CryptoLocker is an application that you would not like to find on your pc. It is classified as a ransomware that is known to encrypt each and every essential file on your computer. This ransomware uses a Bitcoin payment system - ransoms get paid using it, making it rather difficult to prosecute the hackers behind it.
How CryptoLocker is Installed on the Computer
CryptoLocker uses social engineering techniques, to ensure that it is the user who executes it. Specifically, the victim receives an email, pretending to come from a logistics company, which has a ZIP with an access code attached.
When the user opens the zip by entering the access key that comes in the email, he thinks that there is a PDF file inside and when he opens the fake PDF, he executes the Trojan. CryptoLocker takes advantage of the Windows policy of hiding the extensions by default, in such a way that the user is tricked "thanks" to this Windows feature.
- When the user (the victim) executes the Trojan, it installs itself as a resident on the computer:
- Performs an imitation of itself on a path of the user profile (AppData, LocalAppData)
- Create an entry in the autoruns to ensure execution on restart.
- Run 2 processes. One is the primary and the other to protect the original process in front of closures.
Encryption of Files on Disk
The Trojan produces a symmetric key for each file to be encrypted and encrypts the contents of the file with AES using this key. It then encrypts the key with an asymmetric public-private key (RSA) algorithm with keys greater than 1024 bits in length and adds it to the encrypted file. This procedure guarantees that only the owner of the RSA private key will be able to obtain the key with which the file has been encrypted. In addition to this, as an overwrite operation is performed, the restoration of the file through any technique is prevented.
The first thing the Trojan does once it runs on the victim's computer is to get the public key (PK) from a C&C server. In order to connect to its server, the Trojan incorporates an algorithm known as Mersenne twister to produce domain names (DGA). This algorithm uses the date of the day as a seed and can produce up to a thousand different domains day after day, of a fixed length.
When the Trojan has successfully downloaded the PK, it saves it in the HKCUSoftwareCryptoLockerPublic Key registry and begins encrypting the files on each and every hard drive on the computer and on network paths where the user has permissions.
How Can I Avoid CryptoLocker?
The infection procedure it uses is transmission by e-mail through the use of social engineering. With what our tips are:
- Exercise extreme caution against e-mails from unexpected senders, especially those that include attachments.
- Disabling the Windows policy that hides known extensions will also help to recognize an attack of this kind.
- Having a backup system for our critical files, which ensures that not only in the case of infection we can mitigate the damage caused by malware, but we also cover hardware problems beforehand.
- If we do not have a backup and we have become infected, we do not advise paying the ransom. This should NEVER be the solution to recover our files since it transforms this malware into a profitable business model, which will drive the development and expansion of this kind of attack.
- UPDATE A Power Shell script has been created
- Install and update antivirus; do a regular scan
If you have been unlucky enough to be infected by the CryptoLocker Trojan, we can provide you with a solution to recover the encrypted files.
Cryptolocker is Ransomware
Ransomware is a threat that goes beyond simple damage to a computer, it attacks us where it hurts us most, encrypting files that are vital to us and requesting a "ransom" usually in bitcoins.
Bad News Cerber 3, the new version of ransomware that is impossible to decrypt, although at present we have begun to develop tools to be able to decrypt this terrible algorithm, it is still one of the most difficult to recover.
The 10 Most Dangerous Ransomware
Conficker: Worm that allows remote operations and malware download.
Sality: Virus that allows remote operations and downloads of malicious programs.
Locky: It mainly spreads via spam emails with a covert downloader.
Cutwail: Botnet used to send spam messages and take part in DDOS attacks
Zeus: Trojan used to steal banking information.
Chanitor: Install malicious payloads on infected machines.
Tinba: Banking Trojan.
Cryptowall: Ransomware that uses AES encryption and carries out C&C communication through TOR.
Blackhole: Exploit Kit that uses browser security flaws and plugins.
Nivdort: Bot used to steal passwords and modify settings.
No comments:
Post a Comment