Cryptolocker Ransomware Makes a Bitcoin Wallet per Victim

Bitdefender antimalware researcher Octavian Minea explains the detailed inner workings of the Cryptolocker ransomware:

The Cryptolocker ransomware is installed by a Zbot variant. As soon as it runs, it adds itself to Startup under a random name and tries to contact a command and control server, sending a 192-byte encrypted packet of the form

"version=1&id=1&name={COMPUTER_NAME}&group={GROUP_NAME}&lid={LOCATION_ID}"

where {GROUP_NAME} appears to be derived from the compilation time of the malware and a typical {LOCATION_ID} is "en-US".

If successful, it receives from the server a (presumably freshly-generated) public key and a corresponding Bitcoin address. These are added to the registry in registry keys of the form

HKEY_CURRENT_USER\Software\Cryptolocker_NUMBER\

which contain three values: PublicKey stores the public key; VersionInfo stores the Bitcoin address and the command and control server address in encrypted form; Wallpaper stores the path to an actual wallpaper image carrying the instructions for the victim.

This done, Cryptolocker begins encrypting documents of the targeted file types (see the "File types encrypted by Cryptolocker" figure in the original post). For each file a fresh AES key is generated, the file is AES-encrypted, and the AES key is itself encrypted with the public key received from the server. The encrypted AES key is then appended to the encrypted file, so without the matching private key neither the file nor its key can be recovered.

The paths to the documents are stored in

HKEY_CURRENT_USER\Software\Cryptolocker\Files\

as DWORD values whose names are the file paths with every path separator replaced by a question mark, for example

C:?DIR?SUBDIR?SUBDIR?readme.doc
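The registry artifacts above are what an incident responder has to work from when scoping an infection: one Cryptolocker_NUMBER key per infection holding the public key, and the Files key listing every document the malware recorded as encrypted. The following Python script is an added example (not Bitdefender's code and not taken from the malware) that parses a text export of those keys, as produced by `reg export HKCU\Software\Cryptolocker` after decoding from UTF-16, and rebuilds the list of affected paths by turning the question marks back into backslashes. The sample export, its PublicKey/VersionInfo bytes and the file paths are all constructed placeholders, and the function names are this example's own.

```python
"""Triage helper for the Cryptolocker registry artifacts described in the article.

Added example, not Bitdefender's or the malware's code. It parses a .reg text
export of HKCU\\Software\\Cryptolocker* and rebuilds the list of files the
malware recorded as encrypted, so the damage can be scoped and the list fed to
a restore-from-backup job.
"""
import re

# Constructed sample in `reg export` text format. The key names and the
# '?'-for-'\' path encoding follow the article; every value is made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Cryptolocker_0388]
"PublicKey"=hex:06,02,00,00,00,a4,00,00,52,53,41,31
"VersionInfo"=hex:aa,bb,cc,dd
"Wallpaper"="C:\\Users\\victim\\AppData\\Local\\Temp\\wallpaper.bmp"

[HKEY_CURRENT_USER\Software\Cryptolocker\Files]
"C:?Users?victim?Documents?readme.doc"=dword:00000000
"C:?Users?victim?Documents?budget 2013.xlsx"=dword:00000000
"D:?Shares?Finance?invoice.pdf"=dword:00000000
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
INFECTION_KEY_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Cryptolocker_\d+$", re.IGNORECASE
)
FILES_KEY = "HKEY_CURRENT_USER\\Software\\Cryptolocker\\Files"


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} for a .reg text export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape quotes and backslashes inside value names
            name = m.group("name").replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = m.group("data")
    return keys


def find_infection_keys(keys):
    """Keys of the form HKCU\\Software\\Cryptolocker_NUMBER (one per infection)."""
    return sorted(k for k in keys if INFECTION_KEY_RE.match(k))


def decode_file_path(value_name):
    """Undo the malware's encoding: '?' cannot occur in a Windows path, so
    every '?' in a value name unambiguously stands for a backslash."""
    return value_name.replace("?", "\\")


def encrypted_files(keys):
    """Decoded paths of the DWORD values under the Files key."""
    for key, values in keys.items():
        if key.lower() == FILES_KEY.lower():
            return [decode_file_path(name) for name in values]
    return []


def triage(text):
    """Summarise an export: infection keys, whether a public key was stored
    (i.e. the C2 handshake succeeded) and the list of encrypted files."""
    keys = parse_reg_export(text)
    infections = find_infection_keys(keys)
    return {
        "infection_keys": infections,
        "has_public_key": any("PublicKey" in keys[k] for k in infections),
        "encrypted_files": encrypted_files(keys),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_REG_EXPORT)
    print("Infection keys:", report["infection_keys"])
    print("Public key received from C2:", report["has_public_key"])
    for path in report["encrypted_files"]:
        print("encrypted:", path)
```

The presence of PublicKey under a Cryptolocker_NUMBER key is the useful signal here: it means the C2 exchange completed and encryption can have started, whereas an infection key without it suggests the handshake was blocked. The decoded file list is exactly the set of documents to restore from versioned backups.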

Meanwhile, a variety of messages and instructions are displayed to the victim.

Payment of the ransom can generally be made in Bitcoin, although some Cryptolocker variants also accept Ukash, CashU or, only in the US of A, MoneyPak prepaid cards, which can only be bought with cash. All of these payment methods are practically anonymous.

Once the victim pays the ransom, the transaction ID must be entered and verification purportedly follows. If the server sends back a private key, it is added to the registry and decryption begins. Any encrypted file that cannot be accessed is moved to the end of the decryption queue after an error dialog is shown telling the victim

<<Failed to decrypt a previously encrypted file {FILE_PATH} Perhaps the file may be damaged or used by another process>>

with <<Retry>> and <<Cancel>> buttons provided. The victims are instructed that

“If part of the files had not been decrypted – move them to the desktop and click Retry button”.

When decryption ends, the Cryptolocker files are deleted, but the registry entries are kept. Bitdefender software detects and blocks Cryptolocker from installing, so Bitdefender customers are protected.

For hardy souls who still don’t believe in total security, a Cryptolocker-blocking tool is available here.

43 Responses to Cryptolocker Ransomware Makes a Bitcoin Wallet per Victim


  1. Marmota says:

    If the malware starts to encrypt data ONLY AFTER that wallpaper is shown to the user, this can be considered a little "bug": if the user shuts down the computer when he sees that wallpaper and boots the PC from an AV rescue CD, theoretically he can remove the malware with a minimum of data loss.
    Encryption takes time; if he shuts down the PC fast, this malware will not have enough time to encrypt lots of files.

  2. Dominic says:

    I think CryptoLocker’s messages are only displayed *after encryption of all files is complete*, and the word ‘Meanwhile’ in the text above is misleading.

  3. Robert coe says:

    Hey, my company just narrowly avoided roughly 4000 computers being touched by this bug through our email server. We haven't found an infection, but when we do, is there a real solution other than brute force? I'm a private paying customer right now and they are considerably worried about this; the IT guys are getting on my nerves.

  4. smr says:

    Bruteforce doesn’t work in this case. It pays to have backups of everything.

  5. Shadow says:

    Why not block that registry key via Policies. They will probably change it but it’s a start.

  6. Marmota says:

    Isn't it possible to create a network fingerprint? Something like:
    anydomain.any
    GET /baubau.php?{0-9a-f}192
    to block it from getting its public key.

  7. insane795 says:

    Figured out how to decrypt files :) Good luck everyone, make sure to back up everything or you will have one hell of a time figuring this shit out.

  8. Stephen says:

    Does BitDefender identify and block Cryptolocker? So far, I have seen nada re this.

  9. Richard says:

    Hi,

    Thank you for creating the anti-cryptolocker tool for people to use. I have noticed that there doesn’t seem to be any way to remove this tool though after testing it.

  10. Mathias says:

    Hello Bitdefender, I would like to know how this tool works. I enable immunization and then reboot, OK, but I want to know something about the settings: do I have to set "Run when Windows starts" on, or is my PC protected if I just enable immunization? Maybe the "run when Windows starts" option is for updates?

  11. omm says:

    Hi,
    The tool is standalone, so to remove it, simply disable the protection and close it.

  12. omm says:

    Also, you need to enable "Run at start-up" from Settings in order to stay protected and receive the daily updates to the Cryptolocker blocking. Immunization adds one more heuristic and behaviour layer of protection and is optional.

  13. gridflash says:

    Anybody know how the BDAntiCryptoLocker compares to CryptoPrevent from Bleeping Computer?

  14. Jake says:

    After installation of this tool on an XP machine, a file labeled BDDropper.exe gets installed here: C:\Documents and Settings\user\Local Settings\Temp\BDDocUnifiedLauncher\x86\BDDropper.exe. IS THIS OKAY?

  15. Jake says:

    Also, are there any silent install switches for this tool with specified INI settings?

  16. Daniel says:

    I have Bitdefender Internet Security installed. Is this enough to protect me from Cryptolocker? If it isn’t, how does one protect themselves?

  17. Luis says:

    OK, I enable immunization and reboot, and that's all? Or does the tool have to run at startup always? I just did the immunization and the tool says I am fine.

  18. Marmota says:

    Something interesting:
    this malware identifies files by extension, not by file type fingerprints, so:
    if you rename file.doc to file.word and associate the ".word" extension with MS Office Word, you can open/view/save that file, but the malware will not find/encrypt it :))

  19. RichardPS says:

    Do I still need the Cryptolocker-blocking tool if I am running Bitdefender Antivirus Plus?

  20. Francois says:

    Hello Bitdefender, are Cryptolocker-blocking tool updates automatic, or do I have to do them manually every time? I have version 1.0.3.9 and now there is a new version, 1.0.4.1.

  21. Irv Spalten says:

    Any way to stop it from asking for a UAC OK when it is auto-started on boot?

  22. Rick says:

    Does paying off the hijackers work??

  23. Gerald says:

    Hello Bitdefender. What does "use self-protect driver" mean? I have version 1.0.51. And why does the last update time not show the time?

  24. Jeff says:

    Hi,
    How about giving a few explanations of the function of each of the 4 switches in the "General settings", so we can decide which we wish to put "on" or leave "off"?
    My version is 1.0.5.1.
    I also have Bitdefender Total Security installed on my computer.
    Thanks

  25. lr says:

    Rick,

    I have seen reports from people paying off the hackers/hijackers/whatever you want to call them. They do decrypt the data, at a rate of 4-8 hours per gigabyte. Pretty darn slow if you ask me. They still wiped their systems after that to ensure it didn't come back. You might as well pay to have a good backup strategy in place, because you'll pay a lot more in time and effort decrypting it and ensuring it doesn't come back.

    And for those that missed it. You don’t need this tool if you already have an updated and active version of BitDefender installed. That is according to this article.

  26. metropcworks says:

    LR-

    You are absolutely correct: a decent off-site backup will do the trick. You have to make sure that it allows for "versioning", so that if your encrypted files get backed up you can go back to an earlier version. I use a great service that allows going back to the prior 30 versions. It has saved my bacon several times.

  27. Pissed says:

    This ransomware just got past Bitdefender for one of my clients last night, thanks!

  28. Mahdi says:

    I have Bitdefender Internet Security!
    Am I protected, or should I set up the Bitdefender AntiCryptoLocker removal tool?

  29. Bruce Niessner says:

    Does Bitdefender Antivirus Plus block kriptolock? That is what PC Matic is calling it. Or is that the same name for Cryptolocker?

  30. David Vachell says:

    My wife's PC is protected by Bitdefender, but Cryptolocker has scrambled her entire document library. Fortunately, most of it is backed up to Dropbox and they have managed to restore previous versions. However, a large number of files are also synced to SharePoint libraries and these seem to be completely trashed.
    BE AWARE THAT BITDEFENDER HAS NOT PROTECTED THESE FILES. If you use SharePoint, ensure versioning is turned on.

  31. Mark says:

    I'd like to do this install on a few machines I manage via silent install. I've written a VBScript that does that successfully, but in the settings, "Run when Windows starts", "Minimize to tray on startup" and "Minimize to tray on close button" are turned off. I would like to add whatever registry settings are necessary to the VBScript to turn them on by default, so that no user interaction is necessary. Is this possible? My VBScript follows:
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    ' Already installed under either Program Files path? Then nothing to do.
    If objFSO.FileExists("C:\Program Files\BDAntiCryptoLocker\BDAntiCryptoLocker.exe") Then
        WScript.Quit
    ElseIf objFSO.FileExists("C:\Program Files (x86)\BDAntiCryptoLocker\BDAntiCryptoLocker.exe") Then
        WScript.Quit
    Else
        ' Otherwise launch the installer in quiet mode
        ' (the installer path in front of " /q" was lost from the posted script)
        Set WSHShell = WScript.CreateObject("WScript.Shell")
        strApp = " /q"
        WSHShell.Exec(strApp)
    End If
