The EICAR test virus is not a real virus. It is a DOS program created by the European Institute for Computer Antivirus Research, which only displays the message “EICAR-STANDARD-ANTIVIRUS-TEST-FILE” on the screen and then terminates itself. The aim of test viruses is to test the functions of an anti-malware program or to see how the program behaves when a virus is detected.

Download the desired test file to your PC. If your network security does not already prevent the download of the file, the local antivirus program should start working when you try to save or execute the file. Since the EICAR test virus is the only standardized way to monitor antivirus programs “live” at work without endangering yourself, it is likely that all programs will recognize the file. However, this says nothing about the detection or other protection capabilities of the software. If the file is not detected by your virus scanner, it is advisable to investigate the reason for this, for example to detect possible malfunctions.

CryptoLocker is a family of ransomware whose business model (yes, malware is a business to some!) is based on extorting money from users. This continues the trend started by another infamous piece of malware which also extorts its victims, the so-called ‘Police Virus’, which asks users to pay a ‘fine’ to unlock their computers. However, unlike the Police Virus, CryptoLocker hijacks users’ documents and asks them to pay a ransom (with a time limit to send the payment).

CryptoLocker uses social engineering techniques to trick the user into running it. More specifically, the victim receives an email with a password-protected ZIP file purporting to be from a logistics company. The Trojan gets run when the user opens the attached ZIP file by entering the password included in the message and attempts to open the PDF it contains. CryptoLocker takes advantage of Windows’ default behavior of hiding the extension from file names to disguise the real .EXE extension of the malicious file.

As soon as the victim runs it, the Trojan goes memory resident on the computer and takes the following actions:

Once run, the first thing the Trojan does is obtain the public key (PK) from its C&C server. To find an active C&C server, the Trojan incorporates a domain generation algorithm (DGA) known as ‘Mersenne twister’ to generate random domain names. This algorithm uses the current date as seed and can generate up to 1,000 different fixed-size domains every day.

After the Trojan has downloaded the PK, it saves it inside the following Windows registry key: HKCU\Software\CryptoLocker\Public Key. Then, it starts encrypting files on the computer’s hard disk and every network drive the infected user has access to.

CryptoLocker doesn’t encrypt every file it finds, but only non-executable files with the extensions included in the malware’s code:

Additionally, CryptoLocker logs each file encrypted to the following registry key: HKEY_CURRENT_USER\Software\CryptoLocker\Files

The Trojan generates a random symmetric key for each file it encrypts, and encrypts the file’s content with the AES algorithm, using that key. Then, it encrypts the random key using an asymmetric public-private key encryption algorithm (RSA) and keys of over 1024 bits (we’ve seen samples that used 2048-bit keys), and adds it to the encrypted file. This way, the Trojan makes sure that only the owner of the private RSA key can obtain the random key used to encrypt the file. Also, as the computer files are overwritten, it is impossible to retrieve them using forensic methods.

When the Trojan finishes encrypting every file that meets the aforementioned conditions, it displays the following message asking the user to make a ransom payment, with a time limit to send the payment before the private key kept by the malware writer is destroyed.

Curiously enough, the malware doesn’t ask users for the same amount of money, but incorporates its own currency conversion table.

This malware spreads via email by using social engineering techniques.
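For a responder, the two registry locations named in the analysis are the quickest way to confirm an infection and to get the list of files that must be restored from backup, since the originals were overwritten in place. The following PowerShell triage script is an added example, not code from the article or from the malware; it assumes the public key is stored as a value under HKCU\Software\CryptoLocker (the article writes the name with a space, so both spellings are checked), that Files is a subkey whose value names are the logged paths, and the report path is an assumption as well.

```powershell
# Added triage example, not code from the original article or from the malware.
# Reads the registry artifacts the article names and writes a CSV of the files
# CryptoLocker recorded as encrypted, for restore-from-backup planning.
# Assumptions: the public key is a value under the CryptoLocker key, and
# "Files" is a subkey whose value names are the encrypted paths.
function Get-CryptoLockerArtifacts {
    param(
        [string]$BaseKey    = 'HKCU:\Software\CryptoLocker',            # path from the article
        [string]$ReportPath = (Join-Path $env:TEMP 'cryptolocker-files.csv')  # assumed output
    )

    $result = [pscustomobject]@{
        KeyPresent       = $false
        PublicKeyPresent = $false
        EncryptedFiles   = @()
    }

    if (-not (Test-Path -Path $BaseKey)) {
        return $result          # no artifact under HKCU: nothing more to collect here
    }
    $result.KeyPresent = $true

    # Public key value: check both the article's spelling and the spaceless form.
    $props = Get-ItemProperty -Path $BaseKey -ErrorAction SilentlyContinue
    foreach ($name in 'Public Key', 'PublicKey') {
        if ($props -and $props.PSObject.Properties[$name]) { $result.PublicKeyPresent = $true }
    }

    # Files subkey: each value name is one path the Trojan logged as encrypted.
    $filesKey = Join-Path -Path $BaseKey -ChildPath 'Files'
    if (Test-Path -Path $filesKey) {
        $result.EncryptedFiles = @((Get-Item -Path $filesKey).GetValueNames())
    }

    # Persist the list for the restore team; forensic carving will not recover
    # these files because the originals were overwritten, so backups are the way back.
    if ($result.EncryptedFiles.Count -gt 0) {
        $result.EncryptedFiles |
            ForEach-Object { [pscustomobject]@{ Path = $_ } } |
            Export-Csv -Path $ReportPath -NoTypeInformation
    }

    return $result
}

$artifacts = Get-CryptoLockerArtifacts
"CryptoLocker key present: $($artifacts.KeyPresent); public key stored: $($artifacts.PublicKeyPresent)"
"Files logged as encrypted: $($artifacts.EncryptedFiles.Count)"
```

Run it in the context of the affected user, because the artifacts live under HKEY_CURRENT_USER and will not be visible from another account's hive.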