
What Is CryptoLocker And How To Avoid It – The Guideline From Semalt


Naveen1409



Presentation Transcript


  1. 23.05.2018 What Is CryptoLocker And How To Avoid It – The Guideline From Semalt
  Source: https://rankexperience.com/articles/article1242.html

CryptoLocker is ransomware. The business model of ransomware is to extort money from internet users. CryptoLocker builds on the trend set by the infamous "Police Virus" malware, which locked a device and demanded payment to unlock it: instead of locking the device, CryptoLocker takes the user's important documents and files hostage by encrypting them and demands a ransom within a stated deadline. Jason Adler, Customer Success Manager of Semalt Digital Services, explains how CryptoLocker works and offers some practical advice on avoiding it.

Malware Installation

CryptoLocker relies on social engineering to trick users into downloading and running it. The target receives an email carrying a password-protected ZIP file, purportedly from a company in the logistics business, with the password stated in the message. The Trojan runs when the user opens the ZIP file with that password and launches the executable inside. It is hard to spot because it takes advantage of the Windows default of hiding file name extensions: an executable named like a document is displayed without its real extension.

When the victim runs the malware, the Trojan does the following:
a) It copies itself into a folder under the user's profile, for example LocalAppData.
b) It adds a key to the registry so that it is started every time the computer boots.
c) It runs as two processes: the main process, and a second process whose only job is to prevent the main process from being terminated.

File Encryption

For every file it encrypts, the Trojan generates a fresh random symmetric key. The file content is encrypted with AES under that key, and the key itself is then encrypted with the RSA public-key algorithm. The RSA keys are longer than 1024 bits; 2048-bit keys have been observed in the wild. Because the per-file key is stored only in RSA-encrypted form, the only party who can recover it, and with it the file, is whoever holds the matching private RSA key. The encrypted data overwrites the originals, so the files cannot be recovered with forensic tools either.

Once run, the Trojan fetches the public key (PK) from a command-and-control (C&C) server. To locate an active C&C server it uses a domain generation algorithm (DGA) built on the Mersenne Twister pseudo-random generator, seeded with the current date, which yields more than 1,000 candidate domain names of varying length per day. The Trojan downloads the PK and saves it in the registry under HKCU\Software\CryptoLocker\Public Key, then starts encrypting files on the hard disk and on the network shares the user has open.

CryptoLocker does not affect every file. It targets only non-executable files whose extensions appear in a list hard-coded in the malware, including *.odt, *.xls, *.pptm, *.rtf, *.pem and *.jpg.
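The per-file AES key wrapped with the operator's RSA public key is what makes recovery without the private key impossible. The Go program below is an added example, not code from the page, from Semalt or from the malware, of that hybrid scheme: it locks a constructed file, recovers it with the operator's private key, and shows that an unrelated private key cannot unwrap the file key. AES-GCM, RSA-OAEP, the 2048-bit key size and all names in it are my choices; the page only says "AES" and "RSA".

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Locked is what the hybrid scheme leaves behind for one file: the content
// under a fresh symmetric key, and that key wrapped with the operator's RSA
// public key. Nothing stored here reveals the AES key.
type Locked struct {
	WrappedKey []byte // RSA-OAEP(pub, aesKey); only the private key opens it
	Nonce      []byte
	Body       []byte // AES-GCM(aesKey, nonce, plaintext)
}

// lockFile encrypts one file the way the page describes: random AES key per
// file, AES on the content, RSA on the key. AES-GCM and RSA-OAEP are my
// choice of modes (assumption), not something the page states.
func lockFile(pub *rsa.PublicKey, plaintext []byte) (*Locked, error) {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Locked{WrappedKey: wrapped, Nonce: nonce, Body: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// unlockFile is what the ransom payment buys: the private key unwraps the
// per-file AES key, and only then can the body be decrypted. With any other
// private key the OAEP unwrap fails.
func unlockFile(priv *rsa.PrivateKey, l *Locked) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Body, nil)
}

// RoundTrip locks a constructed file with the operator's key pair, then
// reports whether the right private key recovers it and whether an
// unrelated 2048-bit key (a "stranger") is rejected.
func RoundTrip(plaintext []byte) (recovered bool, wrongKeyRejected bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	locked, err := lockFile(&operator.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	got, err := unlockFile(operator, locked)
	recovered = err == nil && bytes.Equal(got, plaintext)
	_, err = unlockFile(stranger, locked)
	wrongKeyRejected = err != nil
	return recovered, wrongKeyRejected, nil
}

func main() {
	ok, rejected, err := RoundTrip([]byte("Q3 budget, constructed sample document"))
	fmt.Println("recovered with operator key:", ok, "| stranger's key rejected:", rejected, "| err:", err)
}
```

The point for a defender is in the Locked struct: a memory or disk image of the victim holds the wrapped key and the ciphertext, but the AES key itself exists only transiently, which is why "restore from backup" rather than "recover the key" is the realistic response.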
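A date-seeded DGA cuts both ways: the same seed that lets every infected machine find the day's C&C candidates lets a defender precompute and block them. The Go program below is an added example, not the page's content or the malware's recovered algorithm, of that idea. It is an illustrative stand-in: the real samples used a Mersenne Twister, Go's math/rand is a different generator, and the alphabet, name lengths, TLD list and the names DomainsForDate, BlocklistFor and Matches are all my assumptions.

```go
package main

import (
	"fmt"
	"math/rand"
	"strings"
	"time"
)

// The page says CryptoLocker seeded its generator with the current date and
// produced over 1,000 candidate C&C domains of varying length per day.
// Everything below the seed scheme is an assumption for illustration.
const domainsPerDay = 1000

var tlds = []string{"com", "net", "biz", "ru", "org", "co.uk", "info"}

// dateSeed collapses a calendar day to one integer, so every copy of the
// malware, and every defender who knows the scheme, derives the same list.
func dateSeed(day time.Time) int64 {
	y, m, d := day.UTC().Date()
	return int64(y)*10000 + int64(m)*100 + int64(d)
}

// DomainsForDate returns the n candidate domains for one day, in order.
func DomainsForDate(day time.Time, n int) []string {
	r := rand.New(rand.NewSource(dateSeed(day)))
	const letters = "abcdefghijklmnopqrstuvwxyz"
	out := make([]string, n)
	for i := range out {
		name := make([]byte, 12+r.Intn(21)) // 12..32 letters: "various sizes"
		for j := range name {
			name[j] = letters[r.Intn(len(letters))]
		}
		out[i] = string(name) + "." + tlds[r.Intn(len(tlds))]
	}
	return out
}

// Blocklist is the defender's side of a date-seeded DGA: once the algorithm
// is known, the day's candidates can be precomputed and matched against
// DNS queries or sinkholed.
type Blocklist map[string]bool

// BlocklistFor precomputes the candidates for day plus/minus skewDays, so
// that a victim whose clock is a day off is still covered.
func BlocklistFor(day time.Time, skewDays int) Blocklist {
	bl := make(Blocklist, (2*skewDays+1)*domainsPerDay)
	for delta := -skewDays; delta <= skewDays; delta++ {
		for _, d := range DomainsForDate(day.AddDate(0, 0, delta), domainsPerDay) {
			bl[d] = true
		}
	}
	return bl
}

// Matches reports whether a queried name (with or without the trailing dot
// seen in DNS logs) is one of the precomputed domains.
func (bl Blocklist) Matches(query string) bool {
	return bl[strings.ToLower(strings.TrimSuffix(query, "."))]
}

func main() {
	day := time.Date(2018, time.May, 23, 0, 0, 0, 0, time.UTC) // the page's date
	bl := BlocklistFor(day, 1)
	fmt.Println("first candidates for", day.Format("2006-01-02"), DomainsForDate(day, 3))
	for _, q := range []string{DomainsForDate(day, 1)[0] + ".", "www.example.com"} {
		fmt.Printf("%-40s blocked=%v\n", q, bl.Matches(q))
	}
}
```

Feeding resolver logs through Matches is the cheap detection: a host that queries dozens of never-before-seen names from the day's list is almost certainly an infected machine hunting for a live C&C server.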
CryptoLocker also records every file it has encrypted under the registry key HKEY_CURRENT_USER\Software\CryptoLocker\Files. When encryption is complete, the malware displays a message demanding a ransom payment within a stated deadline, after which, it claims, the private key will be destroyed.

Avoiding CryptoLocker

a) Be suspicious of email from unknown people or organizations, and especially of messages that carry a password-protected archive.
b) Turn off the Windows option that hides file extensions for known file types, so that a lookalike executable such as "invoice.pdf.exe" is displayed with its real extension.
c) Keep important files in a backup system. Because the Trojan also encrypts network files the user has open, the backup should not be a permanently mapped drive.
d) If files are encrypted, do not pay the ransom. Malware developers should never be rewarded.
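Points a) and b) above, together with the lure described under Malware Installation, suggest a mail-gateway check: list the entries of a ZIP attachment and flag executables, especially ones wearing a document extension that the Windows default would hide. The Go program below is an added example, not code from the page or from Semalt; the extension lists, the function names ScanAttachment and SampleAttachment, and the in-memory sample archive are my constructions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Extensions Windows runs on double-click, and the document extensions a
// lure borrows. Both lists are assumptions for this example; extend them.
var executableExts = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true,
	".cmd": true, ".js": true, ".jse": true, ".vbs": true, ".wsf": true,
}

var documentExts = map[string]bool{
	".pdf": true, ".doc": true, ".docx": true, ".xls": true, ".xlsx": true,
	".txt": true, ".jpg": true, ".png": true,
}

// Finding is one suspicious entry in an attachment.
type Finding struct {
	Entry  string
	Reason string
}

// ScanAttachment walks the entry list of a ZIP attachment and flags
// executables, in particular ones hiding behind a document extension that
// the Windows default "hide extensions for known file types" would display
// as a plain document. Entry names sit in the central directory, which ZIP
// password protection leaves in the clear, so the check needs no password.
func ScanAttachment(archive []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range zr.File {
		if strings.HasSuffix(f.Name, "/") {
			continue // directory entry, nothing to run
		}
		base := path.Base(f.Name)
		ext := path.Ext(strings.ToLower(base))
		if !executableExts[ext] {
			continue
		}
		reason := "executable inside attachment"
		shown := strings.TrimSuffix(base, path.Ext(base)) // what Explorer shows by default
		if documentExts[path.Ext(strings.ToLower(shown))] {
			reason = fmt.Sprintf("executable with a double extension; shown as %q when extensions are hidden", shown)
		}
		findings = append(findings, Finding{Entry: f.Name, Reason: reason})
	}
	return findings, nil
}

// SampleAttachment builds a constructed archive in memory that mimics the
// logistics lure: a harmless document beside a lookalike executable and a
// screensaver. It is unencrypted only because archive/zip cannot write
// password-protected entries; the bodies are placeholders, not binaries.
func SampleAttachment() []byte {
	entries := []struct{ name, body string }{
		{"invoice.pdf", "%PDF-1.4 constructed placeholder"},
		{"Shipping_Notice.pdf.exe", "MZ constructed placeholder, not a real binary"},
		{"tracking.scr", "MZ constructed placeholder, not a real binary"},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	findings, err := ScanAttachment(SampleAttachment())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-28s %s\n", f.Entry, f.Reason)
	}
}
```

The check is deliberately name-based: it works on password-protected archives whose contents a gateway cannot open, which is exactly the delivery vehicle the page describes. A content-based check (magic bytes, signatures) only becomes possible once the archive is extracted in a sandbox.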
