What is Cryptolocker and How to Avoid It - Semalt Guideline

CryptoLocker is ransomware. The business model of ransomware is to extort money from internet users. CryptoLocker is amplifying a trend developed by the infamous "Police Virus" software that asks Internet users to pay money to unlock their devices. CryptoLocker hijacks important documents and files and notifies users to pay the ransom within the specified time.

Jason Adler, Semalt Digital Services user success manager, elaborates on the security of CryptoLocker and provides some striking ideas on how to avoid it.

Malware Installation

CryptoLocker uses social engineering to trick Internet users into downloading and running it. The user receives an email carrying a password-protected ZIP file; the message purports to come from an organization in the logistics business.

The Trojan runs when the user opens the ZIP file with the supplied password. Spotting CryptoLocker is hard because it takes advantage of the default Windows setting that hides file name extensions, so the executable inside the archive does not look like one. When the victim runs the malware, the Trojan performs several actions:

a) The Trojan is stored in a folder located in the user's profile, for example, LocalAppData.

b) The Trojan adds a key to the registry. This entry ensures that it is started each time the computer boots.

c) It runs as two processes. The first is the main process; the second exists only to prevent the main process from being terminated.

File Encryption

The Trojan generates a random symmetric key for each file it encrypts. The contents of the file are encrypted with the AES algorithm under that symmetric key. The random key is then encrypted with an asymmetric algorithm (RSA). The RSA keys are more than 1024 bits long; 2048-bit keys have been observed in some cases. Only the holder of the private RSA key can recover the random key used to encrypt each file, so affected files cannot be recovered by forensic means.

When launched, the Trojan obtains a public key (PK) from the C&C server. To locate an active C&C server, the Trojan uses a domain generation algorithm (DGA) to produce random domain names. The DGA is also referred to as "Mersenne Twister". The algorithm is seeded with the current date and can produce more than 1,000 domains per day, of varying lengths.

The Trojan downloads the PK and saves it under HKCU\Software\CryptoLocker\Public Key. It then starts encrypting files on the hard disk and on network shares that the user opens. CryptoLocker does not touch every file: it targets only non-executable files whose extensions appear in a list embedded in the malware code, including *.odt, *.xls, *.pptm, *.rtf, *.pem and *.jpg. CryptoLocker also records each file it has encrypted under HKEY_CURRENT_USER\Software\CryptoLocker\Files.

After the encryption process, the Trojan displays a message demanding a ransom payment within a specified time frame. Payment must be made before the private key is destroyed.

Avoiding CryptoLocker

a) Email users should be suspicious of messages from unknown people or organizations.

b) Windows users should turn off the option that hides file extensions, so that disguised executables and other malware are easier to spot.

c) Important files should be kept in a backup system.

d) If the files become infected, the user should not pay a ransom. Malicious software developers should never be rewarded.
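The infection vector described under Malware Installation and point (b) above both hinge on Windows hiding the last extension, so that "Invoice.pdf.exe" inside a ZIP attachment is shown as "Invoice.pdf". The following is an added example (not code from the original article) of a mail-gateway style check that reads the member names of a ZIP attachment and flags executables disguised as documents; the sample archive and its file names are constructed for the demonstration, and the check needs no password because ZIP entry names sit unencrypted in the central directory.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# Extensions Windows runs directly; with "Hide extensions for known file types"
# on, "invoice.pdf.exe" is displayed as "invoice.pdf".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".odt", ".rtf", ".jpg", ".txt"}


def displayed_name(member: str) -> str:
    """Name as Explorer shows it with known extensions hidden: last suffix dropped."""
    p = PureWindowsPath(member)
    return p.name[: -len(p.suffix)] if p.suffix else p.name


def suspicious_members(zip_bytes: bytes) -> list[dict]:
    """Flag archive entries that are executables, noting when the name that
    Windows would display looks like a document. Entry names come from the
    ZIP central directory, which is readable even for password-protected entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            real_ext = PureWindowsPath(info.filename).suffix.lower()
            if real_ext not in EXECUTABLE_EXTS:
                continue
            shown = displayed_name(info.filename)
            inner_ext = PureWindowsPath(shown).suffix.lower()
            reason = "executable in attachment"
            if inner_ext in DOCUMENT_EXTS:
                reason = f"executable disguised as {inner_ext} (shown as '{shown}')"
            findings.append({"name": info.filename, "shown_as": shown,
                             "encrypted": bool(info.flag_bits & 0x1),  # bit 0 = entry encrypted
                             "reason": reason})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment for the demo; contents are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2013.pdf.exe", b"MZ placeholder, not a real executable")
        zf.writestr("shipping_label.jpg", b"\xff\xd8\xff placeholder")
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_members(build_sample_zip()):
        print(finding)
```

The check is deliberately name-based so it works before any password is known; pair it with content inspection once the archive can be opened.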

Note: Before you are attacked by CryptoLocker, you should protect yourself by installing antivirus software such as Protegent360's antivirus.
