D357@RG (OP)
Newbie
Offline
Activity: 27
Merit: 0
November 09, 2013, 02:30:44 AM
Yesterday we had a client call up in hysterics - only 24 hours left before CryptoLock is going to throw away the encryption keys - all data gone! If interested, here are the screens she sent us: http://imgur.com/a/EHBRb

Last night, we had a poke around the blockchain to see where the ransom monies flow. Here is the ransom address we were provided: https://blockchain.info/address/1M83NXYuPpjEjYt8baXYxriQNCDyfWU8i3

Ransom address is cleared out with this transaction: https://blockchain.info/tx/c20079ca4a978a8b6eea1ba7fc2e3603b91dd73e34b7d381fa527d05ab3be375

The address where ransom is cleared to is interesting, to say the least... https://blockchain.info/address/1AEoiHY23fbBn8QiJ5y6oAjrhRY1Fb85uc

Total Received 4,691.06798731 BTC, and that is from 15-Oct-2013 to now. It's probably just one of a number of clearing/consolidation addresses. These guys are probably making USD50,000,000 a year or more!

BTW - we calmed her down, eventually solved her problem. As a side note: the CryptoLock people need to dumb down the bitcoin thing - there must be hundreds of victims out there, like this lady, who've never even heard of bitcoin.
AndrewWilliams
Full Member
Offline
Activity: 182
Merit: 100
Fourth richest fictional character
November 09, 2013, 03:50:23 AM
When I read this story I was shocked. It is so evil-y genius! Supposedly you have 48 hours to pay the 2 BTC ransom or your PC gets erased; if you wait past then, it bumps up to 10 BTC. Sounds like a friggin' movie!

Crypto Locker Virus Locks Down Critical Files, Demands Ransom
http://www.inquisitr.com/1007454/crypto-locker-virus-locks-down-critical-files-demands-ransom/

The Crypto Locker virus is being called one of the strongest and most devastating computer viruses in history, and it strikes by literally holding computer owners hostage.
The virus infects computers through a legitimate looking email, usually from a reputable company like FedEx or UPS. Once opened, the virus quickly spreads to the computer’s hard drive and then offers the user a chance to rid the program — for a hefty fee.
“Ransomware causes your computer files to be non-accessible and when that happens you have two choices. You can recover if you have a backup which I hope you do or pay the ransom within 100 hours. If you do not pay the ransom you lose all of your data,” technology expert Anthony Mongeluzo told MyFoxPhilly.
Simply ignoring the hostage takers isn’t an option, Mongeluzo said. If the computer has photos or files that are needed, the Crypto Locker Virus puts a lock on them that can only be opened when the ransom is paid.
“The way they’re accepting payments is bitcoin, a new form of cash that’s been making headway on the Internet. It’s used for lot of illegal activities.” Mongeluzo said.
The Crypto Virus struck news station ABC 33-40 in Birmingham, Alabama, leaving the station director with little choice but to pay the ransom.
“You buy this $300 Green Dot MoneyPak, you cannot use a credit card for it, it had to be cash or debit card. Once they claim the funds, they unlock your files. If those files had been lost, it could’ve affected 10 years’ worth of work by several departments,” said Ron Thomas.
Computer experts say there could be one way around the virus. There are already copycats to the Crypto Locker Virus that demand money but don’t actually lock the computer down. Taking an infected computer to an expert can determine if this is the case.
But there are some ways to prevent the Crypto Locker Virus from taking hold, they note. Experts recommend that you never open an email from an unknown source, and back up all important files.
MysteryMiner
Legendary
Offline
Activity: 1512
Merit: 1049
Death to enemies!
November 09, 2013, 03:56:31 AM
So far they used a single encryption key on all victims... And these addresses with 4k coins probably are a mixing service of some kind.
Mike Hearn
Legendary
Offline
Activity: 1526
Merit: 1134
November 09, 2013, 08:57:47 AM
These transactions are somewhat puzzling. There are an awful lot of many-to-many payments here, lots of which are merging/splitting payments that are much smaller than 2 BTC in size. I wonder if 1AEoiHY23fbBn8QiJ5y6oAjrhRY1Fb85uc is actually some kind of mixing or service address. I see some transactions that look like they were generated by a bitcoinj based wallet as well, and one address that paid in came direct from a miner/coinbase payout. I'm not totally convinced that 1AEoiHY23fbBn8QiJ5y6oAjrhRY1Fb85uc is actually controlled by the cryptolocker guys. Question is, if I'm right, then - what is it?

edit: this one looks definitely a part of it: https://blockchain.info/address/18iEz617DoDp8CNQUyyrjCcC7XCGDf5SVb
trout
November 09, 2013, 09:08:52 AM
Those many-to-many txs look like blockchain.info's new mixer.
Kluge
Donator
Legendary
Offline
Activity: 1218
Merit: 1015
November 09, 2013, 09:18:20 AM
That's kind of awesome. So it just puts all the files in an archive, I guess? Does it install a new bootable "CryptoLock" OS, or does this function inside other OSes? How does a user purchase Bitcoins without access to their usual Internet browsers if they don't have another capable device?
franky1
Legendary
Offline
Activity: 4396
Merit: 4760
November 09, 2013, 09:23:49 AM
So what is the work-around to fix this, so that the victims are not forced to pay into this scam and then treat bitcoin as a criminal-preferred coin? If we as a community help out the victims by solving their woes, they won't need to pay into it and think of bitcoin as a bad thing.
Secondly, this address that the funds get paid into could simply be a mtgox, bitstamp, btc-e deposit address, because once it's in an exchange the funds just get split up for other users who are withdrawing.
We don't want criminals tainting the coins; I definitely don't want to withdraw my coins from an exchange and realise they are linked to the deposits of this scammer using the same exchange.
Kluge
Donator
Legendary
Offline
Activity: 1218
Merit: 1015
November 09, 2013, 09:26:55 AM
So what is the work-around to fix this, so that the victims are not forced to pay into this scam and then treat bitcoin as a criminal-preferred coin? If we as a community help out the victims by solving their woes, they won't need to pay into it and think of bitcoin as a bad thing.
Secondly, this address that the funds get paid into could simply be a mtgox, bitstamp, btc-e deposit address, because once it's in an exchange the funds just get split up for other users who are withdrawing.
We don't want criminals tainting the coins; I definitely don't want to withdraw my coins from an exchange and realise they are linked to the deposits of this scammer using the same exchange.
If it puts all the files in an encrypted archive, there is no cure, only vaccines.
Lauda
Legendary
Offline
Activity: 2674
Merit: 2965
Terminated.
November 09, 2013, 10:08:03 AM
How to get rich: make CryptoLock v2.0 ---> profit.
D357@RG (OP)
Newbie
Offline
Activity: 27
Merit: 0
November 09, 2013, 10:40:08 AM
Those many-to-many txs look like blockchain.info's new mixer.

Yes and no. I'm 50/50 - to me it looks like all these small amounts, roughly similar value, being bundled together. For a mixer, they wouldn't all be such uniform-size amounts at the mixer entry layer, I wouldn't think. Prior to this, we've had one other CryptoLock victim come to us for assistance. This was a couple of months back and, at the time, the software demanded an odd number (~3.2 BTC). From this, we had thought it was aiming for USD300. Looking at the transactions related to the ransom address, it seems CryptoLock has switched and now aims to collect a round 2 BTC. Quite a lot of money really and certainly a marked increase over a three-month period.
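The kind of one-hop tracing the OP and Mike Hearn describe (find the sweep spending from ransom addresses, classify its input/output shape, check whether the inputs are uniform ransom-sized amounts or the irregular sub-2-BTC merges a mixer produces, and total what the clearing address received) can be scripted. This is an added example, not code from the thread; the transactions and addresses are constructed placeholders, not real blockchain data.

```python
from collections import Counter

SAT = 100_000_000  # satoshis per BTC; amounts are kept as integer satoshis

# Constructed sample transactions (not real blockchain data); addresses are placeholders.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": [("victim_a", 2 * SAT)], "outputs": [("ransom_1", 2 * SAT)]},
    {"txid": "t2", "inputs": [("victim_b", 2 * SAT)], "outputs": [("ransom_2", 2 * SAT)]},
    {"txid": "t3", "inputs": [("victim_c", 2 * SAT)], "outputs": [("ransom_3", 2 * SAT)]},
    # Sweep: several per-victim ransom addresses consolidated into one clearing address.
    {"txid": "t4", "inputs": [("ransom_1", 2 * SAT), ("ransom_2", 2 * SAT), ("ransom_3", 2 * SAT)],
     "outputs": [("clearing", 6 * SAT - 10_000)]},
    # Many-to-many transaction with irregular sub-2-BTC amounts, the shape a mixer produces.
    {"txid": "t5", "inputs": [("m1", 31_000_000), ("m2", 77_000_000), ("m3", 120_000_000)],
     "outputs": [("clearing", 150_000_000), ("m4", 40_000_000), ("m5", 37_000_000)]},
]


def total_received(txs, addr):
    """Sum of all outputs paid to addr (what an explorer shows as 'Total Received')."""
    return sum(amt for tx in txs for a, amt in tx["outputs"] if a == addr)


def tx_shape(tx):
    """Classify by input/output counts: one-to-one, many-to-one, one-to-many, many-to-many."""
    ins = "many" if len(tx["inputs"]) > 1 else "one"
    outs = "many" if len(tx["outputs"]) > 1 else "one"
    return f"{ins}-to-{outs}"


def uniform_inputs(tx, tolerance=0.05):
    """True when every input is within `tolerance` (fraction) of the largest input.
    Uniform inputs (e.g. all ~2 BTC) point to a ransom sweep rather than a mixer."""
    amounts = [amt for _, amt in tx["inputs"]]
    biggest = max(amounts)
    return all(biggest - amt <= biggest * tolerance for amt in amounts)


def trace_sweeps(txs, seed_addrs):
    """Follow funds one hop: every tx spending from a seed address, with its shape,
    whether its inputs are uniform, and how much went to each destination address."""
    hops = {}
    for tx in txs:
        if any(a in seed_addrs for a, _ in tx["inputs"]):
            dests = Counter()
            for a, amt in tx["outputs"]:
                dests[a] += amt
            hops[tx["txid"]] = {"shape": tx_shape(tx), "uniform": uniform_inputs(tx), "destinations": dests}
    return hops


if __name__ == "__main__":
    for txid, info in trace_sweeps(SAMPLE_TXS, {"ransom_1", "ransom_2", "ransom_3"}).items():
        print(txid, info["shape"], "uniform" if info["uniform"] else "irregular", dict(info["destinations"]))
    print("clearing total received:", total_received(SAMPLE_TXS, "clearing") / SAT, "BTC")
```

Against a real explorer the same checks would run over the address's transaction list; a clearing address that receives both uniform sweeps and irregular many-to-many merges is, as the thread suspects, likely a shared service rather than one actor's wallet.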
Gabi
Legendary
Offline
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
November 09, 2013, 11:44:19 AM
It is funny: there is a thread about mainstream adoption of bitcoin and then there is this thread.
It is clear that the mainstream have no hope to adopt bitcoin, since they are even UNABLE to avoid such an idiot virus and are UNABLE to properly back up their data. And they should adopt bitcoin? Ahahah, nice joke.
DeeSome
November 09, 2013, 12:29:17 PM
Doesn't seem all that bad for bitcoin; if anything it will bring bitcoin to the attention of more people.

http://krebsonsecurity.com/2013/11/cryptolocker-crew-ratchets-up-the-ransom/

“We put up a survey and asked how many [victims] had paid the ransom with Bitcoins, and almost no one said they did,” Abrams said. “Most paid with MoneyPak. The people who did pay with Bitcoins said they found the process for getting them was so cumbersome that it took them a week to figure it out.”
DeeSome
November 09, 2013, 12:43:09 PM
Reading further into that article I linked above, I've revised my thoughts on how it could affect bitcoin. I would not be at all surprised if there was some official agency behind Crypto Locker.

http://krebsonsecurity.com/2013/11/cryptolocker-crew-ratchets-up-the-ransom/
"the service, which is currently hosted at one of several addresses on the Tor anonymity network."

Think about it: get enough people talking about this virus and a Govt. agency can associate bitcoins and Tor with criminal activity and give themselves more leverage to insist on "back doors" being built into the Tor network, even making use of it illegal.
crazy_rabbit
Legendary
Offline
Activity: 1204
Merit: 1002
RUM AND CARROTS: A PIRATE LIFE FOR ME
November 09, 2013, 12:55:14 PM
That's terrible. Someone needs to find these people and shut them down. This is terrible PR for bitcoin in general.
mel2000
Member
Offline
Activity: 79
Merit: 10
November 09, 2013, 10:35:12 PM
It is funny: there is a thread about mainstream adoption of bitcoin and then there is this thread.
It is clear that the mainstream have no hope to adopt bitcoin, since they are even UNABLE to avoid such an idiot virus and are UNABLE to properly back up their data. And they should adopt bitcoin? Ahahah, nice joke.

Backing up your data to a directory that CryptoLock looks for, even if on an external drive, will result in that directory getting encrypted too. http://www.foolishit.com/vb6-projects/cryptoprevent/
Dabs
Legendary
Offline
Activity: 3416
Merit: 1912
The Concierge of Crypto
November 10, 2013, 02:32:38 AM
Does the virus encrypt the whole drive? Or does it just move everything into an archive? Does it securely delete and overwrite the original files? If not, maybe you can undelete them.
Rupture
November 10, 2013, 06:05:31 AM
Damn, 4600? Must be working well.
Lauda
Legendary
Offline
Activity: 2674
Merit: 2965
Terminated.
November 10, 2013, 03:59:22 PM
It is funny: there is a thread about mainstream adoption of bitcoin and then there is this thread.
It is clear that the mainstream have no hope to adopt bitcoin, since they are even UNABLE to avoid such an idiot virus and are UNABLE to properly back up their data. And they should adopt bitcoin? Ahahah, nice joke.

Backing up your data to a directory that CryptoLock looks for, even if on an external drive, will result in that directory getting encrypted too. http://www.foolishit.com/vb6-projects/cryptoprevent/

What's this about exactly?
AndrewWilliams
Full Member
Offline
Activity: 182
Merit: 100
Fourth richest fictional character
November 10, 2013, 07:08:23 PM
superduh
November 10, 2013, 09:51:00 PM
Solution necessary ASAP:
1) everyone should start backing things up
2) block the virus ASAP - have email hosts scan attachments
3) ugh