Cryptolocker Ransomware

Number: AL13-008
Date: 26 November 2013

Purpose

The purpose of this alert is to provide readers with information and guidance regarding Cryptolocker ransomware. This document also provides mitigation advice which may reduce the risk associated with this threat.

Assessment

Cryptolocker is a variant of ransomware that restricts access to infected computers by encrypting files and demanding that victims pay a ransom in order to regain their data. Once a computer is infected with this malware, a pop-up window appears demanding a sum of money, usually between $100 and $300, paid via GreenDot, MoneyPack or Bitcoin. The victim is then given a window of 72 to 100 hours to pay the ransom, after which time they are told they will lose the ability to decrypt their files.

Cryptolocker is notable in that it encrypts not only files on the local computer but also files located on shared network drives, USB drives, external hard drives and even some cloud storage drives. This means that if the malware infects a single user who has access to all the shared file drives within an organization's network, all of those files may become encrypted.
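One defensive response to the shared-drive exposure described above is a canary file planted in each share root, named so that a process encrypting the share alphabetically reaches it early, and checked on a schedule for any change. The Python below is an added example, not part of the CCIRC alert; the canary name, share paths and state-file location are constructed placeholders, and the demo uses temporary directories in place of real shares.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed name; "_aaa" sorts first so an encryptor walking the share reaches it early.
CANARY_NAME = "_aaa_canary_do_not_modify.docx"
CANARY_BODY = b"canary file - content must never change\n"

def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plant_canaries(share_roots, state_path):
    """Write one canary per share root and record each SHA-256 in state_path."""
    state = {}
    for root in share_roots:
        canary = Path(root) / CANARY_NAME
        canary.write_bytes(CANARY_BODY)
        state[str(canary)] = _sha256(canary)
    Path(state_path).write_text(json.dumps(state))
    return state

def check_canaries(state_path):
    """Return {canary_path: 'missing'|'modified'}; an empty dict means all intact."""
    state = json.loads(Path(state_path).read_text())
    alerts = {}
    for canary, expected in state.items():
        p = Path(canary)
        if not p.exists():
            alerts[canary] = "missing"    # deleted or renamed
        elif _sha256(p) != expected:
            alerts[canary] = "modified"   # contents overwritten
    return alerts

def simulate():
    """Offline demo on two constructed share roots: one canary overwritten, one removed.
    Returns {share_name: reason} so the outcome can be checked programmatically."""
    base = Path(tempfile.mkdtemp())
    roots = [base / "share1", base / "share2"]
    for r in roots:
        r.mkdir()
    state = base / "canary_state.json"   # keep the state file off the share in real use
    plant_canaries(roots, state)
    assert check_canaries(state) == {}   # untouched canaries raise no alert
    (roots[0] / CANARY_NAME).write_bytes(b"\x00\x01 overwritten bytes")
    (roots[1] / CANARY_NAME).unlink()
    return {Path(k).parent.name: v for k, v in check_canaries(state).items()}
```

A "modified" or "missing" result should be treated as a signal to disconnect the share and begin incident response, since by the time the canary changes other files on the same share have likely already been affected.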

At this time, the primary means of infection appears to be phishing emails that contain malicious attachments. Reports indicate that these emails use the following themes; however, other themes may also be used.

Email subject examples:

Suggested action

Should a ransomware infection occur, CCIRC does not recommend paying the ransom. Even if users pay the ransom and regain their data, there is no guarantee that the malware has been removed or won't re-infect the computer at a later date. Instead, CCIRC encourages users and administrators experiencing a ransomware infection to report the incident to local law enforcement.

Other suggested actions include:

References

CCIRC's Malware Infection Recovery Guide http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2011/tr11-001-eng.aspx

CCIRC's Ransomware Guide http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2013/in13-004-eng.aspx

US-CERT Cryptolocker Ransomware Infections http://www.us-cert.gov/ncas/alerts/TA13-309A

http://www.cod.edu/about/information_technology/security/pdf/ransomware20131031_cryptolocker.pdf

http://www.securelist.com/en/blog/208214109/CryptoLocker_Wants_Your_Money

http://nakedsecurity.sophos.com/2013/10/18/CryptoLocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/

http://www.tripwire.com/state-of-security/top-security-stories/public-utilitys-systems-shut-cyber-attack/

http://www.bleepingcomputer.com/virus-removal/CryptoLocker-ransomware-information

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
