CryptoLocker is a ransomware trojan for Microsoft Windows that spreads via email and is considered one of the first widely distributed crypto-ransomware families. The CryptoLocker .EXE arrives in a .ZIP file attached to an email message; the archive contains an executable whose filename and icon are disguised as a PDF, taking advantage of Windows' default behaviour of hiding known file extensions to conceal the program's .EXE extension.
This infection is typically spread through emails sent to company email addresses that pretend to be customer-support issues from FedEx, UPS, DHS, etc. These emails contain a zip attachment; running the executable inside it infects the computer.
These zip files contain executables disguised as PDF files: they carry a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Windows does not show known file extensions by default, they look like ordinary PDF files and people open them.
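The disguise described above can be caught before the user ever sees the icon. The following is an added example, not code from the original page or from any tool it mentions: it triages a ZIP attachment by looking for a double extension that ends in an executable type (FORM_101513.pdf.exe) and, independently, for the PE "MZ" header under a name that claims to be a document. The archive and its members are constructed inline so the script runs offline; the file names are assumptions modelled on the ones in the text.

```python
"""Triage a ZIP e-mail attachment for the CryptoLocker-style disguise: a
Windows executable whose name ends in a document extension (FORM_101513.pdf.exe)
or whose bytes are a PE image regardless of what the name claims.

Added example; not code from the original page or from any analysis tool
named in it. The archive and its members are constructed inline so that the
script runs offline.
"""
import io
import zipfile
from typing import Dict, List

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
PE_MAGIC = b"MZ"  # every Windows PE image starts with the DOS 'MZ' stub


def extensions(name: str) -> List[str]:
    """All dotted suffixes of a member name, lower-cased, e.g. ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def suspicious_reasons(name: str, head: bytes) -> List[str]:
    """Reasons a member looks like a disguised executable (empty list = clean)."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append("executable member (%s)" % last)
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            # Explorer hides the final extension by default, so the user sees
            # 'FORM_101513.pdf' next to a PDF icon.
            reasons.append("double extension hides executable (%s)" % "".join(exts[-2:]))
    elif head.startswith(PE_MAGIC):
        # Name says document, bytes say PE image.
        reasons.append("PE header under non-executable name")
    return reasons


def triage_zip(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Map each member of a ZIP attachment to its findings; clean members are omitted."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = suspicious_reasons(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample archive: one genuine PDF and two CryptoLocker-style lures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("STD_261.pdf", b"%PDF-1.4\n% constructed placeholder document\n")
        zf.writestr("FORM_101513.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # double extension
        zf.writestr("FORM_101513.exe", b"MZ\x90\x00" + b"\x00" * 60)      # bare executable
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_attachment()).items():
        print("%-24s %s" % (member, "; ".join(reasons)))
```

The two checks are deliberately independent: the extension test catches the lure even if the payload is a script rather than a PE, and the magic-byte test catches a PE that has been renamed to a single document extension, which the extension test alone would pass.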
When CryptoLocker was first released, it was distributed on its own. Newer malicious attachments are Zbot infections that then install CryptoLocker. The presence of a registry key in the following form indicates a Zbot infection:
Under these keys the user will see value names whose data appears to be garbage (encrypted configuration). The droppers will also be found in the %Temp% folder, and the main executable is stored in a randomly named folder under %AppData%. Finally, an autostart entry is created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to launch it at logon.
An example Zbot/CryptoLocker email message is:
From: John Doe [mailto:John@mydomain.com]
Sent: Tuesday, October 15, 2013 10:34 AM
To: Jane Doe
Subject: Annual Form - Authorization to Use Privately Owned Vehicle on State Business
All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.
Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.
CryptoLocker's payload encrypts the victim's files with a 2048-bit RSA public key fetched from its Command & Control server, which puts brute-force recovery out of reach, and refuses to unlock them until a ransom of 500 units of currency ($500, €500, £500, etc.) is paid. Paying is no guarantee of recovery. The victim is given about 72 hours to pay; the ransom note states that once the deadline passes the private key held on the attackers' server is destroyed, preventing any recovery of the data (the Decryption Service launched later showed that the keys were in fact still available, at a higher price).
When a computer is first infected with CryptoLocker, the malware saves itself under a random filename in the root of the %AppData% or %LocalAppData% path. It then creates one of the following autostart entries in the registry so that CryptoLocker starts when the user logs in:
The infection also hijacks the .EXE file association so that whenever the user launches an executable it attempts to delete the Volume Shadow Copies on the affected computer. It does this because the user could otherwise use shadow copies to restore pre-encryption versions of the files. The command that runs when the user launches an executable is:
"C:\Windows\SYsWOW64\cmd.exe" /C "C:\Windows\Sysnative\vssadmin.exe" Delete Shadows /All /Quiet
The .EXE hijack in the Registry looks similar to the following. Note that the registry key names are random.
@="\"C:\\Users\\User\\AppData\\Local\\Rlatviomorjzlefba.exe\" - \"%1\" %*"
Once the infection has successfully deleted the shadow copies, it restores the .EXE association to the Windows default.
CryptoLocker then attempts to find a live Command & Control server by connecting to domains generated by a Domain Generation Algorithm (DGA). Examples of domains the DGA generates are lcxgidtthdjje.org, kdavymybmdrew.biz, dhlfdoukwrhjc.co.uk and xodeaxjmnxvpv.ru. Once a live C&C server is found, the malware communicates with it and receives a public encryption key that will be used to encrypt the user's data files. It stores this key, along with other information, in values under the registry key HKEY_CURRENT_USER\Software\CryptoLocker_0388. Unfortunately, the private key needed to decrypt the files is never saved on the victim's computer; it stays on the Command & Control server.
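The shadow-copy wipe above is one of the few loud things CryptoLocker does, and it is visible in process-creation telemetry. The following is an added example, not code from the original page: it runs a small detection over constructed process-creation events whose field names mirror Sysmon Event ID 1 (Image, CommandLine, ParentImage), matching the vssadmin command line quoted above and raising the severity when the parent is a randomly named executable under the user's AppData folder, which is what the hijacked .EXE association produces. Going beyond the page, it also matches the WMI equivalent "wmic shadowcopy delete", which serves the same purpose.

```python
"""Flag the shadow-copy wipe described above in process-creation telemetry.

Added example, not from the original page. The event records below are
constructed; their field names mirror Sysmon Event ID 1 (Image, CommandLine,
ParentImage). Beyond what the page shows, the WMI equivalent
'wmic shadowcopy delete' is also matched, since it serves the same purpose.
"""
import re
from typing import Dict, List, Tuple

# 'vssadmin delete shadows', tolerant of casing, quoting, extra whitespace and
# of the Sysnative/SysWOW64 path tricks in the CryptoLocker command line.
VSSADMIN_DELETE = re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows', re.IGNORECASE)
WMIC_DELETE = re.compile(r'wmic(?:\.exe)?"?\s+shadowcopy\s+delete', re.IGNORECASE)
# Randomly named droppers live under the user profile (%AppData%, %LocalAppData%).
USER_PROFILE_EXE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(?:Local|Roaming)\\[^\\]+\.exe$", re.IGNORECASE
)


def classify(event: Dict[str, str]) -> List[str]:
    """Return detection tags for one process-creation event (empty = nothing seen)."""
    tags = []
    cmd = event.get("CommandLine", "")
    if VSSADMIN_DELETE.search(cmd) or WMIC_DELETE.search(cmd):
        tags.append("shadow-copy-deletion")
        # The .EXE hijack makes the malware the parent of cmd.exe; a shadow
        # wipe whose parent is an executable in AppData is far more damning
        # than one an administrator launches from an interactive shell.
        if USER_PROFILE_EXE.search(event.get("ParentImage", "")):
            tags.append("parent-in-user-profile")
    return tags


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run classify() over a batch and return (index, tags) for every hit."""
    hits = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits.append((i, tags))
    return hits


# Constructed events: the first is the CryptoLocker pattern from the text.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\SysWOW64\cmd.exe",
        "CommandLine": r'"C:\Windows\SYsWOW64\cmd.exe" /C "C:\Windows\Sysnative\vssadmin.exe" Delete Shadows /All /Quiet',
        "ParentImage": r"C:\Users\User\AppData\Local\Rlatviomorjzlefba.exe",
    },
    {   # administrator inspecting shadow copies: not a deletion
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "CommandLine": r"vssadmin.exe list shadows",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # routine cleanup by an administrator: a deletion, but not from a user profile
        "Image": r"C:\Windows\System32\vssadmin.exe",
        "CommandLine": r"vssadmin.exe Delete Shadows /For=C: /Oldest",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", ", ".join(tags))
```

In a real deployment the third event is where tuning happens: shadow deletion by backup software or an administrator is legitimate, so the parent-process test, not the command line alone, is what separates CryptoLocker from housekeeping.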
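The C&C hunt through DGA domains is the other externally visible stage: a burst of lookups for random-looking names, most of them failing. The following is an added example, not the page's or the malware's code, and it does not reimplement CryptoLocker's DGA; it scores queried hostnames for the kind of unpronounceable label the DGA produces, using the four sample domains from the text among constructed benign lookups. The tiny public-suffix list is an assumption covering only the TLDs in the samples, and the thresholds are a triage signal, not proof.

```python
"""Score DNS query names for the random-looking labels CryptoLocker's DGA
produces, using the four sample domains from the text plus constructed
benign lookups.

Added example, not the page's or the malware's code. It does not reimplement
the DGA itself; it scores query logs for its output. The small public-suffix
list below is an assumption covering only the TLDs in the samples.
"""
import re
from typing import Dict, List

SUFFIXES = (".co.uk", ".org", ".biz", ".com", ".net", ".ru", ".info")
VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")  # 'y' counted as a consonant


def registrable_label(fqdn: str) -> str:
    """'www.foo.co.uk' -> 'foo': strip the public suffix, keep the last label."""
    host = fqdn.lower().rstrip(".")
    for suffix in SUFFIXES:
        if host.endswith(suffix):
            host = host[: -len(suffix)]
            break
    return host.rsplit(".", 1)[-1]


def features(label: str) -> Dict[str, float]:
    """Length, vowel ratio and longest consonant cluster of one label."""
    letters = [c for c in label if c.isalpha()]
    vowels = sum(c in VOWELS for c in letters)
    longest = max((len(r) for r in CONSONANT_RUN.findall(label)), default=0)
    return {
        "length": len(label),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "max_consonant_run": longest,
    }


def is_dga_like(fqdn: str) -> bool:
    """Pronounceability heuristic: long label, few vowels, a long consonant cluster.
    Thresholds were set by eye on the samples; expect occasional false
    positives on real words such as 'schwartz'."""
    f = features(registrable_label(fqdn))
    return f["length"] >= 10 and f["vowel_ratio"] <= 0.30 and f["max_consonant_run"] >= 4


def flag_queries(queries: List[str]) -> List[str]:
    """Distinct DGA-like names in a batch of queried hostnames, in first-seen order.
    A burst of these (typically answered NXDOMAIN) from one host is the C&C hunt."""
    seen: List[str] = []
    for q in queries:
        if is_dga_like(q) and q not in seen:
            seen.append(q)
    return seen


# Constructed query log: the DGA samples from the text mixed with normal traffic.
SAMPLE_QUERIES = [
    "lcxgidtthdjje.org", "www.bleepingcomputer.com", "kdavymybmdrew.biz",
    "dhlfdoukwrhjc.co.uk", "mail.mydomain.com", "xodeaxjmnxvpv.ru",
    "update.microsoft.com", "lcxgidtthdjje.org",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print("%-28s %s" % (q, features(registrable_label(q))))
    print("flagged:", flag_queries(SAMPLE_QUERIES))
```

Counting distinct flagged names per source host over a short window is the useful alert condition; a single odd label is noise, dozens in a minute from one workstation is a sample looking for its server.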
CryptoLocker then scans all physical and mapped network drives on the computer for files with the following extensions:
.odt, .ods, .odp, .odm, .odc, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .pdf, .eps, .ai, .indd, .cdr, .jpg, .jpe, .dng, .3fr, .arw, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .crt, .pem, .pfx, .p12, .p7b, .p7c.
When it finds a file matching one of these types, it encrypts the file using the public key and adds the file's full path and name as a value under the HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files registry key.
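Because CryptoLocker leaves file names unchanged, the practical way to tell which of the files above have been encrypted (other than the registry list, which only exists while the malware's own bookkeeping survives) is to compare each file's leading bytes with the signature its extension implies; this is the check the CryptoLocker Scan Tool in the timeline performs. The following is an added example, not the page's or Omnispear's code: the signature table is deliberately limited to formats from the list whose magic bytes are unambiguous, and the victim directory it scans is constructed in a temporary folder with stand-in ciphertext.

```python
"""Find files whose extension is on the target list above but whose leading
bytes no longer match that format's signature. CryptoLocker leaves names
unchanged, so a content/extension mismatch is the practical tell.

Added example, not the page's or Omnispear's code. The signature table is
deliberately limited to formats whose magic bytes are unambiguous, and the
sample tree is constructed in a temporary directory.
"""
import os
import tempfile
from typing import Dict, List, Tuple

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office (.doc/.xls/.ppt) container
ZIPC = b"PK\x03\x04"                         # OOXML and OpenDocument container
TIFF = (b"II*\x00", b"MM\x00*")              # TIFF-based camera raw formats

SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    ".pdf": (b"%PDF",), ".ai": (b"%PDF", b"%!PS"), ".eps": (b"%!PS", b"\xc5\xd0\xd3\xc6"),
    ".jpg": (b"\xff\xd8\xff",), ".jpe": (b"\xff\xd8\xff",),
    ".psd": (b"8BPS",), ".rtf": (b"{\\rtf",), ".pst": (b"!BDN",),
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".docx": (ZIPC,), ".docm": (ZIPC,), ".xlsx": (ZIPC,), ".xlsm": (ZIPC,),
    ".pptx": (ZIPC,), ".pptm": (ZIPC,), ".odt": (ZIPC,), ".ods": (ZIPC,), ".odp": (ZIPC,),
    ".dng": TIFF, ".cr2": TIFF, ".nef": TIFF, ".arw": TIFF,
}
MAX_MAGIC = max(len(m) for sigs in SIGNATURES.values() for m in sigs)


def check_file(path: str) -> str:
    """'ok' | 'mismatch' | 'empty' | 'unknown' (no signature for the extension)."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in SIGNATURES:
        return "unknown"
    with open(path, "rb") as fh:
        head = fh.read(MAX_MAGIC)
    if not head:
        return "empty"
    return "ok" if any(head.startswith(m) for m in SIGNATURES[ext]) else "mismatch"


def scan(root: str) -> List[str]:
    """Sorted relative paths under root whose content contradicts their extension."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if check_file(full) == "mismatch":
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed victim directory: intact documents plus two that look encrypted."""
    root = tempfile.mkdtemp(prefix="cl_scan_")
    files = {
        "report.pdf": b"%PDF-1.4\n% intact\n",
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
        "budget.xlsx": ZIPC + b"\x14\x00\x00\x00",
        "notes.doc": b"\x7f\x1c\x9a\x02\x55\xee\x31\x88" * 4,           # stand-in for ciphertext
        "raw/IMG_0001.cr2": b"\x3b\xa9\x10\xcc\x07\x5d\xf2\x1e" * 4,   # stand-in for ciphertext
        "plan.dxf": b"0\r\nSECTION\r\n",  # on the target list, but no signature here -> 'unknown'
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in scan(build_sample_tree()):
        print("possibly encrypted:", hit)
```

Files whose extension has no entry in the table come back as 'unknown' rather than 'mismatch', so the scan never claims more than it can check; extending the table is the way to widen coverage, and a mismatch on a format with a loose signature (PEM files with leading comments, for example) should be treated as a lead rather than a verdict.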
Once CryptoLocker has finished decrypting the files after payment, it deletes itself so that the user can retrieve their files and use the computer again. It was one of the few ransomware families that generally did return the victim's files once the ransom was paid.
Cryptolocker.B is a Trojan horse that encrypts files on the compromised computer and then prompts the user to purchase a key in order to decrypt them. It also displays a window saying that the victim's computer has been hacked.
CryptoLocker.C is a Trojan horse that downloads files on the compromised computer. The Trojan may perform the following actions:
- Connect to a remote location
- Execute arbitrary commands
- Download and execute files
CryptoLocker.AA or ORXLocker is a Trojan horse that encrypts files on the compromised computer and then demands payment from the user in order to decrypt them. It appends the .LOCKED extension to encrypted files.
In early 2014, security firms FireEye and Fox-IT developed an online decryption tool for CryptoLocker victims. The website went offline in August of 2014, but can still be accessed via the Wayback Machine.
Tool link: decryptcryptolocker.com
- Trojan.Ransomlock (Symantec)
- Ransom.C (AVG)
- Trojan-Ransom.Win32.PornoBlocker.cel (NictaTech Free Web Scanner)
- Ransom.Worm.Cryptlocker.a (Kaspersky)
September 6th, 2013: The first reported appearance of CryptoLocker came from a member of BleepingComputer's forum in the Cryptolocker Hijack program topic. The user reported a popup window called CryptoLocker and that all of their data files had been encrypted. Reports immediately started flooding in as other infected users found the topic.
September 9th, 2013: Fabian Wosar of Emsisoft was the first to reverse-engineer the CryptoLocker infection. His analysis was posted on the kernelmode.info forum. A more formal write-up was later posted on Emsisoft's blog in the post "CryptoLocker – a new ransomware variant".
September 10th, 2013: The ListCrilock tool was released by BleepingComputer.com that can be used to export a list of encrypted files from the Registry.
September 12th, 2013: Suggestion to use Software Restriction Policies to block CryptoLocker executables was posted.
October 8th, 2013: The connection between Zbot being the downloader for CryptoLocker was reported.
October 10th, 2013: BleepingComputer.com became the target of a large DNS amplification DDoS attack, presumably because of the information it was disclosing about the connection between Zbot and CryptoLocker.
October 18th, 2013: CryptoLocker becomes mainstream news as various AV vendors and news companies start reporting about the infection.
October 18th, 2013: First reports that CryptoLocker Command & Control servers had started to display a message from the developers on their home page.
October 18th, 2013: Nicholas Shaw, CEO and developer of Foolish IT, released CryptoPrevent, an easy-to-use program that creates the necessary Software Restriction Policies on a computer.
October 25th, 2013: Omnispear released the CryptoLocker Scan Tool, which scans the user's hard drives for files that do not carry the file identifier (magic bytes) expected for their extension. Any such file is reported as possibly encrypted.
October 29th, 2013: CryptoLocker Command & Control server home page changed the message from the developer.
November 1st, 2013: CryptoLocker Decryption Service was released by the malware developers. This new decryption service allowed an infected user to upload an encrypted file and purchase a decryption key and decrypter for 10 bitcoins.
November 4th, 2013: CryptoLocker Decryption Service was updated to state that a user can still pay 2 bitcoins to purchase their decryption service as long as they are within the initial 72 hour period. If they fail to pay the ransom within 72 hours they will then have to pay 10 bitcoins to purchase the decryption key and decrypter.
November 5th, 2013: SurfRight released a new tool called CryptoGuard that monitors the file system for suspicious file operations (CryptoGuard is a driver, installed by HitmanPro.Alert). When suspicious behavior is detected, the malicious code is blocked (write, delete, rename is revoked) and an Alert is presented to the user. So even while ransomware is active, it can't harm the user's files.
June 2nd, 2014: Information about Operation Tovar was released; the operation took down the Gameover distribution network that distributed CryptoLocker.
August 6th, 2014: Decryption keys recovered during Operation Tovar were made available by FireEye and Fox-IT.