Understanding CryptoLocker

- [Voiceover] Cryptolocker has appeared in many evolutions.…Let's take a look…at how one of the more recent versions works.…This version uses asymmetric encryption…and bitcoin payment.…The Cryptolocker ransomware…is typically distributed through a botnet.…When it first infiltrates the target,…it copies itself onto disk…with a randomly generated executable name.…It then includes a startup command in the registry,…so that it can restart after a reboot.…When Cryptolocker starts up…it attempts to communicate…with its command and control server.…

It does this using its domain generation algorithm,…as is usual with contemporary malware.…It sends a message containing the version,…the date, time of build, and the target name.…If successful, it receives from the server a public key,…and a corresponding bitcoin address.…A key is added to the registry with these values,…and a wallpaper file created,…containing instructions on how to pay the ransom.…Cryptolocker then selects the files…that it wants to encrypt.…These include jpegs, docs, spreadsheets, powerpoint files,…