Cryptolocker Ransomware holds files hostage for cash

January 22, 2014

The Dell SonicWall Threats Research team has received reports of a new Ransomware Trojan. Rather than locking the screen and denying access to the system as with traditional Ransomware the Trojan leaves system access intact but encrypts various documents and executables found on the system. It claims that the encryption keys for decrypting the files and restoring them to their original state are stored on a remote server and is only recoverable after making a payment of 300 USD. If payment is not made within 72 hours the remotely stored decryption keys are eradicated and the files are permanently lost.

Infection cycle:

The Trojan adds the following files to the filesystem:

  • %APPDATA%{DFF788D4-F884-FDC4-89CC-CAE3FCFBC5DA}.exe (copy of original) [Detected as GAV: Filecoder.BQ (Trojan)]

The Trojan adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun CryptoLocker ""%APPDATA%{DFF788D4-F884-FDC4-89CC-CAE3FCFBC5DA}.exe""

It creates a registry entry for each file that it encrypts with a reference ID. Below is a sample of such entries:

  • HKEY_CURRENT_USERSoftwareCryptoLockerFiles C:?Documents and Settings?sshdsvc?Templates?excel.xls dword:00116886
  • HKEY_CURRENT_USERSoftwareCryptoLockerFiles C:?Documents and Settings?sshdsvc?Templates?excel4.xls dword:001168a4
  • HKEY_CURRENT_USERSoftwareCryptoLockerFiles C:?Documents and Settings?sshdsvc?Templates?powerpnt.ppt dword:001168c2
  • HKEY_CURRENT_USERSoftwareCryptoLockerFiles C:?Documents and Settings?sshdsvc?Templates?quattro.wb2 dword:001168cc
  • HKEY_CURRENT_USERSoftwareCryptoLockerFiles C:?Documents and Settings?sshdsvc?Templates?winword.doc dword:00116912

The following is a sample of DNS queries that the Trojan makes using its Domain Generation Algorithm. Such a system increases the life expectancy of an infection by allowing the Trojan to connect to new C&C servers in the future after previous servers have been taken offline by authorities:

Upon successful connection to a C&C server the Trojan sends and receives the following data:

Below is the decrypted form of the outgoing data:

It receives the public IP of the victim machine and a public key used for encryption in response:

After a short period of time the Trojan brings up the following dialog informing the user that certain files on the system have been encrypted. The files are not recoverable unless the equivalent of 300 USD is paid using various payment methods such as Bitcoin and UKash:

It provides a page that shows the user a list of files that have been encrypted:

The sample Excel files we had on our test system were encrypted by the Trojan thus rendering it scrambled and unusable:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Filecoder.BQ (Trojan)
  • GAV: Filecoder.BQ_6 - 8 (Trojan)
  • GAV: Filecoder.BQ_12 (Trojan)
  • GAV: Filecoder.BQ_17 (Trojan)
  • GAV: Filecoder.BH_7 - 8 (Trojan)
  • GAV: Filecoder.BH_11 (Trojan)
  • GAV: Filecoder.W (Trojan)
  • GAV: Filecoder.NAC (Trojan)
  • GAV: Filecoder.NAC_4 (Trojan)
  • GAV: FileCoder.A_2 - 5 (Trojan)
  • GAV: FileCoder.A_11 - 12 (Trojan)
  • GAV: FileCoder.A_16 (Trojan)
  • GAV: FileCoder.A_24 (Trojan)
  • IPS: Cryptolocker Infection key fetch attempt 1
  • IPS: Cryptolocker Infection key fetch attempt 2