|Name||CryptoLocker 2.0 Ransomware|
|Encryption Type||RSA-1024, 3DES|
|Short Description||CryptoLocker 2.0 is a well-known ransomware family that targets organizations via phishing emails. Beyond the file types targeted by CryptoLocker v1.0, it also encrypts image, video and audio files.|
The Trojan usually reaches the victim as an email attachment: an .exe disguised as a .pdf, delivered password-protected with the password given in the message body (a password-protected attachment cannot be inspected by the mail gateway, so it is the user who has to open it). When the user opens it, the Trojan executes on the system and encrypts every file whose extension is on its target list (given at the end of this page).
It is detected under the names MSIL/Filecoder.D and MSIL/Filecoder.E.
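The lure described above can be triaged mechanically at the mail gateway or in an IR ticket queue. The following Python helper is an added example, not code from the page or from any vendor: it flags double extensions such as .pdf.exe, a PE (MZ) header behind a non-executable name, a .pdf name without the %PDF signature, and looks inside ZIP attachments, where a password-protected entry can still be judged by its name. The extension lists, the whitespace-padding rule (a generalization beyond the page, for names like "invoice.pdf      .exe") and the sample archive are constructed for the example.

```python
"""Added triage helper for the lure described above: an executable that
pretends to be a PDF, possibly inside an archive. Not code from the page."""
import io
import re
import zipfile

# Constructed lists: extensions Windows will execute, and extensions a lure
# typically pretends to be.
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}

PE_MAGIC = b"MZ"           # DOS/PE executable header
PDF_MAGIC = b"%PDF"        # PDF file signature
ZIP_MAGIC = b"PK\x03\x04"  # ZIP local file header


def _extensions(name: str) -> list[str]:
    """Lower-cased extensions of a file name, after removing whitespace padding
    (generalization: lures sometimes use 'invoice.pdf      .exe')."""
    return re.sub(r"\s+", "", name.lower()).split(".")[1:]


def triage_name(name: str) -> list[str]:
    """Findings from the file name alone (works even when the content is
    locked inside a password-protected archive)."""
    exts = _extensions(name)
    if not exts or exts[-1] not in EXEC_EXTENSIONS:
        return []
    if len(exts) >= 2 and exts[-2] in DOC_EXTENSIONS:
        return [f"{name}: double extension, looks like .{exts[-2]} but runs as .{exts[-1]}"]
    return [f"{name}: executable attachment (.{exts[-1]})"]


def triage_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Findings from name plus content; recurses into ZIP archives."""
    findings = triage_name(name)
    exts = _extensions(name)
    last = exts[-1] if exts else ""
    if data.startswith(PE_MAGIC) and last not in EXEC_EXTENSIONS:
        findings.append(f"{name}: PE (MZ) header but name claims .{last or '(none)'}")
    if last == "pdf" and not data.startswith(PDF_MAGIC):
        findings.append(f"{name}: named .pdf but content lacks the %PDF signature")
    if data.startswith(ZIP_MAGIC) and depth < 2:  # depth cap against nested archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:
                        # Encrypted entry: content unreadable, but the name still tells
                        findings.append(f"{name}: password-protected entry {info.filename}")
                        findings.extend(triage_name(info.filename))
                    else:
                        findings.extend(triage_attachment(info.filename, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"{name}: ZIP signature but archive does not parse")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding a fake-PDF 'executable' (only an MZ
    signature followed by zeros, nothing that runs)."""
    fake_pe = PE_MAGIC + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2013.PDF.exe", fake_pe)
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_attachment("Invoice_2013.zip", build_sample_zip()):
        print(line)
```

The name-based check is deliberately separate from the content check: for a password-protected archive the gateway never sees the bytes, but "Invoice.PDF.exe" inside the listing is enough to quarantine the message.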
|Distribution Method||Via email attachments|
Written in C# (a .NET binary, which is why the detection names carry the MSIL/ prefix).
As soon as the Trojan executes, it stays resident in memory and does the following:
- It copies itself into a folder under the user profile (AppData or LocalAppData).
- To run every time the computer starts, it adds an autostart entry to the registry.
Two processes run: the main process, and a second watchdog process that protects the main one from being tampered with or terminated.
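The two persistence traits above (a copy under AppData/LocalAppData, plus a registry autostart entry) give a simple triage rule: any autostart value whose executable lives under the user profile deserves a look. The following Python script is an added example, not code from the page: it parses a .reg export and flags such entries. The page does not name the registry key, so the script assumes the usual Run/RunOnce values; the sample export is constructed, not captured from an infection.

```python
"""Added example: find autostart entries pointing into the user profile in a
.reg export of the Run/RunOnce keys. Not code from the page."""
import re

# Only Run/RunOnce keys are considered (assumption: the page does not name the key)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# "Name"="data" lines; \" and \\ are the .reg escapes
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# \AppData\ covers both Roaming (AppData) and Local (LocalAppData) profile folders
PROFILE_DIR_RE = re.compile(r"\\AppData\\", re.IGNORECASE)


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def image_path(cmdline: str) -> str:
    """Executable path from a Run value: the quoted path, or the first .exe token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmdline, re.IGNORECASE)
    return m.group(1) if m else (cmdline.split() or [""])[0]


def parse_reg_export(text: str):
    """Yield (key, value name, value data) for every string value in the export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, _unescape(m["name"]), _unescape(m["data"])))
    return entries


def suspicious_autostarts(text: str):
    """Run/RunOnce values whose executable sits under the user's AppData tree."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not RUN_KEY_RE.search(key):
            continue
        path = image_path(data)
        if PROFILE_DIR_RE.search(path):
            hits.append({"key": key, "value": name, "image": path})
    return hits


# Constructed sample export (not captured from a real infection)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"Updater"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Helper"="C:\\Users\\alice\\AppData\\Roaming\\helper.exe"
'''

if __name__ == "__main__":
    for hit in suspicious_autostarts(SAMPLE_REG):
        print(hit["value"], "->", hit["image"])
```

To run it against a live host, export the keys first (for example `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, and the same for HKLM and RunOnce) and open the file with `encoding="utf-16"`, since reg.exe writes UTF-16LE. Legitimate software does sometimes autostart from AppData, so the output is a review list, not a verdict; the name "svchost.exe" outside System32 is the kind of entry that should not survive that review.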
Once all the targeted files are encrypted, the Trojan instructs the user to pay a ransom in Bitcoin to obtain the private decryption key.
It also warns that if the payment is not made within the time limit, the private key is destroyed and the encrypted files are lost for good. Version 2.0 displays a fixed deadline instead of the countdown timer shown by the original CryptoLocker.
The following file extensions are targeted:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx
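The extension list is useful beyond signature writing: run over a file share it gives an estimate of what an infection on that share would destroy. The following Python script is an added example, not code from the page: it counts targeted files per extension and per directory, and separately lists p12, pfx and pem files, since those can contain private keys and their loss is a different problem from the loss of a document. Matching is case-insensitive on the assumption that the malware runs on case-insensitive Windows file systems; the sample tree is constructed for the example.

```python
"""Added example: count files a CryptoLocker 2.0 infection would touch under a
directory, using the extension list above. Not code from the page."""
import os
import tempfile
from collections import Counter

# The page's target list. Matching is case-insensitive (assumption: Windows file
# names are case-insensitive, so budget.XLSX is as exposed as budget.xlsx).
TARGETED = set("""
3fr accdb ai arw bay cdr cer cr2 crt crw dbf dcr der dng doc docm docx dwg dxf dxg
eps erf indd jpe jpg kdc mdb mdf mef mrw nef nrw odb odm odp ods odt orf p12 p7b
p7c pdd pef pem pfx ppt pptm pptx psd pst ptx r3d raf raw rtf rw2 rwl srf srw wb2
wpd wps xlk xls xlsb xlsm xlsx
""".split())

# Entries on the list that may hold private keys rather than documents
KEY_MATERIAL = {"p12", "pfx", "pem"}


def targeted_files(root: str):
    """Yield (path, extension) for every file under root whose extension is on the list."""
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            ext = n.rsplit(".", 1)[1].lower() if "." in n else ""
            if ext in TARGETED:
                yield os.path.join(dirpath, n), ext


def exposure_report(root: str) -> dict:
    """Totals per extension and per directory, plus the key-material files found."""
    by_ext, by_dir, key_files = Counter(), Counter(), []
    for path, ext in targeted_files(root):
        by_ext[ext] += 1
        by_dir[os.path.relpath(os.path.dirname(path), root)] += 1
        if ext in KEY_MATERIAL:
            key_files.append(os.path.relpath(path, root))
    return {"total": sum(by_ext.values()), "by_ext": dict(by_ext),
            "by_dir": dict(by_dir), "key_material": sorted(key_files)}


def build_sample_tree() -> str:
    """Constructed sample tree of empty files (not real data). notes.txt and
    setup.exe are deliberately off the list: .txt is not targeted."""
    root = tempfile.mkdtemp(prefix="cl2_exposure_")
    for rel in ["docs/q1.docx", "docs/budget.XLSX", "photos/IMG_001.jpg",
                "photos/raw/IMG_001.cr2", "notes.txt", "setup.exe", "keys/server.pem"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    print(exposure_report(build_sample_tree()))
```

Point the report at a share's root to see which directories carry most of the exposure; that is where offline backups and write-access reviews pay off first.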