
CryptoLocker - The Latest in a Long Line of Ransomware

October 31, 2013

Since early September 2013, a new ransomware family has been spreading around the globe, propagating through email attachments, embedded web links and existing botnets. Its effect is particularly nasty: because of its encryption component, an infected user may be unable to recover their files without paying the ransom fee.

Email attachments are the primary means of exposure for this type of malware, so the "happy clicker" is the main concern for an organization's security department. The organization should be aware of this threat and of its potential to spread through an unwitting insider to every file location that user can reach.

Ransomware has been a significant threat to users since the late 1980s, with varying degrees of complexity. While most ransomware has targeted the various Microsoft operating systems, a few variants have been developed to target Macintosh systems as well (for example, the FBI Ransomware). This type of malware (malicious software) is designed to extort money from infected users by holding their personal files "hostage" until the user pays a ransom fee through some defined process.

In its delivery via email attachment, CryptoLocker is nothing new. Playing on the recipient's curiosity, the malware is typically installed when the user opens a .zip email attachment and runs its contents on a system that either has no antivirus solution or has one whose definitions are not kept current.

The malware then installs itself in the infected user's profile (the Documents and Settings folder) under a randomly generated name and adds itself to the Run key in the registry so that it starts again at each logon. Once this is accomplished, it attempts to connect to a sequence of domains that appear to be randomly generated (a domain generation algorithm, or DGA) until one connection succeeds.
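One way to check a workstation for the persistence described above is to triage the HKCU Run key from a "reg export" dump and flag entries that launch an executable from inside the user profile. The following Python script is an added example, not code from the original article or from FishNet Security: the registry export, the user name and the file name Zqwtxkvb.exe are constructed for the example, and the "random-looking name" rule is an illustrative heuristic rather than a published signature.

```python
"""Triage the HKCU Run key exported with 'reg export' for CryptoLocker-style
persistence: an executable with a random-looking name that lives inside the
user profile (Documents and Settings / AppData) rather than a system or
program directory.  The export below is constructed for this example and the
rule is an illustrative heuristic, not a signature from the original article."""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Locations a per-user malware dropper can write to without admin rights.
PROFILE_DIRS = ("\\documents and settings\\", "\\users\\",
                "\\application data\\", "\\appdata\\")

# Constructed export: one ordinary XP autorun and one CryptoLocker-like entry
# with a random file name under the user's profile (user and name invented).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"CryptoLocker"="\"C:\\Documents and Settings\\jdoe\\Application Data\\Zqwtxkvb.exe\""
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_run_values(reg_text):
    """Return {value_name: command} for the HKCU Run key in a .reg export.
    .reg files escape backslashes and quotes with a backslash, so undo that."""
    values, in_run_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = _VALUE_RE.match(line)
        if in_run_key and m:
            name, command = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            values[name] = command
    return values


def executable_path(command):
    """Pull the program path out of a Run value (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def looks_random(filename):
    """Cheap randomness check (heuristic): the file stem has no vowels at all,
    or mixes digits into letters; real program names rarely do either."""
    stem = filename.rsplit(".", 1)[0].lower()
    vowels = sum(ch in "aeiou" for ch in stem)
    mixed = any(ch.isdigit() for ch in stem) and any(ch.isalpha() for ch in stem)
    return len(stem) >= 6 and (vowels == 0 or mixed)


def suspicious_autoruns(reg_text):
    """Return [(value_name, path, tag)] for Run entries launched from the
    user profile; the tag says whether the file name also looks random."""
    hits = []
    for name, command in parse_run_values(reg_text).items():
        path = executable_path(command)
        if any(d in path.lower() for d in PROFILE_DIRS):
            filename = path.rsplit("\\", 1)[-1]
            tag = "random-looking name" if looks_random(filename) else "profile path"
            hits.append((name, path, tag))
    return hits


if __name__ == "__main__":
    for name, path, tag in suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"[{tag}] {name} -> {path}")
```

On a real host, produce the input with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and feed the file's contents to `suspicious_autoruns`. Legitimate per-user programs also start from the profile, so treat a "profile path" hit as something to review rather than as a verdict; the "random-looking name" tag is the one that matches the behaviour described above.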

Upon a successful connection, the malware uploads unique information about the infected system, and the server returns the public half of a public-private key pair generated uniquely for that victim (commonly documented to be a 2048-bit RSA key). The private half never leaves the attacker's server. After receiving the public key, the malware searches the file system for a list of common user-data file extensions:

Figure 1 - File extensions at risk

The search covers not only the local file system but also any attached storage and any network share (for example, a mapped drive) that the user's account can write to at the time of infection. Files found during this search are then encrypted under the received public key; in practice each file is encrypted with a symmetric key that is itself encrypted with the RSA public key, so recovering either requires the private key held by the attacker.

At this point the infected user commonly receives the first indication of compromise: the CryptoLocker popup screen demanding payment:

Figure 2 - Image courtesy of thehackernews.com

By then the files have already been encrypted. Research from multiple organizations has not found a way to decrypt them without the private key.

As mentioned above, the primary means of infection is a phishing email in which the user opens the attachment. A secondary means has also been observed: delivery through an existing bot. In this case the ransomware is pushed as an additional payload to devices that were previously infected and are already part of a botnet.

OpenDNS's Think Umbrella researcher Ping Yan (@pingpingya) has produced a global map of the CryptoLocker C2 servers known to OpenDNS:

Figure 3 - Image courtesy of @pingpingya (Oct. 29, 2013)

Information from OpenDNS's Think Umbrella group identifies IP 184.164.136.134 as commonly hard-coded within the ransomware binary, so a connection to it is a high-confidence indicator regardless of which generated domain the sample eventually reached. Information from malwr.com associates six distinct files with this IP.

Figure 4 - Image courtesy of malwr.com

As of this writing, this IP does not appear on any blacklists, per ipvoid.com. Absence from public blacklists is not evidence that the address is benign; since it is hard-coded in the malware, it is worth blocking at the perimeter and alerting on in proxy and firewall logs.
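Both network behaviours described on this page, the hard-coded C2 address and the walk through randomly generated domains until one answers, can be hunted for in web-proxy logs. The following Python script is an added example, not code from the original article, FishNet Security or OpenDNS: the access-log lines are constructed for the example (the client addresses, timestamps, request paths and the two generated-looking domains are invented), and the entropy threshold used to spot DGA-style names is an illustrative triage heuristic, not a published signature.

```python
"""Hunt web-proxy logs for the two CryptoLocker C2 behaviours described in
the text: a connection to the hard-coded address 184.164.136.134, and
requests to domains that look machine-generated (the fallback the malware
walks through until one answers).  The log lines below are constructed for
this example; the entropy threshold is an illustrative triage heuristic."""
import math
from collections import Counter
from urllib.parse import urlsplit

HARDCODED_C2 = {"184.164.136.134"}  # address cited in the article (OpenDNS data)

# Constructed squid-style access log: timestamp, client IP, method, URL, status.
# thehackernews.com is included as a long but legitimate name the heuristic
# must not flag; the .biz and .org hosts are invented DGA-style names.
SAMPLE_PROXY_LOG = """\
1383175001.123 10.0.0.15 GET http://www.microsoft.com/en-us/ 200
1383175002.456 10.0.0.15 POST http://184.164.136.134/home/ 200
1383175003.789 10.0.0.22 GET http://kqxmvyrtahzlwbfd.biz/home/ 200
1383175004.012 10.0.0.22 GET http://thehackernews.com/ 200
1383175005.345 10.0.0.31 GET http://yuwhxlnmrbxlgdpbnet.org/home/ 503
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for a one-character run)."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def registrable_label(host):
    """Second-level label of a host name ('www.example.com' -> 'example').
    Multi-part public suffixes such as .co.uk are not handled here."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(host, min_len=12, min_entropy=3.4):
    """DGA heuristic: a long second-level label with a near-uniform letter
    distribution.  Tune both thresholds against your own traffic baseline."""
    label = registrable_label(host)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def hunt(log_text):
    """Return [(client, host, reason)] for every suspicious request, checking
    the hard-coded C2 address first so it is never mis-labelled as DGA."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, _method, url, _status = line.split()
        host = urlsplit(url).hostname
        if host in HARDCODED_C2:
            hits.append((client, host, "hard-coded C2 address"))
        elif looks_generated(host):
            hits.append((client, host, "DGA-like domain"))
    return hits


if __name__ == "__main__":
    for client, host, reason in hunt(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}: {reason}")
```

The hard-coded address is the reliable indicator; the entropy test is only a coarse filter for pulling candidate hosts out of a large log, and a hit should be confirmed against DNS logs (a burst of failed lookups from the same client just before the successful one is typical of a DGA walk) before the machine is pulled for cleanup.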

As of this writing, most antivirus solutions have signatures in place to detect and remove CryptoLocker infections. Many antivirus vendors, such as Symantec and TrendMicro, also publish additional information that organizations' security teams can use to identify infections and prevent users from being infected.

FishNet Security also recommends the following:

  • Educate your users about CryptoLocker - awareness is the best defense.
  • Check antivirus to ensure the software is up to date and has not been misconfigured.
  • Run a virus scan on all machines looking for bot infections, since an existing bot can deliver CryptoLocker as a secondary payload.
  • Review your backup strategy to ensure you have backups of critical files, and that those backups are not reachable as a writable mapped drive from user workstations, since CryptoLocker encrypts any network storage the infected user can write to.
