Overview of CryptoLocker

CryptoLocker has been widely discussed in the media recently, owing to the apparent number of successful infections and the manner in which it operates, but how does it actually work?
CryptoLocker is classified as ransomware, broadly defined as ‘a type of malware that stops you from using your PC until you pay a certain amount of money (the ransom)’.

As the definition implies, most ransomware implementations lock the user out of the computer until the ransom is paid. These infections can usually be removed by anti-virus programs or, in extreme circumstances, circumvented by attaching the drive to another machine and recovering the files manually.

CryptoLocker is different in that it doesn’t touch the system files or prevent direct use of the computer. Instead, once launched, it searches the local file system, connected shares and removable media for files with common document extensions such as .doc or .jpg (Kaspersky). It then holds the targeted files (rather than the computer) to ransom by encrypting them: each file is encrypted with a fresh symmetric (AES) key, and that key is in turn encrypted with an RSA 2048 bit public key, so recovering any file requires the matching RSA private key. That key pair is generated on the attackers’ server, which hands only the public half to the infected machine; the private key never exists on the victim’s computer, so no amount of local analysis or anti-virus clean-up can recover it.
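As an added example (not code from the article, nor CryptoLocker's own), the following Go program models the key relationship just described: each file gets a fresh AES-256 key, that key is wrapped with the attackers' RSA-2048 public key, and only the holder of the private key can unwrap it. The use of AES-GCM, RSA-OAEP and the EncryptedFile layout are assumptions made for the illustration; CryptoLocker's actual on-disk format is not documented on this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile models what is left on disk once a file has been processed:
// the per-file key wrapped under the attackers' RSA public key, the GCM
// nonce and the ciphertext. (Assumption: the real on-disk format differs;
// only the key relationship is modelled.)
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptWithPublicKey is the victim-side operation. It needs only the
// public key, so it runs fine on a machine that never sees the private key.
func EncryptWithPublicKey(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // fresh AES-256 key for this one file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// RSA-OAEP wraps the file key; only the matching private key unwraps it.
	// The plaintext file key is not stored anywhere, so after this returns
	// the victim holds nothing that can decrypt the file.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptWithPrivateKey is what the attackers run after payment: unwrap the
// file key with the private half, then decrypt the file.
func DecryptWithPrivateKey(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// Demo runs the exchange end to end. The key pair lives with the "server";
// the victim receives only the public half. It reports whether the server's
// private key recovers the file and whether an unrelated private key
// (standing in for "no private key at all") fails to.
func Demo(plaintext []byte) (roundTripOK bool, wrongKeyFails bool, err error) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	ef, err := EncryptWithPublicKey(&serverKey.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	got, err := DecryptWithPrivateKey(serverKey, ef)
	if err != nil {
		return false, false, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	_, wrongErr := DecryptWithPrivateKey(otherKey, ef)
	return bytes.Equal(got, plaintext), wrongErr != nil, nil
}

func main() {
	ok, fails, err := Demo([]byte("constructed sample document contents"))
	fmt.Println("server key recovers file:", ok, "| unrelated key fails:", fails, "| err:", err)
}
```

Run it with go run: Demo reports true for the server's own key and true for "unrelated key fails". The asymmetry is the whole point: everything the victim machine ever holds sits on the EncryptWithPublicKey side, so neither removing the malware nor digging through the registry yields the private half.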

CryptoLocker is distributed through email attachments, most of them attached to fake emails purporting to contain unpaid invoices or voicemail recordings. Most anti-virus vendors now detect CryptoLocker and can remove the infection, but removal does not reverse the encryption.

Much of the media coverage of CryptoLocker details the end result and concentrates on the ransom payment, but there is little information about the initial infection behaviour. I wanted to see more about the behaviour of the infection beyond the paywall image that is seen everywhere, so I decided to investigate the application by infecting a machine in a controlled environment where the behaviour could be observed first-hand.


A fresh install of Windows 7 64-bit was performed in a virtual machine running on an OS X host. The CryptoLocker application was then launched and, alongside manual observations, its behaviour was monitored with Wireshark and Process Monitor to log the network traffic and process activity.


Upon launching the application, a process with a random name is started and the original dropper is deleted (a small anti-analysis measure intended to make it harder for anti-virus companies to capture samples).

The application then makes repeated attempts to ‘call home’ to fetch the public key it needs before it can start encrypting. As reported by Secure List, a number of the known servers used by CryptoLocker have been sinkholed, and this can be seen in the initial Wireshark results (Figure 1).

Figure 1

After a few minutes, an accessible site is found and a successful connection made (Figure 2).

Figure 2
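To show what the server hunting in Figures 1 and 2 looks like from the defender's side, here is an added example (not from the article) in Go: a detector that flags a client producing an unusual burst of NXDOMAIN answers for distinct names, the signature of a domain generation algorithm walking its candidate list until one resolves. The log lines are constructed, not captured, in an assumed five-field layout, and the domain names are invented.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleDNSLog is a constructed (not captured) log in a simplified
// "timestamp client qtype qname rcode" layout, similar to what Wireshark's
// DNS dissector can export. The names are invented letter-only strings in
// the style of CryptoLocker's domain generation; .101 stands in for the
// infected VM and .102 for a clean host that mistyped one hostname.
const sampleDNSLog = `2013-10-28T14:02:01Z 192.168.56.101 A hqfvbpwlxjdtre.biz NXDOMAIN
2013-10-28T14:02:01Z 192.168.56.101 A uwjfkqtdhgzmn.ru NXDOMAIN
2013-10-28T14:02:02Z 192.168.56.101 A plokmijnuhbygv.net NXDOMAIN
2013-10-28T14:02:02Z 192.168.56.101 A zxqwvcefrbgtny.org NXDOMAIN
2013-10-28T14:02:03Z 192.168.56.101 A tgyhujikolpmnb.info NXDOMAIN
2013-10-28T14:02:03Z 192.168.56.101 A dkfjslaqwpeoriu.co.uk NXDOMAIN
2013-10-28T14:02:04Z 192.168.56.101 A mvcxzlkjhgfdsa.com NOERROR
2013-10-28T14:02:05Z 192.168.56.102 A intranet.example.com NOERROR
2013-10-28T14:02:09Z 192.168.56.102 A intrnet.example.com NXDOMAIN
2013-10-28T14:03:10Z 192.168.56.102 A www.example.com NOERROR`

type dnsEvent struct {
	at    time.Time
	qname string
}

// parseNXDomains collects the NXDOMAIN responses per client, skipping lines
// that do not fit the five-field layout or carry an unparsable timestamp.
func parseNXDomains(log string) map[string][]dnsEvent {
	events := make(map[string][]dnsEvent)
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 5 || f[4] != "NXDOMAIN" {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		events[f[1]] = append(events[f[1]], dnsEvent{at: at, qname: strings.ToLower(f[3])})
	}
	return events
}

// MaxDistinctNXDomains returns, per client, the largest number of distinct
// names that received NXDOMAIN inside any window of the given length.
func MaxDistinctNXDomains(log string, window time.Duration) map[string]int {
	out := make(map[string]int)
	for client, evs := range parseNXDomains(log) {
		sort.Slice(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })
		best := 0
		for i := range evs {
			seen := make(map[string]struct{})
			for j := i; j < len(evs) && evs[j].at.Sub(evs[i].at) <= window; j++ {
				seen[evs[j].qname] = struct{}{}
			}
			if len(seen) > best {
				best = len(seen)
			}
		}
		out[client] = best
	}
	return out
}

// SuspectedDGAClients lists, sorted, the clients whose NXDOMAIN burst reaches
// the threshold: a typo produces one or two, a DGA produces dozens.
func SuspectedDGAClients(log string, window time.Duration, threshold int) []string {
	var hits []string
	for client, n := range MaxDistinctNXDomains(log, window) {
		if n >= threshold {
			hits = append(hits, client)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	fmt.Println(MaxDistinctNXDomains(sampleDNSLog, time.Minute))
	fmt.Println("suspected DGA clients:", SuspectedDGAClients(sampleDNSLog, time.Minute, 5))
}
```

One caveat worth keeping in mind: a domain that has been sinkholed resolves normally (to the sinkhole's address), so it never shows up as NXDOMAIN. The burst above catches the candidates nobody has registered; pair it with egress logs for connections to known sinkhole ranges, or for HTTP POSTs to freshly seen domains, to catch the other half.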

Up to this point the running process has shown little activity, but once the connection has completed and the key exchange is done, the application begins to scan the machine for suitable target files. Figure 3 shows one of the stock images (Penguins.jpg) being found as the application walks the folder structure.

Figure 3

Checking the location shown in the log confirms from the thumbnails that Penguins.jpg has now been encrypted (Figure 4); attempting to open the file produces an error stating that the file is corrupt.

Figure 4

The Process Monitor log also shows the executable performing regular queries on the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. An entry for the application is found here, and the frequent queries check that the entry has not been removed, ensuring a successful launch at the next logon. Deleting this entry confirms the behaviour: it is immediately recreated.
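The Run-key guarding and the file writes are both visible in a Process Monitor CSV export, and the following Go program is an added example (not from the article) of turning such an export into a verdict: it attributes each event to its process and flags any process that repeatedly queries a Run entry, recreates it within seconds of its deletion, and writes into document files. The CSV rows are constructed, not captured; the process name Rlxqmvta.exe, its PID and the Run value name are invented stand-ins for the randomly named process, and the timestamp column is assumed to be in 24-hour form.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleProcMon is a constructed (not captured) excerpt in the column layout
// Process Monitor uses for CSV export, with the time column simplified to
// 24-hour format. Rlxqmvta.exe, its PID and the Run value name are invented
// stand-ins; regedit.exe models the analyst deleting the entry by hand.
const sampleProcMon = `"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"14:05:01.0000000","Rlxqmvta.exe","2312","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\test\AppData\Roaming\Rlxqmvta.exe"
"14:05:02.0000000","Rlxqmvta.exe","2312","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\test\AppData\Roaming\Rlxqmvta.exe"
"14:05:02.5000000","regedit.exe","3000","RegDeleteValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker","SUCCESS",""
"14:05:03.0000000","Rlxqmvta.exe","2312","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker","NAME NOT FOUND",""
"14:05:03.0100000","Rlxqmvta.exe","2312","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\test\AppData\Roaming\Rlxqmvta.exe"
"14:05:04.0000000","explorer.exe","1200","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Program Files\Windows Sidebar\sidebar.exe /autoRun"
"14:05:10.0000000","Rlxqmvta.exe","2312","WriteFile","C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg","SUCCESS","Offset: 0, Length: 777,835"
"14:05:11.0000000","Rlxqmvta.exe","2312","WriteFile","C:\Users\test\Documents\budget.xlsx","SUCCESS","Offset: 0, Length: 20,480"`

const runKeyPrefix = `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\`

// A short list of document extensions stands in for the far longer one the malware targets.
var docExts = map[string]bool{".doc": true, ".docx": true, ".xls": true, ".xlsx": true, ".pdf": true, ".jpg": true}

// ProcSummary counts the three behaviours observed in the article's log.
type ProcSummary struct {
	RunQueries  int // RegQueryValue against a Run entry
	RunRewrites int // RegSetValue on a Run entry within 5 s of its deletion
	DocWrites   int // WriteFile to a document-type path
}

func extOf(path string) string {
	if i := strings.LastIndexAny(path, `.\`); i >= 0 && path[i] == '.' {
		return strings.ToLower(path[i:])
	}
	return ""
}

// Summarise walks the rows in order and attributes each event to its process.
func Summarise(csvText string) (map[string]*ProcSummary, error) {
	rows, err := csv.NewReader(strings.NewReader(csvText)).ReadAll()
	if err != nil {
		return nil, err
	}
	out := make(map[string]*ProcSummary)
	var lastDeleteAt, lastDeletePath = time.Time{}, ""
	for _, r := range rows[1:] { // rows[0] is the header
		at, err := time.Parse("15:04:05.0000000", r[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", r[0], err)
		}
		proc, op, path := r[1], r[3], r[4]
		s := out[proc]
		if s == nil {
			s = &ProcSummary{}
			out[proc] = s
		}
		onRun := strings.HasPrefix(path, runKeyPrefix)
		switch {
		case onRun && op == "RegQueryValue":
			s.RunQueries++
		case onRun && op == "RegDeleteValue":
			lastDeleteAt, lastDeletePath = at, path
		case onRun && op == "RegSetValue" && path == lastDeletePath && at.Sub(lastDeleteAt) < 5*time.Second:
			s.RunRewrites++
		case op == "WriteFile" && docExts[extOf(path)]:
			s.DocWrites++
		}
	}
	return out, nil
}

// Suspects returns, sorted, the processes that guard a Run entry and also write into document files.
func Suspects(csvText string) ([]string, error) {
	sums, err := Summarise(csvText)
	if err != nil {
		return nil, err
	}
	var hits []string
	for proc, s := range sums {
		if s.RunQueries >= 2 && s.RunRewrites >= 1 && s.DocWrites >= 1 {
			hits = append(hits, proc)
		}
	}
	sort.Strings(hits)
	return hits, nil
}

func main() {
	hits, err := Suspects(sampleProcMon)
	fmt.Println("suspects:", hits, "err:", err)
}
```

The benign explorer.exe query of its own Run entry is deliberately included: a single Run lookup is normal Windows behaviour, and it is the combination of constant polling, instant re-persistence and document writes that separates the malware from the noise.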

Another registry location, HKCU\Software\CryptoLocker, contains the public key used to perform the encryption, and Figure 5 shows that HKCU\Software\CryptoLocker\Files holds a list of the files that have already been encrypted (such as Penguins.jpg).

Figure 5

At this stage the application had been running for approximately 90 minutes and had encrypted only two files, despite other default images being present and a number of test files having been placed on the system.


Any malware can be dangerous, and many strains aim to cause maximum disruption simply by deleting files. CryptoLocker is essentially no different, except that it offers the user a way out: the files can be recovered, for the right price.

Obviously all companies and individuals should have a strict backup policy, but from experience many company IT policies are found wanting. Even companies with better than average backup policies may still be at risk. If a real-time backup or sync system that mirrors file changes is used, the encrypted copies quickly overwrite the good ones and the backup is rendered useless unless it retains earlier versions. This applies to any destructive malware, not just CryptoLocker.

The test environment has shown that encrypting files is not a particularly quick process. If a machine has been infected, some files may still be recoverable, so disconnecting it (and any mapped shares) as soon as infection is suspected limits the damage, and the registry key shown in Figure 5 can be used to determine what is already lost.
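The Files key in Figure 5, and the suggestion above of using it to determine what is already lost, can be turned into an inventory from a regedit export. The following Go program is an added example, not from the article; the export text is constructed, and the convention that each value name is the file's path with every backslash replaced by a question mark is an assumption taken from public write-ups rather than something the article states.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleRegExport is a constructed .reg export of the key shown in Figure 5,
// in regedit's text export layout. The convention that each value name is a
// file path with "\" replaced by "?" comes from public write-ups and is an
// assumption here, not something the article states; the file names are invented.
const sampleRegExport = `Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CryptoLocker]

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:?Users?Public?Pictures?Sample Pictures?Penguins.jpg"=dword:00000000
"C:?Users?Public?Pictures?Sample Pictures?Koala.jpg"=dword:00000000
"C:?Users?test?Documents?Q3 budget.xlsx"=dword:00000000
"??fileserver?shared?contracts?lease.doc"=dword:00000000
`

// isFilesKey reports whether a "[...]" section header names the Files
// subkey. The match is loose (contains \CryptoLocker, ends in \Files]) so
// that a suffixed variant of the key name would still be picked up.
func isFilesKey(header string) bool {
	h := strings.ToLower(header)
	return strings.Contains(h, `\cryptolocker`) && strings.HasSuffix(h, `\files]`)
}

// EncryptedFiles returns the paths listed under the Files key, in the order
// they appear, with "?" turned back into "\". The substitution is unambiguous
// because "?" cannot occur in a Windows file name.
func EncryptedFiles(regExport string) []string {
	var files []string
	inFiles := false
	for _, raw := range strings.Split(regExport, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "["):
			inFiles = isFilesKey(line)
		case inFiles && strings.HasPrefix(line, `"`):
			if end := strings.Index(line, `"=`); end > 1 {
				files = append(files, strings.ReplaceAll(line[1:end], "?", `\`))
			}
		}
	}
	return files
}

// ByExtension tallies the lost files by extension, usually the first question
// asked when deciding what a restore has to cover.
func ByExtension(files []string) map[string]int {
	counts := make(map[string]int)
	for _, f := range files {
		ext := ""
		if i := strings.LastIndexAny(f, `.\`); i >= 0 && f[i] == '.' {
			ext = strings.ToLower(f[i:])
		}
		counts[ext]++
	}
	return counts
}

func main() {
	files := EncryptedFiles(sampleRegExport)
	for _, f := range files {
		fmt.Println("encrypted:", f)
	}
	counts := ByExtension(files)
	exts := make([]string, 0, len(counts))
	for e := range counts {
		exts = append(exts, e)
	}
	sort.Strings(exts)
	for _, e := range exts {
		fmt.Printf("%-6s %d\n", e, counts[e])
	}
}
```

regedit (and reg export) write the file as UTF-16; convert it to UTF-8 first (for instance iconv -f UTF-16 -t UTF-8) before feeding it in. Note that the list only tells you which files were touched, not which shares or removable media were connected at the time, so the inventory is a lower bound on what needs restoring.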

Additionally, despite attempts by third parties to sinkhole or block specific domains, the test shows that this only delays the malware by a few minutes before it finds a live server; the threat remains current.

Given the apparent success of CryptoLocker, subsequent copycat attempts are likely to follow.


  • Prevention is important when dealing with CryptoLocker, so an up-to-date anti-virus application is essential. Particular thought must be given to this where a BYOD policy is in place, since those devices sit outside the usual update and control regime.
  • Education is just as important; bogus emails are nothing new, yet users are still being caught out. Malware like CryptoLocker can serve as a reminder to follow basic security measures.
  • Ensure that offline backups are kept, tested and stored safely.
  • Review IT policies and procedures and ensure that they are actually being followed.