Emerging Threats: CryptoLocker

CryptoLocker is financially motivated ransomware that encrypts a victim's files and demands payment either in Bitcoin or via MoneyPak prepaid cards. It typically arrives as an attachment in spam email purporting to come from shipping companies or to concern routine business processes; it has also been dropped by other malware and spread via thumb drives and Yahoo! Messenger. Upon infection, CryptoLocker contacts its command and control (C2) server and downloads a public RSA-2048 key, which it uses to encrypt common enterprise file types (Microsoft Office, Adobe and Oracle files, among others) on all connected drives and mapped network shares; in practice each file is encrypted with its own symmetric key, and that key is in turn encrypted with the RSA public key. The matching private key never leaves the C2 server, so the victim cannot decrypt the files without it. After encryption, an alert is displayed on the victim's computer notifying them of the encryption and demanding payment via Bitcoin or MoneyPak within 72 hours; the alert claims the private key will be destroyed at that time.
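The encryption behaviour described above leaves a footprint on disk: a document that has been overwritten with ciphertext loses its format header, and its contents become statistically indistinguishable from random bytes. The script below is an added example written for this page, not code from CIS or from any CryptoLocker sample. It walks a directory (a local drive or a mounted share), classifies the Office and PDF files it finds by checking their magic bytes and Shannon entropy, and flags a burst of encrypted-looking documents. The extension list, the magic-byte table, the entropy threshold and the burst ratio are assumptions chosen for the example, and the share it scans is constructed in a temporary directory.

```python
"""Added example: spot documents that have been overwritten with ciphertext.

Two signals are combined: (1) the file no longer starts with the header its
extension implies, and (2) its contents are near-maximum entropy, as encrypted
data is. Using both avoids flagging compressed formats (OOXML, PDF streams),
whose entropy is also high but whose headers are intact.
"""
import math
import os
import tempfile
from collections import Counter

# Magic bytes for the document types the advisory names as CryptoLocker targets.
# The table is an assumption for this example, not taken from the advisory.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office compound file
ZIP = b"PK\x03\x04"                           # OOXML containers are ZIP files
MAGIC = {
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".docx": (ZIP,), ".xlsx": (ZIP,), ".pptx": (ZIP,),
    ".pdf": (b"%PDF-",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; ciphertext sits very close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_matches(data: bytes, ext: str) -> bool:
    return any(data.startswith(m) for m in MAGIC.get(ext, ()))


def classify(data: bytes, ext: str, threshold: float = 7.0) -> str:
    """'intact' when the header is right; 'suspect' when the header is gone and
    the body is near-random (what an encrypted document looks like); 'unknown'
    when the header is gone but the content is low-entropy (corrupt or
    mislabelled, not ciphertext). The 7.0 threshold is an assumption."""
    if header_matches(data, ext):
        return "intact"
    if shannon_entropy(data) >= threshold:
        return "suspect"
    return "unknown"


def scan_tree(root: str) -> dict:
    """Classify every targeted document under root (a drive or mounted share)."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results[path] = classify(fh.read(), ext)
    return results


def encryption_burst(results: dict, ratio: float = 0.25) -> bool:
    """True when at least `ratio` of the targeted documents look encrypted.
    The ratio is an arbitrary assumption; tune it to the share being watched."""
    if not results:
        return False
    suspect = sum(1 for v in results.values() if v == "suspect")
    return suspect / len(results) >= ratio


def build_sample_share(root: str) -> None:
    """Constructed sample data: two intact documents and two overwritten with
    random bytes standing in for ciphertext. Not real CryptoLocker output."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "budget.xls"), "wb") as fh:
        fh.write(OLE2 + b"\x00" * 4096)
    with open(os.path.join(root, "memo.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40)
    with open(os.path.join(root, "contract.docx"), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(root, "slides.ppt"), "wb") as fh:
        fh.write(os.urandom(4096))


def demo_scan():
    """Build the constructed share in a temp dir, scan it, and return
    (sorted (filename, verdict) pairs, burst flag)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        results = scan_tree(tmp)
        verdicts = sorted((os.path.basename(p), v) for p, v in results.items())
        return verdicts, encryption_burst(results)


if __name__ == "__main__":
    verdicts, burst = demo_scan()
    for name, verdict in verdicts:
        print(f"{verdict:8s} {name}")
    print("encryption burst:", burst)
```

Run on its own the script reports `budget.xls` and `memo.pdf` as intact, `contract.docx` and `slides.ppt` as suspect, and a burst. Entropy alone would also flag every genuine .docx and compressed PDF, which is why the header check does the first cut; a scheduled scan like this only confirms damage after the fact, so in production pair it with file-server auditing of write bursts to catch the encryption while it is running.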

The success of CryptoLocker has led to multiple "copycat" malware packages, such as Locker and CryptoLocker 2.0. These copycats often pose as license key generators or music files, use weaker encryption and demand varying amounts of money. In February 2014, reports appeared of a very similar piece of ransomware, CryptoDefense. It is similar to, but not a variant of, CryptoLocker, and its early versions accidentally left the decryption key on the victim's computer: the key pair was generated with the Windows CryptoAPI, which by default persists the private key in the user's local key store. In late May 2014, CryptoDefense was updated to correct this mistake.

CryptoLocker first appeared in September 2013 and primarily targeted users in English-speaking countries. In November 2013, following a congressional hearing on the regulation of Bitcoin, the price of one bitcoin rose quickly from approximately $350 to $800, and the two-bitcoin ransom rose commensurately from about $700 to $1,600. A few days later the operators lowered the fee to 0.5 bitcoin, or approximately $400 per infection. As of December 2013, CryptoLocker demands 0.3 bitcoin, indicating that the developers are actively updating the malware and are trying to maximize profit by keeping the cost of decryption within reach of as many victims as possible.

In November 2013, researchers identified a website, hosted by the developers of CryptoLocker, offering a decryption service for 10 bitcoins. The service claimed a 24-hour processing window, which suggests that the developers do delete private keys after 72 hours and that the new service was attempting to recover the private key by brute force. Note, however, that brute-forcing an RSA-2048 private key is not feasible in any time frame; a more plausible reading is that the keys were never actually deleted and the window reflected manual handling of the request. Many antivirus programs have signatures for CryptoLocker and can remove it. If the malware has already begun encrypting files, though, removing it also removes the only channel for retrieving the private key, so the files cannot be decrypted even if the victim later decides to pay; responders should isolate the host and preserve an image before cleanup, and plan on restoring from offline backups rather than on decryption. CryptoLocker detects removal attempts and replaces the Windows desktop wallpaper with an alert asking the victim to download CryptoLocker again so that they still have the opportunity to pay the ransom and decrypt their files.

See the CIS blog posting on CryptoLocker, posted on October 31, 2013, for more information: http://blog.cisecurity.org. (Added July 2014)
