FireEye and Fox-IT Announce New Service to Help CryptoLocker Victims: http://www.fireeye.com/news-events/...unce-new-service-to-help-cryptolocker-victims CryptoLocker ransomware intelligence report: http://blog.fox-it.com/2014/08/06/cryptolocker-ransomware-intelligence-report/ ------------------------------------------------------------------------------ In the beginning of September 2013, the CryptoLocker malware variant appeared in the wild, spread exclusively by the infamous P2P ZeuS (aka Gameover ZeuS) malware. CryptoLocker had a simple purpose: to act as ransomware, encrypting important files such as images and documents, and then asking the victim for money to unlock the files. In collaboration with FireEye, InTELL analysts at Fox-IT worked on the investigation. By the end of 2013, certain groups that were focused on online banking fraud, were moving to less risky attacks, such as ransomware, click fraud, and crypto coin mining. All of these attack types pose lower risk to the criminals compared to online banking attacks. P2P ZeuS was one of these groups. Of the botnets distributing CryptoLocker, infections were mostly limited to victims located in the US, Canada, UK and Australia. These regions were most likely selected for their use of English as the primary language. While CryptoLocker infections started in the beginning of September 2013, the largest number of infections in one month occurred during October 2013, with over 155000 systems affected worldwide. This accounts for nearly 29% of all infections between September and May 2014. After October 2013 the rates dropped, but still steadily pacing at around 50,000 infections per month. The CryptoLocker infrastructure was separate from the P2P ZeuS infrastructure. It used a fast-flux network offered by a bulletproof hoster and a service hidden in the TOR network. These two channels were terminated on a proxy system that lead directly to the backend system, allowing victims to pay the ransom even though the fast flux network experienced various disruptions by security researchers. In the end, 1.3% of victims paid a CryptoLocker ransom, therefore, a large amount of victims likely permanently lost files due to this attack. Fox-IT InTELL and FireEye provide a free service to victims, to recover the private keys associated to CryptoLocker infections. This gives CryptoLocker victims the ability to recover their files and restore the contents. FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker: https://www.decryptcryptolocker.com/ A big thank you to Kyrus tech for their tool Cryptounlocker. And finally we wish to thank SurfRight for their assistance by providing encrypted files they generated using CryptoLocker. ------------------------------------------------------------------------------ HitmanPro.Alert provides protection against CryptoLocker and its variants, like CryptoWall: https://www.youtube.com/watch?v=5M8YYnXIAlw
Very interesting... I wonder how they manage to create the key considering that, up to now, encryption was regarded as pretty much bullet proof with the only option of waiting a million years to recover data... Did they receive an help from NSA?
Ronald Good question! Someone else also asked the same question on Twitter. Answer: "The portal was created after security researchers grabbed a copy of Cryptolocker's database of victims."
Interesting stuff. So in the future if there is an encrypted attack on you computer. Take the hard drive out label it and hopefully in the future someone will be able to do the same so you decrypt your data.
Uuuhm, they don't really answer... isn't it? EDIT: Reading between the lines it seems they got the private keys from the database.
Mark, I guess that site is using a self-signed certificate. Is that right? Users (for example) on XP with IE-8 may have a problem getting to that site. Yes, I know that XP and IE-8 are outdated, but I thought that I should mention it. If it is indeed a self-signed certificate, maybe it would be a good idea to add guidelines how to handle it. (we are not un-familiar with it here: it is analogue when you want to use the https version of the Wilders board).
On my Win7, IE-11, yes it is. On my XP, IE-8, it isn't. I'll have to figure out why it isn't on XP, IE-8.
On this screenshot you will see that my Dutch XP IE-8 is giving a warning that the certificate was "given" to a different address than the web-address; and for that reason it is blocked. (maybe more to come)
When I allow nevertheless to go to that website, there is again a certificate-error message (sorry this is in Dutch). See screenshot. (maybe more to come)
Now I am looking at some details of that certificate on my Dutch XP IE-8. It is telling me that it was "signed" by Comodo. Hey, Comodo isn't Verisign, isn't it? See screenshot (sorry, once again in Dutch). (maybe more to come).
Now, I am puzzled here. What is happening here? Who signed the certificate, Comodo or Verisign? Is it me? Is it something on my XP, while using IE-8 ? So the question is: are others using XP IE-8 having the same problem?
SSL Labs reports verisign too and so does the other SSL checkers. Code: https://www.ssllabs.com/ssltest/analyze.html?d=decryptcryptolocker.com http://certlogik.com/ssl-checker/www.decryptcryptolocker.com/ https://www.sslshopper.com/ssl-checker.html#hostname=https://www.decryptcryptolocker.com/
Interesting is that 1. The Verisign Certificate "starts" on 16 July 2014 (according to your screenshot) 2. The Comodo Certificate "starts" on 06 Aug 2014 (see screenshot)
