20130917
AVG                   Ransomer.CEL                         20130916
Baidu-International   Trojan-Ransom.Win32.Blocker.cfwh     20130916
BitDefender           Gen:Variant.Kazy.243236              20130917
Bkav                  W32.VariantMedfosF.Trojan            20130917
ByteHero              -                                    20130916
CAT-QuickHeal         Trojan.Crilock                       20130917
ClamAV                -                                    20130917
Commtouch             W32/Trojan.BXXK-0690                 20130917
Comodo                UnclassifiedMalware                  20130917
DrWeb                 Trojan.Encoder.304                   20130917
Emsisoft              Gen:Variant.Kazy.243236 (B)          20130917
ESET-NOD32            Win32/Filecoder.BQ                   20130916
F-Prot                -                                    20130917
F-Secure              Gen:Variant.Kazy.243236              20130917
Fortinet              W32/Filecoder.BQ                     20130917
GData                 Gen:Variant.Kazy.243236              20130917
Ikarus                Trojan-Ransomer.CEL                  20130917
Jiangmin              -                                    20130903
K7AntiVirus           Trojan                               20130916
K7GW                  Trojan                               20130916
Kaspersky             Trojan-Ransom.Win32.Blocker.cfwh     20130917
Kingsoft              Win32.Troj.Undef.(kcloud)            20130829
Malwarebytes          Trojan.Ransom                        20130917
McAfee                RDN/Ransom!dp                        20130917
McAfee-GW-Edition     RDN/Ransom!dp                        20130917
Microsoft             Trojan:Win32/Crilock.A               20130917
MicroWorld-eScan      Gen:Variant.Kazy.243236              20130917
NANO-Antivirus        -                                    20130916
Norman                CryptoLocker.A                       20130916
nProtect              -                                    20130917
Panda                 Trj/Ransom.AZ                        20130916
PCTools               -                                    20130916
Rising                -                                    20130917
Sophos                Troj/Ransom-ABV                      20130917
SUPERAntiSpyware      -                                    20130917
Symantec              Trojan.Ransomcrypt.F                 20130917
TheHacker             -                                    20130917
TotalDefense          -                                    20130916
TrendMicro            TROJ_RANSOM.NS                       20130917
TrendMicro-HouseCall  TROJ_RANSOM.NS                       20130917
VBA32                 Trojan-Ransom.Blocker.1193           20130916
VIPRE                 Trojan.Win32.Cryptolocker.mc (fs)    20130917
ViRobot               Trojan.Win32
Only around September 16, 2013, more than a week after the launch of the Trojan, were sufficiently robust
signatures to detect and block it in memory deployed. Only one AV program detected it at launch.
The infection vectors of CryptoLocker were pretty traditional for malware:
Distributed as an attachment to a malicious e-mail. The mails are pretty sophisticated but
do not look targeted at particular individuals.
By and large they claim to be a dispute notification, which sounds a lot like the way Zeus was
spread. For example, an email carrying the CryptoLocker attachment had the subject "Annual
Form - Authorization to Sue Privately Owned Vehicle on State Business" and supposedly came
from Xerox. [Remove CryptoLocker virus and restore encrypted files]
As a scan of some document (one poster: "I have two in my spam collection"):
-----Original Message-----
From: Xerox WorkCentre [mailto:Xerox.Device9@ company ] Sent: Friday, 18 October 2013 4:03
AM
To: Administrator
Subject: Scan from a Xerox WorkCentre
Please download the document. It was scanned and sent to you using a Xerox multifunction
device.
File Type: pdf Download: Scanned from a Xerox multi~0.pdf
multifunction device Location: machine location not set Device Name: Xerox1075
For more information on Xerox products and solutions, please visit
http://www.xerox.com [note: this is a genuine link to the Xerox website]
As voice message attachments:
In one company the attachment was called "Voicemail.zip" "Voicemail.exe"
One I saw today was "Voice Message from Unknown (899-536-7483)" with a zip file, from
a cdog.com address.
As a resume:
I just saw a new email with attachment today:
Subject: "My resume"
Attachment: "Resume_LinkedIn.zip"
EXE: "Resume_LinkedIn.exe"
The body of the message says:
"Attached is my resume, let me know if its ok.
Thanks, Tommie Bledsoe"
Drive-by download from the Web.
As part of the botnet "payload" for Zeus botnets.
Once CryptoLocker has been downloaded and executed by the downloader, it ensures its automatic start
during boot by using (in one variant; others may differ) the following registry value
(note that the file name consists of random hexadecimal digits):
CryptoLocker first attempts to connect
to a command-and-control server, after which it generates a 2048-bit RSA public and private key pair
and uploads the key to the server. The malware then attempts to encrypt data on any local or network
storage drive that the user can access, using a 2048-bit RSA key and targeting files matching a
whitelist of file extensions.
Attached drives and networked computers are also vulnerable to the attack. Cloud storage backup
can be destroyed unless versioning is implemented.
While the public key is stored on the computer, the private key is stored on the command-and-control
server; CryptoLocker demands a payment of US$300, with either a MoneyPak card or
Bitcoin, to recover the key and begin decrypting
files. For some victims who paid the ransom, it took six days to get the recovery key.
Infected users also have a time limit to send the payment. The malware threatens to delete the private
key if a payment is not received within 3 days. If this time elapses, the private key might be destroyed,
and your files may be lost forever.
Due to the extremely large key size it uses, files affected by the worm can be considered lost. This
ransomware is particularly nasty because infected users are in danger of losing their personal files
forever.
Spread through email attachments, this ransomware has been seen targeting companies through phishing
attacks.
When you are infected, the server generates the key pair and sends out the public key, which is used
to encrypt all your files. The virus stores this public 2048-bit RSA key in the local registry.
By the time the notification pops up, it has already encrypted everything; it is silent until the job is
done. It appears that, if they are in fact using the public key to encrypt the files, that removes the
possibility of any type of key recovery and also explains why encrypting/decrypting
files is extremely slow. That might not be true:
I thought I read somewhere that the actual encryption was a symmetric encryption (maybe AES).
They created a per-file symmetric key and encrypted that with the RSA public key and stored it inside
the encrypted file as a header. Obviously this would be much faster and with a per-file key you
can really give up on any kind of decryption effort since you'd have to attack it on a file-by-file
basis.
To decrypt, the Trojan goes to a C&C server for the private key; the private key only leaves the server upon
confirmed payment.
Attached drives and networked computers are also vulnerable to the attack. Unless backups are versioned
they can be destroyed by encryption.
An approximate calculation of the total ransom collected gives millions of dollars:
Even if we use the extremely conservative estimate of 5000 users per day, which is a no-effort
infection rate, this is still 240,000 infections over the roughly ~48 days since the malware went
public.
Given the estimated 3% payout rate (which I believe is also conservative), that equals a total
earnings to date of $2,160,000 based on two conservative estimates.
CryptoLocker will encrypt users' files using a variant of
asymmetric encryption, which requires
both a public and a private key.
The public key is used to encrypt and verify data, while the private key is used for decryption. The private
key exists for a limited time on the C&C server and is deleted if the user does not pay the ransom.
Below is an image from Microsoft depicting the process of asymmetric encryption.
There is nothing new in the encryption process used, other than the ability of the criminals to hide
the command and control center, since without the ability to obtain the private key the scheme does not make
sense. Here we see interesting evidence of where the NSA's focus lies: with the ability to intercept most of the
world's traffic, they could have stopped this criminal network in a matter of a couple of weeks. But it might well
be that this Trojan is not considered a matter of national security.
According to the Guardian, 3% of victims pay the ransom. It looks like the process of pushing the private key back
is manual and can take a week from the payment.
Connection with the C&C server is established through either a hardcoded IP (184.164.136.134,
which is down now) or if that fails through a domain generation algorithm located at 0x40FDD0
and seeded by GetSystemTime. At this time I found that xeogrhxquuubt.com and qaaepodedahnslq.org
are both active and point to 173.246.105.23.
The communication channel uses POST to the /home/ directory of the C&C server. The data
is encrypted using RSA. The public key can be found at offset 0x00010da0 inside the malware
file.
On first contact the malware will send in an information string containing the malware version,
the system language, as well as an id and a group id. In return it receives a RSA public key.
In my case this has been:
The key is saved inside HKCU\Software\CryptoLocker. If you want to capture the key on your
system, the easiest way to do so is to break on CryptStringToBinaryA.
The malware targets files using the following search masks:
The encryption used to encrypt files matching these masks is a mix of RSA and AES. Essentially
the malware will generate a new AES 256 key for each file it is going to encrypt. The key is
then used to encrypt the content of the file. The AES key itself is then encrypted using the
public RSA key obtained from the server. The RSA encrypted blob is then stored together with
the encrypted file content inside the encrypted file. As a result encrypted files are slightly
larger than their originals. Last but not least the malware records the file it encrypted inside
the HKCU\Software\CryptoLocker\Files key. Value names are the file paths where "\" has been
replaced with "?". I haven't looked into the meaning of the DWORD value yet.
Feel free to add anything you find that I haven't covered in my notes yet. At least from what I
can tell so far, decryption without paying the ransom is not feasible.
As the malware has existed for more than a month, it is clear that it has sophisticated mechanisms for hiding
its command and control center. The ability to hide the command and control center is by and large based on the
greed of domain name registrars,
which serve as clear accomplices of these criminals (the ability to use a
domain generation algorithm). Here is a description of the process from
CryptoLocker - a new ransomware variant (Emsisoft Blog):
If that fails the malware will start generating seemingly random domain names using a domain
generation algorithm. This is done by creating a seemingly random string of characters based on
the current system time and prepending it to one of the following seven possible top level domains:
.com
.net
.biz
.ru
.org
.co.uk
.info
If you know the algorithm, you are able to predict which domain name the malware is going to
contact on any given day, thus allowing the attacker to set up new domains in case old domains or
the abovementioned fixed IP is taken down. At the time this blog post was written, we found the
following randomly generated domain names to be active:
xeogrhxquuubt.com
qaaepodedahnslq.org
Once a suitable command and control server has been found, the malware will start to communicate
through regular HTTP POST requests.
(Figure: public key used by the malware for communication with its command and control server)
HTTP merely acts as a wrapper though. All actual data exchanged during the communication between
the bot and its command and control server is encrypted using RSA. The public key used for the encryption
of the communication is thereby embedded inside the malware file. Using RSA based encryption for
the communication not only allows the attacker to obfuscate the actual conversation between the
malware and its server, but also makes sure the malware is talking to the attacker's server and
not a blackhole controlled by malware researchers.
File encryption
(Figure: decoded initial request to obtain the RSA public key used for encryption)
Once the system has been successfully infected and a communication channel to the command and
control server has been established, the malware will start the encryption process by requesting
an encryption key. A typical request includes the version of the malware, a numeric id, the system's
network name, a group id as well as the language of the system.
(Figure: decoded reply sent by the server to a key request)
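The DGA and C&C details quoted above give a defender two things to look for in resolver logs: long, vowel-poor labels under the seven TLDs the algorithm uses, and answers pointing at the addresses the analyses name. The following Python is an added example, not code from the page, Emsisoft or any quoted poster; the log line format, the scoring thresholds and the benign sample queries are constructed assumptions.

```python
import math
import re

# TLDs the Emsisoft write-up above lists for the CryptoLocker domain generation algorithm.
# ".co.uk" comes first so it is tested before the single-label suffixes.
DGA_TLDS = (".co.uk", ".com", ".net", ".biz", ".ru", ".org", ".info")
# Addresses quoted in the analyses above: the hard-coded fallback C&C and the host the two
# active DGA domains resolved to at the time of writing.
KNOWN_C2_IPS = {"184.164.136.134", "173.246.105.23"}
VOWELS = set("aeiou")

# Assumed log line format (constructed for this example; adapt to your resolver's logs).
LOG_RE = re.compile(
    r"client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+type=(?P<type>\S+)"
    r"(?:\s+answer=(?P<answer>\S+))?"
)


def shannon_entropy(text):
    """Bits per character of `text`; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(label):
    """Length of the longest run of consecutive consonants (digits break a run)."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def registrable_label(domain):
    """Return (label, tld) for a name under one of DGA_TLDS, e.g. ('example', '.co.uk'); else None."""
    name = domain.lower().rstrip(".")
    for tld in DGA_TLDS:
        if name.endswith(tld) and len(name) > len(tld):
            return name[: -len(tld)].split(".")[-1], tld
    return None


def looks_generated(label):
    """Heuristic for machine-generated labels. Thresholds are assumptions tuned on the two
    domains named in the text; alphanumeric labels are allowed since many DGAs emit digits."""
    if len(label) < 12 or not label.isalnum():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    odd_spelling = vowel_ratio < 0.35 or longest_consonant_run(label) >= 5
    return odd_spelling and shannon_entropy(label) >= 3.0


def scan_dns_log(lines):
    """Return one alert dict per suspicious query: {'client', 'query', 'reasons'}."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = []
        split = registrable_label(m["query"])
        if split and looks_generated(split[0]):
            reasons.append("DGA-like label " + split[0] + split[1])
        if m["answer"] in KNOWN_C2_IPS:
            reasons.append("resolves to known C&C address " + m["answer"])
        if reasons:
            alerts.append({"client": m["client"], "query": m["query"], "reasons": reasons})
    return alerts


# Constructed sample log: benign lookups around the two DGA domains from the text.
SAMPLE_LOG = """\
2013-10-28T10:15:01Z client=10.0.0.17 query=www.google.com type=A answer=192.0.2.1
2013-10-28T10:15:02Z client=10.0.0.17 query=bleepingcomputer.com type=A answer=192.0.2.2
2013-10-28T10:15:03Z client=10.0.0.17 query=xeogrhxquuubt.com type=A answer=173.246.105.23
2013-10-28T10:15:04Z client=10.0.0.17 query=qaaepodedahnslq.org type=A answer=173.246.105.23
2013-10-28T10:15:05Z client=10.0.0.23 query=mail.example.co.uk type=A answer=192.0.2.3
""".splitlines()

if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_LOG):
        print(alert["client"], alert["query"], "; ".join(alert["reasons"]))
```

A hit on both reasons from one client is the pattern the analysis describes (a generated name resolving to the C&C host); a hit on the label heuristic alone needs whitelist review, since long brand names can score high on entropy.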
The WHOIS record for qaaepodedahnslq.org shows it was created on 09-Sep-2013 through the registrar PDR Ltd. d/b/a PublicDomainRegistry.com.
Command-and-control (C&C) server communication is essential for botnet creators to control zombie
computers (or bots). To hide this from security researchers, they often use rootkits and other "tricks".
However, hiding the network traffic – specifically from monitoring outside an infected computer
– is not an easy task, but is something that the botnet creators have improved through the years.
Detecting and blocking C&C communication is one way to protect users against the dangers of botnets.
Threat actors know this, thus they have developed different ways to make the C&C communication more
resistant to network security products.
In this report, we will discuss how the latest wave of Pushdo variants keeps its C&C communication
channel under the radar. Known as a spamming botnet, Pushdo/Cutwail was taken down
several times in the past. They are also known to distribute ZeuS/ZBOT variants.
Pushdo Hides Among the Crowd
If you are a potential attacker, the best way to not get caught is to blend your communications
with normal/legitimate traffic and appear as inconspicuous as possible. Pushdo creators understand
this and adopted this strategy into their latest malware.
As shown in Figure 1, these Pushdo variants send out numerous HTTP requests. Among them are requests
to the real C&C server. However, most of these requests serve as mere distractions.
Figure 1. PUSHDO Network Traffic Snippet
The malware sample we analyzed contains an encrypted list of 200 domains (see Figure 2). It randomly
chooses 20 among them and requests either the root path or the path of "?ptrxcz_[random]". Some
of these domains belong to large companies or famous educational institutions, while some are obscure
websites. This makes C&C server identification using network traffic analysis more difficult as
it can be tough to distinguish real C&C connections among the fake ones.
Figure 2. Decrypted list of the 200 domains
Another by-product of this fake C&C feature is the potential distributed denial-of-service (DDoS)
the malware can initiate against the 200 web servers on the list. Though the true intention is not
to execute this attack, the huge number of useless requests eats up a lot of bandwidth of these
websites.
Sandbox analysis is a popular tool in malware analysis. Many organizations have adopted some
kind of automatic sandbox system to detect and block unknown malware. This fake C&C feature, however,
poses new challenges to these systems. Before adding a server into the C&C blacklist, a system needs
to check the whitelist first. If the whitelist is not good enough, there may be some false positives
and inadvertently make legitimate websites inaccessible to users.
Pushdo DGA Complicates Matters
Another noteworthy PUSHDO feature is its domain generation algorithm (DGA). DGA is popular
among botnet malware these days. Its purpose is to make malware more resistant to C&C takedowns.
Pushdo in particular uses the calendar date as the seed in its DGA and generates 30 domains for each
day. It tries to connect not only to the domains for a given day, but also to all domains generated for
days between 30 days earlier and 15 days later. In other words, it may try to connect to 1380 domains
each day. It seems most of them are parked domains right now and point to an advertisement page
(Figure 3).
Figure 3. Screenshot of Pushdo Generated Domain
This DGA feature can be challenging for behavior and sandboxing analysis. Using sandboxing analysis
without reverse engineering the malware and figuring its DGA may not be enough to block C&C communication,
as the malware generates different domains for each day.
During our analysis, we effectively monitored Pushdo's C&C using Trend Micro Web Reputation Services
feedback. As shown in Figure 4, there were attempts to connect to one of the C&C servers. The query
requests came from different locations, suggesting that there are still other computers infected
by this malware.
Figure 4. Requests sent to Trend Micro Web Reputation Service
Traditional methods of combating malware, such as file-signature detection, may not be sufficient
in today's threat landscape. Malware authors and the like have developed effective tactics against
signature-based detection, such as polymorphism and the use of packers.
Monitoring the behavior of malware inside a sandbox is a good approach to address this challenge,
but it is not a stand-alone solution. Malware like PUSHDO proves that relying on one solution
is not enough. Such technology, coupled with deep analysis and tools like Web Reputation Services,
provides more robust protection against these threats.
Unlike most Trojans, this one does not need admin access to inflict maximum damage. This particular malware
does not exploit any vulnerability in the OS. Here are some ideas for proactive prevention of this
and similar viruses:
Use a DNS service that can block resolution of domains less than a month old and of "generated" names.
In this case the Trojan can't communicate with the C&C center and get the key. See
for example OpenDNS.
Get a version of Windows with shadow copy functionality and turn it on.
I also edited the registry to classify .zip file attachments as "Level 2" files. When
Outlook users click on a .zip file attachment they now get the message:
"Attachment Security Warning. This file may contain a virus that can be harmful to your
computer. You must save this file to disk before it can be opened. It is important to be
very certain that this file is safe before you open it."
I've been asked what procedure I followed to classify .zip file attachments as "Level 2" files.
This is what worked for me using Windows 7 and Outlook 2010. The Microsoft Knowledge Base article
lists the correct procedure for other versions of Office.
Prevent users from opening .zip files in Outlook 2010:
Disable hiding of extensions. This is not enough to protect from the Trojan, but
this feature of Microsoft Windows adds to the confusion. It was a pretty idiotic idea from the very
beginning, and Microsoft inflicted a lot of suffering on Windows users with this stupid attempt
to make Windows more user-friendly.
A good spam filter can block infection via attachments. Detection of a mismatch between the
extension and the file header would also help (the executable is typically disguised as a PDF,
and due to Microsoft's incompetence Windows happily executes it instead of checking the header and
complaining about the discrepancy).
Patch Java or, better, completely disable it in the browser (along with ActiveX).
In view of the damage inflicted by the Trojan this might be very helpful despite the obvious inconvenience.
That will block "drive-by" infection when a user visits a malicious web site. Please note that
running the Web browser in a VM does not help if the VM has access to the files of the main computer or to network
drives (which is typically the case). So this Trojan effectively defeats VM-based defense.
Use a network proxy and address translation, which make direct access to the command and control
center more difficult (although not impossible, if they use HTTPS). Some posters claim that if you
disconnect the computer from the network when the virus starts encrypting, it immediately stops the encryption
process and shows the ransom screen.
Use stricter group policies. If the Trojan can't get to the command and control center it
just stops. That can be different with other "copycat" Trojans. This is a very effective method
with relatively minor side effects, which protects against a class of Trojans, not just a single Trojan.
See below for some ideas.
Immunization of the computer, based on the fact that the virus accesses files and directories in alphabetical
order. You can monitor the number of open files on the computer and create a honeypot
directory that the virus would visit first (alphabetically). Throw in a few files that would
tie it up encrypting for a while, and create a script that monitors the content of the first file with
grep or something similar. If grep fails, send an alert message and start generating
large dummy files with sequential letters (which the virus will try to encrypt next), effectively
trapping the process in an infinite loop until the alert is noticed and dealt with (you would also
need to delete the old encrypted files so the drive doesn't fill up and let it escape).
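One way to build the canary directory described above, as an added PowerShell example that is not part of the original page: a directory whose name is meant to sort before every ordinary folder (the leading "!" and the assumption that the malware walks names in that order are mine, following the passage), a few Office-style files of known content, and a polling loop that compares SHA-256 hashes instead of grepping for a string. The first changed or missing canary writes a Warning to the Application event log and, with -IsolateOnTamper, disables the network adapters, the response the passage reports as stopping the encryption run. Directory name, file names, event IDs and polling interval are placeholders to adjust.

```powershell
# Added example (not from the page): canary documents in a directory that sorts
# first, polled by SHA-256; a changed or missing canary raises an Application
# event-log Warning and, with -IsolateOnTamper, disables the network adapters.
# Run elevated; New-EventLog needs it the first time.
param(
    [string] $CanaryRoot = 'C:\!canary',   # assumption: "!" sorts ahead of letters and digits
    [int]    $IntervalSeconds = 10,
    [switch] $IsolateOnTamper               # Disable-NetAdapter exists on Windows 8 / Server 2012 and later
)
$ErrorActionPreference = 'Stop'
$Source = 'CanaryMonitor'

function Get-Sha256Hex([string] $Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($Path))) -replace '-', '' }
    finally { $sha.Clear() }
}

function Initialize-Canary {
    # Extensions come from the Trojan's target list quoted on this page; the
    # content is pseudo-random filler whose only job is to have a known hash.
    New-Item -ItemType Directory -Path $CanaryRoot -Force | Out-Null
    foreach ($name in '!aaa.doc', '!aab.xls', '!aac.pdf') {
        $file = Join-Path $CanaryRoot $name
        if (-not (Test-Path $file)) {
            $filler = New-Object byte[] (1MB)   # a larger file keeps the encryptor busy longer than an empty one
            (New-Object System.Random 42).NextBytes($filler)
            [IO.File]::WriteAllBytes($file, $filler)
        }
    }
    Get-ChildItem $CanaryRoot | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        New-Object PSObject -Property @{ Path = $_.FullName; Hash = (Get-Sha256Hex $_.FullName) }
    }
}

function Test-Canary {
    # Returns the canary paths that changed or disappeared since the baseline was taken.
    param([object[]] $Baseline)
    foreach ($entry in $Baseline) {
        if (-not (Test-Path $entry.Path)) { $entry.Path; continue }
        if ((Get-Sha256Hex $entry.Path) -ne $entry.Hash) { $entry.Path }
    }
}

if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}
$baseline = @(Initialize-Canary)
Write-EventLog -LogName Application -Source $Source -EventId 1000 -EntryType Information `
    -Message "Canary monitor started; watching $($baseline.Count) files under $CanaryRoot"

while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $changed = @(Test-Canary -Baseline $baseline)
    if ($changed.Count -eq 0) { continue }
    # Which process did the writing is not knowable from here; the alert lists
    # the touched canaries and leaves triage to whoever reads the event log.
    Write-EventLog -LogName Application -Source $Source -EventId 1001 -EntryType Warning `
        -Message ("Canary files modified or removed (possible encrypting malware):`n" + ($changed -join "`n"))
    if ($IsolateOnTamper) {
        Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Disable-NetAdapter -Confirm:$false
    }
    break
}
```

Run it as a scheduled task at startup under an account that can write the event log, and forward event ID 1001 from the Application log to whatever alerting you already have. The dummy-file tarpit from the passage is deliberately left out: filling a drive to stall the encryptor is a judgement call that belongs to the operator who receives the alert, not to an unattended script.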
This Trojan explicitly targets backups in addition to files with MS Office extensions and the like (see
above). Backups now need to be kept offline and brought online only when the need arises.
Network drives should be unmapped. Rotating physical disks is also a good idea.
One of the most viable methods for preventing this type of malware from running is to tighten your
Group Policy. Details vary and depend on your level of understanding of Group Policies. Here is one
reasonably simple but effective variant that does not require any understanding of Group Policies (CryptoLocker
Prevention):
Not tested, but the idea of using group policies is right.
CryptoPrevent is a tiny utility to lock down any Windows OS to prevent infection by the Cryptolocker
malware or 'ransomware', which encrypts personal files and then offers decryption for a paid ransom.
Recent Changes:
◦v2.2.1 – made changes to prevent duplicate rules from being created when protection is applied
multiple times without undoing the protection first. No harm would come from the duplicate rules,
but my OCD was bothering me.
◦v2.2 – added additional restriction policies to better protect Windows XP against the latest strains
– prior versions were not protecting %username%\local settings\application data and their first
level subdirectories, but rather only %username%\application data and their first level subdirectories.
Along with this comes additional whitelist scanning functionality. Other syntax changes in the rules
for better compatibility with all OSes.
◦v2.1.2 – added gpupdate /force to force a refresh of group policy after removing prevention via
the Undo features. This may negate the need for a reboot after Undo, and resolve issues where a
reboot doesn't quite do the trick… Also added a re-test for active protection to determine if a
reboot prompt should be displayed after Undo, on the chance that it is still required.
◦v2.1 – fixed Temp Extracted EXEs blocks on some systems that refused to work with %temp% in the
rules.
◦v2.0.1 – fixed whitelisting capabilities not working on some systems since v2.0
There already exists a Cryptolocker Prevention Kit as found here, but it only works with domains
and OSes that have access to group policy editor (Professional versions of Windows) leaving Home
versions without a method of protection. It also isn't the most intuitive of installations for the
average Joe, either. The methodology CryptoPrevent uses to lock down a system is presented by Lawrence
Abrams of bleepingcomputer.com here, and without that guide CryptoPrevent would not exist. Unfortunately,
like the other Cryptolocker Prevention Kit mentioned, Lawrence Abrams guide involves usage of the
Group Policy Editor available in Professional versions of Windows, and is a time consuming manual
task. CryptoPrevent seeks to alleviate these issues in allowing protection on ALL Windows OSes,
while being easy enough for the average Joe to do, and optionally providing silent automation options
for system admins and those who need to immunize a lot of computers automatically.
CryptoPrevent is a single executable and is fully portable (of course unless you download the
installer based version) and will run from anywhere, even a network share.
Prevention Methodology
CryptoPrevent artificially implants group policy objects into the registry in order to block
certain executables in certain locations from running. Note that because the group policy objects
are artificially created, they will not display in the Group Policy Editor on a Professional version
of Windows - but rest assured they are still there!
Executables are blocked in these paths where * is a wildcard:
◦%appdata% and any first-level subdirectories in %appdata% (e.g. %appdata%\directory1, %appdata%\directory2,
etc.)
◦%localappdata% (on Vista+) and any first-level subdirectories in there.
◦%temp%\rar* directories
◦%temp%\7z* directories
◦%temp%\wz* directories
◦%temp%\*.zip directories
The first two locations are used by the malware as launch points. The final four locations are
temporary extract locations for executables when run from directly inside of a compressed archive
(e.g. you open download.zip in Windows Explorer, WinRAR, WinZip, or 7zip, and execute an .EXE from
directly inside the download, it is actually extracted to a temporary location and run from there
– so this guards against that as well.)
NOTE: Protection does not need to be applied while logged into each user account, it may be applied
only once from ANY user account and it will scan for and protect all user accounts on the system.
This is accomplished despite an apparent bug in Microsoft's software prevention policies that does
not allow for the %temp% environment variable to be used in the rules (as it does allow %appdata%)…
so protection for %temp% folders is now applied by expanding the full path to the user's temp folder
in each rule set, and replacing the username with an * in the rules so that a single rule can cover
all users. In prior versions, CryptoPrevent attempted to use the %temp% environment variable to
protect all user accounts, but it was later discovered that methodology wasn't working on all systems.
If you applied protection with prior versions and want temp extracted exes blocked, you may want
to reapply protection with v2.2 to ensure it will work for you.
Open up Local Security Policy or the Group Policy Object editor and create a new GPO. I'll
show you how to create two here -- one for Windows XP machines (which use slightly different
paths for the user space) and one for Windows Vista and later machines.
Name the new GPO "SRP for XP to prevent Cryptolocker" or something similar for you to remember
easily.
Choose Computer Configuration and then navigate through Policies > Windows Settings > Security
Settings > Software Restriction Policies.
Right-click Software Restriction Policies and choose New Software Restriction Policy from
the context menu.
Now, create the actual rules that will catch the software on which you want to enforce a
restriction. Right-click Additional Rules in the left-hand pane. Choose New Path Rule.
Under Path, enter %AppData%\*.exe.
Under Security level, choose Disallowed.
Enter a friendly description, like "Prevent programs from running in AppData."
Choose New Path Rule again, and make a new rule like the one just completed. Use the following
table to fill out the remainder of this GPO.
Path                                          | Security Level | Suggested Description
%AppData%\*.exe                               | Disallowed     | Prevent Cryptolocker executable from running in AppData*
%AppData%\*\*.exe                             | Disallowed     | Prevent virus payloads from executing in subfolders of AppData
%UserProfile%\Local Settings\Temp\Rar*\*.exe  | Disallowed     | Prevent un-WinRARed executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\7z*\*.exe   | Disallowed     | Prevent un-7Ziped executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\wz*\*.exe   | Disallowed     | Prevent un-WinZIPed executables in email attachments from running in the user space
%UserProfile%\Local Settings\Temp\*.zip\*.exe | Disallowed     | Prevent unarchived executables in email attachments from running in the user space
*Note this entry was covered in steps 5-8. It is included here for your easy reference later.
WinRAR and 7Zip are the names of compression programs commonly used in the Windows environment.
Close the policy.
To protect Windows Vista and newer machines, create another GPO and call this one "SRP for Windows
Vista and up to prevent Cryptolocker." Repeat the steps above to create the SRP and create path
rules based on the following table.
Path                                 | Security Level | Suggested Description
%AppData%\*.exe                      | Disallowed     | Prevent Cryptolocker executable from running in AppData*
%AppData%\*\*.exe                    | Disallowed     | Prevent virus payloads from executing in subfolders of AppData
%LocalAppData%\Temp\Rar*\*.exe       | Disallowed     | Prevent un-WinRARed executables in email attachments from running in the user space
%LocalAppData%\Temp\7z*\*.exe        | Disallowed     | Prevent un-7Ziped executables in email attachments from running in the user space
%LocalAppData%\Temp\wz*\*.exe        | Disallowed     | Prevent un-WinZIPed executables in email attachments from running in the user space
%LocalAppData%\Temp\*.zip\*.exe      | Disallowed     | Prevent unarchived executables in email attachments from running in the user space
Close the policy.
Once these GPOs get synchronized down to your machines -- this can take up to three reboots to
happen, so allow some time -- when users attempt to open executables from email attachments, they'll
get an error saying their administrator has blocked the program. This will stop the Cryptolocker
attachment in its tracks.
Unfortunately, taking this "block it all in those spots" approach means that other programs your
users may install from the web, like GoTo Meeting reminders and other small utilities that do have
legitimate purposes, will also be blocked. There is a solution, however: You can create ad-hoc allow
rules in the software restriction policy GPOs. Windows allows these "whitelisted" apps before it
denies anything else, so by defining these exceptions in the SRP GPO, you will instruct Windows
to let those apps run while blocking everything else. Simply set the security level to Unrestricted,
instead of Disallowed as we did above.
AppLocker
AppLocker is the SRP feature on steroids. However, it only works on Windows 7 Ultimate or Windows
7 Enterprise editions, or Windows 8 Pro or Windows 8 Enterprise edition, so if you're still on Windows
XP for the time being or you have a significant contingent of Windows Vista machines, AppLocker
will not do anything for you.
But if you are a larger company with volume licenses that is deploying the enterprise editions
of the OS, AppLocker is really helpful in preventing Cryptolocker infections because you can simply
block programs from running -- except those from specific software publishers that have signed certificates.
Here's what to do:
Create a new GPO.
Right-click on it to edit, and then navigate through Computer Configuration, Windows Settings,
Security Settings, Application Control Policies and AppLocker.
Click Configure Rule Enforcement.
Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected
from the drop-down box. Click OK.
In the left pane, click Executable Rules.
Right-click in the right pane and select Create New Rule.
On the Before You Begin screen, click Next.
On the Permissions screen, click Next.
On the Conditions screen, select the Publisher condition and click Next.
Click the Browse button and browse to any executable file on your system. It doesn't matter
which.
Drag the slider up to Any Publisher and then click Next.
Click Next on the Exceptions screen.
Name the policy something like "Only run executables that are signed" and click Create.
If this is your first time creating an AppLocker policy, Windows will prompt you to create
default rules -- go ahead and click Yes here.
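The policy those wizard steps produce, as an added PowerShell example that is not from the article or the page: the "any signed publisher" rule plus the default path rules the wizard offers, written as AppLocker policy XML, dry-run against real files with Test-AppLockerPolicy before anything is enforced, then merged into the local policy. Rule names, the sample file paths and the temporary XML location are my choices; the SIDs are the well-known Everyone and Administrators groups.

```powershell
# Added example, not from the page: the AppLocker policy the wizard steps
# above produce ("any signed publisher" plus the default path rules), written
# as policy XML, dry-run against real files, then applied locally. Needs the
# editions listed above, an elevated prompt and the Application Identity service.
Import-Module AppLocker

$signedRuleId = [guid]::NewGuid(); $winRuleId = [guid]::NewGuid()
$pfRuleId     = [guid]::NewGuid(); $admRuleId = [guid]::NewGuid()
# S-1-1-0 is Everyone, S-1-5-32-544 is the local Administrators group.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$signedRuleId" Name="Only run executables that are signed" Description="Any publisher, as built by the wizard above" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$winRuleId" Name="(Default Rule) Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$pfRuleId" Name="(Default Rule) Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$admRuleId" Name="(Default Rule) Administrators run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'signed-only-applocker.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

function Test-PolicyDecision {
    # Dry run: what the policy would decide for these files, for an ordinary user.
    param([string[]] $Paths, [string] $User = 'Everyone')
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $Paths -User $User
}

# Anything in %WINDIR% is allowed by the path rule; an unsigned executable under
# %APPDATA% (CryptoLocker's launch point, see above) should come back Denied.
$samples = @("$env:WINDIR\notepad.exe") +
    @(Get-ChildItem "$env:APPDATA\*.exe", "$env:APPDATA\*\*.exe" -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName)
Test-PolicyDecision -Paths $samples | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local policy (for a domain GPO, import the XML in the GPO editor
# or use Set-AppLockerPolicy -Ldap), then make sure the enforcing service runs.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

Read the dry-run table before the last three lines: every legitimate updater that lives in a profile folder and is unsigned will show up as Denied there, and those are the programs you will need explicit allow rules for once enforcement is on.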
NOTE: Also take this opportunity to review the permissions set on your file server share access
control lists, or ACLs. Cryptolocker possesses no special capabilities to override deny permissions,
so if the user who gets infected is logged into an account that has very limited permissions, the
damage will be minimal. Conversely, if you allow the Everyone group Write access for the NTFS permissions
on most of your file shares, and you use mapped drives, one Cryptolocker infection could put you
into a world of hurt. Review your permissions now. Tighten where you can. Work with your line of
business application vendors to further tighten loose permissions that are "required" for "supportability"
-- often these specifications are needlessly broad.
Using either an SRP or an AppLocker policy, you can prevent Cryptolocker from ever executing
and save yourself a lot of problems.
The big lesson here is that daily cold-storage backups are very important.
CryptoLocker does not affect Acronis backups, so in this case restoration is pretty straightforward.
But this is just an accident. New variants/copycats may well target those extensions too.
System restore point is not a REAL option. It keeps the files encrypted; it only restores to a point
where the files of the malware were not present on the system. The ghostexplorer only works
IF you have shadow copy functionality and have it turned on. That means that if you do not have shadow copy
turned on and you do a system restore, the files are lost; paying for the decryption after a system
restore is not possible anymore.
The only good possible way to prevent data loss is to have a BACKUP on a disk/tape which can be rolled back
a couple of days, to before the infection.
There are only two options for recovering encrypted files, and they both rely on either having System
Restore/VSS turned on or having a backup disconnected from the infected machine. Cloud backup solutions
without versioning are no good, as they will commit the encrypted files to the cloud.
Using ShadowExplorer gives a better graphical front end for restoring large numbers of files (though this
will not help with mapped drives; you'd need to run it on the server in that case).
Undelete software doesn't work, as it encrypts the files in place on the hard drive; there is no copying
going on.
Mitigation: Previous versions (shadow copies) and ShadowExplorer
If you are unlucky enough to have been infected with Cryptolocker, then there are some mitigation
strategies available to you. (Of course, you can always restore from backups as well.) Both strategies
involve a tool called Shadow Copies that is an integral part of the System Restore feature in Windows.
This is turned on by default in client versions of Windows, and best practices for storage administration
have you turning this on manually on Windows Server-based file servers. If you have left this setting
alone, you likely have backups right on your computer or file share.
Previous versions
To restore the previous version of a file using the traditional Windows interface, just right-click
the file in question and choose Properties. If System Restore is enabled or your administrator has
enabled Shadow Copies through Group Policy, you should be able to see the Previous Versions tab
in the Properties window. This will list all of the versions on record of the file. Choose a version
before the Cryptolocker infection and then click either Copy to export a copy of the file somewhere
else, or Restore to pop the backup right where the encrypted file belongs. You can open the files
directly from this box too if you are not sure of the exact date and time of infection.
ShadowExplorer
ShadowExplorer is a downloadable free tool that makes it much easier to explore all of the available
shadow copies on your system. This is a useful ability when you have a wide range of files infected
with Cryptolocker and need to restore a swath of them at once.
When you install and run the tool, you can select the drive and the shadow copy date and time
from the drop-down menu at the top of the window. Then, just like in a regular Windows Explorer
menu, you can choose the folder and file you want, and then right-click and select Export. Choose
the destination on your file system to put the exported shadow copies on, and then you have your
backup restored. Of course, this is a previous version, so it may not have the most current updates
to your files, but it is much better than having lost them completely or having to pay a ransom
for them.
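The same bulk restore without ShadowExplorer, as an added PowerShell example that is not part of the article or this page: it enumerates the volume's shadow copies through WMI, exposes the newest snapshot taken before the infection as a directory via a GLOBALROOT symbolic link (the trick mklink supports), and copies the document types from the list quoted on this page out of it with robocopy. It runs on the machine that owns the volume, so for a mapped drive that is the file server, as the earlier comment notes. Mount point, destination and extension list are placeholders.

```powershell
# Added example, not from the page: enumerate the shadow copies ShadowExplorer
# browses, expose the newest one taken before the infection as a directory via
# a GLOBALROOT symbolic link, and copy documents out of it with robocopy. Works
# on a file server with nothing installed; run elevated on the machine that
# hosts the volume (a mapped drive's snapshots live on the server, see above).
param(
    [Parameter(Mandatory = $true)] [datetime] $Before,   # time of the first ransom screen
    [string]   $Volume      = 'C:\',
    [string]   $MountPoint  = 'C:\shadow-restore',       # temporary link, removed afterwards
    [string]   $Destination = 'D:\restored',             # placeholder; keep it off the hit volume
    [string[]] $Extensions  = @('*.doc', '*.docx', '*.xls', '*.xlsx', '*.ppt', '*.pst',
                                '*.dwg', '*.rtf', '*.dbf', '*.psd', '*.pdf')   # from the list quoted above
)

function Get-ShadowCopy {
    # Snapshots of $Volume, oldest first. VolumeName on Win32_ShadowCopy is the
    # \\?\Volume{GUID}\ form, so map the drive letter to that first.
    $deviceId = (Get-WmiObject Win32_Volume | Where-Object { $_.Name -eq $Volume }).DeviceID
    Get-WmiObject Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $deviceId } | ForEach-Object {
        New-Object PSObject -Property @{
            Id      = $_.ID
            Created = $_.ConvertToDateTime($_.InstallDate)
            Device  = $_.DeviceObject      # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Created
}

function Mount-ShadowCopy([string] $Device) {
    # mklink needs the trailing backslash on the GLOBALROOT path; rmdir on the
    # link removes only the link, never the snapshot contents.
    if (Test-Path $MountPoint) { cmd /c rmdir "$MountPoint" | Out-Null }
    cmd /c mklink /d "$MountPoint" "$Device\" | Out-Null
}

function Restore-FromShadow([datetime] $NotAfter) {
    $snap = Get-ShadowCopy | Where-Object { $_.Created -lt $NotAfter } | Select-Object -Last 1
    if (-not $snap) { throw "No shadow copy of $Volume older than $NotAfter" }
    Mount-ShadowCopy $snap.Device
    try {
        # /S recurses, /XJ skips junctions, /XO keeps a newer file already in the
        # destination (e.g. from a later, cleaner snapshot) rather than overwriting it.
        robocopy $MountPoint $Destination $Extensions /S /XJ /XO /R:1 /W:1 /NFL /NDL | Out-Null
    } finally {
        cmd /c rmdir "$MountPoint" | Out-Null
    }
    $snap
}

Restore-FromShadow $Before
```

Call it as `.\restore-shadow.ps1 -Before '2013-10-28 08:00' -Destination D:\restored` and it prints the snapshot it used. Run `Get-ShadowCopy` on its own first: if the newest snapshot is already after the ransom screen, the copied files will be the encrypted ones, and the snapshot list is what tells you that.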
A DNS sinkhole campaign is underway and in high gear to block computers infected with CryptoLocker
from reaching the malware's Command & Control servers. A DNS sinkhole is a method used by security
researchers to monitor botnets and to block communication between an infected computer and its Command
& Control server. This method is now being used against CryptoLocker, a file-encrypting ransomware
that requires a $300 USD ransom from victims in order to get their files back. We have been monitoring
and helping CryptoLocker victims since its release in early September. This infection has been
devastating for its victims.
For quite a while, we have noticed that an unknown organization has started redirecting, or sinkholing,
CryptoLocker domains to sinkdns.org hostnames. When CryptoLocker attempts to communicate with certain
domains it will instead be sent to a server hosted in the sinkdns.org domain. The connection will also
contain the HTTP headers Server: You got served! and X-Sinkhole: malware cryptolocker sinkhole.
By sinkholing the domains, communication between an infected computer and the malware's Command & Control
server is not able to take place. If CryptoLocker is unable to communicate with a C&C server and receive
a public key used to encrypt files, it will loop endlessly until it can. By breaking this communication,
security researchers aim to halt CryptoLocker before it further encrypts other infected computers' files.
Unfortunately, this sinkhole is not completely successful at this time. Tests have shown that CryptoLocker
will eventually find a non-sinkholed hostname that is part of its Domain Generation Algorithm and begin
encrypting the files. Furthermore, in order for a person to pay the ransom and decrypt their files they
will need to be able to reach one of the infection's C&C servers. If all its domains become blocked, then
affected users will no longer be able to pay the ransom if they wish to do so. As you can see this is a
double-edged sword.
At this time no organization has taken credit for the sinkhole campaign. If anyone has any information
on the sinkdns.org domain, please let us know here. For more information about CryptoLocker, please see
this guide: CryptoLocker Ransomware Information Guide and FAQ.
CryptoLocker, the latest strain of ransomware, is best known for trying to force users into paying
a fee by encrypting certain files and then later offering a $300 decrypting tool. In this entry,
we discuss how it arrives and how it is connected with other malware, most notably ZBOT/ZeuS.
We reported earlier that CryptoLocker malware not only blocks access to the infected system, but
also forces users to buy a $300 decrypting tool by encrypting certain files. Recently, we were alerted
to a spam campaign that we determined to be responsible for CryptoLocker infections. The spammed
messages contain malicious attachments belonging to TROJ_UPATRE, a malware family characterized
by its small file size and a simple downloading function.
Using feedback provided by the Trend Micro Smart Protection Network, we searched for information
linking CryptoLocker ransomware to this downloader and found a sample email containing a malicious
attachment (detected as TROJ_UPATRE.VNA):
Figure 1. Screenshot of spam with malicious attachment
Once this attachment is executed, it downloads another file which is saved as cjkienn.exe
(detected as TSPY_ZBOT.VNA). This malware then downloads the actual CryptoLocker malware (detected as
TROJ_CRILOCK.NS).
Figure 2. CryptoLocker infection chain
This threat is particularly troublesome for several reasons. First, ZeuS/ZBOT variants are known
to steal information related to online banking credentials. The attackers can use the stolen information
to start unauthorized banking transactions. Furthermore, because of the CryptoLocker malware, users
will be unable to access their personal or important documents.
Notes on CryptoLocker Encryption
Although the ransom note in CryptoLocker specifies only "RSA-2048" as the encryption used, our
analysis shows that the malware uses AES + RSA encryption.
RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt
the data and another is used to decrypt the data. (One key is made available to any outside party
and is called the public key; the other key is kept by the user and is called the private key.)
AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information.)
The malware uses an AES key to encrypt files. The AES key for decryption is written in the files
encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the
malware, which means that a private key is needed to decrypt it. Unfortunately, the said private
key is not available.
For information on which files are encrypted, users can check their system's autostart registry.
Figure 3. List of encrypted files as seen on system's registry
Through group policy you can set a PowerShell logon script to dump any *.exe files found in your
users' AppData to a text file. Depending on how many users are in your company, you can monitor it by
looking through the text files once a day, checking for a folder named after a random string followed
by an exe file.
Appdata\Roaming\3afdef3\34345da.exe for example.
This can provide some early warning and has allowed us to catch a few users running CryptoLocker
before it had finished encrypting.
For companies with a lot more computers to monitor, you can use Splunk to read all your text
files for you and report anomalies.
Powershell script below: Make sure to edit the path to save the text file
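An implementation of the idea in that comment, as an added PowerShell example that is not the poster's script (which the page does not carry): it lists every executable at the two AppData depths the SRP rules on this page cover, in every profile on the machine, flags the random-looking folder-plus-file names the comment describes, records each file's Authenticode status, and appends the result to a per-host report file on a share. The report share, the profile layouts and the "random name" regex are my assumptions; the regex is tuned to the comment's own example and will need adjusting to what your fleet actually runs.

```powershell
# Added example, not the Reddit poster's script: list every executable one
# level under each user's AppData, flag the random-looking names the post
# describes, and append the result to a per-host report file. Run it as a
# scheduled task under SYSTEM (a per-user logon script sees only its own profile).
param(
    [string] $ReportDir = '\\fileserver\appdata-reports$'   # placeholder share, edit before use
)
# Profile layouts on this page: Vista+ (AppData\Roaming, AppData\Local) and XP.
$Layouts = @{
    'C:\Users'                  = @('AppData\Roaming', 'AppData\Local')
    'C:\Documents and Settings' = @('Application Data', 'Local Settings\Application Data')
}
# Heuristic, my assumption: the post's example 3afdef3\34345da.exe is a short
# lowercase alphanumeric run that contains a digit, in both folder and file name.
$RandomName = '^(?=.*\d)[a-z0-9]{6,12}$'

function Get-AppDataExecutable {
    foreach ($root in $Layouts.Keys) {
        if (-not (Test-Path $root)) { continue }
        foreach ($profile in Get-ChildItem $root | Where-Object { $_.PSIsContainer }) {
            foreach ($rel in $Layouts[$root]) {
                $dir = Join-Path $profile.FullName $rel
                if (-not (Test-Path $dir)) { continue }
                # The SRP rules on this page cover AppData\*.exe and AppData\*\*.exe,
                # so the same two depths are what this scan reports.
                Get-ChildItem $dir -Filter *.exe -ErrorAction SilentlyContinue
                Get-ChildItem $dir -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer } |
                    ForEach-Object { Get-ChildItem $_.FullName -Filter *.exe -ErrorAction SilentlyContinue }
            }
        }
    }
}

function Test-SuspiciousName([IO.FileInfo] $File) {
    # Case-sensitive match (-cmatch): the names in the post are all lowercase.
    ($File.Directory.Name -cmatch $RandomName) -and ($File.BaseName -cmatch $RandomName)
}

$report = Join-Path $ReportDir ('{0}-{1:yyyyMMdd}.txt' -f $env:COMPUTERNAME, (Get-Date))
foreach ($exe in @(Get-AppDataExecutable | Where-Object { -not $_.PSIsContainer })) {
    # A valid Authenticode signature is a strong hint of a legitimate updater.
    $sig  = (Get-AuthenticodeSignature $exe.FullName).Status
    $flag = if (Test-SuspiciousName $exe) { 'SUSPECT' } else { 'info' }
    Add-Content -Path $report -Value ("{0}`t{1}`t{2}`t{3}`t{4}" -f `
        (Get-Date -Format s), $flag, $sig, $exe.Length, $exe.FullName)
}
```

The tab-separated lines are easy to load into Splunk or to diff against yesterday's file; the useful query is not "any SUSPECT line" but "a SUSPECT line with Status NotSigned that was not in the previous report", which is what a fresh drop looks like.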
I had a user yesterday tell me they got a link they were warned was spam, clicked it anyway, the antivirus blocked the site and locked them
out for 10 minutes, showed a warning that the AV did that, and tried to click it again anyway before asking me if they shouldn't have done
that.
I can't tell if this is an Id10T error or if he is legitimately trying to get out of work for a
few days...
===
I found that simply copy/pasting the folder containing Spotify.exe to Program Files allowed it
to run. However, it would not update (not unexpected). It did still function, though.
and %userprofile%\appdata\local\*.exe just in case.
Also to spare some headaches, windows 7 clients need to be restarted the first time the SRP is
applied or they won't work. Subsequent changes only require a gpupdate /force.
*also if you can I would just block all *.zip attachments to emails. I put that in place on Monday
and I've already deleted several dozen emails coming in masquerading as financial data, voicemails,
government forms, etc. that have a .zip with a malicious .exe inside it. I'm willing to deal with
the extra step of verifying an email and releasing it from the filter rather than having somebody try to
run this shit.
Interestingly, I recently "fought" this particular virus with a client of mine. While it
had THREATENED that it would delete his "encryption key," in fact his data wasn't affected at
all. I merely started in Safe Mode with Command Prompt and then ran msconfig where I found where
the "virus" was loading and merely deleted the file. Using explorer.exe showed that all files
were actually still present and hadn't been encrypted at all. This is merely a variant of what
I call the "FBI Virus" (since that's what it started out as). It prevents you from doing just
about anything in Normal Mode. Even in Safe mode, it still launches. This is because it appends
your shell= line in the registry to include itself when Windows Launches (which includes Safe
Mode). However, starting in Safe Mode With Command Prompt doesn't load the "virus" because you're
not using the shell= command line in the registry.
It's really quite simple.
I did have a tech the other day, though, that couldn't run ...Command Prompt; in which case
he either had to remove the hard drive from this computer and attach it to another, or boot
to some OS from CD (I prefer UBCD since it has a Remote Registry Editor).
My point is, it's not that difficult to remove once you know how it's done.
Voice_ofReason > Don Hancock
I suspect you didn't run across CryptoLocker itself, but just another variant of the older
ransomware apps.
Russell Johnson
Follow the money! Where is law enforcement?
Ramon S
The first thing I do on any Windows system is disable the hide known file extensions option.
It is a security problem, it should not be enabled by default, and that feature should not even
be there in the first place.
How many times have I come across files named like worddoc.doc.docx just because unknowing users
had this option enabled and, for good measure, added the file extension to the file name. Also,
telling them to open worddoc.docx always comes back with the complaint that they cannot find
the file in the location specified.
Microsoft should release a patch that disables this feature and rips it out entirely
USASAgencyman
Criminally Misleading From PC Tuneup???
hxxp://pctuneup.org/cryptolocker-virus-removal/
Quote
CryptoLocker virus: is a series of ransomware infections that we have
recently classified as extremely dangerous and recommend removing immediately. This page
will show you precise instructions on how to remove the CryptoLocker virus.
The CryptoLocker virus hijacks the computer and limits its functionality
in an attempt to hold your PC ransom. It will make claims that your access to your computer
is limited and other similar warnings and to unlock the encryption the infected user will
need to pay a "fine." It is important to note that all of the warnings and messages that
come from the CryptoLocker Hijack virus are fake and should be disregarded. However, the
CryptoLocker Hijack virus will not allow the computer to work normally
until it is completely removed. The CryptoLocker Hijack virus will not go away on its own,
action must be taken to remove it. Please see below where we show our easy step-by-step
removal instructions for the CryptoLocker Hijack virus.
Online attackers are using encryption to lock up our files and demand a ransom
- and AV software probably won't protect you.
Here are ways to defend yourself from CryptoLocker - pass this information along
to friends, family, and business associates.
Forgive me if I sound a bit like those bogus virus warnings proclaiming, "You
have the worst virus ever!!" But there's a new threat to our data that we need to take seriously.
It's already hit many consumers and small businesses. Called CryptoLocker, this infection shows
up in two ways.
First, you see a red banner (see Figure 1) on your computer system, warning that
your files are now encrypted - and if you send money to a given email address,
access to your files will be restored to you.
Figure 1. CryptoLocker is not making idle threats.
The other sign you've been hit: you can no longer open Office files, database
files, and most other common documents on your system. When you try to do so, you get another warning,
such as "Excel cannot open the file [filename] because the file format or file extension is
not valid," as stated on a TechNet MS Excel Support Team
blog.
As noted in a Reddit
comment, CryptoLocker goes after dozens of file types such as .doc, .xls, .ppt, .pst,
.dwg, .rtf, .dbf, .psd, .raw, and .pdf.
CryptoLocker attacks typically come in three ways:
1) Via an email attachment. For example, you receive an email from a shipping company you do
business with. Attached to the email is a .zip file. Opening the attachment launches a virus that
finds and encrypts all files you have access to - including those located on any attached drives
or mapped network drives.
2) You browse a malicious website that exploits vulnerabilities in an out-of-date version of Java.
3) Most recently, you're tricked into downloading a malicious video driver or codec file.
There are no patches to undo CryptoLocker and, as yet, there's no clean-up tool
- the only sure way to get your files back is to restore them from a backup.
Some users have paid the ransom and, surprisingly, were given the keys to their
data. (Not completely surprising; returning encrypted files to their owners might encourage others
to pay the ransom.) This is, obviously, a risky option. But if it's the only way you
might get your data restored, use a prepaid debit card - not
your personal credit card. You don't want to add the insult of identity theft to the injury of data
loss.
In this case, your best defense is prevention
Keep in mind that antivirus software probably won't prevent a CryptoLocker infection. In every case
I'm aware of, the PC owner had an up-to-date AV application installed. Moreover, running Windows
without admin rights does not stop or limit this virus. It uses social engineering techniques - and
a good bit of fear, uncertainty, and doubt - to trick users into clicking a malicious download or
opening a bogus attachment.
Your best prevention is two-fold:
1) Basic method: Ensure you keep complete and recent backups
of your system. Making an image backup once or twice a year isn't much protection. Given the size
of today's hard drives on standalone PCs, an external USB hard drive is still your best backup option.
A 1TB drive is relatively cheap; you can get 3TB drives for under U.S. $200. For multiple PCs on
a single local-area network, consider Michael Lasky's recommendations in the Oct. 10 Best Hardware
article,
"External hard drives take on cloud storage."
Small businesses with networked PCs should have automated workstation backups
enabled, in addition to server backups. At my office, I use Backup Box by Gramps' Windows
Storage Server 2008 R2 Essentials (site).
It lets me join the backup server to my office domain and back up all workstations. I run the backups
during the day, while others in the office are using their machines - and I've had no complaints
of noticeable drops in workstation performance.
The upcoming release of Windows Server 2012 R2 Essentials (site)
will also include easy-to-use, workstation-backup capabilities. Recently
announced Western Digital drives will also act as both file-storage servers and workstation-backup
devices.
2) The advanced method: If you have Windows Professional or higher,
you can tweak your systems to protect them against CryptoLocker. You'll want to thoroughly test
the impact of the settings changes detailed below - and be prepared to roll back to your original
settings if needed. (After making some of these changes, you might not be able to install or update
some applications.)
All business and Pro versions of Windows include the ability to prevent certain
types of software from launching from specific locations. CryptoLocker launches from a specific
location and in a specific way (well, for now). By implementing Windows' Software Restriction Policies
rules, we can block CryptoLocker from launching its payload in your computer.
Software Restriction Policies (more
info) t to other systems. Also, take the extra step of undoing the changes
and checking whether the test system still runs as expected. Most important: Back up
all systems before making the changes.
To make the changes, click Start/Control Panel/Administrative Tools. Click Local
Security Policy and locate Software Restriction Policies under the Security Settings heading. Right-click
it and select New Software Restriction Policies. Right-click Additional Rules and
select New Path Rule to open the new-rule dialog box shown in Figure 2.
Figure 2. Creating a new path rule to block CryptoLocker
The following rules block applications such as CryptoLocker from running in the
defined locations. For example, the first set of rules applies to the specific user folder
%Appdata%, which equates to user\{yourusername}\appdata\roaming.
Enter the following sets of Path, Security Level, and Description information
as separate rules:
For Windows XP, enter the following:
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
and
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
For Windows Vista and higher, use the above settings plus the following:
From archive attachments opened with WinRAR:
Path: %Temp%\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.
From archive attachments opened with 7-Zip:
Path: %Temp%\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7-Zip.
From archive attachments opened with WinZip:
Path: %Temp%\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.
From archive attachments opened using Windows' built-in .zip support:
Path: %Temp%\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows' built-in ZIP support.
Figure 3 shows the Software Restrictions Policies section with newly entered rules.
Figure 3. A completed set of software restriction policies
When you're done entering new rules, reboot your system so that the changes take
effect. Again, if you discover you can no longer update some applications or install software, you
might need to undo some of these changes. Look in your application event log -
or in the admin section - for the specific rule that's misbehaving. (To open the log, click Control
Panel/Administrative Tools/Event Viewer; then, in the navigation pane, click Windows Logs/Application.
For more on the Event Viewer, see the Oct. 27, 2011, Top Story, "What you should know about Windows'
Event Viewer.")
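Added example, not code from the Windows Secrets article: a read-only PowerShell audit that lists the SRP path rules actually present in the registry, checks them against the rule set above, and reports whether SRP enforcement is switched on. The registry layout it reads (Safer\CodeIdentifiers, level subkey 0 = Disallowed, rules under Paths\{GUID} with ItemData, TransparentEnabled for enforcement), the WinRAR pattern by analogy with the 7-Zip and WinZip ones, and the function names are assumptions of this example.

```powershell
# Added example, not code from the article: read-only audit of the Software Restriction
# Policy (SRP) path rules on this machine against the CryptoLocker rule set above.
# Assumptions (not stated on the page): SRP stores its policy under
# SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers in HKLM (machine policy)
# and HKCU (user policy); each numeric subkey is a security level (0 = Disallowed,
# 262144 = Unrestricted); path rules sit under <level>\Paths\{GUID} with the pattern
# in the REG_EXPAND_SZ value ItemData; TransparentEnabled = 0 means SRP is not enforced.

$SaferRelativePath = 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# The Disallowed path rules recommended above (Windows Vista and later superset).
$ExpectedRules = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%Temp%\Rar*\*.exe',
    '%Temp%\7z*\*.exe',
    '%Temp%\wz*\*.exe',
    '%Temp%\*.zip\*.exe'
)

$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Restricted';
                 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

function Get-SrpPathRule {
    # Enumerates every SRP path rule in both hives. ItemData is read without expanding
    # %AppData% / %Temp%, so patterns compare exactly as the administrator typed them.
    foreach ($hive in 'HKLM', 'HKCU') {
        $root = "${hive}:\$SaferRelativePath"
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($levelKey in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            if ($levelKey.PSChildName -notmatch '^\d+$') { continue }   # not a level subkey
            $level = [int]$levelKey.PSChildName
            $pathsKey = $levelKey.PSPath + '\Paths'
            if (-not (Test-Path -LiteralPath $pathsKey)) { continue }

            foreach ($ruleKey in Get-ChildItem -LiteralPath $pathsKey -ErrorAction SilentlyContinue) {
                $pattern = $ruleKey.GetValue('ItemData', $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                [pscustomobject]@{
                    Hive        = $hive
                    Level       = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { "Level$level" }
                    Path        = $pattern
                    Description = $ruleKey.GetValue('Description')
                    RuleId      = $ruleKey.PSChildName
                }
            }
        }
    }
}

function Get-SrpEnforcement {
    # Rules whose policy has TransparentEnabled = 0 exist in the registry but block nothing.
    $root = "HKLM:\$SaferRelativePath"
    if (-not (Test-Path -LiteralPath $root)) {
        return [pscustomobject]@{ PolicyPresent = $false; Enforced = $false; DefaultLevel = 'NotSet' }
    }
    $p  = Get-ItemProperty -LiteralPath $root
    $dl = $p.DefaultLevel
    $dlName = if ($null -eq $dl) { 'NotSet' } elseif ($LevelNames.ContainsKey([int]$dl)) { $LevelNames[[int]$dl] } else { "$dl" }
    [pscustomobject]@{
        PolicyPresent = $true
        Enforced      = ([int]$p.TransparentEnabled -ge 1)   # 1 = all software except DLLs, 2 = everything
        DefaultLevel  = $dlName
    }
}

function Test-CryptoLockerSrpRule {
    # One row per expected pattern: is a matching Disallowed rule present, and in which hive?
    param([string[]] $Expected = $ExpectedRules)
    $disallowed = @(Get-SrpPathRule | Where-Object { $_.Level -eq 'Disallowed' })
    foreach ($pattern in $Expected) {
        $hits = @($disallowed | Where-Object { $_.Path -ieq $pattern })
        [pscustomobject]@{
            ExpectedPath = $pattern
            Present      = ($hits.Count -gt 0)
            FoundIn      = ($hits | ForEach-Object { $_.Hive }) -join ','
        }
    }
}

# Usage: run from an elevated prompt after the reboot that applies the policy.
Get-SrpEnforcement | Format-List
Test-CryptoLockerSrpRule | Format-Table -AutoSize
# Note: tools such as CryptoPrevent write the expanded per-user temp path instead of
# %Temp%, so their rules appear in Get-SrpPathRule but do not match the patterns here.
```

A rule that is Disallowed but not on the expected list deserves a look (it may be what stopped an application from installing); a rule that is expected but missing is the one to re-enter.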
As the malware authors change their tactics, you might need to revisit the rules
settings; I'll try to post updates into the Windows Secrets Lounge whenever needed.
For even stronger CryptoLocker protection, those folks with solid IT savvy might
want to consider application whitelisting - i.e., setting up a list of applications
approved to run on their workstations. All other software installations are blocked. See the National
Security Agency (yes, that NSA) document (downloaded PDF), "Application whitelisting using Software
Restriction Policies."
Be aware that application whitelisting is a highly advanced tactic. Take some
time to determine all allowed applications in order to properly set up application
whitelisting.
Once again, keeping your AV software up to date is not the panacea for CryptoLocker.
The hackers using this exploit are adapting the virus so quickly that AV vendors can't keep up with
the many CryptoLocker variations in play. It's up to individual users to stay vigilant about
what they click. The bad guys just keep getting badder.
Maybe_Forged
Owner of an IT company here. We have several hundred clients and I'd like to report what we've dealt
with so far.
The primary source of infection are users opening email attachments. Our clients that use
messagelabs or rackspace for anti spam/hosted exchange have not been hit at all. Coupled with
Trend Micro blocking new malicious websites seems to keep them safe. As you see a layered approach
is best but not always foolproof. Some clients that have AV gateways enabled on the SonicWall
don't pick this up and I suspect they never will ultimately proving them to be useless.
We set up a honeypot VM and have been able to get a cryptolocker infection via Java exploits.
So ignore Java updates at your peril. The latest version pops up a warning and lets you know not
to run.
The creator of this virus is doing his best to defeat traditional AV and it is working. What
isn't working for this bastard are spoofed emails if your email server/anti spam is setup and worth
a damn.
We have a lot of clients using Network Solutions as their email provider and they have been
passing these infected emails with spoofed addresses like it's their business. We are quickly
getting our customers off that garbage.
Two, yes two clients out of so many of ours have been hit. One had a backup so we did not
pay the ransom and the other had nothing so they paid. All of a sudden now they have money for
a real backup solution.
We are using this opportunity to educate our customers on best practices when it comes to
doing shit on the internet.
SRP is useless unless you have roaming profiles and we think the best way to implement it
is to just whitelist certain programs like Chrome, etc, and deny the rest. For Windows 7 AppLocker
has been an amazing tool though sadly we still have a few organizations running XP.
tl;dr: Get proper anti spam for your email server/service. It's cheap insurance against users
who like to be idiots with attachments. Back up your stuff and test it. Don't wait for a disaster.
bluesoul
Interesting, no prior reports of Java as a vector of infection. I'm not surprised exactly,
but that's all the VM did? You're sure that was the vector?
EDIT: Also, roaming profiles and the roaming folder of AppData aren't that intrinsically
linked. We have no such setup on our server and the SRP was prevented from running on a VM via
the SRP
Maybe_Forged
Correct, it's not a common vector but it uses a .JNLP file as a dropper. I think our engineer
said Java u40 and up will provide a security warning and prevent it from running.
Sorry to hijack top post in a "best" sort, but the number of infections is getting high enough
that some Canadian Bitcoin exchanges are getting multiple requests for Bitcoin from affected users:
On the topic of this post, this is starting to look like just the start of something really,
really, bad with Malware for sure. While I feel the need to warn people of the threat, part of me
wonders if publicity for this thing will only signal to other Malware authors this is the new effective
method...
This thing scares the crap out of me. I have all my important stuff backed up in Dropbox, but
since Dropbox is a live backup, I'd be SOL if it starts encrypting everything in my Dropbox folder,
which Dropbox then syncs...
I rented a cheap VPS and wrote a Java app to download my Dropbox via OAuth once per day and store
it in an AES-encrypted zip with a randomly-generated password stored in a text file encrypted with
RSA, for which the private key is in several cold-storage locations.
Overkill? Maybe. But I'm paranoid now.
===
Doesn't Dropbox store multiple versions? So in theory you should still be ok, though I have no
idea how many versions and what limitations it has on versioning so a real backup is of course better.
9/17 EDIT: All 9/17 edits are now covered under Prevention.
10/10 EDIT: Google matches for CryptoLocker are up 40% in the last week, and I'm getting 5-10
new posts a day on this thread, so I thought I'd update it with some interesting finds from fellow
Redditors.
/u/soulscore reports that setting the BIOS
clock back in time added time to his cryptolocker ransom. Confirmed that the timer extends
with the machine offline, but that may be cosmetic and I don't like your chances of this actually
helping if your timer runs out on the server side.
/u/Spinal33 reports that AV companies are
catching up with CryptoLocker and are blocking websites that are spawned in the virus's domain
generation algorithm. This effectively means that some people are locked out of the ability
to even pay the ransom. (Technically they could, but the virus couldn't call home.)
Malwarebytes is claiming that MBAM Pro will catch CryptoLocker. If someone wants to test
them on it, be my guest. Confirmed
/u/CANT_ARGUE_DAT_LOGIC gave
some insight on the method the virus uses when choosing what to infect. It simply goes through
folders alphabetically and encrypts all files that match the filemasks towards the top of this
post. If you are lucky enough to catch it in the act of encrypting and pull the network connection,
the CryptoLocker message will pop up immediately and the countdown will begin. Helpful in determining
what will need to be taken into account for decryption.
10/10 MEGA EDIT: I now have an active CryptoLocker specimen on my bench.
I want to run down some things I've found:
On WinXP at least, the nested SRP rule is necessary to prevent infection. The path rule needs
to be %AppData%\*\*.exe
Once the program runs it spawns two more executables with random names in %userprofile%. Adding
a SRP to cover %userprofile%\*.exe may be desired, though this will prevent GoToMyPC from running
at a bare minimum.
This user was a local administrator, and CryptoLocker was able to encrypt files in other users'
directories, though it did not spawn the executables anywhere but the user that triggered the infection.
When logged in under a different account there is no indication that a timer is running.
The environment has server shares but no mapped drives and the shared data
was not touched, even though a desktop shortcut would've taken the virus to a share. I suspect that
will be covered in the next iteration.
The list of masks above does not appear to be totally complete. PDF files were encrypted and
were not originally part of the set of file masks. That is the only exception I noticed, everything
else follows the list. Conveniently (/s), CryptoLocker has a button you can click that shows the
list of files it's encrypted.
The current ransom is $300 by MoneyPak or 2BTC, which at the time of writing would be $280 and
change.
Fabian reported that registry data is stored at HKCU/Software/CryptoLocker. I cannot glean the
meaning of the DWORD values on files but I do notice they are unique, likely salts for the individual
files. I'm curious what purpose that would serve if the private key was revealed as the salts would
be useless.
I have confirmed the message /u/soulscore left
that setting the BIOS timer back a few hours adds an equal amount of time. No telling whether that
will work once it has a network connection and can see the C&C server, though.
The virus walked right through an up-to-date version of GFI Vipre. It appears AV companies either
consider the risk too low to update definitions or, more likely, they're having trouble creating
heuristic patterns that don't cause a lot of collateral damage.
10/18 EDIT: Hello arstechnica! Please read through comments before posting a question as there's
a very good chance it's been answered.
New developments since 10/15:
We have confirmation that both Malwarebytes Antimalware Pro and Avast Free and Pro will stop
CryptoLocker from running. My personal choice of the two is MBAM Pro but research on your own,
AV Comparatives is a wonderful resource.
We have reports of a new vector of infection, Java. This is hardly surprising as Zeus was already
being transmitted in this fashion, but /u/Maybe_Forged
reports contracting the virus with a honeypot VM in this manner.
/u/zfs_balla made a hell of a first post on
reddit, giving us a lot of insight to the behavior of the decryption process, and answered a frequently-asked
question. I'm paraphrasing below.
A file encrypted twice and decrypted once is still garbage.
The waiting for payment confirmation screen stayed up for 16 days before a decryption began,
so don't lose hope if it's been up a while.
The DWORD values in the registry have no bearing on decryption. Renaming an encrypted file to
one on the list in the registry will decrypt it. However, I would presume this would only work for
files that the virus encrypted on that machine as the public key is different with every infection.
Adding any new matching files to somewhere the virus has access will cause them to be encrypted,
even at the "waiting for payment confirmation" screen. Be careful.
Hitting "Cancel" on a file that can't be found doesn't cancel the entire decryption, just that
file.
TLDR:
1) If you are still waiting for payment activation after two weeks don't give up -
I just got mine 16 days later! Payment servers are still up!
2) The individual file "salts" are not needed for decryption, so if you somehow brute
forced the private key it would work for ALL files, not just one file as some AV vendors are claiming.
3) During the "waiting for payment activation" phase, newly found files are still
being encrypted; disconnect all media until payment is activated. It will pause and prompt you if files
are missing during decryption.
4) Rebooting does not ruin the "waiting for payment activation" screen if you paid;
it still comes back up.
5) Clicking cancel on a "failed to decrypt file" message does not cancel the entire
encryption process.
6) CryptoLocker can be 'tricked' into decrypting any file that was encrypted by renaming/matching
the file path to a missing file the decryption stopped on and clicking retry; the salts do not matter.
7) Decryption is done in the same order encryption was done, so if you somehow got
encrypted twice, it will not reverse itself properly from what I can tell. I was wrong, it did
decrypt properly. See update below.
8) ZFS everything. If you care about any of your data, move it to a ZFS based system,
set up hourly snaps for easy versioning in Windows and do offsite replication. Also, pick 2 more backup
solutions that aren't CrashPlan.
Full Story: Sysadmin for an SMB here that got hit ~2 weeks ago, had about 1.5 out
of 5.5 TB of network shares shredded before I was able to unplug the LAN cable of the offending computer.
Turns out our backup solution(s) silently failed since April and we were looking at a staggering amount
of data loss. The $300 was a no-brainer, but after 2 weeks of "Waiting for payment activation" I began
to lose hope. So much that I tried to deposit the MoneyPak back into my PayPal acct only to be asked
for my SSN which I fortunately didn't feel like giving out.
Fast forward 16 days after infection, I rebooted the infected laptop and was greeted by the CryptoLocker
prompt again (which had previously disappeared after 14 days) and figured I would connect it to guest
wifi in the off chance I get activated - 2 hours later: PAYMENT ACTIVATED!! So now I am prompted saying
it can't find the first encrypted file on the mapped drives, so I scramble to reconnect the old encrypted
drives that have been abandoned and follow the registry export in WinMerge watching it do its magic.
After 45 mins it hits the first file it can't find - someone had deleted 8 files from a share! I didn't
want to click cancel, as I thought that would cancel the whole decryption process, so I made an asdf
text file and renamed it to the missing file+path and it said "FILE NOT ENCRYPTED" but still would not
go past it. Here is the interesting part: I copied and renamed a known-encrypted pdf to the name+path
of the missing file and it took it without complaint - AND DECRYPTED IT. So that basically proves that
the random dword "salts" are not used by decryption thus confirming what the OP had speculated.
A couple other pointers if you decide/need to pay the ransom: Decryption will halt
at any files missing, so don't worry about having the (partially) encrypted drives mapped while it's waiting
for payment activation. It's not worth sacrificing any good data at this point. Keep it disconnected
from everything on a guest wifi and wait for payment activation before you reconnect to anything important.
It was still encrypting any new data introduced to it while waiting for payment activation.
Regularly export your CryptoLocker reg key to view the list of encrypted files, save versions of
this and use comparison tools like WinMerge to keep track of the decryption/encryption process. Once
a file is decrypted, it is removed from the reg key. My reg key was 28 megs at its peak!
I actually tried to get sneaky and copy the encrypted network shares to an external 3 TB drive and
connect it to the infected computer and share the external drive locally then map the correct drive
letters. Unfortunately CryptoLocker saw this as a whole new drive and went in and re-encrypted everything
on it again. As of now CryptoLocker has successfully decrypted the original network shares, but it currently
stopped waiting for the USB drive to be plugged back in. I am curious if it will successfully decrypt
a file that has been encrypted twice. My gut reaction would be no, but after seeing how it decrypted
the spoofed file/path I am curious. It must be taking some sort of shortcut to encrypting the files
if it can move this fast on an old Core 2 Duo...
I was never comfortable with our NTFS hardware RAID-5 setup for the shared drives. I had actually
set up a ZFS SAN (napp-it+OpenIndiana) to move these shares to so we could get snaps/versioning and offsite
replication on the shared drives but I never was able to get the GPO maps to work with SAN authentication.
Once we got infected, this became a top priority and I sorted out the maps and moved all unencrypted
data to the ZFS SAN and switched users over to this.
Anyways, I had been immersed in this thread for the last 2 weeks and figured I would post my experience.
Good luck to everyone!
UPDATE: I have test decrypted several files that were encrypted twice and to my
surprise they did decrypt successfully with the single decryption pass! This only applies to files that
somehow managed to get encrypted twice with the same infection (read: same private
key), which may not help that many people. What happened in my situation was that I reintroduced a copy
of the encrypted files to the infected system under a different path name and it re-encrypted all of
the already-encrypted files.
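Added example, not code from the post above: a scripted form of the "export the reg key and diff it in WinMerge" routine, which snapshots the file list CryptoLocker keeps under HKCU\Software\CryptoLocker (the key named earlier in the thread) and compares two snapshots to show what was newly encrypted and what has since been decrypted. It assumes the value names under that key are the encrypted files' paths; the function names and snapshot folder are mine.

```powershell
# Added example, not code from the post above: snapshot and diff the list of files
# CryptoLocker records in the registry, instead of exporting .reg files into WinMerge.
# Assumption (not stated on the page): the value names under HKCU\Software\CryptoLocker
# and its subkeys are the full paths of the encrypted files; the DWORD data is ignored,
# since the post establishes it plays no part in decryption. Everything here is read-only.

$CryptoLockerKey = 'HKCU:\Software\CryptoLocker'

function Get-CryptoLockerFileList {
    # Returns the sorted, de-duplicated set of paths currently listed in the key.
    param([string] $Key = $CryptoLockerKey)
    if (-not (Test-Path -LiteralPath $Key)) { return @() }
    $keys = @(Get-Item -LiteralPath $Key) +
            @(Get-ChildItem -LiteralPath $Key -Recurse -ErrorAction SilentlyContinue)
    $keys | ForEach-Object { $_.GetValueNames() } |
        Where-Object { $_ -ne '' } |          # drop the key's unnamed (default) value
        Sort-Object -Unique
}

function Save-CryptoLockerSnapshot {
    # Writes one timestamped snapshot and returns its path. Run it repeatedly while
    # "waiting for payment activation" and during decryption.
    param([string] $Folder = (Join-Path $env:USERPROFILE 'cryptolocker-snapshots'))
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $file = Join-Path $Folder ('files-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    $list = @(Get-CryptoLockerFileList)
    [System.IO.File]::WriteAllLines($file, [string[]]$list)   # copes with an empty list
    $file
}

function Compare-CryptoLockerSnapshot {
    # Paths present only in the later snapshot were encrypted in between; paths present
    # only in the earlier one were decrypted (the malware removes them once restored).
    param([Parameter(Mandatory)][string] $Before, [Parameter(Mandatory)][string] $After)
    $old = @(Get-Content -LiteralPath $Before)
    $new = @(Get-Content -LiteralPath $After)
    $oldSet = @{}; foreach ($p in $old) { $oldSet[$p] = $true }   # hashtable keys are case-insensitive
    $newSet = @{}; foreach ($p in $new) { $newSet[$p] = $true }
    [pscustomobject]@{
        Encrypted = @($new | Where-Object { -not $oldSet.ContainsKey($_) })
        Decrypted = @($old | Where-Object { -not $newSet.ContainsKey($_) })
        Remaining = $new.Count
    }
}

# Usage: take a snapshot, let decryption (or the payment wait) run a while, take another, diff.
$first = Save-CryptoLockerSnapshot
# ... later ...
$second = Save-CryptoLockerSnapshot
Compare-CryptoLockerSnapshot -Before $first -After $second | Format-List
```

Any path that shows up under Encrypted after you expected decryption to be running is a drive or share that is still reachable and should be disconnected, as the post warns.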
We had a call from a client with a strange virus asking for $300. As IT professionals, we have
seen this a million times and suit up to go save the day. We roll out to the client's location as
normal, get inside for what we expect to be a 15 minute removal and find the most dangerous virus
/ malware we have ever seen.
Crypto Locker is an up front, and honest program. It is not making false claims or trying to
make threats it cannot deliver on. That is what makes it so unique when compared to other malware
programs out there. Like an arrogant little kid who knows he pulled a fast one over on you and you
have no choice but to do what he says.
To sum up, Crypto Locker starts out by putting a big giant warning on your screen that tells
you the following.
I have locked up all your documents, and created a nice organized list of all the documents
I locked up for you... want to see?
No one can unlock your documents but me.
I am the only one who knows the key to unlock your files.
If you remove me, your documents will be lost for ever.
You have X amount of time left to pay for this key or else we delete it and your files are
lost forever.
Now please click "next" and we will teach you how to receive this unlock key.
So how do you remove it?
The answer is... you don't. You pay and hope they actually unlock your files or else you lose your
files. Which is the second piece of this virus that makes it so unique. If you pay, they ACTUALLY
UNLOCK your files. According to Geek.com, "Amazingly, paying the Cryptolocker ransom does actually
initiate the decryption process."
We have also seen other accounts of payment resulting in unlocked files. Criminals who keep their
word are a rare breed indeed. There is obvious risk that you might have a Crypto Locker knock off,
who might take your money and run. So there is no guarantee. However if you have critical data that
is locked up in Crypto Locker and you do not have backups (or your backups got locked up as well)
then it might be worth the $300 gamble.
What should I NOT do?
DO NOT try to run an anti-virus and remove Crypto Locker. You will be successful in removing Crypto
Locker but your files will still be locked up. And once the software is removed, or once the timer
runs out, they are not joking when they say no one can unlock the files.
How do I decrypt the files that Crypto Locker encrypted?
The only way to do this is to get the key that was used to encrypt the files. Below are examples
of people who have tried to self-decrypt.
So far, no one has come up with any way to decrypt the files. This is because RSA-2048 is not
a made up encryption. In fact, no one has ever cracked any RSA-2048 encrypted documents. At least
not publicly, and there is a $200,000 reward out for anyone in the world who can do so.
This means that without the key which the virus maker has, you cannot unlock your files, at least
not with any known methods that have been developed and are available to the public. There are not
even any known ways of doing it by the government. From what we know, the NSA themselves could not
unlock your files even if it was a matter of national security!
Can't I use someone else's key?
No, this encryption has a private and public key, and also has a separate key for decryption than
it does for encryption. This is why if you remove Crypto Locker before the files are unlocked not
even the virus maker can unlock it because he doesn't know which key goes to it.
This virus is 100% honest from what we can tell, and there is no other known method of retrieving
the data other than paying, and then you are hoping the criminals are kind enough to continue to
unlock the files. This might not be the news you are looking for but it's the truth.
Even if you choose to pay to unlock the files, we highly recommend having the entire machine
deleted then reloaded with a fresh operating system. They got in once and they might still be in
your computer sitting and waiting for a month or two before they pull another lock down on you.
What can I do to protect myself or my business from Crypto Locker?
The best protection is a robust data backup plan, up to date antivirus and up to date patches from
an experienced IT professional. If you have in-house IT then have them walk you through the disaster
recovery plan. If you are a small or medium company then outsource critical functions like this
and get a Service Level Agreement which covers complete data loss.
No IT firm/person can eliminate all risk, but with proper planning even the worst scenario can
be mitigated.
CryptoPrevent is a tiny utility to lock down any Windows OS to prevent infection by the Cryptolocker
malware or 'ransomware', which encrypts personal files and then offers decryption for a paid ransom.
Recent Changes:
◦v2.2.1 – made changes to prevent duplicate rules from being created when protection is applied
multiple times without undoing the protection first. No harm would come from the duplicate rules,
but my OCD was bothering me.
◦v2.2 – added additional restriction policies to better protect Windows XP against the latest strains
– prior versions were not protecting %username%\local settings\application data and their first
level subdirectories, but rather only %username%\application data and their first level subdirectories.
Along with this comes additional whitelist scanning functionality. Other syntax changes in the rules
for better compatibility with all OSes.
◦v2.1.2 – added gpupdate /force to force a refresh of group policy after removing prevention via
the Undo features. This may negate the need for a reboot after Undo, and resolve issues where a
reboot doesn't quite do the trick… Also added a re-test for active protection to determine if a
reboot prompt should be displayed after Undo, on the chance that it is still required.
◦v2.1 – fixed Temp Extracted EXEs blocks on some systems that refused to work with %temp% in the
rules.
◦v2.0.1 – fixed whitelisting capabilities not working on some systems since v2.0
There already exists a Cryptolocker Prevention Kit as found here, but it only works with domains
and OSes that have access to group policy editor (Professional versions of Windows) leaving Home
versions without a method of protection. It also isn't the most intuitive of installations for the
average Joe, either. The methodology CryptoPrevent uses to lock down a system is presented by Lawrence
Abrams of bleepingcomputer.com here, and without that guide CryptoPrevent would not exist. Unfortunately,
like the other Cryptolocker Prevention Kit mentioned, Lawrence Abrams guide involves usage of the
Group Policy Editor available in Professional versions of Windows, and is a time consuming manual
task. CryptoPrevent seeks to alleviate these issues in allowing protection on ALL Windows OSes,
while being easy enough for the average Joe to do, and optionally providing silent automation options
for system admins and those who need to immunize a lot of computers automatically.
CryptoPrevent is a single executable and is fully portable (of course unless you download the
installer based version) and will run from anywhere, even a network share.
Prevention Methodology
CryptoPrevent artificially implants group policy objects into the registry in order to block
certain executables in certain locations from running. Note that because the group policy objects
are artificially created, they will not display in the Group Policy Editor on a Professional version
of Windows - but rest assured they are still there!
Executables are blocked in these paths where * is a wildcard:
◦%appdata% and any first-level subdirectories in %appdata% (e.g. %appdata%\directory1, %appdata%\directory2,
etc.)
◦%localappdata% (on Vista+) and any first-level subdirectories in there.
◦%temp%\rar* directories
◦%temp%\7z* directories
◦%temp%\wz* directories
◦%temp%\*.zip directories
The first two locations are used by the malware as launch points. The final four locations are
temporary extract locations for executables when run from directly inside of a compressed archive
(e.g. you open download.zip in Windows Explorer, WinRAR, WinZip, or 7zip, and execute an .EXE from
directly inside the download, it is actually extracted to a temporary location and run from there
– so this guards against that as well.)
NOTE: Protection does not need to be applied while logged into each user account, it may be applied
only once from ANY user account and it will scan for and protect all user accounts on the system.
This is accomplished despite an apparent bug in Microsoft's software prevention policies that does
not allow for the %temp% environment variable to be used in the rules (as it does allow %appdata%)…
so protection for %temp% folders is now applied by expanding the full path to the user's temp folder
in each rule set, and replacing the username with an * in the rules so that a single rule can cover
all users. In prior versions, CryptoPrevent attempted to use the %temp% environment variable to
protect all user accounts, but it was later discovered that methodology wasn't working on all systems.
If you applied protection with prior versions and want temp extracted exes blocked, you may want
to reapply protection with v2.2 to ensure it will work for you.
The Office of Campus Information Security (OCIS) is aware of a relatively new ransomware trojan
actively attacking campus users and computers. The ransomware is commonly called Cryptolocker, but
is detected as Trojan.Ransomcrypt by Symantec or Trojan:Win32/Crilock by Microsoft.
Like all file encrypting ransomware, Cryptolocker's goal is to encrypt your data and try to sell
it back to you, or else. Unfortunately, the bad guys that wrote Cryptolocker did something that
other ransomware has not always managed–they got their encryption right. Once your files are encrypted,
there is no way to decrypt them without paying the ransom.
Cryptolocker uses standard malware attacks to get itself on your computer: social engineering
emails with the trojan attached, drive-by downloads from infected web sites, and inclusion in additional
malware downloaded by other trojans already infecting a computer (botnets).
Antivirus applications are detecting Cryptolocker, but are struggling to successfully block it
before it encrypts files.
What can I do?
Paying the ransom is not recommended, however, once your files are encrypted, the only sure way
to get them back without paying up is from a backup. So prevention is much better than a cure.
1. CryptoLocker installs itself into your Documents and Settings folder,
using a randomly-generated name, and adds itself to the list of programs in your registry that Windows
loads automatically every time you log on.
2. It produces a lengthy list of random-looking server names in the domains .biz,
.co.uk, .com, .info, .net, .org and .ru.
3. It tries to make a web connection to each of these server names in turn, trying one each second
until it finds one that responds.
4. Once it has found a server that it can reach, it uploads a small file that you can think of
as your "CryptoLocker ID."
5. The server then generates a public-private key pair unique to your ID, and sends the public
key part back to your computer.
→ Remember that public-key cryptography uses two different keys: a public key that locks files,
and a private key that unlocks them. You can share your public key widely so that anyone can encrypt
files for you, but only you (or someone to whom you have given a copy of your private key) can decrypt
them.
6. The malware on your computer uses this public key to encrypt all the files it can find that
match a largish list of extensions, covering file types such as images, documents and spreadsheets.
→ Note that the malware searches for files to encrypt on all drives and in all folders it can
access from your computer, including workgroup files shared by your colleagues, resources on your
company servers, and possibly more. The more privileged your account, the worse the overall damage
will be.
7. The malware then pops up a "pay page," giving you a limited time, typically 72 hours, to buy
back the private key for your data, typically for $300. (The price point is surprisingly similar
to what it was back in 1989.)
→ With the private key, you can recover your files. Allegedly. We haven't tried buying anything
back, not least because we know we'd be trading with crooks.
CryptoLocker is similar in some ways to other forms of ransomware, such as the Reveton police
Trojan, but it's far more sophisticated in its construction and aggressive in its demands.
The necessary decryption key is never left lying around on host machines. CryptoLocker phones
home to a command-and-control server to obtain a public RSA key before it begins the task of silently
encrypting files on compromised machines. The same command server also hosts the private key.
Malware that encrypts your data and tries to sell it back to you is not new. As net security
firm Sophos points out, CryptoLocker chiefly differs because it uses industry-standard cryptography
for malign purposes.
"SophosLabs has received a large number of scrambled documents via the Sophos sample submission
system," Sophos explains in a blog post.
"These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption,
and that we can help them get their files back," adds the firm. "But as far as we can see, there's
no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble."
A video from SophosLabs showing the malware in action can be found on the next page. Victims receive
little or no indication of problems on an infected machine while the malware is encrypting files
in the background.
Re: Already seen this
"You can't kill this virus in normal ways."
So, it manages to run despite having a software restriction policy in place preventing any
vaguely executable code from running outside of program files or authorised network shares?
I've been receiving the Companies House emails regularly. I've had a few users run them with
nothing more harmful than the standard SRP prohibited text since Outlook opens attachments in
a temp directory, which is not in program files, so it doesn't run and I'm safe despite the
users.
Anti virus software is not enough. Stick yourself in a basic SRP and your virus issues will
vanish overnight because the users can't run the bloody things if they try.
Secondly, get yourself a copy of Sysinternals from the Microsoft website and use Process
Explorer instead of Task Manager and PsKill to kill things instead of the "end task" button
in Task Manager. If you want malware dead, don't allow it to gracefully close through a task
manager request to close. That's just letting it run more instructions. Figure out where the
file and all its dependencies are from Process Explorer and then either suspend or terminate
it. Take a hash of the file to stick in a network wide SRP GPO that denies it the ability to
run. Zip a copy of the file and email it to your AV vendor. Now you're done and you can delete
it.
It encrypts .doc, .dwg etc
So what? In the corporate world those files should be held in some kind of version control
and backed up. So at worst you lose a day's work. Network shares? Same thing. They should not
be the master, they should be the published version of a document under proper control (also,
users don't need write access to *everything*). As for local files that are being worked on;
well, those are backed up as well aren't they?
And why the HELL do people open an attachment without first scanning it? When coming in from
outside, open it on a machine which has actual work files on it. Are they totally mentally deficient?
Run Outlook in a separate VM. Problem solved.
If you are following good procedures, CryptoLocker is minimal risk and the main annoyance
will be downtime as the PC is re-imaged. If you are affected by CryptoLocker and want someone
to blame, look in the mirror.
Then call MS and ask them why their software is so shit.
I can see this being a serious worry for home users. Top-tip: stop opening random files.
Re: It encrypts .doc, .dwg etc
How naive can you get?! Obviously never worked for a large corporation then. The idea that
they always do things properly is just naivety. Release documents will (should) be in a document
management system, but there are always many documents which are not.
Reality check
And what about the SMEs, who have lots to lose and are unlikely to have the budget for enterprise
level procedures?
Re: It encrypts .doc, .dwg etc
I really hope you're not an IT support guy. Users are... users... they are not IT experts,
the same way that IT experts are not brain surgeons. Yes, good practice is always good, but...
Cloud backup
If you have a sync directory, wouldn't it be rather annoying if the files in it were encrypted,
uploaded to e.g. DropBox, then synced with your other machines?
It'd be recoverable if you had a cloud locker with version control, but still annoying.
Re: Cloud backup
DropBox has versioning. In fact it's how we got back our Salesperson's files from her laptop
when she got this nasty last week.
TkH11
It never ceases to amaze me how many people open and click on links in emails without knowing
who they're from. Even my employer (who shall remain nameless) has become infected despite there
being a fairly recent and high profile campaign targeting computer security and phishing emails.
Some people are just dumb.
Mike Bell
To be fair, a bit of social engineering is involved here by making the file look like something
that it isn't (a PDF). Not every user is a geek, but they might know enough to know that PDFs
are normally harmless viewable documents. If they possess a little geekiness, they might know
that you'd better be dead sure you're running a *very* up-to-date PDF viewer. A little more
and they'd know that executables can be camouflaged like this.
I imagine that such a "dumb" user might be tempted to call you and me nerdy geeks who need
a life.
DrXym
I was talking to someone a week ago who got a popup in their browser warning they were downloading
pirated software and to click to acknowledge this. The sad thing is that while they didn't click,
they actually believed the warning to be genuine although it clearly wasn't. I imagine anyone
who clicked would be encouraged to pay a "fine" and possibly install "monitoring software" which
would just be malware of some kind.
I assume the criminals wouldn't bother with these scams if people didn't fall for them.
Wild Bill
From the detailed breakdown from Bleeping Computer, it appears that the encryption doesn't
take place until the virus is able to phone home to one of its many servers, which have their
domains automatically created using a Domain Generation Algorithm.
Is there not any software that can block all domains which are obviously gobbledygook and
are therefore likely to have been automatically generated by a nasty? It appears DGAs are used
by a lot of viruses to phone home, so such a blocklist could be a reasonably good last line
of defence for a multitude of arseholery (obviously not getting a virus in the first place is
the ideal approach).
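Wild Bill's question above is about spotting DGA-style names before the malware phones home. As an added example (not from the comment thread or from any product named on this page), the Python below runs a simple pronounceability heuristic over a constructed DNS query log; the two suspicious names in the sample are the ones the Emsisoft analysis further down this page reports as live C&C hosts, and the thresholds are assumptions tuned to that sample. It flags registrable labels with long consonant clusters or random-looking letter distributions with few vowels. A real deployment pairs this with an allowlist: pronounceable legitimate names (bleepingcomputer) score high on entropy alone, and short legitimate names built from consonants (xkcd) would be flagged.

```python
import math
from collections import Counter

# Constructed DNS query log (not from the page): "<timestamp> <client> <queried name>".
# The two unreadable names are the DGA domains the Emsisoft analysis on this page
# lists as active C&C hosts; the rest are ordinary names for contrast.
SAMPLE_DNS_LOG = """\
2013-10-28T09:14:02Z 10.0.0.12 www.microsoft.com
2013-10-28T09:14:05Z 10.0.0.12 xeogrhxquuubt.com
2013-10-28T09:14:05Z 10.0.0.12 qaaepodedahnslq.org
2013-10-28T09:14:09Z 10.0.0.34 mail.google.com
2013-10-28T09:14:11Z 10.0.0.12 dropbox.com
2013-10-28T09:14:13Z 10.0.0.12 bleepingcomputer.com
"""

VOWELS = set("aeiou")  # 'y' is treated as a consonant, a deliberate simplification


def shannon_entropy(text):
    """Bits per character of a label; high for random-looking strings (and for long words)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(label):
    """Length of the longest run of consecutive consonants, a crude pronounceability proxy."""
    best = run = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def registrable_label(qname):
    """Second-level label of a name, e.g. 'www.microsoft.com' -> 'microsoft'.
    Assumes a single-label public suffix; co.uk style suffixes need a suffix list."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label, max_run=4, entropy_floor=3.5, vowel_floor=0.3):
    """Heuristic: an unpronounceable consonant cluster, or high entropy with few vowels.
    Thresholds are assumptions chosen for the constructed sample, not published values.
    Short consonant-only names such as 'xkcd' are false positives; allowlist them."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return (longest_consonant_run(label) >= max_run
            or (shannon_entropy(label) >= entropy_floor and vowel_ratio < vowel_floor))


def flag_dga_domains(log_text):
    """Return the sorted list of queried names whose registrable label looks generated."""
    flagged = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        qname = fields[2]
        if looks_generated(registrable_label(qname)):
            flagged.add(qname.lower())
    return sorted(flagged)


if __name__ == "__main__":
    for name in flag_dga_domains(SAMPLE_DNS_LOG):
        print("suspect:", name)
```

Running it lists the two generated names and nothing else; the entropy branch alone would not separate them from long dictionary words, which is why the consonant-run check carries most of the weight.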
Education is really the only way to prevent this unfortunately. Without education people will
continue to open email attachments they shouldn't, use weak passwords, and provide little or no
network security.
These types of encrypting malware are the new breed of moneymakers for malware developers, especially
as they can be created by individuals or small groups rather than larger organizations. In the past
it was rogue anti-spyware programs, but then the credit card/merchant companies caught on and that
method was pretty much eliminated. Ransomware, such as this CryptoLocker,
ACCDFISA, and
DirtyDecrypt, is the future as the ransom payments are typically anonymous, are essentially
cash, and very difficult to trace. These payment methods are typically MoneyPak, Ukash, and now
Bitcoins.
As always, I suggest no one pay them if they can avoid it, as it just encourages them to continue.
On the other hand, I know that not everyone has a backup of their data for whatever reason and that
it is necessary to get this data back by any means.
Once booted into this you can use the File Manager and registry editor to remove the startup
entry for this. First browse the registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and locate
the random file (this will also show you where on the system this is loading from). Remove this reg
entry. You should also check: HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
Once the reg entry is deleted, use the File Manager function to browse to where this file
is located and delete this file.
Shut down the rescue disk and boot as normal; this should then boot without the CryptoLocker
screen appearing. You should then run a scan with your current AV software or download Malwarebytes:
http://www.malwarebytes.org/
and run a scan with this. It may be best to run this scan with the computer in safe mode.
tl;dr: CryptoLocker encrypts a set of file masks on a local PC and any mapped network drives
with 2048-bit RSA encryption, which is uncrackable for quite a while yet.
WinXP through Win8 are vulnerable, and infection isn't dependent on being a local admin or having
UAC on or off.
MalwareBytes Pro and Avast stop the virus from running.
The timer it presents is real and you cannot pay them once it expires. You can pay them with
a GreenDot MoneyPak or 2 Bitcoins, attempt to restore a previous version using
ShadowExplorer, go to a backup (including versioning-based
cloud backups), or be SOL.
... ... ...
Vectors: In order of likelihood, the vectors of infection have been:
Email attachments: A commonly reported subject is Payroll Report. The attachment, most of
the time, is a zip with a PDF inside, which is actually an executable.
Email attachment: I have seen one from a Xerox internal spoofed email saying their scan
was ready.
PCs that are unwitting members of the Zeus botnet have had the virus pushed to them directly.
There is currently one report of an infection through Java, using the .jnlp file as a dropper
to load the executable.
Payload: The virus stores a public RSA 2048-bit key in the local registry,
and goes to a C&C server for a private key which is never stored. The technical nuts and bolts
have been covered by Fabian from Emsisoft
here. It will use a mix
of RSA 2048-bit and AES 256-bit encryption on files matching these masks: *.odt, *.ods, *.odp,
*.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt,
*.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd,
*.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf,
*.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw,
*.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b,
*.p7c, *.pdf, *.tif
Many antiviruses have been reported as not catching the virus until it's too late, including
MSE, Trend Micro WFBS, Eset, GFI Vipre, and Kaspersky. They can further complicate matters by reverting
registry changes and removing the executables, leaving the files behind without a public or
private key. Releasing the files from quarantine does work, as does releasing the registry keys
added and downloading another sample of the virus.
Prevention: As this post has attracted many home users, I'll put at the top
that MalwareBytes Pro, Avast! Free and Avast! Pro (defs 131016-0 16.10.2013 or later) will prevent
the virus from running.
For sysadmins in a domain environment, one way to prevent this and many other viruses is to set
up software restriction policies (SRPs) to disallow the executing of .exe files from AppData/Roaming.
Grinler explains how to set up the policy
here.
Visual example. The rule covering %AppData%\*\*.exe
is necessary for the current variant. The SRP will apply to domain admins after either the GP timer
hits or a reboot, gpupdate /force does not enforce it immediately. There is almost
no collateral damage to the SRP. Dropbox and Chrome are not affected. Spotify may be affected, not
sure. I don't use it.
Making shares read-only will mitigate the risk of having sensitive data on the server encrypted.
Forecast: The reports of infections have risen from ~1,300 google results for
cryptolocker to over 150,000 in a month. This virus is really ugly, really efficient, and really
hard to stop until it's too late. It's also very successful in getting people to pay, which funds
the creation of a new variant that plugs what few holes have been found. I don't like where this
is headed.
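To see which files on a workstation or share fall inside the masks listed in the post above (for backup and exposure planning on a clean system, not for running on an infected one), here is an added Python example written for this page; it is not the post author's tooling. The mask list is the one quoted in the post; the sample paths are constructed. fnmatch has the same semantics the masks assume: `*` matches any run of characters and `?` exactly one, so `????????.jpg` selects eight-character camera names like `DSC_0001.jpg` but not `holiday.jpg`, and a backup copy renamed to `.bak` is out of scope, which is the point made at the top of this page about backup extensions.

```python
import fnmatch
import ntpath  # handles Windows paths on any host

# File masks exactly as listed in the post above.
CRYPTOLOCKER_MASKS = [m.strip() for m in """
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb,
*.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf,
*.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr,
*.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf,
*.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b,
*.p7c, *.pdf, *.tif
""".split(",")]

# Constructed sample of paths as a file inventory script might list them (not real data).
SAMPLE_PATHS = [
    r"C:\Users\bob\Documents\letter.docx",
    r"C:\Users\bob\Documents\notes.txt",
    r"C:\Users\bob\Downloads\setup.exe",
    r"C:\certs\server.pfx",
    r"D:\Photos\DSC_0001.jpg",
    r"D:\Photos\holiday.jpg",
    r"D:\Photos\IMG_20131028.jpg",
    r"S:\Finance\Q3 Payroll.xlsx",
    r"S:\Finance\Q3 Payroll.xlsx.bak",
]


def first_matching_mask(filename):
    """Return the first mask the bare file name matches (case-insensitively), or None."""
    name = filename.lower()
    for mask in CRYPTOLOCKER_MASKS:
        # fnmatchcase: '*' matches any run of characters, '?' exactly one character,
        # so '????????.jpg' requires exactly eight characters before the extension.
        if fnmatch.fnmatchcase(name, mask.lower()):
            return mask
    return None


def find_targeted(paths):
    """Map each in-scope path to the mask that selects it; out-of-scope paths are omitted."""
    targeted = {}
    for path in paths:
        mask = first_matching_mask(ntpath.basename(path))
        if mask:
            targeted[path] = mask
    return targeted


def count_by_volume(targeted):
    """Summarise exposure per drive letter, e.g. to see how much of a mapped share is in scope."""
    counts = {}
    for path in targeted:
        counts[ntpath.splitdrive(path)[0]] = counts.get(ntpath.splitdrive(path)[0], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_targeted(SAMPLE_PATHS)
    for path, mask in hits.items():
        print(f"{mask:14} {path}")
    print(count_by_volume(hits))
```

On the constructed sample five of the nine paths are in scope; `notes.txt`, `setup.exe`, the seven-character `holiday.jpg` and the `.bak` copy are not, which shows both why the mask list is narrower than "all documents" and why a renamed backup survives.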
We too got hit with this crypto ransomware. It infects the PCs and encrypts the
hardware with such a hard encryption that it can't be decrypted by anything right now. There's good
and bad news..
The good news is, you can still get your files by 1 of 2 ways..
1.) Making sure you have system restore points, you can use a piece of software called GhostExplorer
which will essentially take a ghost image from a system restore and restore your files to then.
*You will need to back up the crucial files/docs/emails.* THEN I would suggest reformatting the
PC and starting from scratch.
2.) OR you can pay them the $300.00 (which is what we did, because we did not have restore points
active) and then they will give you a private key to insert within the time requested and they will
decrypt the files and release your PC back. Once it's done decrypting your files, it will uninstall
invisibly and remove itself from the PC.. Again, back up your files (esp. the email in AppData)
and reformat your PC.
Currently there is nothing on the market that is blocking this ransomware. It's nasty and
has even gotten senators and state representatives. They have then put an investigation out
to the FBI. I'm told (from what I read) that there is a chance if you're infected and PAY....
the FBI could contact you and will need you to help the best that you can.
The BAD news is.. if you don't have $300.00 or system restore turned on.. OR you wait till after
the timer... you're screwed.. you lost all your data and can never get it back. The software will
delete the secure private key that it encrypted your files with off their server and there will
be no way for you to get it back.
From what I've read these guys started with Version 1.0 which charged people $100.00 and have
since grown exponentially and have created 2.0. This version charges $300 through a Green
Money Card you buy at your local gas station. It's supposedly untraceable. They make
approx 300k+ per month with this scam and it has grown into what we would call a "small business".
They do apparently always comply when you call them and are really nice to talk to on the phone..
which is extremely odd since they are scamming you. They tell you on the phone that
it's a service they provide to let you know how vulnerable you really are.. and they will legitimately
give you back all your files. (which they really do, oddly enough you can trust them with that).
They say the best way to prevent this is to have your PCs on a domain and there is a domain
RULE that you can set up when the PC starts that will stop files that are unexpected from running.
I'm not 100% sure how this is done as I'm no domain expert.. but it appears as of right now this
is the only way to prevent this from happening.
MOST of these scams that people get infected with DO come into a PC via email labeled from USPS
or some other supposedly reliable source, but instead it infects the user's PC and starts encrypting
files. Also if your PC is on a network and connected to a network drive (on a server) it will grab
that hard drive also and encrypt the whole server. Which is basically what happened to us.. which
is why we paid to have it released. I hate doing it.. but it is.. what it is... and
they got us... it sucks..
Connection with the C&C server is established through either a hardcoded IP (184.164.136.134,
which is down now) or, if that fails, through a domain generation algorithm located
at 0x40FDD0 and seeded by GetSystemTime. At this time xeogrhxquuubt.com and
qaaepodedahnslq.org are both active and point to 173.246.105.23.
The communication channel uses POST to the /home/ directory of the C&C server. The data is encrypted
using RSA. The public key can be found at offset 0x00010da0 inside the malware file.
On first contact the malware will send in an information string containing the malware
version, the system language, as well as an id and a group id. In return it
receives an RSA public key.
Once a suitable command and control server has been found, the malware will start to communicate
through regular HTTP POST requests.
HTTP serves only as a wrapper. All actual data exchanged between the bot and its command
and control server is encrypted using RSA. The public key used to encrypt the communication
is embedded inside the malware file. Using RSA for the communication not only lets the attacker
encrypt the connection between the malware and its server, it also verifies that the malware is
talking to the attacker's server and not to a virtual lab controlled by malware analysts.
Once the system has been successfully infected and a communication channel to the command
and control server has been established, the malware starts the encryption process
by requesting an encryption key. A typical request includes the version of
the malware, a numeric ID, the system name, a group id, and the language of the system.
The key is saved inside HKCU\Software\CryptoLocker. If you want to capture the key
on your system, the easiest way to do so is to break on CryptStringToBinaryA.
The malware targets files using the following search masks:
The encryption used for files matching these masks is a mix of RSA and AES. Essentially,
the malware generates a new AES-256 key for every file it is going to encrypt. That key is
used to encrypt the file. The AES key itself is then encrypted using the public RSA key
obtained from the server, and the RSA-encrypted blob is stored together with the encrypted
file content inside the encrypted file. As a result, encrypted files are slightly larger than
their originals. The malware also records each file it has encrypted inside the
HKCU\Software\CryptoLocker\Files key. Value names are the file paths where "\" has been
replaced with "?". Sadly, once the encryption of the data is done, reversing it is not possible.
To obtain the per-file AES key needed to decrypt a file, you need the private RSA key
matching the RSA public key generated for the victim's system by the command and control
server. That key never leaves the command and control server, putting it out of reach of
everyone except the attacker.
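Because the inventory of encrypted files lives in the value names under HKCU\Software\CryptoLocker\Files, with "\" swapped for "?", an incident responder can turn an export of that key into a restore list grouped by volume and hand it to whoever owns the backups. The following Python is an added example written for this page, not Emsisoft's or the malware's code; the registry export text is constructed in `reg export` style, and the dword value data shown is an assumption, since only the value names are used. Because Windows file names cannot contain "?", the reverse substitution is lossless.

```python
import re

FILES_KEY = r"HKEY_CURRENT_USER\Software\CryptoLocker\Files"

# Constructed `reg export` style dump (not from the page). Value names follow the
# convention the analysis describes; the dword data is an assumption, only names are used.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"Setting"=dword:00000001

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:?Users?bob?Documents?letter.docx"=dword:00000000
"C:?Users?bob?Pictures?DSC_0001.jpg"=dword:00000000
"S:?Finance?Q3 Payroll.xlsx"=dword:00000000
"S:?Finance?Forecast.accdb"=dword:00000000
"??fileserver?Designs?plant.dwg"=dword:00000000
"""

# A .reg value line looks like "name"=data; names may contain escaped quotes, paths never do.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')


def parse_files_key(reg_text):
    """Return the value names under the Files key, in file order, ignoring every other key."""
    names = []
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive.
            in_key = line[1:-1].lower() == FILES_KEY.lower()
            continue
        if not in_key:
            continue
        m = VALUE_LINE.match(line)
        if m:
            names.append(m.group(1))
    return names


def decode_path(value_name):
    """Undo the '\\' -> '?' substitution. Windows file names cannot contain '?',
    so the reverse mapping cannot mis-split a path."""
    return value_name.replace("?", "\\")


def volume_of(path):
    """Grouping key: 'C:' for local drives, '\\\\server\\share' for UNC paths."""
    if path.startswith("\\\\"):
        parts = path[2:].split("\\")
        return "\\\\" + "\\".join(parts[:2])
    return path[:2]


def restore_manifest(reg_text):
    """Map each volume to the list of files that have to be restored from backup."""
    manifest = {}
    for name in parse_files_key(reg_text):
        path = decode_path(name)
        manifest.setdefault(volume_of(path), []).append(path)
    return manifest


if __name__ == "__main__":
    for volume, files in restore_manifest(SAMPLE_REG_EXPORT).items():
        print(volume, len(files), "file(s)")
        for f in files:
            print("   ", f)
```

Export the key from the affected profile before the machine is reimaged, keep the export as evidence, and use the manifest to scope the restore; the grouping makes it obvious when a mapped drive or UNC share is involved and the server-side backups have to be checked too.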
On Monday morning, I got a call from one of our Executives telling me that his home computer
was displaying a strange message and asking for some assistance. I asked what was displaying on
the screen and he responded, "It's asking for me to pay them money to get my files". After listening
to Steve Gibson's (@SGgrc) and Leo Laporte's (@leolaporte)
Security
Now podcast from last Wednesday (#427: A Newsy Week), I dreaded the answer to my next question.
"Please read me what it says on the screen, " I asked. He responded with, "Your personal files are
encrypted! Your important files encryption produced on this computer…", oh no…
My Executive's personal home computer had been infected with
Cryptolocker. This is what the screen looked like (pardon the poor quality, these are camera
phone shots):
I knew what I was facing because of Steve's excellent description of the problem. I also knew
we probably needed to pay the ransom to get my Executive's personal files restored. However, I wanted
to get more information about protecting our Enterprise, as well as more information on how the
decryption and payment operated. So, off to Google…
I found a really good and thorough discussion of the Cryptolocker infection on
BleepingComputer.com. They do a great job breaking down a lot of the information and providing
some resources for Enterprises to combat the virus. They also have a VERY active
support forum with over 85 pages of updates including over 1200 posts dating back to September
6, 2013.
So, I absorbed a lot of that information and set my team to work. I also sent someone over to
my Executive's home to work with him on recovery. The rest of this post is what we've done and our
plans for the future.
Each computer's infection has a Command / Control server that holds the public (and private)
keys that were used to transmit the actual encryption key used to encrypt your files. This server's
operation is critical to the successful recovery of your personal (or business) files. So if it
goes offline (or is taken offline) before you can pay the ransom, the key is lost. If you try to
work around the infection, you risk the client telling the server to delete the key.
The Command / Control server is one of many that the software uses, the one for this infection
was "http://eyebjjtyvkaulgh.org" and is presented on an information screen by the infection. Knowing
that the Malware could get removed by anti-malware software, they provide a download link to the
De(en)cryption software, so you can reinstall it. Nice! You'll also notice the file icon which is
a link to a file stored on your local hard drive that lists all of the files that were encrypted.
I decided to look up some information about that URL:
According to DNS, the host resolves to the IP address 50.116.8.191
According to WHOIS, the domain was registered with a Private Registration (no surprise)
in Queensland, AU on October 26, 2013
According to WHOIS, the DNS servers for the domain are: (ns1.happilyresist.com and ns2.happilyresist.com),
most likely just the hosting provider's stock servers.
According to ARIN, the IP address is owned by
Linode, a Virtual
Server hosting provider located in Galloway, NJ
Based on the date of the registration, I suspect the domain was registered specifically for this
infection, as that timing is suspiciously close to the date of the actual infection. If I'm right,
that means that each infection has its own Command/Control server dedicated to it. The reason for
the ransom countdown is that they only want to pay for the Command/Control server for a short time,
and then they delete the entire server instance when the time expires, not just the key.
This is the HTML of our Command / Control Server, you can use some of the more unique strings
found on this page to search Google for these servers, there is at least one other I found that
is currently online. Also, note that the text and the background colors are the same. You have to
highlight the page to see the text:
There were only two payment options available: MoneyPak or Bitcoin.
The Bitcoin address for the payment was
1AXgfzpiimunqsrSFn2qgM8YgKGqqgPwU4 (hasn't been used, as it was most likely uniquely created
just for this infection). We ended up purchasing a "Green
Dot MoneyPak" and submitting it for payment of our ransom.
The infection provides lots of helpful instructions on how to buy and use a MoneyPak. It provided
similar instructions on "Getting Started with Bitcoin" and how to make the payment. All very educational!
Once payment was made, the following screen appeared:
At this time, you are awaiting the payment to be accepted and, hopefully, the decryption to begin.
According to the screen the payment confirmation is a manual process and could take up to 2 days
to process. Then of course, the decryption itself is going to take a while.
After waiting for approximately 2-3 hours, our payment was processed and the system automatically
started decrypting files. It provides a window showing you what directory it's working in and a
list of the files that have been scanned and "recovered".
Also, there is now a file on your Desktop called "Your Private Key.bin", which is presumably
the encryption key. I took a look at the file, but it's a binary key, so not terribly useful. We
archived a copy of it just in case.
Oddly, when scanning system directories (like "Program Files") the "Files recovered" doesn't
increase, but the "Files scanned" does. The implication is that it's scanning the entire drive again.
Why? I'm not sure. We know the virus has a list of all of the files it encrypted, there shouldn't
be a reason to re-scan the whole drive(s), just decrypt all of the files in the list it already
made.
At this point, I'm a bit nervous about the outcome. I've read where after decryption ends, the
system BSODs, or reboots. If you let it reboot, it re-infects your system and you're back to Square
1. However, I know for a fact that the decryption is happening because documents on the Desktop
that were encrypted (and the icons changed because the file extension changed) are back to normal.
During the course of the decryption, we did log a few errors (3 I believe), these appeared to
be Microsoft Office temporary files (autorecovery files actually), and I believe the tilde (~) in
the file name is what caused the decryption to fail. The tilde is a special path character in Linux/Unix,
and perhaps the decryption library doesn't handle them correctly (although they appeared to encrypt
fine!).
The decryption finally finishes and you're presented with this screen:
At this point we have no idea what the software is doing. If you click Cancel we're unsure what
the software will do (it says it will delete itself), of course, for all we know the software is
re-encrypting the whole drive as the system is sitting there. We opted to power off the system without
interacting with the software at all. This seemed to be the best solution. We then pulled the drive
from the system and are mounting it to an off-net (non-Windows) computer for file recovery.
I'll post progress updates as we have them.
Why are these people doing this? Because crime does pay. The two Bitcoin addresses that were
originally used in the early versions of the infection (back in September) were:
The two addresses above amassed 46 and 55 BTC respectively according to BlockChain.info. That's
101 BTC in under 60 days, or $21,000 at today's value. This of course only covers the two known
addresses, there are hundreds (or thousands) more. By reading the BlockChain you could explore the
addresses that were used to offload the coins out of those addresses, but that is tedious work.
As the great
W.O.P.R. once said, "The only winning move is not to play.":
Don't click links or open attachments inside email.
Have a "Cold" backup in your home (i.e. not connected to your computer other than when it's
used to backup)
Have an "Online" backup that is cloud-based and inaccessible to your computer as a volume
(Carbonite
or CrashPlan)
Yes, if your files are important, you should have at least 2 backups.