CryptoLocker Gang Earns $30 Million In Just 100 Days

DavidGilbert99 writes "A report from Dell Secureworks earlier this week reported that up to 250,000 systems have been infected with the pernicious ransomware known as CryptoLocker. Digging a little deeper, David Gilbert at IBTimes UK found that the average ransom being paid was $300, and than on a very conservative basis just 0.4% of people paid the ransom. What does this all add up to? $30 million for the gang controlling CryptoLocker — and this could be 'many times bigger.'"

hey dummies

[Anonymous Coward]

The link is wrong

Re:hey dummies

[bondsbw]

And so is the $30 million figure. 0.4% * 250,000 * $300 = $300,000.

Re:hey dummies

[girlintraining]

And so is the $30 million figure. 0.4% * 250,000 * $300 = $300,000.

You can't expect journalists to have a grasp of basic math. Or the general public for that matter. Otherwise the headline "Company X settles 'largest lawsuit in history' at Y billion dollars" wouldn't have the impact it does after realizing Company X's revenue was Z trillion dollars. And who knows -- with the instability of bitcoin pricing, it might well be worth $30 million next week... -_-

Re:hey dummies

[girlintraining]

Wal-Mart has the highest revenue in the US - 469.2 billion according to the Fortune 500.

You seem to be laboring under the delusion that companies only exist, and earn profit, for one year. Then they return to their ancestral home in the profit river, where they lay their nest eggs and golden parachutes for the next generation, and then die.

Alas, companies make revenue year over year... and some of the biggest frauds this country has seen have taken decades before the government acted to stop it. So "Trillions of dollars of revenue" is not an inaccurate statement. At least not if you have more brains than an anonymous coward...

Re:

[LordLimecat]

WHen youre talking about revenue, its typically a yearly thing, so no, "Trillions of dollars of revenue" is not accurate for any company on the face of the earth unless you were to append "over X many years".

Are you really being so pedantic as to point out that technically I could project a revenue of several hundred million dollars over the next several decades? Noone discusses revenue in those terms.

Re:

[GameboyRMH]

Things Slashdot editors aren't so good with: Junior-high level math, URLs.

Re:

[Dynedain]

So the author confused .4% with 0.4 (aka 40%) to get the $30M figure. So much for editors in publishing.

Re:

[bondsbw]

The author changed the article. You can tell because the link is "www.ibtimes.co.uk/cryptolocker-criminals-earn-30-million-100-days-1429607" but the headline now says "CryptoLocker Gang Earns Millions in Just 100 Days" (changing from "$30 million" to just "millions").

Where before the headline was based on bad math, the new headline is based on fuzzy math because someone indicated that the earnings could be many times more than what was reported.

Re:

[bondsbw]

The article never mentions this as "per day". And the author has since changed the number from $30M to $300K, so I'm pretty sure it meant over the 100 day period.

Broken article link

[KublaiKhan]

Or was this meant to trick us into reading about Zuckerberg?

Re:Broken article link

[stewsters]

Or is Mark Zuckerburg the gang behind cryptolocker, and this was a Freudian slip?

So, Zuckerberg is behind cryptolocker????

[wbr1]

Here is the correct link: http://www.ibtimes.co.uk/cryptolocker-criminals-earn-30-million-100-days-1429607 [ibtimes.co.uk]

Re:So, Zuckerberg is behind cryptolocker????

[war4peace]

...And it's a fun read, too:

"English is not the CryptoLocker Group's first language" - apparently it's not IB Times's, either, as seen in the article: "CryptoLocker is not currently being sold to anyone other criminal gangs".
"it was being distributed by the Gameover Zeus malware, in some cases via the renowned Cutwail bonnet."
"malware is typical among cyber-criminals in Russia and easter Europe,"
"this was quickly cut to 1 bitcoin, 0.5 bitcoin and at the time of publication, 0.5 bitcoin." - yes, there's a deep cut from 0.5 to 0.5, for sure. We should all rejoice!

Correct Link

[DavidGilbert99]

Here is the correct link to the CryptoLocker story http://www.ibtimes.co.uk/cryptolocker-criminals-earn-30-million-100-days-1429607 [ibtimes.co.uk]

Re:Correct Link

[bondsbw]

Here is the correct link to the CryptoLocker story http://www.ibtimes.co.uk/cryptolocker-criminals-earn-30-million-100-days-1429607 [ibtimes.co.uk]

DavidGilbert99, please fix your damn article. You wrote the article, you wrote the summary, both with attention-getting headlines. And they both passed different sets of editors (assuming the editors even exist) and they are both incorrect with the $30M figure.

The only story behind this is how little they netted, not how much.

Re:

[bondsbw]

Ok, you fixed the numbers in the article but have decided that with a bit of fuzzy math it's alright to keep perpetuating the attention-grabbing headline.

Re:

[gnasher719]

DavidGilbert99, please fix your damn article. You wrote the article, you wrote the summary, both with attention-getting headlines. And they both passed different sets of editors (assuming the editors even exist) and they are both incorrect with the $30M figure.

The article that got linked now correctly says $300,000.

It also shows the value of a solution like Time Machine, which keeps older versions of files around for a long time.

Better Than Commercial Software?

[Anonymous Coward]

Does CryptoLocker actually do what it says when a person pays? That's better than a lot of commercial software I've used. The gaming, media, and high-level engineering software industries are particularly bad on this point.

Re:

[SJHillman]

We got hit by CryptoLocker twice back in November (in one case, it wreaked havoc on network shares because the user had way more permissions than necessary due to office politics). We didn't pay the ransom, but we worked with a vendor who was very familiar with CryptoLocker. According to them, every time people paid, they got the key as promised.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[SJHillman]

That seems unlikely, as this vendor has a long-term support contract with us and gained nothing extra from giving us help with it. But make sure you know who you can trust ahead of time.

Re:Better Than Commercial Software?

[ekgringo]

We knew someone at a sister company that was infected with CryptoLocker. He had no backups (they have no IT infrastructure) so he paid the ransom to recover his files. It appeared to start decryption, but the machine was old and we had to let it run over the weekend to complete. Windows Security Essentials had to be disabled in order for the decryption to work, but it re-enabled itself and blocked the decryption. By the time Monday rolled around, the decryption sever had been shut down or his ransom window had expired and so he ended up losing his data anyway.

Re:Better Than Commercial Software?

[i kan reed]

So, you made a donation to organized crime. How charitable.

Re:Better Than Commercial Software?

[zeugma-amp]

So, you made a donation to organized crime. How charitable.

As did this police department ...

US local police department pays CryptoLocker ransom [sophos.com]

=snip=

A local police department in Swansea, Massachusetts, has paid cybercrooks behind the CryptoLocker [sophos.com] ransomware attack to decrypt files locked up by the malware on police computer systems, according to local press reports [heraldnews.com].

The police department spokesman claimed that the infection had been mopped up and their systems secured, with no personal information stolen.

=end snip=

Re:

[Kardos]

They have absolutely no way of knowing if any sensitive information was stolen from a PC that has been owned by crypto ransomware.

Re:Better Than Commercial Software?

[Bill, Shooter of Bul]

Yes they do. Just delcare everything to be non-sensitive. Much easier than doing any kind of research.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Jody Bruchon]

They should have proper backup procedures. Sadly, most don't back up at all. If they're hit with this thing, they have to weigh the negative of paying criminals against the value of the data to them. If it's important enough, they don't really have many options.

Re:

[LordLimecat]

Proper backups may or may not protect against this. The encryption is non-obvious, so if its with important-to-archive files that you dont use daily, it is very possible that the backups with good copies of the data will have grandfathered out by the time you realize you were hit.

Re:

[TheCarp]

> I have to admit, it was ingenious. They seemed to put as much effort into the decryption/restoration
> part of the virus as they did the infection/encryption. I suppose this is because if it was known that
> even if you paid there was a good chance you wouldn't get your data back then you wouldn't pay -
> but still - i was impressed.

If you think about it, the story where they hit the police, who paid, and got their files back is amazing advertising for them. There is now a high profile, widely ci

Re:

[wbr1]

No one can -fix- cryptolocker. It is pay and hope the key is delivered and works of have a recent backup. Otherwise you and all your attached storage are fucked.

Re:

[Jody Bruchon]

A company with a proper data backup plan will not be seriously affected by this thing. Unfortunately, the vast majority of the small businesses I work with don't have a backup plan at all. Plugging in an external hard drive and setting up the backup software that came with it is NOT a sufficient backup plan, people! They unfortunately found this out the hard way and lost everything on one of their computers. Giving hundreds of dollars to a criminal enterprise was not an acceptable solution to the business o

Re:

[SJHillman]

A proper data backup plan will prevent crippling devastation, but to say "not seriously affected" is somewhat ignorant. On a large network, it can take significant time to restore all affected files - especially if you need to bring in your offsite backups like we did because it wasn't detected until that set had been moved to our other location. In the meantime, we had hundreds of users calling in and complaining they couldn't access many files. We didn't want to do a blanket restore because that would wip

Re: Better Than Commercial Software?

[Jody Bruchon]

Most of the people I work with are smaller corporations with less than 100GB of data, and the way I set them up guarantees that if the server hardware and filesystem aren't part of the problem, I can restore the data very quickly. Typically there are no network services at all other than Samba, so they don't even have databases to worry about. I can see how a larger or more active technical environment wouldn't be nearly so simple to recover though...my own office included. Having a 3TB mirror of everything

Re:

[lw54]

I'm aware of several consulting clients who were hit by CryptoLocker to various degrees. Most restored their data from a previous backup. Two paid the ransom. Several waited too late to get us involved and were left without a backup and unable to pay the past due ransom.

Alright NSA, why is this going on?

[Anonymous Coward]

You're in every goddamn device on the planet but you can't shut this sort of shit down?

Another reason to execute y'all for treason.

Re:Alright NSA, why is this going on?

[Anonymous Coward]

oh, you've just made cold fjord sad, you insensitive clod

Re:

[Anonymous Coward]

cold fjord is to Slashdot what Jeffrey Toobin is to the mainstream media, a fucking government shill that spills lots of lies and distortions.
So when one talks about executing his buddies for treason, it can only get on his sensibilities.

After 9/11, anything is "aid and comfort"

[tepples]

Since 2001-09-12, the day after a terrorist attack on the World Trade Center, the list of things deemed "giving [enemies] Aid and Comfort" has exploded.

Re:

[tepples]

Yes. When the United States expanded its police state, certain far-right religious fundamentalists in the Middle East achieved their goal of reducing Americans' freedom. The terrorists won.

See? Business model entirely without DRM.

[Erikderzweite]

Just look at those guys: they don't need to take our freedoms with draconian DRMs and bought legislation. Their programs can be freely copied, in fact, their whole business model depends on the software being copied at no cost!

What do they earn their money with, you ask? With high-quality cryptographic security service! Truly, a business model of the future.

They are not blaming pesky pirates for their losses, they don't whine that someone uses their work without permission. They work harder, are creative and produce high-quality product. And that is their key to success!

Re:

[tibit]

That's what makes it even sadder. True but oh so sad...

Re:

[wvmarle]

I would say this malware IS DRM. Because what it does is it encrypts the content, and then demands money to have it decrypted. Sounds very much like your average DRM scheme.

A key difference appears to be that this one actually works - at least there is no mention in the article of it having been broken yet.

Re:

[mrchaotica]

Nah, it's just regular cryptography. The definition of DRM requires that the owner of the data and the attacker be the same entity.

Attacker *is* the 0wn3r

[tepples]

The definition of DRM requires that the owner of the data and the attacker be the same entity.

If CryptoLocker has a chance to run, then the attacker has pretty much owned the machine.

Re:

[gnasher719]

Nah, it's just regular cryptography. The definition of DRM requires that the owner of the data and the attacker be the same entity.

DRM = Digital Rights Management. If I download videos or audiobooks with DRM, I have rights to use them, and the DRM controls these rights. My rights, not the rights of the movie or book company. So does this software. It controls _my_ rights to access the data. The only difference is that one makes sure I don't exceed my rights, while the other makes sure I can't execute my rights without paying ransom.

Re:

[mrchaotica]

The only difference is that one makes sure I don't exceed my rights, while the other makes sure I can't execute my rights without paying ransom.

Both DRM and cryptolocker encrypt your data with a key you don't know.

The difference is that DRM attempts to let you use that key (to decrypt your data under the conditions that the DRM-imposer "allows") while simultaneously hiding the key from you (so that you can't decrypt your data under other conditions).

Cryptolocker, on the other hand, just gives you the key (

Re:

[mlts]

Don't forget highly reliable, dependable software coupled with (as per previous postings) top tier customer support.

NSA etc

[RichMan]

Where are the vaunted security agencies in providing protection for citizens? Should not the government have a hand in protecting its citizens?

Re:

[SJHillman]

Get this labeled as "cyber-terrorism" (which is basically is) and they'll be all over it.

Re:

[KiloByte]

You got it wrong: the NSA does cyber-terrorism, it doesn't fight it. Just like the PATRIOTUSA act was 100% promoting terrorism (spreading fear for political gain) rather than combatting it.

Said every IT person. Ever.

[girlintraining]

"So, do you have a current backup?"
-- Every tech support number you'll call, anywhere. Ever.

And yet, the single most basic thing you can do to protect your data gets overlooked by hundreds of millions of people, because it's just too burdensome to drag and drop from "My documents" to "My external drive". Viruses, malware, and crap like this would have gone the way of the dodo bird if people would just follow the most basic. advice. ever. regarding the maintenance of their computer. You wouldn't run your car out of oil after neglecting to change it for 15,000 miles, would you? So why do you do it to your computer?

Re:Said every IT person. Ever.

[thebes]

And yet, the single most basic thing you can do to protect your data gets overlooked by hundreds of millions of people, because it's just too burdensome to drag and drop from "My documents" to "My external drive".

And how many people that do use an external drive actually unplug it after the fact?

Re:

[tepples]

And how many people that do use an external drive actually unplug it after the fact?

Anyone who uses an external USB flash drive, for one.

Re:

[LordLimecat]

Clearly you dont work with many end users. Most that I know DO leave them plugged in; for those that dont, it tends to screw any automatic backup system they might have.

Laptop appendage

[tepples]

Good luck fitting your laptop back in its case with the USB flash drive hanging out of it. Or do you work only with desktop users?

Re:

[Anonymous Coward]

your forgetting that almost no one changes their own oil any more, people are just too lazy and that's the only answer. that is why certain companies have stopped including dip sticks with their engines and instead require you to go to a service center to check your oil levels. one failed sensor and your engine is toast..

and you expect people to perform their own backups? your analogy is correct but you miss the fact that you are not the average person as you have the common sense not to run your car for 15

Re:

[girlintraining]

for the vast majority of people an automobile is an appliance, one that they care for about as much as their toaster

I don't agree. A toaster can be abused and run into the ground without hurting your wallet too much. People tend to sit up and take notice when you start talking about dropping half their yearly net income on something. Now, that doesn't mean they have common sense -- plenty of people have all the sense of a turnip, but to suggest they put a car in the same category as a toaster is absurd.

As for those sensors... no, it takes more than one failed sensor to blow up your engine. There is an oil pressure sensor

Re:

[Bob the Super Hamste]

Engines that are low on oil tend to run hot, and they tend to run hard. They don't accelerate, they feel like they're losing power, and dear god do they make noise as they die. All that overheating metal is going rat-a-tak-tak and war-warrrrr-waaaaahhhhhrrrrr.... as it dies, smoking and belching steam.

Sadly you have just described all of the vehicles my mother and step father have owned over the last 25 years. Far too many people treat things like they are disposable, even big ticket things like vehicles, so not taking care of relatively inexpensive things like a computer doesn't surprise me much at all.

Re:

[HornWumpus]

Heard from an old lady who just ruined her new car:

I know I had oil, every time I started my car a light came on and told me I had oil.

Re:Said every IT person. Ever.

[wbr1]

Unfortunately, an external drive backup using your scheme is of little to no use against this threat. It will encrypt all attached drives, network, USB or otherwise, so long as the user has permissions. It will start with commonly needed file extensions first.

Unless your backup is not visible to the virus, you are toast. This is a situation where unattached, or off-site backups and cloud solutions win. A simple user with an always attached USB drive will still be toast.

Re:

[joe_frisch]

Can it encrypt files on a different type of system? If you backup from a PC to a linux server, if the PC is infected can it corrupt the files on the linux machine. (sorry if this is an ignorant question)

I generally have one addition layer of protection - the linux server has a backup that only has root write permissions, so the windows machines can't write to the backup disks (though I assume this can be hacked as well). Then I have offsite backups, but they are only updated monthly.

Re:

[wbr1]

File system and location matter not. If it is seen as a drive letter or sub folder in windows on the infected machine, and it has write/modify access, you are done.

Re:

[Jody Bruchon]

For small business Linux storage servers, I personally use rsync to maintain a mirror of a Linux server's shared folder repository and copy out mirrored files that change to a rolling backup snapshot structure which is also shared out as read-only. If something encrypts all their documents, they have 60 days worth of backup snapshots and one of those will be massive from the huge number of files changing out when cron fires off rsync. Recovery is so simple, too.

rsync -av $BACKUP/backup.$AGE_IN_DAYS/ $SAM

Re:

[mlts]

This may be archaic, but this is one application where tape backups can come in handy. Once data is stashed on a tape and the tape dismounted, it is out of reach to malware looking for anything online to disrupt. WORM tapes even more so, since once the session is closed, it is there for good, so malware can't erase the data that is previously written.

Maybe one idea that might help with this is an external hard drive with a large UDF filesystem. Files can be easily copied to it, but once written, they can

Re:

[Cro Magnon]

So, that means it would also f**k up my Dropbox stuff?

Re:

[Solandri]

Unless your backup is not visible to the virus, you are toast. This is a situation where unattached, or off-site backups and cloud solutions win. A simple user with an always attached USB drive will still be toast.

An always-attached USB drive is not a backup. It's just additional storage where you happen to be keeping a copy of your files.

The whole point of a backup is that you have a safe copy of your files should you accidentally delete the wrong thing, a lightning bolt fries your equipment, burglars

Re:

[swb]

And you also need enough of the right kind of backups.

Basic drag-and-drop copy backups for desktop users where they keep the backup device connected and online for convenience or scheduling would be of limited value due to the fact that they do could be crypto-lockered. Your backup needs to be of a type that can't be compromised by cryptolocker, either in a format it doesn't attack or on a system/media that is isolated from a desktop infection.

Further, you need enough retention in your backup so that you

Re:

[tlhIngan]

And yet, the single most basic thing you can do to protect your data gets overlooked by hundreds of millions of people, because it's just too burdensome to drag and drop from "My documents" to "My external drive". Viruses, malware, and crap like this would have gone the way of the dodo bird if people would just follow the most basic. advice. ever. regarding the maintenance of their computer. You wouldn't run your car out of oil after neglecting to change it for 15,000 miles, would you? So why do you do it t

Re:

[mlts]

The only non-enterprise backup utility that can do this client-server motif these days is Retrospect. However, the licensing fees for the server version are atrocious. It works OK with disks, but apparently with optical media like Blu-Rays, it has a very limited hardware list, and anything not on the list will not be allowed to even read backups.

Of course, there is always NetBackup, but the ticket for entry into that ballgame will be six digits.

Re:

[LordLimecat]

drag and drop from "My documents" to "My external drive".

Reality check: That backup system almost never works; users as a practical matter tend not to remember to do something like that, because its tedious and takes forever and requires you to do it by hand.

Suggest an automated backup solution that they can periodically check, or stop yelling at them because you failed to provide a decent solution. Crashplan is a rather good one that I recommend, because it starts reliably blasting emails out when backups dont happen, and it does "incrementals forever" in a wa

Re:

[Capt.DrumkenBum]

You wouldn't run your car out of oil after neglecting to change it for 15,000 miles, would you?

You have obviously never met my mother.

Brain-dead default: the gift that keeps on giving

[istartedi]

Microsoft's brain-dead default of "hide file extensions" is cited in the article as part of the social engineering aspect that gets users to click on the files. It's the gift that keeps on giving... to black hats.

Hiding the file extension does NOTHING to make things easier on the user or make the UI any cleaner. It's not like we have 40 column displays where the file extension is "too long" and going to take away "screen real estate".

This has been going on literally for DECADES NOW. How can Microsoft be so blind? Whenever I get a new Windows box, it's the first thing I disable because if I don't, I'll just end up creating files with names like, "DailyLog.txt.txt".

Whoever is at MS, insisting that this remain the default needs to be hauled out, shot, drawn, quartered, and the pieces sent to be displayed in the lobbies of their 4 largest offices.

Re:

[NoImNotNineVolt]

I'm seriously in love with your sig. Thank you for making the interwebs a better place.

Try this to fix the infection...

[weeboo0104]

I believe I got hit by this about a week ago when I clicked on an advert linked on Chicago Tribune's website.

A fullscreen message appeared saying my computer had been encrypted and I had to pay $300 to decrypt it. I pulled my network cable out and had to power off my PC because the keyboard would not work. I was able to boot back up, but when I logged in both regularly and in Safe-Mode, a full white screen saying "please connect to the Internet" appeared and I couldn't use the keyboard again.

I pressed F8 on boot and booted into Safe-Mode Command line only. Once I logged in and saw the command line, I typed rstrui.exe (windows System Recovery) and using the Restore Wizard, restored to a checkpoint from a day earlier. I restarted my PC again and let it boot normally and once I was able to log in without seeing the message, reconnected my network cable.

My PC was never encrypted. The message only said it was. The clincher was before I booted Windows in Safe-Mode, I used a Knoppix DVD to mount the Windows partition and copy off my personal data before I started the recovery process. The data was perfectly readable and not encrypted.

Re:

[NoImNotNineVolt]

So I've got to ask... why were you clicking on advertisements?!

Re:

[Taibhsear]

I did the same thing to fix a friend's laptop. It was windows 8 though and giving me shit so I ultimately had to just rip the drive out and mount to another system. It was a pain in the ass but still recoverable.

Re:

[SJHillman]

I can't tell if you're a troll or just an average AC....

Re:

[tibit]

You must be so confused. It's ransomware: it encrypts your files with a public key. The private key is controlled by the gang. You don't pay, you end up with a bunch of random-looking data substituted for your files, since the gang destroys the unique private key after the time is up. Yes, you're basically just back to where you were, before you "installed" the software. The "bother" is with the software being ransomware. It's malware. It installs itself when you don't pay attention, like most people out th

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[sunsurfandsand]

It's ransomware: it encrypts your files with a public key. The private key is controlled by the gang. You don't pay, you end up with a bunch of random-looking data substituted for your files, since the gang destroys the unique private key after the time is up.

Unfortunately, I couldn't afford the $300. Fortunately, I never liked my data anyway.

Zuckerberg

[Frankie70]

That's where the Mark Zuckerberg Link comes in. Zuckerberg will sell FB stock worth 2.3 billion$ & give the CryptoLocker guys 30 million $ from that.

Re:Error

[Drethon]

Are you sure it is unrelated? Facebook seems to be asking a lot of money for nothing tangible too...

Re:

[JWW]

Maybe this technology is related to Facebook.

Imagine, Facebook's users are generating unique, pithy, substantive and deep posts to put on Facebook, but this crypto locker stuff is just converting those awesome posts into worthless drivel about piddly silly details about the Facebook breakfast or exercise routine.

Re:

[SJHillman]

We got hammered by CryptoLocker twice in November. Unfortunately, the backups of one of our affected fileservers crashed the same day, but we still lost very little data (none critical). The worst part is that it hits every mapped drive that the user has write-access to, and some of our legacy accounting and payroll systems require exactly those permissions. It's a real eye-opener, but what really gets you going is when you realize that CryptoLocker is actually pretty tame compared to what it could be - it

Re:

[stewsters]

Your data is far more important to most people that windows. You could just re-install if that is the case (which you probably should consider if you were hit with this). One issue I have with security is that almost everyone stores their most valuable files in a location that any program they start can edit. Its really easy for users, but means things like this are so much worse.

They should popularize a system where you can choose what programs have access to particular directories. I would imagine

Re:

[SJHillman]

One issue is that it doesn't just affect the infected machine, but also every mapped drive. Reinstalling all of those systems would have been a nightmare's worth of downtime. Unfortunately, most of the mapped drives are a result of legacy systems with very finicky requirements that we can't move off of yet for one reason or another. I agree, your access control system would be nice (although I imagine the initial implementations would be a minor nightmare as proprietary apps try to lock out other programs t

Re:

[mlts]

I've been hacking together a system on a Windows Server 2012 box, where the clients copy their documents to a directory in their own individual shares, then when done, the directories get moved to another directory not accessible to the clients. Then, later in the night, the deduplication process fires off, so for the most part, only changed in the stored documents are stored. Of course, this may not help if the malware is smart enough to do its dirty work slowly over a period of time where old backups ar

Re:

[JaredOfEuropa]

This. I found this bit of info on Bitlocker surprising as well: "When first run, the payload installs itself in the Documents and Settings folder with a random name, and adds a key to the registry that causes it to run on startup." Is this still even possible on modern (ish) operating systems (Windows 7 / Windows 8). Windows seems to ask for permission whenever an .exe is executed, and you'd certainly think it would ask for permission when a program modifies that part of the registry.

Re:

[SJHillman]

It requires the user to run it in the first place, usually as an email attachment. And users have long since been conditioned to click Yes/Run/Continue on every pop-up box that gets between them and their perceived goal. As annoying as it is, I like the things that ask "Block? Yes/No" rather than "Allow? Yes/No" because it helps stop some of this click-yes-without-reading behavior.

The bright side of CryptoLocker's registry access is that it leaves a list of every file that it hit, which helped a lot when re

Re:

[mlts]

Depends on the OS. Server operating systems will have a SmartScreen filter that requests to be set up once the machine is running, and will immediately prompt if it encounters unsigned applications and disallow them to run.

This capability is present in Windows 7 and newer (AppLocker), but it isn't turned on unless someone has the "pro" version and access to gpedit.

Re:Justice

[mlts]

IMHO, CryptoLocker is just the first shot across the bow.

Long term, maybe it will be a good thing, similar to the old PC days where BIOS killing viruses finally got people to actually care about average security or else keep buying new computers.

Of course, malware like this pretty much trashes almost every single backup system known to man. The enterprise is less affected because of programs like NetBackup that pull data, so malicious software is unable to touch previous backups. However, the main form of backups people do (if they bother to do anything) is copying to a secondary hard disk, which allows the backups to be accessed by malware and destroyed. Services like Mozy sort of help, but they might not keep a previous version of a file that hasn't been corrupted by ransomware, especially if the software is relatively slow and encrypts files over a long period of time to escape detection.

What I am waiting to see is Cryptolocker's descendant. This software will install itself through a hole in a Web browser or add-ons. It will install a low level Windows driver. It will then generate a private key and keep it local to the machine, sending a backup to the ransomware's servers. The software will gradually encrypt files over time. However, when an encrypted file is accessed, it will decrypt it on the fly... for a time.

Then, once it completes encrypting files, it will stop decrypting on the fly, purges the private keys it used, then demand ransom. Since this was done over a period of weeks to months, even backups stored on Mozy or other places will be locked out.

Re:

[JesseMcDonald]

What I am waiting to see is Cryptolocker's descendant. [...] The software will gradually encrypt files over time. However, when an encrypted file is accessed, it will decrypt it on the fly... for a time.

Then, once it completes encrypting files, it will stop decrypting on the fly, purges the private keys it used, then demand ransom. Since this was done over a period of weeks to months, even backups stored on Mozy or other places will be locked out.

Wouldn't the backup software also get the decrypted data? Or is the ransomware treating requests by the backup software differently than requests by other programs?

Re:

[mlts]

Depends on OS. Windows uses snapshot functionality, and in theory, it wouldn't be hard for malware to not bother intercepting the files opened under a backup context so they get backed up encrypted compared to files opened directly by the user.

EFS on NTFS works in a similar fashion. If I back up a directory full of EFS protected files, they are stored encrypted. If I fire up a utility like WinRAR which opens files as an application does, Windows will decrypt the files automatically.

Re:

[TheloniousToady]

You're right, it must be one of those. But they're actually doing you a service if you think about it. You see, all conspiracies exist solely to feed the paranoia of conspiracy theorists. Otherwise, there would be nothing for us to be afraid of. And what fun would that be?

Like roads and bridges, government conspiracies actually are built for the public good, but not for the obvious reasons: not for charitable reasons such as gathering data to protect The People, and not even for the cynical reasons of w

Re:

[houstonbofh]

Who, Zuckerberg?

I am still deciding...

Re:

[tqk]

If Zuckerberg is 50% as sleezy as depicted in "The Social Network", ...

Not that I'm defending him, but you do know that was a Hollywood production, yes? When have that bunch *ever* portrayed an actual event with any degree approaching accuracy?

Re:

[wile_e_wonka]

I wish I had some mod points to mod this side conversation about .4% as "funny." Like, who exactly has infiltrated /. that doesn't understand this? Soon, they're going to need to remove "News for Nerds" as false.

Re:

[suso]

Now if we can only determine the connection between Zuckerberg and Verizon, we can blow this CryptoLocker thing wide open.
http://verizonmath.blogspot.ca/2006/12/verizon-doesnt-know-dollars-from-cents.html [blogspot.ca]

Its amazing that this is the only comment that mentioned Verizon math. Maybe I'm not on the right site. This is Slashdot correct?

Re:

[tompaulco]

First, make them pay back everybody they ransomed, times 10, then execute them. If they don't have the money to pay back times 10 then we can find a company to pay back everybody times 10 and then make the perpetrators have to work for that company for free until their debt is paid off.