Synopsis on Dissertation topic

Critical Analysis on Crypto Locker Attack

Critical Analysis on Crypto Locker Attack

Abstract
This document discusses about Ransomware Trojan along with its method of spread & its
preventive measures. It is a Malware where the victims files are encrypted & are forced to pay
the ransoms for getting the decryption keys for their documents. This document mainly focuses
on Crypto Locker Attack along with its inner-working, which was considered as first effective
Cryptographic Ransomware Trojan. In this document, I am going to review the code to
understand its working & try to provide a background why and how ransomware have become
such a major risk to not only personal computers, but mobile devices as well. This document will
further provide background on this class of malware and, more importantly, methods to prevent
its spread.
Keyword: - Crypto locker, Ransomware, Malware, Cryptography.

Synopsis on Dissertation topic

Critical Analysis on Crypto Locker Attack

1. Introduction:Cryptographic ransomware, though first envisioned by Moti Yung and Adam Young in 1996,
has only recently been fully realized and developed. Over the past few years, Ransomware
attacks have become much more complex, effective, and frequent. Factors such as anonymous
payment processing and new sophisticated encryption methods, have contributed to the rapid
growth of cryptographic ransomware this year.

History: Cryptographic ransomware for the most part was unseen in the wild until 2005. By 2006 there
were a large variety of worms and Trojans such as PGP Coder, Krotten, Cryzip, and Reveton,
that though were largely unsophisticated, were successfully implemented and distributed.
Though, these malwares were generally ineffective given broken symmetric encryption
methods and relatively easy retrieval of keys, they represent an important proof of concept for
this type of extortionary malware. As progress is made in network anonymity and encryption
algorithms, cryptographic ransomware has burgeoned into one of the most lucrative fields for
malware authors.
CryptoLocker a recent and widely publicized implementation of the concept was a
devastating malware which successfully extorted millions of dollars and likely caused the loss
of billions of files. CryptoLocker used advanced encryption methods and a state-of-the-art
botnet to infect and encrypt millions of users. Though CryptoLocker's author, Evgeniy
Bogachev, is now on the FBI's most wanted list, and CryptoLocker has been taken down, it
has spawned countless copycats and the security community is likely to see many more
derivatives over the next few years.

Applied Cryptography: CryptoLocker, in particular, uses both the AES-256 symmetric and the RSA-2048 asymmetric
key algorithms. Cryptolocker generates many 256-bit AES keys which are used to encrypt all
of the targeted files. Each of the victims files are first encrypted with a specific and unique
AES key. These keys are then further encrypted using a uniquely generated RSA-2048 public
key which is sent from the author's server. The malware then writes the RSA encrypted key to
the AES encrypted file. This pairs each of the files with its newly encrypted AES key for
decryption later. CryptoLocker's double encryption ensures that the private key is never

Synopsis on Dissertation topic

Critical Analysis on Crypto Locker Attack

transferred over the network and that victims have no feasible method of decryption without
the associated private key.

2. Methodology: The said Cryptolocker Ransomware is spreading using various ways by exploiting
vulnerabilities within victims systems. It might also infiltrate users operating systems via
infected email messages and fake downloads. The most famous exploit kit being used to
spread Cryptolocker is RIG exploit kit, which is known since April and May. This exploit kit
mostly uses malvertising as primary source of infecting the victim, sidelined with most
exploits related to Flash, Microsoft Silver lights and Java Platform, all of which are browser
related. The landing pages of this exploit kit have similar URI structure having constant
alphanumeric string, a vertical bar and then a variable followed by alphanumeric string.

3. Review of Literature: ThirdTier.net, Crypto Locker Warning: Dangerous New Virus.1

In this research paper, the author tried to create awareness along with the impact & the
loss which may be caused to the users due to this type of attack. Here the author has also
tried to explain the working of this Ransom ware along with precautionary methods to
overcome from such type of attacks.

NW3C Cyber Threat Advisory and Analysis Series,

Dealing with

Crypto Locker and Crypto Locker 2.0 Ransom ware Affecting Criminal
Justice Agencies 2.
In this Research paper, the Author defined different versions of Crypto Locker along
with their working & also discussed Preventive, Detective & Corrective methods to
overcome from them.

Open DNS, Solution Brief: Combating Ransom ware3

In this Research paper, the Author have defined the importance of Domain Generating
Algorithm in the working of Such type of Ransom Ware along with they have also
1 www.thirdtier.net/downloads/NewCryptolockerWarning.pdf- revised on- 18/12/2014
2http://www.nw3c.org/docs/research/cyber-threat-analysis-crypto-locker-ransomware-affecting-criminaljustice-agencies.pdf- revised on- 18/12/2014
3 http://info.opendns.com/rs/opendns/images/DS-OpenDNS-Combating-Ransomware.pdf- revised on18/12/2014

Synopsis on Dissertation topic

Critical Analysis on Crypto Locker Attack

defined how their Researchers have reverse engineered the DGA.As a result, by obtaining
the algorithm and have blacklisted every Crypto Locker domain name candidate through
2014 to proactively protect their customers.

McAfee Security, Protecting against Crypto locker & Crypto Wall4.

In this Research Paper, the Author have defined various Signatures & Extensions for
various Crypto Locker variants, symptoms, attack vectors and their prevention
techniques. In this paper they have also defined various Access Protection Rules that can
be setup in VSE to stop the installation and payload of this variant in your environment.

McAfee Labs , Nov. 12 2014, Threat Advisory: Ransom Crypto

locker5.
In this document, the Author has described Symptoms, Characteristics, list of Malware
encrypts, encryption techniques used by Crypto locker along with creating awareness
about this attack among different users.

Webroot, Crypto Locker:Your Money or Your Life6.

In this document, the Author observed that true security against ransom ware infections
requires a proactive, preventive protection method. By leveraging global threat data
delivered from the cloud, Webroot Internet security solutions stay ahead of malware and
safeguard your important data. Keep in mind, however, that remaining protected from
malware does not depend solely on adequate preventive security measures, but also
depends on responsible usage practices. In addition to Internet security software,
avoiding suspicious emails, attachments or links; making sure the OS and applications
are up to date; and backing up data regularly will ensure that your system or network are
protected from online threats like Crypto Locker.
4. Statement of Problem : 4https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/
PD25203/en_US/Cryptolocker_Update_RevD.pdf- revised on- 18/12/2014
5https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/
PD24786/en_US/McAfee_Labs_Threat_Advisory_Ransom_Cryptolocker.pdf- revised on- 18/12/2014
6 http://i.crn.com/custom/CryptoLocker_ThreatBrief_us_11-19F.pdf- revised on- 18/12/2014

Synopsis on Dissertation topic

Critical Analysis on Crypto Locker Attack

After analyzing the above review of literature, the problem I have identified which made me
to work on this topic is that Crypto Locker is one of a kind of Ransom ware Trojan Attack
recently identified, as it has been isolated in May 2014 but it just might be the beginning.
Since we have created a barrier for criminal minds for some time but there is a possibility that
this type of attack will return in future with overcoming the loopholes in its present version.
5. Objective of the Study : Just to create awareness among the peoples so that they can take precautionary methods to
mitigate the risk & get themselves prepared from such type of attacks in future.

6. Research Methodology : The researcher is going research based upon Literature review by different authors &
researchers on CryptoLocker along with it the researcher is going to do a full source code
review to give a brief understanding of how a Cryptolocker Trojan works & finally based on
source code review the researcher will try to provide some preventive & detective measures
using IDS/IPS & Firewalls.

7. References : A. www.thirdtier.net/downloads/NewCryptolockerWarning.pdf- revised on- 18/12/2014

B. http://www.nw3c.org/docs/research/cyber-threat-analysis-crypto-locker-ransomwareaffecting-criminal-justice-agencies.pdf- revised on- 18/12/2014
C. http://info.opendns.com/rs/opendns/images/DS-OpenDNS-Combating-Ransomware.pdfrevised on- 18/12/2014
D. https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATI
ON/25000/PD25203/en_US/Cryptolocker_Update_RevD.pdf- revised on- 18/12/2014
E. https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATI
ON/24000/PD24786/en_US/McAfee_Labs_Threat_Advisory_Ransom_Cryptolocker.pdfrevised on- 18/12/2014
F. http://i.crn.com/custom/CryptoLocker_ThreatBrief_us_11-19F.pdf- revised on- 18/12/2014