Security Response

Cryptolocker: A Thriving Menace

Created: 22 Oct 2013 10:36:43 GMT • Updated: 23 Jan 2014 18:03:39 GMT • Translations available: Japanese
Kevin Savage

While Ransomlock Trojans have plagued the threat landscape over the last few years, we are now seeing cybercriminals increasingly use Ransomcrypt Trojans. The difference between the two is that Ransomlock Trojans generally lock the computer screen, while Ransomcrypt Trojans encrypt (and thereby lock) individual files. Both are motivated by the money cybercriminals extort from victims.

Recently, a new threat detected by Symantec as Trojan.Cryptolocker has been growing in the wild. Trojan.Cryptolocker encrypts data files, such as images and Microsoft Office documents, and then demands payment through Bitcoin or MoneyPak to decrypt them—all within a countdown time period. This Ransomcrypt Trojan uses strong encryption algorithms which make it almost impossible to decrypt the files without the cryptographic key.


Figure 1. Trojan.Cryptolocker payment screen

Most of the Trojan.Cryptolocker infections observed by Symantec have been in North America.


Figure 2. Trojan.Cryptolocker infection map

The initial attack vector involves an email containing a malicious Trojan.Zbot attachment that downloads and then installs Trojan.Cryptolocker on the compromised computer. The Ransomcrypt Trojan employs a domain generation algorithm (DGA) to find an active command-and-control (C&C) server.


Figure 3. DNS requests

Symantec customers are protected by the intrusion prevention signature (IPS) System Infected: Trojan.Cryptolocker, which blocks the Trojan’s access to the generated domains.

Malware authors use DGAs to free their malware from reliance on a handful of static servers. Instead, malware like Trojan.Cryptolocker generates domain names dynamically from some criteria (usually including the current date), so the attacker only needs to register a few of the day's candidates. This makes it more difficult to block traffic based solely on domain name filtering.

An interesting feature of this Trojan’s DGA is its use of a Mersenne twister to generate the random numbers that drive domain name generation. Trojan.Cryptolocker uses the GetTickCount and QueryPerformanceCounter Windows functions to generate seed values for the Mersenne twister initialization routine.


Figure 4. Trojan.Cryptolocker Mersenne twister initialization

Modular arithmetic is applied to the Mersenne twister output to keep it in the 0–999 range. This value is then mixed with the current date to produce up to 1,000 generated domain names per day.
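The following is an added, schematic example of how a date-keyed DGA of this shape works, covering the DGA description above and the point about domain filtering. It is not Cryptolocker’s actual algorithm and not Symantec code: the hash, label length and TLD list are assumptions chosen for illustration. What it does reproduce is the structure the post describes: a Mersenne twister (Python’s random.Random is MT19937) seeded from a tick counter, its output reduced modulo 1000, and that index mixed with the date to pick one of the day’s 1,000 candidate domains. It also shows the defender’s side: because the candidate set depends only on the date and the index, anyone who knows the scheme can enumerate the whole day’s set in advance.

```python
import datetime
import hashlib
import random
import time

# Illustrative schematic of a date-keyed DGA; constants below are assumptions.
DOMAINS_PER_DAY = 1000
TLDS = ("com", "net", "org")
SAMPLE_DAY = datetime.date(2013, 10, 22)  # constructed sample date


def domain_for(day, index):
    """Deterministic domain for (day, index).

    Depends only on the date and a 0..999 index, so the operator, the bot and a
    defender who knows the scheme all reproduce the same name."""
    if not 0 <= index < DOMAINS_PER_DAY:
        raise ValueError("index out of range")
    digest = hashlib.sha256(f"{day.isoformat()}:{index}".encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:14])
    return f"{label}.{TLDS[digest[14] % len(TLDS)]}"


def enumerate_day(day):
    """Defender side: the full candidate set for one date, for blocklisting
    or sinkholing ahead of time."""
    return [domain_for(day, i) for i in range(DOMAINS_PER_DAY)]


def tick_seed():
    """Stand-in for GetTickCount/QueryPerformanceCounter: a millisecond
    monotonic counter truncated to 32 bits."""
    return int(time.monotonic() * 1000) & 0xFFFFFFFF


def bot_candidates(day, seed, count):
    """Bot side: seed MT19937 from the tick counter and walk the day's set in a
    per-run random order. The seed changes which domains are tried first, not
    which domains exist for the day."""
    rng = random.Random(seed)           # Python's Random is a Mersenne twister
    seen = set()
    out = []
    while len(out) < count and len(seen) < DOMAINS_PER_DAY:
        index = rng.getrandbits(32) % DOMAINS_PER_DAY  # modular reduction to 0..999
        if index in seen:
            continue
        seen.add(index)
        out.append(domain_for(day, index))
    return out


def resolves_to_c2(domain, registered):
    """Stand-in for a DNS lookup: the operator registered a few of the day's names."""
    return domain in registered


def find_c2(day, seed, registered, max_tries=DOMAINS_PER_DAY):
    """Try candidates until one resolves; None if the operator registered nothing."""
    for candidate in bot_candidates(day, seed, max_tries):
        if resolves_to_c2(candidate, registered):
            return candidate
    return None


if __name__ == "__main__":
    today = enumerate_day(SAMPLE_DAY)
    operator_registered = set(today[:3])      # constructed: attacker picks three
    print("first bot tries:", bot_candidates(SAMPLE_DAY, tick_seed(), 5))
    print("reached C&C at:", find_c2(SAMPLE_DAY, tick_seed(), operator_registered))
```

The tick-counter seed only randomizes the order in which a bot walks the day’s list; the list itself is fixed by the date. That asymmetry is what makes a DGA hard to block by reactive domain filtering (the names change daily) yet feasible to block with a signature that knows the generation scheme, as the IPS signature above does: a defender can run enumerate_day for upcoming dates and sinkhole or blocklist all 1,000 names before the malware ever uses them.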

Mersenne twisters are unusual to see in malware samples but we have seen them used before, specifically in Trojan.Zbot.


Figure 5. Trojan.Zbot Mersenne twister initialization

When we compare Trojan.Zbot and Trojan.Cryptolocker we see code similarities that lead us to believe there may be a connection between the two Trojans. The Zbot source code is freely available on the Internet for modification.

Users should never pay any ransom to have their files decrypted. The latest Symantec technologies and Norton consumer and Symantec enterprise solutions protect against these kinds of attacks. Keep regular backups of files and restore from them if necessary.


Note:
Virus definitions dated November 13, 2013 or earlier detect this threat as Trojan.Ransomcrypt.F.
Intrusion prevention signature (IPS) alerts dated November 14, 2013 or earlier were listed as System Infected: Trojan.Ransomcrypt.F.