A new strain of ransomware seen over the past few weeks revives an old idea: it encrypts files on the infected device and keeps them encrypted until the victim pays a ransom.
The strain, called CryptoLocker (detected as Trojan:Win32/Crilock), does not go after the files home users might consider important, according to researchers at Emsisoft. Its target list is more oriented toward business users: office documents (odt, doc, docx, xls, xlsx, ppt, pptx, rtf), databases (mdb, accdb, mdf, dbf), images and camera RAW formats (psd, pdd, jpg, srf, sr2, bay, crw, dcr, kdc, erf, mef, mrw, nef, nrw, raf, raw, rwl, rw2, ptx, pef, srw, x3f), and certificates and private keys (der, cer, crt, pem, p12).
The ransomware is distributed via emails that claim to carry a customer complaint. The attachment is not CryptoLocker itself but a downloader that retrieves the actual malware.
Once it infects a device, CryptoLocker creates a registry entry so that it starts at every boot. It then establishes communications with its command-and-control (C&C) server: it first tries a hardcoded IP address and, if that fails, falls back to domains produced by a domain generation algorithm (DGA).
After it reaches a C&C server, the malware communicates with it over traffic encrypted using RSA.
“Using RSA based encryption for the communication not only allows the attacker to obfuscate the actual conversation between the malware and its server, but also makes sure the malware is talking to the attacker’s server and not a blackhole controlled by malware researchers,” Emsisoft researchers said in a blog.
Finally, CryptoLocker looks for files with the extensions listed above and encrypts them with AES. The files cannot be decrypted without the AES key, which is held on the C&C server and accessible only to the attacker.
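For an incident responder, the practical question at this stage is which files on a machine have already been encrypted. The script below is an added triage example, not code from the article or from Emsisoft: it walks a directory, looks only at the extensions the article lists as targets, and flags a file when its header no longer matches its format and its bytes have the near-uniform distribution of ciphertext. The magic-byte table, the 7.5 bits/byte threshold and the sample files are assumptions made for this example; the sample tree is constructed in a temporary directory so the script runs offline.

```python
"""Triage scan for the file-encryption stage of CryptoLocker-style ransomware.

Added example, not from the article or Emsisoft. Files are judged on two
signals: does the head of the file still carry the magic bytes of its own
format, and does the content look like ciphertext (entropy close to 8 bits
per byte)? Compressed formats such as docx and jpg are high-entropy when
healthy, so a matching header clears them and only "wrong header AND
ciphertext-like" is flagged. Types with no known magic are judged on entropy
alone, which is the weaker check.
"""
import math
import random
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# Extensions the article names as CryptoLocker targets.
TARGETED_EXTENSIONS = {
    "odt", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "mdb", "accdb", "rtf",
    "mdf", "dbf", "psd", "pdd", "jpg", "srf", "sr2", "bay", "crw", "dcr", "kdc",
    "erf", "mef", "mrw", "nef", "nrw", "raf", "raw", "rwl", "rw2", "ptx", "pef",
    "srw", "x3f", "der", "cer", "crt", "pem", "p12",
}

# Leading bytes a healthy file of that type starts with. Assumption: a small
# well-known subset; extensions absent here are judged on entropy alone.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP = b"PK\x03\x04"
MAGIC = {
    "docx": (ZIP,), "xlsx": (ZIP,), "pptx": (ZIP,), "odt": (ZIP,),
    "doc": (OLE2,), "xls": (OLE2,), "ppt": (OLE2,),
    "jpg": (b"\xff\xd8\xff",),
    "psd": (b"8BPS",),
    "rtf": (b"{\\rtf",),
    "pem": (b"-----BEGIN",),
}

ENTROPY_THRESHOLD = 7.5   # bits/byte; text sits around 4-5, ciphertext near 8
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


@dataclass
class Verdict:
    path: Path
    extension: str
    entropy: float
    header_ok: Optional[bool]  # None when no magic is known for the type
    suspicious: bool


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> Optional[Verdict]:
    """Return a Verdict for a targeted file, None for files the malware ignores."""
    ext = path.suffix.lower().lstrip(".")
    if ext not in TARGETED_EXTENSIONS:
        return None
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    magics = MAGIC.get(ext)
    header_ok = None if magics is None else any(head.startswith(m) for m in magics)
    if header_ok is None:
        suspicious = entropy > ENTROPY_THRESHOLD          # entropy-only check
    else:
        suspicious = (not header_ok) and entropy > ENTROPY_THRESHOLD
    return Verdict(path, ext, entropy, header_ok, suspicious)


def scan_tree(root: Path) -> List[Verdict]:
    """Classify every targeted file below root, in a stable order."""
    verdicts = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            v = classify(p)
            if v is not None:
                verdicts.append(v)
    return verdicts


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for the demo, not real victim files."""
    rng = random.Random(1337)

    def noise(n: int) -> bytes:  # stands in for ciphertext / compressed data
        return bytes(rng.getrandbits(8) for _ in range(n))

    text = b"The quarterly figures are attached for review. " * 100
    (root / "report.docx").write_bytes(ZIP + noise(4096))        # intact zip container
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + noise(4096))  # intact JPEG
    (root / "notes.rtf").write_bytes(b"{\\rtf1\\ansi " + text)   # intact text
    (root / "holiday.raf").write_bytes(text)                     # no magic known, low entropy
    (root / "budget.xlsx").write_bytes(noise(4096))              # header gone, ciphertext-like
    (root / "server.pem").write_bytes(noise(4096))               # header gone, ciphertext-like
    (root / "shoot.nef").write_bytes(noise(4096))                # no magic known, high entropy
    (root / "readme.txt").write_bytes(text)                      # not a targeted extension


def demo() -> Dict[str, bool]:
    """Scan a constructed tree; returns {filename: flagged_as_encrypted}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return {v.path.name: v.suspicious for v in scan_tree(root)}


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{'ENCRYPTED?' if flagged else 'ok        '} {name}")
```

The header check is what keeps the false-positive rate usable: a healthy docx or jpg is already close to 8 bits/byte because it is compressed, so entropy alone would flag every office document and photo on the disk. The weak spot is the other direction, a type with no known magic, where only the entropy signal remains; extend MAGIC for the formats that matter in your environment before relying on the result.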
Removing the malware does not decrypt anything. The recovery path is to clean the infection with an antivirus program and then restore the encrypted files from a backup taken before the infection.