A new ransomware for Windows PCs is circulating online. It is called CryptoLocker and carries a very dangerous destructive potential. Security firm Sophos, via its Naked Security blog, warns users and system administrators about the new threat, its features, and the fact that the "prevention is better than cure" rule holds now more than ever: curing the damage of a CryptoLocker infection, Sophos warns, is impossible for the time being.

CryptoLocker, detected by Sophos antivirus software as Troj/Ransom-ACP, behaves like typical ransomware: it takes files hostage and asks the user or administrator to pay a sum of money (300 dollars or euros) to regain access to the data. The malware tries to enter the system as an e-mail attachment, or as additional malicious code downloaded by malware already present on the machine (a botnet). Once the infection starts it makes sure it is executed at every boot of the PC and begins searching all available local and network drives for files with "sensitive" extensions (.doc, .docx, .psd, but also .raw, .jpg and .mdf), encrypting them as it goes.

CryptoLocker's main risk factor is the way that encryption is performed, i.e. through an asymmetric cryptography routine based on a public/private key pair. Every infected machine is identified by a unique "CryptoLocker ID", and for each of these IDs the remote server controlled by the cyber-criminals, chosen from a list of random addresses generated by the malware, creates a pair of 2048-bit RSA keys. The private key, needed for decryption, is stored on the server away from prying eyes, while the public one is used to encrypt the files found during the scanning phase.

If the user does not pay the requested sum in Bitcoins or, in the USA, with a MoneyPak card, the pop-up shown by the ransomware a few minutes after the infection explains, after 72 hours the private key is erased from the server and no one, not even the malware's creators, will be able to decrypt the encrypted files any more. Sophos explains that removing the malware is a relatively easy task; unfortunately the same is not true for recovering the files "damaged" by the malicious payload. In that case the only two alternatives are paying the criminals in time or restoring the files from a "clean" backup copy.

The risk posed by CryptoLocker is real, as shown by the testimonies of users and repair technicians who have had to deal with tens of thousands of encrypted files, or hundreds of gigabytes of company data rendered useless after an employee opened a malicious e-mail attachment. In cases like these even the much-hyped cloud storage services are no help, Sophos researchers warn, because the trojan is perfectly capable of infecting files stored on remote servers whenever those files can be accessed like local ones.
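Because removal is easy but recovery is not, the practical question for an administrator is scoping the damage: which files on the local and network shares have already been overwritten with ciphertext and which are still intact (and so worth copying off before restoring from backup). The following triage script is an added example written for this article; it is not code from Sophos or from the malware analysis. It uses two signals: files whose extension implies a fixed header ("magic number") are flagged when that header is gone, since encryption overwrites it, and files with no fixed header (.raw, .mdf) are flagged when their byte entropy is close to the 8-bit maximum that ciphertext exhibits. The magic values are the well-known ones for each format; the sample files, the entropy threshold and the SHA-256 chain standing in for ciphertext are constructed for the example.

```python
"""Triage helper: flag files that look like ciphertext rather than like their extension."""
import hashlib
import math
import os
from collections import Counter
from typing import Dict, List

# Expected leading bytes ("magic numbers") for some of the extensions the article lists
# as CryptoLocker targets. Extensions with no fixed header (.raw, .mdf) are judged by
# entropy alone.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".psd": (b"8BPS",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".docx": (b"PK\x03\x04",),
    ".raw": (),
    ".mdf": (),
}

# Ciphertext is indistinguishable from random bytes, so its entropy sits near 8 bits per
# byte. Threshold chosen for this example; tune it against known-good files.
ENTROPY_THRESHOLD = 7.5
SAMPLE_LEN = 4096  # the first 4 KiB is enough to judge a file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(name: str, data: bytes) -> dict:
    """Verdict for one file: does its content still match what its extension promises?"""
    ext = os.path.splitext(name)[1].lower()
    expected = MAGIC.get(ext, ())
    header_ok = any(data.startswith(m) for m in expected) if expected else True
    entropy = shannon_entropy(data[:SAMPLE_LEN])
    # Formats with a known header are decided by the header alone: compressed formats
    # such as JPEG are legitimately high-entropy, so entropy would give false positives.
    suspicious = (not header_ok) if expected else entropy >= ENTROPY_THRESHOLD
    return {"name": name, "header_ok": header_ok,
            "entropy": round(entropy, 2), "suspicious": suspicious}


def triage(files: Dict[str, bytes]) -> List[str]:
    """Names of the files that look encrypted, sorted for stable reporting."""
    verdicts = (assess(name, data) for name, data in files.items())
    return sorted(v["name"] for v in verdicts if v["suspicious"])


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (SHA-256 chain)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed sample set: intact files next to what the same kinds of file look like
# after being overwritten with ciphertext. Not real malware output.
SAMPLE_FILES = {
    "report.docx": b"PK\x03\x04" + b"word/document.xml quarterly figures " * 100,
    # A real JPEG body is compressed and therefore high-entropy; the intact header saves it.
    "photo.jpg": b"\xff\xd8\xff\xe0" + pseudo_ciphertext(b"jpeg-body", 4000),
    "layers.psd": b"8BPS" + b"\x00\x01" * 2000,
    # Headerless sensor dump with structured, lower-entropy content (64 distinct values).
    "sensor.raw": bytes((i // 8) % 64 for i in range(4096)),
    "report_encrypted.docx": pseudo_ciphertext(b"a", 4096),
    "photo_encrypted.jpg": pseudo_ciphertext(b"b", 4096),
    "db_encrypted.mdf": pseudo_ciphertext(b"c", 4096),
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(assess(name, data))
    print("suspicious:", triage(SAMPLE_FILES))
```

To run it over a real share, walk the tree with `os.walk`, read the first 4 KiB of each file and pass the name and bytes to `assess`; the same two checks also make a cheap canary for a scheduled job that watches a few decoy documents on the file server and alerts when their headers vanish. The header rule is the one to trust for formats that have one; entropy alone misfires on already-compressed or encrypted-by-design files (archives, media, encrypted backups), which is why headerless formats deserve a manual look.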
