Anti-Malware Research

Cryptolocker Ransomware Makes a Bitcoin Wallet per Victim

Bitdefender antimalware researcher Octavian Minea explains the detailed inner workings of the Cryptolocker ransomware:

The Cryptolocker ransomware is installed by a Zbot variant. When run, it immediately adds itself to Startup under a random name and tries to talk to a command and control server, sending a 192-byte encrypted packet of the form

"version=1&id=1&name={COMPUTER_NAME}&group={GROUP_NAME}&lid={LOCATION_ID}"

where {GROUP_NAME} seems to be related to the compilation time of the malware, and an example value for {LOCATION_ID} is “en-US”.

If successful, it receives from the server a (presumably freshly-generated) public key and a corresponding Bitcoin address. These are added to the registry in registry keys of the form

HKEY_CURRENT_USER\Software\Cryptolocker_NUMBER\

which contain the values PublicKey, VersionInfo and Wallpaper: PublicKey stores the public key, VersionInfo stores the Bitcoin address and the command and control server address in encrypted form, and Wallpaper stores the path to an actual wallpaper image containing the instructions for the victim:

[Image not reproduced: wallpaper with the instructions for the victim; extracted image label: Blcxwqjpofdltzj]

This done, Cryptolocker begins encrypting documents whose extensions are on a target list (the list was attached to the post as a download that is no longer available). For each file a fresh AES key is generated; the file is AES-encrypted with that key, the AES key is then encrypted with the public key received from the server, and the encrypted AES key is appended to the encrypted file. Because the matching private key never leaves the server, neither the per-file keys nor the files can be recovered from the victim's machine alone.
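The per-file hybrid scheme described above, as an added example in Go. This is not Cryptolocker's code and not from the Bitdefender post: the post says only “AES” and “public key”, so AES-256-GCM with a random nonce prefix and RSA-2048 with OAEP are this example's assumptions, as are the function names. It shows why the layout works for the attacker: the trailer is a fixed-size RSA block, so the decryptor always knows where the wrapped key starts, and without the matching private key the per-file key, and therefore the document, cannot be recovered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// On-disk layout produced by EncryptFile, following the post's description
// (per-file AES key, file encrypted with it, wrapped key appended):
//
//	nonce (12 bytes) || AES-256-GCM ciphertext+tag || RSA-OAEP(pub, fileKey) (pub.Size() bytes)
//
// AES-GCM, the nonce prefix and RSA-OAEP/SHA-256 are assumptions of this example.

const (
	nonceSize  = 12 // standard GCM nonce length
	gcmTagSize = 16
)

// NewVictimKey stands in for the key pair the C2 server generates per victim.
// Only the public half would ever reach the infected machine.
func NewVictimKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptFile encrypts one document under a fresh random AES-256 key and
// appends that key, wrapped with pub, to the ciphertext.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag

	// Wrap the per-file key for the attacker; the wrapped blob is always
	// pub.Size() bytes, which is what lets the decryptor find it later.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return append(body, wrapped...), nil
}

// DecryptFile reverses EncryptFile. It fails cleanly on a truncated file or
// on a private key that does not match the one the file was wrapped for,
// the situation the malware itself reports as "the file may be damaged".
func DecryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	keyLen := priv.PublicKey.Size()
	if len(blob) < nonceSize+gcmTagSize+keyLen {
		return nil, errors.New("file too short: wrapped-key trailer missing or damaged")
	}
	body, wrapped := blob[:len(blob)-keyLen], blob[len(blob)-keyLen:]
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap per-file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, body[:nonceSize], body[nonceSize:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := NewVictimKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample document: Q3 budget") // constructed input
	enc, err := EncryptFile(&priv.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d plaintext bytes into %d bytes (%d-byte wrapped key appended)\n",
		len(doc), len(enc), priv.PublicKey.Size())
	if _, err := DecryptFile(priv, enc[:len(enc)-1]); err != nil {
		fmt.Println("truncated file:", err) // the "damaged file" path
	}
	dec, err := DecryptFile(priv, enc)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", string(dec))
}
```

Running the program encrypts a constructed sample document, shows that a file missing even one trailing byte can no longer be unwrapped, and then decrypts the intact copy. A responder can reuse the parsing half of this logic to check whether a suspect file carries a fixed-size trailer, but the real malware's exact framing and cipher mode are not documented on this page, so treat the format here as illustrative only.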

The paths to the documents are stored in

HKEY_CURRENT_USER\Software\Cryptolocker\Files\

as DWORD values whose names are the file paths with every backslash replaced by a question mark, for example

C:?DIR?SUBDIR?SUBDIR?readme.doc
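The Files key gives an incident responder a complete inventory of what was encrypted, even after the malware has cleaned up. Below is an added Go example (not the post's code and not Bitdefender's) that reads a `reg export` of that key and turns the value names back into Windows paths by reversing the question-mark substitution. The sample export is constructed for this example; `reg export` writes UTF-16LE, so the text is assumed to have been converted to UTF-8 first (for example with `iconv -f UTF-16 -t UTF-8`), and the function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// SampleRegExport is a constructed stand-in for the output of
//
//	reg export HKCU\Software\Cryptolocker files.reg
//
// after conversion to UTF-8. The Cryptolocker_NUMBER key is included to show
// that only values under the Files key are harvested.
const SampleRegExport = `Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Cryptolocker_0001]
"PublicKey"=hex:30,82,01,22
"Wallpaper"="C:\\Users\\alice\\AppData\\Roaming\\wallpaper.bmp"

[HKEY_CURRENT_USER\Software\Cryptolocker\Files]
"C:?Users?alice?Documents?readme.doc"=dword:00000000
"C:?Users?alice?Documents?budget.xlsx"=dword:00000001
"D:?Shares?finance?q3.pptx"=dword:00000002
`

// DecodeRegPath reverses the substitution Cryptolocker applies when it records
// a file: every backslash in the path is stored as '?'. Windows file names
// cannot contain '?', so the reverse mapping is unambiguous.
func DecodeRegPath(name string) string {
	return strings.ReplaceAll(name, "?", `\`)
}

// unescapeRegName undoes the escaping .reg files apply to value names.
func unescapeRegName(s string) string {
	s = strings.ReplaceAll(s, `\"`, `"`)
	return strings.ReplaceAll(s, `\\`, `\`)
}

// ParseRegExport returns the decoded file paths recorded under any key that
// ends in \Software\Cryptolocker\Files, in the order they appear.
func ParseRegExport(text string) []string {
	var paths []string
	inFiles := false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			key := strings.ToLower(line[1 : len(line)-1])
			inFiles = strings.HasSuffix(key, `\software\cryptolocker\files`)
		case inFiles && strings.HasPrefix(line, `"`):
			end := strings.Index(line, `"=`)
			if end < 1 {
				continue
			}
			paths = append(paths, DecodeRegPath(unescapeRegName(line[1:end])))
		}
	}
	return paths
}

// CountByDirectory groups the paths by parent directory so the responder can
// see which folders and shares to restore from backup first.
func CountByDirectory(paths []string) map[string]int {
	counts := make(map[string]int)
	for _, p := range paths {
		dir := p
		if i := strings.LastIndex(p, `\`); i >= 0 {
			dir = p[:i]
		}
		counts[dir]++
	}
	return counts
}

func main() {
	paths := ParseRegExport(SampleRegExport)
	for _, p := range paths {
		fmt.Println(p)
	}
	counts := CountByDirectory(paths)
	dirs := make([]string, 0, len(counts))
	for d := range counts {
		dirs = append(dirs, d)
	}
	sort.Strings(dirs)
	for _, d := range dirs {
		fmt.Printf("%3d  %s\n", counts[d], d)
	}
}
```

Because the key lives under HKEY_CURRENT_USER, export it from the profile of the user who ran the malware (or load that user's NTUSER.DAT offline); the list is also the evidence to compare against the backup system's version history before deciding what can be restored.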

Meanwhile, a variety of messages and instructions are displayed to the victim.

Payment of the ransom can generally be made in Bitcoin, although some Cryptolocker variants also accept Ukash, CashU or, in the US only, MoneyPak prepaid cards, which can only be bought with cash. All of these payment methods are practically anonymous.

Once the victim pays the ransom, the transaction ID must be entered and, purportedly, verification follows. If the server sends a private key, it is added to the registry and the decryption process begins. If any encrypted file is inaccessible, it is moved to the end of the decryption queue after an error dialog is shown, telling the victim

<<Failed to decrypt a previously encrypted file {FILE_PATH} Perhaps the file may be damaged or used by another process>>

with <<Retry>> and <<Cancel>> buttons provided. The victims are instructed that

“If part of the files had not been decrypted – move them to the desktop and click Retry button”.

When decryption ends, the Cryptolocker files are deleted, but the registry entries are kept, so even on a cleaned machine the Files key still lists every path that was encrypted. Bitdefender software detects and blocks Cryptolocker from installing, so Bitdefender customers are protected.

For hardy souls who still don’t believe in total security, a Cryptolocker-blocking tool is available here.

About the author

Razvan STOICA

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking. Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since. In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.

48 Comments

  • If the malware starts to encrypt data ONLY AFTER that wallpaper is shown to the user, this can be considered a little “bug”: if the user shuts down the computer when they see that wallpaper and boots the PC from an AV rescue CD, theoretically they can remove the malware with a minimum of data loss.
    Encryption takes time; if they shut down the PC fast, this malware will not have enough time to encrypt lots of files.

  • I think CryptoLocker’s messages are only displayed *after encryption of all files is complete*, and the word ‘Meanwhile’ in the text above is misleading.

  • Hey, my company just narrowly avoided roughly 4000 computers being touched by this bug through our email server. We haven’t found an infection, but when we do, is there a real solution other than brute force? I’m a private paying customer right now and they are considerably worried about this; the IT guys are getting on my nerves.

  • Isn’t it possible to create a network fingerprint? Something like:
    anydomain.any
    GET /baubau.php?{0-9a-f}192
    to block it from getting its public key

  • Figured out how to decrypt files 🙂 Good luck everyone; make sure to back up everything or you will have one hell of a time figuring this shit out.

  • Hi,

    Thank you for creating the anti-Cryptolocker tool for people to use. I have noticed that there doesn’t seem to be any way to remove this tool, though, after testing it.

  • Hello Bitdefender, I would like to know how this tool works. I enable immunization and then reboot, OK, but I want to know something about the settings. Do I have to turn “Run when Windows starts” on? Or if I just enable immunization, is my PC protected? Maybe the option “Run when Windows starts” is for updates?

  • Also, you need to enable “Run at start-up” from Settings in order to protect and daily update the blocking of Cryptolocker. Immunization adds one more heuristic and behavior layer of protection and is optional.

  • After installation of this tool on an XP machine, a file labeled BDDropper.exe gets installed here: C:\Documents and Settings\user\Local Settings\Temp\BDDocUnifiedLauncher\x86\BDDropper.exe. IS THIS OKAY?

  • I have Bitdefender Internet Security installed. Is this enough to protect me from Cryptolocker? If it isn’t, how does one protect themselves?

  • OK, I enable immunization and reboot, that’s all? Or does the tool have to run at startup always? I just did the immunization and the tool says I am fine.

  • Something interesting:
    this malware identifies files by extension, not by file type fingerprints, so:
    if you change file.doc to file.word and associate the “.word” extension with MS Office Word, you can open/view/save that file, but the malware will not find/encrypt it :))

  • Hello Bitdefender, are Cryptolocker-blocking tool updates automatic, or do I have to do them manually every time? Because I have version 1.0.3.9 and now there is a new version, 1.0.4.1.

  • Hello Bitdefender. What does “use self-protect driver” mean? I have version 1.0.51. And why is the last update time not showing the time?

  • Hi,
    How about giving a few explanations of the function of each of the 4 switches in the “general settings”, so we can decide what we wish to put “on” or leave “off”?
    My version is 1.0.5.1.
    I also have Bitdefender Total Security installed on my computer.
    Thanks

  • Rick,

    I have seen reports from people paying off the hackers/hijackers/whatever you want to call them. They do decrypt the data at a rate of 4-8 hours per Gigabyte of data. Pretty darn slow if you ask me. They still wiped their systems after that to ensure it didn’t come back. You might as well pay to have a good backup strategy in place because you’ll pay a lot more in time and effort to decrypt it and ensuring it doesn’t come back.

    And for those that missed it. You don’t need this tool if you already have an updated and active version of BitDefender installed. That is according to this article.

  • LR-

    You are absolutely correct a decent off-site back-up will do the trick. You have to make sure that it allows for “Versioning” so that if your encrypted files get backed up…you can go back to an earlier version. I use a great service that allows to go back to the prior 30 versions. It has saved my bacon several times.

  • I have Bitdefender Internet Security!
    Am I protected? Or should I set up the RemovalTool Bitdefender AntiCryptoLocker?

  • Does Bitdefender Antivirus Plus block kriptolock? That is what PC Matic is calling it. Or is that the same name for Cryptolocker?

  • My wife’s PC is protected by Bitdefender but Cryptolocker has scrambled her entire document library. Fortunately, most is backed up to Dropbox and they have managed to restore previous versions. However, there are also a large number synced to SharePoint libraries and these seem to be completely trashed.
    BE AWARE THAT BITDEFENDER HAS NOT PROTECTED THESE FILES – If you use SharePoint, ensure versioning is turned on.

  • I’d like to do this install on a few machines I manage via silent install. I’ve written a VBScript that will do that successfully, but in the settings, The Run when Windows starts, Minimize to tray on startup, Minimize to tray on close button, are turned off. I would like to add whatever registry settings are necessary to the VBScript to turn them on by default so there is no user interaction necessary. Is this possible? My VB script follows:
    ' Skip machines that already have the tool (32-bit or 64-bit install path).
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists("C:\Program Files\BDAntiCryptoLocker\BDAntiCryptoLocker.exe") Then
        WScript.Quit
    ElseIf objFSO.FileExists("C:\Program Files (x86)\BDAntiCryptoLocker\BDAntiCryptoLocker.exe") Then
        WScript.Quit
    Else
        Set WSHShell = WScript.CreateObject("WScript.Shell")
        ' The installer path was lost from the original post; prepend it before " /q".
        strApp = " /q"
        WSHShell.Exec(strApp)
    End If

  • cryptobot runs at startup on my Win7 box. How did it get past Bitdefender? What can I do now to remove it?

  • I was infected by Crypto locker 3.0 last night. It encrypted most but not all of my documents. I rebooted to safe mode and ran the Bitdefender CD. No threats detected. This morning I updated and ran Malwarebytes again. This time some threats were detected and quarantined. No more threats detected. My PC has multiple drives for media and all have been scanned. Is there anything else I can do to be sure this virus is removed?

  • I too had Total Security on my computer. I had a secondary user profile on Windows. While a friend of mine was using the laptop he somehow picked up this malware. It chewed through 22 GB of data in a week and it encrypted a large percentage of my files. I have most of the drive backed up but this pisses me off. What can be done? I refuse to pay a ransom. My next message will be to the FBI.

  • Another type of bitcoin-related malware is ransomware. One program called CryptoLocker, typically spread through legitimate-looking email attachments, encrypts the hard drive of an infected computer, then displays a countdown timer and demands a ransom, usually two bitcoins, to decrypt it.