How to protect yourself from malware like cryptowall, cryptolocker or cryptofortress

Anonim

Summary

The new malware that appeared in 2013 under the names CryptoWall, CryptoLocker and CryptoFortress uses encryption to digitally “hijack” the victim's files and then demands a monetary reward. At first the victims were almost exclusively companies, from which the criminals easily obtained payment; now they are no longer limited to “kidnapping” company data, and ordinary users are already among the victims. This article describes how this malware operates, how to identify it, who its most common victims are and how to protect against it. The whole process was carried out in virtual environments; no physical computer was damaged.

Introduction

As the years pass, new technologies keep surprising us, so it is no surprise that the threats do too. New technologies also demand that the ways of protecting against them be better and more innovative. Our aim is to analyze and understand how this type of malware works and how to protect against it in order to avoid further damage.

Methods

The methodology relied on virtual systems in order to avoid damage to the hardware. The malware was tested on a Windows 7 Ultimate operating system installed on a virtual disk created with the Oracle VirtualBox program (Fig. 1).

Figure 1. VirtualBox with Windows 7 created.

Results

The tests carried out show that the malware infects a system in the following steps:

  1. It first locates the non-executable files: text files, photos, documents and so on. These are the files that will be encrypted. A random symmetric key is generated for each file, and each file is encrypted with its own random key. The random symmetric key of each file is then encrypted with RSA, and the encrypted key is appended to the encrypted file. Each encrypted file overwrites the original, preventing recovery with forensic techniques (Fig. 2).
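Given the per-file encryption described in step 1, a defender's first question after an incident is which files have already been overwritten with ciphertext. The following Python script is an added example, not code from the article: it flags files by byte entropy (ciphertext sits near 8 bits per byte, while documents and text are far lower), skips known compressed formats to limit false positives, and runs over constructed samples, one of which imitates the ciphertext-plus-appended-key layout; file names, threshold and samples are assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Shannon entropy (bits per byte) above this is typical of encrypted or
# compressed data; ordinary documents and spreadsheets sit well below it.
ENTROPY_THRESHOLD = 7.5

# Legitimately high-entropy formats, skipped to limit false positives.
KNOWN_COMPRESSED_MAGIC = (
    b"PK\x03\x04",    # zip, docx, xlsx
    b"\x1f\x8b",      # gzip
    b"\xff\xd8\xff",  # jpeg
    b"\x89PNG",       # png
)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the bytes are high-entropy and not a known compressed format."""
    if any(data.startswith(magic) for magic in KNOWN_COMPRESSED_MAGIC):
        return False
    return shannon_entropy(data) >= threshold

def scan_directory(root: str) -> list:
    """Sorted names of files under root whose content looks encrypted."""
    return sorted(p.name for p in Path(root).rglob("*")
                  if p.is_file() and looks_encrypted(p.read_bytes()))

def demo() -> list:
    """Write constructed samples (not real victim files) to a temp dir and scan it."""
    samples = {
        "report.txt": b"Quarterly report: revenue grew 4 percent. " * 100,
        # 4096 bytes of ciphertext plus a 256-byte appended RSA-wrapped key,
        # the layout the article describes; random bytes stand in for both.
        "report.txt.encrypted": os.urandom(4096) + os.urandom(256),
        "photos.zip": b"PK\x03\x04" + os.urandom(2048),  # high entropy, legitimate
    }
    root = tempfile.mkdtemp()
    for name, content in samples.items():
        Path(root, name).write_bytes(content)
    return scan_directory(root)  # ['report.txt.encrypted']
```

Entropy alone cannot tell ciphertext from compressed data, so the magic-byte allowlist matters; extend it with whatever archive and media formats your environment holds before trusting the results.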

After the infection and encryption stage, the only holders of the key that gives access to the files are the criminals, who demand a cash ransom within a deadline that varies from victim to victim (Fig. 3).

Once the files are encrypted, the criminals let the victim decrypt a single file to prove that they are serious.

Payment of the "ransom" for the files is made in Bitcoin through a URL generated separately for each victim. If the victim does not know how to use this currency or how to pay, the criminals provide a FAQ (Frequently Asked Questions) section and another instructional page explaining the whole process of buying and paying with Bitcoin.

It is recommended not to make any payment to the criminals and instead to turn to the free software listed in the references at the end of this article, although this does not guarantee full recovery of the files. If you decide to pay the ransom for the files, you must first make a request to the Central Bank of Bolivia, since on May 6, 2014 the Central Bank of Bolivia prohibited the use of currencies not issued or regulated by states, thereby prohibiting the use of Bitcoin.

Figure 2. Malware warning, showing the final result of the encryption.

Figure 3. Notice of purchase of decryption to restore files

If you do manage to make the payment the criminals request, they give you a URL from which to download a program that removes the encryption from the “hijacked” files. This software may contain other malware that, for example, reactivates the original malware after some time, or the program may simply fail to remove the encryption. Cases became known in which an unnamed company was repeatedly a victim of the malware and, having made no prior backup, had to pay every time. Backups kept external to the computer are recommended.

What to do if you were a victim of the aforementioned malware

The first step is to remove all traces of the malware using software dedicated to that task. In our case we chose Kaspersky Rescue Disk, which removes all traces of the virus without having to boot into Windows (Fig. 4).

Figure 4. Software dedicated to removing malware, Kaspersky Rescue Disk

How to protect yourself from malware

The first line of defense against the spread of this malware is the user, who should not open unknown links or attachments; having an up-to-date antivirus does not guarantee protection against it. We can also turn to the CryptoPrevent software (Fig. 5), which removes the permissions exploited by the malware.

Figure 5. Cryptoprevent in its adjustment state.

Conclusions

The research and testing team concluded that the malware first discovered in 2013 went beyond its predecessors: earlier malware was only dedicated to corrupting files and destabilizing the operating system, whereas this malware takes crime a step further, since its aim is to generate monetary income anonymously by hijacking files.

Projections

Having completed the study and field tests, we propose deploying the security software Cryptoprevent, and that governments consider regulating the currency called Bitcoin in order to hunt down cyber criminals.

References and bibliography

  • http://articulos.softonic.com/cryptolocker-cryptowall-cryptofortress-eliminar-desencriptar
  • http://www.securitybydefault.com/2014/12/atencion-infecciones-masivas-de.html