01/03/2016
17:29

New CryptoLocky variant discovered! Watch for these emails: "Delay with Your Order #<number>, Invoice #<number>" or "Emailing: MX62EDO  01.03.2016"


A few weeks after its first appearance, CryptoLocky is back, encrypting files by adding the .locky extension and demanding a ransom of 3 BTC.

A few weeks after its first appearance, CryptoLocky is back thanks to a new wave of infected emails containing its dropper.

CryptoLocky encrypts data files, appending the .locky extension, and demands 3 BTC as ransom.

TG Soft's Anti-Malware Research Centre (C.R.A.M.) has identified 2 types of emails containing CryptoLocky's dropper.

INDEX

=> Infected email: 1st type and 2nd type

=> The ransom demanded by CryptoLocky

=> How to stay safe from CryptoLocky

=> How to contain CryptoLocky encryption damage

=> How to correctly apply Vir.IT eXplorer PRO updates

=> Final thoughts


1st Type: fake delay warnings about a non-existent order, with a fake order copy as attachment.

In this case, these fake emails come from an unknown sender and their subject is "Delay with Your Order #<number>, Invoice #<number>":

Delay with Your Order #1629ADCD, Invoice #44196947
The body of the email is the following:

Dear Valued Customer,


It is very unpleasant to hear about the delay with your order #<number>, but be sure that our department will do its best to resolve the problem. It usually takes around 7 business days to deliver a package of this size to your region.

The local post office should contact your as soon as they will receive the parcel. Be sure that your purchase will be delivered in time and we also guarantee that you will be satisfied with our services.

Thank you for your business with our company.

Kaye Herman
Sales Manager

The attachment is a .zip archive that begins with "order_copy_" followed by the order's number:

order_copy_1FE21D34.zip

Inside the archive, there is the Javascript dropper:

  • statistics_<random>.js
  • important_<random>.js

The size of this .js file is about 5 KB (depending on the dropper).

2nd Type: fake warnings about files or links that are allegedly being sent.

In this case, emails come from "documents@<receiver's domain>" and their subject is "Emailing: MX62EDO  01.03.2016".
The body of the email is the following:

Your message is ready to be sent with the following file or link
attachments:

MX62EDO  01.03.2016 SERVICE SHEET


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus



The attachment is a .zip archive that begins with "MX62EDO20160301" followed by some numbers:

MX62EDO201603016735093.zip

Inside the archive, there is the Javascript dropper with a random name:

  • CH8041585235.js
  • MG6859783386.js

The size of this .js file is about 5 KB (depending on the dropper).



The body of the email has a fairly clean layout, but if you have no relationship with the stated company or haven't made any purchases, you REALLY SHOULD NOT OPEN/EXECUTE the attachment.

The emails that have been analyzed (1st type) differ from each other while retaining the same layout. The user should not be tricked into opening the attachment, which looks like an order copy but is actually something very different:
  • order_copy_1629ADCD.zip
The Javascript file contained in the .zip archive, once executed, downloads and runs a cryptomalware called CryptoLocky (a.k.a. LockyCripter).
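As an added example (not part of the original bulletin), the following Python script turns the indicators listed above for both email types (subject lines, .zip attachment names, .js dropper names) into a mail-gateway triage check; it uses only the standard library, and the sample message it builds is constructed for the test, with an inert text file standing in for the dropper.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Subject, archive and dropper naming patterns of the two email types described above.
SUBJECT_RE = [re.compile(r"^Delay with Your Order #[0-9A-F]+, Invoice #\d+$"),
              re.compile(r"^Emailing: MX62EDO\s+01\.03\.2016$")]
ZIP_RE = [re.compile(r"^order_copy_[0-9A-F]{8}\.zip$"), re.compile(r"^MX62EDO20160301\d+\.zip$")]
JS_RE = [re.compile(r"^(statistics|important)_[A-Za-z0-9]+\.js$"), re.compile(r"^[A-Z]{2}\d{10}\.js$")]

def js_members(data: bytes) -> list:
    """Names of .js members inside a zip payload (empty if the payload is not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".js")]
    except zipfile.BadZipFile:
        return []

def triage_message(raw: bytes) -> dict:
    """Flag a raw RFC 822 message that matches the bulletin's subject/attachment indicators."""
    msg = email.message_from_bytes(raw)
    subject = msg.get("Subject", "")
    out = {"subject_match": any(p.match(subject) for p in SUBJECT_RE),
           "suspicious_zips": [], "js_droppers": []}
    for part in msg.walk():
        name = part.get_filename() or ""
        if any(p.match(name) for p in ZIP_RE):
            out["suspicious_zips"].append(name)
        # Look inside every attachment: the archive name alone is not the whole signal.
        for js in js_members(part.get_payload(decode=True) or b""):
            if any(p.match(js) for p in JS_RE):
                out["js_droppers"].append(js)
    hit = out["js_droppers"] or (out["subject_match"] and out["suspicious_zips"])
    out["verdict"] = "quarantine" if hit else "pass"
    return out

def build_sample() -> bytes:
    """Constructed 1st-type lookalike for testing: the .js inside is inert placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statistics_8f2a1c.js", "// inert placeholder, not a dropper\n")
    msg = EmailMessage()
    msg["Subject"] = "Delay with Your Order #1629ADCD, Invoice #44196947"
    msg["From"] = "sender@example.invalid"
    msg.set_content("Dear Valued Customer, your order is delayed.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="order_copy_1629ADCD.zip")
    return msg.as_bytes()
```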


Once the Javascript file "statistics_<random>.js" or "important_<random>.js" is executed, the CryptoLocky executable is downloaded and run.
The executable, which has a random name, is copied into the user's temporary folder (%TEMP%) as reflexResolution.scr.

Then, CryptoLocky deletes all "shadow copies" with the command: vssadmin.exe Delete Shadows /All /Quiet

The malware then encrypts data using multiple threads (in our test machine there were 13 threads).

CryptoLocky targets files with the following extensions:

.m4u .m3u .mid .wma .flv .3g2 .mkv .3gp .mp4 .mov .avi .asf .mpeg .vob .mpg .wmv .fla .swf .wav .mp3 .qcow2 .vdi .vmdk .vmx .gpg .aes .ARC .PAQ .tar .bz2 .tbk .bak .tar .tgz .gz .7z .rar .zip .djv .djvu .svg .bmp .png .gif .raw .cgm .jpeg .jpg .tif .tiff .NEF .psd .cmd .bat .sh .class .jar .java .rb .asp .cs .brd .sch .dch .dip .pl .vbs .vb .js .h .asm .pas .cpp .c .php .ldf .mdf .ibd .MYI .MYD .frm .odb .dbf .db .mdb .sql .SQLITEDB .SQLITE3 .011 .010 .009 .008 .007 .006 .005 .004 .003 .002 .001 .pst .onetoc2 .asc .lay6 .lay .ms11(Security copy) .ms11 .sldm .sldx .ppsm .ppsx .ppam .docb .mml .sxm .otg .odg .uop .potx .potm .pptx .pptm .std .sxd .pot .pps .sti .sxi .otp .odp .wb2 .123 .wks .wk1 .xltx .xltm .xlsx .xlsm .xlsb .slk .xlw .xlt .xlm .xlc .dif .stc .sxc .ots .ods .hwp .602 .dotm .dotx .docm .docx .DOT .3dm .max .3ds .xml .txt .CSV .uot .RTF .pdf .XLS .PPT .stw .sxw .ott .odt .DOC .pem .p12 .csr .crt .key wallet.dat


CryptoLocky renames encrypted files as follows: <victim's ID><random sequence>.locky
For example (the shared first 16 hexadecimal characters are the victim's ID, the remaining 16 are the random sequence):
  • 1DD6FF20B0293D341C12403B3C699ADF.locky
  • 1DD6FF20B0293D348FE972E2C3923FEC.locky
The original files are completely overwritten with the "U" character and then deleted.

The malware adds the following Windows Registry key so that it is run automatically:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
[Locky] = %temp%\reflexResolution.scr


Once the encryption is finished, CryptoLocky creates a file, named _Locky_recover_instructions.txt, containing instructions about the ransom:

            !!! IMPORTANT INFORMATION !!!!

All your files are encrypted with RSA-2048 and AER-128 ciphers.
More information about the RSA and AES can be found here:
    http://en.wikipedia.org/wiki/RSA_(cryptosystem)
    http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting of your file is only possible with the private key and decrypt program,
which is on our secret server.
To receive your private key follow one of the links:
    1. http://i3ezlvkoi7fwyood.tor2web.org/EF423B59EA8A7266
    2. http://i3ezlvkoi7fwyood.onion.to/EF423B59EA8A7266
    3. http://i3ezlvkoi7fwyood.onion.cab/EF423B59EA8A7266

If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: i3ezlvkoi7fwyood.onion/EF423B59EA8A7266
4. Follow the instructions on the site.

!!! Your personal identification ID: EF423B59EA8A7266 !!!

The desktop background image is changed into _Locky_recover_instructions.bmp:


The following Registry Key is generated:

HKEY_CURRENT_USER\Software\Locky:
[id] = victim's ID
[pubkey] = RSA public key
[paytext] = ransom information
[completed] = if the value is 1 then encryption has ended
 
Once CryptoLocky has encrypted the whole disk, it edits the "pending file rename" Registry key so that it deletes itself at the next reboot, leaving only the ransom instructions.
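As an added example (not part of the original bulletin), this Python script applies the host-side indicators described above (the vssadmin shadow-copy deletion, the <victim's ID><random>.locky file names, the Run key pointing at reflexResolution.scr, the HKCU\Software\Locky "completed" value and the recovery-instruction files) to a list of process/file/registry event records; the event shape and the sample events are constructed for illustration, not real telemetry.

```python
import ntpath
import re
from collections import Counter

# Indicators from the bulletin: encrypted-file name layout, shadow-copy deletion
# command, Run-key persistence entry and the HKCU\Software\Locky "completed" value.
LOCKY_NAME = re.compile(r"^(?P<victim>[0-9A-F]{16})(?P<rand>[0-9A-F]{16})\.locky$")
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet\b", re.I)
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run\locky"
COMPLETED_KEY = r"hkey_current_user\software\locky\completed"
RANSOM_NOTES = {"_locky_recover_instructions.txt", "_locky_recover_instructions.bmp"}

def parse_locky_name(path: str):
    """Return (victim_id, random_part) for an encrypted file name, or None otherwise."""
    m = LOCKY_NAME.match(ntpath.basename(path))
    return (m.group("victim"), m.group("rand")) if m else None

def analyse_events(events: list) -> dict:
    """Summarise Locky indicators over process / file / registry event records."""
    r = {"shadow_copies_deleted": False, "victim_ids": Counter(),
         "persistence": False, "completed": False, "ransom_note": False}
    for ev in events:
        if ev["type"] == "process" and VSSADMIN_DELETE.search(ev["cmdline"]):
            r["shadow_copies_deleted"] = True
        elif ev["type"] == "file":
            parsed = parse_locky_name(ev["path"])
            if parsed:
                r["victim_ids"][parsed[0]] += 1   # one victim ID per infected host
            elif ntpath.basename(ev["path"]).lower() in RANSOM_NOTES:
                r["ransom_note"] = True
        elif ev["type"] == "registry":
            key, value = ev["key"].lower(), ev["value"].lower()
            if key == RUN_KEY and value.endswith("reflexresolution.scr"):
                r["persistence"] = True
            elif key == COMPLETED_KEY and value == "1":
                r["completed"] = True
    return r

# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "file", "path": r"C:\Users\u\Documents\1DD6FF20B0293D341C12403B3C699ADF.locky"},
    {"type": "file", "path": r"C:\Users\u\Documents\1DD6FF20B0293D348FE972E2C3923FEC.locky"},
    {"type": "file", "path": r"C:\Users\u\Documents\report.docx"},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Locky",
     "value": r"%temp%\reflexResolution.scr"},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Locky\completed", "value": "1"},
    {"type": "file", "path": r"C:\Users\u\Desktop\_Locky_recover_instructions.txt"},
]
```

The shadow-copy deletion is the earliest of these signals and the one worth alerting on by itself, since it precedes the bulk encryption.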



The ransom demanded by CryptoLocky

The amount of money demanded as ransom is set to 3 BitCoin.

This email is infected with CryptoLocky


How to stay safe from CryptoLocky

Never forget that malware may be hiding behind an email attachment or link.
If you receive an email from an unknown address, or from a known address you were not expecting an email from, you really should not open attachments or links. If you accidentally opened a malicious attachment and encryption started, and you are a Vir.IT eXplorer PRO customer, it is possible to recover lost files thanks to Vir.IT Backup (if it is correctly configured).


How to contain CryptoLocky encryption damage

As reported for other crypto-malware, as soon as you notice that data encryption is in progress, you should:

  • UNPLUG ETHERNET and/or EVERY NETWORK CABLE - by doing this, the computer will be physically isolated from the network, thus containing the attack to just one machine.
  • DO NOT REBOOT OR TURN OFF THE COMPUTER in order to avoid further encryption; should the machine reboot, it is advised to turn it off and keep it off, until you get in touch with TG Soft's Tech Support - email assistenza@viritpro.com, or call +39 049 631748 - +39 049 632750, Mon-Fri 8:30-12:30 and 14:30-18:30.

With release 8.1.13 (18/02/2016), the heuristic-behavioural automaton included in Vir.IT eXplorer PRO has been updated to stop CryptoLocky attacks in their initial stages; other cryptomalware families, such as CryptoLocker, CTB-Locker, CryptoWall, CryptoEncoder, VaultCrypt and Crypto.FF, can still be halted as well (see VirIT eXplorer PRO - Anti-Crypto Malware Technologies).



How to correctly apply Vir.IT eXplorer PRO updates

On Windows 8, 8.1 and 10 machines, simply turning the computer off and then on again does not correctly update Vir.IT eXplorer PRO's engine (this applies to every software update).

On Windows 10, you must follow these steps to correctly apply the updates:
  • Open the Start menu, in the bottom left corner of the screen;
  • Click "Power";
  • Click "Restart".


On Windows 8.1, from the Start screen, you must click the "Power" button next to the user's icon, and then click "Restart".
Windows 8.1 Restart Button
If your PC is running Windows 10, 8.1 or 8 with a shell replacement installed (e.g. "Classic Shell"), you will have to terminate it and then proceed with the reboot.
 

Final thoughts

The criminal organizations that create cryptomalware, in order to keep it "lucrative", continually release newer versions and variants in the hope of bypassing antimalware protection software.
Our advice is to always perform, on a weekly or even daily basis, backup copies of most important documents, files and folders.

Vir.IT BackUp is a technology built into Vir.IT eXplorer PRO and it is devised to guarantee a great degree of protection to its backup copies, even from new generation cryptomalwares.

Vir.IT Backup-generated copies are safe from:
  • accidental deletion attempts, maybe by a careless user;
  • encryption caused by a cryptomalware attack.
Of course, both Vir.IT eXplorer PRO and Vir.IT Backup must be correctly installed, configured and functioning.

Since the incidence of cryptomalware attacks has increased a lot between December 2015 and February 2016, we strongly encourage all Vir.IT eXplorer PRO customers to:
  1. configure Vir.IT BackUp to create copies of commonly used files, such as text (.doc, .odt, etc.), spreadsheet (.xls, etc.), database (.mdb, etc.) and image (.jpg, .bmp, .gif, etc.) files, and of the most important folders;
  2. schedule the backup to have up-to-date copies thus reducing losses in case of a cryptomalware attack happening in the lapse between the previous backup and the next one.

Check out our bulletin regarding Vir.IT Backup.

TG Soft - Public Relations



Any information published on our site may be used and republished on other websites, blogs, forums, Facebook and/or in any other form, both paper and electronic, as long as the source is always explicitly cited as “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and/or web page from which the textual content, ideas and/or images have been taken.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgement would be appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
