[Cryptography] Cryptolocker

Kelly John Rose iam at kjro.se
Thu Nov 21 22:27:31 EST 2013


On 11/21/2013 10:18 PM, Paul Wouters wrote:
> On Thu, 21 Nov 2013, Greg Broiles wrote:
> 
>> According to Steve Gibson at https://www.grc.com/sn/sn-427.txt, when
>> CryptoLocker contacts the central server(s), the servers generate a
>> unique (per victim) 2048-bit RSA keypair; the public key is sent from
>> the server to the infected machine. The infected machine generates
>> a random 256 bit AES key, which is then encrypted with the public key
>> and sent to the server, and used locally to encrypt the ransomed
>> files. The key stored in the infected machine's registry is the public
>> half of the RSA key.
> 
> I'm confused.
> 
> If the files are encrypted with a symmetric key, that key should still
> be on the server and can be used to decrypt everything? It would make
> more sense to encrypt it using the public key received, so nothing on
> the infected machine could decrypt the data?
> 
> Paul
> _______________________________________________

It makes sense, except for the fact that encrypting files with a RSA
Public key is far slower than encrypting them with a 256-bit AES key.
Since CryptoLocker's goal is to hit as many files as possible so it
catches something important, it makes sense for it to use the 256-bit
AES for a short period of time, as long as the AES key is deleted.

Almost sounds like it would be worth having some sort of software keep
their eyes open for CryptoLocker and grab the AES key, if possible,
proactively.


More information about the cryptography mailing list