gerresponse.blogg.se

Download cryptolocker ransomware






You may have read about the Cryptolocker malware, a new ransomware Trojan that encrypts your files and demands money to return them. In the past, we have witnessed similar malware like the famous GPCode that used RSA keys for encryption. Back in 2008, we cracked the 660-bit RSA key used by GPCode and provided the victims with a method to decrypt and recover their data. Later, the GPCode authors upgraded the RSA key to 1024 bits, putting it perhaps only in the realm of NSA’s cracking power.

Cryptolocker uses a solid encryption scheme as well, which so far appears uncrackable. For each victim, it connects to its command-and-control (C2) to download an RSA public key that is used to encrypt the data. For each new victim, another unique key is created and only the Cryptolocker authors have access to the decryption keys. The attackers give you roughly three days to pay them, otherwise your data is gone forever. A multitude of payment options are available, including Bitcoin. To make sure the victim gets the message, they set a pretty scary wallpaper on the infected machine.

To connect to the C2 servers, Cryptolocker uses a domain generation algorithm that produces 1000 candidate unique domain names every day. Dimiter Andonov from ThreatTrack Security reverse-engineered the algorithm and Kaspersky Lab sinkholed three domains to measure the number of worldwide victims. In total, we’ve had 2764 unique victim IPs contacting the sinkholed domains.






