Post by Deleted on Aug 6, 2014 13:21:26 GMT -5
I'm sure many of you are familiar with this ransomware a.k.a. CryptoLocker. The virus does the following to encrypt the files on a user's system:
1. CryptoLocker arrives on a victim's machine through a variety of techniques such as spear-phishing emails or watering hole attacks.
2. CryptoLocker then connects to a randomly generated domain (via DGAs) to download a specific RSA public key.
3. At that point, an AES-256 key is created for each file on the system.
4. CryptoLocker then encrypts all of the supported files using the generated key from step 3.
5. The generated key is then encrypted with the downloaded RSA public key from step 2.
6. And finally, the AES key is written to the beginning of the encrypted files, thus requiring the private key to decrypt.
We know it uses the following script to run encryption at the client level:
Encryption_Code:
C = C + 1
A = Decrypted
Loop:
B = *A
C = 3214 * A
B = B XOR CryptoKey
*A = B
C = 1
C = A + B
A = A + 1
GOTO Loop IF NOT A = Encryption_Code
C = C^2
GOTO Decrypted
CryptoKey:
some_random_number
Two cooperative entities involved with client endpoint security (FireEye and Fox-IT) have devised a way to perform decryption.
You can read the details about CryptoLocker in the following article:
www.fireeye.com/blog/corporate/2014/08/your-locker-of-information-for-cryptolocker-decryption.html
You can access the recommended URL (if you have an infected system with CryptoLocker and have encrypted files):
www.decryptcryptolocker.com/
CryptoLocker has infected thousands of systems and it took 8 months for someone to crack the algorithm.
Good luck!
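As an added illustration (not part of the post above, and not CryptoLocker's real code), the posted XOR loop written out in Python. It treats CryptoKey as a single 32-bit word (an assumption; the post only says "some_random_number") and shows why such a scheme is weak: XOR with a fixed word is its own inverse, so one known 32-bit plaintext word at any offset gives back the key. That is exactly what the per-file AES key wrapped with an RSA public key, described in steps 3 to 6, is there to prevent.

```python
import struct

# The post's "C = ..." lines are dead stores (C is never read), so they are
# kept only as comments to match the pseudocode line by line.

def xor_loop(data: bytes, crypto_key: int) -> bytes:
    """Walk the buffer one 32-bit word at a time, XOR each word with
    CryptoKey and write it back in place (the 'Loop:' block of the post).
    Assumes a 32-bit CryptoKey and a buffer of whole words."""
    if len(data) % 4:
        raise ValueError("buffer must be a whole number of 32-bit words")
    out = bytearray(data)
    for off in range(0, len(out), 4):               # A = Decrypted ... A = A + 1
        word, = struct.unpack_from("<I", out, off)  # B = *A
        # C = 3214 * A   (dead store)
        word ^= crypto_key                          # B = B XOR CryptoKey
        struct.pack_into("<I", out, off, word)      # *A = B
        # C = 1 ; C = A + B   (dead stores)
    return bytes(out)                               # GOTO Loop IF NOT A = Encryption_Code


def recover_key(ciphertext: bytes, known_plain_word: bytes, offset: int = 0) -> int:
    """Because c = p XOR k, one known plaintext word gives k = c XOR p.
    A file-format magic such as a 4-byte header is enough."""
    c, = struct.unpack_from("<I", ciphertext, offset)
    p, = struct.unpack("<I", known_plain_word)
    return c ^ p


def demo() -> tuple:
    # Constructed sample: a 16-byte buffer starting with a ZIP-style magic
    # and a constructed 32-bit key value (neither comes from the post).
    plain = b"PK\x03\x04" + b"sample-data!"
    key = 0x5EEDC0DE
    cipher = xor_loop(plain, key)
    # Running the same loop again undoes it: XOR is an involution.
    round_trip = xor_loop(cipher, key)
    # Knowing only the 4-byte magic at offset 0 recovers CryptoKey.
    guessed = recover_key(cipher, b"PK\x03\x04")
    return cipher != plain, round_trip == plain, guessed == key


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```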