[Every1is=]

Price for decryption just went up to about 2100 dollars for people who've "lost" the key by means of AV software etc. removing it upon detection.

http://www.bleepingcomputer.com/forums/ ... n-service/

[patriq]

C&C at hxxp://93.189.44.187/ now showing this message form:

Code: Select all

This service allow you to purchase private key and decrypter for files encrypted by CryptoLocker.

If you already purchased private key using CryptoLocker, then you can download private key and decrypter for FREE.
Select any encrypted file and click "Upload" button.
The first 1024 bytes of the file will be uploaded to the server for search the associated private key. The search can take up to 24 hours. 

IMMEDIATELY AFTER UPLOADING FILE TO THE SERVER, YOU RECEIVE YOUR ORDER NUMBER. YOU CAN USE THIS NUMBER TO CHECK STATUS OF ORDER.
OR if you already know your order number, you may enter it into the form below. 

This service accessible through the Tor network:
http://f2d2v7soksbskekh.onion/

[erikloman]

We've just released a BETA version of HitmanPro.Alert 2.5 which contains CryptoGuard. Our universal solution against crypto ransomware that works at the file system level. More information, including a demonstration video, can be found here: http://www.hitmanpro.com/alert/cryptoguard

[Xylitol]

Hi Erik, on the demo video i see that the ransomware is still running and not suspended on background, did he encrypt stuff during this time ?

[Quads]

A User Report for HMP Alert 2.5 beta

"Now when I try and open Norton 360 the GUI flashes onto the screen then disappears. Once it's gone I can't bring it back. Uninstalled hmp beta and restarted, now Norton is working again."

[patriq]

Anyone have a new sample?

[Grinler]

Latest.

[AliveNoMore]

Are these droppers VM-aware? They seem to do nothing when I run them in a VM or in Sandboxie. And I have a specific VM without additions, changed hardware names/ids, etc.

[RP-Tech]

Has anyone seen this attached to zero-access rootkit ? Maybe have a sample of both, I am testing to see what can be done to prevent Cryptolocker from running.

Fellow tech and myself have had 2 users infected with Cryptolocker but also had zeroaccess attached which from some research seems to be point of entry in our case and Kaseya AV & Kaseya Malwarebytes Pro do not detect it at all KAV gets encrypted and rendered useless. KAM does not detect either, but the free download version picks up the rootkit and virus. Just wondering if anyone else has ran into this at all or not.

[ilyuha79]

According to the malware authors, only the first 1024 bytes of a file is uploaded to the C&C server in order to search for the matching private key in cases where you lost the public key, which could take up to 24 hours. So it sounds like the C&C uses some brute force method for searching for the key. So what would that do? Try every single private key that it has generated to decrypt the first 1024 bytes until it finds the right one? But how does it know which is the right key after the decryption process? If AES key is truly random, you wouldn't be able to tell just by looking at it what you've decrypted is an actual AES key. In order to tell, you could potentially add some kind of constant bit of data that will show up in the decrypted data once the right private key is used to decrypt it. Or, in a more complex case, you'd have to go a step further and use the supposed AES key you've decrypted to decrypt the actual file header (which I presume might be stored in the first 1024 bytes) and then check if the header looks like a document that might have been originally encrypted on the infected machine.
I'm curious if anyone knows if there is anything else besides the AES key that the CryptoLocker encrypts using the RSA public key that eventually gets stored together with the file?