
You’re infected—if you want to see your data again, pay us $300 in Bitcoins - elux
http://arstechnica.com/security/2013/10/youre-infected-if-you-want-to-see-your-data-again-pay-us-300-in-bitcoins/
======
blhack
You can work to prevent this by creating a group policy that disallows

    %AppData%\*.exe

and

    %AppData%\*\*.exe

A good discussion of this happened here:
[http://www.reddit.com/r/sysadmin/comments/1mizfx/proper_care...](http://www.reddit.com/r/sysadmin/comments/1mizfx/proper_care_feeding_of_your_cryptolocker/)

sidenote: this virus actually scares me, and it sounds like it actually scares
most people who work in IT. This is the shittiest thing anybody has ever seen,
it sounds like.

~~~
crb
Doesn't Google Chrome run under %AppData% in a default (non-MSI) install?
(This is how it's able to silently update itself, even when run as a non-
administrator.)

~~~
Silhouette
_Doesn't Google Chrome run under %AppData% in a default (non-MSI) install?_

Yes, and from a security point of view it should be treated as hostile
accordingly.

There is no need to actively circumvent Windows security like this. Firefox,
among many other examples, is quite capable of automatically updating itself
using a proper Windows service mechanism.

It's long past time that Google were called out on this one. Not only is it a
potential security risk, it also interferes with backups of %AppData%, which
is generally an area of Windows PCs that you do want to save regularly in case
of disasters.

~~~
Pxtl
Installing into %AppData% is, iirc, Microsoft's intended approach with
ClickOnce installers (which Chrome uses). The difference is that ClickOnce
installers have a far more restrictive permissions model than old MSIs.

ClickOnce-installed applications are limited to "Internet Zone" permissions.
This can make them immensely frustrating to develop with, actually, since many
of MS's own development frameworks fail miserably in Internet Zone even when
they have no reason to do so (mostly they generate temporary files in places
they aren't allowed).

I'm not sure how Google Chrome gets permissions to save files into your
documents and whatnot from there - I don't recall Chrome requesting a
permissions escalation during install or anything.

~~~
Silhouette
Fascinating. Thanks for sharing this information. I had no idea this was
actually a sanctioned installation option, but clearly it is if you know what
to look for[1]. That's actually rather disturbing, from a security point of
view...

[1] [http://msdn.microsoft.com/en-us/library/142dbbz4%28v=vs.90%29.aspx](http://msdn.microsoft.com/en-us/library/142dbbz4%28v=vs.90%29.aspx)

------
MiguelHudnandez
I was hit by this, or a variant, at my place of business. Hundreds of
thousands of files on our shared drive were overwritten, about 2 TB worth of
files. Office documents, PDFs, and Adobe documents like PSD and INDD were
encrypted. JPEGs were altered but still viewable. All files increased in size
by a few hundred bytes.

Pull-only backups were the savior here, although because we didn't notice
until the next day, the pulled backups on that system were also overwritten
with encrypted/corrupt files. Luckily we had VSS versioning on the pull-only
backup location. There was a close call in that the 2 TB or so of "new" data
ended up pushing VSS over quota and we almost lost our good versions of the
files that way. If not for the VSS versions, we would've had to resort to cold
backups which would've been a bit older. As it stood, no file recovered was
more than a few hours old.

Auditing on the file share indicates which workstation was infected.
Pertaining to that: it surprises me that in 2013, a default install of Windows
will not log any useful information about shared folders by default. You must
enable object auditing in Group Policy and specifically declare which users or
groups are subject to said auditing on a share-by-share basis. In a world
without logrotate, I suppose a sensible default is to just let a bunch of shit
happen without recording it.

What gets me wound up most of all is the amount of engineering involved for an
average home user to protect themselves. I thought a Mac with Time Machine was
enough, but a similar virus would easily corrupt those backups if they were
available to it over a mapped drive.

It is the goddamn 21st century, and users are still losing work by overwriting
documents by accident, or opening a document as an e-mail attachment and not
being able to find the actual file they edited. Should people really need an
IT guy with ten years of experience to be protected from simple mistakes?
Google has made progress on that front with the Chromebook, I suppose.
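
The share-side auditing MiguelHudnandez describes is the quickest way to name the infected workstation. As an added example that is not part of this thread, the Python below runs over constructed records shaped like Windows Security event 5145 (the event the "File Share" subcategory of Object Access auditing writes when a client's access to a share object is checked; it carries the client IP, the account and the access mask) and reports any client that wrote to an unusually large number of distinct files inside a short window, which is what an encrypting worm looks like from the server. The event records, addresses and user names are made up for the example.

```python
"""Find the workstation behind a burst of writes on a file share.

Added example, not code from the thread.  The events below are constructed
to look like Windows Security event 5145 (a network share object was
checked for access), which is only produced once File Share auditing is
enabled; the field names are those of that event's XML view.  AccessMask
bit 0x2 is FILE_WRITE_DATA, so records without it are reads and are ignored.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

FILE_WRITE_DATA = 0x2


def _event(ts, user, ip, path, mask):
    return {"EventID": 5145, "TimeCreated": ts, "SubjectUserName": user,
            "IpAddress": ip, "ShareName": "\\\\*\\Shared",
            "RelativeTargetName": path, "AccessMask": mask}


def constructed_events():
    """Constructed sample: one person editing a few documents over an hour,
    and one workstation rewriting forty files inside two minutes."""
    base = datetime(2013, 10, 17, 9, 0, 0)
    events = []
    for i in range(3):  # ordinary editing, 20 minutes apart
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        events.append(_event(ts, "ksmith", "10.0.0.11",
                             f"Marketing\\brochure_v{i}.docx", FILE_WRITE_DATA))
    for i in range(40):  # ransomware-like: read, then overwrite, 3 s apart
        ts = (base + timedelta(minutes=30, seconds=3 * i)).isoformat()
        events.append(_event(ts, "jdoe", "10.0.0.23",
                             f"Finance\\report_{i:02d}.xlsx", 0x1))  # read
        events.append(_event(ts, "jdoe", "10.0.0.23",
                             f"Finance\\report_{i:02d}.xlsx", FILE_WRITE_DATA))
    return events


def burst_writers(events, window=timedelta(minutes=5), min_files=30):
    """Return {(ip, user): peak} for every client that wrote to at least
    `min_files` distinct files within any `window`-long span."""
    writes = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 5145 or not ev["AccessMask"] & FILE_WRITE_DATA:
            continue
        writes[(ev["IpAddress"], ev["SubjectUserName"])].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["RelativeTargetName"]))

    flagged = {}
    for key, items in writes.items():
        items.sort()
        recent, counts, peak = deque(), Counter(), 0
        for ts, path in items:
            recent.append((ts, path))
            counts[path] += 1
            while ts - recent[0][0] > window:  # slide the window forward
                _, old = recent.popleft()
                counts[old] -= 1
                if not counts[old]:
                    del counts[old]
            peak = max(peak, len(counts))  # distinct files written in window
        if peak >= min_files:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (ip, user), n in burst_writers(constructed_events()).items():
        print(f"{ip} ({user}) wrote {n} distinct files inside 5 minutes")
```

The File Share subcategory is switched on with `auditpol /set /subcategory:"File Share" /success:enable` (or the matching Advanced Audit Policy setting in Group Policy); without it the 5145 events never reach the Security log, which is the default MiguelHudnandez complains about. The threshold and window are arbitrary starting points; tune them against a normal day's traffic before alerting on them.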

~~~
tempestn
Something like CrashPlan provides good protection against this sort of thing
for home users. It includes versioned, off-site backups -- either on their
servers for around $6 a month, or on a "friend's computer" for free. Either
way, the backups are saved via crashplan, not with direct drive access, so it
should be safe against this kind of thing.

No affiliation, just a user.

~~~
MiguelHudnandez
Thanks! I am looking at BackBlaze, Arq + Glacier, and now CrashPlan as
relatively cheap additions for extra peace of mind.

------
antihero
I think the interesting thing here is the shift from the target - the "best"
target used to be compromising the OS, so OS's made moves to protect
themselves from programs running as unprivileged users. Now, it's trivial to
wipe an OS and restore from a backup. The real value is the things people
store on a computer, which are usually going to be accessible via a user
account.

One trivial solution would be OS level automatic versioning of files (ala
Dropbox or Sparkleshare) - the original files would be written to location
that is read only to the user and only accessible via the OS, hence, backups
could always be restored from it, but never destroyed without admin rights.

Of course, with people having great internet and whatnot, an automatic cloud
based solution would be much more likely and useful.

I think with Windows 8.1 and onwards, Microsoft are automatically doing this
by setting up the "Documents" type folders in SkyDrive - a great thing moving
forward.

Backups are, obviously, a much better solution but require extra storage and
usually cost money.

So there might be a niche for a freeware product that runs as an admin that
automatically versions files - perhaps even as simple as having an admin-owned
.git repo for the Documents folder.

The worrying thing about this attack is that targeting user data is trivial on
all OSs, because of the way we think about privileges - it could be done to us
Linux users through something nasty in our shell rc using GPG or whatever.
There is no need to compromise anything.

~~~
Silhouette
_I think the interesting thing here is the shift from the target - the "best"
target used to be compromising the OS, so OS's made moves to protect
themselves from programs running as unprivileged users. Now, it's trivial to
wipe an OS and restore from a backup. The real value is the things people
store on a computer, which are usually going to be accessible via a user
account._

You make an excellent point, but there is a second and perhaps even more
sinister side to it. Encrypting your data and holding it hostage is one thing,
but even if you have indestructible backups, there are probably still many
sensitive pieces of information that can be acquired by a blackmailer with
only user-level privileges: bank details, company trade secrets, personal
mail/photos/videos, etc.

Having a back-up of these is important, but probably so is ensuring that they
aren't distributed to people they shouldn't be. This requires a very different
model of access control and user/application privileges, and unfortunately I
don't think any mainstream OS is even close to solving this one yet.

~~~
AnIrishDuck
> This requires a very different model of access control and user/application
> privileges, and unfortunately I don't think any mainstream OS is even close
> to solving this one yet.

I'm not sure it does require a different model of access control. It just
requires people to _actually use_ the access control mechanisms that exist
already.

You should not access banking details or any other sensitive information in
the same user-level context as you use to generally browse the internet. The
privileges needed for each task ("browse the internet" vs. "check bank
statements") should be different. I personally have a separate user account on
my machine set up specifically for "sensitive" tasks.

Separation of data access via privileges is nothing revolutionary, nor is it
something that can't be done on any modern OS. Unfortunately, online services
are still behind. For example, I would probably switch to an online banking
provider that let me create one account for viewing balances and another for
transferring cash. But these services will get there in time.

User education is a different story.

~~~
Silhouette
Your proposal is OK if accessing sensitive information is something you only
do occasionally, but it's not very practical to switch users completely if you
deal with sensitive information often, which many people do.

On the other hand, if only explicitly authorised applications can create
outbound Internet connections at all, and if applications like browsers and
e-mail clients need explicit permission to read a general user file (as
opposed to, say, accessing their own designated configuration or data files),
then you significantly decrease the degree of vulnerability a user has to data
leakage attacks (among other types).

~~~
FedRegister
>Your proposal is OK if accessing sensitive information is something you only
do occasionally, but it's not very practical to switch users completely if you
deal with sensitive information often, which many people do.

    $ sudo -u banking gnucash &
    $ firefox &

Done. My banking files and my Firefox session are now separated.

~~~
antihero
Interestingly, you may have just fucked yourself, because the sudo session is
maintained whilst launching Firefox.

If we create a script 1:

    #!/bin/sh
    echo "I'm doing something secure"

And then script 2:

    #!/bin/sh
    echo "I'm doing something insecure."
    # runs without a password prompt while the sudo ticket from script 1 is cached
    sudo echo "I'm doing something malicious."

Then run:

    $ sudo ./script1.sh; ./script2.sh

Looks like Firefox has access to your banking user :)

~~~
FedRegister
Not if sudo is set to only allow gnucash! :-)

------
ggchappell
I get annoyed when people are warned not to open some attachment. The real
problem here is that in 2013 we're still using the flawed language of "opening
attachments" \-- as if running a native executable with full permissions is an
action that belongs in the same category as viewing an image, reading a text
file, or listening to music.

Well, it doesn't. This is a problem that should have been solved at the level
of OS permissions/UI long ago. Why does a modern OS include UI functionality
allowing a standard user to run an uninstalled executable in a non-sandboxed
environment? There's no good reason for it.

In some cases the problem been solved (e.g., restrictions that allow only
signed apps to be executed). But I guess none of those cases include Windows,
its standard UI, and popular e-mail programs. :-(

~~~
kuschku
The best solution would be the one used by Linux: Separate Data and Software.

On Linux there is a specific flag that has to be set and is not set per
default to make a file executable.

So if you run something, you know that you are running it as a program and not
opening it as data.

Windows on the other hand marks everything as executable which begins with MZ
and whose filename ends in .exe or .com

~~~
timv
Except in this case (original article) it was an executable inside a zip file.

In the normal case, unzipping a file on linux will result in the executable
bit being restored if it was included on the original file.

This is normally what you want - imagine an app that was distributed (over
https) as a zip file where you then had to go and manually add the executable
bit to each relevant file.

But a zip file that was opened as an email attachment is largely
indistinguishable from one that was opened from an HTTPS download (it need not
be that way, but it is), so the OS has no reliable way to allow you to run
executables you download in a zip, but not ones you received as an email in a
zip file.

There are certainly ways around it, but the executable bit isn't really the
solution here.

------
susi22
In a corporate environment I'd expect crucial data to be on the network drive
and snapshotted every few hours. We run ZFS on our network and all the
secretaries have to do their doc/excel work on the drive. Nowadays that
everybody has a Gigabit Ethernet connection read/writes are extremely quick.

Use ZFS and make read only snapshots that are only accessible to the
sysadmins. You'll solve many problems that way. We do snapshots at 6am,noon
and 6pm and then keep the 6pm one for 7, 14 and 30 days.

~~~
marcosdumay
In about any corporation you look, crucial data will be in a Windows server
(no ZFS available, sorry), and backed up on intervals that are some integer
multiple of 24 hours.

Or, better, the above is the best case scenario that IT dreams of achieving
some day. In practice, a huge share of the crucial data sits on people's
machines, with no backups, and goes on vacation every year.

~~~
j00lz
Most corporate windows file servers (since 2003) use shadow copy, which saves
previous versions of files every couple of hours. Any decent IT dept will use
folder redirection, which redirects desktop, my documents to the local file
server.

------
Fuzzwah
Victims don't even get the enjoyment of having to make their payments in some
far flung corner of an MMO, like the plot of Reamde.

[https://www.goodreads.com/book/show/10552338-reamde](https://www.goodreads.com/book/show/10552338-reamde)

~~~
Uhhrrr
That's the first thing I thought of, too. This is just about exactly the model
of the Reamde crew.

~~~
officemonkey
Which means the Islamic terrorists coincidentally live upstairs (which I
believe is one of the stupidest coincidences of any book I have read and
enjoyed.)

------
amalag
A company I work with was hit when the employee opened a phishing email
supposedly from another employee in the same company. It hit about 50 gb of
data on the shared drive. We had Crashplan and restored from a few days
previous. I then turned on DKIM and enabled quarantining non DKIM emails via
DMARC.

~~~
sillysaurus2
_I then turned on DKIM and enabled quarantining non DKIM emails via DMARC._

Translation for techies who aren't familiar with email's many acronyms?

~~~
swombat
All those acronyms are easily googleable. Not being a techie does not mean you
get to be lazy about looking things up.

~~~
DanBC
The ten thousand readers of HN who don't know these acronyms can use a search
engine to look them up, or someone can ask a question and someone else can
answer it and save 9,998 other readers the bother.

1 Google search = 1/35 of a boiled kettle.

So asking the question just saved about 285 boiled kettles of carbon
footprint.

([http://green.tmcnet.com/topics/green/articles/216400-google-defends-its-carbon-footprint.htm](http://green.tmcnet.com/topics/green/articles/216400-google-defends-its-carbon-footprint.htm))

~~~
anonymous
And having a flamewar on how people should google things for themselves wasted
how many kettles? Anyway, if you don't want to tell people things, then don't
tell people things, but going on and on on how OP should just google things
themselves, is reaching 4chan levels of elitism. It's a really shitty kind of
elitism.

~~~
swombat
A single-line comment is not going on and on.

------
andybak
Everyone is talking about post-infection. However - this passage from
[http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information](http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information)
seems fairly key also:

"This infection is typically spread through emails sent to company email
addresses that pretend to be customer support related issues from Fedex, UPS,
DHS, etc. These emails would contain a zip attachment that when opened would
infect the computer. These zip files contain executables that are disguised as
PDF files as they have a PDF icon and are typically named something like
FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show
extensions by default, they look like normal PDF files and people open them."

I haven't got a Windows box handy to try this on but I assume there is at the
very least an extra warning dialog when opening an exe - even a zipped exe?

Not that that mitigates this at all. The inability to distinguish executables
from data files - and although that doesn't apply in this case - the ability
of data files to hide executable payloads either via design or error - is a
major and currently uncorrected flaw in the system.

~~~
pbhjpbhj
Why doesn't MS Windows use magic numbers to establish file types, or does it
now?

~~~
gbl08ma
It does (I think), but even if it doesn't, it uses the file extension to
determine it. However, EXE files are free to set their own icon. In this case,
the icon of the EXE was a "PDF" icon.

The silly bit is the fact that the file extensions are hidden by default, and
users can only use the icon to check the file type.

------
coryfklein
Ah, I guess it is time to send the annual email to mom, dad, and the in-laws
to be very wary of downloading anything or clicking on links in suspicious
emails.

I find this is good insurance against the inevitable phone calls I receive as
the only computer-literate member of the family: "Hey Cory, all my documents
disappeared and I can't get them back. Do I have a virus?"

------
mariuolo
I'm sorry, but if a firm doesn't compartmentalise access and a single
infected workstation can bring down everything, then they deserve what they
get.

Had it not been ransomware, it could have very well been a disgruntled employee, to
the same effect.

~~~
pavel_lishin
While you're technically right - we are responsible for our security, and we
should lock down our networks just like we lock our front doors - this is
basically blaming the victim.

~~~
mariuolo
In a nice neighbourhood one could probably leave the door unlocked, but
unfortunately internet is more like Gangland than Wonderland.

This said, I'm not blaming home users, but IT folks who failed to secure
corporate data and should have known better.

------
fekberg
I've been trying to raise awareness on my social media, since my family,
friends and co-workers might not spend time on HackerNews.

If you want, copy my message and share with your family, friends and co-
workers:

"Hi folks,

There's a new virus out there that I want to raise awareness of, it's called
CryptoLocker. Basically what this virus does is that it tracks all your files
- hard drives, flash drives, usb sticks, network drives/shares - then it
encrypts the files it finds.

The only way to unlock the files again is to pay $300 to get the key used for
the encryption. The encryption used is RSA with a 2048 bit key which makes it
extremely hard to crack, I'd say impossible with the time span and todays
computers.

You have 72 hours before they trash the key making it impossible for you to
get your data back.

This can be extremely devastating if you are running a business and all your
files are gone. If you sync your files to the cloud, you're still not safe, it
syncs the encrypted files as well. If you are able to restore to previous
versions of your files in the cloud - great.

Let your friends, family and co-workers know about this.

Here are some simple ways to avoid getting a virus in general:

1. Don't open e-mails from people you don't know

2. Don't open attachments in e-mails unless you were waiting for the
attachment

3. Don't go to websites/click links that you don't fully trust

4. Don't download and execute files that you don't fully trust

It might seem obvious to most of us not to do the above, but to a lot of
friends, family and co-workers it might not be.

Imagine waking up and having to pay $300 to get your data back. However, the
police tracked down one of the servers that serves the keys and shut them down
which means the keys were not delivered and the data was lost, this means even
if you do pay the $300, there is no guarantee that you will get the data back.

Raise awareness of this and avoid having your files lost."

~~~
jonhohle
5. Consider alternatives to Windows so you won't have to deal with these
silly things that have largely only been affecting Windows users for the last
decade+.

~~~
fekberg
Sure, I'll ask my 70+ year old relatives that have been using PC with Windows
since they first got their computer to download an Ubuntu ISO, burn that and
re-install their system.

Joking aside. I'd love for everyone to just jump on a virus free OS, but as
soon as that OS is mainstream there will be viruses.

The problem isn't the OS, the problem is that people trust everything that is
for instance sent to them via e-mail. Users need to be educated on security,
no matter the OS.

~~~
code_duck
You should, actually. Ubuntu has an interface 90% close enough to Windows
these days, and back in 2010 I did exactly what you say - got my mother to
start using Linux instead. It's filled her needs perfectly and my support
calls have dwindled to near-nothing.

------
ChuckMcM
Central to the plot in the book Reamde but these guys don't offer a 'pay in
WoW gold' choice.

Given the cost of computers these days, at least in business a separate
'browsing' machine and 'business' machine seems to be the best solution. I
wonder if you could provide wireless for employees to bring their own laptops
which had no 'office' connectivity (but internet connectivity) and machines
that were hard wired and MAC filtered to the 'business' network.

------
alec
Since the Bitcoin blockchain is public, couldn't you follow the money? Make a
list of all wallets that accepted these funds initially, and then do graph
analysis, either to see where the money went or provide others with a tool to
avoid transactions with those wallets?

~~~
sltkr
Yes, but this is somewhat like saying you could mark the banknotes used to pay
off a person that's blackmailing you. If you catch someone with a marked note
that doesn't prove they are the perpetrator; it just means that they received
your money somehow.
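
The graph analysis alec proposes can be sketched in a few dozen lines. The Python below is an added example, not from this thread; it models each transaction the way the ledger does (inputs spend specific earlier outputs, outputs pay addresses) and propagates taint from the ransom address with the proportional rule, so every downstream address ends up with a received amount and a tainted amount. The transactions and addresses are constructed for the example and assumed to be in confirmation order.

```python
"""Follow ransom payments through a constructed transaction graph.

Added example, not from the thread.  A transaction is modelled the way the
blockchain records it: every input spends one specific earlier output,
identified by (txid, index), and every output pays an address.  Taint is
propagated with the proportional ("haircut") rule: each output of a
transaction inherits whatever fraction of that transaction's input value
was itself tainted.  The transaction list below is constructed and is
assumed to be in confirmation order; amounts are in BTC.
"""
from collections import defaultdict

RANSOM_ADDRESS = "1RansomAddressConstructed"

# Two victims pay the ransom, the operator pools the payments with 3 BTC of
# unrelated coins and splits the result; part of the change is spent again.
CONSTRUCTED_TXS = [
    {"txid": "src_a", "inputs": [], "outputs": [("1VictimA", 0.5)]},
    {"txid": "src_b", "inputs": [], "outputs": [("1VictimB", 0.5)]},
    {"txid": "src_c", "inputs": [], "outputs": [("1UnrelatedSaver", 3.0)]},
    {"txid": "pay_a", "inputs": [("src_a", 0)], "outputs": [(RANSOM_ADDRESS, 0.5)]},
    {"txid": "pay_b", "inputs": [("src_b", 0)], "outputs": [(RANSOM_ADDRESS, 0.5)]},
    {"txid": "mix_1", "inputs": [("pay_a", 0), ("pay_b", 0), ("src_c", 0)],
     "outputs": [("1Exchange", 2.0), ("1OperatorChange", 2.0)]},
    {"txid": "mix_2", "inputs": [("mix_1", 1)],
     "outputs": [("1Merchant", 1.0), ("1OperatorChange2", 1.0)]},
]


def trace_taint(txs, seed_addresses):
    """Return {address: (received, tainted)} in BTC.  Outputs paid to a seed
    address are fully tainted; everything downstream is tainted in proportion."""
    out_value, out_taint = {}, {}            # per output, keyed by (txid, index)
    received, tainted = defaultdict(float), defaultdict(float)
    for tx in txs:
        total_in = sum(out_value[ref] for ref in tx["inputs"])
        tainted_in = sum(out_taint[ref] for ref in tx["inputs"])
        ratio = tainted_in / total_in if total_in else 0.0
        for index, (address, amount) in enumerate(tx["outputs"]):
            taint = amount if address in seed_addresses else amount * ratio
            out_value[(tx["txid"], index)] = amount
            out_taint[(tx["txid"], index)] = taint
            received[address] += amount
            tainted[address] += taint
    return {a: (received[a], tainted[a]) for a in received}


def tainted_addresses(summary, min_fraction=0.1):
    """Addresses whose received value is at least `min_fraction` tainted: the
    list a wallet or exchange could consult before dealing with them, not
    evidence that any of them belongs to the extortionist."""
    return sorted(a for a, (recv, taint) in summary.items()
                  if recv and taint / recv >= min_fraction)


if __name__ == "__main__":
    summary = trace_taint(CONSTRUCTED_TXS, {RANSOM_ADDRESS})
    for addr, (recv, taint) in summary.items():
        print(f"{addr:26} received {recv:5.2f}  tainted {taint:5.2f}")
    print("flagged:", tainted_addresses(summary))
```

The flagged list is the "avoid transactions with those wallets" tool alec describes, and sltkr's objection shows up in the numbers: 1Exchange holds 0.5 BTC of ransom money but is no more the extortionist than a bank that accepted a marked note.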

------
ryan-c
I've gotten a few copies of this, all to an email address that was only ever
given out to AT&T, and is not guessable.

~~~
gknoy
Would you consider posting a screenshot of what the initial (infection) e-mail
looks like?

~~~
ryan-c
Wouldn't be particularly meaningful since I use mutt.

------
PilateDeGuerre
This scenario - minus the Bitcoins - was a plot device in Neal Stephenson's
"Reamde".

------
gwern
The only new thing about this ransomware is that the payment method is through
Bitcoin, right?

~~~
smtddr
yup. But the fact they're using bitcoin shows a clever way for ransomware to
collect payment with virtually zero-risk; since it's not possible(that I know
of) to really trace exactly who, in real life, got those bitcoins. Which
means, ransomware might make a strong comeback since the risk is now basically
zero, this program isn't that difficult to write and there's real money to be
made. Even if you only charged 50 USD, this idea would make hundreds, if not
thousands, a month. Change the binary every once in a while so its signature
doesn't match popular anti-virus databases and you got free money coming in
for... well ...forever[1]

1. Educating users to stop running random programs in zip files attached to
emails, is apparently impossible. Maybe email-clients should scan the contents
of any zipfile it receives and if it finds any kind of executable, put up all
kinds of warning dialogs saying _" You really don't want to run this. There's
no reason to get a program in zipped email attachment nowadays. Please go
consult your IT-admin or somebody who knows about computers for a 2nd-
opinion"_
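
kuschku and timv argue over whether the executable bit helps once the payload arrives inside a zip, andybak and gbl08ma point at FORM_101513.pdf.exe and its borrowed PDF icon, and smtddr suggests the mail client should inspect the archive before anyone double-clicks. The Python below is an added example, not code from this thread, doing that inspection: for each entry it reads the Unix mode stored in the zip's external attributes (the bits an unzip tool would restore as +x), sniffs the first bytes for the MZ signature that marks a Windows PE file whatever the name says, and flags a double extension whose visible part looks like a document. The archive is assembled in memory from constructed entries.

```python
"""Triage the contents of a zip attachment before anyone double-clicks it.

Added example, not from the thread.  It checks three things the discussion
touches on: the Unix mode stored in each entry's external attributes (what
an unzip tool restores as the executable bit), the "MZ" magic that marks a
Windows PE file whatever its name says, and a double extension such as
"FORM_101513.pdf.exe" that Explorer shows as "FORM_101513.pdf" when
extensions are hidden.  The archive is built in memory from constructed
sample entries.
"""
import io
import stat
import zipfile

EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}
UNIX_CREATE_SYSTEM = 3  # ZipInfo.create_system value written by Unix hosts


def inspect_entry(info, head):
    """Return the reasons this entry should be treated as executable.
    `head` is the first few bytes of the entry's content."""
    reasons = []
    if info.create_system == UNIX_CREATE_SYSTEM:
        mode = info.external_attr >> 16          # high 16 bits hold st_mode
        if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            reasons.append("unix executable bit set")
    parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) >= 2 and "." + parts[-1] in EXEC_EXTENSIONS:
        reasons.append(f"executable extension .{parts[-1]}")
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"decoy extension .{parts[-2]} hidden by double extension")
    if head[:2] == b"MZ":
        reasons.append("PE/MZ header: a Windows executable regardless of name")
    if head[:2] == b"#!":
        reasons.append("shebang: a script")
    return reasons


def triage_archive(data):
    """Map each entry name to its reasons (an empty list means it looks like data)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            report[info.filename] = inspect_entry(info, head)
    return report


def constructed_attachment():
    """Build a sample archive: a real-looking PDF, a PE disguised as a PDF,
    and a shell script whose executable bit survived zipping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n% constructed sample, not a real document\n")
        zf.writestr("FORM_101513.pdf.exe", b"MZ" + b"\x90" * 62 + b"constructed fake PE")
        script = zipfile.ZipInfo("setup.sh")
        script.create_system = UNIX_CREATE_SYSTEM
        script.external_attr = (stat.S_IFREG | 0o755) << 16   # -rwxr-xr-x
        zf.writestr(script, b"#!/bin/sh\necho constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_archive(constructed_attachment()).items():
        print(name, "->", "; ".join(reasons) or "looks like data")
```

One caveat on timv's point: which tool unpacks the archive matters. Info-ZIP's unzip restores the stored mode bits, whereas Python's ZipFile.extractall ignores them, so the same attachment yields an executable script in one case and a plain file in the other. Reading the stored attributes, as above, is independent of that, and the MZ check catches the case where no mode bits exist at all because the archive was built on Windows.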

~~~
donpdonp
the bitcoin pseudo-anonymity is a plus, but i feel the real value in this new
round of ransomware is that the unlocking actually _works_. It's possible for
the ransomware app to verify payment and unlock itself, with no contact or
control from the ransomware author, greatly reducing the author's risk.
Actually, it's easier for the victim too - rather than wiring funds to some
bank account in far off lands, a quick anonymous digital payment instead. I'm
speculating but it's possible for the app to query blockchain.info for a
deposit for a given address, or (less likely) for the app to download the
blockchain itself, and then unlock after a certain balance. If there is high
confidence that the data will actually get unlocked, that swings the balance
of fight the app or pay the app towards the pay the app side. The author sits
back and waits for those wallets to fill up.

~~~
cheesylard
That won't work, it could be prevented by a man-in-the-middle attack on the
victim's own computer. Just spoof the blockchain signatures required as if the
payment was sent on an ad-hoc network and the program would unlock itself.

~~~
smtddr
If blockchain.info was queried over ssl, the spoofing would be a bit harder to
pull off.

------
scotty79
I wonder if amount of $300 was determined via A/B testing as optimal for
bringing maximum profit.

~~~
c23gooey
The article mentions that there is a $100 variant floating around.

Makes me wonder whether they use the $100 variant in markets where $300 would
be too much to pay.

If, as is reported, this virus is pulling in around ~$5million / annum, then
that is a great basis for setting up a professional organisation to run the
virus and extract maximum value from it.

------
DigitalSea
This is one of the scariest forms of attack on computing since viruses became
prevalent in the nineties. The fact they were up until recently relatively
undetectable adds another eerie dynamic to the situation. It highlights the
age-old problem of people not pro-actively backing up their data offline
until it's too late. Go out and buy a couple of cheap 1tb external drives and
back your data up now and keep doing it, there are even tools and drives that
handle this automatically for you.

While ransomware isn't anything new, the fact that the authors of such
software are using currencies like Bitcoin make it that extra bit harder to
track and stop these people from extorting data. I sense a new wave of
ransomware is about to hit the scene now that Ars have revealed specifics
about potentially making millions a year from such a racket. It's hard
informing people about these things without encouraging others to go and try
writing their own ransomware and expect Bitcoin as payment.

This really worries me.

~~~
crazypyro
The first thing I thought when I read the $5 million dollar figure was "Oh
shit, imitators are coming..."

------
pkinnaird
Called it in July. Read more...

[http://blog.kinnaird.us/the-coming-age-of-ransomware-cloud-services-meet-bitcoin/](http://blog.kinnaird.us/the-coming-age-of-ransomware-cloud-services-meet-bitcoin/)

------
grecy
When I first saw the title, I thought it went like this:

1. Your machine is infected, and it encrypts everything it can.

2. The 72 hour countdown begins, and during that time your machine has been
re-purposed to crunch BitCoins.

3. All you have to do is wait 72 hours, and everything will un-encrypt and
uninstall, leaving you perfectly fine.

Creators profit by having millions of machines crunching BitCoins in their
name.

~~~
pbhjpbhj
These machines were probably already crunching BitCoins for years but now
that's not profitable ...

~~~
grecy
Even if you had millions of infected machines crunching on your behalf it
wouldn't be profitable?

------
mcphilip
While I'd like to think I'm sophisticated enough about security to avoid this,
it makes me concerned about the vast majority of people (e.g. my parents, my
girlfriend) that are clueless about such dangers.

Are there any recommendations of a simple way to at least enable automated
backups of local documents to the cloud on a windows box?

~~~
ballard
Tarsnap is the only sensible backup provider given the recent history of
warrantless secret searches in America. SpiderOak is also a contender for file
sharing. Both use end-to-end encryption knowable only to the end-user.

~~~
dasil003
I can't afford to have my family photos backed up to tarsnap. Let the NSA have
'em.

~~~
ballard
It's funny you mention that.... I implore 'cperciva to consider a glacier-
level service. It is hard to compete with backblaze, but capping network bandwidth
is probably one way to skin that cat.

------
verytrivial
This is the difference between crime and organised crime. People would not
hand over the money to the burly visitors each month if their shop was burnt
down anyway.

Evidence that paying the ransom actually results in the files coming back is
the most troubling aspect here - these people are looking to establish a
longer term criminal enterprise.

------
readme
I got a similar virus once but it was before bitcoin was popular. It just
asked for money via credit card. The virus hid my files, and I needed them for
work too.

Fortunately the virus did that by some filesystem driver level hack, because
after I booted into Linux I was able to mount the partition and get my files
back.

------
tbarbugli
And then the police shut down the ransomware servers and doom data from many
infected victims to garbage, brilliant!

~~~
tempestn
Unfortunate for those folks, but if it can prevent many more people from being
infected, then still worthwhile.

~~~
pavel_lishin
Would it actually help? Does the ransomware contact the servers prior to
encrypting everything?

~~~
tempestn
Even if it encrypts regardless, preventing the perpetrators from profiting
will remove their incentive to keep spreading this stuff. Once antivirus
catches up to the copies in the wild, the problem would be solved. Of course,
whether it's actually _possible_ to shut down enough servers to prevent them
from profiting is another question. But it seems to me anything that makes it
more difficult is a good thing, even though it does suck for those who lose
data.

~~~
elliottcarlson
This wouldn't really prevent them from profiting - an unsuspecting user could
still pay the ransom, and then never receive a decryption key, so would be
both out of the money and lose their data.

~~~
tempestn
Sure, it wouldn't prevent it completely, immediately. But 1) many users will
do a search beforehand to see whether paying actually works. The less often it
has worked for others, the less likely they will be to pay, and more
importantly, 2) it would prevent them distributing new versions of the
malware, which would prevent them profiting once antivirus caught up to the
existing versions.

------
daveid
The article didn't mention, what systems does this ransomware primarily
target? Is it cross-platform?

~~~
nvk
That I know of, only MS

~~~
jerf
But note that's only due to popularity. Socially engineering your way into a
user running an executable means that executable will simply run with user
privs. No trickery or hacking required, no OS holes. And that will mean that
the executable will have full access to do everything a user could do, which
will effectively certainly include sending a new encryption key over the
network, and encrypting every file that user can get a hold of.

(One of the little problems with the UNIX-style user permissions is that it is
designed to defend the OS, not the user. Sure, that little executable may not
be able to corrupt "the system", which may amount to 5 or 10 GBs of
easily-replaced code, but it will have its way with the 2TB of the single
user's media files.)

The only faint defense Linux/UNIX can claim is the slightly higher probability
that you'll be on a checkpointing file system and can roll back, and I say
only "slightly" because they still aren't very popular yet compared to
conventional file systems.

~~~
millstone
OS X defaults to only running applications that have been signed with a valid
developer ID. It’s not difficult to get such an ID, but Apple can also
blacklist them, which would prevent the malware from running once Apple
notices it. So I think the Mac has a good defense against this kind of attack.

~~~
mkup
A malware developer can make 256 valid developer IDs, compute 256 signatures
and switch them automatically and randomly during the propagation of malware.
Once Apple blacklists one developer ID, another one pops out, and so malware
continues to propagate.

~~~
dmdeller
That would cost $25,600 and require 256 valid Social Security or DUNS numbers.

~~~
makomk
Alternatively, it would require compromising the machines of 256 Apple
developers. Guess what kind of person is likely to be capable of doing that.

~~~
dmdeller
Still, it's not as easy as the person I was replying to made it sound.

How many Macs would you have to compromise before you randomly stumble upon a
registered developer, let alone a registered _Mac_ developer (of which there
are far fewer than iOS developers)? And how much more secure is a developer's
machine likely to be, and how much less is the user of such a machine likely
to fall for common email attachment-based infection attempts?

At some point, the feasibility is low enough not to bother. That's what all
security ultimately is, since nothing is foolproof.

------
wentkenko
People on here are talking about attachments and being smart enough not to
fall for sham downloads, but this isn't how most ransomware is spread to
its victims. They use exploit packs and 0-days. Visiting a website that's been
hijacked with an iframe, or a proxy that embeds an iframe or any other data in
the HTML that is returned, could get you infected. There is no foolproof way
around this unfortunately.

------
haberman
You could imagine the Bitcoin community deciding to blacklist any wallets to
which funds like this were demanded and disbursed. That seems like a great
idea until you then realize that this would be a way of denying anyone access
to their own funds, by specifying their wallet as the recipient even though
the attacker doesn't control it. There really doesn't seem to be any good
countermeasure to this.

~~~
marcosdumay
Or the police could just investigate the wallet, because if there is a feature
that Bitcoin does not have, it's anonymity.

~~~
kbart
Which police? The guys behind this virus may as well be somewhere deep in
China or Russia, good luck reaching them. It's not terrorism or child
pornography, so it won't get serious international attention.

------
joeblau
Wow what a scheme. I mean it's almost the perfect situation for whoever wrote
the system. It creates an extortion mechanism with a sense of urgency.
Normally, users just carry malware around on their machine for weeks or
months. The most frustrating part of this whole thing is that if you don't get
the private key back and you're not backing up; you're toast.

------
jasonlfunk
"you need to pay 300 USD / 300 EUR / similar amount in another currency"

How about 300 VND? Seems similar to me. :)

------
bfell
This happened to someone I know (really, it wasn't me). Not only did it
encrypt the local drives it also hit all of their network drives. As
reprehensible as it is to pay the ransom they really had no choice since the
encryption happened the prior night before the last backup.

------
dutchbrit
Our company was hit by this yesterday, caused a lot of issues. Thank god we
had backups, but they were 2 days old (frustratingly enough, the backup failed
the previous day - first time in months...)

------
revelation
This is why a RAID setup is not a backup.

------
GillesB67
For a hacker having both an original file and the encrypted version of that
file, it should be relatively easy to retrieve the key? Especially if the virus
XORs all or part of the file. Otherwise a hacker may look at the random
function that generates the key in the source code of the virus; it may be
weak and take values from the computer and time of infection.

------
howlett
How is this any different from a virus that _wipes_ (not just deletes) your
data? It takes the same amount of time (actually wiping data would be faster)
and the result is the same: No data.

Maybe the psychological part of "Oh God the file is there but I can't use it"
or the fact it's ransomware?

------
spajus
It's a pity to see that Windows hasn't died off yet and things like this are
still happening. Using Linux / Mac for years, never looked back.

And for those who say "my mother can't use Linux", don't be a cheapskate, get
your loved ones a Mac - they will definitely know how to use it.

~~~
wbkang
Keep in mind this is not a virus in a traditional sense. The user has to
explicitly run the executable to run this malware.

------
AsakiIssa
I know a customer that got hit by this Tuesday morning. Unsurprisingly, Avast
did nothing. I just told her the bad news and clean-installed Windows.

I have tried to find the private key with sample files, using known file byte
headers, the public key and brute force on the private key. Sadly, no luck
yet.

~~~
duskwuff
That's assuming the private key is even reused. If they're generating a new
key for each user (which they very well could be), you're boned.

------
kbart
I imagine that this combined with virus capabilities (so it can spread itself
via the network) would be overkill. Strange that they didn't do it; once you
have access to the local network (as soon as the initial victim runs the .exe
received by email) it shouldn't be too hard.

------
foundlogin
Finally viruses are doing what they're supposed to - wreck your computer
instead of staying under the radar as long as possible. If people are
motivated to protect themselves from this they'll also be preventing botnets
and doing good to the rest of the internet.

------
fmax30
Huh, that is pretty scary. Add a physical packet snooper on all the traffic
sent from my computer, and it might be possible to MITM the private key as it
is sent to the server. That way I might have a fighting chance against this
(if the traffic was unencrypted, that is).

------
tete
What I find funny is that this piece of software actually tells you more about
what it does than software you pay money for and even uninstalls itself, after
it is not needed anymore. It's kinda weird how malware is better quality than
most other software.

------
simonw
I talked to a small shop owner just the other day that had been hit by this.
They said they spent the $300 on a new PC instead - but I'm pretty sure they
lost a bunch of irreplaceable data (mailing lists, supplier details etc).
Pretty heartbreaking.

~~~
amalag
Crashplan is really easy to set up. Won't save their data in hindsight, but
they should have it or something like it.

------
phogster
Never heard of ransomware before, but the trend is alarming:
[http://www.google.com/trends/explore?q=ransomware#q=ransomwa...](http://www.google.com/trends/explore?q=ransomware#q=ransomware&cmpt=q)

------
jpalioto
Nasty stuff. Fortunately for me, this would set off the "why the heck are my
fans running so loud right now" alarm that I have in my head (that honestly, I
wish I could turn off sometimes ... curse you trustedinstaller.exe!!).

------
abstractConcept
Has anyone attempted to run this using Wine?

As long as you keep all drives (/ or ~/) unmounted, I assume it would be
'safe' to test it.

Might be a simpler environment to analyze CryptoLocker in, as opposed to a
full Windows install.

~~~
marcosdumay
I'd try it in a virtual machine just in case.

------
coin
"When the receiver clicked on it, he saw a white box flash briefly on his
screen but didn't notice anything else out of the ordinary"

What email client automatically unzips AND executes any containing .exe files?

------
Pxtl
Well that's moderately horrifying. I've dealt with ransomware before, but
mostly it just used scary messages, not literally encrypting all your data.

~~~
mrtksn
But this one seems to do what it claims to do. It's pretty scary for people
who don't have a decent backup system. But these same people live with the
risk of losing their data due to a drive failure, so...

~~~
Pxtl
A lot of "decent backup systems" would be vulnerable to this too. Say you back
up all your local stuff to a RAID that you've mapped as a drive, as well as a
mapped Google Drive?

It's still all toast.

That level of backup would handle any kind of physical failure - a dead drive,
the destruction of your house, the failure of Google... but still, this thing
would kill it.

There's only so much you can expect from a person when it comes to keeping
their personal documents and family photos.

I mean obviously, if you're running a company you need a _real_ backup
solution, but for family files or a one-man-show business? There is no
reasonable precaution.

~~~
XorNot
Firstly _RAID is not a backup_.

This type of thing only works because the backup user has identical
permissions to the backup contents as the user being backed up (because
they're the same).

It wouldn't work on any system where the backup user is a separate, privileged
process that is the only one with write access to the stores of backed up
files.

ZFS with a snapshot script is a good way to implement this for a networked
drive on Samba, since it's implicit, automatic, and the point at which it hits
would be really _really_ obvious since your snapshot sizes would suddenly
explode. The same story is true of volume shadow copy (but MS idiotically
limits the user's ability to set a known and trustworthy shadow copy
schedule).
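One way to automate the "snapshot sizes suddenly explode" tell described above, as an added example that is not from the thread: it parses constructed `zfs list -H -p -t snapshot -o name,written` output (the `written` column is the bytes changed since the previous snapshot) and flags any snapshot whose delta is more than ten times the median of the earlier ones. The dataset name, snapshot names and sizes are made up; the threshold factor is an assumption to tune per share.

```python
"""Flag a ZFS snapshot whose write delta dwarfs the usual daily churn,
which is what a mass rewrite of every file on a Samba share looks like.
Added example; the sample output below is constructed, not real data."""
from statistics import median

# Constructed stand-in for `zfs list -H -p -t snapshot -o name,written`:
# tab-separated, no header (-H), exact byte counts (-p). The last line is
# roughly 50x the usual delta: the whole share was rewritten in one night.
SAMPLE_ZFS_LIST = """\
tank/share@auto-2013-10-14-0100\t41943040
tank/share@auto-2013-10-15-0100\t37748736
tank/share@auto-2013-10-16-0100\t52428800
tank/share@auto-2013-10-17-0100\t35651584
tank/share@auto-2013-10-18-0100\t2147483648
"""


def parse_snapshot_written(text):
    """Return [(snapshot_name, written_bytes)] in the order zfs printed them."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, written = line.split("\t")
        rows.append((name, int(written)))
    return rows


def find_exploding_snapshots(rows, factor=10.0, min_history=3):
    """Return (name, ratio) for every snapshot whose `written` delta exceeds
    `factor` times the median delta of all snapshots taken before it.
    The median keeps one earlier big-but-legitimate copy from masking the
    outlier; min_history avoids alerting before there is a baseline."""
    flagged = []
    for i, (name, written) in enumerate(rows):
        history = [w for _, w in rows[:i]]
        if len(history) < min_history:
            continue
        baseline = median(history)
        if baseline > 0 and written > factor * baseline:
            flagged.append((name, written / baseline))
    return flagged


if __name__ == "__main__":
    for name, ratio in find_exploding_snapshots(parse_snapshot_written(SAMPLE_ZFS_LIST)):
        print(f"ALERT {name}: {ratio:.0f}x the usual snapshot delta, check the share")
```

In a real deployment the script would run from cron right after the snapshot job, reading the live `zfs list` output instead of the embedded sample.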

------
anonymous
Wouldn't it be possible to attach a debugger to a running instance of the
virus and extract the key while encryption is taking place?

~~~
devcpp
Problem is, the prompt doesn't appear until the encryption has ended, the key
has been sent to the servers (it's kind of complicated, it apparently tries to
find servers on its own, I wonder if it can be fooled) and that key has been
locally destroyed.

So, by the time the user is notified that there is malware on their PC, it's
too late. People who know to detect viruses while they're running don't run
attachments in the first place.

~~~
Wicher
According to the KernelMode thread¹ the keypair is generated on the server.
The public key is retrieved from it, but its private counterpart will never be
on your machine. No key is sent to the server.

¹[http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2945](http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2945)

------
swat535
I have a question regarding this, does anyone know what happens if your data
is already encrypted? Will it encrypt the encrypted files?

~~~
fantnn
Yes.

------
kalesoup11
The wave of the future. Why break computers when you can just have the user
pay you to avoid breaking it.

------
headShrinker
Is it the case that Mac OS default security setting would prevent an unsigned
app like this from running?

------
roasty
Disabling or limiting your use of JavaScript and Java in the browser will go a
long way towards protecting against delivery of this as it is likely delivered
by an exploit kit. If you do hit an exploit kit, Microsoft EMET (free) will
probably mitigate the exploit/s.

------
doubt_me
How long will it take until the FBI gets rid of these guys?

~~~
xdd
Just run it at NSA once. 24 hours I bet.

~~~
doubt_me
Naw. One of their assets built it

------
gngeal
This is what Venti (of the Plan 9 fame) is for!

------
zalzane
It looks like the patent trolls have finally found their true calling.

------
__abc
REAMDE

------
computerhead
or don't use Windows...

------
nvk
Stop using Windows is a good start.

~~~
GhotiFish
I primarily use Linux, but even I feel threatened by this. This is Sony's
rootkit all over again.

edit: never mind, I thought this was novel. Never heard of ransomware before.

------
nsxwolf
Get a Mac.

~~~
bickfordb
Running Windows just became a lot more expensive

------
sergiotapia
Who are the creators? Are the FBI going to take them to
federal-pound-me-in-the-ass prison?

