While Ransomlock Trojans have plagued the threat landscape over the last few years, we are now seeing cybercriminals increasingly use Ransomcrypt Trojans. The difference between the two is that Ransomlock Trojans generally lock the computer screen, while Ransomcrypt Trojans encrypt (and thereby lock) individual files. Both threats are motivated by the money cybercriminals extort from victims.
Recently, a new threat detected by Symantec as Trojan.Cryptolocker has been growing in the wild. Trojan.Cryptolocker encrypts data files, such as images and Microsoft Office documents, and then demands payment through Bitcoin or MoneyPak to decrypt them—all within a countdown time period. This Ransomcrypt Trojan uses strong encryption algorithms, which makes it almost impossible to decrypt the files without the cryptographic key.
Figure 1. Trojan.Cryptolocker payment screen
Most of the Trojan.Cryptolocker infections observed by Symantec have been in North America.
Figure 2. Trojan.Cryptolocker infection map
The initial attack vector involves an email containing a malicious Trojan.Zbot attachment that downloads and then installs Trojan.Cryptolocker on the compromised computer. The Ransomcrypt Trojan employs a domain generation algorithm (DGA) to find an active command-and-control (C&C) server.
Figure 3. DNS requests
Symantec customers are protected by the intrusion prevention signature (IPS) System Infected: Trojan.Cryptolocker, which blocks the Trojan’s access to the generated domains.
Malware authors use DGAs to free their malware from reliance on just a handful of static servers. Instead, malware like Trojan.Cryptolocker dynamically generates domain names based on some criteria (usually including the current date). This makes it more difficult to block traffic based solely on domain name filtering.
An interesting feature of this Trojan’s DGA is the employment of a Mersenne twister to generate random numbers for the generated domain names. Trojan.Cryptolocker uses the GetTickCount and QueryPerformanceCounter Windows functions to generate seed values for the Mersenne initialization routine.
Figure 4. Trojan.Cryptolocker Mersenne twister initialization
Modular arithmetic is used on the Mersenne twister output value to keep it in a 0–1000 range. This value is then mixed with the current date to produce up to 1,000 generated domain names per day.
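The structure just described has a defensive consequence worth making explicit: the unpredictable tick-count seed only selects an index in the 0–999 range, and the domain itself is a function of that index and the date, so every domain an infected host could query on a given day can be enumerated in advance and matched against resolver logs. The following Python is an added illustration, not Trojan.Cryptolocker's code or Symantec's: the hash-based `domain_for` mixing step, the TLD list, the seed value and the log lines are all constructed assumptions standing in for details the post does not disclose.

```python
import hashlib
import random
from datetime import date

# Constructed TLD list; not the threat's real list.
TLDS = ("com", "net", "org")

def domain_for(day, index):
    """Hypothetical mixing step: a domain that is a deterministic function of
    (date, index). Stands in for the threat's own derivation, which the post
    does not disclose; only the structure (date + index in 0..999) is modelled."""
    digest = hashlib.sha256(f"{day.isoformat()}:{index}".encode()).hexdigest()
    label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
    return f"{label}.{TLDS[index % len(TLDS)]}"

def infected_host_picks(day, seed, attempts=5):
    """Models the infected host. Python's random is a Mersenne twister (MT19937);
    `seed` stands in for the GetTickCount/QueryPerformanceCounter value. Each
    output is reduced mod 1000 to choose an index, then mixed with the date."""
    mt = random.Random(seed)
    return [domain_for(day, mt.getrandbits(32) % 1000) for _ in range(attempts)]

def daily_candidates(day):
    """Defender side: the seed is unpredictable, but it only selects an index in
    0..999, so every domain the malware could query on `day` is enumerable."""
    return {domain_for(day, i) for i in range(1000)}

def flag_dns_log(lines, day):
    """Return (client, qname) for each query whose name is in the day's candidate
    set. Log format (constructed): '<client> <qtype> <qname>'."""
    candidates = daily_candidates(day)
    hits = []
    for line in lines:
        client, _qtype, qname = line.split()
        if qname.lower().rstrip(".") in candidates:
            hits.append((client, qname))
    return hits

# Constructed sample resolver log for one day: two benign queries and two
# queries to that day's DGA candidates (indexes 417 and 17).
SAMPLE_DAY = date(2013, 11, 14)
SAMPLE_LOG = [
    "192.0.2.10 A www.example.com",
    f"192.0.2.10 A {domain_for(SAMPLE_DAY, 417)}",
    "192.0.2.25 A update.example.net",
    f"192.0.2.25 A {domain_for(SAMPLE_DAY, 17)}",
]

if __name__ == "__main__":
    for client, qname in flag_dns_log(SAMPLE_LOG, SAMPLE_DAY):
        print(f"{client} queried DGA candidate {qname}")
```

Because the candidate set changes with the date, the blocklist has to be regenerated daily, which is why a signature that blocks the generated domains (as the IPS signature above does) is the practical form of this check.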
Mersenne twisters are unusual to see in malware samples but we have seen them used before, specifically in Trojan.Zbot.
Figure 5. Trojan.Zbot Mersenne twister initialization
When we compare Trojan.Zbot and Trojan.Cryptolocker we see code similarities that lead us to believe there may be a connection between the two Trojans. The Zbot source code is freely available on the Internet for modification.
Users should never pay any ransom to have their files decrypted. The latest Symantec technologies and Norton consumer and Symantec enterprise solutions protect against these kinds of attacks. Back up files and restore them from backup if necessary.
Virus definitions dated November 13, 2013 or earlier detect this threat as Trojan.Ransomcrypt.F.
Intrusion prevention signature (IPS) alerts dated November 14, 2013 or earlier were listed as System Infected: Trojan.Ransomcrypt.F.