tumblr hit counter

CryptoLocker

Nov 11

CryptoLocker is a new family of ransomware whose business model (yes, malware is a business to some!) is based on extorting money from users. This continues the trend started by another infamous piece of malware which also extorts its victims, the so-called ‘Police Virus’, which asks users to pay a ‘fine’ to unlock their computers. However, unlike the Police Virus, CryptoLocker hijacks users’ documents and asks them to pay a ransom (with a time limit to send the payment).

crypto-main

 

Malware installation

CrytoLocker uses social engineering techniques to trick the user into running it. More specifically, the victim receives an email with a password-protected ZIP file purporting to be from a logistics company.

The Trojan gets run when the user opens the attached ZIP file, by entering the password included in the message, and attempts to open the PDF it contains. CryptoLocker takes advantage of Windows’ default behavior of hiding the extension from file names to disguise the real .EXE extension of the malicious file.

As soon as the victim runs it, the Trojan goes memory resident on the computer and takes the following actions:

  • Saves itself to a folder in the user’s profile (AppData, LocalAppData).
  • Adds a key to the registry to make sure it runs every time the computer starts up.
  • Spawns two processes of itself: One is the main process, whereas the other aims to protect the main process against termination.

File encryption

The Trojan generates a random symmetric key for each file it encrypts, and encrypts the file’s content with the AES algorithm, using that key. Then, it encrypts the random key using an asymmetric public-private key encryption algorithm (RSA) and keys of over 1024 bits (we’ve seen samples that used 2048-bit keys), and adds it to the encrypted file. This way, the Trojan makes sure that only the owner of the private RSA key can obtain the random key used to encrypt the file. Also, as the computer files are overwritten, it is impossible to retrieve them using forensic methods.

Once run, the first thing the Trojan does is obtain the public key (PK) from its C&C server. To find an active C&C server, The Trojan incorporates a domain generation algorithm (DGA) known as ‘Mersenne twister’ to generate random domain names.  This algorithm uses the current date as seed and can generate up to 1,000 different fixed-size domains every day.

crypto-code

DGA pseudocode

After the Trojan has downloaded the PK, it saves it inside the following Windows registry key: HKCU\Software\CryptoLocker\Public Key. Then, it starts encrypting files on the computer’s hard disk and every network drive the infected user has access to.

CrytoLocker doesn’t encrypt every file it finds, but only non-executable files with the extensions included in the malware’s code:

crypto-list

List of extensions found in a CrytoLocker sample

Additionally, CrytoLocker logs each file encrypted to the following registry key:

HKEY_CURRENT_USER\Software\CryptoLocker\Files

When the Trojan finishes encrypting every file that meets the aforementioned conditions, it displays the following message asking the user to make a ransom payment, with a time limit to send the payment before the private key kept by the malware writer is destroyed.

crypto-main

 

Curiously enough, the malware doesn’t ask users for the same amount of money, but incorporates its own currency conversion table.

crypto-table

 

Conclusions

This malware spreads via email by using social engineering techniques. Therefore, our recommendation is to be particularly wary of emails from senders you don’t know, especially those with attached files. Disabling hidden file extensions in Windows will also help recognize this type of attack.

Additionally, we’d like to remind you of the importance of having a backup system in place for your critical files. This will help mitigate the damage caused not only by malware infections, but hardware problems or any other incidents as well.

If you become infected and don’t have a backup copy of your files, our recommendation is not to pay the ransom. That’s NEVER a good solution, as it turns the malware into a highly profitable business model and will contribute to the flourishing of this type of attack.

 

Post to Twitter

  • (10) Comments

Comments

  1. Now that you know all about this threat, what are you doing to protect your customers? Will GP14 detect this Trojan?

  2. MrXintax says:

    Is the Cryptolocker virus more dangerous then the Zeus Virus?

    • Luis Corrons says:

      It is different, both Trojans are really dangerous. The main problem with this one is that you can lose all your data. Zeus won’t destroy your information, but it will probably send it to cybercriminals.

  3. Netstar says:

    We’ve seen what the cryptolocker virus can do – nasty thing. Bitcoins, which is the currency the criminals want payment in, have gone up in value by a ridiculous amount since this virus came onto the scene.

    We managed to restore our clients’ data from our datacentre

  4. Alex Bos says:

    Quote:
    Netstar says:

    December 10, 2013 at 11:38 am

    We’ve seen what the cryptolocker virus can do – nasty thing. Bitcoins, which is the currency the criminals want payment in, have gone up in value by a ridiculous amount since this virus came onto the scene.

    We managed to restore our clients’ data from our datacentre

    Bitcoins and the upswing in market value has nothing to do with Cryptolocker, or the hackers who are using Cryptolocker to force payment. Bitcoins just happen to be completely anonymous, with no tracability back to the user. It would be rather easy to trace someone requesting EUR/USD, now wouldn’t it?

    Regards,
    Alex

    • alex says:

      @Alex Bos.
      “Bitcoins and the upswing in market value has nothing to do with Cryptolocker,”
      “Bitcoins just happen to be completely anonymous, with no tracability back to the user.”

      So what you’re saying is, bitcoins has EVERYTHING to do with cryptolocker. Otherwise, it would be completely unsuccessful.

Trackbacks

  1. […] Further information on Cryptolocker can be found here. […]

  2. […] you lose files, and there are a number of excellent pieces of software on the market. McAfee, PANDA, ESET and Symantec have already produced guides for the best anti-Cryptolocker practices. If you […]

  3. […] malware attached to an email is to password protect it. Which CryptoLocker has been known to do [1] [2] [3]. This leaves a handful of options in detecting the email: Either have a signature for the […]

Leave a Reply

You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

  • Become a fan!


    Panda Security on Facebook
  • Blogroll

  • Categories