Monday, April 7, 2014

[infosecinstitute] CryptoLocker

Released in September 2013, CryptoLocker is a ransomware trojan that targets all versions of Windows, including Windows XP, Windows Vista, Windows 7 and Windows 8. It encrypts almost all of the victim's data files using a combination of RSA and AES encryption. When the encryption is complete, it displays a CryptoLocker payment screen that demands a ransom of $300 or 300 Euro (or the equivalent in another currency) to decrypt the files; the ransom can be paid to the malware authors in Bitcoin or with a MoneyPak voucher. A time limit of 72 hours is given to pay; otherwise the decryption key is deleted from the attackers' server. Once the payment is verified, the program decrypts the files it encrypted using the RSA private key, which unlocks the per-file AES keys.

CryptoLocker Infection Screen
At the time of writing, CryptoLocker has infected over 250,000 computers and caused millions of dollars in losses worldwide. Its most disturbing characteristic is its ability to evade standard antivirus protection: even with strong security standards and good antivirus software, it is difficult to prevent a CryptoLocker intrusion.
Technical Details
CryptoLocker uses asymmetric (public-key) encryption, in which different keys are used for encryption and decryption. When it infects a system, CryptoLocker saves itself under a random file name in the root of the %AppData% or %LocalAppData% folder. It then creates an autostart entry in the registry so that it is launched automatically whenever the system starts.
Once installed, the malware makes a POST request to an embedded IP address or to a specific domain under one of the .biz, .com, .info, .net, .org or .ru top-level domains, with the request path /home. The C&C server changes dynamically; if the malware cannot connect to its embedded server, it looks for a live one using a Domain Generation Algorithm (DGA) that produces about 1,000 candidate domains per day and tries them until one answers. Once a C&C connection is established, the malware sends an RSA-encrypted payload containing the malware version, a system ID, a group ID and the system language. The C&C returns a public key for that infected host, which is stored together with other information in values under the registry key HKEY_CURRENT_USER\Software\CryptoLocker_0388. The malware then searches the victim's drives for a wide range of file extensions and begins encrypting the matching files with that public key. The private key needed to decrypt the files is never saved on the computer; it exists only on the C&C server.
The extensions that CryptoLocker affects are:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.
After encrypting the files, it shows a CryptoLocker screen that demands a ransom of $300 or 300 Euro to decrypt them. The ransom can be paid in Bitcoin or with MoneyPak vouchers within a time limit of 72 hours; otherwise the private key is deleted from the C&C server. If an incorrect payment code is entered, the time allowed for decryption is reduced.
CryptoLocker wallpaper that notifies that the system is infected
File Paths and Registry Keys used by CryptoLocker
File Paths used by CryptoLocker
The file paths used by CryptoLocker are in either of the following formats: %AppData%\<random>.exe and %AppData%\{<8 chars>-<4 chars>-<4 chars>-<4 chars>-<12 chars>}.exe
Examples of the file name include ‘Rlatviomorjzlefba.exe’ and ‘{34285B07-372F-121D-311F-030FAAD0CEF3}.exe’.
Windows XP
C:\Documents and Settings\<User>\Application Data\<random name>.exe
C:\Documents and Settings\<User>\Local Settings\Application Data\<random name>.exe
Windows Vista/7
C:\Users\<User>\AppData\Roaming\<random name>.exe
C:\Users\<User>\AppData\Local\<random name>.exe
Registry Keys used in CryptoLocker
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “CryptoLocker”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “*CryptoLocker”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “CryptoLocker_<version_number>”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “*CryptoLocker_<version_number>”
At the time of writing the current version of CryptoLocker is 0388, so these entries are named CryptoLocker_0388. The * prefix in the RunOnce entry tells Windows to run CryptoLocker even when the system is started in Safe Mode. The malware also creates a registry key in which it stores its configuration and the list of files it has encrypted; earlier versions used the key HKEY_CURRENT_USER\Software\CryptoLocker.
The registry key currently used to store the configuration is HKEY_CURRENT_USER\Software\CryptoLocker_0388. It has three values: PublicKey, VersionInfo and WallPaper. PublicKey contains the public key used to encrypt the files. VersionInfo contains the current version of the malware, the IP address of the C&C server and the timestamp of the installation. WallPaper describes the wallpaper that is shown as the background on the infected computer's desktop.
Under this key there is a list of every file that CryptoLocker has encrypted. A new REG_DWORD value is created for each encrypted file, named with the file's full path in which every backslash (\) is replaced by a question mark (?). An example value name is C:?Users?Public?Videos?Sample Videos?Wildlife.wmv. When the ransom is paid, the decryption routine walks this list to find the files it must decrypt.
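The autostart entries, configuration key and encrypted-file list described above can be checked on a suspect host with the following triage script. It is an added example, not code from the original article; it is read-only (it reports and removes nothing) and must be run as the affected user, since the keys live under HKCU. It assumes the file list may sit either directly under the CryptoLocker_<version> key or in a subkey, so it searches both, and it needs Windows PowerShell 3.0 or later for the [pscustomobject] syntax.

```powershell
function Get-CryptoLockerArtifacts {
    <#
      Added example (not from the original article): read-only triage of the
      CryptoLocker registry and process artifacts described in the text.
      Reports: Run/RunOnce values named *CryptoLocker*, HKCU\Software\CryptoLocker*
      keys and their value names (expected PublicKey, VersionInfo, WallPaper), the
      encrypted-file list (one REG_DWORD per file, '\' written as '?'), and any
      process whose image sits directly in %AppData% or %LocalAppData%.
      Assumption: the file list may be directly under the key or in a subkey.
    #>
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.ArrayList

    # 1. Autostart values: "CryptoLocker", "*CryptoLocker", "CryptoLocker_<ver>".
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        if (-not (Test-Path $key)) { continue }
        $reg = Get-Item $key
        foreach ($name in $reg.GetValueNames()) {
            if ($name -like '*CryptoLocker*') {
                [void]$findings.Add([pscustomobject]@{
                    Type = 'Autostart'; Where = "$key\$name"; What = $reg.GetValue($name) })
            }
        }
    }

    # 2. Configuration keys HKCU\Software\CryptoLocker and CryptoLocker_<version>.
    $cfgKeys = Get-ChildItem 'HKCU:\Software' -ErrorAction SilentlyContinue |
               Where-Object { $_.PSChildName -like 'CryptoLocker*' }
    foreach ($cfg in $cfgKeys) {
        [void]$findings.Add([pscustomobject]@{
            Type = 'Config'; Where = $cfg.Name; What = ($cfg.GetValueNames() -join ', ') })

        # 3. Encrypted-file list: REG_DWORD values named like C:?Users?...  ('?' -> '\').
        $scope = @($cfg) + @(Get-ChildItem $cfg.PSPath -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $scope) {
            foreach ($name in $k.GetValueNames()) {
                if ($name -match '^[A-Za-z]:\?' -and $k.GetValueKind($name) -eq 'DWord') {
                    $path = $name.Replace('?', '\')
                    [void]$findings.Add([pscustomobject]@{
                        Type = 'EncryptedFile'; Where = $path; What = (Test-Path -LiteralPath $path) })
                }
            }
        }
    }

    # 4. Processes running from the root of %AppData% / %LocalAppData%, the drop
    #    locations given in the text. Reported only: the malware runs two copies
    #    of itself, so kill the whole tree from Process Explorer, not one PID.
    #    Get-WmiObject is used so the script also runs on older Windows PowerShell.
    $dropDirs = @($env:APPDATA, $env:LOCALAPPDATA) | ForEach-Object { $_.TrimEnd('\').ToLower() }
    foreach ($p in Get-WmiObject Win32_Process) {
        if (-not $p.ExecutablePath) { continue }
        $dir = (Split-Path $p.ExecutablePath -Parent).ToLower()
        if ($dropDirs -contains $dir) {
            [void]$findings.Add([pscustomobject]@{
                Type  = 'Process'
                Where = "PID $($p.ProcessId) (parent $($p.ParentProcessId))"
                What  = $p.ExecutablePath })
        }
    }

    $findings
}

# Usage: run as the affected user and keep the output (e.g. pipe to Export-Csv)
# before any cleanup, because the encrypted-file list is the record of what was hit.
Get-CryptoLockerArtifacts | Format-Table -AutoSize -Wrap
```

The EncryptedFile rows carry a True/False column showing whether each listed file still exists, which quickly separates files that were encrypted in place from ones that have since been removed or restored.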
Method of Infection
CryptoLocker appears to spread through fake emails that mimic legitimate businesses, such as customer-support messages from FedEx, UPS, DHL, etc. The malware also arrives as a follow-on payload on machines already infected by one of the several botnets whose installs are frequently sold on the underground market.
There are multiple infection scenarios. In one, CryptoLocker itself is attached to the email as a zip archive; opening the archive and running its contents infects the system. The zip contains an executable that carries a PDF icon and a name such as <filename>.pdf.exe. The .exe extension is not visible because Windows hides extensions of known file types by default (Folder Options, “Hide extensions for known file types”).
Initially CryptoLocker was distributed on its own; it is now bundled with a Zbot (Zeus) infection. A Zbot infection can be detected by checking for the registry key HKCU\Software\Microsoft\<random>. In this scenario the spam attachment is not CryptoLocker at all but the Upatre downloader trojan, which fetches Zbot, an infamous piece of malware used to steal banking credentials. At that point the system is infected with Zbot and the user is at risk of losing banking credentials; Zbot in turn downloads CryptoLocker, which encrypts the files, and the user is left having to pay a ransom to get them decrypted.
Variants of CryptoLocker are now also being distributed on peer-to-peer sites that offer pirated copies of Adobe Photoshop and Microsoft Office, so the malware authors are increasingly using peer-to-peer distribution as well.
Zbot/CryptoLocker spam email message
CryptoLocker spam email message
The following is a list of email subjects that have been used to distribute CryptoLocker.
  • USPS – Your package is available for pickup (Parcel 173145820507)
  • FW: Invoice <random number>
  • ADP payroll: Account Charge Alert
  • Important – attached form
  • FW: Last Month Remit
  • McAfee Always On Protection Reactivation
  • Scanned Image from a Xerox WorkCentre
  • Annual Form – Authorization to Use Privately Owned Vehicle on State Business
  • Fwd:
  • My resume
  • New Voicemail Message
  • Important – New Outlook Settings
  • Scan Data
  • New contract agreement.
  • Important Notice – Incoming Money Transfer
  • Notice of underreported income
  • Payment Overdue – Please respond
  • FW: Check copy
  • Payroll Invoice
  • Symantec Endpoint Protection: Important System Update – requires immediate action
Some precautionary measures can prevent a CryptoLocker infection, and Windows has built-in functionality that can block the CryptoLocker executable from running at all.
CryptoLocker can be prevented by blocking the execution of executables in specific locations. Software Restriction Policies, configured either through Group Policy or in the Local Security Policy editor, can enforce this.
Local Security Policy
Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user and computer accounts; it provides centralized management and configuration of operating systems, applications and user settings in an Active Directory environment. Local Security Policy (secpol.msc) is its single-machine counterpart and contains the same Software Restriction Policies node.
We can configure the rules using the Local Security Policy:
  • Click Start, and then click Run.
  • Type secpol.msc, and then click OK.
  • Click Software Restriction Policies. If it reports “No Software Restriction Policies Defined”, right-click it and choose “New Software Restriction Policies” first.
  • Click Software Restriction Policies -> Additional Rules.
  • Right-click “Additional Rules” and click “New Path Rule”.
A window then pops up where we can enter the path and the security level. Under Security Levels the default stays “Unrestricted”, which allows all programs to run except those matched by a Disallowed rule.
Local Security Policy Interface
Preventing execution of executables in LocalAppData and AppData
The path rules and security levels listed below can be entered in that window. CryptoLocker is then prevented from executing from AppData or the Local Settings folders. When a rule later blocks an execution, the user sees “This program is blocked by group policy” and an Event Viewer entry is written to the Application log (source SoftwareRestrictionPolicies, Event ID 866 for a path rule) with the details of the blocked executable.
Event Viewer Alert referring the blocking of an executable
The path rules listed below can be used to effectively block the execution of CryptoLocker and other executables dropped in the same locations.
  • Block the CryptoLocker exe in %AppData%
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables to run from %AppData%.
  • Block the CryptoLocker exe in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables to run from %LocalAppData%.
  • Block executables run from archive attachments opened with WinRAR:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.
  • Block executables run from archive attachments opened using Windows built-in Zip support:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
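The same four rules can be created without clicking through secpol.msc. The script below is an added example, not from the original article: it writes the registry values that the Local Security Policy editor itself writes for Software Restriction Policies (the Safer\CodeIdentifiers key, level subkey 0 for Disallowed, one GUID-named subkey per path rule with ItemData, SaferFlags, Description and LastModified) and then reads back the Event ID 866 entries that blocked executions produce. It must be run from an elevated PowerShell on Windows Vista/7/8; for XP the two %LocalAppData% paths are replaced by the %UserProfile%\Local Settings forms given above.

```powershell
# Added example (not part of the original article): create the four SRP path
# rules from the list above as a Local Security Policy by writing the registry
# values secpol.msc writes, then show the Event Viewer alerts they generate.
# Run elevated on Windows Vista/7/8.

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Policy-wide settings. DefaultLevel 0x40000 = Unrestricted (everything runs
# unless a rule says otherwise); TransparentEnabled 1 = apply to all software
# files except libraries (DLLs); PolicyScope 0 = all users, administrators
# included; AuthenticodeEnabled 0 = no certificate rules.
New-Item -Path $safer -Force | Out-Null
$settings = @{ DefaultLevel = 0x40000; TransparentEnabled = 1; PolicyScope = 0; AuthenticodeEnabled = 0 }
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $safer -Name $name -PropertyType DWord -Value $settings[$name] -Force | Out-Null
}
# Designated file types: the default list secpol.msc writes (.exe is what matters here).
$exeTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
            'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
            'SCR','SHS','URL','VB','WSC'
New-ItemProperty -Path $safer -Name ExecutableTypes -PropertyType MultiString -Value $exeTypes -Force | Out-Null

# The four rules from the list above. Level subkey 0 = Disallowed
# (262144 would be Unrestricted); each rule is a GUID-named subkey under Paths.
$rules = @(
    @{ Path = '%AppData%\*.exe';                 Desc = "Don't allow executables to run from %AppData%." },
    @{ Path = '%LocalAppData%\*.exe';            Desc = "Don't allow executables to run from %LocalAppData%." },
    @{ Path = '%LocalAppData%\Temp\Rar*\*.exe';  Desc = 'Block executables run from archive attachments opened with WinRAR.' },
    @{ Path = '%LocalAppData%\Temp\*.zip\*.exe'; Desc = 'Block executables run from archive attachments opened using Windows built-in Zip support.' }
)
$disallowed = "$safer\0\Paths"
New-Item -Path $disallowed -Force | Out-Null

# Paths already covered by a Disallowed rule, so re-running adds no duplicates.
$existing = @(Get-ChildItem $disallowed | ForEach-Object {
    (Get-ItemProperty $_.PSPath -Name ItemData -ErrorAction SilentlyContinue).ItemData })

foreach ($r in $rules) {
    if ($existing -contains $r.Path) { Write-Host "exists: $($r.Path)"; continue }
    $k = "$disallowed\{$([guid]::NewGuid().ToString().ToUpper())}"
    New-Item -Path $k -Force | Out-Null
    New-ItemProperty -Path $k -Name ItemData     -PropertyType ExpandString -Value $r.Path -Force | Out-Null
    New-ItemProperty -Path $k -Name SaferFlags   -PropertyType DWord        -Value 0       -Force | Out-Null
    New-ItemProperty -Path $k -Name Description  -PropertyType String       -Value $r.Desc -Force | Out-Null
    New-ItemProperty -Path $k -Name LastModified -PropertyType QWord -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    Write-Host "added:  $($r.Path)"
}

# The blocked executions appear in the Application log as Event ID 866
# (source SoftwareRestrictionPolicies): this is the Event Viewer alert shown above.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 866 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*SoftwareRestrictionPolicies*' } |
    Select-Object TimeCreated, Message | Format-List
```

To verify, open secpol.msc and confirm the four entries under Software Restriction Policies > Additional Rules, then copy any harmless .exe into %AppData% and try to start it: it must be refused with “This program is blocked by group policy”, and the last command must then list an Event 866 naming that file. If a test executable is not blocked immediately, log off and back on so the policy is re-read.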
Safe Habits
The preventive measures listed below reduce the risk of a CryptoLocker infection to a considerable extent.
  • Ensure all employees are aware of the CryptoLocker threat and do not open suspicious e-mails or uninvited attachments.
  • If a suspicious email carries an attachment, confirm its authenticity with the sender before opening it.
  • To reduce the impact, keep scheduled backups of important files in a location the infected machine cannot overwrite.
  • Configure IPS and IDS with relevant Indicators of Compromise (IOC) and domains.
  • Configure firewall to block IP’s and domains associated with CryptoLocker.
  • Grant administrative and other high-privilege access only to those who are authorized, and revoke it from those who no longer need it.
  • Limit access to network shares and other shared drives to authenticated user groups or individuals.
  • Enable automatic updates of the operating system and apply all latest security updates and patches.
  • Use a reputable antivirus product and keep its virus definitions current.
  • Apply security updates to other 3rd party applications.
  • Restrict file and object access to authorized personnel only.
  • Restrict access to sensitive files and ensure personnel can only access the data necessary to perform their jobs.
  • Ensure the timely updating of all software by enabling automatic updates.
Following safe browsing habits and providing training on information security and the latest cyber threats to the employees on a regular basis can reduce the business impact to a great extent.
Still, following the above preventive measures does not guarantee that a system will not be affected by CryptoLocker. In case of infection, follow the mitigation steps below.
General Measures
  • Inform the right security personnel or Incident Response Team about the infection.
  • Immediately disconnect the system from the intranet and the Internet, so that the malware cannot reach network shares or its C&C server.
  • Immediately turn off any data synchronization software that automatically synchronizes file changes with other servers. Otherwise the previous versions of the files will be overwritten with encrypted copies and cannot be recovered.
  • Remove the registry keys and program files to stop the program from continuing the encryption process. Export the HKCU\Software\CryptoLocker_<version> key first, since it holds the list of encrypted files.
  • Unlike most programs, CryptoLocker runs two copies of itself: if only one is killed, the other relaunches it. Use a program such as Process Explorer, select the first process and choose “Kill Process Tree” to terminate both at once.
  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password hashes taken from compromised computers, which helps prevent or limit the damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privilege necessary to complete a task. When UAC prompts for administrator credentials, make sure the program asking for administrator-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; removing them leaves threats fewer ways in.
  • If a threat exploits one or more network services, disable or block access to those services until a patch is applied.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • To restore files you may be able to use the Shadow Volume Copies built into Windows Vista, Windows 7 and Windows 8 (run vssadmin list shadows to see whether any exist), provided the malware has not deleted them.
  • Enabling System Restore on a computer makes it possible to restore previous versions of the encrypted files once the malware has been removed; the Previous Versions feature relies on the same shadow copies.
  • Implement Software Restriction Policies (SRPs) to prevent programs like CryptoLocker from executing in common directories such as %AppData% or %LocalAppData%.
  • Use Group Policy Objects (GPOs) to create and restrict permissions on the registry keys used by CryptoLocker, such as HKCU\SOFTWARE\CryptoLocker (and its versioned variants). If the malware cannot open and write to these keys, it terminates before encrypting any files.
At the time of writing there is no way to recover the private key and carry out the decryption manually, so the only way to get all of the files decrypted is to pay the ransom. When the ransom is paid, the decryption process starts and a payment verification screen is displayed. This decryption normally takes about 3 to 4 hours. Some files may fail to decrypt during the process, but this does not affect the rest of it.
Variant of CryptoLocker or CryptoLocker 2.0
CryptoLocker 2.0, a variant of CryptoLocker that operates in the same manner, has spread widely on the Internet. After infection, this variant looks for the file extensions it can encrypt and then pops up the window that demands the ransom. It also uses RSA public-key encryption, but with a 1024-bit key, whereas the original CryptoLocker uses RSA-2048. This variant does not display a countdown timer for paying the ransom. It also only accepts ransom payments in Bitcoin, while the earlier versions accept Bitcoin, MoneyPak, Ukash or CashU.
This variant is written in C#, while the earlier version is written in Visual C++. Its file and registry keys also differ from those of the earlier version. CryptoLocker 2.0 also targets home users by encrypting picture, music and video files.
CryptoLocker 2.0 uses the 3DES algorithm to encrypt the files, whereas the original CryptoLocker uses AES.
CryptoLocker 2.0
