Security is ever evolving — the moment a threat is borne, security researchers jump in to dissect the malware and derive a signature-based detection rule to pick up and hopefully thwart an infection.
This tried-and-true method has existed since the first publicly documented release of antivirus (AV) programs from several competitors in 1987. While most viruses were limited in scope as to payload (or damage), a lot has changed in the last several years — particularly with the increasing reliance on “always-on” systems for data communications.
Malware creators have embraced this always-on theory and exploited it to usher in a form of dynamism to their viruses, allowing them to not only be lightweight and stealthy, but also easier to modify (creating variants to avoid detection) and, in some cases, updatable like regular software to add features-rich payloads for future targeted attacks.
What is CTB-Locker?
As the CryptoWall (and its previous iteration CryptoLocker) malware has shown, the bar for exploits and potentially damaging payloads continues to rise. CTB-Locker (PDF) — the next in a growing trend of data-encrypting ransomware that is currently making the rounds around the web — is infecting enterprise and consumer stations.
The virus, upon infection, scans the computer and encrypts data based on file-types, targeting many types of files used in the enterprise, such as .PDF, .XLS, and .PPT to name a few. Upon encrypting the files, the virus will create a .TXT and .HTML file with instructions on how to obtain the decryption key, which will be available after paying the ransom stated (up to 3BTC). The decryption key will only be valid for up to 96 hours; after that time, the server will delete the decryption key, and the files will remain encrypted.
Where does it come from?
Its origin is currently unknown. However, perhaps a better question is: Where is it going?
CTB-Locker has been in the wild for sometime; infections were contained to particular parts of the world, yet slowly, more and more infections are popping up in France and Spain, which indicate the malware is proliferating worldwide.
How does it infect a computer?
Infection has been traced primarily back to spam containing the malware as an attachment in a .ZIP file. When this attachment is opened, it creates a copy of itself in the %Temp% folder. Upon launching, it injects malicious code to the svchost.exe process of a Windows computer which, in turn, creates a scheduled task to the file located in the %Temp% folder to run on startup.
A mutex (i.e., a program thread that allows shared resources to run, but not simultaneously) is created to ensure that only one instance of the malware will run at any given time. This injected code in the svchost.exe is the same process that will encrypt the data on the computer based on file-types.
Will I know if my computer is infected?
As with CryptoWall, there are signs that indicate if CTB-Locker has infected your system’s data.
- When attempting to open certain files, such as .xls or .pdf, the files are launched with the correct program, but data may be garbled or not properly displayed. Additionally, an error message may be accompanied when trying to open infected files.
- In some instances of CTB-Locker infection where the files have been encrypted, the filename will include a suffix with a randomly generated set of characters; for instance, filename.pdf will be renamed filename.pdf.siudfh.
- The most common indication will be the appearance of two files at the root of the My Documents directory that contain files that were encrypted by CTB-Locker. The filename is randomly generated, just as in the suffix appended to all encrypted files above.
Additionally, a ransom screen will appear just after successfully authenticating that will display a warning indicating that the computer has been compromised by CTB-Locker, and that the countdown of 96 hours has begun in order to pay the ransom and obtain the decryption key to decrypt the data.
Following the steps included in the .HTML file, the instructions will require the end-user to install Tor in order to communicate with the virus writer’s server and show proof of payment (made in Bitcoin). Once the payment has been verified, the decryption key will be made available to the end-user to decrypt the encrypted files.
Also, the CTB-Locker warning screen allows the end-user to decrypt five files for free to prove the decryption key is valid and upon payment, the end-user will be allowed to regain the use of his/her data.
What options are available if a computer is infected with CTB-Locker?
Confirm that the infection is CTB-Locker by testing it with any of the encrypted files using the upload mechanism built-in to the Tor URL provided. If the file is not decrypted, another virus may have infected the computer, or the time limit has expired on retrieving the files. In either scenario, please read the following section.
If the file is successfully decrypted and you have agreed to pay the ransom, take a few things into consideration (I wrote the following about CryptoWall, but my advice holds true for CTB-Locker as well):
“Paying the ransom is an exercise in and of itself. Unfortunately, the ransom amount must be paid in Bitcoin, a digital currency that’s used to purchase goods and services, similar to US currency. However, due to its lack of regulation and general lack of acceptance, Bitcoin is a niche market and not as common as US currency.
Adding to the difficulty of procurement is that many exchanges that accept US currency for Bitcoins have limited purchases of larger Bitcoin amounts. There are also strengthened company policies that further restrict the accumulation of the necessary amount of Bitcoins to pay off the ransom. Many of these changes have come about as a direct result of the CryptoWall virus, with some exchanges known to cancel transactions and restrict accounts suspected of using their services to pay off the ransom.
Though difficult, it’s still possible to open an account at an exchange to begin funding the purchase of Bitcoins in order to pay the ransom in the time allotted. If neither time nor technology is on your side, another viable option is seeking out the services of an IT consultant with experience in this matter. They may be able to assist you in the overall recovery process of your data and may even be able to do so without incurring any penalty due to non-payment within the specified time frame.”
I cannot/will not pay the ransom. Are other options available to recover the data?
Deciding whether to pay the ransom is a matter of personal choice that comes down to the intrinsic value of the data lost. While paying for the decryption key may be a simpler (and sometimes the less costlier) option than say, hiring a consultant or assigning IT members to work on data recovery, there may be no choice in the matter for certain regulated entities or for those whose time limit has expired.
Fortunately, there are things end-users can do to see if their files are recoverable without paying. Please realize that this is a big IF, and most cases will result with loss of data for non-payment, while those who do pay within the time frame will be able to recover their data through the use of the private key used for decryption.
With that disclaimer in place, the most effective method to recover your files is by using a backup. If your files have been backed up regularly, connect your backup drive to a non-infected computer to check your files; if they are on there and not infected, you clean the infected computer of infection, and you’ll be able to reconnect the drive to restore your data.
If a cloud-based backup exists, depending on the service provider, you may be able to sanitize the computer before restoring your files from the cloud. Some cloud services (e.g., Dropbox) store a local copy of the data on the host; in these cases, most of the cloud services offer file versioning as a form of added protection against file modifications made in error. By using this feature after sanitizing the computer, you should be able to roll back a file change to the date and time prior to the infection.
If no unaffected local or cloud-based backups exist, then the only chance at file recovery will lay in the VSS, restore previous file versions, or System Restore. Since much of the CTB-Locker infection is automated and the newest variation as of January 2015 executed commands to delete Shadow Copies of files, there are times when a command can’t execute due to a system resource issue or hanging app. In these cases, though rare, recovery may be possible by initiating a system restore to a time and date prior to the infection occurring. Note: This is the exception, not the rule, and each situation should be handled on a case-by-case basis.
Also, you might try using ShadowExplorer to attempt to restore a file or two first to test if this method works for you; if it does, remember to clean the computer first to get rid of any infections before trying to restore all your data. If the system is not cleaned, it will only try to encrypt the files again — and this time, it may succeed in stopping VSS and clearing the cache.
Which steps should be taken to protect computers?
There are several steps that should be taken at all times, regardless of the infection risk. The following suggestions apply to security best practices for computers and not just to a particular virus or subset of malware.
There should be an active AV application installed with the latest virus definition files and real-time scanning of the system at scheduled times and when opening files. Additionally, a malware scanner with active scanning capabilities and updated with the latest definition files should be used and not disabled at all times.
Lastly, a personal firewall is included with every modern computer OS; this firewall should be enabled and configured so that only traffic from known applications can be uploaded/downloaded. All other traffic — especially from unknown origins — should be halted until authorized by the end-user.
With your computer(s) protected, we move on to one of the greatest threats facing security: users. Educating end-users is tantamount to computer-based protections. After all, the end-user may have the ability to disable a firewall because it’s “too annoying” or stop an AV scan because “the computer’s running too slowly.” Moreover, end-users should be trained to be conscious of not clicking unknown links or installing questionable software since many of the malware infections today start out as phishing attempts and later propagate into relayed spam emails that cast a wider net.
Next, securing the network, including reigning in user accounts with unnecessary access to data — both locally and stored on server shares. In the case of CTB-Locker, the degrees to which files become encrypted are limited to the access rights that the logged on end-user has associated to his/her user account. In corporate environments where users are almost always using standard accounts with limited rights, only the files to which they have full-access rights to — namely, their profile folder — will be affected by file encryption; however, for those end-users whose accounts have administrative rights to a system, all files can be potentially encrypted. Security administrators would be well served by performing regular audits of users’ and group’s rights on the network, as well as, on local computers. Best practices based on the principle of least privilege are a good foundation to build from.
Backup or — in some instances — lack thereof. A proper backup system with preferably a local and cloud-based backup schedule will go above and beyond to protect your data. Even when the system is compromised, you can count on being able to restore your data, as needed.
Other considerations for protection include safe internet practices. Don’t visit questionable websites, never click links found within emails, and certainly never provide anyone any form of personally identifiable information in chat rooms, forums, discussion boards, or social media sites!
Lastly, consider enabling software restriction policies if you’re a system administrator on an enterprise network or using a freely available application such as CryptoPrevent to block many of the avenues to which CTB-Locker uses to gain a foothold on your computer.
The bottom line
Security is not IT. Security is not an organizational or operations bullet point. Security is everyone, everywhere that is actively engaged in using technology to communicate, send/receive data or otherwise for personal and/or professional use.
Security is everyone’s responsibility. And while that might not be much to curb malwares existence, it will go a long way toward ensuring that malware infections don’t lead to data loss and corruption or being spied on and having sensitive information leaked.