The document discusses the Cryptolocker ransomware. It provides an overview of Cryptolocker, including its history and evolution since 2013. It describes how Cryptolocker encrypts files, communicates with command and control servers, and demands ransom payments in Bitcoin. The document analyzes Cryptolocker's techniques and attributes it to a cybercriminal group based in Russia. It also covers the emergence of related ransomware such as Cryptodefense and Simplelocker on Android.
2. Your speakers today
Nick Bilogorskiy
Director of Security Research
Jean Krahulec
Event Marketing Director
3. Agenda
o What is Cryptolocker
o Major incidents involving Cryptolocker
o Dissecting the malware
o Wrap-up and Q&A
Cyphort Labs T-shirt
4. About Cyphort Labs
We work with the security ecosystem:
o Contribute to and learn from malware KB
o Best of 3rd party threat data
We enhance malware detection accuracy:
o False positives/negatives
o Deep-dive research
Threat Monitoring & Research team:
o 24x7 monitoring for malware events
o Assist customers with their Forensics and Incident Response
5. Poll #1
Who does Cryptolocker target?
o Governments
o Individuals
o Corporations
6. What is Cryptolocker?
o Began September 2013
o Encrypts victim’s files, asks for $300 ransom
o Impossible to recover files without a key
o Ransom increases after deadline
o Goal is monetary via Bitcoin
o 250,000+ victims worldwide (according to SecureWorks)
7. If you see this screen - You are infected
Image source: FBI
8. Who pays the ransom?
Police department paid $750 to decrypt images and Word documents
9. Ransomware History
2005: PGPCoder Trojan – 1024-bit RSA key, collects money via E-Gold
2009: Bitcoin is invented by Satoshi Nakamoto
2012: Reveton Trojan, aka Police Trojan, collects money via MoneyPak
2013: Bitcoin becomes popular, price increases
2013: Cryptolocker
12. Attribution
Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, nickname “Slavik”, indicted for conspiracy, computer hacking, wire fraud, bank fraud, and money laundering.
Bogachev is identified as a leader of a cyber gang of criminals based in Russia and Ukraine that is responsible for both GameOver Zeus and Cryptolocker.
13. Cryptolocker Victims and Damages
o Dell SecureWorks estimates that CryptoLocker has infected 250,000 victims. The average payout is $300 each
o 1 million dollars a day.
o $27 million in ransom in first 2 months (FBI)
18. Cryptolocker analysis
- Drops copy of itself in %APPDATA%\{random}.exe
- It creates the following autorun key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "CryptoLocker":<random>.exe
- It creates two processes of itself. The other acts as a watchdog.
Later versions of CryptoLocker create an additional registry entry:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker":<random>.exe
19. Cryptolocker C&C
Domain Generation Algorithm
It uses any of the following TLDs for every generated domain:
.com, .net, .biz, .ru, .org, .co.uk, .info
[Figure: C&C communication flow, steps 1-6 – encrypt files with the public key flow]
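A defender-side check added here as an example (it is not code from the deck): a host running a DGA tries many generated names and most of them do not exist, so a burst of NXDOMAIN answers for random-looking labels under the TLDs listed above is a useful signal. This goes beyond the slide, which lists only the TLDs; the resolver log lines and the vowel-ratio heuristic are constructed for illustration.

```python
from collections import defaultdict

# TLDs the slide lists for Cryptolocker's generated domains.
CRYPTOLOCKER_TLDS = (".com", ".net", ".biz", ".ru", ".org", ".co.uk", ".info")

# Constructed resolver log (not real traffic): "<client ip> <queried name> <response code>".
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.7 qjxkrwtpvbme.net NXDOMAIN
10.0.0.7 hfsdlqmwbztp.biz NXDOMAIN
10.0.0.7 kpwrbvtqxmhd.ru NXDOMAIN
10.0.0.7 mjtdbslrqvxz.co.uk NXDOMAIN
10.0.0.7 updates.example.org NOERROR
10.0.0.9 mail.example.net NXDOMAIN
"""

def split_domain(qname):
    """Return (registrable label, tld) when the TLD is one the DGA uses, else None."""
    q = qname.lower().rstrip(".")
    for tld in CRYPTOLOCKER_TLDS:
        if q.endswith(tld):
            return q[:-len(tld)].split(".")[-1], tld
    return None

def looks_generated(label):
    """Lexical heuristic: long, letters only and consonant-heavy (few vowels) -> DGA-like."""
    if len(label) < 10 or not label.isalpha():
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return vowels / len(label) < 0.25

def find_dga_clients(log_text, threshold=3):
    """Map client -> suspicious names for clients with >= threshold NXDOMAINs on DGA-like names."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "NXDOMAIN":
            continue
        client, qname = parts[0], parts[1]
        parsed = split_domain(qname)
        if parsed and looks_generated(parsed[0]):
            hits[client].append(qname)
    return {client: names for client, names in hits.items() if len(names) >= threshold}
```

The threshold and the vowel ratio are tuning knobs; a real deployment would use a longer window and better lexical features, but the NXDOMAIN burst itself is the part worth alerting on.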
22. Cryptolocker analysis
It searches in all local and remote drives for files to encrypt.
All files that are encrypted are also saved in the following registry key for record:
HKEY_CURRENT_USER\Software\CryptoLocker\Files
The only way to decrypt is to buy the private key from the attackers.
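The registry artifacts from slides 18 and 22 can be checked in one pass over a .reg export. This is an added example, not code from the deck: the export text, the user profile and the dropped file name "fgdhst.exe" are constructed, and the Files key is counted simply as one value per encrypted file, as the slide describes.

```python
import re
RUN_KEYS = (r"hkey_current_user\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\runonce")
FILES_KEY = r"hkey_current_user\software\cryptolocker\files"
PERSIST_NAMES = {"cryptolocker", "*cryptolocker"}   # value names of the Run / RunOnce entries

# Constructed .reg export of an infected profile (illustrative; "fgdhst" is a made-up name).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"CryptoLocker"="C:\\Users\\alice\\AppData\\Roaming\\fgdhst.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*CryptoLocker"="C:\\Users\\alice\\AppData\\Roaming\\fgdhst.exe"

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:\\Users\\alice\\Documents\\report.docx"=dword:00000000
"C:\\Users\\alice\\Pictures\\family.jpg"=dword:00000000
"""

def parse_reg(text):
    """Parse a .reg export into {key_lower: {value_name: data}}; string data is unquoted and unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                name, data = m.group(1).replace("\\\\", "\\"), m.group(2)
                if len(data) >= 2 and data[0] == data[-1] == '"':
                    data = data[1:-1].replace("\\\\", "\\")
                keys[current][name] = data
    return keys

def find_cryptolocker_artifacts(text):
    """Flag the persistence values and the encrypted-file record key described on the slides."""
    keys, findings = parse_reg(text), []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if name.lower() in PERSIST_NAMES:
                in_appdata = "\\appdata\\roaming\\" in data.lower()   # slide: dropped to %APPDATA%
                findings.append(("persistence", key.rsplit("\\", 1)[1], name, data, in_appdata))
    if FILES_KEY in keys:                      # one value per encrypted file -> a quick damage count
        findings.append(("encrypted_file_record", len(keys[FILES_KEY])))
    return findings
```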
24. Cryptolocker 2.0
                  Original Cryptolocker              Cryptolocker 2.0
Compiler          C++                                .NET
Encryption        RSA-2048                           RSA-4096
C&C servers       Employs DGA                        No DGA
Payment scheme    MoneyPak, Ukash, CashU, Bitcoin    Bitcoin only
Around December 2013, a new ransomware emerged claiming to be Cryptolocker 2.0.
Drops copy of itself in %system% as msunet.exe.
25. Cryptodefense aka Cryptowall
o Cryptodefense is a newer variant of Cryptolocker.
o appeared in Feb 2014
o no GUI
o pops up a webpage, drops text file
o Uses TOR for anonymous payments
27. Android SimpleLocker
May 2014 – Simplelocker appears in Ukraine
- Asks for $22 USD using Monexy
- Uses TOR for C&C
Checks SD card for: jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4
Unlike Cryptolocker, the encryption key is hardcoded in the malware. Encrypted files are appended with “.enc”.
28. Conclusions
1. Cryptolocker evolved into a major threat allowing criminals to easily monetize malware infections via Bitcoin
2. Due to the current geopolitical situation, Russian attackers will likely continue the barrage against US businesses and individuals while enjoying safe haven in their home country.
3. Cryptolocker needs the public key to encrypt files, so blocking known C&C servers may help prevent data encryption
4. Backup your files! Since decrypting Cryptolocker-encrypted files is not possible, frequent backups become even more critical. And keep your backup offline.
29. Q and A
o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware
FBI’s Washington Field Office, in coordination with law enforcement counterparts from Canada, Germany, Luxembourg, the Netherlands, United Kingdom, and Ukraine.
Michele Spagnuolo, an Italian grad student, looked at a few known CryptoLocker Bitcoin payment addresses and observed over the course of one day in December: "In total, we identified 771 ransoms, for 1226 BTC", which was USD 1,100,000 on December 15, 2013.
So the gang could be estimated to be making a million dollars a day.
Security researchers estimate that, as of April 2014, Cryptolocker had infected more than 234,000 computers, with approximately half of those in the United States. One estimate indicates that more than $27 million in ransom payments were made in just the first two months since Cryptolocker emerged.
Now we have our first Poll question:
What do you think is the most prevalent use of Zeus malware?
The Interdisciplinary Research Centre in Cyber Security at the University of Kent in Canterbury did a survey in January 2014, where it found that the proportion of Cryptolocker victims that claim to have agreed to pay the ransom to recover their files (41%) seems to be much larger than expected (3% was conjectured by Symantec, 0.4% by Dell SecureWorks).
http://www.cybersec.kent.ac.uk/Survey2.pdf
It employs a Domain Generation Algorithm for its C&C servers and checks for an active server by sending system data. Communication to the server is encrypted with an RSA public key found in the malware’s body. A valid C&C server will be the only one that can decrypt the data because it is expected to have the private key. All communication between the Cryptolocker malware and the C&C server is encrypted with this RSA public key.
After the C&C server establishes a connection with the malware, it generates a key pair (public key and private key). The malware sends a request for the public key and the server responds.
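The exchange described above, modelled as an added example (not code from the deck and not the malware's own): toy RSA with fixed small primes stands in for the real RSA-2048 keys, and CncServer, client_checkin and victim_id are constructed names. It shows the point behind conclusion 3: the per-victim public key only arrives if the check-in reaches a server holding the private key, so a blocked or unresolved C&C domain leaves nothing to encrypt with.

```python
from math import gcd

# Toy RSA with fixed small primes so the exchange is reproducible (constructed; the real
# malware used RSA-2048 keys). Messages are small integers standing in for the data blobs.
def rsa_keygen(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))        # (public key, private key)

def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

# The public key found in the malware body; the matching private key exists only on the C&C.
EMBEDDED_PUB, CNC_PRIV = rsa_keygen(61, 53)

class CncServer:
    """Server side: decrypts the check-in, generates a per-victim key pair, returns its public half."""
    def __init__(self, priv):
        self.priv, self.victims = priv, {}

    def handle(self, ciphertext):
        victim_id = rsa_decrypt(self.priv, ciphertext)
        victim_pub, victim_priv = rsa_keygen(89, 97)
        self.victims[victim_id] = victim_priv     # the private key never leaves the server
        return victim_pub

def client_checkin(server, victim_id):
    """Client side: send system data under EMBEDDED_PUB and request the victim public key.
    server=None models a generated domain that is blocked or never resolved."""
    if server is None:
        return None                               # no public key -> nothing can be encrypted
    return server.handle(rsa_encrypt(EMBEDDED_PUB, victim_id))
```

Because the check-in is encrypted to EMBEDDED_PUB, a sinkhole that lacks CNC_PRIV sees only ciphertext; that is why takedowns targeted the infrastructure rather than trying to read the traffic.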
If you have Dropbox mapped to a drive letter on an infected computer, CryptoLocker will attempt to encrypt the files on the drive. Dropbox offers free versioning on all of its accounts that will allow you to restore encrypted files through their website. Unfortunately, the restore process offered by Dropbox only allows you to restore one file at a time rather than a whole folder.