CTB-Locker virus: How to protect your systems, and what to do if infected

Security is ever evolving — the moment a threat is born, security researchers jump in to dissect the malware and derive a signature-based detection rule to pick it up and, hopefully, thwart an infection.

This tried-and-true method has existed since the first publicly documented release of antivirus (AV) programs from several competitors in 1987. While most viruses were limited in scope as to payload (or damage), a lot has changed in the last several years — particularly with the increasing reliance on “always-on” systems for data communications.

Malware creators have embraced this always-on model and exploited it to usher in a form of dynamism to their viruses, allowing them to be not only lightweight and stealthy, but also easier to modify (creating variants to avoid detection) and, in some cases, updatable like regular software, so that feature-rich payloads can be added for future targeted attacks.

What is CTB-Locker?

As the CryptoWall (and its previous iteration, CryptoLocker) malware has shown, the bar for exploits and potentially damaging payloads continues to rise. CTB-Locker — the next in a growing trend of data-encrypting ransomware currently making the rounds on the web — is infecting enterprise and consumer workstations.

Upon infection, the virus scans the computer and encrypts data based on file type, targeting many of the file types used in the enterprise, such as .PDF, .XLS, and .PPT, to name a few. After encrypting the files, it creates a .TXT and an .HTML file with instructions on how to obtain the decryption key, which is released only after the stated ransom (up to 3 BTC) is paid. The decryption key is available for at most 96 hours; after that, the server deletes the key, and the files remain encrypted.

Where does it come from?

Its origin is currently unknown. However, perhaps a better question is: Where is it going?

CTB-Locker has been in the wild for some time; infections were initially contained to particular parts of the world, yet more and more infections are slowly popping up in France and Spain, which indicates that the malware is proliferating worldwide.

How does it infect a computer?

Infection has been traced primarily to spam carrying the malware as an attachment inside a .ZIP file. When the attachment is opened, the malware creates a copy of itself in the %Temp% folder. Upon launching, it injects malicious code into the svchost.exe process of the Windows computer, which in turn creates a scheduled task that runs the file in the %Temp% folder at startup.

A mutex (i.e., a synchronization object that lets a shared resource be used, but not by more than one party at the same time) is created to ensure that only one instance of the malware runs at any given time. The code injected into svchost.exe is also what encrypts the data on the computer, again selecting files by type.
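One way to hunt for the persistence step described above (a scheduled task pointing at a file in %Temp%), as an added example that is not from the original article: it parses the CSV that `schtasks /query /fo CSV /v` emits and flags any task whose program path sits in a Temp folder. The CSV sample is constructed and trimmed to a few columns; the column names "TaskName" and "Task To Run" are assumed to match the verbose output.

```python
"""Flag scheduled tasks whose program lives in a Temp folder. Added example;
the CSV sample is constructed, not captured from a real infection."""
import csv
import io
import platform
import re
import subprocess

# Temp locations on a stock Windows install; extend for redirected TEMP folders.
TEMP_PATH = re.compile(r"(\\appdata\\local\\temp\\|\\windows\\temp\\|%te?mp%)",
                       re.IGNORECASE)

# Constructed sample of `schtasks /query /fo CSV /v` output, trimmed to the
# columns used here (the real output has many more; fields are read by name).
SAMPLE_CSV = (
    '"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type"\r\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation",'
    '"%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM","At system startup"\r\n'
    '"WS01","\\UpdateTask","Ready","WS01\\alice",'
    '"C:\\Users\\alice\\AppData\\Local\\Temp\\rkwbhqjl.exe","WS01\\alice","At logon time"\r\n'
)


def parse_tasks(csv_text):
    """Parse verbose schtasks CSV into dicts, dropping repeated header rows
    (schtasks re-emits the header before each task on some Windows versions)."""
    return [row for row in csv.DictReader(io.StringIO(csv_text))
            if row.get("TaskName") != "TaskName"]


def command_path(task_to_run):
    """Return the program part of a 'Task To Run' value, arguments removed."""
    value = task_to_run.strip()
    if value.startswith('"'):                      # quoted path, args follow
        return value[1:value.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|cmd|bat|scr|vbs|js))(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value.split(" ")[0]


def find_temp_tasks(csv_text):
    """Return (task name, program) for every task that executes from Temp."""
    hits = []
    for task in parse_tasks(csv_text):
        exe = command_path(task.get("Task To Run") or "")
        if TEMP_PATH.search(exe):
            hits.append((task["TaskName"], exe))
    return hits


if __name__ == "__main__":
    text = SAMPLE_CSV
    if platform.system() == "Windows":             # live data when available
        text = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                              capture_output=True, text=True).stdout
    for name, exe in find_temp_tasks(text):
        print(f"SUSPICIOUS {name} -> {exe}")
```

A legitimate installer occasionally registers a task from a temp path too, so treat a hit as a lead to inspect (author, run-as user, file hash) rather than proof of infection.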

Will I know if my computer is infected?

As with CryptoWall, there are signs that indicate if CTB-Locker has infected your system’s data.

  • When attempting to open certain files, such as .xls or .pdf, the files are launched with the correct program, but the data may be garbled or not displayed properly. Additionally, an error message may appear when trying to open affected files.
  • In some instances of CTB-Locker infection where the files have been encrypted, the filename will carry a suffix made up of a randomly generated set of characters; for instance, filename.pdf will be renamed filename.pdf.siudfh.
  • The most common indication is the appearance of two files at the root of the My Documents directory that refer to the files encrypted by CTB-Locker. Their filename is randomly generated, just like the suffix appended to each encrypted file above:

RANDOM_FILENAME.txt

RANDOM_FILENAME.html

Additionally, a ransom screen appears just after the user logs on, displaying a warning that the computer has been compromised by CTB-Locker and that the 96-hour countdown to pay the ransom and obtain the decryption key has begun.

Following the steps included in the .HTML file, the instructions require the end-user to install Tor in order to communicate with the virus writer’s server and show proof of payment (made in Bitcoin). Once the payment has been verified, the decryption key is made available to the end-user to decrypt the encrypted files.

Also, the CTB-Locker warning screen allows the end-user to decrypt five files for free to prove the decryption key is valid; upon payment, the end-user is allowed to regain the use of his/her data.
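The two on-disk indicators listed above (a random suffix appended after a real data extension, and a same-named .txt/.html pair dropped in the Documents root) can be checked across a folder tree with the following added example, which is not code from the original article. The file listing is constructed; the extension set and the 4-to-8-letter suffix pattern are assumptions drawn from the filename.pdf.siudfh example.

```python
"""Look for the two on-disk signs of a CTB-Locker run described above: data
files carrying an extra random suffix (report.pdf -> report.pdf.siudfh) and a
same-named .txt/.html ransom-note pair in the Documents root. Added example;
the file listing is constructed, not a real infection."""
import os
import re
from collections import defaultdict

# Extensions the article names plus a few common office formats (assumption).
DATA_EXT = {"pdf", "xls", "xlsx", "ppt", "pptx", "doc", "docx", "jpg", "txt"}
# A real extension followed by one more 4-8 letter suffix, e.g. ".pdf.siudfh"
TAIL = re.compile(r"\.([a-z0-9]{1,5})\.([a-z]{4,8})$", re.IGNORECASE)

SAMPLE = [  # constructed listing, relative to the Documents root
    "report.pdf.siudfh", "budget.xls.siudfh", "deck.ppt.siudfh",
    "notes.txt", "archive.tar.gz", "holiday.jpg",
    "qwzkrvbt.txt", "qwzkrvbt.html",
    "sub/plan.docx.siudfh", "sub/readme.html",
]


def renamed_files(paths):
    """Return (path, suffix) for files whose data extension has an extra suffix."""
    hits = []
    for p in paths:
        m = TAIL.search(os.path.basename(p))
        if m and m.group(1).lower() in DATA_EXT:
            hits.append((p, m.group(2)))
    return hits


def note_pairs(paths):
    """Return basenames that appear as both .txt and .html in the root folder."""
    seen = defaultdict(set)
    for p in paths:
        if "/" in p or os.sep in p:           # ransom notes sit in the root
            continue
        stem, _, ext = p.rpartition(".")
        if stem and ext.lower() in ("txt", "html"):
            seen[stem].add(ext.lower())
    return sorted(s for s, exts in seen.items() if exts == {"txt", "html"})


def assess(paths):
    """Combine both indicators; one shared suffix across all hits is the strongest signal."""
    renamed = renamed_files(paths)
    return {
        "renamed": renamed,
        "note_pairs": note_pairs(paths),
        "single_suffix": len({s.lower() for _, s in renamed}) == 1,
    }


def list_tree(root):
    """Relative paths of every file under root, for running against a real folder."""
    return [os.path.relpath(os.path.join(d, f), root)
            for d, _, files in os.walk(root) for f in files]


if __name__ == "__main__":
    import sys
    result = assess(list_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE)
    print(f"{len(result['renamed'])} renamed files; note pairs: {result['note_pairs']}")
```

Run it against a copy of the user's Documents folder taken from a clean machine, not on the infected host while it is still running.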

What options are available if a computer is infected with CTB-Locker?

Confirm that the infection is CTB-Locker by testing any one of the encrypted files with the upload mechanism built into the Tor site at the URL provided. If the file is not decrypted, another virus may have infected the computer, or the time limit for retrieving the files has expired. In either scenario, please read the following section.

If the file is successfully decrypted and you have agreed to pay the ransom, take a few things into consideration (I wrote the following about CryptoWall, but my advice holds true for CTB-Locker as well):

“Paying the ransom is an exercise in and of itself. Unfortunately, the ransom amount must be paid in Bitcoin, a digital currency that’s used to purchase goods and services, similar to US currency. However, due to its lack of regulation and general lack of acceptance, Bitcoin is a niche market and not as common as US currency.

Adding to the difficulty of procurement is that many exchanges that accept US currency for Bitcoins have limited purchases of larger Bitcoin amounts. There are also strengthened company policies that further restrict the accumulation of the necessary amount of Bitcoins to pay off the ransom. Many of these changes have come about as a direct result of the CryptoWall virus, with some exchanges known to cancel transactions and restrict accounts suspected of using their services to pay off the ransom.

Though difficult, it’s still possible to open an account at an exchange to begin funding the purchase of Bitcoins in order to pay the ransom in the time allotted. If neither time nor technology is on your side, another viable option is seeking out the services of an IT consultant with experience in this matter. They may be able to assist you in the overall recovery process of your data and may even be able to do so without incurring any penalty due to non-payment within the specified time frame.”

I cannot/will not pay the ransom. Are other options available to recover the data?

Deciding whether to pay the ransom is a matter of personal choice that comes down to the intrinsic value of the data lost. While paying for the decryption key may be a simpler (and sometimes less costly) option than, say, hiring a consultant or assigning IT staff to work on data recovery, there may be no choice in the matter for certain regulated entities or for those whose time limit has expired.

Fortunately, there are things end-users can do to see if their files are recoverable without paying. Please realize that this is a big IF: most cases will result in loss of data for non-payment, while those who do pay within the time frame will be able to recover their data with the private key used for decryption.

With that disclaimer in place, the most effective method to recover your files is a backup. If your files have been backed up regularly, connect the backup drive to a non-infected computer to check them; if they are there and not encrypted, clean the infected computer, then reconnect the drive and restore your data.

If a cloud-based backup exists, depending on the service provider, you may be able to sanitize the computer before restoring your files from the cloud. Some cloud services (e.g., Dropbox) store a local copy of the data on the host; in these cases, most of the cloud services offer file versioning as a form of added protection against file modifications made in error. By using this feature after sanitizing the computer, you should be able to roll back a file change to the date and time prior to the infection.

If no unaffected local or cloud-based backups exist, then the only chance at file recovery lies in the Volume Shadow Copy Service (VSS), restoring previous file versions, or System Restore. Although much of the CTB-Locker infection is automated, and the newest variant as of January 2015 executed commands to delete Shadow Copies of files, there are times when that command cannot execute due to a system resource issue or a hanging application. In these cases, though rare, recovery may be possible by initiating a System Restore to a time and date prior to the infection. Note: This is the exception, not the rule, and each situation should be handled on a case-by-case basis.

Also, you might try using ShadowExplorer to restore a file or two first, to test whether this method works for you; if it does, remember to clean the computer first to get rid of any infection before restoring all your data. If the system is not cleaned, the malware will only try to encrypt the files again — and this time, it may succeed in stopping VSS and clearing the cache.

Which steps should be taken to protect computers?

There are several steps that should be taken at all times, regardless of the infection risk. The following suggestions apply to security best practices for computers and not just to a particular virus or subset of malware.

There should be an active AV application installed with the latest virus definition files, scanning the system in real time when files are opened and in full at scheduled times. Additionally, a malware scanner with active scanning capabilities, updated with the latest definition files, should be used and never disabled.

A personal firewall is included with every modern computer OS; it should be enabled and configured so that only traffic from known applications can be uploaded/downloaded. All other traffic — especially from unknown origins — should be blocked until authorized by the end-user.

With your computer(s) protected, we move on to one of the greatest threats facing security: users. Educating end-users is as important as computer-based protections. After all, the end-user may have the ability to disable a firewall because it’s “too annoying” or stop an AV scan because “the computer’s running too slowly.” Moreover, end-users should be trained not to click unknown links or install questionable software, since many malware infections today start out as phishing attempts and later propagate through relayed spam emails that cast a wider net.

Next, secure the network, including reining in user accounts with unnecessary access to data — both locally and on server shares. In the case of CTB-Locker, the extent to which files become encrypted is limited by the access rights associated with the logged-on end-user’s account. In corporate environments where users almost always use standard accounts with limited rights, only the files to which they have full-access rights — namely, their profile folder — will be affected by file encryption; however, for those end-users whose accounts have administrative rights to a system, all files can potentially be encrypted. Security administrators would be well served by performing regular audits of user and group rights on the network as well as on local computers. Best practices based on the principle of least privilege are a good foundation to build from.

Backups — or, in some instances, the lack thereof. A proper backup system, preferably with both a local and a cloud-based backup schedule, will go above and beyond to protect your data. Even when the system is compromised, you can count on being able to restore your data as needed.

Other considerations for protection include safe internet practices. Don’t visit questionable websites, never click links found within emails, and certainly never provide anyone any form of personally identifiable information in chat rooms, forums, discussion boards, or social media sites!

Lastly, consider enabling software restriction policies if you’re a system administrator on an enterprise network, or using a freely available application such as CryptoPrevent, to block many of the avenues CTB-Locker uses to gain a foothold on your computer.

The bottom line

Security is not IT. Security is not an organizational or operations bullet point. Security is everyone, everywhere, who actively uses technology to communicate, to send and receive data, or otherwise, for personal and/or professional use.

Security is everyone’s responsibility. And while that might not do much to curb malware’s existence, it will go a long way toward ensuring that malware infections don’t lead to data loss and corruption, or to being spied on and having sensitive information leaked.

For PC Virus Victims, Pay or Else

By  – New York Times
Published: December 5, 2012

In the past year, hundreds of thousands of people across the world have switched on their computers to find distressing messages alerting them that they no longer have access to their PCs or any of the files on them.

The messages claim to be from the Federal Bureau of Investigation, some 20 other law enforcement agencies across the globe or, most recently, Anonymous, a shadowy group of hackers. The computer users are told that the only way to get their machines back is to pay a steep fine.

And, curiously, it’s working. The scheme is making more than $5 million a year, according to computer security experts who are tracking them.

The scourge dates to 2009 in Eastern Europe. Three years later, with business booming, the perpetrators have moved west. Security experts say that there are now more than 16 gangs of sophisticated criminals extorting millions from victims across Europe.

The threat, known as ransomware, recently hit the United States. Some gangs have abandoned previously lucrative schemes, like fake antivirus scams and banking trojans, to focus on ransomware full time.

Essentially online extortion, ransomware involves infecting a user’s computer with a virus that locks it. The attackers demand money before the computer will be unlocked, but once the money is paid, they rarely unlock it.

In the vast majority of cases, victims do not regain access to their computer unless they hire a computer technician to remove the virus manually. And even then, they risk losing all files and data because the best way to remove the virus is to wipe the computer clean.

It may be hard to fathom why anyone would agree to fork over hundreds of dollars to a demanding stranger, but security researchers estimate that 2.9 percent of compromised computer owners take the bait and pay. That, they say, is an extremely conservative estimate. In some countries, the payout rate has been as high as 15 percent.

That people do fall for it is a testament to criminals’ increasingly targeted and inventive methods. Early variations of ransomware locked computers, displayed images of pornography and, in Russian, demanded a fee — often more than $400 — to have it removed. Current variants are more targeted and toy with victims’ consciences.

Researchers say criminals now use victims’ Internet addresses to customize ransom notes in their native tongue. Instead of pornographic images, criminals flash messages from local law enforcement agencies accusing them of visiting illegal pornography, gambling or piracy sites and demand they pay a fine to unlock their computer.

Victims in the United States see messages in English purporting to be from the F.B.I. or Justice Department. In the Netherlands, people get a similar message, in Dutch, from the local police. (Some Irish variations even demand money in Gaelic.) The latest variants speak to victims through recorded audio messages that tell users that if they do not pay within 48 hours, they will face criminal charges. Some even show footage from a computer’s webcam to give the illusion that law enforcement is watching.

The messages often demand that victims buy a preloaded debit card that can be purchased at a local drugstore — and enter the PIN. That way it’s impossible for victims to cancel the transaction once it becomes clear that criminals have no intention of unlocking their PC.

The hunt is on to find these gangs. Researchers at Symantec said they had identified 16 ransomware gangs. They tracked one gang that tried to infect more than 500,000 PCs over an 18-day period. But even if researchers can track their Internet addresses, catching and convicting those responsible can be difficult. It requires cooperation among global law enforcement, and such criminals are skilled at destroying evidence.

Charlie Hurel, an independent security researcher based in France, was able to hack into one group’s computers to discover just how gullible their victims could be. On one day last month, the criminals’ accounting showed that they were able to infect 18,941 computers, 93 percent of all attempts. Of those who received a ransom message that day, 15 percent paid. In most cases, Mr. Hurel said, hackers demanded 100 euros, making their haul for one day’s work more than $400,000.

That is significantly more than hackers were making from fake antivirus schemes a few years ago, when so-called “scareware” was at its peak and criminals could make as much as $158,000 in one week.

Scareware dropped significantly last year after a global clampdown by law enforcement and private security researchers. Internecine war between scareware gangs put the final nail in the coffin. As Russian criminal networks started fighting for a smaller share of profits, they tried to take each other out with denial of service attacks.

Now, security researchers are finding that some of the same criminals who closed down scareware operations as recently as a year ago are back deploying ransomware.

“Things went quiet,” said Eric Chien, a researcher at Symantec who has been tracking ransomware scams. “Now we are seeing a sudden ramp-up of ransomware using similar methods.”

Victims become infected in many ways. In most cases, people visit compromised Web sites that download the program to their machines without so much as a click. Criminals have a penchant for infecting pornography sites because it makes their law enforcement threats more credible and because embarrassing people who were looking at pornography makes them more likely to pay. Symantec’s researchers say there is also evidence that they are paying advertisers on sex-based sites to feature malicious links that download ransomware onto victims’ machines.

“As opposed to fooling you, criminals are now bullying users into paying them by pretending the cops are banging down their doors,” said Kevin Haley, Symantec’s director of security response.

More recently, researchers at Sophos, a British computer security company, noted that thousands of people were getting ransomware through sites hosted by GoDaddy, the popular Web services company that manages some 50 million domain names and hosts about five million Web sites on its servers.

Sophos said hackers were breaking into GoDaddy users’ accounts with stolen passwords and setting up what is known as a subdomain. So instead of, say, www.nameofsite.com, hackers would set up the Web address nameofsite.blog.com, then send e-mails to customers with the link to the subdomain which — because it appeared to come from a trusted source — was more likely to lure clicks.

Scott Gerlach, GoDaddy’s director of information security operations, said it appeared the accounts had been compromised because account owners independently clicked on a malicious link or were compromised by a computer virus that stole password credentials. He advised users to enable GoDaddy’s two-step authentication option, which sends a second password to users’ cellphones every time they try to log in, preventing criminals from cracking their account with one stolen password and alerting users when they try.

One of the scarier things about ransomware is that criminals can use victims’ machines however they like. While the computer is locked, the criminals can steal passwords and even get into the victims’ online bank accounts.

Security experts warn to never pay the ransom. A number of vendors offer solutions for unlocking machines without paying the ransom, including Symantec, Sophos and F-Secure. The best solution is to visit a local repair shop to wipe the machine clean and reinstall backup files and software.

“This is the new Nigerian e-mail scam,” Mr. Haley said. “We’ll be talking about this for the next two years.”

Lost Your Windows Logon Password?

Lost or forgot your Windows logon password? Hold down the F8 key while booting your PC, and start it in Safe Mode. After it boots, click on the “Administrator” logon icon, and after you get to the desktop do the following:

Go to Control Panel

Click on Users

Click on your User Profile (or the one you do not have the password for)

Select Change Password

Enter a new password, or leave the boxes blank for no password

Click OK

Restart the PC

When prompted click on the user, enter the new password, or just wait for it to boot into the desktop if no password is needed.

Now, if that does not work, THEN call PC Experts!