The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States, either by a version of CryptoLocker that has not been analyzed as of this publication, or by a custom downloader created by the same authors.
Early versions of CryptoLocker were distributed through spam emails targeting business professionals (rather than home Internet users). The lure was often a "customer complaint" against the email recipient or their organization. Attached to these emails was a ZIP archive with a random alphabetical filename containing 13 to 17 characters. Only the first character of the filename is capitalized. The archive contained a single executable with the same filename as the ZIP archive but with an EXE extension. Table 1 lists several examples observed by CTU researchers.
Table 1. Filenames of email-delivered malware samples.
On October 7, 2013, CTU researchers observed CryptoLocker being distributed by the peer-to-peer (P2P) Gameover Zeus malware in a typical pay-per-install arrangement. In this case, Gameover Zeus was distributed by the Cutwail spam botnet using lures consistent with previous malware distribution campaigns. Figure 1 shows a phishing email delivered by Cutwail on October 7, 2013. Attached to the message is a ZIP archive containing a small (about 20KB) executable using a document extension in the filename and displaying an Adobe Reader icon. This Upatre malware downloads and executes Gameover Zeus, which in turn downloads and installs other malware families, including CryptoLocker.
As of this publication, Gameover Zeus remains the primary method of distributing CryptoLocker. In addition to being distributed through Cutwail, Gameover Zeus has also been distributed by the Blackhole and Magnitude exploit kits.
CryptoLocker hides its presence from victims until it has successfully contacted a command and control (C2) server and encrypted the files located on connected drives. Prior to these actions, the malware ensures that it remains running on infected systems and that it persists across reboots. When first executed, the malware creates a copy of itself in either %AppData% or %LocalAppData%. CryptoLocker then deletes the original executable file.
CryptoLocker then creates an "autorun" registry key:
Some versions of CryptoLocker create an additional registry entry:
The asterisk at the start of the key name ensures that the malware executes even if the system is restarted in "safe mode."
Additional configuration data is stored in the following registry key:
The VersionInfo value stored within this key contains configuration data encoded with the XOR key 0x819C33AE. The PublicKey value contains the RSA public key received from the C2 server during the initial network connection.
The executable files in early CryptoLocker samples used a random filename formatted like a GUID:
However, the executable files in recent samples use the naming pattern shown in the second column of Table 1.
Several early versions of CryptoLocker, thought to be part of a beta testing phase, included code to connect to 22.214.171.124. This IP address is located in a PhoenixNAP datacenter in Arizona, but it was likely under the administrative control of Jolly Works Hosting. As of this publication, this IP address is no longer active, and CryptoLocker samples released since mid-September no longer reference it.
The malware's network communications use an internal domain generation algorithm (DGA) that produces 1,000 potential C2 domain addresses per day. The domains consist of 12 to 15 alphabetical characters and are within one of seven possible top-level domains (TLDs): com, net, org, info, biz, ru, and co.uk. An error in the algorithm prevents it from using 'z' in a generated domain name. The threat actors never registered a domain under the 'co.uk' TLD, and Nominet, the official registrar for the 'uk' ccTLD, began to sinkhole all potential addresses under this domain on October 18, 2013. As a result, the threat actors cannot use 'co.uk' domains.
The threat actors have also used static C2 servers embedded within the malware. On October 17, a sample was distributed that first connected to inworkforallthen . com before cycling through the domains created by the DGA. Several days later, another sample was hard-coded to connect to ovenbdjnihhdlb . net prior to attempting other generated domains. Since that time, new samples often contain static addresses taken from the pool of domains created by the DGA.
CryptoLocker cycles indefinitely until it connects to a C2 server via HTTP. After connecting to an attacker-controlled C2 server, CryptoLocker sends a phone-home message encrypted with an RSA public key embedded in the malware (see Figure 2). Only servers with the corresponding RSA private key can decrypt this message and successfully communicate with an infected system.
Analysis of the IP addresses used by the threat actors reveals several patterns of behavior. The first is that the threat actors use virtual private servers (VPS) located at different ISPs throughout the Russian Federation and in former Eastern bloc countries. The extended use of some of these hosts, such as 93.189.44.187, 81.177.170.166, and 95.211.8.39, suggests that they are located at providers that are indifferent to criminal activity on their networks or are complicit in its execution (including so-called "bulletproof" hosting providers). The remaining servers appear to be used for several days before disappearing. The threat actors may be strategically using this pattern to remain a moving target, or some ISPs may be terminating their service.
A complete list of network indicators is included in the Threat indicators section.
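The DGA properties above (12 to 15 alphabetical characters, one of seven TLDs, never a 'z') and the two hard-coded domains give a defender enough to triage DNS logs for hosts that are cycling through generated names. The following is an added example, not code from the CTU report; it does not reproduce the DGA itself, only the shape of its output. The BIND-style query-log format and all log lines are constructed for the example; the domain names ovenbdjnihhdlb.net and inworkforallthen.com are the ones named in the text.

```python
"""Triage DNS query logs for CryptoLocker-style DGA lookups (defensive detection)."""
import re
from collections import Counter
from typing import List, Tuple

# Domain properties stated in the analysis: 12 to 15 alphabetical characters, one of
# seven TLDs, and never the letter 'z'. The class 'a-y' below encodes that missing 'z'.
DGA_TLDS = ("com", "net", "org", "info", "biz", "ru", "co.uk")
DGA_LABEL_RE = re.compile(r"^[a-y]{12,15}$")

# Static C2 domains named in the analysis (hard-coded in samples from October 2013).
KNOWN_STATIC_C2 = {"inworkforallthen.com", "ovenbdjnihhdlb.net"}

# Matches a BIND-style query log line; the log format is an assumption for this example.
QUERY_RE = re.compile(r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN ")


def split_registrable(fqdn: str) -> Tuple[str, str]:
    """Return (label, tld) for a name under one of the DGA TLDs, else ('', '')."""
    fqdn = fqdn.lower().rstrip(".")
    for tld in sorted(DGA_TLDS, key=len, reverse=True):  # longest suffix first ('co.uk')
        if fqdn.endswith("." + tld):
            return fqdn[: -len(tld) - 1], tld
    return "", ""


def looks_like_cryptolocker_dga(fqdn: str) -> bool:
    """True when the name has the shape the DGA produces (second-level label only)."""
    label, _ = split_registrable(fqdn)
    if not label or "." in label:  # subdomains such as www.example.com are not DGA output
        return False
    return DGA_LABEL_RE.match(label) is not None


def triage_dns_log(lines: List[str], burst_threshold: int = 3) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (hits, suspects): each matching (client, name), and clients over the burst threshold.

    One DGA-shaped name is weak evidence (legitimate names can share the shape); an
    infected host cycles through many generated names until one resolves, so the
    per-client count is the stronger signal.
    """
    hits, per_client = [], Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        src, name = m.group("src"), m.group("name").lower().rstrip(".")
        if name in KNOWN_STATIC_C2 or looks_like_cryptolocker_dga(name):
            hits.append((src, name))
            per_client[src] += 1
    suspects = sorted(c for c, n in per_client.items() if n >= burst_threshold)
    return hits, suspects


# Constructed sample log (not real traffic). 10.0.0.5 behaves like an infected host;
# 10.0.0.9 produces one false positive (legitbusiness.com has the right shape) and
# one name the 'z' rule excludes (amazonwebstore.com).
SAMPLE_LOG = """\
18-Oct-2013 09:12:01.123 client 10.0.0.5#52311: query: www.example.com IN A + (10.0.0.1)
18-Oct-2013 09:12:01.456 client 10.0.0.5#52312: query: ovenbdjnihhdlb.net IN A + (10.0.0.1)
18-Oct-2013 09:12:02.001 client 10.0.0.5#52313: query: qwerasdftyuiopa.org IN A + (10.0.0.1)
18-Oct-2013 09:12:02.210 client 10.0.0.5#52314: query: hjkluioppasdfg.ru IN A + (10.0.0.1)
18-Oct-2013 09:12:02.522 client 10.0.0.5#52315: query: mnbvcxasdfghjk.co.uk IN A + (10.0.0.1)
18-Oct-2013 09:13:10.000 client 10.0.0.9#40001: query: legitbusiness.com IN A + (10.0.0.1)
18-Oct-2013 09:13:11.000 client 10.0.0.9#40002: query: amazonwebstore.com IN A + (10.0.0.1)
18-Oct-2013 09:13:12.000 client 10.0.0.9#40003: query: mail.google.com IN A + (10.0.0.1)
"""

if __name__ == "__main__":
    found, flagged = triage_dns_log(SAMPLE_LOG.splitlines())
    for src, name in found:
        print(f"{src:12} {name}")
    print("clients over threshold:", flagged)
```

The shape check alone will flag ordinary names of the right length, which is why the burst threshold per client, not the single match, drives the alert; the known static domains are matched regardless of shape.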
Instead of using a custom cryptographic implementation like many other malware families, CryptoLocker uses strong third-party certified cryptography provided by Microsoft's CryptoAPI. By using a legitimate implementation and following best practices, the malware authors have created a robust program that is difficult to circumvent. The malware uses the "Microsoft Enhanced RSA and AES Cryptographic Provider" (MS_ENH_RSA_AES_PROV) to create keys and to encrypt data with the RSA (CALG_RSA_KEYX) and AES (CALG_AES_256) algorithms.
The encryption process begins after CryptoLocker has established its presence on the system and successfully located, connected to, and communicated with an attacker-controlled C2 server. This communication provides the malware with the threat actors' RSA public key, which is used during the encryption process.
The malware begins the encryption process by using the GetLogicalDrives() API call to enumerate the disks on the system that have been assigned a drive letter (e.g., C:). In early CryptoLocker samples, the GetDriveType() API call then determines if the drives are local fixed disks or network drives (DRIVE_FIXED and DRIVE_REMOTE, respectively). Only those two types of drives are selected for file encryption in early samples. Samples since late September also select removable drives (DRIVE_REMOVABLE), which can include USB thumb drives and external hard disks.
After selecting a list of disks to attack, the malware lists all files on those disks that match the 72 file patterns shown in Table 2. Over time, the threat actors adjusted which types of files are selected for encryption; for example, PDF files were not encrypted in very early samples but were added in mid-September. As a result, the list in Table 2 is subject to change.
Table 2. File patterns selected for encryption.
Each file is encrypted with a unique AES key, which in turn is encrypted with the RSA public key received from the C2 server. The encrypted key, a small amount of metadata, and the encrypted file contents are then written back to disk, replacing the original file. Encrypted files can only be recovered by obtaining the RSA private key held exclusively by the threat actors.
As a form of bookkeeping, the malware stores the location of each encrypted file in the Files subkey of the HKCU\SOFTWARE\CryptoLocker (or CryptoLocker_0388) registry key (see Figure 3).
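The registry artefacts described in the persistence section (an autorun value whose name begins with an asterisk, the VersionInfo value XOR-encoded with 0x819C33AE, the PublicKey value) and the Files subkey just described are what an incident responder pulls from an exported hive. The following is an added example, not code from the CTU report: it parses a `reg export` text file and reports those artefacts. The .reg content is constructed, the configuration plaintext is invented, and applying the 32-bit key little-endian every four bytes is an assumption, since the text gives the key but not the byte layout.

```python
"""Triage a Windows .reg export for the CryptoLocker registry artefacts described above."""
import re
from typing import Dict, List, Tuple

XOR_KEY = 0x819C33AE  # VersionInfo XOR key stated in the analysis

RegKeys = Dict[str, Dict[str, object]]


def xor_dwords(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR data with the 32-bit key repeated; symmetric, so it both encodes and decodes.
    Little-endian, repeating every four bytes is an assumption made for this example."""
    kb = key.to_bytes(4, "little")
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text: str) -> RegKeys:
    """Parse the subset of the .reg format 'reg export' writes: string, dword and hex values."""
    keys: RegKeys = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\"):  # long hex values wrap with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            value: object
            if data.startswith("hex:"):
                value = bytes.fromhex(data[4:].replace(",", ""))
            elif data.startswith("dword:"):
                value = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                value = _unescape(data[1:-1])
            else:
                value = data
            keys[current][name] = value
    return keys


def safe_mode_run_entries(keys: RegKeys) -> List[Tuple[str, str, str]]:
    """Run/RunOnce values whose name begins with '*': Windows starts these even in Safe Mode."""
    hits = []
    for key, values in keys.items():
        if key.upper().endswith(("\\CURRENTVERSION\\RUN", "\\CURRENTVERSION\\RUNONCE")):
            hits.extend((key, n, str(v)) for n, v in values.items() if n.startswith("*"))
    return hits


def cryptolocker_artefacts(keys: RegKeys) -> Dict[str, object]:
    """Decode the configuration value and list the files recorded under the Files subkey."""
    config, pk_len, files = None, 0, []
    for key, values in keys.items():
        parts = key.split("\\")
        if parts[-1] in ("CryptoLocker", "CryptoLocker_0388"):
            vi, pk = values.get("VersionInfo"), values.get("PublicKey")
            if isinstance(vi, bytes):
                config = xor_dwords(vi)
            if isinstance(pk, bytes):
                pk_len = len(pk)
        elif parts[-1] == "Files" and len(parts) > 2 and parts[-2] in ("CryptoLocker", "CryptoLocker_0388"):
            files.extend(values.keys())  # one value per encrypted file (value name = path here)
    return {"config": config, "public_key_bytes": pk_len, "encrypted_files": files}


# Constructed sample export (not data from a real infection); the configuration
# plaintext is invented, as the real VersionInfo layout is not described in the analysis.
CONSTRUCTED_CONFIG = b"constructed-config-v1"
_VI_HEX = ",".join(f"{b:02x}" for b in xor_dwords(CONSTRUCTED_CONFIG))

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe /silent"
"*ConstructedEntry"="C:\\Users\\victim\\AppData\\Roaming\\constructed-sample.exe"

[HKEY_CURRENT_USER\SOFTWARE\CryptoLocker]
"VersionInfo"=hex:VI_HEX
"PublicKey"=hex:01,02,03,04,05,06,07,08

[HKEY_CURRENT_USER\SOFTWARE\CryptoLocker\Files]
"C:\\Users\\victim\\Documents\\budget.xlsx"=dword:00000000
"C:\\Users\\victim\\Documents\\contract.docx"=dword:00000000
""".replace("VI_HEX", _VI_HEX)

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("safe-mode autoruns:", safe_mode_run_entries(parsed))
    print("artefacts:", cryptolocker_artefacts(parsed))
```

The list under the Files subkey is the quickest inventory of what was encrypted on a host, which is what a responder needs to scope restores from backup; the decoded VersionInfo is only meaningful once the layout assumption is replaced with the real one.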
After completing the file encryption process, CryptoLocker periodically rescans the system for new drives and files to encrypt.
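Because each targeted file is rewritten in place as ciphertext (encrypted AES key, metadata, then encrypted contents), an intact document and an encrypted one differ in two measurable ways: the encrypted file no longer starts with its format's signature, and its bytes are close to uniformly distributed. The following added example (not code from the CTU report) walks a directory and flags targeted files that show both properties. The extension subset stands in for Table 2, which is not reproduced here, and the directory contents are constructed; the entropy threshold is a working assumption.

```python
"""Find files whose contents look encrypted: a triage aid after a CryptoLocker-style infection."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from typing import List

# A handful of the targeted types; the 72 patterns of the analysis' Table 2 are not
# reproduced here, so this subset is an assumption for the example.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".jpeg"}

# Leading bytes of intact files of those types (PDF, OLE2, ZIP/OOXML, JPEG). A file
# rewritten as ciphertext with the malware's own header in front loses its signature.
KNOWN_MAGIC = (b"%PDF", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", b"PK\x03\x04", b"\xff\xd8\xff")

SAMPLE_BYTES = 4096  # bytes examined per file; enough to estimate entropy cheaply


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """High entropy and no recognisable signature for the claimed type."""
    if any(data.startswith(m) for m in KNOWN_MAGIC):
        return False  # compressed formats are high-entropy too, so the signature check matters
    return shannon_entropy(data[:SAMPLE_BYTES]) > threshold


def find_suspicious_files(root: str) -> List[str]:
    """Walk root; return paths (relative to root, '/'-separated) of targeted files that look encrypted."""
    suspicious = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            if looks_encrypted(head):
                suspicious.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(suspicious)


# Constructed stand-in for ciphertext: deterministic, high-entropy bytes with no signature.
PSEUDO_CIPHERTEXT = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(128))


def build_demo_tree() -> str:
    """Create a temporary directory holding one intact document, one untargeted file and one
    'encrypted' spreadsheet; return its path. Constructed data, not real victim files."""
    root = tempfile.mkdtemp(prefix="cl-triage-")
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"[Content_Types].xml" * 200)  # ZIP signature intact
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"plain text; not a targeted extension")
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "finance", "budget.xlsx"), "wb") as fh:
        fh.write(PSEUDO_CIPHERTEXT)
    return root


if __name__ == "__main__":
    for rel in find_suspicious_files(build_demo_tree()):
        print("possibly encrypted:", rel)
```

Run on a schedule against a file share, the same walk also catches the periodic rescans mentioned above: a new batch of files losing their signatures between two runs is the signal that an infected client still has write access to the share.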
The malware does not reveal its presence to the victim until all targeted files have been encrypted. The victim is presented with a splash screen containing instructions and an ominous countdown timer (see Figure 4).
The ransom amount varied in very early samples (see Table 3), but settled at $300 USD or 2 BTC (Bitcoins) within the few weeks after CryptoLocker's introduction. Dramatic Bitcoin price inflation in the latter months of 2013 led the threat actors to reduce the ransom to 1 BTC, 0.5 BTC, and again to 0.3 BTC, where it remains as of this publication.
The threat actors have offered various payment methods to victims since the inception of CryptoLocker. The methods are all anonymous or pseudo-anonymous, making it difficult to track the origin and final destination of payments.
The description of cashU shown in Figure 5 is taken directly from the Wikipedia entry about the method:
cashU is a prepaid online and mobile payment method available in the Middle East and North Africa, a region with a large and young population with very limited access to credit cards. Because of this, cashU has become one of the most popular alternative payment options for young Arabic online gamers and e-commerce buyers.
The description of Ukash shown in Figure 6 is largely taken from a Facebook post about the product:
Ukash is a digital cash and e-commerce brand. Based on a prepaid system, Ukash allows users to buy and then spend money online.
Money can be purchased from one of the reported 420,000 participating retail locations worldwide, or by using the company's website. This digital cash can then be used to pay online, or loaded on to a prepaid card or eWallet.
You can combine multiple values of your Ukash into a single amount and have your new Ukash Code and value emailed to you if you want. You will need to register at Ukash.com, login and then go to the Manage Ukash area to use the Combine tool.
A screenshot of the Paysafecard dialog was not immediately available for this publication, but the description states:
Paysafecard is an electronic payment method for predominantly online shopping and is based on a pre-pay system. Paying with paysafecard does not require sharing sensitive bank account or credit card details. Using paysafecard is akin to paying with cash in a shop and it is currently available in over 30 countries.
Paysafecard works by purchasing a PIN code printed on a card, and entering this code at webshops.
Paysafecard is available from many supermarkets, petrol stations, tobacconists and newsagents.
The description of Bitcoin shown in Figure 7 is copied almost verbatim from several online sources:
Bitcoin is a cryptocurrency where the creation and transfer of bitcoins is based on an open-source cryptographic protocol that is independent of any central authority. Bitcoins can be transferred through a computer or smartphone without an intermediate financial institution.
The description of MoneyPak shown in Figure 8 is copied directly from the MoneyPak website:
MoneyPak is an easy and convenient way to send money to where you need it. The MoneyPak works as a 'cash top-up card'.
Where can I purchase a MoneyPak?
MoneyPak can be purchased at thousands of stores nationwide, including major retailers such as Walmart, Walgreens, CVS/pharmacy, Rite Aid, Kmart and Kroger. Click here to find a store near you.
How do I purchase a MoneyPak at the store?
Pick up a MoneyPak from the Prepaid Product Section or Green Dot display and take it to the register. The cashier will collect your cash and load it onto the MoneyPak.
Although early versions of CryptoLocker included numerous payment options, the threat actors now only accept MoneyPak and Bitcoin. The Bitcoin option was initially advertised as the "most cheap option" [sic] for ransom payment based on the difference between the $300 USD ransom and the market price of Bitcoins. From August to December 2013, the Bitcoin market experienced significant volatility and dramatically increased in price, negating any financial benefit for victims selecting this payment method.
The variety of payment options and currency choices in early CryptoLocker versions suggests the threat actors initially anticipated a worldwide infection pattern. For reasons unknown to CTU researchers, the threat actors elected to focus exclusively on English-speaking countries and removed the payment options less popular in these countries.
Anecdotal reports from victims who elected to pay the ransom suggest that the CryptoLocker threat actors honor payments by instructing infected computers to decrypt files and uninstall the malware. Victims who submit payments are presented with the payment activation screen shown in Figure 9 until the threat actors validate the payment. During this payment validation phase, the malware connects to the C2 server every 15 minutes to determine if the payment has been accepted. According to reports from victims, payments may be accepted within minutes or may take several weeks to process.
In early November 2013, the threat actors introduced the "CryptoLocker Decryption Service" (see Figure 10). This service offers victims who did not pay the ransom before the timer expired a way to retrieve the encrypted files from their infected system.
The service uploads the first kilobyte of an encrypted file, which includes the header prepended by the malware. The threat actors use that information to query their database for the RSA private key that matches the RSA public key used during file encryption. If the private key is located, the threat actors present the victim with the page shown in Figure 11. The victim is given the option of sending payment to a randomly generated Bitcoin wallet. Early versions of this service charged 10 BTC, but the price was quickly reduced to 2 BTC. After receiving the payment, the threat actors redirect victims to a page that contains instructions on how to decrypt files.
Using the daily weighted BTC price, if the threat actors had sold the 1,216 total BTC collected over the period shown in Figure 12 immediately upon receiving them, they would have earned nearly $380,000. If they elected to hold these ransoms, they would be worth nearly $980,000 as of this publication based on the current weighted price of $804/BTC.
These figures represent a conservative estimate of the number of ransoms collected by the CryptoLocker gang. Based on conversations with U.S.-based victims, the ease of payment with MoneyPak and the numerous technical barriers to obtaining Bitcoins led to most payments being made through the former method. CTU researchers suspect that a significant portion of Bitcoin payments are being made by individuals outside of the U.S., where MoneyPak is not available and Bitcoin is the only option. Based on this information and measurements of infection rates, CTU researchers estimate at least 0.4%, and very likely many times that, of CryptoLocker victims are electing to pay the ransom.
Based on its design, deployment method, and empirical observations of its distribution, CryptoLocker appears to target English-speakers, specifically those located in the United States. Malware authors from Russia and Eastern Europe, where the CryptoLocker authors are thought to originate, commonly target victims in North America and Western Europe. Law enforcement cooperation between these regions is complicated by numerous factors, which often results in threat actors believing that they can operate with impunity.
CTU researchers observed early infections occurring disproportionately at financial institutions, but anecdotal reports suggest that early victims were in verticals as diverse as hospitality and public utilities. As of this publication, there is no evidence the actors are targeting specific industries. The threat actors have also broadened their attacks to include home Internet users in addition to professionals.
CTU researchers began actively monitoring the CryptoLocker botnet on September 18, 2013 and analyzed various data sources, including DNS requests, sinkhole data, and client telemetry, to construct the approximate daily infection rates shown in Figure 13. Spikes coinciding with Cutwail spam campaigns that resulted in increased CryptoLocker infections are clearly indicated, including the period of high activity from October through mid-November. Likewise, periodic lulls in activity have occurred regularly, including a span from late November through mid-December.
The CTU research team registered multiple domains from the pool used by CryptoLocker to construct a sinkhole infrastructure and assess the malware's global impact. Between October 22 and November 1, 2013, 31,866 unique IP addresses contacted CTU sinkhole servers. Figure 14 shows the geographic distribution of these IP addresses.
The United States was disproportionately represented among countries with measurable infection rates. Table 4 lists countries with the top ten infection rates.
The CTU research team implemented a similar sinkhole infrastructure between December 9 and December 16, which was during a period of limited malware activity. Additionally, recent samples use hard-coded C2 domains, which limits the conclusions that can be drawn from data collected from sinkhole domains. During this observation period, 6,459 unique IP addresses contacted the CTU sinkhole servers. Figure 15 shows the geographic distribution of these IP addresses.
In the samples collected by the December sinkhole, the United Kingdom and Australia approached the absolute infection numbers of the U.S., despite having much smaller populations. CTU researchers are uncertain whether this change is an anomaly or represents a change in the threat actors' strategy.
Table 5 lists countries with the top ten infection rates.
Based on the presented evidence, CTU researchers estimate that 200,000 to 250,000 systems were infected globally in the first 100 days of the CryptoLocker threat.
By incorporating the following components in a defense-in-depth strategy, organizations may be able to mitigate the CryptoLocker threat:
CryptoLocker is neither the first ransomware nor the first destructive malware to wreak havoc on infected systems. However, the malware authors appear to have made sound design decisions that complicate efforts to mitigate this threat and have demonstrated a capable distribution system based on the Cutwail and Gameover Zeus botnets. Evidence gathered by CTU researchers confirms the threat actors have previous experience in malware development and distribution, particularly of ransomware. Based on the duration and scale of attacks, they also appear to have the established and extensive "real world" infrastructure necessary to "cash out" ransoms and launder the proceeds.
To mitigate exposure to the CryptoLocker malware, CTU researchers recommend that clients use available controls to restrict access using the indicators in Table 6. The domains listed in the indicators table may contain malicious content, so consider the risks before opening them in a browser. CTU researchers have attempted to remove IP addresses and domains operated by security vendors and private researchers, but some non-malicious infrastructure may be included. Date gaps in domain name data represent periods when the threat actors elected not to register malicious domains or when CTU researchers had insufficient data to determine those domains.
Table 6. Indicators for the CryptoLocker malware.