| Field | Details |
| --- | --- |
| Encryption Type | RSA 2048, AES |
| Short Description | CryptoLocker is one of the best-known ransomware families targeting organizations via phishing emails. It is oriented towards business users and does not encrypt image, video or audio files. |
| Symptoms | Some files become inaccessible, and when the user tries to open them a ransom demand is displayed. |
| Distribution Method | The Trojan usually reaches the victim as an email attachment: an .exe file disguised as a .pdf, with the password for it included in the message body. When the user opens the attachment, the Trojan starts executing on the system and encrypts every targeted file it can reach. |
Written in C++.
As soon as the Trojan executes, it resides in memory and does the following:
- It saves a copy of itself in a folder under the user profile (AppData, LocalAppData).
- To make sure it runs every time the computer starts up, it adds a key to the registry.
Two processes run: one is the main process, and the other protects that process from any intrusion or termination.
Once all the targeted files are encrypted, the Trojan instructs the user to pay $300 USD to obtain the private decryption key.
If the victim does not pay within the given time limit, the private key is destroyed, and with it the encrypted files are lost.
The following are the extensions that are targeted,
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx
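The two concrete indicators on this page, the `.exe` attachment disguised as a `.pdf` and the list of targeted extensions, lend themselves to a small triage helper. The following is an added example written for this page, not code from the original profile or from any CryptoLocker analysis tool. It flags attachment names that carry an executable extension behind a document-looking one (including the padding-with-spaces variant), and it inventories a directory tree to show which files would fall within the targeted-extension list. The extension sets beyond `.exe` and `.pdf`, the sample file names, and the function names are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Extensions listed on the page as targeted by CryptoLocker.
TARGETED_EXTENSIONS = frozenset("""
3fr accdb ai arw bay cdr cer cr2 crt crw dbf dcr der dng doc docm docx dwg dxf dxg
eps erf indd jpe jpg kdc mdb mdf mef mrw nef nrw odb odm odp ods odt orf p12 p7b
p7c pdd pef pem pfx ppt pptm pptx psd pst ptx r3d raf raw rtf rw2 rwl srf srw wb2
wpd wps xlk xls xlsb xlsm xlsx
""".split())

# The page names only .exe disguised as .pdf; the extra entries below are an
# assumption about what a defender would also want to catch.
EXECUTABLE_EXTENSIONS = frozenset({"exe", "scr", "com", "bat", "cmd", "pif"})
DOCUMENT_LOOKING_EXTENSIONS = frozenset({"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"})


def is_disguised_executable(filename: str) -> bool:
    """Return True for names like 'invoice.pdf.exe' (or 'scan.pdf    .exe'):
    the real, last extension is executable while an earlier document-looking
    extension is meant to fool the reader of the email."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:  # fewer than two dots: nothing to hide behind
        return False
    _, inner, outer = parts
    inner = inner.strip()  # defeat the "pdf<many spaces>.exe" padding trick
    return outer in EXECUTABLE_EXTENSIONS and inner in DOCUMENT_LOOKING_EXTENSIONS


def targeted_extension(filename: str):
    """Return the lower-cased extension if it is on the targeted list, else None."""
    ext = Path(filename).suffix.lower().lstrip(".")
    return ext if ext in TARGETED_EXTENSIONS else None


def inventory_at_risk(root: str) -> dict:
    """Walk a directory tree and count files per targeted extension,
    giving an estimate of what a CryptoLocker infection would reach."""
    counts = {}
    for dirpath, _dirnames, names in os.walk(root):
        for name in names:
            ext = targeted_extension(name)
            if ext is not None:
                counts[ext] = counts.get(ext, 0) + 1
    return counts


def build_sample_tree(root: str) -> None:
    """Constructed sample files (not real data) used to exercise inventory_at_risk."""
    sample_files = [
        "docs/report.docx",
        "docs/budget.xlsx",
        "photos/holiday.jpg",
        "notes/readme.txt",   # .txt is not on the targeted list
        "keys/server.pem",
    ]
    for rel in sample_files:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("sample content")


def demo() -> dict:
    """Build the constructed tree in a temp directory and return the inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory_at_risk(tmp)


if __name__ == "__main__":
    for name in ["Invoice_2013.pdf.exe", "scan.PDF          .EXE", "report.pdf", "setup.exe"]:
        print(f"{name!r:32} disguised executable: {is_disguised_executable(name)}")
    print("files at risk by extension:", demo())
```

`is_disguised_executable` deliberately returns False for a plain `setup.exe`: that file is executable but not disguised, and a mail gateway would handle bare executables by a separate rule. The inventory counts only by extension, so it tells you how much of a share or a workstation the listed extensions cover, not whether any file is already encrypted.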