CryptoLocker (Trojan:Win32/Crilock.A)

Forum for analysis and discussion about malware.
Every1is=
Posts: 36
Joined: Tue Aug 03, 2010 11:27 am

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Every1is= » Sat Nov 02, 2013 2:02 pm

Price for decryption just went up to about 2100 dollars for people who've "lost" the key by means of AV software etc. removing it upon detection.

http://www.bleepingcomputer.com/forums/ ... n-service/

patriq
Posts: 109
Joined: Fri Jun 28, 2013 8:11 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by patriq » Sat Nov 02, 2013 6:09 pm

C&C at hxxp://93.189.44.187/ is now showing this message form:


This service allow you to purchase private key and decrypter for files encrypted by CryptoLocker.

If you already purchased private key using CryptoLocker, then you can download private key and decrypter for FREE.
Select any encrypted file and click "Upload" button.
The first 1024 bytes of the file will be uploaded to the server for search the associated private key. The search can take up to 24 hours. 

IMMEDIATELY AFTER UPLOADING FILE TO THE SERVER, YOU RECEIVE YOUR ORDER NUMBER. YOU CAN USE THIS NUMBER TO CHECK STATUS OF ORDER.
OR if you already know your order number, you may enter it into the form below. 

This service accessible through the Tor network:
http://f2d2v7soksbskekh.onion/

erikloman
Posts: 70
Joined: Sun Mar 14, 2010 8:53 am

CryptoGuard

Post by erikloman » Tue Nov 05, 2013 4:07 pm

We've just released a BETA version of HitmanPro.Alert 2.5 which contains CryptoGuard, our universal solution against crypto ransomware that works at the file system level. More information, including a demonstration video, can be found here: http://www.hitmanpro.com/alert/cryptoguard
Erik Loman [HitmanPro]
SurfRight B.V. - www.surfright.com

Xylitol
Global Moderator
Posts: 1652
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Xylitol » Tue Nov 05, 2013 9:46 pm

Hi Erik, in the demo video I see that the ransomware is still running and not suspended in the background; did it encrypt stuff during this time?

Quads
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Quads » Thu Nov 07, 2013 9:50 pm

A User Report for HMP Alert 2.5 beta

"Now when I try and open Norton 360 the GUI flashes onto the screen then disappears. Once it's gone I can't bring it back. Uninstalled hmp beta and restarted, now Norton is working again."

patriq
Posts: 109
Joined: Fri Jun 28, 2013 8:11 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by patriq » Fri Nov 08, 2013 5:46 pm

Anyone have a new sample?

Grinler
Posts: 48
Joined: Sun Mar 14, 2010 1:47 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by Grinler » Fri Nov 08, 2013 6:38 pm

Latest.
BleepingComputer.com

AliveNoMore
Posts: 4
Joined: Sun Apr 25, 2010 10:34 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by AliveNoMore » Mon Nov 11, 2013 10:27 pm

Are these droppers VM-aware? They seem to do nothing when I run them in a VM or in Sandboxie. And I have a specific VM without additions, changed hardware names/ids, etc.

RP-Tech
Posts: 2
Joined: Fri Nov 08, 2013 7:06 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by RP-Tech » Mon Nov 11, 2013 11:26 pm

Has anyone seen this attached to the ZeroAccess rootkit? Does anyone maybe have a sample of both? I am testing to see what can be done to prevent Cryptolocker from running.

A fellow tech and I have had 2 users infected with Cryptolocker who also had ZeroAccess attached, which from some research seems to be the point of entry in our case, and Kaseya AV & Kaseya Malwarebytes Pro do not detect it at all. KAV gets encrypted and rendered useless. KAM does not detect it either, but the free download version picks up the rootkit and virus. Just wondering if anyone else has run into this at all or not.

ilyuha79
Posts: 1
Joined: Fri Nov 01, 2013 8:32 pm

Re: CryptoLocker (Trojan:Win32/Crilock.A)

Post by ilyuha79 » Mon Nov 11, 2013 11:28 pm

According to the malware authors, only the first 1024 bytes of a file are uploaded to the C&C server in order to search for the matching private key in cases where you lost the public key, which could take up to 24 hours. So it sounds like the C&C uses some brute force method for searching for the key. So what would that do? Try every single private key that it has generated to decrypt the first 1024 bytes until it finds the right one? But how does it know which is the right key after the decryption process? If the AES key is truly random, you wouldn't be able to tell just by looking at it whether what you've decrypted is an actual AES key. In order to tell, you could potentially add some kind of constant bit of data that will show up in the decrypted data once the right private key is used to decrypt it. Or, in a more complex case, you'd have to go a step further and use the supposed AES key you've decrypted to decrypt the actual file header (which I presume might be stored in the first 1024 bytes) and then check if the header looks like a document that might have been originally encrypted on the infected machine.
I'm curious if anyone knows if there is anything else besides the AES key that CryptoLocker encrypts using the RSA public key that eventually gets stored together with the file?
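The two key-identification approaches ilyuha79 sketches above, worked through in added example code (not from this thread, from any poster, or from CryptoLocker itself; the header layout, the `KEY1` marker, the `%PDF` signature check and the sample document are all constructed assumptions). A hybrid-encrypted file carries an RSA-wrapped symmetric key in front of the body; the holder of many private keys can find the right one from the file head alone either (a) by a constant marker inside the wrapped blob, which a wrong key will almost never reproduce, or (b) by trial-decrypting the body and checking whether it looks like a real document. Textbook RSA over Mersenne primes and a SHA-256 keystream stand in for RSA and AES so the block runs on the standard library; it is insecure by design and exists only to show why a 1024-byte head suffices for the lookup.

```python
# Added illustration: hybrid-encryption header and server-side key lookup.
# Toy RSA (no padding, known Mersenne primes) and a SHA-256 keystream replace
# real RSA/AES. Header layout is hypothetical, not CryptoLocker's. Insecure.
import hashlib

MAGIC = b"KEY1"        # constructed marker wrapped together with the key (approach a)
SYM_KEY_LEN = 16       # 128-bit symmetric key
BLOB_LEN = 70          # fixed size of the RSA output in the header (largest n < 2^552)
HEAD_LEN = 1024        # bytes the "service" asks for, per the thread
SAMPLE_KEY = bytes(range(SYM_KEY_LEN))   # constructed, fixed so the run is repeatable


def mersenne(k):
    """2^k - 1; for k in {31, 61, 89, 107, 127, 521} this is a known prime."""
    return (1 << k) - 1


def toy_keypair(p, q, e=65537):
    """Textbook RSA keypair from two known primes (constructed, insecure)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (n, e), (n, d)


# Three "victim" keypairs the lookup service holds; moduli of 188, 196 and 552 bits.
KEYPAIRS = [toy_keypair(mersenne(61), mersenne(127)),
            toy_keypair(mersenne(89), mersenne(107)),
            toy_keypair(mersenne(31), mersenne(521))]


def keystream_xor(key, data):
    """Toy stream cipher: XOR with SHA-256(key || block counter); self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_file(pub, plaintext, sym_key):
    """Header = RSA(MAGIC || sym_key) as a fixed-width blob, then the body."""
    n, e = pub
    m = int.from_bytes(MAGIC + sym_key, "big")      # 20 bytes, below every modulus
    blob = pow(m, e, n).to_bytes(BLOB_LEN, "big")   # textbook RSA, no padding
    return blob + keystream_xor(sym_key, plaintext)


def unwrap(priv, blob):
    """Approach (a): return the symmetric key if this private key yields
    MAGIC || key, else None. A wrong key gives a random-looking integer that
    almost never fits in 20 bytes, let alone starts with MAGIC."""
    n, d = priv
    m = pow(int.from_bytes(blob, "big"), d, n)
    if m.bit_length() > 8 * (len(MAGIC) + SYM_KEY_LEN):
        return None
    data = m.to_bytes(len(MAGIC) + SYM_KEY_LEN, "big")
    return data[len(MAGIC):] if data.startswith(MAGIC) else None


def find_key_by_marker(head, privs):
    """Index of the private key whose unwrap reproduces the marker, or None."""
    for idx, priv in enumerate(privs):
        if unwrap(priv, head[:BLOB_LEN]) is not None:
            return idx
    return None


def find_key_by_plaintext(head, privs, expected_sig=b"%PDF"):
    """Approach (b): ignore the marker, treat the low 16 bytes of each trial
    decryption as the key, decrypt the body and look for a document signature."""
    blob, body = head[:BLOB_LEN], head[BLOB_LEN:]
    for idx, (n, d) in enumerate(privs):
        m = pow(int.from_bytes(blob, "big"), d, n)
        cand = m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")[-SYM_KEY_LEN:]
        cand = cand.rjust(SYM_KEY_LEN, b"\0")
        if keystream_xor(cand, body).startswith(expected_sig):
            return idx
    return None


def demo():
    """Encrypt a constructed document under keypair 1, keep only the first
    1024 bytes, and let both lookups identify the key."""
    doc = b"%PDF-1.4 constructed sample document body " * 40   # ~1.7 KB > HEAD_LEN
    encrypted = encrypt_file(KEYPAIRS[1][0], doc, SAMPLE_KEY)
    head = encrypted[:HEAD_LEN]
    privs = [kp[1] for kp in KEYPAIRS]
    return find_key_by_marker(head, privs), find_key_by_plaintext(head, privs)


if __name__ == "__main__":
    print(demo())   # (1, 1): both approaches pick keypair 1
```

The practical observation for an analyst is that nothing about the body beyond the wrapped header is needed for approach (a), so the 1024-byte request is consistent with a fixed-size RSA blob at the start of each file; approach (b) is what a service would need if the wrapped data contained nothing but a random key. With a padded real-world scheme such as RSA-OAEP the padding check itself plays the role of the marker, since decryption with a wrong key fails outright.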
