If someone mentions CryptoLocker, the name may mean nothing to you. What will probably sound familiar is an email from the Post Office that turns out to contain a virus.
Well, CryptoLocker is what you download if you click on the link in that email. Here we explain what it is and how it installs itself on the computer.
What is CryptoLocker?
CryptoLocker is a recent family of ransomware whose business model (yes, malware is a business) is based on extorting the user. Another well-known piece of malware based on extortion is the Police Virus, which demanded payment to regain control of your computer. Unlike it, CryptoLocker works by hijacking the user's documents and demanding a ransom for them, with a time limit after which they can no longer be recovered.
How Cryptolocker is Installed on the Computer
CryptoLocker uses social engineering techniques to get the user to run it. Specifically, the victim receives an email, pretending to come from a logistics company, with a password-protected ZIP attached.
When the user opens the ZIP with the password given in the email, they see what appears to be a PDF file inside; opening that fake PDF executes the Trojan. CryptoLocker takes advantage of the Windows policy of hiding known file extensions by default, so the user is tricked "thanks" to this Windows feature.
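The hidden-extension trick described above can be checked for before anything is extracted: a ZIP's entry names are readable without the password, so a mail gateway or a cautious user can compare the name Explorer would display with the real one. The following is an added example written for this article, not code from the original post or from any CryptoLocker sample; the ZIP it inspects is constructed in memory with a harmless placeholder payload, the extension lists are an assumption chosen for illustration, and a real password-protected ZIP is not simulated because Python's zipfile cannot write one (it can still list names from one).

```python
import io
import zipfile

# Assumed lists for illustration: extensions Windows executes directly, and
# document-like extensions an attacker might place in front of them
# (the classic "Delivery_Notice.pdf.exe" disguise).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def displayed_name(name: str) -> str:
    """Name as Explorer shows it when 'Hide extensions for known file types' is on:
    the last extension is dropped, so 'x.pdf.exe' is shown as 'x.pdf'."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


def is_disguised_executable(name: str) -> bool:
    """True when the real (last) extension is executable and the one before it
    looks like a document, i.e. the hidden-extension trick."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 3:
        return False
    real_ext, fake_ext = parts[-1], parts[-2]
    return real_ext in EXECUTABLE_EXTS and fake_ext in DOCUMENT_EXTS


def scan_zip(data: bytes) -> list[dict]:
    """One record per file entry: displayed name, real name, disguised flag.
    Only the central directory is read, so no entry is ever extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.append({
                "shown_as": displayed_name(info.filename),
                "real_name": info.filename,
                "disguised": is_disguised_executable(info.filename),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment (not a real malware sample): the 'executable'
    is a few placeholder bytes, not actual code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Delivery_Notice.pdf.exe", b"placeholder bytes, not an executable")
        zf.writestr("README.txt", b"constructed benign text file")
    return buf.getvalue()


if __name__ == "__main__":
    for rec in scan_zip(build_sample_zip()):
        verdict = "DISGUISED EXECUTABLE" if rec["disguised"] else "ok"
        print(f'{rec["shown_as"]:<22} (actually {rec["real_name"]}): {verdict}')
```

The point of displayed_name is to reproduce what the victim actually sees: once the real name is placed beside it, the mismatch is obvious, which is exactly why the advice below to disable extension hiding works.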
As soon as the user (the victim) executes the Trojan, it installs itself as a resident on the computer:
- It makes a copy of itself in a user profile path (AppData, LocalAppData).
- It creates an entry in the autorun locations to ensure execution after a restart.
- It launches two processes from the same file: one is the main process and the other protects the original process from being terminated.
Encryption of Files on Disk
The Trojan generates a random symmetric key for each file it is going to encrypt and encrypts the content of the file with AES using this key. It then encrypts the random key with an asymmetric public-private key algorithm (RSA) with keys exceeding 1024 bits in length (we have seen samples that use 2048-bit keys) and adds the result to the encrypted file. This procedure guarantees that only the holder of the RSA private key will be able to obtain the random key with which the file was encrypted. Furthermore, because the original file is overwritten, recovery by forensic techniques is prevented.
The first thing the Trojan does once it runs on the victim's computer is to obtain the public key (PK) from a C&C server. In order to connect to its server, the Trojan incorporates a domain generation algorithm (DGA) based on the Mersenne twister to produce random domain names. This algorithm uses the current date as a seed and can generate up to 1000 different domains of a fixed length each day.
Once the Trojan has managed to download the PK, it stores it in the registry path HKCU\Software\CryptoLocker\Public Key and begins encrypting the files on all hard drives on the computer and on network paths where the user has permissions.
CryptoLocker does not encrypt every file it finds; it specializes in non-executable files whose extensions match the list embedded in the sample.
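A DGA that produces up to 1000 fixed-length random domains per day leaves a characteristic trace on the network: a single host asking the resolver for many long, high-entropy names that do not exist. The following is an added example written for this article, not code from the original post and not CryptoLocker's own algorithm (which is not reproduced here); it runs a simple detector over a few constructed resolver log lines. The log format (timestamp, client, queried name, response code), the thresholds, and the simplified "label left of the TLD" rule (no public-suffix list) are all assumptions made for illustration.

```python
import math
from collections import Counter
from typing import Iterator

# Constructed resolver log lines (not from a real incident). One client is
# browsing normally; the other is burning through non-existent generated names.
SAMPLE_LOG = """\
2013-10-14T09:00:01 10.0.0.5 www.example.com NOERROR
2013-10-14T09:00:02 10.0.0.5 mail.example.org NOERROR
2013-10-14T09:00:03 10.0.0.9 qwpdnxkelrmfbhzt.com NXDOMAIN
2013-10-14T09:00:03 10.0.0.9 xkzmblrqwtpnfhdc.net NXDOMAIN
2013-10-14T09:00:04 10.0.0.9 mhtqzbxnwlpkrfdc.org NXDOMAIN
2013-10-14T09:00:04 10.0.0.9 tzrkqmxbnwfplhdc.biz NXDOMAIN
2013-10-14T09:00:05 10.0.0.9 rfndkzqxwmpbthlc.info NXDOMAIN
2013-10-14T09:00:05 10.0.0.9 dqbxwzrkmnthplfc.com NXDOMAIN
2013-10-14T09:00:06 10.0.0.9 lkbnmxwzqrtpfhdc.com NXDOMAIN
2013-10-14T09:00:07 10.0.0.5 cdn.example.net NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; a 16-letter label with no repeats scores log2(16) = 4.0,
    while dictionary words sit well below 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """Simplified assumption: the label immediately left of the TLD. A real
    deployment would consult the public suffix list (e.g. for .co.uk)."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(label: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Heuristic for machine-generated labels: long and close to uniformly random."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_log(text: str) -> Iterator[tuple[str, str, str, str]]:
    """Yield (timestamp, client, qname, rcode) for each non-empty line of the assumed format."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            yield ts, client, qname, rcode


def dga_suspects(text: str, threshold: int = 5) -> dict[str, int]:
    """Clients with at least `threshold` NXDOMAIN answers for generated-looking names.
    Most DGA output is never registered, so the failures are the signal."""
    hits: Counter = Counter()
    for _, client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN" and looks_generated(registrable_label(qname)):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for client, n in dga_suspects(SAMPLE_LOG).items():
        print(f"{client}: {n} NXDOMAIN lookups of generated-looking names, investigate host")
```

Counting only NXDOMAIN responses keeps legitimate CDN hostnames (which also look random but resolve) out of the result; in practice the threshold is tuned per time window, and a flagged host is a candidate for the process and autorun checks described in the installation section.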
How to Avoid Cryptolocker
The infection method it uses is transmission by email through social engineering. So our advice is:
- Take extra precautions with emails from unexpected senders, especially those that include attached files.
- Disable the Windows policy that hides known file extensions; this makes an attack of this kind easier to recognize.
- Keep a backup system for your critical files. This not only limits the damage caused by malware in case of infection, but also covers you against hardware failures.
- If you have no backup and have become infected, we do not recommend paying the ransom. This should NEVER be the way to recover your files, as it turns this malware into a profitable business model, which will drive the growth and expansion of this type of attack.
- Installing an advanced security suite such as Total Security will help keep your data safe from online threats.
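A backup is only useful if you can tell which files need restoring. One cheap complement to any backup scheme is a hash manifest kept with the offline copy: after an incident, comparing it against the live files shows exactly what was overwritten, what disappeared and what appeared (such as a ransom note). The following is an added example written for this article, not code from the original post or from any backup product; the folder, file contents and the simulated "ciphertext" are all constructed inside a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest.
    Store the result with the offline backup, not on the protected machine."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def verify_against_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree with a stored manifest and classify the differences."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "new": sorted(f for f in current if f not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a small folder, then simulate one document
    being overwritten with unreadable bytes and a ransom note appearing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "thesis.docx").write_bytes(b"constructed document content")
        (root / "photo.jpg").write_bytes(b"constructed image bytes")
        manifest = build_manifest(root)

        # Simulated damage (constructed bytes, no real encryption performed)
        (root / "docs" / "thesis.docx").write_bytes(b"\x93\x1f\xa0 constructed ciphertext-like bytes")
        (root / "DECRYPT_INSTRUCTIONS.txt").write_bytes(b"constructed ransom note")

        return verify_against_manifest(root, manifest)


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        print(f"{kind}: {files}")
```

The "modified" list is the restore list for the backup; the "new" list is worth preserving for incident analysis before the machine is rebuilt. Because the manifest lives with the offline copy, a compromised host cannot quietly rewrite it.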