[Cryptography] Cryptolocker

Greg Broiles gbroiles at gmail.com
Thu Nov 21 21:08:20 EST 2013


According to Steve Gibson at https://www.grc.com/sn/sn-427.txt, when
CryptoLocker contacts the central server(s), the servers generate a unique
(per victim) 2048-bit RSA keypair; the public key is sent from the server
to the infected machine. The infected machine generates a random 256 bit
AES key, which is then encrypted with the public key and sent to the
server, and used locally to encrypt the ransomed files. The key stored in
the infected machine's registry is the public half of the RSA key.


On Thu, Nov 21, 2013 at 5:12 PM, Jerry Leichter <leichter at lrw.com> wrote:

> There's some malware making the rounds that applies a technique that's
> been talked about for years:  It (allegedly) generates a public/private key
> pair, sends the private key off to the mother ship, then starts encrypting
> all accessible files.  When it's done enough, it starts demanding money for
> the key to decrypt everything.  One article about it:
>
>
> http://krebsonsecurity.com/2013/11/cryptolocker-crew-ratchets-up-the-ransom/
>
> Nasty piece of work, apparently - it locates and encrypts accessible
> network-mounted disks, so it often encrypts people's backups.
>
> Anyway ... I'll leave the virus analysis and hunting to others.  But
> there's also a crypto question here.  Has anyone seen an analysis of what
> this thing *really* does internally?  Obviously, it will *say* it's using
> all kinds of strong algorithms, but that doesn't mean it actually *is*.
> (In particular, I'm curious about how they are doing the encryption.
> Doing bulk encryption in RSA or even using elliptic curves is slow, though
> it might be fast enough for this purpose.  The obvious technique would be
> to generate a random AES key per file, encrypt *it* with the public key and
> store that away, then use AES for bulk encryption.  But I haven't seen any
> hints of a store of such keys anywhere; in fact, there are reports that the
> magic key is stored in one registry entry.)
>
> Anyone following this story from the crypto side?
>                                                         -- Jerry
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>



-- 
Greg Broiles, JD, LLM Tax
gbroiles at gmail.com (Lists only. Not for confidential communications.)
Legacy Planning Law Group
California Estate Planning Blog: http://www.estateplanblog.com
Certified Specialist- Estate Planning, Trust & Probate Law, California
Board of Legal Specialization
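The key flow Greg summarises above (server-side 2048-bit RSA keypair per victim, public half sent to the machine, random 256-bit AES key wrapped under that public key and sent back, AES used locally for bulk encryption) is modelled below as an added example in Go, written for this page; it is not code from either poster, from Steve Gibson's analysis, or from the malware itself. The page does not say which RSA padding, AES mode or key encoding are used, so RSA-OAEP with SHA-256, AES-256-GCM and PKCS#1 DER are assumptions made here. The point of the model is the analysis question in the quoted message: what can be recovered from the artifacts left on the infected machine. The registry blob is a public key only, and neither a foreign private key nor a guessed AES key gets the data back; only the holder of the per-victim private key can, which is why offline or immutable backups, not forensics on the registry, are the recovery path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Server holds the per-victim RSA private key; only the public half is ever sent out.
type Server struct{ priv *rsa.PrivateKey }

// NewServer generates the per-victim 2048-bit RSA keypair the post describes.
func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv}, nil
}

// PublicKeyDER is the blob that reaches the infected machine (and ends up in its registry).
// PKCS#1 DER encoding is an assumption of this model, not something the page states.
func (s *Server) PublicKeyDER() []byte {
	return x509.MarshalPKCS1PublicKey(&s.priv.PublicKey)
}

// UnwrapAESKey is the one step only the server can perform: RSA-OAEP decryption
// with the private key that never left it. OAEP/SHA-256 is assumed here.
func (s *Server) UnwrapAESKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, s.priv, wrapped, nil)
}

// VictimArtifacts is everything that remains on the infected machine afterwards.
type VictimArtifacts struct {
	PublicKeyDER []byte // stored in the registry
	WrappedKey   []byte // the AES key, encrypted to the server's public key
	Ciphertext   []byte // AES-GCM output: nonce || ciphertext || tag
}

// ClientEncrypt models the infected machine: generate a random 256-bit AES key,
// wrap it under the server's public key, encrypt the bulk data, discard the key.
func ClientEncrypt(pubDER, plaintext []byte) (*VictimArtifacts, error) {
	pub, err := x509.ParsePKCS1PublicKey(pubDER)
	if err != nil {
		return nil, err
	}
	aesKey := make([]byte, 32) // 256-bit AES key
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // AES-GCM is an assumption of this model
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nonce, nonce, plaintext, nil)
	for i := range aesKey { // the plaintext AES key is not kept on the machine
		aesKey[i] = 0
	}
	return &VictimArtifacts{PublicKeyDER: pubDER, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// AESGCMOpen decrypts the bulk ciphertext given the 256-bit AES key; a wrong key
// fails GCM authentication instead of yielding garbage.
func AESGCMOpen(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ct) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ct[:n], ct[n:], nil)
}

// PrivateKeyOnVictim reports whether the registry blob parses as an RSA private key.
// In this scheme it never does: the blob is the public half only.
func PrivateKeyOnVictim(blob []byte) bool {
	_, err := x509.ParsePKCS1PrivateKey(blob)
	return err == nil
}

// Recover is the decryption path that exists only with the server's private key.
func (s *Server) Recover(a *VictimArtifacts) ([]byte, error) {
	aesKey, err := s.UnwrapAESKey(a.WrappedKey)
	if err != nil {
		return nil, err
	}
	return AESGCMOpen(aesKey, a.Ciphertext)
}

func main() {
	srv, err := NewServer()
	if err != nil {
		panic(err)
	}
	// Constructed sample data standing in for a file's contents.
	art, err := ClientEncrypt(srv.PublicKeyDER(), []byte("constructed sample file contents"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("registry blob holds a private key: %v\n", PrivateKeyOnVictim(art.PublicKeyDER))
	fmt.Printf("wrapped AES key is %d bytes (RSA-2048 modulus size)\n", len(art.WrappedKey))
	pt, err := srv.Recover(art)
	fmt.Printf("recovery with the server's private key: %q err=%v\n", pt, err)
}
```

The test below pairs the model with the two negative cases a responder would want confirmed: a second, unrelated server keypair cannot unwrap this victim's AES key, and a guessed AES key fails GCM authentication rather than silently producing wrong plaintext.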