Security Experts:

Cryptolocker Infections on the Rise; US-CERT Issues Warning

The Cryptolocker (also known as Crilock) ransomware attacks are showing no signs of slowing down with one anti-malware company counting more than 10,000 infections in the United States alone.

The malware, which encrypts files on infected machines and demands a ransom for decryption, has been spammed to "tens of millions" of computer users in the U.K., prompting a warning from the National Crime Agency to be on the alert for this virulent threat.

According to Bitdefender, about 12,000 infected hosts tried connecting to domains associated with Cryptolocker during a one-week period at the end of October.

By early November, the malware had infected about 34,000 machines, predominantly in English-speaking countries, according to Microsoft.

"During that period, 12016 infected hosts tried to contact the sinkholed domains; the majority of connection attempts came from US-based IP addresses. in fact, judging by the distribution of infected hosts and the payment methods available, it would seem that only systems in the US are targeted, with the rest being collateral damage," Bitdefender said in a blog post.

The U.S. Computer Emergency Response Team (US-CERT) notes that Cryptolocker is spreading fast through fake e-mails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices.

"In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground," US-CERT warned.

Once a machine becomes infected, Cryptolocker finds and encrypts files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.

If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach. Victim files are encrypted using asymmetric encryption, according to an advisory from US-CERT.

The attackers are retrieving payments through third-party payment systems like Bitcoin and MoneyPak but some infected users are claiming they paid the attackers and never received a decryption key.

US-CERT is encouraging computer users and administrators experiencing a ransomware infection to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

The following mitigation guidance is available for users dealing with a Cryptolocker infection:

- Immediately disconnect the infected system from wireless or wired networks. This may prevent the malware from further encrypting any more files on the network.

- Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware.

- If possible, change all online account passwords and network passwords after removing the system from the network. Change all system passwords once the malware is removed from the system.

- Backup your data. According to Microsoft, the best defense against your data being encrypted by CryptoLocker/Crilock is to have a backup of your files.

 

*Updated with additional data and mitigation advice from Microsoft

Subscribe to the SecurityWeek Email Briefing
view counter
Ryan is the host of the podcast series "Security Conversations - a podcast with Ryan Naraine". He is the head of Kaspersky Lab's Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.