Hacked! CryptoLocker Ransom-Ware

Laptop ImageIt sounds like the plot of a movie…

But it is very real possibility. Imagine:

  • Your entire Company’s files have been hijacked and encrypted with 2048-bit encryption.
  • You receive a notification that you have 72 hours to pay a ransom.
  • Upon payment, the hackers will decrypt your files. Probably.
  • If time runs out, the encryption key is deleted and your files are gone forever.

If that scenario isn’t enough to scare you, here are more details on the newest, nastiest kind of malware to hit the neighborhood. It is called “Ransom-Ware” and it does exactly what it says: holds a ransom over your company’s information until payment is submitted. The most common type of ransom-ware on the street is CryptoLocker.

JCMR Technology has experienced and researched this virus first-hand and has details to report.

Attack Vector & Infection

The attack vectors for this virus seem to be email attachments. The emails appear to be legitimate to the end user (see Figure 1). There appear to be two different variants of the virus—one of which charges $100 and $300. Infection will occur regardless of the User Account Control (UAC) or if the user is an Administrator or not. The virus stores a 2048 bit RSA public key in the registry. Upon payment the private key is provided to decrypt files (see Figure 2). When a computer is infected, it will display a specific background giving information on the Ransom-Ware (see Figure 3). When the program executes, it creates two executables with pseudorandom names in %userprofile%.

Currently, most virus scanners will not catch the virus, this includes up to date versions of Avast! and GFI Vipre. Many antiviruses are catching the virus too late in the infection. There are reports that virus scanners are removing the registry data for the public key after infection to rectify the infection. This action is effectively making the restore process impossible. Releasing files from quarantine will work on most programs to reverse this process, if you decided to pay the ransom. Registry data is stored at HKCU/Software/CryptoLocker.

CryptoLocker is a silent infection until the files are mostly encrypted. Then you are presented with the notification that the infection has taken place and your files encrypted.


Effects of the Ransom-Ware, special notes

A long story short, it targets business related files and documents. This includes mapped network shares and drives. This can be devastating to a business. A full list of file extensions are below.

The timer associated with the program is legitimate, the countdown is real. At the end of the timer, the private key is destroyed, the program uninstalls itself, and all that remains are useless, encrypted and otherwise corrupted files.

Because of manual payment verification and the nature of a viral spread, many Companies have experienced as long as 16 days before a payment is processed and the decryption begins.

The types of files that are affected are *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c, *.pdf, *.tif.


Removal of the virus is easy. There is no brute forcing the key or getting back your files without paying, unless you restore from backups. You can liken the virus to a house-fire— the fire can be extinguished but everything is still destroyed. If a Company is running low on time, reports have shown that changing the time on the BIOS can give a little more time. I personally would not trust this.

The genius part about this virus is, it actually works and is well written. Paying the “Ransom” can get your files back. $300 is not much for your Business to continue running. The hackers withdraw the funds from MoneyPack manually. After this has been completed, they send a notification to the infected machine to decrypt the files. The virus uses a large amount of space in the registry to store information for the encrypted files. With that in mind, it is important to not move the files from their original location. The decryption software will not be able to locate the files. It can take a long time to decrypt files, due to the algorithm and strength. Reports indicate that it takes roughly 5 gigabytes per hour.



This article, experience, malware, etc. has been wild; but, the staples of security remain the same. Preventing this type of damage to your Business and continuity remain the same and we are not looking at anything revolutionary here.

  1. BACK. UP. YOUR. FILES. –Cold backups and protected backups, Not on a network share.
  2. Least Privilege — Do not empower your users. They will fail. No admin rights, etc.
  3. Software Restriction Policies via GPO – You have always wanted to do it, now you have a reason!
  4. Virus Scanning / Endpoint Protection – Or as I put it, “better than nothing”.
  5. Firewall / IDS / IPS – Egress rules, anomaly detection, black listing—you cannot go wrong here.
  6. User Training – Users are the weakest link. Train them. Do not ever click unless you are sure.

JCMR Technology works to enable their Customers and provides solution. Whether backup solutions, security services, user training or policy implementation—JCMR Technology can protect and keep your Business functioning properly. JCMR Technology takes the time to blog to spread knowledge and empower the IT Community.


Figure 1: Email containing the CryptoLocker Virus

Ransomeware Image 1


Figure 2: Decryption of Files

Ransomware Image 2



Figure 3: Background when computer is infected

Ransomeware Image 3




Zack Mayo is an Engineer at JCMR Technology. He specializes in Security, Systems Administration & Wearing Ties.