One of the latest ransomware threats, Cryptolocker, has been successful in infecting PC users because its encryption has proved difficult to crack, researchers said. That success may change, however, now that researchers have sinkholed some of its domains.
The malware's encryption scheme has yet to be cracked, and whether it can be at all remains an open question, Kaspersky Lab researchers said.
“For each victim, it connects to its command-and-control (C2) to download an RSA public key that is used to encrypt the data. For each new victim, another unique key is created and only the Cryptolocker authors have access to the decryption keys,” said researcher Costin Raiu.
Victims get a message saying they have three days to pay up; otherwise the encryption key will be destroyed and their files lost forever unless they have a backup.
One question researchers want answered is how many users fell for the ploy.
Using the malware's domain generation algorithm, which was reverse-engineered by ThreatTrack Security's Dimiter Andonov, Kaspersky researchers sinkholed three domains that serve as C2 servers for the malware. They found that in just four days, 2,764 unique victim IP addresses contacted them, mostly from the U.S., UK, India and Canada.
But, they point out, victims who react quickly can prevent the malware from encrypting their files.
“If your data has already been encrypted, the worst thing to do is to pay the bad guys. This will encourage them to expand and strengthen the attack techniques,” Raiu said, adding that the best protection is to keep AV and host IPS solutions updated and to back up regularly.