Hey guys, Aura here with another [WARNING] thread.
Over the last year or two, a new kind of malware has emerged from the black hat forums: a combination of ransomware and file-encrypting malware that goes by the name of "Cryptowares". These malwares encrypt files with pre-defined extensions on a system (like .png, .mp3, .docx, etc.), then totally lock down your computer and demand a ransom in order to decrypt the files. There is no way to actually get those files back except to pay the ransom, find a flaw in the malware, retrieve the key that was used for the encryption and decrypt the files yourself, or restore the encrypted files from a backup or from the Windows Volume Shadow Copy service. These malwares became so popular that many developers started creating their own variants, making Cryptowares one of the most efficient malware-related ways to make money. However, that boom also attracts a lot of malware developers, experienced and inexperienced alike.
ZeroLocker, a new Cryptoware in the CryptoLocker family, has been released and is now being spread. ZeroLocker encrypts your files using AES and, once it is done, displays a warning note explaining the situation and telling you that it can actually "help" you regain your files for a starting price of $300 in BTC, which rises to $600 after 5 days and $1000 after 10 days (all in USD). What is new in this Cryptoware is that it encrypts EVERY file on your C: drive, executables included, except files that sit under specific "white-listed" folders (those whose path contains the words Windows, WINDOWS, Program Files, ZeroLocker or Desktop) or that are larger than 20 MB. Once a file has been successfully encrypted, ".encrypted" is appended to its file name. After that, the following command is run:
Code:
C:\Windows\system32\cipher.exe /w:C:\
This command overwrites the free space on your C: drive, i.e. the clusters that used to hold the original files ZeroLocker deleted after encrypting them. That is what prevents you from using data recovery tools (such as EaseUS Data Recovery Wizard, Recuva, GetDataBack NTFS, etc.) to carve the originals back out of unallocated space. A folder called "ZeroLocker" is created directly on the C: drive; it contains various files and ZeroRescue.exe, the decryptor meant to decrypt your files if you pay the ransom. That executable is launched at startup via a registry Run entry when you log in to your computer.
However, here comes the biggest flaw, the one that makes this Cryptoware the most dangerous one to this day. When ZeroLocker uploads the key it used to encrypt the files on a system to its Command and Control (C&C) server, the server answers with an HTTP 404 status code, which means the requested page does not exist on the server. Normally such an upload should return an HTTP 200 status code, which means the request was handled successfully. The result is that the key used to encrypt the files on that system is simply lost: even if you pay the ransom, ZeroLocker cannot hand your key back to decrypt your files, so you pay and receive nothing in exchange. The only way that key could still be recovered is by the developer manually digging through the HTTP access logs of the C&C server, and that assumes the key shows up in a part of the request the web server actually logs (a POST body normally does not), that logs are kept at all, that the developer bothers to go through them, and that they have not already been deleted or rotated (overwritten). This is a big coding mistake from a developer who released the product too quickly and never tested it. Without the key, there is no way to decrypt your files, as the encryption used is far too strong to be broken.
However, there is one option left for those who get infected with ZeroLocker. This malware does not delete the Volume Shadow Copies (the snapshots behind System Restore and the "Previous Versions" feature), which means you can restore earlier versions of your files with a program like Shadow Explorer or with the built-in "Previous Versions" tab in Windows. This only works if the Volume Shadow Copy service was enabled and had taken a snapshot of the drive before the infection, though.
To this day, this Cryptoware is the most dangerous there is, not only because it also encrypts your executable files and demands the highest ransom of all the Cryptowares, but because its coding flaw gives you NO CHANCE AT ALL of recovering your encrypted files by paying the ransom: the only way to get that data back is to restore it from Previous Versions or from a backup you took.
Researchers at Kaspersky Lab analyzed the malware and state that it is inspired by CryptoLocker, borrows a few of its features but also adds its own to make it more dangerous, not even counting the loss of the key along the way.
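To turn the behaviour described above into something you can actually check on a suspect machine, here is a read-only PowerShell triage script. It is an added example written for this thread, not code from the original post or from Grinler's analysis. The folder C:\ZeroLocker, the file name ZeroRescue.exe, the ".encrypted" suffix and the white-listed folder names come from the description above; the set of Run keys inspected, the Prefetch check and the output format are my own choices, and since the name of the registry value is not documented here, every value under those keys is inspected.

```powershell
# Added example (not from the original post or Grinler's analysis): read-only
# triage for the ZeroLocker artifacts described in this thread. Nothing is
# modified, so it is safe to run on a machine you still need to image.
$findings = @()

# 1. The drop folder and the "decryptor" it leaves behind.
$dropDir = 'C:\ZeroLocker'
if (Test-Path -LiteralPath $dropDir) {
    $findings += "Drop folder present: $dropDir"
    Get-ChildItem -LiteralPath $dropDir -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "  $($_.FullName) ($($_.Length) bytes)" }
}

# 2. Persistence: any Run/RunOnce value whose data points at ZeroRescue.exe or the
#    drop folder. The value name is not documented, so every value is inspected.
#    (Which keys to check is my assumption; the post only says "via the registry".)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'ZeroRescue|ZeroLocker') {
            $findings += "Autorun: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Encrypted files: ".encrypted" appended to the original name. The white-listed
#    folders are skipped because ZeroLocker never touches them; -match is
#    case-insensitive, so "Windows" also covers "WINDOWS".
$skip = 'Windows|Program Files|ZeroLocker|Desktop'
$encrypted = @(Get-ChildItem -Path 'C:\' -Recurse -File -Filter '*.encrypted' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -notmatch $skip })
$findings += "Encrypted files found: $($encrypted.Count)"
# Summarise by the original extension ("report.docx.encrypted" -> ".docx") so you
# can see at a glance what kind of data was hit.
$encrypted | Group-Object -Property { [IO.Path]::GetExtension($_.BaseName) } |
    Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object { $findings += "  $($_.Count) x *$($_.Name).encrypted" }

# 4. Evidence that cipher.exe was executed (the free-space wipe). Prefetch only
#    records this if Prefetch is enabled on the machine, so absence proves nothing.
$prefetch = Get-ChildItem -Path 'C:\Windows\Prefetch' -Filter 'CIPHER.EXE-*.pf' -ErrorAction SilentlyContinue
foreach ($pf in $prefetch) {
    $findings += "cipher.exe prefetch entry: $($pf.Name), last run around $($pf.LastWriteTime)"
}

$findings
```

Run it from an elevated prompt so the HKLM keys and every user profile are readable. A hit on items 1 or 2 plus a non-zero count on item 3 is ZeroLocker as described above; the Prefetch entry only tells you cipher.exe ran, not what arguments it got.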
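For the shadow-copy route, here is how to do it from PowerShell without Shadow Explorer, as an added example that is not part of the original post. It assumes the encrypted file is C:\Users\alice\Documents\report.docx.encrypted (a path made up for the example), that VSS had taken at least one snapshot of C: before the infection, and that the script runs from an elevated PowerShell prompt, since creating a directory link to a shadow device needs admin rights.

```powershell
# Added example (not from the original post): restore the pre-encryption copy of
# a file from a Volume Shadow Copy. The encrypted path below is made up.
$encryptedFile = 'C:\Users\alice\Documents\report.docx.encrypted'
$original      = $encryptedFile -replace '\.encrypted$', ''   # name before ZeroLocker renamed it
$relative      = $original.Substring(3)                        # strip "C:\" (assumes the C: drive)
$restoreDir    = 'C:\Restored'

# Only snapshots of the C: volume matter; VolumeName on Win32_ShadowCopy is the
# same "\\?\Volume{...}\" GUID path that Win32_Volume reports as DeviceID.
$cVolume = (Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq 'C:' }).DeviceID
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $cVolume } |
    Sort-Object InstallDate -Descending)   # newest first

if ($shadows.Count -eq 0) {
    throw 'No shadow copies on C:; restore from an external backup instead.'
}

New-Item -ItemType Directory -Path $restoreDir -Force | Out-Null

foreach ($sc in $shadows) {
    # A shadow device (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) is only
    # reachable through a directory symlink; the trailing backslash on the
    # device path is required, otherwise mklink produces a dead link.
    $link = Join-Path $env:TEMP ('vss_' + $sc.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($sc.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $link $relative
        # A snapshot taken after the infection holds only the .encrypted copy, so
        # the original name is missing there and we fall through to an older one.
        if (Test-Path -LiteralPath $candidate) {
            $dest = Join-Path $restoreDir (Split-Path $original -Leaf)
            Copy-Item -LiteralPath $candidate -Destination $dest
            "Restored $original from snapshot taken $($sc.InstallDate) -> $dest"
            break
        }
    }
    finally {
        # rmdir on a directory symlink removes the link only, never the snapshot.
        cmd /c rmdir "$link" | Out-Null
    }
}
```

Snapshots are walked from newest to oldest and the first one that still has the file under its original name wins, which is the last state before ZeroLocker deleted it. Once you have confirmed the snapshot is good, it is faster to keep that one link and copy whole folders out of it than to repeat the loop per file.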
I wrote this article by reading Grinler's post on BleepingComputer here :
ZeroLocker - a new destructive encrypting ransomware
The credits for the pictures and information contained in this thread go to him entirely, good job Grinler.
Another article on ZeroLocker has been published on ZDNet, here :
New ZeroLocker crypto-ransomware offers discount for paying up quickly - or $1,000 in Bitcoin
Once again, I cannot stress enough how important backing up your data is these days, with these Cryptowares around and even with the other malwares. Having an external HDD or cloud storage with scheduled backups is a must-have nowadays, so that you have a rescue plan in case something bad really happens, and not only something caused by malware.
CryptoPrevent, developed by FoolishIT, can also be used to prevent ZeroLocker (and other Cryptowares, and even other malwares) from being executed on your system. The tool has both a free and a paid version, but the free one should do a good job by itself.
Once again, be very, very careful about what you do on the web and on your computer, guys.
Stay safe and secure.