CryptoLocker: What it is, how it works and how to protect yourself

What is Cryptolocker?

CryptoLocker is a new family of ransomware whose business model (yes, malware can be a business to some!) is based on extorting money from users. This continues the trend started by another infamous piece of malware that also extorts its victims, the so-called ‘Police Virus’, which asks users to pay a ‘fine’ to unlock their computers. However, unlike the Police Virus, CryptoLocker hijacks users’ documents and asks them to pay a ransom (with a time limit to send the payment).

Malware installation

CryptoLocker uses social engineering techniques to trick the user into running it. More specifically, the victim receives an email with a password-protected ZIP file purporting to be from a supply company.

The Trojan runs when the user opens the attached ZIP file, entering the password included in the message, and tries to open the PDF it contains. CryptoLocker takes advantage of Windows’ default behavior of hiding the extension in file names to disguise the real .EXE extension of the malicious file.
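A check a mail filter or analyst could run on a ZIP attachment to spot the disguised extension described above. This is an added example, not code from the original article; the extension lists, function names and sample file names are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs directly (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-like extensions commonly used as the visible decoy (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def split_extensions(name):
    """Return (real_ext, decoy_ext): the last two extensions, lower-cased."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    # Windows ignores trailing dots and spaces; padding spaces can hide the real suffix.
    parts = [p.strip() for p in base.rstrip(". ").split(".")]
    real = "." + parts[-1] if len(parts) > 1 else ""
    decoy = "." + parts[-2] if len(parts) > 2 else ""
    return real, decoy


def classify(name):
    """'ok', 'executable', or 'disguised-executable' (e.g. name.pdf.exe)."""
    real, decoy = split_extensions(name)
    if real not in EXECUTABLE_EXTS:
        return "ok"
    return "disguised-executable" if decoy in DECOY_EXTS else "executable"


def scan_zip(data):
    """Return (entry name, verdict, encrypted) for each risky entry in ZIP bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Entry names are usually readable even when the contents need a password.
        for info in zf.infolist():
            verdict = classify(info.filename)
            if verdict != "ok":
                findings.append((info.filename, verdict, bool(info.flag_bits & 0x1)))
    return findings


def build_sample_zip():
    """Constructed sample attachment; every entry holds harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("Invoice_2013.pdf.exe", "readme.txt",
                     "docs/report.PDF .scr", "setup.exe"):
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict, encrypted in scan_zip(build_sample_zip()):
        print(f"{verdict:22} encrypted={encrypted} {name}")
```

With extensions hidden, Explorer would show the first sample entry as `Invoice_2013.pdf`, which is why the check looks at the final extension rather than the visible one.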

As soon as the victim runs it, the Trojan goes memory resident on the computer and takes the following actions:

Saves itself to a folder in the user’s profile (AppData, LocalAppData).
Adds a key to the registry to make sure it runs every time the computer starts up.
Spawns two processes of itself: one is the main process, while the other aims to protect the main process against termination.

File encryption

The Trojan generates a random symmetric key for each file it encrypts, and encrypts the file’s content with the AES algorithm, using that key. Then, it encrypts the random key using an asymmetric public-private key encryption algorithm (RSA) with keys of over 1024 bits (we’ve seen samples that used 2048-bit keys), and adds it to the encrypted file. This way, the Trojan makes sure that only the owner of the private RSA key can obtain the random key used to encrypt the file. Also, because the computer files are overwritten, it is not possible to retrieve them using forensic methods.

Once run, the first thing the Trojan does is obtain the public key (PK) from its C&C server. To find an active C&C server, the Trojan incorporates a domain generation algorithm (DGA) known as ‘Mersenne twister’ to generate random domain names. This algorithm uses the current date as seed and can generate up to 1,000 different fixed-size domains every day.

[Image: crypto code]

After the Trojan has downloaded the PK, it saves it in the following Windows registry key: HKCU\Software\CryptoLocker\Public Key. Then, it starts encrypting files on the computer’s hard disk and every network drive the infected user has access to.

CryptoLocker doesn’t encrypt every file it finds, but only non-executable files with the extensions included in the malware’s code:


[Image: crypto list]

Additionally, CryptoLocker logs each file encrypted to the following registry key:


When the Trojan finishes encrypting every file that meets the aforementioned conditions, it displays the following message asking the user to make a ransom payment, with a time limit to send the payment before the private key kept by the malware author is destroyed.

[Image: crypto main]

Curiously enough, the malware doesn’t ask users for the same amount of money, but incorporates its own currency conversion table.

[Image: crypto table]

How to avoid CryptoLocker

We at the PC TECH Guys can put a piece of software on your computer that can prevent any type of attack by this virus by disabling the Windows Group Policy and encryption services. This will not let Windows encrypt files or give it the capability to do so, which is really how the virus works.

This malware spreads via email by using social engineering techniques. Therefore, our recommendations are:

Be particularly wary of emails from senders you don’t know, especially those with attached files.
Disabling hidden file extensions in Windows will also help you recognize this type of attack.
We’d like to remind you of the importance of having a backup system in place for your critical files. This will help mitigate the damage caused not only by malware infections, but by hardware problems or any other incidents as well.
If you become infected and don’t have a backup copy of your files, our recommendation is not to pay the ransom. That’s never a good solution, as it turns the malware into a highly profitable business model and will contribute to the flourishing of this type of attack.

