Backup the best defense against (Cri)locked files

Crilock – also known as CryptoLocker – is one notorious ransomware that’s been making the rounds since early September. Its primary payload is to target and encrypt your files, such as your pictures and Office documents. All of the file types that can be encrypted are listed in our Trojan:Win32/Crilock.A and Trojan:Win32/Crilock.B descriptions.

Crilock affected about 34,000 machines between September and early November 2013.

Once Crilock encrypts your file types, they are rendered unusable. The malware shows a message that covers your desktop and demands you pay a ransom to have access to your files again. The ransom can be paid with various online currencies such as BitCoin, CashU, MoneyPak, Paysafecard, and Ukash. Once you pay, the malware author will supposedly give you back the private keys used in encryption. However, we don’t recommend doing this as there is no guarantee that paying will lead to recovering your documents and, in effect, you’re giving criminals some of your hard-earned money.

Crilock message

Figure 1: The message that Crilock might display on your desktop

Crilock document upload

Figure 2: Crilock asks you to upload your encrypted documents and recover them for a fee

The Crilock authors have even setup an online payment scheme on the Tor network where affected people can upload their encrypted files for recovery.

Crilock encrypts your files using an AES-256 key that is unique to each file and then encrypts the file-specific AES key using a 2048-bit RSA public key. This is similar to the GpCode ransomware, which first came out in 2006 and used the same technique, but with RC4 first, and then 1024-bit RSA for encrypting the per-file key.

Crilock can be downloaded onto your computer by exploits or malware. For instance, we have seen Upatre download Zbot, which in turn downloads Crilock. Upatre has been heavily spammed in the past few months, and spam runs can be an effective way to distribute malware. This is discussed in detail in the blog post Upatre: Emerging Up(d)at(er) in the wild.

As shown in the chart below, Crilock has predominantly affected English-speaking countries, although it does have a comparatively small presence in non-English speaking locations as well. Every Crilock variant we’ve seen so far has a ransom message written only in English.

Crilock affected countries graph

Crilock affected countries map

Figure 3: Crilock-affected countries from September 2013 to early November 2013

Can you recover your documents without paying?

In some cases, you can recover previous versions of encrypted files. However, the following conditions must be in place:

  • System Restore Point must have been turned on before you were infected with Crilock.
  • You must already have detected and removed Crilock, and there can be no traces of it on your PC.
  • Your files must be on the same PC you're using to recover them (that is, the files aren't on a network or removable drive).

SkyDrive for Windows 8.1 also has a means of restoring previous versions of Microsoft documents. Similar to System Restore Point, you can look at the version history and recover files from a previous state.

Right-click on the file to see available version history

Figure 4: Right-click on the file to see available version history

Restore file from older known working versions

Figure 6: Restore file from older known working versions

You can find more information about restoring previous file versions below:

We’ve also added signatures based on Crilock behaviors to our antimalware products. This detection, Behavior:Win32/Crilock.A, can detect an infection before it infects and encrypts files.

Crilock is not the first malware to extort money by encrypting files and it certainly won’t be the last. However, you can help prevent Crilock and other malware, from infecting your PC by:

  • Keeping your operating system and antivirus product up-to-date.
  • Being careful about which files you download (and where you download from).
  • Being cautious about which attachments and links you open.

Ransomware such as Crilock also emphasizes the importance of backing up your files on a regular basis. You can back up files by enabling System Restore, using manual syncing methods, or even by manually moving your files to a separate drive.

Marianne Mallen and Karthik Selvaraj
MMPC

No Comments