Better Encryption Makes CryptoLocker a Threat

 
 
By Robert Lemos  |  Posted 2013-11-29
 
 
 

For two months, a pernicious piece of malware has spread to consumer and business computers, encrypting files and demanding payment for the key to unlock the information.

The malware, known as CryptoLocker, or Crilock, gains a foothold in networks when unwary Windows users open an attachment in an email that appears to be a customer complaint. The malware contacts a server on the Internet from which it downloads a unique code key and then encrypts the most important files on the infected computer, displaying a message to the user demanding a ransom for the key to unlock their data.

Known as ransomware, such programs are not new, but the latest version has raised the bar among the category of malicious software, Nick Levay, chief security officer of Bit9, told eWEEK. In the recent past, ransomware has typically just used a variety of tricks or weak encryption to lock a system, whereas CryptoLocker uses strong encryption and gives users a deadline to pay up.

"In the past, the user would go to their go-to IT guy and get the stuff cleaned up pretty quick," he said. "But CryptoLocker actually has some teeth."

Ransomware is not a new type of attack. In 1989, a program that purportedly taught users about AIDS and HIV locked the host system when it ran for the 90th time, encrypting filenames and directories, and demanding $378 for the unlock code. Fortunately, the encryption algorithm implemented in the virus was extremely weak, and the program reused the same key, so security firms were able to work out the unlock code, according to a post by Paul Ducklin, head of technology for security firm Sophos.

"This century's ransomware has lifted the bar rather dramatically," he wrote. "The crooks scramble your files using strong encryption with a randomly-chosen key. Then they send the key to themselves, using a secure upload."

In 2008, a program known as GPCode encrypted files and demanded ransom for the key. Security firm Kaspersky Lab found a way to break the 660-bit RSA key and provided tools to affected consumers to recover their data. Soon after, the criminals behind GPCode upgraded the key strength to 1,024 bits, making it much more difficult, if not impossible, to recover the key.

First detected by security firms in September, CryptoLocker improves on that approach, downloading a unique key for each infection using a server linked to a randomly generated domain name. Typically, using a domain generation algorithm (DGA) makes it more difficult for security firms to enumerate and block the domains used by malware to communicate with their criminal operators, but security firm OpenDNS has been able to calculate many of the domain names and has begun blocking them. While such a tactic does not prevent an infection, it does block the malware from encrypting the affected PC's files.

"We are not doing the traditional tactic of preventing the binary from coming down," Dan Hubbard, chief technology officer of OpenDNS, told eWEEK. "In most cases, the machine has already run the binary, and now it is trying to beacon out and get the encryption key. We disconnect that channel."

The program has likely infected thousands of computers, according to data from Kaspersky Lab. More than 2,700 computers attempted to contact the domains that served up the encryption keys to infected systems, according to the firm.

As the first line of defense against ransomware, companies need to keep good backups, experts said. In addition, protecting machines with updated antivirus programs and training employees to look critically at potential phishing email messages can help.

While the criminals behind CryptoLocker have reportedly sent keys to those victims who have paid the ransom, security experts stress that paying up supports the criminals' model and will lead to more attacks in the future.

"People have to be encouraged not to pay," Bit9's Levay said.

Rocket Fuel