Wednesday, October 16, 2013

CryptoLocker: When Good Encryption Goes Bad

There is a new ransomware trojan horse called CryptoLocker infecting Windows computers. You might be thinking, "Hey great! Wait, what is ransomware, and what is a trojan?" So, before I dive into CryptoLocker, let me offer a brief explanation of ransomware, encryption, and trojan horses.

Ransomware is a kind of malware that encrypts the files on your computer without your knowledge. At some point in the encryption process a message appears on your screen telling you to pay money to get your files decrypted. Encryption scrambles a file so that it can't be read by just anyone; you need a key to decipher it. Think of the "Enigma machine" from World War II and you'll understand that encryption is meant to disguise the real message from anyone who doesn't hold the key. Computer file encryption works the same way and is normally used to keep data secure and private. Ransomware turns that protection against you: the criminals hold the only key, and your own files are the hostage.

Trojan horses are a reference to the Greeks' use of a wooden horse to gain entry to the city of Troy during the Trojan War. The Greeks are said to have built the horse to hide in, presented it as a gift, and then climbed out to slaughter their enemy. In technology a trojan horse (commonly referred to as just a "trojan") is a program that looks legitimate but in reality isn't. The term fits because the attacker hides the malicious code inside software that appears safe, and unlike a virus or worm a trojan relies on you to let it in: when you download, install, or run the software, it infects your computer with some variant of malware.

CryptoLocker typically hides inside an email attachment that appears to come from a legitimate source, often a ZIP file containing an executable dressed up with a document icon and a misleading name (Windows hides known file extensions by default, so "invoice.pdf.exe" shows up as "invoice.pdf"). When the attachment is opened the ransomware is unleashed and begins encrypting documents, spreadsheets, pictures and other common file types on the computer. This includes network drives and flash drives that are connected at the time the encryption is taking place: any storage that is attached to your computer under a drive letter such as C:\ can have its files encrypted. You will know you have been infected with CryptoLocker when a message appears telling you that your files are encrypted and demanding payment (in the ballpark of $300 to $400 US dollars). The message includes a countdown timer. You need to pay the ransom before the timer expires or, it warns, the key will be destroyed and your files will stay encrypted for good. To add insult to injury it offers "convenient" methods of payment: Bitcoin, or US dollars or euros through anonymous prepaid cash vouchers such as Ukash or MoneyPak. Once payment is received you are given the key to decrypt your files. Interestingly, by some reports nearly half of all people infected choose to pay the ransom. From everything I have read, the hackers are at least cordial enough to honor their end of the deal by handing over the key. I suppose that if word got around that they didn't honor their end fewer people would pay, and let's face it, they want your money, not your files.

CryptoLocker is not too difficult to remove with standard anti-malware tools, though some can't detect it at all, and some detect it only after the damage has already started. Removing it does not get your files back, and these tools cannot decrypt them. CryptoLocker follows the best practices of file encryption: each victim gets a unique 2048-bit RSA key pair generated on the criminals' server, the files are encrypted on your machine using the public half, and the private half needed to decrypt them never leaves their server. That is why cleaning the infection, or digging through the malware itself, yields nothing usable. Security experts have said that traditional brute force methods of trying to decrypt the files don't work. Brute force essentially means guessing what the key might be, and for a key of this size the guessing would take far longer than anyone could wait, no matter how much computing power is thrown at it.

In extreme cases such as this, having backups of your data is essential. If you are religious about backing up your data it may be possible to restore your files and not have to pay the ransom. I have to stress the word "may". Backups can get encrypted too if they are not kept "offline". In other words, if your backup drive is always connected to your computer, turned on, and assigned a drive letter, it too could have been encrypted. If you are fortunate enough to have a backup that predates the encryption, you can safely restore your files. Naturally, you would do this only after you are confident you have successfully removed the malware, and after checking that the backup copies really are intact rather than encrypted copies of already-damaged files.
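Before restoring, it is worth checking that a backup actually predates the damage. CryptoLocker encrypted files in place and kept their names, so a backup can look perfectly normal in a folder listing while every file inside is ciphertext. The following script is an added example written for this post, not the malware's code or any vendor's tool: it walks a backup folder and flags files whose contents no longer match what their extension promises (a ".docx" that does not start with a ZIP header) or, for extensions it does not know, whose bytes are as random as encrypted data. The magic-byte table, the entropy threshold of 7.5 bits per byte, the sample backup it builds, and the function names are all assumptions made for illustration.

```python
"""Check whether the files in a backup still look like the documents they
claim to be, or like CryptoLocker-style ciphertext. Added example; the header
table, threshold and sample data are illustrative assumptions."""
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Header bytes for some common document formats. Assumed, illustrative list;
# it is not CryptoLocker's real target-extension list.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
}
# Bits per byte. Plain text sits around 4 to 5; ciphertext approaches 8.
ENTROPY_THRESHOLD = 7.5
SAMPLE_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Return 'ok' or 'suspicious' for one file.

    Extensions with a known header are judged by the header alone, because
    legitimate compressed formats (.docx, .png, .jpg) are high-entropy past
    their header and would otherwise be false positives. Unknown extensions
    fall back to the entropy test on the first SAMPLE_SIZE bytes.
    """
    with open(path, "rb") as f:
        head = f.read(SAMPLE_SIZE)
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None:
        return "ok" if head.startswith(expected) else "suspicious"
    return "suspicious" if shannon_entropy(head) > ENTROPY_THRESHOLD else "ok"


def scan_backup(root) -> dict:
    """Walk a backup tree and bucket every file as 'ok' or 'suspicious'."""
    root = Path(root)
    results = {"ok": [], "suspicious": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            results[classify(p)].append(str(p.relative_to(root)))
    return results


def backup_is_clean(root) -> bool:
    """True when nothing in the tree looks encrypted, i.e. a restore candidate."""
    return not scan_backup(root)["suspicious"]


def make_demo_backup(root) -> None:
    """Constructed sample data: three healthy files plus two stand-ins for
    files that were encrypted in place. Seeded pseudo-random bytes play the
    role of ciphertext so the result is reproducible."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    rng = random.Random(2013)
    junk = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"word/document.xml" * 50)
    (root / "notes.txt").write_bytes(b"Call the bank about the invoice.\n" * 100)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + junk(2000))
    (root / "budget.xlsx").write_bytes(junk(4096))  # ZIP header gone: encrypted
    (root / "diary.txt").write_bytes(junk(4096))    # random bytes, not prose


def demo_scan() -> dict:
    """Build the constructed sample backup in a temp dir and scan it."""
    demo = Path(tempfile.mkdtemp()) / "backup-2013-10-01"
    make_demo_backup(demo)
    return scan_backup(demo)


if __name__ == "__main__":
    for bucket, files in demo_scan().items():
        print(bucket, sorted(files))
```

Run it against a real backup with `scan_backup(r"E:\Backups\2013-10-01")`; a single suspicious hit in a set that was clean last week is a strong sign that the backup ran after the infection started, and an older snapshot should be used instead.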

It is a good idea to back up to a drive that you turn off and/or disconnect from your computer once the backup has completed; a drive that is unplugged cannot be encrypted. If you back up to the cloud, make sure the service does not treat your connection like a local drive or require a drive letter to be assigned to it, since a mapped drive is reachable by the malware just like any other. Be aware, too, that a simple sync folder will faithfully upload the encrypted versions of your files over the good ones, so favor a service that keeps previous versions of each file. For more information on cloud services you can refer to my blog post: Today's Forecast: Cloudy with a Chance of Data.