The CryptoLocker ransomware attack was a cyberattack using the ''CryptoLocker'' ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running Microsoft Windows, and was believed to have first been posted to the Internet on 5 September 2013.
It propagated via infected email attachments, and via an existing Gameover ZeuS botnet. When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment (through either bitcoin or a pre-paid cash voucher) was made by a stated deadline, and it threatened to delete the private key if the deadline passed. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.
Although CryptoLocker itself was easily removed, the affected files remained encrypted in a way which researchers considered unfeasible to break. Many said that the ransom should not be paid, but did not offer any way to recover files; others said that paying the ransom was the only way to recover files that had not been backed up. Some victims claimed that paying the ransom did not always lead to the files being decrypted.
CryptoLocker was isolated in late May 2014 via Operation Tovar, which took down the Gameover ZeuS botnet that had been used to distribute the malware. During the operation, a security firm involved in the process obtained the database of private keys used by CryptoLocker, which was in turn used to build an online tool for recovering the keys and files without paying the ransom. It is believed that the operators of CryptoLocker successfully extorted a total of around $3 million from victims of the trojan. Other instances of encryption-based ransomware that have followed have used the "CryptoLocker" name (or variations), but are otherwise unrelated.
Operation
CryptoLocker typically propagated as an attachment to a seemingly innocuous e-mail message, which appeared to have been sent by a legitimate company. A ZIP file attached to the message contained an executable file whose filename and icon were disguised as a PDF file, taking advantage of Windows' default behaviour of hiding the extension from file names to disguise the real .EXE extension. CryptoLocker was also propagated using the Gameover ZeuS trojan and botnet.
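As an added defender-side example (not code from the original article), the following Python check is the kind a mail gateway could apply to a ZIP attachment of the sort described above: it flags entries whose real final extension is executable behind a document-like name, and entries whose bytes begin with the Windows PE signature regardless of name. The article only mentions .exe and PDF; the other extensions in the two lists and the sample archive are assumptions constructed for the example.

```python
import io
import zipfile

# Extensions Windows treats as directly executable. CryptoLocker's lure used .exe;
# the rest are added here as a generalisation of the same check (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Document extensions a lure might imitate. The article mentions PDF; the rest are assumed.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable (DOS header)


def inspect_entry(name, head):
    """Return the reasons an archive entry looks like a disguised executable.

    name: the entry's path inside the ZIP; head: its first bytes.
    Explorer hides the last known extension, so "Invoice.pdf.exe" is shown as
    "Invoice.pdf"; the check therefore looks at the real final extension.
    """
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + part for part in base.split(".")[1:]]
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        reasons.append("executable extension " + final)
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append("double extension hides %s behind %s" % (final, exts[-2]))
    elif head.startswith(PE_MAGIC):
        reasons.append("PE header (MZ) but non-executable extension")
    return reasons


def scan_zip_attachment(data):
    """Map each suspicious entry of a ZIP attachment (bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            reasons = inspect_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive (not a real lure): three entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2013-09.pdf.exe", PE_MAGIC + b"\x00" * 62)  # disguised executable
        zf.writestr("notes.txt", b"plain text")                          # benign
        zf.writestr("report.pdf", PE_MAGIC + b"\x90\x00")                # PE bytes behind a .pdf name
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in scan_zip_attachment(build_sample_zip()).items():
        print(entry, "->", "; ".join(reasons))
```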
When first run, the payload installs itself in the user profile folder, and adds a key to the registry that causes it to run on startup. It then attempts to contact one of several designated command and control servers; once connected, the server generates a 2048-bit RSA key pair, and sends the public key back to the infected computer. The server may be a local proxy that relays through others, frequently relocated to different countries to make tracing them more difficult.
The payload then encrypts files across local hard drives and mapped network drives with the public key, and logs each file encrypted to a registry key. The process only encrypts data files with certain extensions, including Microsoft Office, OpenDocument, and other documents, pictures, and AutoCAD files.
The payload displays a message informing the user that files have been encrypted, and demands a payment of 400 USD or euro through an anonymous pre-paid cash voucher (e.g. MoneyPak or Ukash), or an equivalent amount in bitcoin (BTC), within 72 or 100 hours (the ransom started at 2 BTC and was adjusted down to 0.3 BTC by the operators to reflect the fluctuating value of bitcoin), or else the private key on the server would be destroyed, and "nobody and never will be able to restore files." Payment of the ransom allows the user to download the decryption program, which is pre-loaded with the user's private key. Some infected victims claim that they paid the attackers but their files were not decrypted.
In November 2013, the operators of CryptoLocker launched an online service that claimed to allow users to decrypt their files without the CryptoLocker program, and to purchase the decryption key after the deadline had expired. The process involved uploading an encrypted file to the site as a sample and waiting for the service to find a match; the site claimed that a match would be found within 24 hours. Once found, the user could pay for the key online; if the 72-hour deadline had passed, the cost increased to 10 bitcoin. Ten bitcoin in 2022 had a value on the order of US$215,830, or just under a quarter of a million U.S. dollars.
Takedown and recovery of files
On 2 June 2014, the United States Department of Justice officially announced that over the previous weekend, Operation Tovar, a consortium of law enforcement agencies (including the FBI and Interpol), security software vendors, and several universities, had disrupted the Gameover ZeuS botnet which had been used to distribute CryptoLocker and other malware. The Department of Justice also publicly issued an indictment against the Russian hacker Evgeniy Bogachev for his alleged involvement in the botnet.
As part of the operation, the Dutch security firm Fox-IT was able to procure the database of private keys used by CryptoLocker; in August 2014, Fox-IT and fellow firm FireEye introduced an online service which allows infected users to retrieve their private key by uploading a sample file, and then receive a decryption tool.
Mitigation
While security software is designed to detect such threats, it might not detect CryptoLocker at all, or only after encryption is underway or complete, particularly if a new version unknown to the protective software is distributed. Because encryption takes some time to complete, removing the malware (a relatively simple process) as soon as an attack is suspected or detected, before it has finished encrypting, limits the damage to data.
Experts suggested precautionary measures, such as using software or other security policies to block the CryptoLocker payload from launching.
Due to the nature of CryptoLocker's operation, some experts reluctantly suggested that paying the ransom was the only way to recover files from CryptoLocker in the absence of current backups (offline backups made before the infection, which are inaccessible from infected computers, cannot be attacked by CryptoLocker).
Due to the length of the key employed by CryptoLocker, experts considered it practically impossible to use a brute-force attack to obtain the key needed to decrypt files without paying the ransom; the similar 2008 trojan Gpcode.AK used a 1024-bit key that was believed to be large enough to be computationally infeasible to break without a concerted distributed effort, or the discovery of a flaw that could be used to break the encryption.
Sophos security analyst Paul Ducklin speculated that CryptoLocker's online decryption service involved a dictionary attack against its own encryption using its database of keys, explaining the requirement to wait up to 24 hours to receive a result.
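The match-by-sample lookup described above, as an added illustration that is not from the article: a recovery tool holding a database of private keys (the operators' service, and later the Fox-IT and FireEye service, both worked from an uploaded sample) trial-decrypts the sample's wrapped file key under each private key and accepts the one whose result turns the file body into plausible plaintext. Toy RSA with tiny primes and a hash-based XOR stream cipher stand in for the real 2048-bit RSA and file cipher; the sample layout (wrapped key header followed by the encrypted body), the PDF magic, and all key material are assumptions constructed for the example.

```python
import hashlib
from math import gcd

# Constructed toy parameters: primes far too small for real use. Each pair stands
# in for one victim's RSA key pair held in the operators' key database.
TOY_PRIMES = [(1000000007, 998244353), (1000000009, 999999937), (2147483647, 4294967291)]
WRAPPED_LEN = 8        # bytes used to store the RSA-wrapped file key (every n < 2**64 here)
FILE_KEY_LEN = 6       # toy per-file key; must be smaller than every modulus
FILE_MAGIC = b"%PDF"   # assumed: the sample is a PDF, so its plaintext starts with this


def toy_keypair(p, q):
    """Textbook RSA: returns ((n, e), (n, d)); e is the smallest odd value coprime to phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(x for x in range(3, phi, 2) if gcd(x, phi) == 1)
    return (n, e), (n, pow(e, -1, phi))


def keystream_xor(file_key, data):
    """Toy symmetric cipher: XOR data with SHA-256(file_key || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(file_key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def make_encrypted_sample(pub, file_key, plaintext):
    """Constructed fixture: RSA-wrapped file key header, then the XOR-encrypted body."""
    n, e = pub
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    return wrapped.to_bytes(WRAPPED_LEN, "big") + keystream_xor(file_key, plaintext)


def find_matching_key(sample, key_db):
    """Trial-decrypt the sample under every private key in key_db and return the
    index whose unwrapped file key turns the body into FILE_MAGIC, else None.
    Cost is linear in the database size, which is why such a lookup can be slow."""
    wrapped = int.from_bytes(sample[:WRAPPED_LEN], "big")
    body_head = sample[WRAPPED_LEN:WRAPPED_LEN + len(FILE_MAGIC)]
    for idx, (n, d) in enumerate(key_db):
        if wrapped >= n:            # an RSA ciphertext is always smaller than its modulus
            continue
        try:
            candidate = pow(wrapped, d, n).to_bytes(FILE_KEY_LEN, "big")
        except OverflowError:       # wrong key: unwrapped value is not a valid file key
            continue
        if keystream_xor(candidate, body_head) == FILE_MAGIC:
            return idx
    return None


def demo():
    """Victim's key is entry 1 of a three-entry database; returns the matched index."""
    pairs = [toy_keypair(p, q) for p, q in TOY_PRIMES]
    pubs = [pub for pub, _ in pairs]
    privs = [priv for _, priv in pairs]
    file_key = bytes.fromhex("3a9f1c77e2b0")                   # constructed per-file key
    sample = make_encrypted_sample(pubs[1], file_key, b"%PDF-1.4\n% constructed sample\n")
    return find_matching_key(sample, privs)


if __name__ == "__main__":
    print("matched key index:", demo())
```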
Money paid
In December 2013, ZDNet traced four bitcoin addresses posted by users who had been infected by CryptoLocker, in an attempt to gauge the operators' takings. The four addresses showed movement of 41,928 BTC between 15 October and 18 December, about US$27 million at that time. As of 2022, 41,928 BTC would be worth US$904,399,538.40, or nearly one billion U.S. dollars.
In a survey by researchers at the University of Kent, 41% of those who claimed to be victims said that they had decided to pay the ransom, a proportion much larger than expected; Symantec had estimated that 3% of victims had paid and Dell SecureWorks had estimated that 0.4% of victims had paid. Following the shutdown of the botnet that had been used to distribute CryptoLocker, it was calculated that about 1.3% of those infected had paid the ransom; many had been able to recover files which had been backed up, and others are believed to have lost huge amounts of data. Nonetheless, the operators were believed to have extorted a total of around $3 million.
Clones
The success of CryptoLocker spawned a number of unrelated and similarly named ransomware trojans working in essentially the same way, including some that refer to themselves as "CryptoLocker" but are, according to security researchers, unrelated to the original CryptoLocker.
In September 2014, further clones such as CryptoWall and TorrentLocker (whose payload identifies itself as "CryptoLocker", but is named for its use of a registry key named "Bit Torrent Application") began spreading in Australia; the ransomware uses infected e-mails, purportedly sent by government departments (e.g. Australia Post, to indicate a failed parcel delivery), to deliver its payload. To evade detection by automatic e-mail scanners that can follow links, this variant was designed to require users to visit a web page and enter a CAPTCHA code before the payload is actually downloaded. Symantec determined that these new variants, which it identified as "CryptoLocker.F", were not tied to the original.
See also
* Locky
* PGPCoder
* WannaCry
* Petya