The Hacker News Logo
Subscribe to Newsletter

Cryptolocker Ransomware makes different Bitcoin wallet for each victim

When you’re online, you expose your vulnerability to malicious virus that have been growing in virulence and ferocity over the last few years. 

Among home PC users, you may think that you protected from malicious software by Installing an effective, trusted antivirus solution, but most if the Antivirus solutions still it merely finds and removes any known threats.

But what if someday you turn on your system and you will find a pop up window with a warning that says "Your system is Locked and Important drives are encrypted and there is no way out unless you will not Pay fine".
This is what Ransomware malware does to your system. Ransomware is the most serious emerging threat in the virtual world of computing devices. Ransomware is a kind of malware which is designed to Block access to the computing system or can lock your system until an amount of money is paid through Internet banking.

Ransomware is usually installed when you open a malicious attachment in an email message or when you click on a malicious link in an email message, instant message, a social networking site or other websites.

A new piece of ransomware is giving Internet users one more reason to think twice before they click a link in an email. You may have read about the Cryptolocker malware in our previous stories on The Hacker News, a new ransomware Trojan that encrypts your files and demands money to return them.

Cryptolocker has been infecting PCs around the world and effectively holding the files within for ransom. Cryptolocker first made an appearance last month. Malware Researcher 'Octavian Minea' from Bitdefender explains the detailed inner workings of the Cryptolocker Ransomware, lets have a look:

The Cryptolocker ransomware gets installed with the help of Zbot variant (Zbot, is a malware toolkit that allows a cybercriminal to build his own Trojan Horse. Zeus, which is sold on the black market, allows non-programmers to purchase the technology they need to carry out cybercrimes.) and after installation it immediately adds itself to the Startup folder with a random name. Then it tries to establish connection with its command and control server on remote location using the Internet and send a 192 byte encrypted packet:
"version=1&id=1&name={COMPUTER_NAME}&group={GROUP_NAME}&lid={LOCATION_ID}"
Where {GROUP_NAME} seems to be related to the time of compilation of the malware and an example for {LOCATION_ID} is 'en-US'.

On successful connection, the server generates a pair of 2048-bit RSA public and private key and the malware receives only the public key and a newly generated Bitcoin address. For each victim, only the Cryptolocker authors have access to the decryption private keys.

The received information from the server gets stored in the system registry at:
HKEY_CURRENT_USER\Software\Cryptolocker_NUMBER\
Which contain the values PublicKey, Version Info with Bitcoin address and the command and control server address in an encrypted form.

Cryptolocker uses a solid encryption scheme as well, which so far appears unbreakable. It begins encrypting documents on any local or network storage drive, which are in any of these formats:
*.odt*.ods*.odp*.odm*.odc*.odb*.doc*.docx*.docm*.wps*.xls*.xlsx*.xlsm*.xlsb*.xlk*.ppt*.pptx*.pptm*.mdb*.accdb*.pst*.dwg*.dxf*.dxg*.wpd*.rtf*.wb2*.pdf*.mdf*.dbf*.psd*.pdd*.eps*.ai*.indd*.cdr????????.jpg????????.jpeimg_*.jpg*.dng*.3fr*.arw*.srf*.sr2*.bay*.crw*.cr2*.dcr*.kdc*.erf*.mef*.mrw*.nef*.nrw*.orf*.raf*.raw*.rwl*.rw2*.r3d*.ptx*.pef*.srw*.x3f*.der*.cer*.crt*.pem*.pfx*.p12*.p7b*.p7c
An AES key is generated for each file to be encrypted, the file is then AES-encrypted and the AES key is itself encrypted using the public key. The encrypted AES key is then appended to the encrypted file.

While the public key is stored on the computer, the private key is stored on the command-and-control server; CryptoLocker demands a payment with either a MoneyPak card or Bitcoin to recover the key and begin decrypting files, and threatens to delete the private key if a payment is not received within 3 days.

"Payment of the ransom can generally be performed in Bitcoins, although some Cryptolocker variants also accept payment methods Ukash, CashU or, only in the US of A, in Money Pack prepaid cards which can only be bought with cash. All these payment methods are practically anonymous." he said.

Due to the extremely large key size it uses, analysts and those affected by the worm have considered CryptoLocker to be extremely difficult to repair.
Users who have their files locked up by the ransomware are currently paying $300 to $700 to the criminals who run the virus to gain control of their computer. Once the victim pays the ransom, the transaction ID must be entered and purportedly verifications ensue. If a private key is sent by the server, it is added to the registry and the decryption process begins.
So far, there have been no reports of the hackers reinfecting a machine once the ransom has been paid. However, the attackers give you roughly three days to pay them, otherwise your data is gone forever, especially if they do not perform regular and off-site backups.

Today’s cybercriminals are using more sophisticated attacks, such as ransomware and spear phishing, which yield them more money per attack than ever before. A sample study of 1000 users by Symantec found India to be the ransomware capital of Asia Pacific with 11% victims of virtual extortion.

There are several free ways to help protect your computer against ransomware and other malware:
  • Make sure to keep all of the software on your computer up to date. 
  • Make sure that automatic updating is turned on to get all the latest security updates.
  • Never open any attachment unless you know who it's from and why they are sending it.
  • Use secure connections for sensitive transactions.
  • Use strong alphanumeric and symbol passwords.
  • Use virtual keyboard for internet banking.
  • Common sense is another good weapon in the fight against viruses.
Photo of Swati Hacker News - Working at 'The Hacker News'. Social Media Lover and Gadgets Girl. Speaker, Cyber Security Expert and Technical Writer.()

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.