Dealing with Cryptowall and Ransomware

by Michael Perklin

As a digital investigator who spent years tracking cyber criminals online, and as someone who has launched a Bitcoin security consulting company, I’ve been contacted a number of times by victims of digital ransom, looking for ways out. The story is always the same: they see a warning on their computer screen telling them that their files are encrypted, and unless they pay a hefty ransom (with Bitcoin) before the clock runs out, they will never gain access to their files again.

I’ve decided to write this blog post to answer some questions about this type of ransomware and help the thousands of Canadians who must be affected by it.

Jump to the bottom to read the four suggestions on how to deal with this ransomware, or continue reading for more details about it.

In late 2013, a new form of ransomware titled CryptoLocker hit the Internet, indiscriminately encrypting portions of every file it could get its hands on. Files stored in “My Documents” folders, external drives and even shared folders hosted on other computers in the local network had portions of the contents encrypted using an RSA encryption key. The decryption key was made available to victims of this attack for the price of $300, paid in Bitcoin.
Although the CryptoLocker’s command and control servers were taken down in May 2014 thanks to a joint US Department of Justice raid on servers hosted in Kiev and Donetsk, this hasn’t stopped ransomware from spreading.

A new piece of ransomware has made its rounds lately: CryptoWall. My research into CryptoWall shows it is essentially the same code as CryptoLocker, but is designed to use a different command-and-control methodology to hopefully outlive its CryptoLocker predecessor. It also asks for $500 in ransom instead of CryptoLocker’s $300. Thankfully, this newest variant seems to use much of the same code as the old one, including all of its flaws.

The older CryptoLocker software had a few flaws in how it a) chose encryption keys to encrypt the victim’s files, and b) how it used these keys to encrypt the files in the first place.
Performing cryptographic operations with software in a secure manner is not easy. Care must be taken when using the encryption key in software to ensure it is only used to encrypt, and is removed from the system immediately afterwards. If this care isn’t taken, the encryption key can linger in a few places including RAM, pagefiles on the hard drive, and even cached locations on disk. These can be written inadvertently by the application, the application’s framework (.NET, JavaVM, Rails and other frameworks) or by the Operating System itself (in this case, Windows).
This is one of the services that my company, Bitcoinsultants, provides our clients: advice on using cryptography properly to ensure their applications don’t succumb to any of the 7 classes of attacks on information systems (Information Leakage being one).

In a true case of irony, this difficulty of securely using encryption keys has left CryptoLocker insecure, leaving copies of the key on victims’ computers. Where this would normally be an example of an Information Leakage vulnerability, in this case it is a bastion of hope for all of CryptoLocker’s (and CryptoWall’s) victims.

Dealing with Ransomware

There are a few suggestions that I regularly give to people looking for help. I’ve listed them here:

1. Keep a backup of your data before you get hit. This may seem like a cop-out suggestion, but the fact is if you have a safe copy of your encrypted data you don’t need to pay a ransom to recover the files; you already have them. External hard drives and large USB keys make this easy; simply drag and drop your files to your external drive, and unplug it when the copy is finished. This hard drive can be used to recover your files in the event your system becomes infected;
2. Try to decrypt the files on your own. If you have experience with programming and are an advanced technical user of computers, you may want to visit these technical resources which can help you understand and decrypt the files on your machine. Keep in mind this will take a significant amount of time and experience with the more technical aspects of computers in order to execute.
   • http://www.symantec.com/connect/blogs/cryptodefense-cryptolocker-imitator-makes-over-34000-one-month
   • https://github.com/kyrus/crypto-un-locker
   • Take a look at the contents of your %UserProfile%Application DataMicrosoftCryptoRSA folder
3. As much as I hate to suggest this, consider paying the ransom. Every case I’ve helped with has had their files decrypted after paying the ransom. As dishonourable as the attackers may be in writing this ransomware, they at least keep their word when it comes to decryption. I’ve had people offer to pay for my services to decrypt their files for them out of principle – they’d rather pay a whitehat hacker than a ransom – but the fact is the amount of time and effort required costs more than the ransom. I believe the authors of this ransomware priced the ransom purposely to ensure that it will always be cheaper to pay than to hire professionals to decrypt it on their own.
4. Canadians can report the incident to the Canadian Anti-Fraud Centre. They keep tabs on scams affecting Canadians and coordinate resources where necessary to combat them. Residents of other countries can find the counterparts to the CAFC in their country, such as the Fraud.org website in the United States;

One of the victims that I’ve helped made a comment regarding this virus and its use of Bitcoin:

“This just proves that Bitcoin is illegal, and it’s only a matter of time until governments ban it for taking advantage of people like me.”

I sympathize with all of the victims of this ransom, but personally I feel that blame should be placed squarely on the attacker and not on the medium of payment demanded. After all, people have held others hostage in demand of $1000s of dollars in unmarked bills; should the Canadian or US dollars be banned for taking advantage of people? Making these counter-arguments helped this victim see that the payment processor was not at fault, however I imagine many others who are less familiar with Bitcoin have jumped to the same erroneous conclusions, making the job of the Bitcoin Alliance of Canada that much more difficult.

The fact is, the easiest way to deal with these types of attacks is to be prepared in advance. If you don’t have a backup of your data, now is the best time to make one.

Until next time,

Michael Perklin