CryptorBit
Ransomware - aka "Son of CryptoLocker"?
CryptorBit is a ransomware program that was released around the beginning of December 2013 and targets all versions of Windows, including Windows XP, Windows Vista, Windows 7, and Windows 8. It’s a derivative of the more widely known CryptoLocker, but it uses different installation and encryption techniques from its predecessor.
How is it delivered?
CryptorBit is typically delivered by clicking links in a spam or malicious email, by visiting malicious websites while browsing the web, or by opening an email attachment from a malicious source. Victims' reports indicate that their files became corrupted right after installing a fake Flash update or being infected by a rogue anti-virus program of some sort. However, at this time, these reports haven’t been confirmed.
What does it do?
Once on your computer, this ransomware will scan your computer (and network!) and encrypt any data file it finds, regardless of the file type or extension. When it encrypts a file, it will also create a HowDecrypt.txt file and a HowDecrypt.gif in every folder in which a file was encrypted. The GIF and TXT files contain instructions on how to access a payment site to pay the ransom. This payment site is located on the Tor network and you can only make the payment in Bitcoins.
The impact to a business network can be devastating within minutes. At a recent infection that we were asked to repair, this malware rendered useless tens of thousands of files on the network in under 10 minutes from a single infected user PC.
Differences in encryption technique from CryptoLocker
When CryptorBit modifies your files it is actually not encrypting the entire file, but rather corrupting it by replacing the first 512 bytes of the file. It appears to copy the first 512 bytes of the file header, encrypt those bytes, and store them at the end of the file. It then creates a different 512-byte header and replaces the file's normal header with it. This effectively corrupts the file, because a program that would normally open this type of file sees an unknown header and cannot open it.
The malware claims it uses 2048-bit encryption, but examples tested indicate it’s much less sophisticated than it claims. Still, it creates a huge mess!
What can you do?
If your computer is connected to a network, disconnect it from the network immediately. This malware moves very quickly, so it’s probably too late to keep your server safe, but it can't hurt to be extra cautious. All files on every network drive that you connect to have probably already been encrypted. Disconnect just to be safe and notify your network administrator immediately.
You should immediately scan your computer with an antivirus or anti-malware program that has been updated. Many antivirus vendors are able to detect the infection files and clean them. The program MalwareBytes has been proven to detect and remove this malware, but you’ll have to ensure that your registry has been cleaned manually. As these CryptorBit files are widely detected by AV programs, there is a possibility that your infection may actually have been installed remotely by someone hacking into a server or computer. There is also the real possibility that the software or hacker has been able to turn off your AV programs, or at least stop them from starting when you boot your PC.
It's possible, but unproven, that the hacker may have installed CryptorBit, encrypted your files, and then cleaned up the installer. This would also explain why no one has been able to find the installer for this malware yet.
What to look for –
The results of an infection of this type are pretty easy to spot. All affected files and folders usually have identical date and time stamps. You'll also see those 3 HowDecrypt files mentioned earlier in every folder that is infected.
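A small detector for the symptoms this post describes (a file whose first bytes no longer match its extension, HowDecrypt notes in the folder, and identical timestamps on the damaged files), written as an added example rather than code from the original post or from any tool it mentions. The MAGIC table, the fixture files and their timestamp are constructed for the example; the scan only flags files and attempts no recovery.

```python
import os
import tempfile
from collections import Counter

# Expected leading bytes for a couple of common file types (small constructed subset)
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
}
NOTE_NAMES = {"howdecrypt.txt", "howdecrypt.gif"}  # ransom notes dropped per folder
HEADER_LEN = 512  # size of the header block the post says is replaced

def header_mismatch(path):
    """True if the extension implies a known magic and the file's first bytes disagree."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return False  # unknown type: nothing to compare against
    with open(path, "rb") as f:
        return f.read(len(magic)) != magic

def scan_folder(folder):
    """Report ransom notes, header-damaged files and whether they share one mtime."""
    names = os.listdir(folder)
    notes = sorted(n for n in names if n.lower() in NOTE_NAMES)
    suspect = sorted(n for n in names if n.lower() not in NOTE_NAMES
                     and header_mismatch(os.path.join(folder, n)))
    # Mass damage tends to leave the same timestamp on every hit file
    stamps = Counter(int(os.path.getmtime(os.path.join(folder, n))) for n in suspect)
    return {"notes": notes, "suspect": suspect,
            "shared_timestamp": max(stamps.values(), default=0) >= 2}

def build_fixture(folder):
    """Constructed samples: one intact PDF and two files laid out as the post describes."""
    pdf = b"%PDF-1.4\n" + b"x" * 2000
    with open(os.path.join(folder, "intact.pdf"), "wb") as f:
        f.write(pdf)
    # Hypothetical damaged layout: junk 512-byte header, body, 512 bytes appended at the end
    damaged = b"\x00" * HEADER_LEN + pdf[HEADER_LEN:] + b"\xff" * HEADER_LEN
    for name in ("q1.pdf", "logo.png"):
        path = os.path.join(folder, name)
        with open(path, "wb") as f:
            f.write(damaged)
        os.utime(path, (1386000000, 1386000000))  # identical stamp on each damaged file
    with open(os.path.join(folder, "HowDecrypt.txt"), "w") as f:
        f.write("constructed placeholder note\n")

def demo():
    """Build the fixture in a temp folder and return the scan result."""
    with tempfile.TemporaryDirectory() as d:
        build_fixture(d)
        return scan_folder(d)
```

Running `demo()` flags q1.pdf and logo.png, lists the HowDecrypt.txt note, and reports the shared timestamp, while intact.pdf is left alone.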
The most common Windows folder location where the CryptorBit virus lives is "%AppData%", and it can be easily removed using antivirus tools. Unlike previous (and more sophisticated) ransomware, you can sometimes recover your files using a system utility called 'System Restore'.
As for the registry and file paths, we know that it will create random files and folders under the %AppData%, %LocalAppData%, or %ProgramData% system folders. It will also create HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce entries to start the infection when Windows starts.
It’s also a BitCoin Thief –
Another component that is commonly bundled with CryptorBit is a crypto-coin miner. This component will utilize your PC's CPU to mine digital coins, such as Bitcoin or other coins, for the malware developer; the coins are then deposited into their wallet.
Also make sure you change your passwords on your computer, and if you use remote desktop, please consider changing your remote desktop port designation and instituting VPN access if you don’t already have it.
Useful Tools –
A utility called DecrypterFixer has been able to recover some files that were supposedly encrypted by this malware. Due to our ability to now help users with this infection, we have put together a guide that contains all known information about the CryptorBit infection.
Kaspersky Labs has also developed a couple of nice tools to clean up after this ransomware.
Jeff Hoffman is an IT Security and Data Protection Specialist with ACT Network Solutions. For help with your network, he can be reached at (847) 639-7000 or jhoffman@act4networks.com