The Ins and Outs Of CryptoLocker Malware

To understand what CryptoLocker malware is, first we need to understand a little bit about ransomware. Ransomware is malicious software designed specifically with the intent to extort money from users by holding hostage their valuable or confidential digital data.

CryptoLocker is one such ransomware which hijacks and encrypts entire user databases and asks them to pay a ransom to decrypt their data, that too within a limited time frame, otherwise, the encryption becomes permanent. In this article, we intend to delve a little deeper into what makes CryptoLocker malware tick and also a few tips to avoid them.

Installation Tactics

CryptoLockers usually implement sly social engineering tactics to dupe users to execute the malware. Usually, users would receive an e-mail along with a password protected ZIP file, typically imitating e-mails from logistics companies.

The malware gets executed when the user types in the password for the ZIP file which is conveniently included in the e-mail itself. CryptoLockers also take advantage of the default Windows behavior of hiding common file extensions, which cleverly helps hide the malignant .EXE file extension.

As soon as the user executes the CryptoLocker malware, the core component of it becomes memory resident, which means it permanently stays in the computer’s memory. After that, it undertakes these following steps to do what it was intended to do.

• It saves itself to a folder in the user’s profile, usually in the AppData or LocalAppData folder.
• Inserts a specialized key to the Windows registry to be able to start with every system startup.
• Create two identical processes of itself, one is a decoy while another is the real deal.

Encryption Tactics

CryptoLocker malware encrypts each file it takes hostage using random symmetric key using AES algorithm. It further encrypts the random key by implementing asymmetrical public-private key encryption algorithm (RSA), creating keys with more than 1024 bits. There have also been reports of CryptoLocker having 2048 bit keys.

These encrypted keys are then added to the encrypted file. This ensures that the encrypted files cannot be retrieved with modern and forensic data recovery methods. The only person who can decrypt and access the encrypted files with the random encryption key is the owner of the private RSA key.

The first thing a CryptoLocker malware does when it’s executed, is obtain the public key from its Command & Control servers (C&C). Once connected to its C&C server, the malware then spawns a domain generation algorithm (DGA) using a ‘Mersenne Twister’ utility to generate random domain names. It usually uses the current system date as the seed and generates upwards of 1000 different domains every day.

CryptoLocker malware usually hides the downloaded public key under the Windows registry key: HKCUSoftwareCryptoLockerPublic Key. After that, the malware sets about with its intended file encryption processes. It scans the user’s entire hard disk and the hard disks of all other systems on the same network as the infected system and only encrypts non-executable files with the extensions mentioned in the malware’s code.

CryptoLockers also stores a log of all encrypted file under the Windows registry key: HKEY_CURRENT_USERSoftwareCryptoLockerFiles. After the encryption task is completed, the malware then displays a message to the user, asking for a ransom against their valuable or confidential data. The CryptoLocker ransomware also incorporates a time limit for the ransom payment, otherwise, the private key is destroyed and the data lost forever.

Steps to Avoid CryptLocker

As we mentioned earlier, CryptoLocker malware exploits clever social engineering tactics and thus to avoid falling victim to such malware, here are a few tips to make our readers aware of the social engineering tactics used by CryptoLocker creators.

• Always be wary of e-mails sent from unknown senders or sources, especially ones with attachments.
• Disabling the default hide common extension type option might help to identify such malicious files.
• Always, and we repeat, always create a remote backup of your valuable and confidential data, preferably on the cloud.
• If on the off chance your system gets infected with the CryptoLocker malware, the best course of action is to not pay the demanded ransom. This will stop the malware creators and the malware itself from becoming profitable. After all, nothing good can come from negotiating with terrorists (even cyber ones).

What are your thoughts about this? Have you ever experienced a CryptoLocker malware attack? What tactics did you implement to fix it? We’d love to hear about your experiences in the comments.