CryptoLocker (Trojan:Win32/Crilock.A)

Forum for analysis and discussion about malware.
Posts: 36
Joined: Tue Aug 03, 2010 11:27 am

Sat Nov 02, 2013 2:02 pm

Price for decryption just went up to about 2100 dollars for people who've "lost" the key by means of AV software etc. removing it upon detection. ... n-service/
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Sat Nov 02, 2013 6:09 pm

C&C at hxxp:// now showing this message form:


This service allow you to purchase private key and decrypter for files encrypted by CryptoLocker.

If you already purchased private key using CryptoLocker, then you can download private key and decrypter for FREE.
Select any encrypted file and click "Upload" button.
The first 1024 bytes of the file will be uploaded to the server for search the associated private key. The search can take up to 24 hours. 

OR if you already know your order number, you may enter it into the form below. 

This service accessible through the Tor network:
Posts: 70
Joined: Sun Mar 14, 2010 8:53 am

Tue Nov 05, 2013 4:07 pm

We've just released a BETA version of HitmanPro.Alert 2.5 which contains CryptoGuard, our universal solution against crypto ransomware that works at the file system level. More information, including a demonstration video, can be found here:
Erik Loman [HitmanPro]
SurfRight B.V.
Global Moderator
Posts: 1684
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Tue Nov 05, 2013 9:46 pm

Hi Erik, in the demo video I see that the ransomware is still running and not suspended in the background. Did it encrypt anything during this time?
Posts: 148
Joined: Thu May 06, 2010 10:19 pm
Location: New Zealand

Thu Nov 07, 2013 9:50 pm

A User Report for HMP Alert 2.5 beta

"Now when I try and open Norton 360 the GUI flashes onto the screen then disappears. Once it's gone I can't bring it back. Uninstalled hmp beta and restarted, now Norton is working again."
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Fri Nov 08, 2013 5:46 pm

Anyone have a new sample?
Posts: 48
Joined: Sun Mar 14, 2010 1:47 pm

Fri Nov 08, 2013 6:38 pm

Posts: 4
Joined: Sun Apr 25, 2010 10:34 pm

Mon Nov 11, 2013 10:27 pm

Are these droppers VM-aware? They seem to do nothing when I run them in a VM or in Sandboxie. And I have a specific VM without additions, changed hardware names/ids, etc.
Posts: 2
Joined: Fri Nov 08, 2013 7:06 pm

Mon Nov 11, 2013 11:26 pm

Has anyone seen this attached to the ZeroAccess rootkit? Maybe someone has a sample of both; I am testing to see what can be done to prevent CryptoLocker from running.

A fellow tech and I have had 2 users infected with CryptoLocker, but they also had ZeroAccess attached, which from some research seems to be the point of entry in our case. Kaseya AV and Kaseya Malwarebytes Pro do not detect it at all; KAV gets encrypted and rendered useless. KAM does not detect it either, but the free download version picks up the rootkit and virus. Just wondering if anyone else has run into this at all or not.
Posts: 1
Joined: Fri Nov 01, 2013 8:32 pm

Mon Nov 11, 2013 11:28 pm

According to the malware authors, only the first 1024 bytes of a file are uploaded to the C&C server in order to search for the matching private key in cases where you lost the public key, which could take up to 24 hours. So it sounds like the C&C uses some brute force method for searching for the key. So what would that do? Try every single private key that it has generated to decrypt the first 1024 bytes until it finds the right one? But how does it know which is the right key after the decryption process? If the AES key is truly random, you wouldn't be able to tell just by looking at it whether what you've decrypted is an actual AES key. In order to tell, you could potentially add some kind of constant bit of data that will show up in the decrypted data once the right private key is used to decrypt it. Or, in a more complex case, you'd have to go a step further and use the supposed AES key you've decrypted to decrypt the actual file header (which I presume might be stored in the first 1024 bytes) and then check if the header looks like a document that might have been originally encrypted on the infected machine.
I'm curious whether anyone knows if there is anything else besides the AES key that CryptoLocker encrypts using the RSA public key and that eventually gets stored together with the file.
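The key lookup the post above reasons about, as an added example (my code, not from the thread, and not CryptoLocker's real file format): a toy model of what an "upload the first 1024 bytes and we find your private key" service has to do, with both recognizers the post proposes. Everything about the layout is a constructed assumption: a 32-byte RSA-wrapped key block at the start of the file, the marker string CLKY, 256-bit textbook RSA instead of 2048-bit padded RSA, and an HMAC-SHA256 keystream standing in for the AES-CBC the real malware used.

```python
"""Toy model of the 'find my private key from the first 1024 bytes' lookup.

Assumed (constructed) encrypted-file layout:
    [32-byte RSA-wrapped block][file body encrypted under a per-file key]
The block, before RSA, is 0x00 | prefix(4) | file_key(16) | filler(11), where
prefix is either the constant MARKER or random bytes, so the search can be
shown with and without the "constant bit of data" the post proposes.
"""
import hashlib
import hmac
import math
import random

MARKER = b"CLKY"           # hypothetical constant, not a real CryptoLocker value
KEY_BYTES = 16
BLOCK = 32                 # byte length of the toy 256-bit RSA modulus
KNOWN_SIGNATURES = (b"%PDF", b"PK\x03\x04", b"\xd0\xcf\x11\xe0")  # PDF, ZIP/OOXML, OLE2


def _rand_bytes(rng, k):
    return bytes(rng.getrandbits(8) for _ in range(k))


def _is_probable_prime(n, rounds=16, rng=random.Random(1)):
    """Miller-Rabin; good enough for a toy modulus."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(rng, bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if _is_probable_prime(c):
            return c


def toy_rsa_keypair(rng, bits=128):
    """Textbook RSA, 256-bit modulus, no padding: toy size only, to keep the
    example fast. Returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(rng, bits), _random_prime(rng, bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_wrap(pub, payload):
    n, e = pub
    m = int.from_bytes(payload, "big")
    assert len(payload) == BLOCK and m < n     # leading 0x00 keeps m below n
    return pow(m, e, n).to_bytes(BLOCK, "big")


def rsa_unwrap(priv, blob):
    n, d = priv
    return pow(int.from_bytes(blob, "big"), d, n).to_bytes(BLOCK, "big")


def stream_xor(key, data):
    """Position-based keystream HMAC-SHA256(key, counter) XORed over the data;
    a stand-in for AES-CBC so the toy needs no third-party library."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def encrypt_file(pub, plaintext, rng, with_marker):
    file_key = _rand_bytes(rng, KEY_BYTES)
    prefix = MARKER if with_marker else _rand_bytes(rng, 4)
    payload = b"\x00" + prefix + file_key + _rand_bytes(rng, BLOCK - 1 - 4 - KEY_BYTES)
    return rsa_wrap(pub, payload) + stream_xor(file_key, plaintext)


def marker_recognizer(payload, body):
    """Post's first idea: a constant inside the wrapped block appears only
    when the right private key was used."""
    return payload[1:5] == MARKER


def header_recognizer(payload, body):
    """Post's second idea: decrypt the start of the body with the recovered
    key and check for a plausible document signature."""
    file_key = payload[5:5 + KEY_BYTES]
    return stream_xor(file_key, body[:32]).startswith(KNOWN_SIGNATURES)


def find_private_key(first_1024, candidates, recognizer):
    """Linear scan over every stored private key; returns the accepting index
    or None. Only the uploaded prefix of the file is needed."""
    blob, body = first_1024[:BLOCK], first_1024[BLOCK:]
    for idx, priv in enumerate(candidates):
        if recognizer(rsa_unwrap(priv, blob), body):
            return idx
    return None


def demo():
    """Four 'victim' key pairs, one encrypted sample, both recognizers."""
    rng = random.Random(2013)
    keypairs = [toy_rsa_keypair(rng) for _ in range(4)]
    privs = [kp[1] for kp in keypairs]
    victim = 2
    document = b"%PDF-1.4\n" + b"constructed sample document body " * 100
    results = {}
    for with_marker in (True, False):
        encrypted = encrypt_file(keypairs[victim][0], document, rng, with_marker)
        upload = encrypted[:1024]                      # what the service asks for
        results[with_marker] = (find_private_key(upload, privs, marker_recognizer),
                                find_private_key(upload, privs, header_recognizer))
    return results


if __name__ == "__main__":
    print(demo())   # {True: (2, 2), False: (None, 2)}
```

With the marker present both checks find key 2; without it only the header check does, which is the post's point. Two practical caveats: the uploaded prefix has to contain the wrapped key block plus enough ciphertext to test, which is why a fixed 1024 bytes is enough, and real RSA padding (PKCS#1 v1.5 or OAEP) already fails under the wrong private key, so a deployed scheme gets the first kind of check without any extra constant in the file. Nothing here requires more than a linear scan of the keys the server stored, which matches the "up to 24 hours" queue rather than any cryptanalysis.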