
I am just asking in case someone has already done the analysis. A customer has a large set of network drives that were mapped to a CryptoLocker infected machine. The infection itself has been treated. I am looking for a tool or just a binary pattern to match to verify that a file is not encrypted based on a header/identifying characteristic of some sort in the file itself.

Yes, I know the list of encrypted files is in the infected machine's registry. We are looking for direct verification.

To clarify: We know what extensions could be affected, I am just looking for a way to check if a specific file is encrypted without having a human double clicking on it. Millions of files potentially affected so a manual test is not an option. Thus far my fallback is good ol' "file" which will give me a confirmed OK, but only on some file types.

I haven't found any commonalities between sample encrypted files yet, other than "that looks random".

Paul Doom
    CryptoLocker looks for and encrypts the below file extensions, you could do a search and check each file for encryption. *.odt,*.ods,*.odp,*.odm,*.odc,*.odb,*.doc,*.docx, *.docm,*.wps,*.xls,*.xlsx,*.xlsm,*.xlsb,*.xlk,*.ppt,*.pptx, *.pptm,*.mdb,*.accdb,*.pst,*.dwg,*.dxf,*.dxg,*.wpd,*.rtf, *.wb2,*.mdf,*.dbf,*.psd,*.pdd,*.pdf,*.eps,*.ai,*.indd, *.cdr,*.jpg,*.jpe,img_*.jpg,*.dng,*.3fr,*.arw,*.srf,*.sr2, *.bay,*.crw,*.cr2,*.dcr,*.kdc,*.erf,*.mef,*.mrw,*.nef, *.nrw,*.orf,*.raf,*.raw,*.rwl,*.rw2,*.r3d,*.ptx, *.pef,*.srw,*.x3f,*.der,*.cer,*.crt,*.pem,*.pfx,*.p12, *.p7b,*.p7c – Four_0h_Three Oct 24 '13 at 17:48
    It also encrypts .zip files, at least in recent versions. – Josh Townzen Jun 03 '14 at 23:28

6 Answers


We created a free scan tool that finds CryptoLocker encrypted files and dumps the list into a CSV file. This is handy when trying to figure out what files need to be restored from backup.

http://omnispear.com/tools/cryptolocker-scan-tool

Brad Churby
  • +1 This tool worked great. I only wish it could do a breadth-first search instead of depth-first. That would make it easier to determine the extent of CryptoLocker damage. – Nic Feb 05 '14 at 00:57
    I'm going to click on a random URL to a random program from a random guy on the internet which will help "fix" my computer. – Felipe Alvarez Aug 04 '15 at 02:39

CryptoUnlocker can detect (and decrypt, if you have the private key) files encrypted by Cryptolocker. The "CryptoLocker Encrypted File Format" section describes the format of a cryptolocked file, but in short, you can detect one by doing the following:

  1. Read the first 20 bytes of the file (this is a SHA1 hash)
  2. Read the next 256 bytes, and prepend four zero bytes to the result
  3. SHA1 the result from step #2 and compare it to the result from step #1. If they're the same, this file is Cryptolocked.

Josh Townzen
  • Ah, but this is not necessarily true with later "Cryptolocker implementations" which continue to be a pest (likely to get worse). – David Tonhofer Aug 20 '15 at 15:51
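The three-step header check above, written out as a scanner (added example, not code from CryptoUnlocker or from the answer's author). It assumes only the layout the answer describes: a 20-byte SHA-1 followed by a 256-byte blob, where SHA-1(four zero bytes + blob) equals the stored hash; `make_sample` builds a constructed fixture in that layout for testing, and later variants that use a different layout will not be caught.

```python
import hashlib
import os

HASH_LEN = 20                    # leading SHA-1 digest
BLOB_LEN = 256                   # 256-byte blob that follows it
HEADER_LEN = HASH_LEN + BLOB_LEN


def is_cryptolocked(data: bytes) -> bool:
    """True if the first 276 bytes follow the CryptoLocker header layout:
    SHA-1(b'\\x00' * 4 + bytes[20:276]) == bytes[0:20]."""
    if len(data) < HEADER_LEN:
        return False
    stored_hash = data[:HASH_LEN]
    blob = data[HASH_LEN:HEADER_LEN]
    return hashlib.sha1(b"\x00" * 4 + blob).digest() == stored_hash


def make_sample(blob: bytes) -> bytes:
    """Constructed test fixture with the same layout (not real ransomware output)."""
    assert len(blob) == BLOB_LEN
    return hashlib.sha1(b"\x00" * 4 + blob).digest() + blob + b"<ciphertext>"


def scan_tree(root: str) -> list:
    """Walk a directory tree and return paths whose header matches.
    Only the first 276 bytes of each file are read, so it is cheap on large shares."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if is_cryptolocked(fh.read(HEADER_LEN)):
                        hits.append(path)
            except OSError:
                continue            # unreadable file: skip, do not abort the scan
    return hits


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```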

I found no unique characteristic to draw on that would produce highly reliable results. The zip suggestion did not produce a significant difference with compressed formats like JPG or the newer compressed Office docs.

I turned to a clunky but semi-useful alternative: Comparing the file extension with the results of a "magic" check.

Instead of using the file command from a bash script I cooked up a Python script for some more power. (Here is the code: https://github.com/Citon/strangethings/releases/ ) The results were a decent starting point. Tuning your magic file database and fiddling with exceptions is required to reduce false positives.

To give it a try on a directory hit by CryptoLocker, download the StrangeThings package and install it following the README directions. Then, copy "strangethings.conf-SAMPLE" to "strangethings.conf". Run it like so:

strangethings.py -c strangethings.conf -s cryptolocker DIRECTORYTOSCAN

YMMV. Tested on Linux (Debian and CentOS). See the answer from @brad-churby for a similar tool for Windows from OmniSpear.

Paul Doom

Normal files aren't supposed to look random. That means they contain patterns that distinguish them from the random noise you would find in most encrypted files.

An encrypted file shouldn't get smaller when you zip it. If a file gets smaller you can be pretty certain that it's not encrypted.

Of course it doesn't go the other way around and you might still have to check the files that don't get smaller when you zip them.

Christian
  • That is a good point, and correct in many cases, however, not a signature that can be reliably scanned for without human intervention. – Paul Doom Oct 25 '13 at 16:11
  • @PaulDoom : A script should be able to automatically zip files and compare their size. – Christian Oct 25 '13 at 16:22
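A triage script combining the two heuristics from the previous two answers: the extension-versus-magic comparison behind StrangeThings, and the "does it still compress" test from this answer (added example, not the StrangeThings code or the answers' authors' code). The signature table is a constructed subset covering types named in the thread; a real run would use libmagic's database as the `file` command does. The compression test is one-sided, as the answer notes: "ok" is a confirmed result, "check" only means a human or another tool still has to look.

```python
import os
import random
import zlib

# Constructed magic-byte table for a few extensions from the question's list.
MAGIC = {
    ".pdf":  [b"%PDF"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".zip":  [b"PK\x03\x04"],
    ".docx": [b"PK\x03\x04"],          # newer Office docs are zip containers
    ".xlsx": [b"PK\x03\x04"],
    ".pptx": [b"PK\x03\x04"],
    ".doc":  [b"\xd0\xcf\x11\xe0"],    # OLE compound document
    ".xls":  [b"\xd0\xcf\x11\xe0"],
}


def magic_matches(ext: str, data: bytes):
    """True/False if a signature is on record for ext, None if we have none."""
    sigs = MAGIC.get(ext)
    if sigs is None:
        return None
    return any(data.startswith(sig) for sig in sigs)


def shrinks(data: bytes, threshold: float = 0.95) -> bool:
    """Does deflate get the data below `threshold` of its original size?
    Real documents compress; ciphertext (and already-compressed formats) do not."""
    if not data:
        return False
    return len(zlib.compress(data, 9)) / len(data) < threshold


def triage(name: str, data: bytes) -> str:
    ext = os.path.splitext(name)[1].lower()
    match = magic_matches(ext, data)
    if match is True:
        return "ok"       # header is what the extension promises
    if match is False:
        return "check"    # extension/magic mismatch: the StrangeThings signal
    if shrinks(data):
        return "ok"       # compressible content is not ciphertext
    return "check"        # incompressible and no signature: inconclusive


def constructed_random(n: int, seed: int = 7) -> bytes:
    """Deterministic stand-in for an encrypted file body (constructed, not real)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))
```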

What I found when our company got hit was that each file on the server that got encrypted also had its ownership changed to that of the user that owned the infected PC. For the most part it was a matter of searching all drives for files owned by that person, and it was clear that those files also all had the same change dates if they were corrupted. I found a program that allows you to search by owner here: www.grinadmin.com It's a free standalone executable that worked VERY well and lets you create a csv file for the results of each scan. The only problem I had was on server shares where this individual normally had a lot of his own files. That was hopeless as there were over 17,000 files showing owned by him in hundreds of folders. I'll try the CryptoLocker scan tool mentioned above on that share and see. I'm so glad we invested in a sophisticated backup system! Whew! Interesting thing to note: The infection came via an email masquerading as one from our headquarters offering a digital voicemail. It was in a wav file! Two of the infected files on his laptop were RealPlayer files so that makes sense.


We mounted a backup image from before the attack and ran WinMerge.

Tips on making it very easy to restore:

Under options, set Compare method to "Quick Contents", [x] Stop after first difference, and 1mb Quick compare limit.

And then because Cryptolocker doesn't change the modify date/time, sort by modified time and don't copy all the files marked with a * in the timestamp field.