CryptoLocker - The Latest in a Long Line of Ransomware

By gTIC ·

Since early September 2013, a new version of ransomware has been spreading around the globe using email attachments, embedded internet links and/or botnets to propagate. The effect of this malware is particularly nasty as the infected user may in fact be unable to recover their files without paying the ransom fee due to the encryption component.

Email attachments are the primary means of exposure for this type of malware, so the “happy clicker” is the main concern for organizations’ security departments; the organization should be aware of this threat and its potential to spread via the insider threat.

Ransomware has been a significant threat to users since the late 1980s (PC Cyborg), with varying degrees of complexity. While most versions of ransomware have targeted the various Microsoft operating systems, a few have been developed to infect Macintosh systems as well (FBI Ransomware). This type of malware (malicious software) is commonly designed to extort money from infected users by holding their personal files “hostage” until the user pays a ransom fee via some defined process.

In its delivery via email attachment, CryptoLocker is nothing new. Taking advantage of the individual’s curiosity, the application is typically installed when the user opens a .zip email attachment on a system that either is not protected by an antivirus solution or whose solution is not updated regularly with current definitions.

The malware then installs itself to the infected user’s Documents and Settings folder using a randomly generated name. It adds itself to the “autorun” list of programs in the registry. Once this is accomplished, the malware attempts to connect to a number of domains (that appear to be randomly generated) until it creates a successful connection.
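The persistence behavior described above (a randomly named executable dropped in the user profile and registered in the Run keys) can be hunted for with a registry check. The script below is an added example, not part of the original advisory or any FishNet Security tooling; the profile-directory pattern and the "random-looking name" heuristic are assumptions for illustration, and hits need manual review because legitimate per-user software also lives under the profile.

```powershell
# Added example: list autorun entries whose executable lives under a user
# profile directory, the location where the post says CryptoLocker drops
# its randomly named binary. Run in an elevated PowerShell session.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Profile roots: "Documents and Settings" on XP/2003, "Users" on Vista and later.
$profilePattern = '\\(Documents and Settings|Users)\\'

function Get-SuspiciousAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip PowerShell's own bookkeeping members (PSPath, PSParentPath, ...).
            if ($p.Name -like 'PS*') { continue }
            $value = [string]$p.Value
            if ($value -notmatch $profilePattern) { continue }

            # Strip surrounding quotes and trailing arguments to isolate the executable path.
            $exe = ($value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'

            [PSCustomObject]@{
                Key               = $key
                ValueName         = $p.Name
                Command           = $value
                Executable        = $exe
                Exists            = Test-Path -LiteralPath $exe
                # Heuristic (assumption): an 8+ character purely alphanumeric file name with
                # no vendor-like wording is worth a closer look.
                RandomLookingName = ([IO.Path]::GetFileNameWithoutExtension($exe) -match '^[A-Za-z0-9]{8,}$')
            }
        }
    }
}

Get-SuspiciousAutoruns | Format-Table -AutoSize
```

Any entry with RandomLookingName set and Exists set should be checked against the antivirus vendor write-ups referenced later in this post before removal.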

Upon a successful connection, the malware uploads unique information to the server, which returns the public portion of a uniquely generated public-private key pair to the infected system (this key pair has been commonly documented to be RSA 2048-bit). After receiving the public key, the malware performs a search for common Microsoft file extensions.


Figure 1 - File extensions at risk

The search process is known to scan not only the local file system but also any attached and/or network storage locations that the system is authorized to access at the time of infection. Files found during this search are then encrypted using the received public key.

At this point, the infected user commonly receives the initial indication that they have been compromised via a CryptoLocker popup screen:


Figure 2 - Image courtesy of thehackernews.com

At this point, the files have been encrypted. Research from multiple organizations has not provided a way to decrypt them without the private key.

As mentioned above, the primary means of infection is a phishing email in which the user opens an email attachment. A secondary means of infection has also been found: compromise via a bot, which occurs on devices that were previously infected and are already part of a botnet.

OpenDNS’s Think Umbrella researcher Ping Yan (@pingpingya) has generated a global map that displays the known CryptoLocker C2 servers that OpenDNS has information on:


Figure 3 - Image courtesy of @pingpingya (Oct. 29, 2013)

Information from OpenDNS’s Think Umbrella group identifies that IP 184.164.136.134 is commonly hard-coded within the ransomware file. Information from malwr.com on this IP identifies six (6) distinct files associated with the IP.


Figure 4 - Image courtesy of malwr.com

This IP is not found to be on any blacklists, per ipvoid.com.

As of this writing, most antivirus solutions have signatures in place to detect and remove CryptoLocker infections. Additionally, many antivirus vendors, such as Symantec and TrendMicro, provide further information that organizations’ security departments can use to identify infections and prevent users from being infected.

Additionally, FishNet Security recommends the following:

  • Educate your users about CryptoLocker - awareness is the best defense.
  • Check antivirus to ensure the software is up-to-date and has not been misconfigured.
  • Run a virus scan on all machines to look for existing bot infections.
  • Review your backup strategy to ensure you have backups of critical files.