Clever email campaign delivers deadly ransomware to orgs

A new type of ransomware that obviously concentrates on targeting organizations instead of home users has been spotted by Emsisoft researchers.

Dubbed CryptoLocker, the ransomware is cleverly delivered to employees of various organization via emails purportedly sent by disgruntled customers complaining about a service or product.

The Trojan downloader is contained in the attachment, which the employee is asked to open to get more details – and many will, as a good relationship with customers is paramount for any business.

Once installed, the downloader downloads and runs the ransomware, then immediately ensures that it will start automatically every time the computer is rebooted by making changes in the OS’s registry.

The ransomware then tries to connect to its C&C server – either on a static, hardcoded domain (which has already been taken down) or by using a domain generation algorithm to create random domains each day.

When it succeeds, it sends out information about the system (language, network’s name, etc.) and receives a unique RSA public key that it can then use to encrypt the files to be held for ransom.

It’s obvious by the files it targets that the ransomware is interested only in those that are crucial for organizations: Open Office files, Outlook Express, MS Office, Adobe Suite (Photoshop, Illustrator, etc.), AutoCAD, server response files, digital certificate files, digital image files specific to certain camera types, etc.

“For each file matching one of these patterns, the malware will generate a new 256 bit AES key. This key will then be used to encrypt the content of the file using the AES algorithm,” the researchers explained.

“The AES key is then encrypted using the unique RSA public key obtained earlier. Both the RSA encrypted AES key, as well as the AES encrypted file content together with some additional header information are then written back to the file. Last but not least the malware will log the encryption of the file within the HKEY_CURRENT_USER\Software\CryptoLocker\Files registry key. This key is later used by the malware to present the list of encrypted files to the user and to speed up decryption.”

Unfortunately for those who fall for the trick and get their computer infected, there is no feasible way to decrypt the files without the help of the cyber crooks operating the C&C server – the only place where the RSA public key generated for the victim’s system can be found.

As you can see in the screenshot above, the crooks demand the victim hand over “300 USD / 300 EUR / similar amount in another currency” in order to get the files decrypted but, unfortunately, there is no guarantee that they will hold up their part of the bargain once they get the money.

In cases such as these, the only thing that remains to be done is to wipe the computer and restore the files from backup.

You do back up regularly, don’t you?