In mid-September 2013, the SecureWorks® CTU™ security intelligence research team observed a new ransomware malware family called CryptoLocker. Ransomware malware such as Reveton, Urausy, Tobfy, and Kovter has cost consumers considerable time and money over the past several years. Ransomware prevents victims from using their computer normally (e.g., by locking the screen) and uses social engineering to convince victims that failing to follow the malware authors' instructions will lead to real-world consequences. These consequences, such as owing a fine or facing arrest and prosecution, are presented as being the result of a fabricated indiscretion like pirating music or downloading illegal pornography. Victims of these traditional forms of ransomware could ignore the demands and use security software to unlock the system and remove the offending malware. CryptoLocker changes this dynamic by aggressively encrypting files on the victim's system and returning control of the files to the victim only after the ransom is paid.

The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States, either by a version of CryptoLocker that has not been analyzed as of this publication, or by a custom downloader created by the same authors.

Early versions of CryptoLocker were distributed through spam emails targeting business professionals (as opposed to home Internet users). The lure was often a "consumer complaint" against the email recipient or their organization. Attached to these emails was a ZIP archive with a random alphabetical filename containing 13 to 17 characters, of which only the first character is capitalized. The archive contained a single executable with the same filename as the ZIP archive but with an EXE extension. Table 1 lists several examples observed by CTU researchers.

Table 1. Filenames of email-delivered malware samples.

On October 7, 2013, CTU researchers observed CryptoLocker being distributed by the peer-to-peer (P2P) Gameover Zeus malware in a typical pay-per-installation arrangement. In this case, Gameover Zeus was distributed by the Cutwail spam botnet using lures consistent with previous malware distribution campaigns. Figure 1 shows a phishing email delivered by Cutwail on October 7, 2013. Attached to the message is a ZIP archive containing a small (approximately 20KB) executable that uses a document extension in its filename and displays an Adobe Reader icon. This Upatre malware downloads and executes Gameover Zeus, which in turn downloads and installs other malware families, including CryptoLocker.

Figure 1. Spam email containing the Upatre downloader. (Source: Dell SecureWorks)

As of this publication, Gameover Zeus remains the primary method of distributing CryptoLocker. In addition to being distributed by Cutwail, Gameover Zeus has also been distributed by the Blackhole and Magnitude exploit kits.

Execution and persistence

CryptoLocker hides its presence from victims until it has successfully contacted a command and control (C2) server and encrypted the files located on connected drives. Before doing so, the malware ensures that it remains running on the infected system and that it persists across reboots. When first executed, the malware creates a copy of itself in either %AppData% or %LocalAppData% and then deletes the original executable file.

CryptoLocker then creates an "autorun" registry value named "CryptoLocker" under the following key:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Some versions of CryptoLocker create an additional value named "*CryptoLocker" under:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

The asterisk at the beginning of the value name ensures that the malware executes even if the system is restarted in Safe Mode, because Windows otherwise skips RunOnce entries in that mode. Additional configuration data is stored in one of the following registry keys:

HKCU\SOFTWARE\CryptoLocker
HKCU\SOFTWARE\CryptoLocker_0388
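The two attachment patterns described in the distribution section above (the ZIP with a random 13-17 letter name, first letter capitalized, holding one EXE with the same stem; and the small Upatre executable whose filename carries a document extension) can be turned into a mail-gateway triage check. The Python below is an example added here, not code from SecureWorks or from the report. The archives are built in memory, the "executables" are MZ-headed stubs rather than malware, and the 40 KB size ceiling and the list of document extensions are assumptions.

```python
"""Heuristic triage of a ZIP e-mail attachment for the two CryptoLocker lure
patterns described in the distribution section:
  1. early spam runs: a ZIP named with a random 13-17 letter word, only the first
     letter capitalised, holding a single EXE with the same stem;
  2. Cutwail/Upatre runs: a small (~20 KB) EXE whose filename carries a document
     extension in front of '.exe' and so masquerades as a document.
Example code added here, not SecureWorks' code. Archives are built in memory, the
"executables" are MZ-headed stubs, and the 40 KB ceiling and the document-extension
list are assumptions.
"""
import io
import re
import zipfile
from typing import Dict, List

EARLY_STEM = re.compile(r"^[A-Z][a-z]{12,16}$")   # 13-17 letters, first one capitalised
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}   # assumption
UPATRE_MAX_BYTES = 40 * 1024                      # "approximately 20KB", with slack


def is_pe(data: bytes) -> bool:
    """Cheap check for a Windows executable: the DOS 'MZ' signature."""
    return data[:2] == b"MZ"


def triage_attachment(zip_name: str, zip_bytes: bytes) -> List[str]:
    """Return the lure indicators matched by one attachment (empty list = none)."""
    hits: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["attachment is not a valid ZIP archive"]
    with zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        if len(members) != 1:                      # both lures ship a single file
            return hits
        member = members[0]
        data = zf.read(member)
        fname = member.filename.rsplit("/", 1)[-1]  # ignore any directory prefix
        if not (fname.lower().endswith(".exe") and is_pe(data)):
            return hits
        exe_stem = fname[:-4]
        zip_stem = zip_name[:-4] if zip_name.lower().endswith(".zip") else zip_name
        # Pattern 1: early CryptoLocker spam
        if EARLY_STEM.match(zip_stem) and exe_stem == zip_stem:
            hits.append("early CryptoLocker lure: random capitalised stem, EXE matches ZIP name")
        # Pattern 2: Upatre downloader hiding behind a document extension
        inner_ext = exe_stem.rsplit(".", 1)[-1].lower() if "." in exe_stem else ""
        if inner_ext in DOC_EXTS:
            hits.append(f"double extension .{inner_ext}.exe (document lure)")
            if len(data) <= UPATRE_MAX_BYTES:
                hits.append("small PE, consistent with the Upatre downloader")
    return hits


def build_zip(member_name: str, payload: bytes) -> bytes:
    """Build a one-member ZIP in memory (used only to construct the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x00" * 1022   # constructed stub, not a real executable

# Constructed samples: two lures and one benign attachment.
SAMPLES: Dict[str, bytes] = {
    "Qwertyuiopasd.zip": build_zip("Qwertyuiopasd.exe", FAKE_PE),
    "Complaint.zip": build_zip("Complaint_2013.pdf.exe", FAKE_PE),
    "report.zip": build_zip("report.pdf", b"%PDF-1.4 constructed placeholder"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", triage_attachment(name, blob) or "no lure traits")
```

The check deliberately refuses to decide on archives with more than one member, since both lures ship exactly one file; anything more elaborate belongs in a sandbox rather than a gateway heuristic.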
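The persistence artifacts described in the execution and persistence section above (the Run and RunOnce values, the asterisk-prefixed RunOnce name that survives Safe Mode, the copy dropped under %AppData% or %LocalAppData%, and the HKCU\SOFTWARE\CryptoLocker or CryptoLocker_NNNN configuration key) can be checked offline against a reg export HKCU dump taken from a suspect host. The Python below is an example added here, not SecureWorks' code. The .reg text is constructed, and the dropped filename Dnfglpkrt.exe is an assumption, since the report does not give the name of the copied executable.

```python
"""Offline triage of a 'reg export HKCU' dump for the CryptoLocker persistence
artifacts described above: the Run/RunOnce values, the '*'-prefixed RunOnce name
that still runs in Safe Mode, the EXE dropped under %AppData%/%LocalAppData%, and
the HKCU\SOFTWARE\CryptoLocker[_NNNN] configuration key.

Example code added here, not SecureWorks' code. The .reg text is constructed and
the dropped-file name 'Dnfglpkrt.exe' is an assumption (the report does not give it).
"""
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple

RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}
CONFIG_KEY = re.compile(r"^HKEY_CURRENT_USER\\SOFTWARE\\CryptoLocker(_\d+)?$", re.I)
# An EXE sitting directly in %AppData% (Roaming) or %LocalAppData% (Local); the
# "directly in" part is an assumption about how the report's wording is read.
APPDATA_EXE = re.compile(r"\\AppData\\(Roaming|Local)\\[^\\]+\.exe", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


class Finding(NamedTuple):
    key: str
    name: str
    reason: str


def _unescape(s: str) -> str:
    """.reg files escape backslash and double quote with a leading backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Iterator[Tuple[str, Optional[str], Optional[str]]]:
    """Yield (key, None, None) for each key header and (key, name, data) for each
    value line. String data is unquoted and unescaped; hex/dword data is kept raw.
    Multi-line hex continuations are ignored, since only string values matter here."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if not m:
                continue
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            yield key, name, data


def triage_reg(text: str) -> List[Finding]:
    """Return every CryptoLocker persistence indicator found in the export."""
    findings: List[Finding] = []
    for key, name, data in parse_reg(text):
        if name is None:                       # key header
            if CONFIG_KEY.match(key):
                findings.append(Finding(key, "", "CryptoLocker configuration key"))
            continue
        if key.lower() not in RUN_KEYS:
            continue
        if name.lstrip("*").lower() == "cryptolocker":
            findings.append(Finding(key, name, "autorun value named CryptoLocker"))
        if key.lower().endswith("runonce") and name.startswith("*"):
            findings.append(Finding(key, name, "RunOnce '*' prefix: runs even in Safe Mode"))
        if APPDATA_EXE.search(data or ""):
            findings.append(Finding(key, name, "autorun target is an EXE directly under %AppData%/%LocalAppData%"))
    return findings


# Constructed export: one benign autorun (OneDrive, in a subfolder of Local) and
# the CryptoLocker artifacts. The dropped filename is an assumption.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"CryptoLocker"="\"C:\\Users\\alice\\AppData\\Roaming\\Dnfglpkrt.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*CryptoLocker"="\"C:\\Users\\alice\\AppData\\Roaming\\Dnfglpkrt.exe\""

[HKEY_CURRENT_USER\SOFTWARE\CryptoLocker_0388]
"VersionInfo"=hex:00,01,02
'''

if __name__ == "__main__":
    for f in triage_reg(SAMPLE_REG):
        print(f"{f.reason:<62} {f.key}  {f.name}")
```

The autorun-path check fires only on an EXE that is an immediate child of AppData\Roaming or AppData\Local, which is why the OneDrive entry (a subfolder path) stays quiet; widen the pattern if you want every user-writable autorun target listed for review.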