ThreatSTOP Blog

Blocking Cryptolocker Ransomware

Written by francisturner | October 23, 2013

ThreatSTOP and DNS Firewall block Cryptolocker

Stop extortion by cybercriminals using IP and Domain Name reputation.

ThreatSTOP has started blocking a new variety of malware called "cryptolocker" for our subscribers and those of our OEM partner Infoblox. Cryptolocker is a new and widely spreading form of "Ransomware" that encrypts files on an infected Windows computer and any networked file systems it has access to.

We are blocking access to the known Cryptolocker servers and other associated infrastructure. This stops Cryptolocker from working on networks protected by ThreatSTOP and Infoblox DNS Firewall.

Cryptolocker is being spread in many different ways. As a result, the only really effective way to stop it is to block access to the servers the malware contacts to obtain the key it uses to encrypt your data before ransoming it.

While no current security solutions can completely prevent you from being infected by Cryptolocker, blocking communications to the criminals' encryption servers does prevent the malware from encrypting your data. This protects you from being extorted, and if you know which internal system was blocked (a key part of the ThreatSTOP and Infoblox DNS Firewall services), lets you clean it up before further damage occurs.

What is cryptolocker?

Cryptolocker is an updated and more virulent online version of a very old crime: taking something you really care about or need hostage, and extorting money to get it back.

The first online version of this was called "MoneyPak". MoneyPak infected computers that connected to sites advertising illegal or prurient content (mostly child pornography or other obscene content that no one would admit to looking at), via e-mail, or via trojaned legitimate hosts. Once MoneyPak was on a system, it impersonated the victim's local law enforcement (in the US the FBI, in Europe Interpol), locked up the system so the victim couldn't access it, and extorted money to give back access. Unfortunately for the victims, when they paid, MoneyPak didn't let them back in. The criminals relied (correctly) on the victims' unwillingness to have law enforcement examine their computers. However, unlike with Cryptolocker, there were ways to regain access without paying if you got hit with MoneyPak.

It was obviously a proof of concept. It was called "ScareWare", but it worked. ThreatSTOP and our associates have been tracking this system for over a year.

The criminals took notice, and now, just in time for Halloween, they are back with a REAL Vampire: Cryptolocker. The first detailed explanation of how Cryptolocker functions came from Emsisoft, who also appear to have been among the first to see it in the wild. The way it works is like this: you get the malware on your system; it calls back to a criminal server, which generates a key that is kept on the server; the malware then encrypts all the data on your hard disk (and on all the network shares it connects to) using that key; and then it pops up a message demanding payment if you'd like to see your data again. Oh, and by the way, they will not wait forever before they delete your key from their servers (probably because they need to keep moving servers).

As this Ars Technica article explains - it prices your data at $300 (or €300 so it's better to pay in USD :) ). If you are infected there are a number of ways you can pay the crooks and get them to give you a key.

The Cryptolocker crooks appear to be pretty honest - if you pay them they do give you the decryption key - but clearly no one wants to pay $300 and, of course, there's absolutely no guarantee that you won't get reinfected some time later.

Cryptolocker is far worse in a corporate environment because if an infected computer has open connections to other LAN-connected file systems, such as shared drives on a file server, then these may also be encrypted. Even worse, some organizations use a file-server drive as a shared backup drive for multiple users, meaning that all online backup files could be encrypted too.

Another exhaustive examination of Cryptolocker is available from BleepingComputer.

How does ThreatSTOP stop Cryptolocker?

Thanks to work by extremely talented malware researchers the critical command and control (C2) infrastructure of Cryptolocker, and how they move it to the next set of servers, has been identified. We are propagating the result of this work as a block list in both our IP reputation (ThreatSTOP) and RPZ (DNS Firewall) services.

As a result, our users stop infected computers from "calling home". By blocking these communications they prevent the malware from creating and sharing the encryption key with the criminals and, as a result, the infected machine's hard disk remains unencrypted.

This is not, and cannot be, a permanent fix. If a computer is infected with Cryptolocker then it needs to be cleaned up (reimaging is the only true solution to any active malware) as soon as possible, before Cryptolocker finds a way to call home that is not protected by ThreatSTOP, for example when someone takes their laptop home.

How to Protect Yourself

ThreatSTOP and DNS Firewall stop the Cryptolocker malware from communicating with its controllers and therefore stop it from actually encrypting your data. Our alerts and log analysis tools tell you which systems tried to contact those servers, and therefore are infected. This allows network and systems administrators to quarantine and clean up infected devices before they can cause data loss.

Implementing ThreatSTOP and/or Infoblox DNS Firewall, both of which are available for a 30-day, no-obligation trial, is the simplest and most effective way to identify any systems in your network infected with Cryptolocker before they actually encrypt your data.
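The triage step above (turning blocked call-home attempts into a list of internal hosts to quarantine) as an added example, not ThreatSTOP's or Infoblox's own tooling. It parses constructed log lines in the shape of BIND's "rpz" rewrite messages; the domain names, client addresses and zone name are placeholders, not Cryptolocker indicators.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on BIND "rpz" category log messages
# (client address, queried name, and the RPZ rewrite applied). All names
# and addresses are placeholders; the last line is an ordinary query that
# was not rewritten and must be ignored.
SAMPLE_LOG = """\
23-Oct-2013 09:12:01.101 client 10.20.30.41#51234 (c2-a.example.invalid): rpz QNAME NXDOMAIN rewrite c2-a.example.invalid via c2-a.example.invalid.rpz.placeholder.local
23-Oct-2013 09:12:05.412 client 10.20.30.41#51240 (c2-b.example.invalid): rpz QNAME NXDOMAIN rewrite c2-b.example.invalid via c2-b.example.invalid.rpz.placeholder.local
23-Oct-2013 09:13:44.009 client 10.20.31.7#40211 (c2-a.example.invalid): rpz QNAME NXDOMAIN rewrite c2-a.example.invalid via c2-a.example.invalid.rpz.placeholder.local
23-Oct-2013 09:14:02.777 client 10.20.30.41#51301 (www.example.com): query: www.example.com IN A + (10.20.0.2)
"""

# Timestamp, client IP, queried name, RPZ trigger type and action.
RPZ_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite"
)

# Only hosts inside our own address space can be the infected party.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def parse_rpz_hits(log_text):
    """Yield (timestamp, client_ip, blocked_name, action) for each RPZ rewrite line."""
    for line in log_text.splitlines():
        m = RPZ_LINE.match(line)
        if m:
            yield m["ts"], m["ip"], m["qname"].rstrip(".").lower(), m["action"]

def hosts_to_quarantine(log_text):
    """Aggregate blocked call-home attempts per internal client.

    Returns [(client_ip, {"first_seen", "hits", "names"}), ...], most hits first,
    so the machine retrying hardest is the first one pulled off the network."""
    report = {}
    for ts, ip, qname, action in parse_rpz_hits(log_text):
        if not any(ip_address(ip) in net for net in INTERNAL):
            continue
        entry = report.setdefault(ip, {"first_seen": ts, "hits": 0, "names": set()})
        entry["hits"] += 1
        entry["names"].add(qname)
    return sorted(report.items(), key=lambda kv: -kv[1]["hits"])

if __name__ == "__main__":
    for ip, info in hosts_to_quarantine(SAMPLE_LOG):
        print(ip, info["hits"], "hits, first seen", info["first_seen"], sorted(info["names"]))
```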

For more information, contact ThreatSTOP Sales or your Infoblox account executive.

About ThreatSTOP

ThreatSTOP is a real-time IP Reputation Service that automatically delivers a block list against criminal malware (botnets, Trojans, worms etc.) directly to a user's firewalls, so they can enforce it. It is a cloud-based service that protects the user's network against the most serious information security problem today—malware designed to steal valuable data perpetrated by organized criminals. ThreatSTOP enables existing hardware and network infrastructure to enforce user defined malware blocking policy without requiring the expense, complexity and time of a forklift upgrade of new equipment. It can be deployed within the hour with simple rule-settings or a script on the user's firewall. Founded in 2009, ThreatSTOP is headquartered in San Diego, CA. For more information, visit http://www.threatstop.com.