Like all file encrypting ransomware (also known as crypto malware), the goal of the attacker is to encrypt important files on the victim's system in order to compel them to pay a ransom in return for their files.

Initial infection and establishing communication

Based on the data we have gathered so far, the infection is mainly spread via social engineering techniques. Multiple victims received emails with alleged customer complaints containing an attachment that is in fact a malware downloader. This downloader then downloads and installs the actual CryptoLocker malware.

Once CryptoLocker has been downloaded and executed by the downloader, it ensures its automatic start during boot by using the following registry value:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CryptoLocker = %appdata%\<random>.exe (note that the file name consists of random hexadecimal numbers)

Once the system is infected, CryptoLocker tries to establish a connection with its command and control server. The malware has two possible ways to contact its master: first by contacting the hardcoded IP 184.164.136.134, which has since been taken down. The command and control server replies with the victim's IP address as well as a unique RSA public key that will be used by the malware during the further encryption process.

[Figure: decoded reply sent by the server to a key request]

As soon as the infection specific RSA key has been obtained, the malware will look for files to encrypt. It does so by searching through all connected drives, including mapped network shares, for files matching one of the following patterns: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, … *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, …

For each file matching one of these patterns, the malware will generate a new 256 bit AES key. This key will then be used to encrypt the content of the file using the AES algorithm. The AES key is then encrypted using the unique RSA public key obtained earlier. Both the RSA encrypted AES key and the AES encrypted file content, together with some additional header information, are then written back to the file. Last but not least, the malware will log the encryption of the file within the HKEY_CURRENT_USER\Software\CryptoLocker\Files registry key.
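As an added example (not code from the original post or from the malware), a small Python triage helper for incident responders: it reads an exported .reg file and pulls out the two registry artifacts described above, the Run value pointing at a hexadecimal-named .exe under %appdata% (assumed here to expand to ...\AppData\Roaming) and the inventory of files the malware recorded under HKEY_CURRENT_USER\Software\CryptoLocker\Files. The .reg sample is constructed, and the layout of the Files key (value name = full path) is an assumption made for the sample.

```python
import re

# Constructed .reg export (not real data): the Run key the post names for
# persistence, plus the HKCU\Software\CryptoLocker\Files key in which the
# malware logs each encrypted file. Value-name-as-path is an assumed layout.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"CryptoLocker"="C:\\Users\\bob\\AppData\\Roaming\\a1b2c3d4e5f60718.exe"

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:\\Users\\bob\\Documents\\report.docx"=dword:00000001
"Z:\\shares\\finance\\budget.ods"=dword:00000001
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FILES_KEY = r"HKEY_CURRENT_USER\Software\CryptoLocker\Files"
# Persistence pattern from the post: an .exe whose name is only hex digits,
# located in %appdata% (assumed to expand to <profile>\AppData\Roaming).
HEX_EXE_IN_APPDATA = re.compile(r"\\AppData\\Roaming\\[0-9a-f]+\.exe$", re.I)


def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export; string data
    and value names are unescaped (\\\\ -> \\, \\" -> ")."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def cryptolocker_indicators(text):
    """Return (suspicious Run values, paths logged in the Files key).
    The value name "CryptoLocker" alone is a weak indicator, so the path
    pattern is checked for every Run value as well."""
    keys = parse_reg(text)
    suspicious = {n: d for n, d in keys.get(RUN_KEY, {}).items()
                  if n == "CryptoLocker" or HEX_EXE_IN_APPDATA.search(d.strip('"'))}
    encrypted = sorted(keys.get(FILES_KEY, {}))
    return suspicious, encrypted
```

The list returned from the Files key doubles as the scoping inventory for restoration from backup, since the post notes the malware records every file it encrypts there.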