Ransomware Raises the Stakes With CryptoLocker
Frequently Asked Questions

CryptoLocker is the latest ransomware version that surfaced in 2013. It blocks access to the infected system and encrypts certain files.



In this particular instance, we discovered that a CryptoLocker variant was used as the final payload in a malicious spam campaign that involves the downloader TROJ_UPATRE and a ZeuS/ZBOT variant. Affected users not only end up with important files encrypted, but their online banking credentials are stolen as well.



Since its discovery, the number of victims infected with CryptoLocker has increased. Based on Trend Micro Smart Protection Network feedback we gathered for a 30-day period, almost two-thirds (64%) of infections were seen in the US. The UK and Canada also had their share of victims, with 11% and 6% of all global infections, respectively.



How does CryptoLocker arrive on users' systems?



The threat starts as a spammed message with a malicious attachment (detected as TROJ_UPATRE.VNA). Should users execute the attachment, TROJ_UPATRE.VNA then downloads and executes cjkienn.exe. This file is a ZBOT variant detected as TSPY_ZBOT.VNA.



Along with its malicious routines that include stealing online banking credentials, TSPY_ZBOT.VNA also downloads a CryptoLocker variant onto the infected system. This variant, which serves as the final payload, is detected as TROJ_CRILOCK.NS.



What happens once CryptoLocker is executed?



Once executed, CryptoLocker connects to randomly generated domains to download the public key to be used in encryption. The extensions of the domains include:



  • biz/home
  • co.uk/home
  • com/home
  • info/home
  • net/home
  • org/home
  • ru/home
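
The pattern above (a randomly generated host under one of the listed suffixes, always requested at /home) can be hunted for in web proxy logs. The following is an added example, not Trend Micro's code; the log line format, the length and entropy thresholds, the host-count threshold and every host and address in the sample are assumptions constructed for illustration.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Domain suffixes listed on this page; the request path is always /home.
SUFFIXES = ("co.uk", "biz", "com", "info", "net", "org", "ru")
MIN_LABEL_LEN = 12   # assumption: generated labels tend to be long
MIN_ENTROPY = 3.4    # assumption: bits per character; dictionary words score lower
MIN_HOSTS = 3        # assumption: distinct suspect hosts before a client is reported

def entropy(s):
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def generated_label(host):
    """Return the label left of a listed suffix if it looks machine-generated."""
    host = host.lower().rstrip(".")
    for suffix in SUFFIXES:
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1].rsplit(".", 1)[-1]
            ok = label.isalnum() and len(label) >= MIN_LABEL_LEN and entropy(label) >= MIN_ENTROPY
            return label if ok else None
    return None

def is_suspect(url):
    parts = urlsplit(url)
    return parts.path.rstrip("/") == "/home" and generated_label(parts.hostname or "") is not None

def suspect_clients(log_lines):
    """Report clients that requested /home on MIN_HOSTS or more suspect hosts.
    Expects 'timestamp client method url status' lines (hypothetical proxy format)."""
    seen = {}
    for line in log_lines:
        f = line.split()
        if len(f) >= 4 and is_suspect(f[3]):
            seen.setdefault(f[1], set()).add(urlsplit(f[3]).hostname)
    return {c: sorted(h) for c, h in seen.items() if len(h) >= MIN_HOSTS}

# Constructed sample log; hosts and addresses are made up for illustration.
SAMPLE_LOG = [
    "2013-11-01T09:00:01 10.0.0.21 GET http://xkqvtrnmhdplwz.biz/home 502",
    "2013-11-01T09:00:03 10.0.0.21 GET http://jbhwqzcfyvotme.co.uk/home 502",
    "2013-11-01T09:00:05 10.0.0.21 GET http://pdrnkwxguslvbq.ru/home 200",
    "2013-11-01T09:01:10 10.0.0.34 GET http://www.example.co.uk/home 200",
    "2013-11-01T09:02:44 10.0.0.34 GET http://intranetportal.com/home 200",
    "2013-11-01T09:03:12 10.0.0.55 GET http://mzqhtkwbrfxlcd.org/home 404",
]

if __name__ == "__main__":
    print(suspect_clients(SAMPLE_LOG))
```

Requiring several distinct hosts per client keeps a single long, legitimate host name from raising an alert on its own.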


CryptoLocker then searches for files with certain file extensions to encrypt. The file extensions include important productivity documents and files such as .doc, .docx, .xls, and .pdf, among others. This encryption is discussed in the next question.



CryptoLocker replaces the system's wallpaper with a notice that informs users that their important files are encrypted.



To decrypt these files and regain access to them, users are persuaded to purchase the private key for either US$300 or 300 Euro.



How does the encryption work?



CryptoLocker is notable for how it encrypts the user's files: it uses AES-256 and RSA encryption to ensure that the affected user has no choice but to purchase the private key. Based on our analysis, the encryption process looks like the following:



Data encrypted with the RSA public key can only be decrypted with the corresponding private key. Since the AES key is hidden using RSA encryption and the RSA private key is not available, decrypting the ransomed files is not feasible as of this writing.



How does this threat affect users?



Users affected by this threat will find their documents inaccessible due to CryptoLocker's encryption. This may result in data loss and may severely hamper the user's business productivity if their system contains work-critical documents.



The fact that the CryptoLocker variant here is a payload delivered by a ZBOT variant means that the routines of that malware will also affect the user. This ZBOT variant may lead to financial loss, as the stolen online banking credentials may be used to initiate unauthorized transactions.



Are Trend Micro users protected from this threat?



Trend Micro Smart Protection Network detects and deletes the known related malware if found in the system. Web reputation service detects the known malicious domains in this attack and blocks access to them. If CryptoLocker fails to access these sites, it cannot download the public key, which is needed to encrypt files. Email reputation service blocks the known related spammed messages. In particular, the True File Type Filtering feature of ERS can alert users if the attachment is malicious.



In addition, Trend Micro products' behavior-based detection monitors the system for CryptoLocker infection. For more information on how to properly configure this feature, please coordinate with your Trend Micro contact person or customer service.



What can users do to prevent these threats from affecting their computers?



Scrutinize email messages carefully. Be wary of every email you receive, especially those from unverified sources. Users can do this by doing their research or communicating directly with the purported sender to confirm whether they sent the messages.



Refrain from clicking links embedded in email. It is best to avoid clicking links in email. However, if you need to, make sure that your browser uses web reputation to check the link. As an added precaution, you can use free services like Trend Micro Site Safety Center to verify the reputation of the site.



Back up documents. Users would also do well to back up their documents. The 3-2-1 rule applies here: three backup copies of your data, on two different media, and one of those copies in a separate location. Cloud storage services (like SafeSync) can help here.



Regularly update software. Though no known CryptoLocker or other ransomware variants were found to exploit any software vulnerabilities, it is best to update your software with the latest security patches. This provides an added layer of protection against online threats in general.



Install a security solution. A reliable antimalware solution can detect such threats even before they begin. Security solutions like Trend Micro can even block malware-carrying spam before it reaches your inbox.



For organizations, it is important to review policies related to email attachments and impose strict attachment-blocking policies. It is recommended to discourage employees from sending executables via email messages.
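
An attachment-blocking policy is only as strict as the check behind it: a rule keyed on file name or declared MIME type misses an executable that has been renamed or zipped. The following added example (not Trend Micro's True File Type Filtering code, and not from the original page) judges attachments by their leading bytes and goes one step beyond the text by also looking inside ZIP archives; the size cap, nesting depth and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

PE_MAGIC = b"MZ"              # first two bytes of a Windows executable
ZIP_MAGIC = b"PK\x03\x04"     # local file header at the start of a ZIP archive
MAX_MEMBER = 20 * 1024 * 1024 # assumption: largest archive member we will inflate

def executable_names(name, data, depth=0):
    """Yield names of content that starts like a Windows executable, looking inside ZIPs."""
    if data[:2] == PE_MAGIC:
        yield name
    elif data[:4] == ZIP_MAGIC and depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = f"{name}!{info.filename}"
                    if info.file_size > MAX_MEMBER:
                        yield inner + " (too large to inspect)"
                    elif not info.is_dir():
                        yield from executable_names(inner, zf.read(info), depth + 1)
        except (zipfile.BadZipFile, RuntimeError):  # corrupt or password-protected
            yield name + " (unreadable archive)"

def blocked_attachments(raw_message):
    """Return attachments to block, judged by content, not file name or declared MIME type."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        found.extend(executable_names(part.get_filename() or "(unnamed)", data))
    return found

def sample_message():
    """Constructed message; the 'executables' are only the bytes MZ plus zero padding."""
    stub = PE_MAGIC + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.exe", stub)
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(stub, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(blocked_attachments(sample_message()))
```

Archives that cannot be opened are reported rather than passed, so a password-protected ZIP does not slip through unchecked.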



Another security measure that organizations can impose is to configure certain machines with limited privileges, in particular those that have specific functions, to decrease the chances of users executing malicious applications.



Should I pay the ransom?



Because the private key needed to unlock the encrypted files is only available through the cybercriminal, users may be tempted to purchase it and pay the $300/300 Euro fee. However, doing so may encourage these bad guys to continue and even expand their operations.

Author: Ryan Angelo Certeza
