CryptoLocker is a ransomware Trojan. The business model of ransomware is to extort money from internet users. CryptoLocker builds on the trend set by the infamous “Police Virus” family, which locks the screen and demands a payment to unlock the device; CryptoLocker goes further by encrypting the victim’s important documents and files and telling the user to pay a ransom within a stated deadline.
Jason Adler, the Customer Success Manager of Semalt Digital Services, explains how CryptoLocker works and offers some practical advice on avoiding it.
CryptoLocker relies on social engineering to get internet users to download and run it. The victim receives an email carrying a password-protected ZIP attachment, with the password stated in the message. The email purports to come from a logistics or shipping company.
The Trojan runs when the user extracts the ZIP file with the supplied password and opens the executable inside. It is easy to miss because Windows hides the extensions of known file types by default, so an executable whose name ends in something like “.pdf.exe” is displayed as if it were a PDF. Once the victim runs it, the Trojan performs several actions:
a) It copies itself to a folder in the user’s profile, for example under %LocalAppData%.
b) It adds an autostart entry to the registry so that it runs again every time the computer boots.
c) It runs as two processes: the main process, and a second watchdog process whose only job is to prevent the main process from being terminated.
For every file it encrypts, the Trojan generates a fresh random symmetric key and encrypts the file’s contents with AES under that key. The per-file key is then encrypted with an asymmetric algorithm (RSA) using the attacker’s public key; the RSA keys are longer than 1024 bits, and 2048-bit keys were observed in practice. Only the holder of the matching RSA private key can recover the per-file key, and therefore the file contents, which is exactly what the ransom buys. Because the encrypted content overwrites the original file in place, the plaintext cannot be recovered from the disk by forensic means.
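The hybrid scheme described above, as an added illustration (example code written for this page, not CryptoLocker’s own code or anything from Semalt): each file gets a fresh random AES-256 key, the content is encrypted under it, and that key is then wrapped with the attacker’s 2048-bit RSA public key. AES-GCM, RSA-OAEP, the key sizes and the constructed sample document are assumptions made for the example; the page does not name the exact modes CryptoLocker used. The point the code makes is that the victim’s machine is left holding only the wrapped key, so decryption succeeds with the attacker’s private key and fails with any other.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is the on-disk result of a CryptoLocker-style hybrid scheme:
// the AES-encrypted content plus the per-file AES key wrapped with the
// attacker's RSA public key. The victim's machine never sees the RSA private key.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(attackerPub, fileKey)
	Nonce      []byte // AES-GCM nonce, stored alongside the ciphertext
	Ciphertext []byte // AES-GCM(fileKey, plaintext)
}

// NewAttackerKey generates the 2048-bit RSA pair that lives on the C&C side.
// Only the public half is ever sent to the victim.
func NewAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFile mirrors what the Trojan does per file: fresh random AES-256 key,
// encrypt the content, wrap the key with the RSA public key, discard the key.
// AES-GCM is used as a concrete AES mode (an assumption for this example).
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)

	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// Zero the file key: from here on the only copy is inside wrapped, and
	// unwrapping it requires the private key that stays with the attacker.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFile is the step only the RSA private-key holder can perform:
// unwrap the file key, then decrypt the content. With any other key the
// OAEP unwrap fails and nothing is recovered.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	attacker, err := NewAttackerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample "document"; in the real attack this is a file's contents.
	doc := []byte("Q3 budget - confidential")
	ef, err := EncryptFile(&attacker.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	// The private-key holder recovers the document...
	pt, err := DecryptFile(attacker, ef)
	fmt.Printf("with attacker key: %q (err=%v)\n", pt, err)
	// ...while anyone holding only some other key gets an error and no plaintext.
	other, _ := NewAttackerKey()
	pt, err = DecryptFile(other, ef)
	fmt.Printf("with wrong key: %q (err=%v)\n", pt, err)
}
```

Two things worth noticing when you run it: the wrapped key differs on every encryption of the same file, because the AES key is fresh each time, and a responder who images the disk gets the nonce, the ciphertext and the wrapped key but never the 32 bytes that would decrypt anything.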
Once running, the Trojan fetches the public key (PK) from a command-and-control (C&C) server. To find a live C&C server it uses a domain generation algorithm (DGA) that produces pseudo-random domain names: a Mersenne Twister pseudo-random number generator is seeded with the current date and yields about 1,000 candidate domains per day, of varying lengths. The Trojan tries these until one resolves and answers, so blocking a single hardcoded domain does not cut it off from its C&C.
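To show what a date-seeded DGA looks like in practice, here is an added example written for this page; it is not CryptoLocker’s actual algorithm, which used a Mersenne Twister with constants that are not on this page. Go’s math/rand seeded from the calendar date stands in for the real generator, and the name lengths of 12 to 15 characters, the seed mixing and the TLD list are assumptions. What it demonstrates is the property that matters to both sides: the list depends on nothing but the date, so the malware and a defender who has reverse-engineered the algorithm compute identical domains, and the defender can sinkhole or blocklist them before the malware asks for them.

```go
package main

import (
	"fmt"
	"math/rand"
	"time"
)

// tlds is the set of suffixes the generator cycles through. The list is an
// assumption for this example, not a claim about CryptoLocker's own TLD set.
var tlds = []string{"com", "net", "org", "biz", "info", "ru", "co.uk"}

// DailyDomains returns the n candidate C&C domains for a given calendar day.
// The only input to the PRNG is the date, so the malware on a victim and an
// analyst who knows the algorithm produce exactly the same list.
func DailyDomains(year int, month int, day int, n int) []string {
	// Seed from the date only (assumed mixing), e.g. 2013-10-17 -> 20131017.
	seed := int64(year)*10000 + int64(month)*100 + int64(day)
	r := rand.New(rand.NewSource(seed))
	domains := make([]string, 0, n)
	for i := 0; i < n; i++ {
		length := 12 + r.Intn(4) // "various sizes": 12..15 characters
		name := make([]byte, length)
		for j := range name {
			name[j] = 'a' + byte(r.Intn(26))
		}
		domains = append(domains, fmt.Sprintf("%s.%s", name, tlds[r.Intn(len(tlds))]))
	}
	return domains
}

// TodayDomains is the defender's view: pre-compute the list for the current
// UTC day so it can be fed to a DNS sinkhole or resolver blocklist in advance.
func TodayDomains(n int) []string {
	now := time.Now().UTC()
	return DailyDomains(now.Year(), int(now.Month()), now.Day(), n)
}

func main() {
	// The same date always yields the same names; a different date yields
	// a completely different set, which is why a static blocklist fails.
	for _, d := range DailyDomains(2013, 10, 17, 5) {
		fmt.Println(d)
	}
}
```

On the detection side the same structure is visible in DNS logs: a host that fires off a burst of lookups for 12 to 15 character random-looking names across several TLDs, most of them returning NXDOMAIN, is behaving like a DGA client hunting for a live C&C domain.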
The Trojan downloads the PK and stores it under HKCU\Software\CryptoLocker\Public Key. It then begins encrypting files on the hard disk and on network shares the user has mapped. CryptoLocker does not touch every file: it targets only non-executable files whose extensions appear in a list embedded in the malware’s code, including *.odt, *.xls, *.pptm, *.rtf, *.pem and *.jpg. It also records every file it has encrypted under HKEY_CURRENT_USER\Software\CryptoLocker\Files, which later tells the decryptor what to process (and tells an incident responder exactly what was hit).
After the encryption process completes, the malware displays a message demanding a ransom payment within a stated time limit, after which it claims the private key will be destroyed.
The following precautions reduce the risk:
a) Email users should be suspicious of messages from unknown persons or organizations, and of password-protected attachments in particular, since the password exists mainly to keep mail scanners from inspecting the archive.
b) Users should turn off the Windows setting that hides the extensions of known file types, so that an executable disguised with a double extension is visible for what it is.
c) Important files should be kept in backups that are offline or otherwise not writable from the user’s session; a backup on a mapped network share is within CryptoLocker’s reach.
d) If files do become encrypted, the user should not pay the ransom. The malware developers should never be rewarded.