CryptoLocker had struck once more, dodging Symantec anti-malware and spam filtering, says Rick Topping, vice president at Ceeva. CryptoLocker is so "dynamic," Topping remarked, it sometimes manages to evade anti-malware software. Ceeva, too, found it was necessary to go through a back-up and restoration process to regain its files, which in this case took half a day.
Leckie, still puzzling over exactly which CryptoLocker-infected e-mail hit his partner, says fighting off CryptoLocker was a disruptive experience. Backing up data is critical to the operation of the business, he noted, adding that it makes him glad that at his law firm, "we're still saving the paper."
Anti-malware firms asked about CryptoLocker and what they've seen of it since it was first noticed in the September timeframe say it's primarily targeting the U.S. through phishing e-mail and is likely being run as a criminal operation by a Russian-speaking cyber-gang.
CryptoLocker "mostly targets English-language-speaking people" mainly in the U.S., but also the U.K., Australia and Canada, says Jerome Segura, senior security researcher at Malwarebytes.
Because CryptoLocker uses 256-bit AES encryption to lock up victims' data, breaking it by hand is not realistically possible, malware researchers agree. The best way to ensure that you can get your data back is a solid backup kept where CryptoLocker cannot reach and infect it. "And that backup service should have backups of its backups," says Adam Wosotowsky, McAfee messaging data architect.
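The backup design the researchers describe, as an added example that is not from the article or any vendor quoted in it: a versioned, append-only backup target that an infected client can write new snapshots to but can never alter, replicated to a second store ("backups of its backups"), with a restore that walks back past any snapshot taken after the damage. The `SnapshotStore` class, the UTF-8 plausibility check and every file in the scenario are constructed for this example.

```python
"""Added example (not from the article): a model of a versioned, append-only
backup target that an infected client cannot overwrite, plus replication of
that target to a second store. All data below is constructed."""
import hashlib
from typing import Callable, Dict, List


class SnapshotStore:
    """Append-only backup target. A client may push new snapshots but has no
    API to alter or delete an existing one, so malware running on the client
    cannot reach the copies taken before the infection."""

    def __init__(self) -> None:
        self._snapshots: List[Dict[str, bytes]] = []

    def push(self, files: Dict[str, bytes]) -> int:
        # Copy on ingest so later changes on the client cannot leak into the store.
        self._snapshots.append({path: bytes(data) for path, data in files.items()})
        return len(self._snapshots) - 1

    def get(self, index: int) -> Dict[str, bytes]:
        # Hand out a copy; callers cannot mutate the stored snapshot through it.
        return dict(self._snapshots[index])

    def __len__(self) -> int:
        return len(self._snapshots)

    def replicate_to(self, other: "SnapshotStore") -> None:
        """Copy every snapshot the other store does not yet hold (the
        'backup of the backup'). Both stores are append-only, so the prefix matches."""
        for snapshot in self._snapshots[len(other):]:
            other.push(snapshot)


def looks_clean(files: Dict[str, bytes]) -> bool:
    """Constructed plausibility check for this toy data set: every document is
    UTF-8 text. Ciphertext is opaque bytes and fails to decode."""
    for data in files.values():
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False
    return True


def latest_clean(store: SnapshotStore,
                 is_clean: Callable[[Dict[str, bytes]], bool]) -> int:
    """Walk snapshots newest-first and return the index of the last one that
    passes the check. A scheduled job run after the infection may already have
    captured encrypted files, so the newest snapshot is not automatically safe."""
    for index in range(len(store) - 1, -1, -1):
        if is_clean(store.get(index)):
            return index
    raise LookupError("no clean snapshot available")


def simulate_incident() -> dict:
    """Constructed scenario: two good backups, then file loss, then a backup of
    the damaged files, then a restore from the last clean snapshot."""
    workstation = {"docs/contract.txt": b"Client agreement, revision 3",
                   "docs/notes.txt": b"Meeting notes"}
    primary, offsite = SnapshotStore(), SnapshotStore()

    primary.push(workstation)
    primary.replicate_to(offsite)

    workstation["docs/notes.txt"] = b"Meeting notes, updated"
    primary.push(workstation)
    primary.replicate_to(offsite)

    # Constructed data loss: every file replaced by opaque bytes that cannot be
    # valid UTF-8 (0xFF never appears in UTF-8). No real cipher is involved.
    damaged = {path: b"\xff" + hashlib.sha256(data).digest()
               for path, data in workstation.items()}
    primary.push(damaged)          # the scheduled job backs up the damage too
    primary.replicate_to(offsite)

    index = latest_clean(primary, looks_clean)
    return {"snapshots_primary": len(primary), "snapshots_offsite": len(offsite),
            "restore_index": index, "restored": primary.get(index)}


if __name__ == "__main__":
    print(simulate_incident())
```

The design choice that matters is that the client only ever holds a push-only credential: if the backup job can overwrite or delete old snapshots, the malware running under that job's account can too, and the "half a day" restore the article describes becomes impossible.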
CryptoLocker's extortionists promise to send the private key for unlocking your encrypted data through their botnet-based command-and-control system if payment, typically $300, is received through Bitcoin. But sometimes the key isn't delivered anyway, if only because CryptoLocker's automated system puts time limits on the victim's response.
Trend Micro has tracked that limit as typically being 72 hours. But that's subject to change, of course. Trend Micro's threat communications manager Christopher Budd says CryptoLocker tries every trick possible to be evasive, so sometimes anti-malware software will detect and stop it, other times not.
Anti-malware firm Bitdefender this week said it has been tracking how CryptoLocker works by "sinkholing" its botnet command-and-control servers, determining that in just the Oct. 27 to Nov. 1 timeframe, CryptoLocker managed to hit 10,000 victims.
Razvan Stoica, communications specialist at Bitdefender, says CryptoLocker's targets appear to be almost exclusively in the U.S. Why here is unknown, he says, but perhaps "that's where the money is." CryptoLocker's fast-shifting command-and-control infrastructure, however, lives mainly outside the U.S., on servers in Russia, Germany, Kazakhstan and the Ukraine. A number of malware researchers think that law enforcement will eventually catch up with the cyber-criminals operating CryptoLocker, perhaps by tracking them through the Bitcoin system.
CryptoLocker right now appears to rely solely on sending volumes of phishing e-mail with dangerous attachments, hoping to trick the victim into opening an attachment and letting CryptoLocker loose in an organization. It doesn't seem to be used as a targeted attack against specific companies but arrives in waves carrying the typical spam deceptions, such as appearing to come from FedEx or U.P.S., according to some researchers.
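A mail-gateway triage rule for the carrier-themed lures just described, as an added example that is not from the article or any vendor it quotes: it flags a message whose display name or subject claims a carrier brand while the sender address belongs to a different domain, and quarantines it when it also carries an attachment. The `BRAND_DOMAINS` table (mapping each brand to the domain assumed to be its legitimate sender), the `example-mail.net` and `example.org` addresses and all four sample messages are constructed for this example.

```python
"""Added example (not from the article): a triage rule for brand-impersonating
e-mail with attachments. The brand-to-domain table and every sample message
are constructed for this example."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed legitimate sending domains for each brand (an assumption of this example).
BRAND_DOMAINS = {"fedex": ("fedex.com",), "ups": ("ups.com",)}


def _brands_mentioned(text: str) -> list:
    # Normalise "U.P.S." to "ups" and match whole tokens so "groups" is not "ups".
    tokens = set(re.findall(r"[a-z0-9]+", text.lower().replace(".", "")))
    return [brand for brand in BRAND_DOMAINS if brand in tokens]


def _domain_matches(domain: str, allowed) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def triage(raw_message: str) -> dict:
    """Classify one RFC 822 message as deliver / review / quarantine."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]

    claimed = _brands_mentioned(display_name + " " + msg.get("Subject", ""))
    impersonated = [b for b in claimed if not _domain_matches(domain, BRAND_DOMAINS[b])]

    if impersonated and attachments:
        verdict = "quarantine"      # brand claim, foreign domain, and a payload
    elif impersonated:
        verdict = "review"          # brand claim from a foreign domain, no payload
    else:
        verdict = "deliver"
    return {"sender_domain": domain, "brands_claimed": claimed,
            "impersonated": impersonated, "attachments": attachments,
            "verdict": verdict}


def build_sample(from_header: str, subject: str, attachment_name: str = "") -> str:
    """Constructed test message; the attachment body is two dummy bytes."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "staff@example.org"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    if attachment_name:
        msg.add_attachment(b"\x00\x01", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


# Constructed samples: two carrier lures, one message from the brand's own
# domain, and one ordinary internal message.
SAMPLES = {
    "lure": build_sample("FedEx Customer Service <tracking@example-mail.net>",
                         "Delivery failure notice", "notice.zip"),
    "lure_no_attachment": build_sample("U.P.S. Notifications <noreply@example-mail.net>",
                                       "Shipment update"),
    "genuine_domain": build_sample("FedEx <noreply@fedex.com>",
                                   "Your shipment", "label.pdf"),
    "internal": build_sample("Accounting <accounting@example.org>",
                             "Invoice", "invoice.pdf"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw)["verdict"])
```

The rule is deliberately narrow: it keys on the mismatch between the brand a message claims and the domain it actually comes from, which is the one property of these lures the article describes, and it does not try to judge the attachment's contents.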