Monday, July 24, 2017

Cryptolocker (Repost from Nov. 2013)

I originally posted this back in November 2013. Unfortunately, when I closed down the old site, I lost the original post. Fortunately, I backed up the database of posts I had made and reconstructed the post as it was.

By now, most people have heard of CryptoLocker, a nasty piece of "Ransomware" that encrypts the document and jpeg files on your hard drive and then gives you a period of four days (up from three, I believe), to pay a ransom of $300 US or 300 EUR, or 2 Bitcoins (there are reports saying it is down to a half) to obtain the private key required to decrypt the files.

All I had known about it up to this point was what I read in accounts by others, and what I heard listening to Security Now! on the TWiT Network. That is, until episode #431 of Security Now!, when the host, Steve Gibson, announced that he had obtained a copy of the malware (it wasn't CryptoLocker, but then he did get it) and asked if anybody wanted to "play with it"; he would send them the file. I decided to take a chance and he sent me a link to the file. I have an old netbook that was doing nothing but collecting dust, so I installed Windows 7 on it and then added some photos and documents to the drive so it would have something to work with, since I wasn't sure if it only targeted the Documents folder. Then, nervously, I extracted the .exe file and double-clicked it. I was expecting something immediate, but nothing happened.

(Image 1) The top two processes are CryptoLocker, and the CPU usage will pin at 100% during the initial process. These processes cannot be stopped.

I had to leave the house for a few hours, so I left the computer running while I was gone. When I returned home there was a message on the screen...
(Image 2) The netbook has a small screen, but there is a "Next >>" button at the bottom of the window.
I originally tried the test in Sandboxie, but when I ran it and nothing happened immediately, I decided to run it in the clear. The first successful test took place in the open, unprotected, right on the hard drive. In order to get the computer back to normal, I reinstalled Windows 7 and ensured that there was no sign of the malware. Then I installed 7-zip (to extract the file) and Sandboxie, and ran the malware in the default sandbox.

Doing a quick calculation from when I left the house and the time remaining on the countdown when I came home, I figured it would take 15 to 20 minutes. Sure enough, the window above popped up. Also, a Sandboxie window popped up telling me that there were files ready to recover. It appears that CryptoLocker copied the files from my entire hard drive and encrypted them within the default sandbox. I closed the Sandboxie window without recovering and went into the sandboxed Documents folder. There I found all of the same .xls, .rtf and .doc filenames (I've read that upward of 60 different file types are affected), but upon opening, they were nothing but gibberish. Back outside of the sandbox, my files were in perfect shape.

I then went to the main CryptoLocker screen and clicked the Next >> button (not seen in the picture), and checked out the "Convenient Payment Methods": MoneyPak (USA only), Ukash, cashU, and Bitcoin ("most cheap option"). According to Steve Gibson, the payment options are hardwired into the program and this is an old copy of CryptoLocker.
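The "same filenames, but gibberish inside" observation is something you can check mechanically rather than by opening each file. The script below is an added example, not part of the original post and not anything CryptoLocker or Sandboxie provides: it walks a folder, compares each file's leading bytes against the magic bytes its extension implies, and measures Shannon entropy, flagging files whose header is wrong and whose contents look like ciphertext. The sample directory it builds (an intact Documents folder beside a "sandboxed" copy whose files are filled with pseudo-random bytes) is constructed here purely for demonstration; the magic-byte table covers only a few of the formats named in the post.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Leading bytes of a few of the formats CryptoLocker is reported to target.
# Legacy .doc/.xls are OLE2 compound documents; RTF and JPEG have short signatures.
MAGIC = {
    ".doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
    ".xls": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
    ".rtf": b"{\\rtf",
    ".jpg": b"\xFF\xD8\xFF",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, lower for text/documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, entropy_threshold: float = 7.5) -> str:
    """Return 'ok', 'header-mismatch' or 'likely-encrypted' for one file."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        data = f.read()
    expected = MAGIC.get(ext)
    header_ok = expected is None or data.startswith(expected)
    if header_ok:
        return "ok"
    # Wrong header alone is only suspicious; wrong header plus near-random
    # content is what an encrypted copy looks like.
    if shannon_entropy(data) >= entropy_threshold:
        return "likely-encrypted"
    return "header-mismatch"


def scan(directory: str) -> dict:
    """Map each file (relative path, '/' separators) under directory to its classification."""
    results = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory).replace(os.sep, "/")
            results[rel] = classify(full)
    return results


def build_sample_dir() -> str:
    """Constructed sample tree (hypothetical data, for this example only):
    Documents/ holds an intact .doc and a mis-labelled plain-text .rtf;
    Sandbox/Documents/ holds same-named files whose bodies are pseudo-random bytes,
    standing in for the encrypted copies seen inside the sandbox."""
    base = tempfile.mkdtemp(prefix="cl_demo_")
    intact = os.path.join(base, "Documents")
    sandboxed = os.path.join(base, "Sandbox", "Documents")
    os.makedirs(intact)
    os.makedirs(sandboxed)

    doc = MAGIC[".doc"] + b"\x00" * 512 + b"Quarterly report text " * 40
    rtf = b"Just some notes typed into a file with the wrong extension.\n" * 10
    rng = random.Random(1234)  # seeded so the "encrypted" bodies are reproducible

    for name, payload in (("report.doc", doc), ("notes.rtf", rtf)):
        with open(os.path.join(intact, name), "wb") as f:
            f.write(payload)
        scrambled = bytes(rng.getrandbits(8) for _ in range(4096))
        with open(os.path.join(sandboxed, name), "wb") as f:
            f.write(scrambled)
    return base


if __name__ == "__main__":
    for rel, verdict in sorted(scan(build_sample_dir()).items()):
        print(f"{verdict:18} {rel}")
```

Run against a real sandboxed folder (for example the Sandboxie copy of a user's Documents), it tells you which files were rewritten rather than merely copied. The entropy threshold of 7.5 is a working assumption, not a standard value: compressed formats such as .jpg, .zip or .docx already sit near 8.0, which is why the header check, not entropy alone, carries the decision.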

(Image 3) The Bitcoin screen. Needless to say, the CryptoLocker folks will not be getting any money out of me.

Then I tried one last test on this infection: I emptied the default sandbox. I kept the Task Manager running when I hit delete, and the two processes that were CryptoLocker went away. There was no sign of it anywhere. I let the computer sit for a while, ran system updates, opened files, and surfed the internet. It was gone.

I shut the computer down overnight while CryptoLocker was still running in the sandbox, but when I started the computer in the morning, CryptoLocker wouldn't run. So, I emptied the sandbox and ran it again.

This is not an ad for Sandboxie, but it is the best-known free sandbox program available. As I have demonstrated here, it can protect your files from CryptoLocker and can be cleared out quickly and easily. Would I run this experiment on my main PC, which contains tons of at-risk, work-related documents, using Sandboxie? If I had to, sure. Will I? No.

I would not recommend running this experiment at all unless you are willing to take the risk or are a professional (I am not the latter at all). The only reason I did it is because I happened to have a computer lying around doing nothing. I also kept careful watch on my main computer's Task Manager, but apparently it does not wander around the network.
