CryptoLocker is associated with the Trojan.Cryptolocker Trojan horse, which encrypts files on the compromised computer and then prompts the user to purchase a password in order to decrypt them.
CryptoLocker uses social engineering techniques to trick the user into running it. More specifically, the victim receives an email with a password-protected ZIP file purporting to be from a logistics company.
The CryptoLocker Trojan runs when the user opens the attached ZIP file using the password included in the message and attempts to open the PDF it contains. CryptoLocker takes advantage of Windows’ default behavior of hiding the extension from file names to disguise the real .EXE extension of the malicious file.
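A mail gateway or triage script can catch the disguise described above by looking at the real final extension of each ZIP entry rather than the name Windows displays. The following is an added example, not code from the original article; the extension lists, function names and sample file names are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed extension lists for this example; extend them for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}

def _ext(name):
    """Lower-cased final extension of name, or '' when there is none."""
    stem, dot, ext = name.rpartition(".")
    return "." + ext.lower() if dot and stem else ""

def classify(path):
    """Return 'ok', 'executable' or 'disguised-executable' for one entry name."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    real = _ext(name)
    if real not in EXECUTABLE_EXTS:
        return "ok"
    # What the user sees once Windows hides the real extension; padding
    # between the decoy and the real extension is stripped before the check.
    shown = name[: -len(real)].rstrip(" .")
    return "disguised-executable" if _ext(shown) in DECOY_EXTS else "executable"

def scan_zip(data):
    """List (entry name, verdict, encrypted?) for every non-'ok' ZIP entry.
    Names come from the ZIP directory, which standard ZIP password protection leaves readable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdict = "ok" if info.is_dir() else classify(info.filename)
            if verdict != "ok":
                findings.append((info.filename, verdict, bool(info.flag_bits & 0x1)))
    return findings

def build_sample_zip():
    """Constructed sample archive with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("Tracking_Notice.pdf.exe", "readme.txt",
                     "docs/form.PDF   .SCR", "setup.exe"):
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

Because the entry names are read without decrypting anything, the check also works on password-protected attachments whose contents a scanner cannot open.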
As soon as the user runs the infected file, the Trojan becomes memory resident on the computer and takes the following actions:
- Saves itself to a folder in the user’s profile.
- Adds a key to the registry to make sure it runs every time the computer starts up.
- Spawns two processes of itself: one is the main process, whereas the other aims to protect the main process against termination.
The Trojan generates a random symmetric key for each file it encrypts, and encrypts the file’s content with the AES algorithm, using that key. Then, it encrypts the random key using an asymmetric public-private key encryption algorithm (RSA) and keys of over 1024 bits (we’ve seen samples that used 2048-bit keys), and adds it to the encrypted file. This way, the Trojan makes sure that only the owner of the private RSA key can obtain the random key used to encrypt the file. Also, as the computer files are overwritten, it is impossible to retrieve them using forensic methods.
When the CryptoLocker Trojan finishes encrypting every file that meets the aforementioned conditions, it displays the following message asking the user to make a ransom payment, with a time limit to send the payment before the private key kept by the malware writer is destroyed.
How to avoid CryptoLocker
- Be particularly wary of emails from senders you don’t know, especially those with attached files.
- We’d like to remind you of the importance of having a backup system in place for your critical files. This will help mitigate the damage caused not only by malware infections, but also by hardware problems or any other incidents.
- If you become infected and don’t have a backup copy of your files, our recommendation is not to pay the ransom. That’s NEVER a good solution, as it turns the malware into a highly profitable business model and will contribute to the flourishing of this type of attack.
Information Source: Panda Security