[Update] The BBC have reported that many of the users affected by CryptoLocker may now be able to decrypt their data for free, using a portal created by Fox-IT and FireEye. The portal matches the private key needed to decrypt data encrypted by the CryptoLocker virus: the user uploads a small sample of an encrypted file along with a contact email address, and the required key is sent to that address. This may not work in 100% of cases, but it is a great bit of news for those who may have lost valuable data due to CryptoLocker.
In this article I will show you one of the free tools that have been made available, which can help prevent your computer or network becoming infected by the CryptoLocker virus. Please note that I will be looking at the CryptoPrevent utility (version 4.1 as of this writing), which has been created by the very talented Nick Shaw of FoolishIT.com and is aimed at individual Windows users. For those who would like a tool that can be used to block CryptoLocker infections across a domain, please use the CryptoLocker Prevention Kit, which was created by Third Tier and the SMBKitchen Crew. BitDefender have also released a free blocking tool for CryptoLocker, which can be downloaded here.
Firstly, what is CryptoLocker?
CryptoLocker is a particularly nasty piece of ransomware that, when executed, will encrypt user data, including anything stored on a network if the shared folders are mapped as a drive letter on the infected computer. BleepingComputer have noticed that the current variants of CryptoLocker do not encrypt data on a network through UNC shares (an example of a UNC share is \\computername\openshare).
The files are encrypted using a mixture of RSA and AES encryption. The malware creates a Public and Private key pair, of which the Private Key is created and held on a Command and Control (C&C) server. Once the encryption of the data has finished, the ransomware presents the CryptoLocker payment window, which gives the user the option to decrypt their data for US$300, along with a countdown timer that starts at 96 hours (4 days) and counts down to 0. Once the timer has expired and the user has decided not to pay for the files to be decrypted, the Private Key for those files, which resides on the C&C server, is deleted, making decryption of the data impossible: in this asymmetric encryption process, data encrypted with the Public Key can only be decrypted with the matching Private Key.
If you find that you are infected, the first thing that you should do is disconnect your computer's wired or wireless network connection, which will prevent further files from being encrypted. Also, it is advised that you make no effort to remove the infection until you are sure that you don't want to pay the ransom.
Users can become infected by CryptoLocker after opening infected PDF or zipped attachments in emails, often purporting to be a customer-support-related issue from FedEx, UPS, DHS, etc.
If there is one thing that this infection should drive home to users of all levels, it is that having complete and up-to-date backups of their data, stored either off-site (e.g. cloud storage) or on non-networked devices such as a removable storage device (external USB HDD), is of the utmost importance.
Is it possible to decrypt my files after CryptoLocker has finished encrypting them?
There is currently no way to decrypt your files without paying the ransom demand, as it requires having access to the Private Key created by CryptoLocker. As the Private Key is created on, and stays on, the C&C server until payment is made, attempting to brute-force the encrypted files without the required key is unrealistic. The only current way to get back the files that were encrypted is either via a previous backup of your data or via the Volume Snapshot Service (VSS), if you had enabled System Restore and had the VSS service running prior to the infection. It should also be noted that the most recent variants of CryptoLocker will now attempt to delete all of your old system restore points, making data recovery even harder.
Note: VSS (Volume Snapshot Service) is enabled in Windows 7 by default, but Windows 8 has it disabled by default, which wasn't the greatest decision by Microsoft. To enable it in Windows 8 you will have to do so via an elevated Command Prompt.
If you do have System Restore turned on for the drive that contained the files that have been encrypted, and you weren't infected by a variant of the virus that attempts to delete old restore points, and you don't wish to pay the ransom demand, then you may be able to revert to a date before you became infected by performing a System Restore. So far I haven't read that CryptoLocker actually copies itself into older restore points as some infections do, so this is a viable way to recover data where possible. If you just wish to revert an individual file, or a folder containing multiple files, simply right-click on the file/folder and select Properties. Then choose the Previous Versions tab, pick a date prior to the infection and hit Restore and OK. If you choose this method, make sure that you are clean of the infection first.
You can also use the free program Shadow Explorer that can revert multiple folders back to previous dates. There is also a portable version available for this program that has the same functionalities. Simply select the folders that you wish to restore back to and then right-click on them and hit Export. Then choose a location to save the restored data.
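The recovery route described above depends on the VSS service being enabled and snapshots existing before the infection. As an added example (not from the original article), the following PowerShell, run from an elevated prompt, checks the VSS service start mode, turns System Protection on for the system drive, takes a baseline restore point, and lists the shadow copies that the Previous Versions tab and Shadow Explorer read from. It assumes the drive to protect is C:.

```powershell
# Added example: check and enable the snapshot protection the article relies on.
# Run from an elevated PowerShell prompt. Assumption: the system drive is C:.

$drive = 'C:\'

# 1. The VSS service must not be Disabled, or no snapshots can be taken.
#    Win32_Service exposes StartMode on Windows 8's PowerShell 3.0.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='VSS'"
if ($svc.StartMode -eq 'Disabled') {
    Set-Service -Name VSS -StartupType Manual
    Write-Host 'VSS service was Disabled; start type set to Manual.'
}

# 2. Turn System Protection on for the drive and take an initial restore
#    point. (Windows allows one scripted restore point per 24 hours by default.)
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description 'Baseline before CryptoPrevent' `
                    -RestorePointType MODIFY_SETTINGS

# 3. List the existing shadow copies, newest first. If this list is empty,
#    Previous Versions has nothing to restore from.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName |
    Sort-Object InstallDate -Descending |
    Format-Table -AutoSize

# 4. Show how much space is reserved for snapshots (vssadmin ships with Windows).
vssadmin list shadowstorage /for=$drive
```

Because newer variants delete restore points, an empty list from step 3 after an infection is expected rather than surprising; snapshots complement, but do not replace, the off-site or offline backups the article recommends.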
That said, some people who have been forced to pay the ransom demands to get their data decrypted have had some success. If you are willing to pay up for the required Private Key that may decrypt your data, do not attempt to remove the infection until you have decrypted the files. Running your AV will in all likelihood remove the infection and its registry keys, so if you then decide to pay up for the decryption, you won't be able to unless you reinfect yourself.
The authors of CryptoLocker have obviously realised this and have now added, as of November 1st, a way for users to still obtain the Private Key required to decrypt, by having the user upload an encrypted sample file which they can then match with the correct key. This however comes at a higher price, which is currently 10 Bitcoins or approximately $2,825 USD at today's exchange rates. Once this payment has been made, you will be provided with the Private Key as well as a standalone CryptoLocker decryption tool.
For the most up to date information about this process, please see this BleepingComputer link that gives a lot of details regarding the new service, and how to use it.
CryptoLocker decryption tool
How do I remove the infection?
Removing CryptoLocker is actually fairly straightforward, and can be done by using a decent and up-to-date anti-virus or anti-malware program. Malwarebytes will detect the latest variants of CryptoLocker and remove it for you. However, the free version of MBAM will not prevent it from infecting you in the first place, as it does not have the added protection of the Pro version of Malwarebytes, which constantly scans for infections in the background as well as updating itself. Most of the major anti-virus solutions will also attempt to block and remove this infection from your computer or network, but as CryptoLocker is being updated constantly, you should make sure that your AV solution is also updated.
If you have up-to-date backups of the encrypted data at hand and don't wish to pay the ransom, then you can just delete the infected registry values and the randomly named .exe which you will find in %appdata%.
The file paths that have been used by this infection and its droppers are:
C:\Documents and Settings\\Application Data\.exe (XP)
C:\Documents and Settings\\Local Application Data\.exe (XP)
Note that you will need to have "Show hidden files, folders and drives" checked in Folder Options to see the AppData folder and its Local and Roaming subfolders. You can also type %appdata% in the address bar in Explorer, and then select AppData. Check both the Local and Roaming folders.
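The manual clean-up above means finding a randomly named .exe at the top of the Roaming or Local AppData folder and the registry values that launch it. As an added example (not from the original article), this PowerShell lists both so they can be reviewed before anything is deleted. It assumes the "infected registry values" the article refers to are autorun entries under the per-user and per-machine Run keys; it only reports and never removes.

```powershell
# Added example: locate executables sitting directly in the AppData roots and
# any Run-key autorun values that point into those folders. Report only.

$roots = @($env:APPDATA, $env:LOCALAPPDATA)   # Roaming and Local AppData

# 1. Executables directly under the AppData roots. Legitimate software lives
#    in a vendor subfolder, so a bare .exe at the top level deserves a look.
$suspects = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue
}
'--- Executables at the top of AppData ---'
$suspects | Select-Object FullName, Length, CreationTime, LastWriteTime | Format-Table -AutoSize

# 2. Run-key values whose command line points into either AppData root.
#    Assumption: persistence is via these standard autorun locations.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'  # provider fields, not values

'--- Run-key entries launching from AppData ---'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        $hit = $roots | Where-Object { $cmd -like "*$_*" }
        if ($hit) {
            [pscustomobject]@{ Key = $key; ValueName = $p.Name; Command = $cmd }
        }
    }
}
```

Once a listed file has been confirmed as the dropper (your AV's detection is the article's own route), the matching value can be removed with Remove-ItemProperty and the file with Remove-Item, after which Run-key entries will no longer reference it.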
How do I download and use the CryptoLocker prevention tool by Nick Shaw of FoolishIT?
Note: Do not install this tool if you already have the infection.
Firstly, head to his site and download the free program which is now up to version 4.1.
When you install the program, you will be asked if you have purchased a Product Key for Automatic Updates (now called CryptoPrevent Premium) so that you can receive silent automatic updates. If you haven't and wish to get the Premium version of the tool, you can do so either in the next window or after the install. The Premium version only costs $15.00 and can be installed on all of your computers for the one-off price. Protection-wise there is no difference between the Premium and Free versions, except that with the Free version you will have to make sure that you manually check for updates often, as Nick is constantly improving the program.
After the initial prompts for the Premium version, you will get to the main window where you can apply the protection. For the Group Policies to be created (which apply to all users on the computer), hit Apply, and the policies will be created.
You will need to reboot once the Group Policies and other protections have been applied.
Once you have rebooted, open the CryptoPrevent tool and hit the Test button to make sure that the protection is in place.
If you find that a certain program needs to run from AppData (as uTorrent or Spotify may) in order to function correctly, you are also given the option to add programs to the Whitelist. I have applied this program to about 6 computers now and the only program I had to add was uTorrent. If uTorrent (or other programs) were installed prior to installing the CryptoPrevent tool, they will be automatically added to the Whitelist. The only reason I had to add it to the Whitelist on one of my computers was that I installed it after I installed the CryptoPrevent tool, which blocks programs, like CryptoLocker, from adding themselves to AppData.
Adding a program to the Whitelist is very straightforward. Select Whitelist at the top of the main window and then choose Whitelist Editor.
Next, browse (No.1) to where the .exe resides for the program you want added to the Whitelist. These are stored in C:\Program Files.
Once you have selected the .exe, add it to the Whitelist by hitting Whitelist (No.2). That's it.
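The tool's Test button is one way to confirm the protection is in place; an independent check is to read back the policy rules themselves. As an added example (not from the original article, and not CryptoPrevent's own code), the following PowerShell lists the Software Restriction Policy path rules on the machine and flags whether any Disallowed rule covers AppData. It assumes the "Group Policies" the tool creates are SRP path rules, which Windows stores under the Safer\CodeIdentifiers registry key, with level 0 meaning Disallowed and level 262144 meaning Unrestricted (the whitelist).

```powershell
# Added example: audit Software Restriction Policy path rules so you can see
# what is blocked and what has been whitelisted. Read-only; run elevated.
# Assumption: the tool's policies are stored as SRP path rules under this key.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) {
    Write-Warning 'No Software Restriction Policy found; protection is not applied.'
    return
}

# SRP security levels are stored as subkeys named by their numeric level.
$levels = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }

$rules = foreach ($lvl in $levels.Keys) {
    $pathKey = Join-Path $base "$lvl\Paths"
    if (-not (Test-Path $pathKey)) { continue }
    foreach ($rule in Get-ChildItem -Path $pathKey) {
        $p = Get-ItemProperty -Path $rule.PSPath
        [pscustomobject]@{
            Level       = $levels[$lvl]
            Path        = [string]$p.ItemData      # the path pattern the rule applies to
            Description = [string]$p.Description   # may be empty
        }
    }
}

'--- SRP path rules ---'
$rules | Sort-Object Level, Path | Format-Table -AutoSize

# The protection the article describes is present only if AppData paths are
# Disallowed; anything the Whitelist Editor added shows up as Unrestricted.
$appDataBlocked = @($rules | Where-Object {
    $_.Level -eq 'Disallowed' -and $_.Path -match '(?i)appdata'
})
if ($appDataBlocked.Count -gt 0) {
    "AppData execution rules in place: $($appDataBlocked.Count)"
} else {
    Write-Warning 'No Disallowed rule covers AppData; open the tool and hit Apply again.'
}
```

Because Unrestricted rules override Disallowed ones for the paths they name, reviewing the Unrestricted list after each whitelist change is worthwhile: a whitelist entry that is broader than the single .exe you intended (for example a whole folder) weakens the protection for everything inside it.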
To manually check for updates, simply hit the Updates! button at the top. If there are none available you will see the image below:
If there are you will be asked to apply them followed by a reboot.
Note that in version 4.1 (my other screenshots are from v.3.1) you now have the added ability to have the program email an alert to you should the tool block a program, which is very useful should you be out of the office or on holiday. Note that the email alert system is only available to Premium users. The other useful addition is that you can also take a look at an Events log showing blocked events.
Notes on adding email alerts
If you have paid for the Premium version of CryptoPrevent and wish to add email alerts, then the process is simple. Select Alerts! from the top, which will open the config window. In the example below, I am getting my alerts sent to my Gmail address. Simply input your email address and your password. Once you have done this, hit the Send Test Email.
If you have 2-Step Verification enabled on your Gmail account, you will have to generate an App-Specific Password and input that instead of your Gmail password. I have tested this using my Gmail account, which does have 2-Step Verification enabled.
If you want to upgrade to the Premium version, just select Updates! from the top and then Automatic Updates. This will then open a small window where you can purchase the upgrade and input the registration code needed. As well as having the most up to date version of the program applied silently in the background for you, you also get the ability to schedule the program to check for updates to fit your needs.
This is a fantastic program that Nick has written, but please make sure that if you are using the free version, that you regularly check for updates. Also, for the tiny cost of $15 for the Premium version you not only support him, but also get the added benefits that come with it.
The program in no way guarantees that you won't fall victim to CryptoLocker, but it does give you some fantastic protection that can be added to multiple computers with ease.
Just remember to make sure that you keep regular backups for your computers, keep your AV software up to date and also try to educate other users when it comes to opening certain attachments in their emails.
I would like to say a huge thank you to the admins and other helpers over at BleepingComputer who have put an enormous amount of effort into helping people and companies deal with this nasty infection, as well as providing solutions for those infected. I would also like to thank Nick Shaw for creating his free program that applies some of the main protections known for the program, as well as being on hand to answer some of my questions regarding his program via his site.
Images in this article are the property of BleepingComputer