The Children of CryptoLocker, Part 1. Critroni, CryptoWall, DirCrypt

The first examples of malware that encrypts files and then demands money for decryption appeared a long time ago. Recall Trojan.Xorist with its primitive XOR-based encryption algorithm, or Trojan.ArchiveLock, written in PureBasic, which used an ordinary WinRAR for encryption and Sysinternals SDelete to wipe the original files, and demanded as much as five thousand dollars for decryption. However, it was CryptoLocker that established the bad trend among malware authors of using modern, robust cryptographic algorithms for encryption. Today, we will investigate several encryption-based trojans that emerged after (or alongside) CryptoLocker's notorious spread across the internet.

WARNING

If you want to follow our example and research a sample of an encryption-based locker, please be careful. Even if you use a virtual machine, it is possible to accidentally encrypt files in folders shared with the host system.
A demand for at least five thousand dollars for decryption of Trojan.ArchiveLock

Some statistics

From the creators' point of view, encryption-based trojans are real cash. Organizing a mailout of infected spam emails and a service for accepting payments from people who cherish their suddenly encrypted family photographs is much simpler and cheaper than elaborately building and running a botnet (which then has to be hosted somewhere) or collecting data from infected machines, considering that such data also needs to be monetized somehow.

This is why this kind of cyber-ransom continues to flourish and bring plenty of money to the organizers of this criminal business. For instance, according to Kaspersky Lab, 2014 saw more than seven million attacks using encryption-based trojans of various families.

The number of attacks using encryption-based trojans in 2014 according to Kaspersky Lab

Distribution of attacks using encryption-based trojans in the first quarter of 2015 by country (information by TrendLabs)

Most of this stuff gets onto potential victims' computers disguised as useful and urgently needed attachments in spam emails (recall that this is how CryptoLocker spread). However, CryptoLocker's followers did not limit themselves to this distribution channel and added another one: drive-by downloads (for example, the encryption-based trojans Alpha Crypt and CryptoWall are often spread using the well-known Angler EK and Nuclear EK exploit kits).

Angler EK and Nuclear EK, suspected of distributing CryptoWall encryption-based trojan and TeslaCrypt at malware-traffic-analysis.net

Critroni (CTB Locker)

This encryption-based locker appeared about a year ago. CTB stands for Curve-Tor-Bitcoin. What distinguishes this locker from many others is that it uses an elliptic-curve-based algorithm for file encryption.

An ad selling Critroni (CTB-Locker) on one of the forums

In the registry's autorun keys it uses a fairly innocuous name. For instance, the two samples we investigated impersonated the Microsoft on-screen keyboard. The virus file is packed with Pencrypt 3.1 to hide its contents from prying eyes and to complicate analysis.

Critroni (CTB-Locker) in the registry's autorun keys

File encryption

Critroni encrypts only a limited set of file types, mostly MS Office documents, text documents and database files:
