It is extremely difficult to recover encrypted files once they are encrypted with RSA algorithm, until we have the private key.
Bitcoin, reportedly, is being increasingly used by malware authors. The amount could be paid in 15 different currencies. The CryptoLocker Ransomware Looks like this:ĬryptoLocker provides three ways of making payment, viz. The list of infected documents is kept under HKEY_CURRENT_USERSoftwareCryptoLockerFiles to avoid multiple encryptions. – The malware starts looking for files extension mentioned in the following list.įrom the list, as we can see, the malware targets all users who possibly would have some important information stored on their machine and would want to restore it back. The public key is sent to the malware running on the user’s machine using secure communication, which is stored under HKCU registry key as shown in the following image: The private key is kept on the server for the next 72 hours. The server generates a pair of public and private key for the machine of the targeted user. It communicates with random servers whose names are generated using Domain Name Generation (DGA) algorithm. – The ransomware uses RSA algorithm with 2048 bit key. – When CryptoLocker gets executed, it copies itself at the root of %APPDATA% folder with names as. This ransomware is spread using social engineering tricks via social media and email attachments. Once it gets executed, it encrypts files in the victim’s computer, and demands a certain ransom for decryption. Last week some of our customers had reported the occurrence of this malware. Today, we will discuss a new entry in the list of file encrypting ransomware it is known as “CryptoLocker”. The virus locks the computer screen and stops the user from using the infected machine until they agree to pay a certain amount of money to the cybercriminal. These organizational reboots are an opportunity for ransomware program leaders to set new ground rules for their members - such as which types of victims aren’t allowed (e.g., hospitals, governments, critical infrastructure), or how much of a ransom payment an affiliate should expect for bringing the group access to a new victim network.Previously we had reported about the “FBI virus”. A key goal of such subterfuge is to throw investigators off the scent or to temporarily direct their attention elsewhere.Ĭybercriminal syndicates also perform similar disappearing acts whenever it suits them. Among the oldest tricks in the book is to fake one’s demise or retirement and invent a new identity. Reinvention is a basic survival skill in the cybercrime business. Indeed, some of the most destructive and costly ransomware groups are now in their third incarnation over as many years. We hang on to these occasional victories because history tells us that most ransomware moneymaking collectives don’t go away so much as reinvent themselves under a new name, with new rules, targets and weaponry. It’s nice when ransomware gangs have their bitcoin stolen, malware servers shut down, or are otherwise forced to disband.