The first examples of malware that encrypts files and then demands money for decryption appeared a long time ago. Just remember Trojan.Xorist with its primitive XOR-based encryption algorithm, or Trojan.ArchiveLock, written in PureBasic, which used an ordinary copy of WinRAR for encryption and Sysinternals SDelete for deleting encrypted files, and demanded as much as five thousand dollars for decryption. However, it was CryptoLocker that established the unfortunate trend among malware authors of using modern cryptography as genuinely strong encryption algorithms. Today, we will investigate several encryption-based trojans which emerged after the notorious spread of CryptoLocker on the internet (or at the same time).
WARNING: If you want to follow our example and research a sample of an encryption-based locker, please be careful. Even if you use a virtual machine, it is possible to accidentally encrypt the files in the shared folders of the host system.
From the creators' point of view, encryption-based trojans are a real money-maker. Organizing the mailout of infected spam emails and a service for accepting payments from those who cherish their family photographs, which have suddenly become encrypted, is much simpler and cheaper than elaborately building and maintaining a botnet (which then has to be hosted somewhere) or collecting data from infected machines, considering that this data also needs to be monetized somehow.
This is why this type of cyber-ransom continues to flourish and bring lots of money to the organizers of this criminal business. For instance, according to Kaspersky Lab, 2014 saw more than seven million attacks using encryption-based trojans of different families.
Most of this malware gets onto potential victims' computers disguised as useful and highly necessary attachments in spam letters (if you remember, that's how CryptoLocker spread). However, the followers of CryptoLocker decided not to limit themselves to just this distribution channel, so they added another one: drive-by downloads (for example, the encryption-based trojans Alpha Crypt and CryptoWall are often spread using the well-known Angler EK or Nuclear EK exploit kits).
Critroni (CTB Locker)
This encryption-based locker appeared about a year ago. CTB is an abbreviation which stands for Curve-Tor-Bitcoin. What sets this locker apart from many others is that it uses an elliptic-curve-based algorithm for file encryption.
In the registry's autorun keys it uses quite a respectable-looking name. For instance, two samples that we investigated impersonated a Microsoft on-screen keyboard. The virus file is packed using Pencrypt 3.1 to hide its contents from prying eyes and to complicate analysis.
Critroni encrypts relatively few file types, mostly MS Office documents, text documents and database files: