CryptoLocker (Trojan:Win32/Crilock.A)

Forum for analysis and discussion about malware.

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Every1is= » Sat Nov 02, 2013 2:02 pm

The price for decryption just went up to about 2100 dollars for people who've "lost" the key by means of AV software etc. removing it upon detection.

http://www.bleepingcomputer.com/forums/ ... n-service/

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby patriq » Sat Nov 02, 2013 6:09 pm

C&C at hxxp://93.189.44.187/ is now showing this message form:

This service allow you to purchase private key and decrypter for files encrypted by CryptoLocker.

If you already purchased private key using CryptoLocker, then you can download private key and decrypter for FREE.
Select any encrypted file and click "Upload" button.
The first 1024 bytes of the file will be uploaded to the server for search the associated private key. The search can take up to 24 hours.

IMMEDIATELY AFTER UPLOADING FILE TO THE SERVER, YOU RECEIVE YOUR ORDER NUMBER. YOU CAN USE THIS NUMBER TO CHECK STATUS OF ORDER.
OR if you already know your order number, you may enter it into the form below.

This service accessible through the Tor network:
http://f2d2v7soksbskekh.onion/

CryptoGuard

Postby erikloman » Tue Nov 05, 2013 4:07 pm

We've just released a BETA version of HitmanPro.Alert 2.5 which contains CryptoGuard, our universal solution against crypto ransomware that works at the file system level. More information, including a demonstration video, can be found here: http://www.hitmanpro.com/alert/cryptoguard
Erik Loman [HitmanPro]
SurfRight B.V. - www.surfright.com

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Xylitol » Tue Nov 05, 2013 9:46 pm

Hi Erik, in the demo video I see that the ransomware is still running and not suspended in the background. Did it encrypt stuff during this time?

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Quads » Thu Nov 07, 2013 9:50 pm

A User Report for HMP Alert 2.5 beta

"Now when I try and open Norton 360 the GUI flashes onto the screen then disappears. Once it's gone I can't bring it back. Uninstalled hmp beta and restarted, now Norton is working again."

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby patriq » Fri Nov 08, 2013 5:46 pm

Anyone have a new sample?

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby Grinler » Fri Nov 08, 2013 6:38 pm

Latest.
BleepingComputer.com

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby AliveNoMore » Mon Nov 11, 2013 10:27 pm

Are these droppers VM-aware? They seem to do nothing when I run them in a VM or in Sandboxie. And I have a specific VM without additions, changed hardware names/ids, etc.

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby RP-Tech » Mon Nov 11, 2013 11:26 pm

Has anyone seen this attached to the ZeroAccess rootkit? Maybe someone has a sample of both; I am testing to see what can be done to prevent CryptoLocker from running.

A fellow tech and I have had 2 users infected with CryptoLocker, but they also had ZeroAccess attached, which from some research seems to be the point of entry in our case. Kaseya AV & Kaseya Malwarebytes Pro do not detect it at all; KAV gets encrypted and rendered useless. KAM does not detect it either, but the free download version picks up the rootkit and the virus. Just wondering if anyone else has run into this at all or not.

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Postby ilyuha79 » Mon Nov 11, 2013 11:28 pm

According to the malware authors, only the first 1024 bytes of a file are uploaded to the C&C server in order to search for the matching private key in cases where you lost the public key, which could take up to 24 hours. So it sounds like the C&C uses some brute-force method for searching for the key. So what would that do? Try every single private key that it has generated to decrypt the first 1024 bytes until it finds the right one? But how does it know which is the right key after the decryption process? If the AES key is truly random, you wouldn't be able to tell just by looking at it whether what you've decrypted is an actual AES key. In order to tell, you could potentially add some kind of constant bit of data that will show up in the decrypted data once the right private key is used to decrypt it. Or, in a more complex case, you'd have to go a step further and use the supposed AES key you've decrypted to decrypt the actual file header (which I presume might be stored in the first 1024 bytes) and then check if the header looks like a document that might have been originally encrypted on the infected machine.
I'm curious if anyone knows whether there is anything else besides the AES key that CryptoLocker encrypts using the RSA public key that eventually gets stored together with the file?
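The two search strategies the post above reasons about, as an added example that is not code from the thread, from the malware or from the C&C service. It models a pool of per-victim key pairs and the "upload the first 1024 bytes" search on the server side. Assumptions: textbook RSA over toy 128-bit moduli stands in for RSA-2048, a SHA-256 counter-mode keystream stands in for AES so the script needs only the standard library, the file layout (raw RSA-wrapped session key followed by the encrypted body) is a guess for illustration, and the magic-byte list, victim names and sample document are constructed for the demo.

```python
# Added example: model of the "search for the associated private key" service.
# Textbook RSA with 64-bit primes and a SHA-256 keystream are stand-ins for the
# RSA-2048 / AES used by CryptoLocker; the file layout is an assumption.
import hashlib
import secrets

MOD_BITS = 128                 # toy modulus size (assumption; real malware: 2048)
WRAP_LEN = MOD_BITS // 8       # bytes occupied by the RSA-wrapped session key
# Constructed list of plaintext signatures the server can look for after
# decrypting the start of the body (PDF, ZIP/OOXML, OLE2).
MAGICS = (b"%PDF-", b"PK\x03\x04", b"\xd0\xcf\x11\xe0")


def is_probable_prime(n, rounds=16):
    """Miller-Rabin, sufficient for the toy key sizes used here."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen():
    """Return ((n, e), (n, d)): one key pair per victim, generated server side."""
    e = 65537
    while True:
        p, q = random_prime(MOD_BITS // 2), random_prime(MOD_BITS // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def keystream_xor(key, data):
    """SHA-256 in counter mode as the symmetric cipher (stand-in for AES)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def encrypt_file(plaintext, pub):
    """Header = session key wrapped with the victim's public key, then the body."""
    n, e = pub
    k = secrets.randbelow(n)       # uniformly random residue: nothing to recognise
    wrapped = pow(k, e, n).to_bytes(WRAP_LEN, "big")
    return wrapped + keystream_xor(k.to_bytes(WRAP_LEN, "big"), plaintext)


def unwrap_key(wrapped, priv):
    """Raw RSA: every private key 'succeeds' and yields a plausible-looking key."""
    n, d = priv
    return pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(WRAP_LEN, "big")


def decrypt_file(blob, priv):
    return keystream_xor(unwrap_key(blob[:WRAP_LEN], priv), blob[WRAP_LEN:])


def naive_search(first_1024, key_pool):
    """Unwrap only: with a random session key, every key in the pool matches."""
    wrapped = first_1024[:WRAP_LEN]
    return [vid for vid, priv in key_pool.items()
            if len(unwrap_key(wrapped, priv)) == WRAP_LEN]


def find_private_key(first_1024, key_pool):
    """Unwrap, then decrypt the first body bytes and look for a known file header."""
    wrapped, body = first_1024[:WRAP_LEN], first_1024[WRAP_LEN:WRAP_LEN + 8]
    return [vid for vid, priv in key_pool.items()
            if keystream_xor(unwrap_key(wrapped, priv), body).startswith(MAGICS)]


def demo(n_victims=5, target="victim3"):
    """Constructed scenario: a pool of victim key pairs and one uploaded file."""
    pubs, pool = {}, {}
    for i in range(n_victims):
        pubs[f"victim{i}"], pool[f"victim{i}"] = rsa_keygen()
    doc = b"%PDF-1.4\n" + b"A" * 2000            # constructed sample document
    blob = encrypt_file(doc, pubs[target])
    upload = blob[:1024]                          # what the victim uploads
    return (naive_search(upload, pool), find_private_key(upload, pool),
            decrypt_file(blob, pool[target]) == doc)
```

With a raw-wrapped random key, `naive_search` returns every victim in the pool, which is the problem the post identifies; `find_private_key` narrows it to the one key whose unwrapped value decrypts the body to a recognisable header. In practice the wrapped key is normally padded (PKCS#1 v1.5 or OAEP), and a wrong private key fails the padding check with overwhelming probability, so the padding itself plays the role of the "constant bit of data" the post hypothesises; the header check is only needed if the key were wrapped raw as modelled here.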
