IAS Security Hero

Ransomware 2013, holding your data hostage

Cryptolocker is a new piece of malicious software that started circulating around the globe in the second half of 2013.  Deemed "ransomware" by security professionals, Cryptolocker encrypts your files and demands payment in exchange for the key to decrypt them.  The United States Computer Emergency Readiness Team (US-CERT) drafted a briefing about this software, how to protect yourself, and what to do if you are infected.

https://www.us-cert.gov/ncas/alerts/TA13-309A

But wait, this isn't the first time we've seen software like this.  At the end of 2009, Data Doctor 2010 was running the same scam.  Sunbelt Software had an excellent writeup at the time (unfortunately lost after an acquisition) that was preserved on archive.org.

https://web.archive.org/web/20100105062446/http://sunbeltblog.blogspot…

Sunbelt Software was also able to create a decryption tool to help you recover your files that were encrypted by Data Doctor 2010.

http://www.sunbeltsecurity.com/downloads.aspx

What sets Cryptolocker apart from Data Doctor 2010 is the type of encryption used.  Based on this text from Sunbelt Software's site, and on their ability to reverse engineer the encryption, it appears that a symmetric cipher was used:

"CAUTION: be sure you put ONLY files that are to be decrypted into the target directory before you run dd2010_decrypter.exe."

Cryptolocker, on the other hand, uses an asymmetric cipher.  This means that the key used to encrypt the data is different from the key needed to decrypt it.  Cryptolocker's creators hold onto that decryption key and won't divulge it until you pay.  The cryptography used here is very, very difficult to break or reverse engineer, and it is the basis for all Internet security used today.
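To make the symmetric-versus-asymmetric distinction concrete, here is a small Python illustration written for this post (it is not code from US-CERT, Sunbelt Software, or any malware sample). The XOR "cipher", the tiny RSA primes 61 and 53, the exponent 17 and the sample text are all constructed toy values chosen so the arithmetic is visible. It shows why an analyst who extracts the key material found inside a program can undo a symmetric cipher, as Sunbelt did for Data Doctor 2010, but cannot undo an asymmetric one, because the only key present on the victim's machine is the public half.

```python
# Added example for this post: why a key found inside the program suffices
# to undo a symmetric cipher but not an asymmetric one. Toy parameters only:
# the XOR "cipher", the 61 x 53 RSA modulus and the sample text are all
# constructed for illustration and are far too small for real use.
from math import gcd

# Constructed stand-in for a file's contents (the letter "A" is included so
# the RSA part below has a byte that the public key provably cannot undo).
SAMPLE = b"ACCOUNTS 2013 quarterly figures"


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher: one key both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rsa_keygen(p: int, q: int, e: int = 17):
    """Textbook RSA with tiny primes; returns (public, private) keys."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+); here d = 2753
    return (n, e), (n, d)


def rsa_apply(block: int, key) -> int:
    """Modular exponentiation with either half of the key pair."""
    n, exp = key
    return pow(block, exp, n)


def symmetric_recovery() -> bool:
    """Data Doctor 2010 situation: the key that encrypted the data is the
    same key needed to decrypt it, and it ships inside the program, so an
    analyst who extracts it can build a decrypter."""
    embedded_key = b"toy-key"  # constructed stand-in for the extracted key
    ciphertext = xor_cipher(SAMPLE, embedded_key)
    recovered = xor_cipher(ciphertext, embedded_key)
    return recovered == SAMPLE


def asymmetric_recovery():
    """Cryptolocker situation: only the public half of the key pair is ever
    present on the victim's machine. Returns a pair of booleans:
    (recovered with the public key, recovered with the private key)."""
    public, private = rsa_keygen(61, 53)
    # Each byte (< n = 3233) is treated as one RSA block for visibility.
    ciphertext = [rsa_apply(b, public) for b in SAMPLE]
    # What an analyst can try with the material found on the machine:
    with_public = [rsa_apply(c, public) for c in ciphertext]
    # What only the holder of the private key can do:
    with_private = [rsa_apply(c, private) for c in ciphertext]
    return with_public == list(SAMPLE), with_private == list(SAMPLE)


if __name__ == "__main__":
    print("symmetric: key from program recovers data ->", symmetric_recovery())
    pub_ok, priv_ok = asymmetric_recovery()
    print("asymmetric: public key recovers data  ->", pub_ok)
    print("asymmetric: private key recovers data ->", priv_ok)
```

Running it prints True for the symmetric case and False/True for the asymmetric case: the public key found on the machine does not reverse the encryption, and with a real 2048-bit modulus the private key cannot be derived from it either, which is exactly why there was no Sunbelt-style decrypter for Cryptolocker.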

Kudos to the Cryptolocker authors for paying attention in their computer science classes.  For the rest of us, the only protection is prevention.  Keeping your devices up to date, installing anti-malware software, backing up your files and being aware of what you are clicking on are really the only ways to protect yourself.  Once your files are encrypted, game over.

US-CERT cautions never to pay a ransom of this type, but I can understand the draw if you haven't taken the steps to back up your data.  So as a reminder: back up your data, update your computer, install and update anti-malware, and before you click, "Stop, Think, Connect".

Update: Looks like not everyone is following US-CERT's recommendation, but it is especially disturbing when those who don't are law enforcement agencies.  http://nakedsecurity.sophos.com/2013/11/19/us-local-police-department-p…