WARNING Third Ransomware Strain Called CryptorBit Attacks



cryptorbit screenshot

Welcome to the new world of malware.

There is a third criminal ransomware gang ramping up their attacks. The malware is called CryptorBit, (also known as HowDecrypt), and follows a very similar attack process as CryptoLocker and CryptoDefense, but the malware corrupts the first 512 or 1024 bytes of any data file it finds, regardless of extension. It also seems to be able to bypass Group Policy settings that were put in place to defend against this type of ransomware infection. 

Infections with this recent CryptorBit strain are on the rise, and once a user's files are encrypted, up to $500 ransom in bitcoin is demanded to decrypt the files. It was initially released December 2013, and after debugging their criminal infrastructure, attacks are now increasing.

To add insult to injury, the cybercrims are also installing so-called cryptocoin miner software which utilizes the victim's computer to mine digital coins such as Bitcoin, which will get deposited in the malware developer's digital wallet, making them even more money. The cyber gang uses social engineering to get the end-user to install the ransomware using a fake Flash update, or install a rogue antivirus product. 

When the workstation is infected, the bad guys want you to install the Tor Browser, enter their address, and follow instructions on their website how to pay. They leave a friendly reminder that the sooner you pay, the more chance you have to "recover the files". Once you pay, supposedly you get their CryptorBit Decryptor program. Based on the payments sent to known CryptorBit Bitcoin addresses, quite a few people appear to have paid the ransom.

How To Recover Files

First wipe the infected machine(s), rebuild from the ground up, and restore the files from the most recent backup. If there are no backups, try to restore the files from Shadow Volume Copies. If these are not available, you can try to use a utility called DecrypterFixer written by Nathan Scott. (The link goes to a very good page at the bleepingcomputer forum about this topic.) You can check the owner of the encrypted files, which shows you where the infection started; i.e. which end-user opened the malicious attachment. 

How To Prevent This Infection

First, you cannot just rely on your antivirus (AV). AV products are normally running 6 hours behind attacks like this which is enough for the bad guys to get their "work" done and vanish. It takes a while for AV to become aware of the attack, find out what the malware looks like, and create a definition for it that needs to be downloaded to the workstation. So reactive defenses are not effective. Some AV products also have proactive defenses, blocking whole classes of files. Still those also fail on a regular basis. See the Virus Bulletin tests.

Cyber criminals are using known social engineering tactics to trick users into opening the attachments. That means your defense-in-depth needs to start with stepping your users through effective education like Kevin Mitnick Security Awareness Training. Once they have done that training they will think twice before they open a possibly infected attachment. And you get to schedule (set-it-and-forget-it) a whole year of regular simulated phishing attacks to your users which keeps them on their toes with security top of mind.  

With malware like this out there, security education and behavior management is a must for any organization where users have access to email and the web.




Subscribe To Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews