What is the CryptoLocker Virus?
CryptoLocker is a new family of ransomware whose business model (yes, malware is a business to some!) is based on extorting money from its victims. CryptoLocker hijacks users' documents and asks them to pay a ransom, with a time limit to send the payment. CryptoLocker uses social engineering to trick the user into running it. These emails are often disguised as messages from Australia Post. The victim receives an email with a password-protected ZIP file professing to be from a logistics company.
The trojan gets run when the user opens the attached ZIP file by entering the password included in the message and then attempts to open the PDF it appears to contain. CryptoLocker takes advantage of Windows' default behaviour of hiding known file extensions to disguise the real .EXE extension of the malicious file. As soon as the victim runs it, the trojan goes memory resident on the computer and takes the following actions:
- Saves itself to a folder in the user's profile (AppData, Local AppData).
- Adds a key to the registry to make sure it runs every time the computer starts up.
- Spawns two processes of itself. One is the main process, whereas the other aims to protect the main process against termination.
The trojan generates a random symmetric key for each file it encrypts, and encrypts the file's content with the AES algorithm using that key. Then, it encrypts the random key using an asymmetric public-private key encryption algorithm (RSA) with keys of over 1024 bits and adds it to the encrypted file. This way, the trojan makes sure that only the owner of the private RSA key can obtain the random key used to encrypt the file. Also, because the original files are overwritten, they cannot be recovered using forensic methods.
Once run, the first thing the trojan does is obtain the public key (PK) from its C&C server. To find an active C&C server, the trojan incorporates a domain generation algorithm (DGA) known as 'Mersenne Twister' to generate random domain names. This algorithm uses the current date as its seed and can generate up to 1,000 different fixed-size domains every day.
After the trojan has downloaded the PK, it saves it inside the following Windows registry key: HKCU\Software\CryptoLocker Key. Then, it starts encrypting files on the computer's hard disk and on every network drive the infected user has access to. CryptoLocker doesn't encrypt every file it finds, but only non-executable files with the extensions included in the malware's code.
When the trojan finishes encrypting every file that meets the aforementioned conditions, it displays a message asking the user to make a ransom payment, with a time limit to send the payment before the private key kept by the malware writer is destroyed.
The malware doesn't ask every user for the same amount of money, but incorporates its own currency conversion.
This is how to avoid CryptoLocker:
- Be particularly wary of emails from senders that you don't know, especially those with attached files.
- Disabling hidden file extensions in Windows will also help you recognise this type of attachment.
- A very important reminder to our customers: have a backup system in place for your critical files. This will help mitigate the damage caused not only by malware infections, but by hardware problems or any other incidents as well.
- If you become infected and don't have a backup copy of your files, our recommendation is not to pay the ransom. That is never a good solution, as it turns the malware into a highly profitable business model and contributes to the spread of this type of attack.
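To make the hidden-extension trick from the description above concrete, here is an added example (not code from the original post) that inspects the entry names of a ZIP attachment and flags any that would look like a document once Windows hides the real extension. The extension lists, function names and the sample archive are assumptions constructed for the example; the check reads only the archive's central directory, so it works on password-protected ZIPs without the password.

```python
import io
import zipfile

# Assumed lists for this example: extensions Windows runs as programs, and
# document extensions a disguised attachment is likely to imitate.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def displayed_name(filename: str) -> str:
    """Name Explorer shows with 'Hide extensions for known file types' on:
    the final extension is dropped, so 'invoice.pdf.exe' appears as 'invoice.pdf'."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def is_masquerading(filename: str) -> bool:
    """True when the real extension is executable but the displayed name
    ends in a document extension (the CryptoLocker 'PDF' lure)."""
    name = filename.rsplit("/", 1)[-1].lower()          # ignore folders inside the ZIP
    real_ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if real_ext not in EXECUTABLE_EXTS:
        return False
    shown = displayed_name(name)
    shown_ext = "." + shown.rsplit(".", 1)[-1] if "." in shown else ""
    return shown_ext in DOCUMENT_EXTS


def suspicious_entries(zip_bytes: bytes) -> list:
    """Entry names in the archive that would be disguised as documents.
    Only the central directory is read, so no password is needed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist() if is_masquerading(info.filename)]


def build_sample_zip() -> bytes:
    """Constructed sample archive for the example; the contents are placeholder text,
    not executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tracking_Details.pdf.exe", "placeholder text, not a real program")
        zf.writestr("notes.txt", "harmless text file")
        zf.writestr("setup.exe", "plain executable, not disguised as a document")
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_entries(build_sample_zip()))  # ['Tracking_Details.pdf.exe']
```

A mail gateway or desktop script can run the same check on incoming attachments before the user ever sees the password prompt.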
If you have any questions regarding this virus, or if you would like to know more about a suitable backup solution for your business, please contact us.