Hi all,
This may seem like a strange request/question but, I am wanting to take a look at the new ransomware infection cryptolocker - I am planning on installing it on a V/M and just seeing what it does and how it works - I know the encryption is something I won't be able to undo - I'm just curious to what it does (going to install it on a V/M and an isolated network)
Does anyone happen to have a direct link to this, or know how I can get my PC 'infected'?
Hi,
I've had a quick look at a PC a friend gave me which was infected about 3 weeks ago and I've established this ransomware is very effective and encrypts the individual files very quickly. If you look at a machine that has been infected you will be able to see all the partitions as normal but the typical user files will all be encrypted individually.
I also noted it didn't use the same encryption type on each file. Some files I could identify the encryption type of and others I couldn't. I did have a quick go at cracking the ones I could identify and the iteration is also effective, with attack speeds well below what I can achieve on other encryption types.
There are quite a few threads (somewhere out there) explaining what the ransomware does and how someone is likely to get infected with it. I didn't feel interested enough to examine it in greater detail myself but I would be interested in a peer's findings.
Steve
Hi,
An active deployment hxxp//194.28.174.119/0388(dot)exe
I didn't check the infection, so consider that the C&Cs for key provisioning and timing are probably down or DNS blocked.
However, if you're interested in reverse engineering this, it shouldn't be that difficult to setup your own C&C. In this case, I can provide you with some older samples, too.
Here's a long forum topic on cryptolocker if you want to check it out
http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/
This seems to be the real deal - compared to other ransomware which is either a file-obfuscation or an idle threat. This one is spread by social engineering emails - UPS package or some mileage-reimbursement "form". It encrypts files using a public/private key. Apparently the private key is stored on a server someplace. If you don't pay the ransom in time, the private key is destroyed and you are Sierra Oscar Lima.
Some people have paid the ransom and have had their files decrypted (wow! never thought the bad guys would be true to their word); others have paid and it looks like the C&C server was taken down so they never got the private key sent down to the infected machine and so they are now out the $ and still don't have decrypted files.
Unfortunately, the encryption process itself doesn't raise any red flags to the AV programs; it's only after the warning screen is shown and the countdown timer starts that your AV chimes in - by that time it's too late.
Interesting read… Interesting to see what copycats are born from this. Would love to see the Int'l law enforcement community go after these guys…
Backup early… Backup often )
-=Art=-
If I get infected I would then be called Sierra Oscar Lima? I don't like that grouping for my name.
Can I just continue to be Bill Gates?