by Kim Crawley

Tips to avoid being bit by CryptoLocker (and what to do if you are)

Dec 03, 2013 | 18 min read
Topics: Application Security, Cybercrime, Data and Information Security

InfoSec Institute's Kim Crawley details CryptoLocker, the latest in scareware, and offers suggestions for avoiding infection

By 2007, if not earlier, Windows users were encountering the very first rogue antivirus programs. Even today, end users are easily fooled by this vicious type of malware.

Developers of rogue antivirus programs usually put a lot of effort into creating GUIs that resemble legitimate antivirus programs or OS components such as Windows Defender.

Contrary to popular belief, rogue AVs aren’t exclusive to Windows. In May 2011, the first rogue AV for Mac OS X was discovered. In June of this year, the first Android rogue AV was discovered. If rogue AVs for Linux distros, other Unix/BSD distros, iOS, BlackBerry and Windows Phone don’t already exist, they’re inevitable.

Because Mac users and mobile device users frequently believe that they’re “immune” to malware, rogue AVs for those platforms may be even riskier than the first ones for Windows.

I’ve never encountered rogue AVs as a user. As an IT security expert, web developer, and occasional white hat “skiddie” (script kiddie), I should know better, so I do. I first encountered rogue AVs while providing remote support to Windows users all across the United States. And, oh boy, did I ever see them a lot back then. I swear, nearly a quarter of my support tickets involved ridding user machines of rogue AVs.

They usually fooled my customers very well. Either the end user didn’t know what AV software they were using, if any, or didn’t think it was suspicious to see a program that looks like an antivirus program, but not their antivirus program. I said, umpteen times, “Just let me get rid of it for you, do not, whatever you do, input your credit card number!” “But I just want it to go away!” they’d cry.

Often, between calls, I’d hear my coworkers say the very same thing to customers.

You know what would have happened if my customers had done what the rogue AVs told them to do? The party behind the rogue AV would take their credit card number, validate it, then charge large amounts to it, fraudulently, even though the GUI would say the charge would be $19.99 or something like that. Then, the credit card number might be used for identity theft. On the end user’s side, they wouldn’t be rid of the rogue AV. In fact, I’ve had many customers say that after inputting their credit card numbers, their PCs would get even worse. Oh why didn’t those customers call me or one of my colleagues before considering doing that?

The bigger picture is that, when end users fall prey to rogue AVs, they not only harm their PCs, mobile devices and themselves, but by making the people who write that sort of malware money, they’re encouraging them to keep doing it. It’s insidious.

Rogue AVs have been called “scareware” in recent years. Well now, there’s a new type of scareware in town!

Introducing the very first rogue cryptography program, CryptoLocker! CryptoLocker was first found on PCs running Windows XP, Vista, 7, and 8 in September 2013. CryptoLocker doesn’t lie quite as much as rogue AVs do. A rogue AV will typically “discover” thousands of malware items on your PC that don’t actually exist: “You must pay $19.99 for Antivirus Protector 2013 to protect your PC!” when “Antivirus Protector 2013” is itself the actual malware. CryptoLocker largely does exactly what it says it will do. It will gradually encrypt files and folders on your PC, without giving the user access to the decryption key. If the infected PC is a client in a local network that shares files and folders, such as a library or office PC, the shared resources will be encrypted first.

CryptoLocker will keep on encrypting files until you can’t use your favorite applications and documents. Eventually, Windows won’t even work properly, because essential OS files, such as dynamic link libraries (DLLs), will be encrypted. And it doesn’t matter whether you’re using an admin account.

The solution, according to the CryptoLocker GUI, is to pay two Bitcoins to the makers of the program. To the uninitiated, Bitcoin is a digital currency that was launched in 2009. When I first checked Bitcoin exchanges in 2011, a Bitcoin was about $5.00 Canadian or $7.00 American. As of this writing in November 2013, a Bitcoin trades for $306.00 American or $323.00 Canadian, so it’s a highly volatile currency and it may be continually rising in value. Oh, if only I had bought Bitcoins in 2011! I don’t think I could afford them now.

If you want to buy Bitcoins yourself, do note that they’re perfectly legal to buy and use. Some mainstream banks will sell them to you, or alternatively, you could buy them online via PayPal or a credit card. The only taint of illegality is that, because they aren’t as easily traceable as other methods of payment, they’re popular for buying illegal things. For example, the Silk Road was a popular eBay-like store for illegal drugs that existed only through the Tor network, under the .onion top level domain. I never bought anything there, but I took a look at the site for curiosity’s sake. It was shut down by authorities as recently as a couple of months ago, and the only currency allowed there was Bitcoins.

Now, the makers of CryptoLocker are using the currency. I imagine at this point, too many makers of rogue AVs have been caught by credit card companies, so the CryptoLocker folks have realized that Bitcoins are safer. Bitcoins can be bought with any major currency worldwide, but note that two Bitcoins are now over $600.00 in American or Canadian currency. Ouch!

Lawrence Abrams at Bleeping Computer has written an excellent guide to getting rid of CryptoLocker. Unfortunately, he offers paying the CryptoLocker ransom as one of the options for removing it. He even goes so far as to explain how to put CryptoLocker back on your PC if a legitimate AV shield has quarantined it, in order to make the payment. Although users have reported that CryptoLocker actually does decrypt files and goes away after payment, I strongly discourage you from paying them. As I’ve said about rogue AVs, it only encourages the bastards. If an organized crime member showed up at my apartment, demanding money to stop his gang from burning my building down, I wouldn’t pay the gangster, I’d call the cops.

Now, the cops can’t help you prevent or get rid of CryptoLocker, so I’ll offer my two cents, a tiny fraction of a Bitcoin.

To prevent CryptoLocker, you’ve got to know how users acquire it in the first place. CryptoLocker’s victims have reported that it usually starts by them receiving an email that appears to be from UPS or FedEx. Keep in mind, it’s really easy to spoof emails if you know how to do it. I’ve done it myself. Depending on your email program, whether it’s a client that runs in your OS, such as Microsoft Outlook or Mozilla Thunderbird, or webmail such as Gmail or Yahoo! Mail, the “from” field could very likely contain “” or “” even though the sender doesn’t have legitimate use of either domain name. The spoof email could be all text, with very official looking wording, or an HTML email, with very official looking graphics.

The spoof emails make it sound like they’re related to tracking a package you’re sending or receiving. For that reason, users get fooled most frequently as it gets closer to Christmas, hence CryptoLocker debuting in September 2013. The email will have a .zip archive attached to it, which the body of the email insists you open. When the archive is unzipped, the user will get a file with a double extension (.pdf.exe has been reported). The file will open in a PDF reader like Adobe Reader or Foxit Reader, but at the same time, a Windows executable will launch on the user’s machine, which is the CryptoLocker malware. UAC (User Account Control) may or may not be triggered. The user’s AV shield may or may not catch it. Even if UAC and the user’s AV shield do something, the malware may still be installed on the user’s machine.

The only thing about CryptoLocker that surprises me, a jaded malware expert, is why the makers bother to create a ZIP file containing a double extension Windows executable. The ZIP file is obviously there to escape security components in email clients and webmail that block .exe files to prevent malware infection. But it’s much easier to file-bind. I’ve done it myself. There are “skiddie” programs that will take your malware executable, for any platform, and merge it with a seemingly innocuous media file or document, such as a .pdf, a .jpg, or a .doc. If it’s bound to a graphic, such as a .jpg, .png or .gif, it can open in an email client or webmail application as a picture in an email; if it’s another type of file, like a .mp3, .doc or .pdf, it will launch in the user’s default program for the file type in a perfectly normal way. The malicious executable will launch and run in the background, and the user won’t notice that anything’s wrong until their PC, smartphone, or tablet starts experiencing a problem.

In the case of transmitting the malware the CryptoLocker way, someone who knows more about security than a typical user can notice that something’s up. But one of the clever things that CryptoLocker does, if it’s true for everyone, is that it really does decrypt the files and remove itself if the user pays the over $600.00 worth of Bitcoins. So, users can tell people in person and online, “Pay them! It worked for me!”

The only way to directly decrypt CryptoLocker’s AES and RSA encryption is to either have a supercomputer or computing cluster run a specialized cracking program for several weeks, or actually have the decryption keys that the CryptoLocker folks have. We’re still looking for the computers that they use.

If you get infected with CryptoLocker, there are still alternatives to offering those crooks their ransom, because I strongly advise you not to give them money. If you’re a smart PC user, the contents of the hard disk partition that’s infected and being encrypted will have at least one uninfected back-up. It could be internal, like another disk in a RAID configuration; external, like a USB, eSATA or FireWire connected external hard disk; or online, on a web-based back-up service, often referred to as a “cloud” back-up. I use Dropbox and Google Drive to back up my many documents and media files, but there are other, paid services to back up actual hard disk partitions, including those that contain operating systems. If you use a web-based backup, you should also have an alternative form of backup on something that’s physically in your control, like an internal disk, an external disk, DVDs, or USB flash drives. As trustworthy as Dropbox, Google and other third parties may be, what would you do if you had internet connection problems, or if one of those services loses your data or goes down? That sort of thing has happened, even with services people have paid good money for.
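A back-up is only useful if you can tell which copy is still the uninfected one. The script below is an added example, not the article’s or any back-up service’s code: it records a SHA-256 hash and a byte-entropy figure for every file in a folder (the known-good state), then later compares the live folder against that record. A file whose hash changed and whose entropy jumped by more than two bits per byte is reported as possibly encrypted in place, which is the pattern a CryptoLocker-style infection leaves. The folder contents, the two-bit threshold and the simulated overwrite are constructed for the example.

```python
import hashlib
import json
import math
import os
import tempfile
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Record the hash and entropy of every file under root (the known-good snapshot)."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        manifest[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "entropy": round(shannon_entropy(data), 3),
        }
    return manifest


def verify_against_manifest(root: Path, manifest: dict, entropy_jump: float = 2.0) -> dict:
    """Compare the live tree with the snapshot.

    Returns lists of files that are missing, changed, and (a subset of changed)
    whose entropy rose by more than `entropy_jump` bits/byte, i.e. look encrypted.
    """
    report = {"missing": [], "changed": [], "suspect_encrypted": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.exists():
            report["missing"].append(rel)
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != expected["sha256"]:
            report["changed"].append(rel)
            if shannon_entropy(data) - expected["entropy"] > entropy_jump:
                report["suspect_encrypted"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: snapshot a folder, then simulate an infection touching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "letter.txt").write_bytes(b"Dear customer, your parcel is on its way. " * 40)
        (root / "notes.txt").write_bytes(b"meeting at noon, bring the slides\n" * 30)
        manifest = build_manifest(root)
        # Simulated in-place encryption: same file name, unreadable high-entropy bytes.
        (root / "letter.txt").write_bytes(os.urandom(1680))
        (root / "notes.txt").unlink()  # and one file simply gone
        return verify_against_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the snapshot step against a back-up copy you believe is clean and keep the manifest somewhere the infected machine cannot write to; running the verify step against each candidate back-up then tells you which one is safe to restore, and running it against the live disk shows how far the encryption has spread.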

With your back-up in place and restorable, get rid of the CryptoLocker malware. Make sure your AV program has its most recent signatures, then use it to run a scan. Only stay connected to the internet long enough to download new signatures, because CryptoLocker keeps encrypting while you’re online, and stops encrypting when you’re offline. CryptoLocker has even been known to encrypt while transmitting data online before you’ve even logged into a user account.

After running your AV shield’s scan, you’ll probably want to run other removal programs. As with your AV shield, stay online only as long as it takes to download the programs. You’ll probably want to boot Windows into safe mode before you run the programs. You can boot into safe mode either by hitting F8 while booting or rebooting Windows or, while booted into Windows, by running msconfig to change the boot settings. Msconfig can be launched by entering the exact name of the program (“msconfig”) via Run or cmd.exe. Check the associated checkboxes for safe mode, then reboot.

If you’ve booted into safe mode properly, your desktop wallpaper will be black with “Safe Mode” and the name of your version of Windows in white text in each of the four corners. Also, a help window will launch, “What is Safe Mode?” To be extra sure that CryptoLocker isn’t continuing to run, don’t choose “Safe Mode with Networking.” Otherwise, you can unplug your Ethernet cable or turn off your WiFi.

The programs I recommend are in this list. Keep in mind, CryptoLocker only affects Windows so far, and these programs are only for removing malware in Windows. I’ve personally used them literally thousands of times for customers who’ve paid me to do the work:

  • ComboFix.
  • HijackThis. If you don’t have lots of experience using HijackThis, choose the option to create a log file. Then copy and paste the log here. The result will tell you which items thousands of users consider malicious. Remove only those items, so that you don’t delete anything that isn’t malware.
  • Malwarebytes Anti-Malware. When I was a Windows remote support employee, we referred to it as MBAM. You will not only have to be online while downloading the program, you’ll also have to be online while downloading the latest signatures. Make sure you’re offline when you aren’t doing either.
  • Trend Micro’s Fake AV Removal Tool.
  • IObit Uninstaller, or Revo Uninstaller. Although Windows has a native program uninstaller under the Control Panel, it does an absolutely lousy job of removing stray registry keys, unlike IObit’s and Revo’s applications. IObit’s and Revo’s programs also have features to remove malicious programs that don’t show up in the program list, but may appear as an icon on your desktop, or have some sort of GUI. Be very careful when you install either program. Like many legitimate Windows programs, they may sneak malicious programs such as the toolbar into their installation wizards. Read each step of the installation wizards really carefully, and check or uncheck boxes to make sure you don’t install extra programs as you install the program you intend to install.

After you’ve run all the malware removal programs, which may take a few hours or more, you’ll need to reboot your PC to get rid of all the malware that’s been quarantined. Until you’ve rebooted, the malware will still be on your machine.

Once you’ve rebooted, you can restore your back-up and be back to where you were before you were infected with CryptoLocker. As an added bonus, you’ll probably remove all or almost all of the other malware that was also on your machine.

If you haven’t backed up your files and OS before being infected with CryptoLocker, you’re kind of screwed, unless you pay the criminals, which encourages them to continue this sort of malicious activity. That’s one of the many reasons why, if you don’t already have a local backup of some sort, you should make one as soon as you can, assuming you haven’t yet been infected with CryptoLocker.

Unfortunately, I’m concerned that users of Windows Vista, 7, and 8 have been lulled into a false sense of security. That’s because those Windows client operating systems create a back-up partition under the “D:” logical drive. Usually, the D partition will only back up the operating system, if it works at all. But aside from things that can physically destroy your hard disk, there is Windows malware that can cross over from your C partition onto your D partition. Additionally, there’s malware that can infect your BIOS, so your PC won’t even boot.

If you have a Windows 8 OEM machine with Secure Boot, you’re still not safe from BIOS malware, in spite of what Microsoft says. My fiancé and I have personally created Secure Boot-infecting malware that works, as we’ve tested it. I’m afraid all that Secure Boot does is what I believe Microsoft really intends to do, which is to make it very difficult to install other or additional operating systems on your PC, namely Linux distributions. That’s a violation of your user rights. When you buy a PC, you should have every right to install whichever OS you choose, in place of or in addition to Windows.

When you read this article, please spread the word, whether you personally use Windows, or whether your coworkers, family or friends do. Don’t open email attachments you don’t trust 100 percent. Don’t open double extension files, such as .pdf.exe. Don’t click on banner ads to download programs. Don’t click on banner ads that look like legitimate download links on the same web pages as actual legitimate program download links. Those are most often seen in BitTorrent search engines like The Pirate Bay or IsoHunt, but they’re also found on legitimate direct download pages on websites like Softpedia. When running Windows installers for legitimate programs, be careful not to let them slip in extra malicious programs such as the toolbar, or WeatherBug. Be wary of web pages offering free screensavers, avatars, emoticons, or free games, usually poker, but not always.

Run a legitimate antivirus program. If you’re going to pay for it, I recommend Kaspersky, for Windows or Mac OS X. For freeware antivirus shields, I recommend ClamWin for Windows, or ClamAV for Mac OS X, Linux, or Unix. In my professional opinion, the ClamAV programs you can install for free are at least as good as the Kaspersky programs you pay for.

For smartphones and tablets, Lookout is available in the App Store for iOS, in the Google Play Store for Android, and in the native stores for BlackBerry and Windows Phone. That’s the best option for mobile devices until there are ClamAV programs available for those platforms.

Make sure you run exactly one antivirus shield. Running two or more is even worse than not having one at all. That’s because, instead of protecting you from malware, the programs will attack each other. So in addition to having no protection, your CPU and RAM will waste all kinds of resources for no good reason. I’ve even seen people running multiple AV shields have their PCs become so hot that their machines shut down.

When you run one AV shield, make sure it’s set up with an active (real-time) shield, and to install new signatures and run scans at least once a week, at a time you know your PC will be running. It’s still possible to get infected with malware when you run an AV shield. That’s because your AV shield can only protect you against malware that it has signatures for.

Think of the signatures as vaccines. It’s important to get your flu shot, and it’ll protect you from certain strains of influenza, but it won’t protect you from polio or measles. That’s why it’s possible to set up your AV shield to download new AV signatures. Keep in mind that the developers of antivirus programs can only provide you with signatures for malware they’re aware of, so you’re still subject to what we in the IT security world call “zero day” attacks. Even the best antivirus developers, like ClamAV or Kaspersky, will have a signature for a new piece of malware only from the second day that it’s been infecting users’ machines, at the earliest.

But it’s essential to run an AV shield, no matter what your operating system is, or whether it’s a PC, server, or mobile device. A well updated AV shield will still protect you from 98 or 99 percent of infections. Just because people can still die in car accidents while using seat belts, antilock brakes and airbags, it’s still important to use those things. They’ll still greatly reduce your likelihood of dying or being seriously injured in a car accident.

And finally, as I’ve mentioned before, back up your entire hard disk partitions to local disks, or online (“cloud”) in addition to local disks.

As Smokey the Bear says about forest fires, only you can prevent malware infection and spreading.

Kim Crawley is a security researcher for the InfoSec Institute, an IT security training company specializing in CCNA certification training.