
UNIVERSITY OF ZAGREB, FACULTY OF ELECTRICAL ENGINEERING AND COMPUTING (Sveučilište u Zagrebu, Fakultet elektrotehnike i računarstva)

CryptoLocker analysis
Jan Stoltman
For the Forensics course
Zagreb, 2018

Table of Contents
1. Introduction
2. Ransomware
3. CryptoLocker
3.1 How it all started (The Trojan part)
3.2 Encryption
3.2 Ransom
3.3 Mitigation
3.4 Aftereffects
3.5 Clones
Sources
Images

1. Introduction

The marvels of modern technology are unquestionable. Never before has the day-to-day life of ordinary citizens developed so rapidly. Thanks to the expansion and ever-growing popularity of computers and the Internet, many of us cannot imagine the inconveniences our predecessors faced all the time. We no longer have to worry about such (for us, at least) trivial things as accurate weather forecasts, keeping in touch with old friends in far-away countries or storing massive amounts of data. Everyone has photos, songs and movies they would like to keep safe and stored forever, and here the miracle of computers and the Internet comes to our aid. What twenty years ago would have taken up half of one's flat is now conveniently stored on our hard disks and solid-state drives. However, this way of storing data is not always as secure as it might seem: even though the files do not get damaged by the passage of time, another danger is present. As with all great inventions of humankind, some people will always try to use them against others, just to get rich and powerful. One example of such abuse of one's knowledge and skill is the CryptoLocker ransomware. In the following presentation I will showcase and explain this particular piece of dangerous software.

2. Ransomware

First things first: what is ransomware? According to Wikipedia:

"Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid."

So, in simple words, it is a program that takes our crucial data hostage and forces us to pay the ransomware's author some amount of money to get the data back. Sometimes it is just a few dollars, but unfortunately sometimes it is a lot more, running up to thousands of dollars where the captured data was critically important or belonged to a big corporation. While most ransomware is simple enough for a skilled specialist to reverse its effects without special effort, some of the more advanced variants use the technique of cryptoviral extortion, which makes it virtually impossible to recover the files without the attacker's key. Ransomware attacks are typically carried out using a Trojan disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an e-mail attachment. That is why it is so important never to trust suspicious-looking files, even if they were sent from a known e-mail address. However, in one high-profile example, the "WannaCry" worm travelled automatically between computers without user interaction, using the EternalBlue exploit against older Windows versions. In most cases the payment for the release of the files is made in a cryptocurrency such as Bitcoin or Litecoin, or through a prepaid voucher service such as Ukash. Because these payment channels are hard to trace, the offender may feel safe that no one can track them down through the payment. That confidence is only partly justified: Bitcoin is pseudonymous rather than anonymous, every transaction is public, and, as section 3.4 shows, the CryptoLocker payment addresses were in fact traced. Starting from 2012, the number of ransomware attacks has grown significantly: McAfee released data showing that in one quarter of 2013 it had collected more than double the number of ransomware samples it had collected in the same quarter of the previous year. CryptoLocker was one of the most successful ransomware attacks ever, and it is what I will talk about in the rest of this presentation.

Someone might ask what happens to backups in such an attack. The answer is simple: nothing happens to backups, and they are the best way of protecting ourselves. One caveat matters in practice: a backup only helps if the ransomware cannot reach it. A backup that is permanently mounted as a writable drive of the infected user account is just another set of files to encrypt, so the copy has to be kept offline, or as versioned snapshots that the user account cannot overwrite. But let's be honest: almost no one bothers to back up their PC in day-to-day life.

3. CryptoLocker

3.1 How it all started (The Trojan part)

CryptoLocker used social engineering to trick the user into running it. More specifically, the victim received an e-mail with a password-protected ZIP file purporting to come from a logistics company; the password was included in the body of the message. The Trojan was executed when the user opened the attached ZIP archive and tried to open the "PDF" inside it. CryptoLocker took advantage of Windows' default behaviour of hiding known file extensions: a file named, for example, invoice.pdf.exe is shown to the user as invoice.pdf, so the real .EXE extension of the malicious file was disguised. As soon as the victim executed it, the Trojan went memory-resident on the computer and took the following actions:

• Saved itself to a folder in the user's profile (AppData, LocalAppData).

• Added a key to the registry to make sure it runs every time the computer starts up.

• Spawned two processes of itself: one is the main process, whereas the other aims to protect the main process against termination.

So far, nothing in this behaviour was new; much earlier malware used similar methods. What made CryptoLocker so innovative and successful was the latter part of the Trojan's operation.
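As an added illustration (not code from this paper or from CryptoLocker's authors), the following Go program checks two of the indicators described above on constructed sample data: the double-extension attachment name that the hidden-extension default turns into a fake PDF, and a Run-key entry whose executable sits directly in the AppData\Roaming or AppData\Local folder of a user profile. The file names, the Run-key entries and the value name "CryptoLocker" are constructed for the example, and the lists of executable and document extensions are assumptions, not the Trojan's.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Extensions Windows will execute, and document-like extensions an attacker
// places in front of them. Both lists are assumptions for this example.
var execExts = map[string]bool{".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true, ".cmd": true}
var docExts = map[string]bool{".pdf": true, ".doc": true, ".docx": true, ".xls": true, ".jpg": true, ".txt": true, ".zip": true}

// IsDoubleExtensionLure reports whether name ends in an executable extension
// preceded by a document extension (invoice.pdf.exe), which Explorer's default
// "hide extensions for known file types" setting displays as invoice.pdf.
func IsDoubleExtensionLure(name string) bool {
	outer := filepath.Ext(name)
	if !execExts[strings.ToLower(outer)] {
		return false
	}
	inner := filepath.Ext(strings.TrimSuffix(name, outer))
	return docExts[strings.ToLower(inner)]
}

// RunEntry is one value under HKCU\...\CurrentVersion\Run: the value name and
// the command line it launches at logon.
type RunEntry struct {
	Name    string
	Command string
}

// profileExec matches an executable placed directly in AppData\Roaming or
// AppData\Local of a user profile, the location CryptoLocker copied itself to.
// Vendor subfolders (AppData\Local\Microsoft\...) deliberately do not match,
// trading some coverage for far fewer false positives.
var profileExec = regexp.MustCompile(`(?i)^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local)\\[^\\]+\.(exe|scr|com)$`)

// ExecutablePath extracts the program path from a Run-key command line,
// honouring a quoted path with spaces and stripping any arguments.
func ExecutablePath(cmd string) string {
	cmd = strings.TrimSpace(cmd)
	if strings.HasPrefix(cmd, `"`) {
		if end := strings.Index(cmd[1:], `"`); end >= 0 {
			return cmd[1 : end+1]
		}
		return strings.TrimPrefix(cmd, `"`)
	}
	if i := strings.IndexByte(cmd, ' '); i >= 0 {
		return cmd[:i]
	}
	return cmd
}

// SuspiciousRunEntries returns the names of Run-key values whose program
// lives directly in a user's AppData folder.
func SuspiciousRunEntries(entries []RunEntry) []string {
	var hits []string
	for _, e := range entries {
		if profileExec.MatchString(ExecutablePath(e.Command)) {
			hits = append(hits, e.Name)
		}
	}
	return hits
}

// Constructed sample data for this example; not taken from a real machine.
var SampleAttachments = []string{
	"Parcel_Notice_7731.pdf.exe",
	"delivery-note.PDF.scr",
	"quarterly-report.pdf",
	"setup.exe",
}

var SampleRunKey = []RunEntry{
	{"OneDrive", `"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background`},
	{"SecurityHealth", `C:\Windows\System32\SecurityHealthSystray.exe`},
	{"CryptoLocker", `"C:\Users\alice\AppData\Roaming\Ftskgupa.exe"`},
}

func main() {
	for _, a := range SampleAttachments {
		fmt.Printf("%-30s lure=%v\n", a, IsDoubleExtensionLure(a))
	}
	fmt.Println("suspicious Run entries:", SuspiciousRunEntries(SampleRunKey))
}
```

On a live system the Run-key values would come from "reg query" or a forensic registry export rather than the constructed slice; the heuristic is intentionally narrow, so a real triage would pair it with the second indicator from the list above, a process that restarts its sibling when it is killed.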

3.2 Encryption

Once on the infected system, the Trojan generated a random symmetric key for each file it "wanted" to encrypt, and encrypted that file's contents with the AES algorithm under the generated key. It then encrypted the random file key with the RSA algorithm, using keys of 1024 bits or more (some samples used 2048-bit keys). In this way the author made sure that only the holder of the private RSA key could recover the random key used to encrypt the file; the private key never left the attacker's infrastructure, and the per-file AES key existed on the victim's machine only for as long as it took to encrypt that one file. The original files were overwritten multiple times to make them unrecoverable by standard forensic methods. Before it started to encrypt anything, the first thing the Trojan did after launch was to obtain the public key (PK) from its command-and-control (C&C) server and save it in the following Windows registry key: HKCU\Software\CryptoLocker\Public. Two consequences follow for the investigator: a machine that never managed to reach a C&C server had no key and encrypted nothing, and the value stored under that registry key is an indicator of compromise even after the executable itself is gone. CryptoLocker avoided encrypting executable files; it encrypted only files whose extensions were included in the list hard-coded in the Trojan's code.

Illustration 1: Accepted extensions
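To make the per-file key handling concrete, here is an added Go example of the hybrid scheme described in section 3.2; it is not code from this paper or from the Trojan. It uses AES-256-GCM for the file contents and RSA-OAEP with a 2048-bit key to wrap the per-file key; the page does not say which AES mode or RSA padding CryptoLocker used, so those are this example's choices. The extension list is an assumed subset standing in for Illustration 1, the key pair is generated locally here whereas the real private key stayed on the C&C server, and the file names and contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"path/filepath"
	"strings"
)

// Assumed illustrative subset of the list in Illustration 1; .exe is absent, as in the Trojan.
var targetedExts = map[string]bool{".doc": true, ".docx": true, ".xls": true, ".pdf": true, ".jpg": true}

// IsTargeted is the extension filter: only listed extensions get encrypted.
func IsTargeted(name string) bool {
	return targetedExts[strings.ToLower(filepath.Ext(name))]
}

// Envelope replaces a file on disk: wrapped per-file key, GCM nonce, ciphertext.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// EncryptFile draws a fresh random AES-256 key for this one file, encrypts the
// contents with it, wraps the key with the public key fetched from the C&C
// server, then zeroes the raw key so nothing able to decrypt the file remains.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// DecryptFile is what the attacker's decryption service does: unwrap the file
// key with the private key, then decrypt. Any other private key fails at the unwrap.
func DecryptFile(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	// Generated here for the demonstration only; in the real attack the private
	// half stayed on the C&C server and only the public key was sent down.
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	victim, _ := rsa.GenerateKey(rand.Reader, 2048) // any key the victim could make locally
	for _, name := range []string{"thesis.docx", "photo.JPG", "notepad.exe"} { // constructed names
		if !IsTargeted(name) {
			fmt.Printf("%-12s skipped, extension not in list\n", name)
			continue
		}
		env, err := EncryptFile(&attacker.PublicKey, []byte("constructed contents of "+name))
		if err != nil {
			panic(err)
		}
		back, _ := DecryptFile(attacker, env)
		fmt.Printf("%-12s %d-byte wrapped key; holder of the private key recovers %q\n", name, len(env.WrappedKey), back)
		_, err = DecryptFile(victim, env)
		fmt.Printf("%-12s with another private key: %v\n", name, err)
	}
}
```

The point the example makes is the one section 3.4 later turns on: every file can be opened only through its wrapped key, and every wrapped key only through the one private key held by the attacker, which is why obtaining the server-side key database was the only recovery route.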

3.2 Ransom

Once CryptoLocker had finished encrypting every file that met the above conditions, it displayed the following message asking the user to make a ransom payment, with a time limit for sending the payment before the private key held by the malware author would be destroyed, after which the files themselves would become unrecoverable.

Illustration 2: CryptoLocker ransom window

3.3 Mitigation

CryptoLocker was particularly hard to detect. Even though security software is designed to detect such threats, it either did not detect CryptoLocker at all or detected it only after encryption was under way or complete, making it virtually useless for protecting one's files, particularly when a new version unknown to the protective software was distributed. Many specialists suggested that paying the ransom was the only way of recovering the files, because of the strength of CryptoLocker's encryption. Detection after the fact does not bring the files back, so the effective measures were the preventive ones already mentioned: not opening the attachment described in section 3.1, and keeping backups that the infected account could not reach. According to Wikipedia:

"Sophos security analyst Paul Ducklin speculated that CryptoLocker's online decryption service involved a dictionary attack against its own encryption using its database of keys, explaining the requirement to wait up to 24 hours to receive a result."

3.4 Aftereffects

CryptoLocker was first observed on 5 September 2013 and finally taken down in late May 2014. It was isolated in late May 2014 through Operation Tovar, which took down the Gameover ZeuS botnet that had been used to distribute the Trojan. During the operation, a security firm involved in the process obtained the database of private keys used by CryptoLocker, which was in turn used to build an online tool for recovering the keys and files without paying the ransom.

Tracing four bitcoin addresses used by the authors of CryptoLocker revealed that 41,928 BTC had been sent to them, roughly 27 million US dollars at the time and worth almost 450 million dollars at the time of writing (2018). This take was unmatched until the CryptoWall ransomware incident. In a survey carried out afterwards, 41% of the victims of this ransomware said they had decided to pay the ransom in order to recover their files, a much larger proportion than the researchers had expected.

3.5 Clones

The success of CryptoLocker spawned a number of unrelated but similarly named ransomware Trojans working in essentially the same way, including some that call themselves "CryptoLocker" but are, according to security researchers, unrelated to the original. In September 2014, further clones such as CryptoWall, which would go on to break CryptoLocker's record for money extorted for its creators, and TorrentLocker began spreading in Australia; this ransomware used infected e-mails purportedly sent by government departments. To evade detection by automatic e-mail scanners that can follow links, this variant was designed to require users to visit a web page and enter a CAPTCHA code before the payload was actually downloaded. Symantec determined that these new variants, which it identified as "CryptoLocker.F", were not tied to the original.

Sources

• https://en.wikipedia.org/wiki/

• https://www.pandasecurity.com/mediacenter/malware/cryptolocker/

• https://www.2-spyware.com/

• https://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99

• http://malware.wikia.com/wiki/CryptoLocker

• https://malwaretips.com/blogs/remove-cryptolocker-virus/

Images:

• https://www.2-spyware.com/remove-cryptolocker.html