16/02/2016
15:55

New attack by the Crypto-Malware CryptoLocky alias LockyCripter ==> RED ALERT: DO NOT OPEN THOSE E-MAILS!!!


The C.R.A.M. of TG Soft has identified a new family of Crypto-Malware, called CryptoLocky alias LockyCripter, that encrypts files and gives them the .locky extension!!

Today, Tuesday 16th February, the C.R.A.M. of TG Soft has observed a massive e-mail campaign requesting payment of a fake invoice attached to the message, with the structure shown below:
  • The e-mail appears to come from a sender who is probably unknown to the recipient (highlighted in the red ellipse).
  • The company requesting the payment, the alleged creditor, is probably also unknown to the recipient (highlighted in the red rounded box).
Example of an infected e-mail: running the attachment unleashes LockyCripter (image).
The body of the message is in English and written in an orderly manner. If you have not made purchases abroad and have no dealings with the companies indicated, it is essential NOT to OPEN / RUN the attachment!!!

The analysed e-mails differ from each other while keeping the same structure. For the reasons above, the attachment should not tempt you into opening it: although it appears to be a Word file, it is something quite different:
  • invoice_<random string>.doc
It is a seemingly harmless .doc file, but one that downloads and runs the Crypto-Malware called CryptoLocky alias LockyCripter.


Absolutely avoid opening / running the attachment: it triggers the encryption into .locky of the data files on the PC / SERVER, as well as on every shared folder the machine can reach.

When the document "invoice_<random string>.doc" is opened, a macro is executed that downloads and runs an executable with a random name containing CryptoLocky.
That executable then copies itself into the user's %temp% folder under the name SVCHOST.EXE.

At this point CryptoLocky deletes the Volume Shadow Copies with the command: vssadmin.exe Delete Shadows /All /Quiet

Once this is done, it starts a series of parallel threads to encrypt the documents (in our test, 13 threads were running).
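The infection chain described above (Word macro launching a downloaded executable, the copy in %temp% named svchost.exe, the shadow-copy deletion) is what a detection rule on process-creation telemetry should catch. The following is an added example written for this page, not TG Soft's code and not code taken from the malware: three rules run over constructed process-creation events in the style of Sysmon Event ID 1 (ParentImage / Image / CommandLine). The user name "alice", the dropper name "ladybi.exe" and the paths are placeholders chosen for the example, not observed indicators.

```python
import ntpath

# Constructed sample events (not real telemetry from the analysed infection).
# Names and paths are placeholders: "ladybi.exe" stands in for the random-named
# executable the macro downloads.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\ladybi.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\ladybi.exe"'},
    {"ParentImage": r"C:\Users\alice\AppData\Local\Temp\ladybi.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\svchost.exe"'},
    {"ParentImage": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe Delete Shadows /All /Quiet"},
    # Benign activity that must not fire: the real service host, and an
    # administrator merely listing shadow copies.
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe list shadows"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_shadow_deletion(command_line):
    """True for 'vssadmin.exe Delete Shadows /All /Quiet' and case/spacing variants."""
    tokens = command_line.lower().split()
    if not tokens:
        return False
    exe = ntpath.basename(tokens[0].strip('"'))
    return exe == "vssadmin.exe" and {"delete", "shadows", "/all"} <= set(tokens)


def analyse(events):
    """Return (event index, rule name) pairs for every rule an event matches."""
    findings = []
    for i, ev in enumerate(events):
        image = ev["Image"].lower()
        image_name = ntpath.basename(image)
        parent_name = ntpath.basename(ev["ParentImage"].lower())
        # Rule 1: the macro in invoice_<random>.doc launching a downloaded executable.
        if parent_name in OFFICE_APPS and image_name.endswith(".exe"):
            findings.append((i, "office_spawned_executable"))
        # Rule 2: the %temp%\svchost.exe copy masquerading as the service host.
        if image_name == "svchost.exe" and ntpath.dirname(image) not in SYSTEM_DIRS:
            findings.append((i, "svchost_outside_system_dir"))
        # Rule 3: shadow copies being wiped before the encryption threads start.
        if is_shadow_deletion(ev["CommandLine"]):
            findings.append((i, "shadow_copy_deletion"))
    return findings


if __name__ == "__main__":
    for idx, rule in analyse(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Rule 3 is the one worth alerting on with the highest priority: deleting all shadow copies with /Quiet is almost never done by a legitimate program, and it happens before the files are touched, so an alert here still leaves time to pull the LAN cable as recommended below. Rules 1 and 2 are cheaper to evade but fire earlier in the chain.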

CryptoLocky encrypts every file having one of the following extensions:

.m4u .m3u .mid .wma .flv .3g2 .mkv .3gp .mp4 .mov .avi .asf .mpeg .vob .mpg .wmv .fla .swf .wav .mp3 .qcow2 .vdi .vmdk .vmx .gpg .aes .ARC .PAQ .tar .bz2 .tbk .bak .tar .tgz .gz .7z .rar .zip .djv .djvu .svg .bmp .png .gif .raw .cgm .jpeg .jpg .tif .tiff .NEF .psd .cmd .bat .sh .class .jar .java .rb .asp .cs .brd .sch .dch .dip .pl .vbs .vb .js .h .asm .pas .cpp .c .php .ldf .mdf .ibd .MYI .MYD .frm .odb .dbf .db .mdb .sql .SQLITEDB .SQLITE3 .asc .lay6 .lay .ms11 (Security copy) .ms11 .sldm .sldx .ppsm .ppsx .ppam .docb .mml .sxm .otg .odg .uop .potx .potm .pptx .pptm .std .sxd .pot .pps .sti .sxi .otp .odp .wb2 .123 .wks .wk1 .xltx .xltm .xlsx .xlsm .xlsb .slk .xlw .xlt .xlm .xlc .dif .stc .sxc .ots .ods .hwp .602 .dotm .dotx .docm .docx .DOT .3dm .max .3ds .xml .txt .CSV .uot .RTF .pdf .XLS .PPT .stw .sxw .ott .odt .DOC .pem .p12 .csr .crt .key wallet.dat


CryptoLocky encrypts each document and renames it with a random name and the .locky extension.
Example:
  • 1DD6FF20B0293D341C12403B3C699ADF.locky
  • 1DD6FF20B0293D348FE972E2C3923FEC.locky
Afterwards the original document files are fully overwritten with the character "U" and then deleted.

The malware adds the following registry value so that it runs automatically at every logon:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
[Locky] = %temp%\svchost.exe


After encrypting the files, CryptoLocky creates _Locky_recover_instructions.txt files containing the ransom instructions. The note, which is delivered in Italian, reads in translation:

            !!! IMPORTANT INFORMATION !!!!

All of your files have been encrypted with the RSA-2048 asymmetric algorithm and the AES-128 symmetric algorithm.
More information on the algorithms is available at:
    http://it.wikipedia.org/wiki/RSA
    http://it.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting your files is possible only with the private key and the decryption
program, which are located on our secret server.
To receive your private key go to one of the following links:
    1. http://6dtxgqam4crv6rr6.tor2web.org/1DD6FF20B0293D34
    2. http://6dtxgqam4crv6rr6.onion.to/1DD6FF20B0293D34
    3. http://6dtxgqam4crv6rr6.onion.cab/1DD6FF20B0293D34
    4. http://6dtxgqam4crv6rr6.onion.link/1DD6FF20B0293D34

If none of the above addresses is available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After successful installation, start the browser and wait for it to initialise.
3. In the address bar type: 6dtxgqam4crv6rr6.onion/1DD6FF20B0293D34
4. Follow the on-screen instructions.

!!! Your personal identification number is: 1DD6FF20B0293D34 !!!

It also changes the desktop background to the image _Locky_recover_instructions.bmp:


It creates the following registry key:

HKEY_CURRENT_USER\Software\Locky:
[id] = victim id
[pubkey] = RSA public key
[paytext] = ransom note text
[completed] = set to 1 once the encryption of the whole disk has finished
 
When CryptoLocky has finished with the whole disk, it registers its own executable in the "PendingFileRenameOperations" registry value so that Windows deletes it at the next reboot, leaving behind only the ransom instructions.
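The artefacts listed above (the .locky file names, the [Locky] Run value, the HKCU\Software\Locky key and the pending-rename self-deletion) are what a responder checks on a suspect machine. The following is an added example written for this page, not TG Soft's code: a triage routine run over a constructed registry snapshot and file listing. The user name "alice", the paths, the placeholder pubkey/paytext strings and the second file-name prefix on the file server are all invented for the example. Note that in the two encrypted names shown on this page the first 16 hex characters are exactly the victim id from the ransom note (1DD6FF20B0293D34); the routine uses that to tell this host's files from files with another prefix.

```python
import ntpath
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
LOCKY_KEY = r"HKEY_CURRENT_USER\Software\Locky"
SESSION_MANAGER_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"

# 32 hex characters plus .locky; group 1 is the 16-character victim id prefix.
LOCKY_NAME = re.compile(r"^([0-9A-F]{16})([0-9A-F]{16})\.locky$", re.IGNORECASE)
NOTE_NAMES = {"_locky_recover_instructions.txt", "_locky_recover_instructions.bmp"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed snapshot (not data exported from an infected host). Paths and
# the placeholder pubkey/paytext strings are illustrative only.
SAMPLE_REGISTRY = {
    RUN_KEY: {"Locky": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
              "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    LOCKY_KEY: {"id": "1DD6FF20B0293D34", "pubkey": "<RSA public key blob>",
                "paytext": "<ransom note text>", "completed": 1},
    # REG_MULTI_SZ pairs (source, destination); an empty destination means delete.
    SESSION_MANAGER_KEY: {"PendingFileRenameOperations":
                          [r"\??\C:\Users\alice\AppData\Local\Temp\svchost.exe", ""]},
}
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\1DD6FF20B0293D341C12403B3C699ADF.locky",
    r"C:\Users\alice\Documents\1DD6FF20B0293D348FE972E2C3923FEC.locky",
    r"C:\Users\alice\Documents\_Locky_recover_instructions.txt",
    r"C:\Users\alice\Documents\budget_2016.xlsx",
    # Invented name on a share whose prefix is not this host's victim id.
    r"\\fileserver\shared\0123456789ABCDEF89ABCDEF01234567.locky",
]


def triage(registry, files):
    """Collect the CryptoLocky indicators from a registry snapshot and a file list."""
    report = {"persistence": [], "victim_id": None, "completed": False,
              "encrypted_files": 0, "files_with_victim_id": 0,
              "foreign_victim_ids": set(), "ransom_notes": [],
              "self_delete_scheduled": False}

    # Run-key persistence: the [Locky] value, or any svchost.exe outside a system directory.
    for name, data in registry.get(RUN_KEY, {}).items():
        path = data.strip('"').lower()
        if name.lower() == "locky" or (ntpath.basename(path) == "svchost.exe"
                                       and ntpath.dirname(path) not in SYSTEM_DIRS):
            report["persistence"].append((name, data))

    # State left in HKCU\Software\Locky.
    locky = registry.get(LOCKY_KEY, {})
    report["victim_id"] = locky.get("id")
    report["completed"] = locky.get("completed") == 1

    # Encrypted files, ransom notes, and which victim id each encrypted name carries.
    for path in files:
        name = ntpath.basename(path)
        if name.lower() in NOTE_NAMES:
            report["ransom_notes"].append(path)
            continue
        m = LOCKY_NAME.match(name)
        if m:
            report["encrypted_files"] += 1
            if report["victim_id"] and m.group(1).upper() == report["victim_id"].upper():
                report["files_with_victim_id"] += 1
            else:
                report["foreign_victim_ids"].add(m.group(1).upper())

    # Self-deletion at next reboot: a (source, "") pair naming the svchost.exe copy.
    ops = registry.get(SESSION_MANAGER_KEY, {}).get("PendingFileRenameOperations", [])
    for src, dst in zip(ops[::2], ops[1::2]):
        if ntpath.basename(src).lower() == "svchost.exe" and dst == "":
            report["self_delete_scheduled"] = True
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REGISTRY, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

Two points matter in practice. First, [completed] = 1 together with a pending rename of the svchost.exe copy means a reboot will remove the sample, so the file in %temp% should be copied off for analysis before the machine is ever restarted. Second, on a shared folder an encrypted name whose prefix differs from this host's victim id would have been written by another infected client, which is a reason to look for a second machine on the LAN rather than only the one that raised the alarm.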


The ransom demanded by CryptoLocky:

To decrypt the files encrypted by CryptoLocky, a ransom of 0.5 or 1.00 Bitcoin is demanded.



How to protect yourself from CryptoLocky

As a general rule, never forget that malware or Crypto-Malware could hide behind any link or attachment in any e-mail.
Good practice is to avoid clicking links or e-mail attachments that arrive from strangers, or from people who seem known but send unexpected attachments. If you have unfortunately run the attachment that unleashes this new Crypto-Malware family called CryptoLocky and you are a Vir.IT eXplorer PRO customer, you can restore the files encrypted by the attack using Vir.IT BackUp, provided it was properly configured and in use.

To keep your valuable work safe, we invite you to configure and activate Vir.IT BackUp as soon as possible, if you have not already done so, so that you always have a recent backup protected by encryption from any new generation of Crypto-Malware such as this one. Click here for information on Vir.IT BackUp.

What to do to mitigate the damage from CryptoLocky

As already reported for other Crypto-Malware, as soon as you notice that data is being encrypted, proceed to:

  • DISCONNECT the LAN cable, so that the Crypto-Malware cannot also encrypt network drives (NAS, servers, etc.)
  • DO NOT reboot the machine, so that the Crypto-Malware does not resume encrypting files; if you have to restart the machine, turn it off instead and keep it off until you get in touch with TG Soft technical support at phone numbers 049/631748 and 049/632750, Monday to Friday 8:30 a.m. to 12:30 p.m. / 2:30 p.m. to 6:30 p.m.

This new Crypto-Malware family is still being analysed.

Final thoughts

We invite you to keep calm and, if you have not already done so, activate Vir.IT BackUp on the main folders where the data files of your valuable work are saved.


TG Soft
External Relations
Any information published on our site may be used and republished on other websites, blogs, forums, Facebook and/or in any other form, both on paper and electronically, as long as the source is always explicitly cited as "Source: CRAM by TG Soft www.tgsoft.it" with a clickable link to the original information and/or web page from which the text, ideas and/or images were taken.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgement would be appreciated: "Thanks to the Anti-Malware Research Center C.R.A.M. by TG Soft, whose original information we link to directly: [direct clickable link]"
