
2015 is the year of Cryptolocker: how cyber criminals have perfected their attacks



At the end of 2013, the first signs appeared of a new threat that would soon become one of the most profitable types of attack carried out by cyber criminals. Cryptolocker is the most popular ransomware family, and its name eventually came to be used for all threats of this type.

This threat always follows the same scenario: it encrypts documents and demands a ransom to recover them.

Earlier this year we already wrote about how Cryptolocker works. Briefly, this is how files are encrypted once the malware is installed.

The trojan generates a random symmetric key for each file it intends to encrypt and encrypts the file's contents with the AES algorithm under that key. It then encrypts the random key with an asymmetric public-private key algorithm (RSA) using keys longer than 1024 bits (we have seen samples that used 2048-bit keys) and appends the result to the encrypted file. Thus the trojan ensures that only the holder of the RSA private key can recover the random key that was used to encrypt the file. In addition, the original files are overwritten on disk, so they cannot be recovered using special recovery methods.

Fig. Once launched, the trojan retrieves the public key (PK) from its C&C server. To find an active C&C server, the trojan includes a domain generation algorithm (DGA) built on the "Mersenne twister" PRNG for producing random domain names. The algorithm is seeded with the current date and can generate up to 1000 different fixed-size domains per day. (Note: the quality of the picture does not allow the code to be fully reproduced.)



After the trojan has downloaded the PK, it saves it in the Windows registry key HKCU\Software\CryptoLocker\Public Key.

The trojan then encrypts files on the computer's hard disk as well as on every network drive the infected user has access to.

Fig. CryptoLocker does not encrypt every file it finds, only non-executable files whose extensions appear in a list contained in the malicious code:


Additionally, CryptoLocker logs each encrypted file in the registry key HKEY_CURRENT_USER\Software\CryptoLocker\Files.
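The two registry artifacts described above are useful triage points for incident response. The following read-only PowerShell check is an added example, not code from the original article or from Panda; it assumes the registry paths quoted in the text and treats the value names under the Files key as opaque strings, since the article does not describe their format.

```powershell
# Added example: read-only triage of the CryptoLocker registry artifacts
# named in the article. Assumes the paths quoted in the text; value names
# under the Files key are kept verbatim because their format is not given.
$publicKeyPath = 'HKCU:\Software\CryptoLocker'
$filesPath     = 'HKCU:\Software\CryptoLocker\Files'

function Get-CryptoLockerArtifacts {
    $result = [ordered]@{
        PublicKeyPresent = $false
        PublicKey        = $null
        EncryptedFiles   = @()
    }

    # The "Public Key" value only exists once the PK was fetched from the C&C.
    if (Test-Path -Path $publicKeyPath) {
        $item = Get-ItemProperty -Path $publicKeyPath -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.PSObject.Properties['Public Key']) {
            $result.PublicKeyPresent = $true
            $result.PublicKey        = $item.'Public Key'
        }
    }

    # Each value name under Files is one entry the malware wrote per encrypted file.
    if (Test-Path -Path $filesPath) {
        $key = Get-Item -Path $filesPath
        $result.EncryptedFiles = @($key.GetValueNames() | Where-Object { $_ -ne '' })
    }

    [pscustomobject]$result
}

$artifacts = Get-CryptoLockerArtifacts
if ($artifacts.PublicKeyPresent -or $artifacts.EncryptedFiles.Count -gt 0) {
    Write-Warning "CryptoLocker registry artifacts found on $env:COMPUTERNAME"
    # Preserve the list of affected files for the IR record before any cleanup.
    $logFile = Join-Path $env:TEMP "cryptolocker_files_$env:COMPUTERNAME.txt"
    $artifacts.EncryptedFiles | Set-Content -Path $logFile
    $artifacts | Format-List
} else {
    Write-Output 'No CryptoLocker registry artifacts found.'
}
```

Both keys live in the infected user's HKCU hive, so run the check in that user's session (or load their NTUSER.DAT) rather than as a separate administrator account.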

Fig. Once the trojan has finished encrypting every file that meets the above conditions, it displays this message demanding a ransom, with a payment deadline after which the malware author destroys the private key.


Fig. The malicious program does not ask every user for the same amount of money; it contains its own currency conversion table:


As a rule, cyber criminals geolocate the victim by IP address so as to display the ransom instructions in the victim's native language. Payment is usually demanded in Bitcoin, and all contact with the extortionists goes through Tor, which helps them stay out of reach of law enforcement.

These attacks grew in popularity during 2014. At first they targeted individuals, but later attacks on businesses began, which proved more profitable: the affected information was of great importance to the companies, and the ransom (usually around 300 euro) is well within the means of any enterprise.

In 2015 we saw how cyber criminals perfected their attacks in order to overcome any security tools that might stand in their way:

• They no longer make mistakes when encrypting files. Earlier errors allowed security vendors to create tools for recovering documents without paying the ransom.
• New threat families have appeared: a growing number of cyber-criminal groups are using Cryptolocker, which has become the most popular type of threat at the moment.
• They all use Bitcoin as the means of payment, which makes them very hard to track.
• They have focused on two distribution channels:
o exploits;
o email with an archived attachment.
• Cyber criminals create new forms of attack; we have already seen them start using PowerShell scripts, which ship with Windows 10 by default.
• As for mobile devices, although we have seen some attacks (for example, ones that change the device's access code), they remain the exception for now.

How to protect yourself from Cryptolocker

As for protecting yourself, remember that Cryptolocker differs from traditional malware in certain ways: it is not a persistent threat (once the documents are encrypted there is no need to remain on the system, and some samples even delete themselves), and its authors are not too worried about the threat being detected by antivirus. For the cyber criminals, all that matters is that the attack can run until the moment of detection; after that, detection no longer matters.

Traditional forms of detection are currently often useless, because before each attack the criminals verify that these technologies cannot detect the sample, and if they can, minor changes are made to evade detection. In most cases behavioral analysis is also unable to detect what these threats do, because they usually embed themselves in running system processes to encrypt files from the inside, which makes the activity look like normal computer operation.

But a system such as Adaptive Defense 360, which tracks every process running on a computer, can stop encryptor attacks in time, before they encrypt your documents.

We invite you to evaluate the capabilities of Adaptive Defense 360 using a demo console (no product installation required).

The demo console demonstrates Panda Adaptive Defense 360 with preconfigured user settings, profiles, etc., so that you can evaluate the console in a mode as close as possible to real operation.

Access to the demo console with full rights
Login: DRUSSIAN_FEDERATION_C13@panda.com
Password: DRUSSIAN # 123

Note: changes made to product settings while viewing the demo console are reset daily.

Source: https://habr.com/ru/post/272831/
