Explain how cryptolocker works, and discuss its mutation from a trojan to a worm.
- [Voiceover] Cryptolocker has appeared in many evolutions. Let's take a look at how one of the more recent versions works. This version uses asymmetric encryption and bitcoin payment. The Cryptolocker ransomware is typically distributed through a botnet. When it first infiltrates the target, it copies itself onto disk with a randomly generated executable name. It then includes a startup command in the registry, so that it can restart after a reboot. When Cryptolocker starts up it attempts to communicate with its command and control server.
It does this using its domain generation algorithm, as is usual with contemporary malware. It sends a message containing the version, the date, time of build, and the target name. If successful, it receives from the server a public key, and a corresponding bitcoin address. A key is added to the registry with these values, and a wallpaper file created, containing instructions on how to pay the ransom. Cryptolocker then selects the files that it wants to encrypt. These include jpegs, docs, spreadsheets, powerpoint files, and a lot more.
A symmetric key is generated for each file to be encrypted, and the file is encrypted using AES. The key is encrypted using the public key that was sent from the command and control server, and the encrypted key is then appended to the encrypted file. The paths to the documents are stored in the registry. The ransom message is then displayed. Cryptolocker has a countdown timer, which provides a window of opportunity for the victim to pay the ransom and get the private key.
Once this countdown finishes, the private key is destroyed, and the files can never be retrieved. Payment of the ransom is made using bitcoins. Other variants use alternative anonymous payment methods such as Ukash, CashU, or prepaid cash money cards. Once the victim pays the ransom, a transaction ID is provided. The victim can then enter this into the Cryptolocker program that is running. The private key is then sent to the victim, and the decryption process begins. Cryptolocker is distributed by spam email messages or from a malicious website, and the original malware infects just the computer on which it lands.
Where a number of systems in a target network have been infected, that's typically because it's been infiltrated through a botnet, which owns all of the target systems. However, a recent variant of Cryptolocker has the ability to spread between removable drives, using activation keys for tools such as Adobe Photoshop and Microsoft Office as its vector. This makes it much more dangerous once it gets a foothold in a network.
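The narration describes two things a defender can observe on disk after Cryptolocker runs: each document body becomes AES ciphertext (near-uniform bytes) and the file no longer starts with the header its extension implies, because the ciphertext and the appended wrapped key replace the original content. The following script is an added example, not code from the course or from any Cryptolocker analysis, that combines a Shannon-entropy measurement with a magic-byte check so that legitimately high-entropy files (JPEGs, OOXML ZIP containers) are not flagged. The entropy cutoff, the table of expected headers, and the sample files are assumptions constructed for the demonstration; no real files or real malware output are used.

```python
"""Added example: flag files that look like Cryptolocker output.

Two observable consequences of per-file AES encryption with an appended,
RSA-wrapped key: the file body is near-uniform (entropy close to 8 bits per
byte) and the format's expected header (JPEG SOI, OLE2, ZIP) is gone.
Requiring both avoids false positives on files that are high-entropy by
nature, such as JPEGs and modern Office documents.
"""
import math
import os
import random
from collections import Counter

# Expected leading bytes per extension (assumed table, not from the course).
# The transcript lists JPEGs, Word documents, spreadsheets and PowerPoint
# files among the targeted types.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".doc": b"\xd0\xcf\x11\xe0",   # OLE2 compound document
    ".xls": b"\xd0\xcf\x11\xe0",
    ".ppt": b"\xd0\xcf\x11\xe0",
    ".docx": b"PK\x03\x04",        # OOXML files are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
}

ENTROPY_THRESHOLD = 7.5  # assumed cutoff; tune against your own file population


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0 for a constant file, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(name: str, data: bytes):
    """True/False when the type's header is known, None when the type is unknown."""
    ext = os.path.splitext(name)[1].lower()
    sig = MAGIC.get(ext)
    if sig is None:
        return None
    return data.startswith(sig)


def classify(name: str, data: bytes) -> str:
    """Label one file from its name and contents."""
    hdr = header_matches(name, data)
    if hdr is None:
        return "unknown-type"
    if hdr:
        return "ok"  # header intact, even if the body is high-entropy (JPEG, ZIP)
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "header-mismatch"  # wrong header but readable body: corruption or renaming


def scan(samples: dict) -> dict:
    """Classify every (name, bytes) pair; returns {name: label}."""
    return {name: classify(name, data) for name, data in samples.items()}


def _pseudo_random_bytes(seed: int, n: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed, not real malware output)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: nothing is read from disk.
SAMPLES = {
    # intact legacy spreadsheet: OLE2 header, low-entropy body
    "budget.xls": b"\xd0\xcf\x11\xe0" + b"Q1 revenue 1200\n" * 200,
    # intact photo: header present, body high-entropy (compressed image data)
    "photo.jpg": b"\xff\xd8\xff" + _pseudo_random_bytes(1, 4096),
    # shape of an encrypted document: uniform body plus a 256-byte wrapped key
    "report.doc": _pseudo_random_bytes(2, 4096) + _pseudo_random_bytes(3, 256),
    # a plain-text instruction file of a type the table has no header for
    "HOW_TO_PAY.txt": b"Your files have been encrypted. Pay to recover them.\n",
}

if __name__ == "__main__":
    for name, label in scan(SAMPLES).items():
        print(f"{name:16} {shannon_entropy(SAMPLES[name]):.2f} bits/byte  {label}")
```

Run against a real directory by replacing `SAMPLES` with `{path: open(path, "rb").read()}` over the files of interest; the useful signal is a burst of `likely-encrypted` results across many user documents in a short window, not any single hit, since a renamed or corrupted file produces the same mismatch on its own.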
Note: Our Ethical Hacking series will map to the 18 parts of the EC-Council's certification exam. This course maps to the 09 Denial of Service domain.
- What is denial of service?
- SYN flooding
- Smurf and URL flooding
- Deauthenticating a wireless host
- Flooding HTTP
- Using BlackEnergy
- Flooding SIP
- Detecting DoS with PeerShark
- Defeating DoS attacks