The document discusses the Cryptolocker ransomware. It provides an overview of Cryptolocker, including its history and evolution since 2013. It describes how Cryptolocker encrypts files, communicates with command and control servers, and demands ransom payments in Bitcoin. The document analyzes Cryptolocker's techniques and attributes it to a cybercriminal group based in Russia. It also covers the emergence of related ransomware such as Cryptodefense and Simplelocker on Android.

1. Dissecting the
Cryptolocker Ransomware
Cyphort Labs Malware’s Most Wanted Series
June 2014

2. Your speakers today
Nick Bilogorskiy
Director of Security Research
Jean Krahulec
Event Marketing Director

3. Agenda
o What is Cryptolocker
o Major incidents involving Cryptolocker
o Dissecting the malware
o Wrap-up and Q&A
CyphortLabsT-shirt

4. We work with the
security ecosystem
•••••
Contribute to and learn
from malware KB
•••••
Best of 3rd Party threat
data
We enhance malware
detection accuracy
•••••
False positives/negatives
•••••
Deep-dive research
Threat Monitoring &
Research team
•••••
24X7 monitoring for
malware events
•••••
Assist customers with
their Forensics and
Incident Response
About Cyphort Labs

5. Poll #1
Who does Cryptolocker target?
o Governments
o Individuals
o Corporations

6. What is Cryptolocker?
o Began September 2013
o Encrypts victim’s files, asks for $300
ransom
o Impossible to recover files without a key
o Ransom increases after deadline
o Goal is monetary via Bitcoin
o 250,000+ victims worldwide
(According to Secureworks)

7. If you see this screen - You are infected
Image source: FBI

8. Who pays the ransom?
Police department paid $750 to decrypt images and word documents

9. PGPCoder Trojan – 1024 RSA key, collects money
via EGOLD
Bitcoin was invented by Satoshi Nakamoto
Reveton Trojan, aka Police Trojan. collects money
via Moneypak
BitCoin becomes popular, price increases
Cryptolocker
Ransomware History
2005
2009
2012
2013
2013

10. Cryptolocker History
September
2013
October
2013
November
2013
December
2013
February
2014
May
2014
June
2014
Cryptodefense,
BitCrypt
Android -
Simplelocker
Cryptolocker
author
identified and
added to
most wanted
list
Cryptolocker 2.0
CryptoLocker
Decryption Service
introduced
Cryptolocker
1.0 appeared

11. Attribution
According to the FBI, losses are “more than $100 million.”
Image source: FBI

12. Attribution
Evgeniy Mikhailovich Bogachev, 30, of
Anapa, Russia. nickname “Slavik”
,indicted for conspiracy, computer
hacking, wire fraud, bank fraud, and
money laundering .
Bogachev is identified as a leader of a
cyber gang of criminals based in
Russia and Ukraine that is
responsible both GameOver Zeus and
Cryptolocker.

13. Cryptolocker Victims and Damages
o Dell SecureWorks estimates that CryptoLocker has
infected 250,000 victims. The average payout is
$300 each
o 1 million dollars a day.
o $27 million in ransom in first 2 months (FBI)

14. Cryptolocker Victims and Damages
Image source: FBI

15. Poll #2
What percentage of victims
pay the ransom?
o 0.1%
o 1%
o 25%
o 41%

16. 41% of people pay ransom
Data from a Jan 2014 survey by University of Kent
http://www.cybersec.kent.ac.uk/Survey2.pdf

17. Cryptolocker overview
z
Bitcoin Ransom Sent
C&C
Server
Private Key Sent
Locked Files
Unlocked Files

18. Cryptolocker analysis
- Drops copy of itself in %APPDATA%{random}.exe
- It creates the following autorun key.
HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun "CryptoLocker":<random>.exe
- It creates two processes of itself. The other acts as a watchdog.
Later versions of CryptoLocker create an additional registry entry:
HKCUSOFTWAREMicrosoftWindowsCurrentVersionRunOnce "*CryptoLocker":<random>.exe

19. Cryptolocker C&C
Domain Generation Algorithm
It uses any of the following TLD for every generated domain:
.com , .net , .biz, .ru , .org , .co.uk , .info
1 2
3
4
Encrypt Files with the public key flow
5
6

20. Cryptolocker C&C
CnC - Sinkholed – what does it mean?

21. CryptoLocker Victims
Filename and Extensions Encrypted by
CryptoLocker

22. Cryptolocker analysis
It searches in all local and remote drives for files to encrypt.
All files that are encrypted are also saved in the following
registry for record:
HKEY_CURRENT_USERSoftwareCryptoLockerFiles
The only way to decrypt is to buy the private key
from the attackers.

23. Cryptolocker Ransom
Payment options:
moneypak, ukash,
cashu, bitcoin
Price: $300 USD or 2 BTC

24. Cryptolocker 2.0
Original Cryptolocker Cryptolocker 2.0
Compiler C++ .NET
Encryption RSA-2048 RSA-4096
C&C servers Employs DGA No DGA
Payment Scheme moneypak, ucash,
cashu, bitcoin
bitcoin only
Around December 2013, a new ransomware emerged
claiming to be Cryptolocker 2.0.
Drops copy of itself in %system%. As msunet.exe

25. Cryptodefense aka Cryptowall
o Cryptodefense is a newer variant of Cryptolocker.
o appeared in Feb 2014
o no GUI
o pops up a webpage, drops text file
o Uses TOR for anonymous payments

26. Cryptodefense aka Cryptowall

27. Android SimpleLocker
May 2014 – Simplelocker appears in Ukraine
- Asks for $22 USD using Monexy
- Uses TOR for C&C
Checks SD card for:
jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi,
mkv, 3gp, mp4
Unlike Cryptolocker,
Encryption key is
hardcoded on the
malware. Encrypted
files are appended
with “.enc”.

28. Conclusions
1. Cryptolocker evolved into a major threat
allowing criminals to easily monetize malware
infections via Bitcoin
2. Due to current geopolitical situation, Russian
attackers will likely continue the barrage
against US businesses and individuals while
enjoying safe haven in their home country.
3. Cryptolocker needs public key to encrypt files
so blocking known C&C servers may help
prevent data encryption
4. Backup your files! Since decrypting the
cryptolocker encrypted files is not impossible
frequent backups become even more critical.
And keep your backup offline.

29. Q and A
o Information sharing
and advanced
threats resources
o Blogs on latest
threats and findings
o Tools for identifying
malware

30. Thank You!