Everything You Wanted to Know About Cryptolocker…



November 4, 2013 | Posted by Nachreiner | 40 Comments

… And Weren’t Afraid to Ask

If you follow my weekly Infosec news video, you probably remember me mentioning Cryptolocker in an episode late September. At the time, Cryptolocker seemed very similar to the many other ransomware variants in the wild, except that it seemed to be spreading a bit more quickly than others. However, over time Cryptolocker has proven much more aggressive than previous extortion malware campaigns. I have since received many emails and tweets from readers and customers asking about it; especially whether or not WatchGuard’s XTM security appliance can do anything to prevent it. With that in mind, I created a quick video about Cryptolocker, which also shows how WatchGuard’s XTM appliance can detect it. Watch the video below, and continue reading for more details and references.

(Episode Runtime: 12:54)

Direct YouTube Link: http://www.youtube.com/watch?v=uifwqLHYGsk

Since many great sources have already described Cryptolocker in complete detail, I’ll just share a quick summary. However, I’ll include links to my favorite Cryptolocker resources at the end of the post.

Cryptolocker is a ransomware trojan that encrypts your personal files. It spreads in many ways, including in phishing emails that contain malicious attachments or links, or via drive-by download sites. Often, Cryptolocker arrives as a file with a double extension, such as *.pdf.exe. Since Windows doesn’t display file extensions by default, this file may look like a PDF file rather than an executable.

If you run Cryptolocker, it infects your computer like normal malware, placing its files in Windows directories and creating registry entries that allow it to restart when you reboot. It then also tries to contact its command and control (C&C) server. The malware uses a random domain name generation algorithm to try to find a current C&C server. Some sample Cryptolocker domains might look like this:

  • jkamevbxhupg.co.uk
  • uvpevldfpfhoipn.info
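Names produced by a domain generation algorithm tend to look like the two samples above: long, vowel-poor, with consonant clusters no dictionary word has. The following is an added example, not code from the original post or from WatchGuard, that applies that crude heuristic to constructed DNS query log lines; the log format, the tiny public-suffix list and the thresholds are all assumptions you would tune for your own environment.

```python
import re

# Assumed, simplified public-suffix list; real deployments should use the full PSL.
KNOWN_SUFFIXES = ("co.uk", "org.uk", "com", "net", "org", "info", "biz", "ru")
VOWELS = set("aeiou")
# Assumed log layout: "<timestamp> <client-ip> query <qtype> <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")

def registered_label(domain: str) -> str:
    """Return the label directly left of a known public suffix, e.g. 'jkamevbxhupg'."""
    domain = domain.lower().rstrip(".")
    for suffix in sorted(KNOWN_SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1]
    return domain.split(".")[-2] if "." in domain else domain

def vowel_ratio(label: str) -> float:
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0

def max_consonant_run(label: str) -> int:
    runs = re.findall(r"[b-df-hj-np-tv-z]+", label)
    return max((len(r) for r in runs), default=0)

def looks_generated(domain: str, min_len: int = 10) -> bool:
    """Heuristic: a long label with few vowels or a long consonant cluster."""
    label = registered_label(domain)
    if len(label) < min_len:
        return False
    return vowel_ratio(label) < 0.3 or max_consonant_run(label) >= 5

def flag_dga_lookups(log_lines):
    """Return (client, qname) for every line whose queried name looks generated."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m and looks_generated(m["qname"]):
            hits.append((m["client"], m["qname"]))
    return hits

# Constructed sample log (not real traffic); the two odd names are the post's samples.
SAMPLE_LOG = [
    "2013-11-04T10:15:02Z 10.0.0.12 query A watchguard.com",
    "2013-11-04T10:15:07Z 10.0.0.12 query A jkamevbxhupg.co.uk",
    "2013-11-04T10:15:09Z 10.0.0.12 query A uvpevldfpfhoipn.info",
    "2013-11-04T10:16:00Z 10.0.0.15 query A www.youtube.com",
]

if __name__ == "__main__":
    for client, name in flag_dga_lookups(SAMPLE_LOG):
        print(f"possible DGA lookup from {client}: {name}")
```

A host repeating such lookups at a fixed interval (as one commenter below saw, every 60 minutes) is a stronger signal than any single name.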

Once Cryptolocker contacts its C&C, it generates a public/private cryptographic key pair for your specific computer, using very strong and standard RSA and AES 2048-bit encryption. The private key is only stored on the attacker’s C&C servers, but the public key is saved in a registry entry on your computer. Cryptolocker then uses that key pair to encrypt many different types of files on your computer. Here’s a list of files Cryptolocker looks for:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.

After encrypting your files, Cryptolocker shows a screen warning you that you have 72 hours to pay either $300 or £200 in order to get your files back.

What should I do if I get infected?

If you are infected with Cryptolocker, the first thing you should do is disconnect the infected PC from the internet. If Cryptolocker can’t access its C&C, it can’t encrypt files. Disconnecting the machine may prevent further files from being encrypted.

There are many tools that will totally clean a Cryptolocker infection, but most victims are more concerned with recovering encrypted files. Unfortunately, you will not be able to crack Cryptolocker’s encryption. It uses a very strong and reliable public/private key implementation that is similar to what commercial encryption products use. It would take decades to centuries to crack today. There is a chance that the good guys may eventually track down the attacker’s C&C servers, and recover some private keys. However, I would not hold out much hope for this.

Rather, if Cryptolocker encrypts some of your files, you should check whether you have a backup, as that is your best chance of recovering the lost data. That said, some victims have reported some success using Windows’ built-in System Restore features to recover some lost files, too.

Many have asked whether or not Cryptolocker’s decryption process works if you pay the ransom. Personally, I highly discourage you from ever paying extortion to cyber criminals. Not only are you paying off criminals, but you are encouraging them to continue to use these methods in the future. That said, reports claim that Cryptolocker’s decryption does work. However, in order for the process to work, an infected computer must retain access to the C&C server. If the server is taken down by authorities, sink-holed, or temporarily goes offline, paying the ransom may only result in the loss of your money.

How can I avoid Cryptolocker?

First, most commercial antivirus (AV) products can detect many variants of Cryptolocker. So you should definitely use both host-based and network-based AV products, and keep them up to date. That said, Cryptolocker’s authors are very aggressive at re-packing and crypting their malware. Without going into technical details, packing and crypting are techniques malware authors use to make the same executable file look different on a binary level, which helps it evade some AV solutions. You can learn more about packing and crypting in this video (near the end). In short, though AV helps a lot, some variants may get past some AV solutions. You need to use other defenses as well.

Also note, some web security solutions, such as WatchGuard’s WebBlocker or Reputation Enabled Defense (RED) service, can help. These services keep track of millions of malicious URLs and web sites. This means they can block access to sites that distribute malware, or can prevent infected hosts from reaching C&C servers. In the video above, you can see WebBlocker preventing a Cryptolocker-infected machine from reaching its C&C servers. If you aren’t using a WatchGuard XTM appliance with the UTM services, I highly recommend you do so, or at least use some other web security solution.

Finally, awareness is the best defense. Cryptolocker typically spreads in pretty obvious looking phishing emails. The emails may pretend to be FedEx or UPS related messages, which contain zip files that hide a double-extension executable. You should train your users to recognize some of the common phishing and malware signs, such as unsolicited emails from shipping providers, double-extension files, links that point to the wrong sites, and so on. With a little vigilance, and security products like our XTM appliance, you should be able to avoid most Cryptolocker infections.
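The double-extension trick described above and earlier in the post (a *.pdf.exe hidden inside a zip attachment) can be checked for automatically at the mail gateway or on a file share. The following is an added example, not code from the original post or from WatchGuard; the extension lists are assumptions, and the zip it inspects is constructed in memory so the script runs offline.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import List

# Extensions Windows will run on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a user expects on a harmless attachment (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt", ".zip"}

def is_double_extension_executable(name: str) -> bool:
    """True for names like 'invoice.pdf.exe': a decoy extension right before an executable one."""
    suffixes = [s.lower() for s in PurePosixPath(name.replace("\\", "/")).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS

def suspicious_zip_members(zip_bytes: bytes) -> List[str]:
    """Return member names inside a zip attachment that are executables, disguised or not."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            plain_exe = PurePosixPath(name).suffix.lower() in EXECUTABLE_EXTS
            if plain_exe or is_double_extension_executable(name):
                flagged.append(name)
    return flagged

def build_sample_zip() -> bytes:
    """Constructed sample attachment: one disguised .exe next to a genuine-looking PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx_Tracking_Info.pdf.exe", b"MZ constructed placeholder, not real code")
        zf.writestr("shipping_label.pdf", b"%PDF-1.4 constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    for member in suspicious_zip_members(build_sample_zip()):
        print(f"quarantine attachment: {member} looks like a disguised executable")
```

Note that this is a name check only; a gateway should still run the extracted members through AV, which is why the "Enable decompression" setting mentioned in the comments matters.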

So to summarize, Cryptolocker is aggressively spreading, and has infected many victims. However, security products like WatchGuard’s XTM appliance can detect and block it using various security services. That said, Cryptolocker can also spread internally through network shares, which network security solutions can’t prevent. Ultimately, your best defense is awareness and vigilance. If you haven’t already warned your users about Cryptolocker, I recommend you do so, and perhaps even refer them to the video above.

If you’d like much more technical detail about Cryptolocker, here are some of my favorite resources:

— Corey Nachreiner, CISSP (@SecAdept)

Comments (40)

    1. There is now a piece of software out there that helps sort through your files and determines if any of them are unencrypted. If they are recoverable, it automatically copies them to an external drive of your choice. I work at a computer shop and we use it on computers that have been hit with cryptolocker.


  1. Unfortunately we had an infection that was not stopped also. UTM is installed and configured, including RED. We traced the infection to the user, then used WSM logging to confirm exactly when it occurred, which workstation was infected, and saw it calling home to the C&C every 60 minutes.

    1. Matt and Lucci, what XTM specifically are you using?

      One key to our AV catching it is that you have the large AV signature set (It has 2.5mil signatures instead of around 250K). Only smaller appliances, like the 2-Series, and some 5’s have the small signature set (due to memory constraints).

      Also, random interesting fact… if you use XTMv (the virtual version), the signature set depends on the amount of RAM you reserve for your VM. If you reserve 1GB or less, you get the smaller set, but if you reserve 2GB or more, you get the large set.


      1. Lucci,

        That model definitely uses the Small signature set for GAV (memory restrictions). So it is possible for that small set to not have as many Cryptolocker related signatures. That said, the Small set is supposed to have all the major wild list sigs, which Cryptolocker is definitely one of, so we will work with our partner to see if we can get some of the large set’s cryptolocker related signatures into the small set too.

      2. No problem… Also one other pro-tip I may not have made clear in the post. Many cryptolocker emails include the file as a zip first. You need to open the zip to find the evil, double-extension .pdf.exe or whatever. If it arrives as a zip file, our GAV will only catch it if you “Enable decompression” in the GAV settings.

        This is something I always do, and may have been a default before… However, I just learned in a conversation that it is NOT the default any longer. So check your AV settings and make sure you are enabling decompression, so we can find threats in zips too.


      3. “That model definitely uses the Small signature set for GAV”
        I have that same model, but I may have opted for a better model if I had known that little bit of info. There is no mention of this in the comparison sheets – perhaps something for WG to update

      4. We have an XTM 525 – Can you please let me know if this uses the small or large signature set?

        I agree with Nik Y – If there is a difference in signature set size between devices it should be made note of. Kind of important you would think.

  2. 1. The nastiest thing about Cryptolocker is that the key generation process goes online. In earlier versions of different crypto-ransomware instances, the private key was stored on the victim’s machine, generated from the computer SID and encrypted by one of the standard Windows API functions… Now the malware goes online, generates pairs, and you can’t get the pair to decrypt… Looks like it’s the start of a new botnet trend.
    2. My thanks to Corey for PoC about the protection against some versions of Cryptolocker with WatchGuard XTM.

  3. eXactBot Hosting Solutions » How To Combat CryptoLocker

  4. How To Fight CryptoLocker And Evade Its Ransomware Demands

  5. CryptoLocker – time to take notice! | Kiandra IT Blog

  6. I’ve been advising everyone to make sure ‘Control Panel – Folder Options – View – Hide extensions for known file types’ is not ticked. With this option removed, it will be easier to spot a fake (e.g. sample.pdf.exe) file.

  7. IT Security Guru | US CERT issues warning about CryptoLocker

  8. Visibility is necessary to determine which information to secure | Smart Security

  9. 5 things you can do to block Cryptolocker infections without spending another cent. | LogicalTech's enterprise technology thought leadership blog forum

  10. IT Security Guru Around 140 CryptoLocker C&C domains sinkholed | IT Security Guru

  11. Professional Virus, Malware Removal and System Tune Up » Bowes IT Solutions

  12. How Managed Security Can Help Stop Cryptolocker | MegaNet Communications

  13. Expert Virus, Malware Removal and System Tune Up » Bowes IT Solutions

  14. How To Block CryptoLocker, A Virus That Encrypts Your Files Then Demands A $300 Ransom | BaciNews

  15. Cryptolocker - Nasty Ransomware Wrecking Havoc Worldwide - Checkmarx

  16. How important visibility is to defending your data in 2014? | LogicalTech's enterprise technology thought leadership blog forum

  17. US CERT issues warning about CryptoLocker

    1. Unfortunately, no. Obviously, if you have a backup that helps. If you are using Windows’ automatic System Restore, you MAY be able to restore files from Shadow copies (though newer variants killed those)… The only known way is to pay the ransom, which I personally really don’t recommend.

  18. An impressive share! I’ve just forwarded this onto a friend who
    had been conducting a little research on this. And he actually ordered me
    breakfast because I found it for him… lol. So let me reword this….
    Thank YOU for the meal!! But yeah, thanx for spending time to
    discuss this topic here on your web page.

  19. So a 200 calorie deficit daily will result in a
    20 pound fat loss in a year. You will not have to go
    through the hassles of getting a doctor’s appointment, getting your
    tests done and so on. It aromatizes (changes) to estrogen, a molecule proven to increase fat storage
    and decreases muscle mass.

  20. Have you ever considered about adding a little bit more than just your articles?
    I mean, what you say is important and all.

    But think about if you added some great photos or videos to give
    your posts more, “pop”! Your content is excellent but with pics and videos,
    this site could certainly be one of the best in its field.
    Superb blog!
