FireEye and Fox-IT provide free keys to unlock systems infected by CryptoLocker

Discussion in 'other anti-malware software' started by markloman, Aug 6, 2014.

  1. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    433
    Location:
    Hengelo
    FireEye and Fox-IT Announce New Service to Help CryptoLocker Victims:
    http://www.fireeye.com/news-events/...unce-new-service-to-help-cryptolocker-victims

    CryptoLocker ransomware intelligence report:
    http://blog.fox-it.com/2014/08/06/cryptolocker-ransomware-intelligence-report/

    ------------------------------------------------------------------------------
    In the beginning of September 2013, the CryptoLocker malware variant appeared in the wild, spread exclusively by the infamous P2P ZeuS (aka Gameover ZeuS) malware. CryptoLocker had a simple purpose: to act as ransomware, encrypting important files such as images and documents, and then asking the victim for money to unlock the files.

    In collaboration with FireEye, InTELL analysts at Fox-IT worked on the investigation. By the end of 2013, certain groups that were focused on online banking fraud were moving to less risky attacks, such as ransomware, click fraud, and crypto coin mining. All of these attack types pose lower risk to the criminals compared to online banking attacks. P2P ZeuS was one of these groups.

    Of the botnets distributing CryptoLocker, infections were mostly limited to victims located in the US, Canada, UK and Australia. These regions were most likely selected for their use of English as the primary language.

    While CryptoLocker infections started in the beginning of September 2013, the largest number of infections in one month occurred during October 2013, with over 155,000 systems affected worldwide. This accounts for nearly 29% of all infections between September and May 2014. After October 2013 the rates dropped, but still steadily pacing at around 50,000 infections per month.

    The CryptoLocker infrastructure was separate from the P2P ZeuS infrastructure. It used a fast-flux network offered by a bulletproof hoster and a service hidden in the TOR network. These two channels were terminated on a proxy system that led directly to the backend system, allowing victims to pay the ransom even though the fast-flux network experienced various disruptions by security researchers.

    In the end, 1.3% of victims paid a CryptoLocker ransom; therefore, a large number of victims likely permanently lost files due to this attack. Fox-IT InTELL and FireEye provide a free service to victims to recover the private keys associated with CryptoLocker infections. This gives CryptoLocker victims the ability to recover their files and restore the contents.

    FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker: https://www.decryptcryptolocker.com/

    A big thank you to Kyrus tech for their tool Cryptounlocker. And finally we wish to thank SurfRight for their assistance by providing encrypted files they generated using CryptoLocker.
    ------------------------------------------------------------------------------

    HitmanPro.Alert provides protection against CryptoLocker and its variants, like CryptoWall:
    https://www.youtube.com/watch?v=5M8YYnXIAlw
     
    Last edited: Aug 6, 2014
  2. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,513
    Location:
    USA - Back in a real State in time for a real Pres
    Just going by the title that's pretty cool.
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Very interesting... I wonder how they manage to create the key considering that, up to now, encryption was regarded as pretty much bulletproof, with the only option being to wait a million years to recover data... Did they receive any help from the NSA? :D
     
  4. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Very nice, I hope it will help a lot of people :thumb:
     
  5. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    433
    Location:
    Hengelo
    Ronald
    Good question! Someone else also asked the same question on Twitter. Answer: "The portal was created after security researchers grabbed a copy of Cryptolocker's database of victims."
     
  6. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    829
    Location:
    UK
    Interesting stuff.

    So in the future, if there is an encrypted attack on your computer:
    take the hard drive out, label it, and hopefully in the future someone will be able to do the same so you can decrypt your data.
    :)
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Uuuhm, they don't really answer, do they?
    EDIT: Reading between the lines it seems they got the private keys from the database.
     
    Last edited: Aug 6, 2014
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Mark,

    I guess that site is using a self-signed certificate. Is that right?
    Users (for example) on XP with IE-8 may have a problem getting to that site. Yes, I know that XP and IE-8 are outdated, but I thought that I should mention it.
    If it is indeed a self-signed certificate, maybe it would be a good idea to add guidelines on how to handle it. (We are not unfamiliar with it here: it is analogous to when you want to use the https version of the Wilders board.)
     
  9. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    It's signed by Verisign.
     
  10. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    OK, thank you.
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
  12. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    On my Win7, IE-11, yes it is. On my XP, IE-8, it isn't. I'll have to figure out why it isn't on XP, IE-8.
     
  13. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    On this screenshot you will see that my Dutch XP IE-8 is giving a warning that the certificate was "given" to a different address than the web-address; and for that reason it is blocked.

    (maybe more to come)

    C_XP_2014_08_10_01.gif
     
  14. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    When I allow nevertheless to go to that website, there is again a certificate-error message (sorry this is in Dutch).

    See screenshot. (maybe more to come)

    C_XP_2014_08_10_02.gif
     
  15. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Now I am looking at some details of that certificate on my Dutch XP IE-8.
    It is telling me that it was "signed" by Comodo. Hey, Comodo isn't Verisign, is it?

    See screenshot (sorry, once again in Dutch). (maybe more to come).

    C_XP_2014_08_10_03.gif
     
  16. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Now, I am puzzled here. What is happening here? Who signed the certificate, Comodo or Verisign?
    Is it me? Is it something on my XP, while using IE-8 ?

    So the question is: are others using XP IE-8 having the same problem?
     
    Last edited: Aug 11, 2014
  17. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    SSL Labs reports Verisign too, and so do the other SSL checkers.

    Code:
    https://www.ssllabs.com/ssltest/analyze.html?d=decryptcryptolocker.com
    
    http://certlogik.com/ssl-checker/www.decryptcryptolocker.com/
    
    https://www.sslshopper.com/ssl-checker.html#hostname=https://www.decryptcryptolocker.com/
     
    Last edited: Aug 10, 2014
  18. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Interesting is that

    1. The Verisign Certificate "starts" on 16 July 2014
    (according to your screenshot)

    2. The Comodo Certificate "starts" on 06 Aug 2014
    (see screenshot)

    C_XP_2014_08_10_04.gif
     
  19. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Can't see any trace of Comodo in the certificate here :confused:
     
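    The pattern in posts 8 to 19 (a Verisign certificate for the right name reported by SSL Labs and by Win7/IE-11, but a Comodo certificate "given to a different address" on XP/IE-8) is what a practitioner would want to distinguish from a genuinely misconfigured site: a client that does not send the TLS Server Name Indication extension receives the server's default certificate rather than the one for the requested name, and Internet Explorer on Windows XP is such a client. The script below is an added example, not from the thread and not Fox-IT's or FireEye's code. It fetches the leaf certificate with and without SNI (standard library only) and compares issuer and covered names; the two certificate dicts embedded for the offline run are constructed in `ssl.SSLSocket.getpeercert()` shape and are not the site's real certificates, and the issuer names and default hostname in them are placeholders.

```python
"""Compare the certificate a TLS server presents with and without SNI.

Added example (not from the forum thread, not Fox-IT/FireEye code).
Stdlib only. The sample certificate dicts are constructed to mirror the
shape returned by ssl.SSLSocket.getpeercert(); they are not real certificates.
"""
import socket
import ssl


def cert_names(cert):
    """DNS names a getpeercert() dict vouches for: SAN dNSName entries, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def issuer_org(cert):
    """organizationName of the issuer, i.e. which CA signed the certificate."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or a wildcard covering only the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def cert_matches_host(cert, hostname):
    """True if any name in the certificate covers hostname (what a browser checks)."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def fetch_cert(hostname, port=443, use_sni=True, timeout=10):
    """Handshake with or without SNI and return the leaf certificate as a dict.

    Chain validation stays on (getpeercert() returns {} under CERT_NONE), but
    hostname checking is turned off because a name mismatch is the thing we
    want to observe rather than abort on.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname if use_sni else None) as tls:
            return tls.getpeercert()


def diagnose(hostname, cert_with_sni, cert_without_sni):
    """Explain a certificate-name warning by comparing SNI and non-SNI views of a server."""
    report = {
        "sni_issuer": issuer_org(cert_with_sni),
        "sni_matches": cert_matches_host(cert_with_sni, hostname),
        "default_issuer": issuer_org(cert_without_sni),
        "default_matches": cert_matches_host(cert_without_sni, hostname),
    }
    if report["sni_matches"] and not report["default_matches"]:
        report["verdict"] = "server depends on SNI: non-SNI clients get the default certificate"
    elif report["sni_matches"]:
        report["verdict"] = "same-name certificate either way: the mismatch lies elsewhere"
    else:
        report["verdict"] = "certificate does not cover the host even with SNI"
    return report


# Constructed sample data (placeholder issuers and default hostname), not real certificates.
HOST = "www.decryptcryptolocker.com"
CERT_WITH_SNI = {
    "subject": ((("commonName", HOST),),),
    "issuer": ((("organizationName", "Example CA One"),),),
    "subjectAltName": (("DNS", HOST), ("DNS", "decryptcryptolocker.com")),
}
CERT_WITHOUT_SNI = {
    "subject": ((("commonName", "*.hosting-default.example"),),),
    "issuer": ((("organizationName", "Example CA Two"),),),
    "subjectAltName": (("DNS", "*.hosting-default.example"),),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live check: python sni_check.py www.example.com
        host = sys.argv[1]
        print(diagnose(host, fetch_cert(host, use_sni=True), fetch_cert(host, use_sni=False)))
    else:                  # offline run over the constructed sample
        print(diagnose(HOST, CERT_WITH_SNI, CERT_WITHOUT_SNI))
```

    Run with a hostname to query a live server; a "server depends on SNI" verdict means the site itself is fine and the warning belongs to the client, which is the check to run before concluding that two different CAs signed the same site's certificate. If the default certificate is not chain-valid, the non-SNI handshake raises `ssl.SSLCertVerificationError`, which is itself the answer.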
  20. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://blog.fox-it.com/2014/09/04/update-on-decryptcryptolocker/
     