This malware is similar in nature to the ransomware attacks seen over the last few years where a victim’s hard drive is held hostage in order to extort payment from the victim. The main difference between earlier forms of ransomware and CryptoLocker is the use of strong, unbreakable encryption and anonymous payment systems.
CryptoLocker scans an infected system for a wide range of common file types, such as documents, images, spreadsheets, videos and audio. Each file it locates is encrypted with a symmetric key that the malware generates randomly for that specific victim’s system. It uses AES with a 256-bit key, which is considered uncrackable by current technology.
The malware also triggers the generation of an asymmetric key pair for the victim on the master central server, and only the public key of that pair is sent to the victim’s system. This public key is then used to envelope (i.e., encrypt) the AES 256-bit symmetric key, and the enveloped key is sent back to the master central server for storage. The local copy of the symmetric key is then wiped from memory. The master central server retains the victim’s assigned private key. However, it retains the private key and enveloped data for only a limited time, typically 72 hours.
Once the encryption run is complete, a message is displayed on the victim’s system indicating that the files have been encrypted. If the victim wants the files restored, the victim will need to pay a $300 ransom via Bitcoin or another untraceable payment method, such as a GreenDot MoneyPak. If the victim fails to pay the ransom within the allotted time, the master central server deletes the keys, leaving the victim with no hope of file recovery.
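Because the encryption itself cannot be broken, the defender's leverage lies in spotting the behaviour described above while it is happening: many files of many different types being rewritten in quick succession with content that looks random. The following script is an added illustration of that detection heuristic, not code from the original article or from any product; the file-write events it analyses are constructed sample data, and the window size, file-count and entropy thresholds are assumptions chosen for the example rather than tuned values.

```python
import hashlib
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content. Uniformly random data approaches 8.0;
    ordinary text and office documents sit well below that."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext so the example runs the same offline.
    (Chained SHA-256 output is only a simulation of encrypted file content.)"""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:n])


def detect_bulk_encryption(events, window_s=5.0, min_files=5, min_exts=3,
                           entropy_threshold=7.5):
    """Flag time windows in which at least `min_files` distinct files spanning
    at least `min_exts` file types are rewritten with near-random content.

    `events` is an iterable of (timestamp_seconds, path, new_content) tuples.
    Returns a list of alert dicts, one per detected burst.
    """
    suspicious = sorted(
        (ts, path) for ts, path, data in events
        if shannon_entropy(data) >= entropy_threshold
    )
    alerts = []
    i = 0
    while i < len(suspicious):
        start = suspicious[i][0]
        paths, exts = set(), set()
        j = i
        while j < len(suspicious) and suspicious[j][0] - start <= window_s:
            paths.add(suspicious[j][1])
            exts.add(os.path.splitext(suspicious[j][1])[1].lower())
            j += 1
        if len(paths) >= min_files and len(exts) >= min_exts:
            alerts.append({"window_start": start,
                           "file_count": len(paths),
                           "extensions": sorted(exts)})
            i = j  # skip past this burst so it is reported once
        else:
            i += 1
    return alerts


# Constructed sample events (hypothetical paths and timestamps): one normal
# document save, then a burst of high-entropy rewrites across eight file types.
LOW_ENTROPY_DOC = b"Quarterly report: revenue up 4%, costs flat. " * 50
SAMPLE_EVENTS = [
    (0.0, "C:/Users/alice/Documents/report.docx", LOW_ENTROPY_DOC),
    (60.0, "C:/Users/alice/Documents/report.docx", pseudo_random_bytes(4096, 1)),
    (60.3, "C:/Users/alice/Pictures/holiday.jpg", pseudo_random_bytes(4096, 2)),
    (60.7, "C:/Users/alice/Documents/budget.xlsx", pseudo_random_bytes(4096, 3)),
    (61.0, "C:/Users/alice/Videos/clip.mp4", pseudo_random_bytes(4096, 4)),
    (61.4, "C:/Users/alice/Documents/contract.pdf", pseudo_random_bytes(4096, 5)),
    (61.8, "C:/Users/alice/Documents/slides.pptx", pseudo_random_bytes(4096, 6)),
    (62.1, "C:/Users/alice/Music/song.mp3", pseudo_random_bytes(4096, 7)),
    (62.5, "C:/Users/alice/Desktop/notes.txt", pseudo_random_bytes(4096, 8)),
]


if __name__ == "__main__":
    for alert in detect_bulk_encryption(SAMPLE_EVENTS):
        print(f"ALERT at t={alert['window_start']}s: {alert['file_count']} files "
              f"rewritten across {alert['extensions']}")
```

Entropy alone is a noisy signal, since already-compressed formats such as JPEG, MP4 and MP3 score high before any attack; what carries the detection here is the combination of rate, file count and diversity of file types within a short window, which matches the scan-everything behaviour the article describes. In production this logic would be fed by a file-system event source and paired with honeypot files and offline backups, since once the symmetric key has been enveloped and wiped, detection can only limit the damage, not reverse it.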
This is a very effective and well-executed form of malicious attack. Most CryptoLocker infections have been traced back to phishing emails or malicious attachments. Until antimalware scanners are able to block this evil software before it runs, we all need to be even more vigilant about opening email attachments, and even more suspicious of email messages.