CryptoLocker Ransomware Information Guide and FAQBy Lawrence Abrams on October 14, 2013 @ 03:09 PM | Last Updated: September 19, 2014 | Read 663,980 times.
Table of Contents
The purpose of this guide
There is a lot of incorrect and dangerous information floating around about CryptoLocker. As BleepingComputer.com was one of the first support sites to try helping users who are infected with this infection, I thought it would be better to post all the known information about this infection in one place. This FAQ will give you all the information you need to understand the infection and restore your files via the decrypter or other methods.
In many ways this guide feels like a support topic on how to pay the ransom, which sickens me. Unfortunately, this infection is devious and many people have no choice but to pay the ransom in order to get their files back. I apologize in advance if this is seen as helping the developers, when in fact my goal is to help the infected users with whatever they decide to do.
All of this information has been compiled from my own experimentation with this infection, from Fabian Wosar of Emsisoft who first analyzed this infection, and through all the consultants and visitors who contributed to our 207 page CryptoLocker support topic. Big thanks to everyone who contributed information about this infection. This guide will continue to be updated as new information or approaches are gathered. If you have anything that you think should be added, clarified, or revised please let us know in the support topic linked to above.
CryptoLocker is a ransomware program that was released around the beginning of September 2013 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.
When you first become infected with CryptoLocker, it will save itself as a random named filename to the root of the %AppData% or %LocalAppData% path. It will then create one of the following autostart entries in the registry to start CryptoLocker when you login:
The infection will also hijack your .EXE extensions so that when you launch an executable it will attempt to delete the Shadow Volume Copies that are on the affected computer. It does this because you can use shadow volume copies to restore your encrypted files. The command that is run when you click on an executable is:
The .EXE hijack in the Registry will look similar to the following. Please note that registry key names will be random.
Once the infection has successfully deleted your shadow volume copies, it will restore your exe extensions back to the Windows defaults.
The infection will then attempt to find a live Command & Control server by connecting to domains generated by a Domain Generation Algorithm. Some examples of domain names that the DGA will generate are lcxgidtthdjje.org, kdavymybmdrew.biz, dhlfdoukwrhjc.co.uk, and xodeaxjmnxvpv.ru. Once a live C&C server is discovered it will communicate with it and receive a public encryption key that will be used to encrypt your data files. It will then store this key along with other information in values under the registry key under HKEY_CURRENT_USER\Software\CryptoLocker_0388. Unfortunately, the private key that is used to decrypt the infected files is not saved on the computer but rather the Command & Control server.
CryptoLocker will then begin to scan all physical or mapped network drives on your computer for files with the following extensions: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c. When it finds files that match one of these types, it will encrypt the file using the public encryption key and add the full path to the file and the filename as a value under the HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files Registry key.
When it has finished encrypting your data files it will then show the CryptoLocker screen as shown above and demand a ransom of either $100 or $300 dollars in order to decrypt your files. This ransom must be paid using Bitcoin or MoneyPak vouchers. It also states that you must pay this ransom within 96 hours or the private encryption key will be destroyed on the developer's servers.
More technical details about this infection can be at this blog post by Emsisoft.
This section lists all known file paths and registry keys used by CryptoLocker. The file paths and registry keys that are currently being used by CryptoLocker will be highlighted in blue.
The File paths that are currently and historically being used by CryptoLocker are:
The Registry key that is used to automatically start CryptoLocker when you login to Windows are found below.
For the above registry values, the current version is 0388. Please note that the * in the RunOnce entry tells Windows to start CryptoLocker even in Windows Safe Mode.
CryptoLocker also creates a registry key to store its configuration information and the files that were encrypted. In the past the registry key that was used was HKEY_CURRENT_USER\Software\CryptoLocker. Newer version now include the version of the malware, which is currently 0388, in the key name.
The registry key that is currently being used to store the configuration information is HKEY_CURRENT_USER\Software\CryptoLocker_0388. Under this key are 3 registry values that are described below:
Under the HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files key will be a list of all the files that have been encrypted by CryptoLocker. This list is then processed by the decryption tool to decrypt your files if you paid the ransom. For each file that is encrypted, a new REG_DWORD value will be created that is named using the full pathname to the encrypted file. When naming the values, CryptoLocker will replace all occurrences of the forward slash character (\), with a question mark. An example of how an encrypted file's value entry would be named is C:?Users?Public?Pictures?Sample Pictures?Penguins.jpg. You can use the ListCrilock program to export a human readable list of these encrypted files from the registry into a text file.
Since the release of the CryptoLocker Decryption Service it is possible to decrypt files without this registry key being available. The new decrypter provided by this service will instead scan your files and attempt to decrypt them using the embedded private decryption key.
When you discover that a computer is infected with CryptoLocker, the first thing you should do is disconnect it from your wireless or wired network. This will prevent it from further encrypting any files. Some people have reported that once the network connection is disconnected, it will display the CryptoLocker screen.
It is not advised that you remove the infection from the %AppData% folder until you decide if you want to pay the ransom. If you do not need to pay the ransom, simply delete the Registry values and files and the program will not load anymore. You can then restore your data via other methods.
It is important to note that the CryptoLocker infection spawns two processes of itself. If you only terminate one process, the other process will automatically launch the second one again. Instead use a program like Process Explorer and right click on the first process and select Kill Tree. This will terminate both at the same time.
FireEye and Fox-IT have released a method of possibly retrieving your private decryption key and a decrypter to use to decrypt your files. These keys were made available through Operation Tovar and were not retrieved by cracking the encryption. To try and retrieve your key, please visit their site http://www.decryptcryptolocker.com/ and enter your email and upload a copy of one of your CryptoLocker encrypted files. The service will then try attempt to decrypt that file using all of the known encryption keys. If they are able to successfully decrypt your file, they will then email you the decryption key with instructions on how to use it.
In order to use the decryption you need to paste the entire decryption key they send you, quotes and all, after the --key argument of the Decryptolocker.exe program. An example of how you would decrypt all of the folders and files under a particular folder can be found in this post. As the instructions and how to use the tool are not particularly user-friendly, if you need any help, please see feel free to ask in the CryptoLocker Support Topic. It should also be noted that you can use a different script, that it appears the FireEye/Fox-IT one was based off of, as well. Instructions on using the alternative decrypter can be found here.
If your key is not available using the above methods, the only methods you have of restoring your files is from a backup or Shadow Volume Copies if you have System Restore enabled. Newer variants of CryptoLocker attempt to delete the Shadow Copies, but it is not always successful. More information about how to restore your files via Shadow Volume Copies can be found in this section below.
If you do not have System Restore enabled on your computer or reliable backups, then you will need to pay the ransom in order to get your files back.
Paying the ransom will start the decryption process of the CryptoLocker infection. When you pay the ransom you will be shown a screen stating that your payment is being verified. Reports from people who have paid this ransom state that this verification process can take 3-4 hours to complete. Once the payment has been verified, the infection will start decrypting your files. Once again, it has been reported that the decryption process can take quite a bit of time.
Be warned, that there have been some reports that the decryption process may give an error stating that it can't decrypt a particular file. At this point we have no information as how to resolve this. Visitors have reported that the infection will continue to decrypt the rest of the files even if it has a problem with certain files.
This infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails would contain a zip attachment that when opened would infect the computer. These zip files contain executables that are disguised as PDF files as they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show extensions by default, they look like normal PDF files and people open them.
When CryptoLocker was first released, it was being distributed by itself. Newer malware attachments appear to be Zbot infections that then install the CryptoLocker infection. You will know you are infected with Zbot as there will be a registry key in the form of:
Under these keys you will see Value names with data that appears to be garbage data (encrypted info). The droppers will also be found in the %Temp% folder and the main executable will be stored in a random folder under %AppData%. Last but not least, a startup will be created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to launch it.
An example Zbot/CryptoLocker email message is:
The current list of known CryptoLocker email subjects include:
CryptoLocker allows you to pay the ransom by sending 2 bitcoins to an address shown in the decryption program. Bitcoins are currently worth over $200 USD on some bitcoins exchanges. Earlier variants of CryptoLocker included static bitcoin addresses for everyone who was infected. These static addresses include:
Newer variants of CryptoLocker dynamically generate new bitcoin payment addresses for each instance of an infection. You can use the links above to see transactions into the wallet and out of the wallet.
CryptoLocker only encrypts data stored on network shares if the shared folders are mapped as a drive letter on the infected computer. Despite what some articles state, CryptoLocker does not encrypt data on a network through UNC shares. An example of a UNC share is \\computername\openshare.
It is strongly suggested that you secure all open shares by only allowing writable access to the necessary user groups or authenticated users. This is an important security principle that should be used at all times regardless of infections like CryptoLocker.
As many anti-virus programs would delete the CryptoLocker executables after the encryption started, you would be left with encrypted files and no way to decrypt them. Recent versions of CryptoLocker will now set your Windows wallpaper to a message that contains a link to a decryption tool that you can download in case this happens. There are numerous reports that this download will not double-encrypt your files and will allow you to decrypt encrypted files.
When the CryptoLocker is first shown, you will see a timer that states you need to pay the ransom within 96 hours. Some people have reported that you can increase the time by rolling back the clock in your BIOS. So to increase the timer by 10 hours, you would change your clock in your BIOS to 10 hours earlier. The virus author has stated that using this method will not help. They have said that the private key required for decryption will be deleted from the Command & Control server after the allotted time regardless of how much time it says is left on the infected computer.
Tests by users, though, have shown that the private keys are not deleted and you can pay the ransom even if your time has run out. The steps that people have reported to work are:
It is unknown if this method will still work now that the CryptoLocker Decryption Service was created.
People have asked how they can contact the author of this infection when their payment does not go through. There is no direct way to contact the developer of this computer infection. They are, though, monitoring the various threads about this infection, including our CryptoLocker support topic, and have responded to infected user's issues as well as to give other messages on the home page of their Command & Control servers. The address for this Command & Control server can be found on the desktop wallpaper on an infected computer. The url that they specify to download the decrypter, can also be used to view the messages from the author. Simply go to the home page rather than the executable. So if the wallpaper has an URL of http://kjasdklhjlas.info/1002.exe, to see the message you would go to http://kjasdklhjlas.info/. Please note that this url is not valid.
As of 11/01/13, the Command & Control server home page was changed to the CryptoLocker Decryption Service. This decryption service can also be accessed via TOR at the address f2d2v7soksbskekh.onion/. This service allows you to upload an encrypted file that performs a search for your public key. When your public is found if you had previously paid the ransom, it will give you a link to your private key and decrypter. If you had not paid the ransom already then you will be given the option to purchase the private key and a decrypter. The cost of the private key remains 2 bitcoins if you within the standard 72 hour time frame, but if that has expired the price jumps to 10 bitcoins. At 10 bitcoins the ransom payment is over $2,290 USD.
Once a payment is made it must have 10-15 bitcoin confirmations before your private key and a decrypter will be made available for download. Once these confirmations have occurred a download link will be displayed that will allow you to download a standalone decrypter. This decrypter will already have your private decryption key stored in the program and can be used to scan for and decrypt encrypted files.
More information about this decryption service can be found in this news article: CryptoLocker developers charge 10 bitcoins to use new Decryption Service.
Previous Command & Control home page messages:
If you had System Restore enabled on the computer, Windows creates shadow copy snapshots that contain copies of your files from that point of time when the system restore snapshot was created. These snapshots may allow us to restore a previous version of our files from before they had been encrypted. This method is not fool proof, though, as even though these files may not be encrypted they also may not be the latest version of the file. Please note that Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.
In this section we provide two methods that you can use to restore files and folders from the Shadow Volume Copy. The first method is to use native Windows features and the second method is to use a program called Shadow Explorer. It does not hurt to try both and see which methods work better for you.
Using native Windows Previous Versions:
To restore individual files you can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up as shown in the image below.
To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to. If you wish to restore the selected file and replace the existing one, click on the Restore button. If you wish to view the contents of the actual file, you can click on the Open button to see the contents of the file before you restore it.
This same method can be used to restore an entire folder. Simply right-click on the folder and select Properties and then the Previous Versions tabs. You will then be presented with a similar screen as above where you can either Copy the selected backup of the folder to a new location or Restore it over the existing folder.
You can also use a program called Shadow Explorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.
When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.
To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.
If you have DropBox mapped to a drive letter on an infected computer, CryptoLocker will attempt to encrypt the files on the drive. DropBox offers free versioning on all of its accounts that will allow you to restore encrypted files through their website. Unfortunately, the restoral process offered by DropBox only allows you to restore one file at a time rather than a whole folder. If you need instructions on restoring an entire folder in DropBox, please click here.
To restore a file, simply login to the DropBox web site and navigate to the folder that contains the encrypted files you wish to restore. Once you are in the folder, right-click on the encrypted file and select Previous Versions as shown in the image below.
When you click on Previous versions you will be presented with a screen that shows all versions of the encrypted file.
Select the version of the file you wish to restore and click on the Restore button to restore that file.
Unfortunately the process outlined above can be very time consuming if there are many folder to restore. In order to restore an entire folder of encrypted files, you can use the dropbox-restore python script located here. Please note that this script requires Python to be installed on the encrypted computer to execute the script. Instructions on how to use this script can be found in the README.md file for this project.
There are currently three method that you can use to generate a list of files that have been possible encrypted. Each of these methods is outlined below.
Method 1: ListCriLock
If you wish to generate a list of files that have been encrypted, you can download this tool that I have created:
When you run this tool it will generate a log file that contains a list of all encrypted files found under the HKCU\Software\CryptoLocker\Files or the HKCU\Software\CryptoLocker_0388\Files key. Once it has completed it will automatically open this log in Notepad.
Another method is to use the Windows PowerShell (thanks prsgroup):
For systems with PowerShell, you can dump the list of files in the CryptoLocker registry key using the following command:
Make sure to include the "-Encoding unicode" parameter to ensure that filenames with Unicode characters are preserved.
Method 3: Omnispear's CryptoLocker Scan Tool
You can use the CryptoLocker Scan Tool from Omnispear to search for and list encrypted files found on your computer. This program will look for certain file identifiers that are normally found in a file based on that file's extension. If the file identifier does not exist it would indicate that the file is either encrypted or corrupted.
On a large network, determining the computer that is infected with CryptoLocker can be difficult. Some infected users have reporter that encrypted files will have their ownership changed to the user that the CryptoLocker program is running under. You can then use this login name to determine the infected computer.
You can also examine your network switches and look for the ports that have lights that are continuously blinking or show very heavy traffic. You can then use this to further narrow down what computers may be infected.
You can use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths. For more information on how to configure Software Restriction Policies, please see these articles from MS:
The file paths that have been used by this infection and its droppers are:
In order to block the CryptoLocker and Zbot infections you want to create Path Rules so that they are not allowed to execute. To create these Software Restriction Policies, you can either use the CryptoPrevent tool or add the policies manually. Both methods are described below.
FoolishIT LLC was kind enough to create a free utility called CryptoPrevent that automatically adds the suggested Software Restriction Policy Path Rules listed below to your computer. This makes it very easy for anyone using Windows XP SP 2 and above to quickly add the Software Restriction Policies to your computer in order to prevent CryptoLocker and Zbot from being executed in the first place.
A new feature of CryptoPrevent is the option to whitelist any existing programs in %AppData% or %LocalAppData%. This is a useful feature as it will make sure the restrictions that are put in place do not affect legitimate applications that are already installed on your computer. To use this feature make sure you check the option labeled Whitelist EXEs already located in %appdata% / %localappdata% before you press the Block button.
You can download CryptoPrevent from the following page:
For more information on how to use the tool, please see this page:
Once you run the program, simply click on the Block button to add the Software Restriction Policies to your computer. If CryptoPrevent causes issues running legitimate applications, then please see this section on how to enable specific applications. You can also remove the Software Restriction Policies that were added by clicking on the Undo button.
To manually create Software Restriction Policies you need to do it within the Local Security Policy Editor or Group Policy Editor. If you are a home user you should create these policies using the Local Security Policy editor. If you are on a domain, then your domain administrator should use the Group Policy Editor. To open the Local Security Policy editor, click on the Start button and type Local Security Policy and select the search result that appears. You can open the Group Policy Editor by typing Group Policy instead. In this guide we will use the Local Security Policy Editor in our examples.
Once you open the Local Security Policy Editor, you will see a screen similar to the one below.
Once the above screen is open, expand Security Settings and then click on the Software Restriction Policies section. If you do not see the items in the right pane as shown above, you will need to add a new policy. To do this click on the Action button and select New Software Restriction Policies. This will then enable the policy and the right pane will appear as in the image above. You should then click on the Additional Rules category and then right-click in the right pane and select New Path Rule.... You should then add a Path Rule for each of the items listed below.
If the Software Restriction Policies cause issues when trying to run legitimate applications, you should see this section on how to enable specific applications.
Below are a few Path Rules that are suggested you use to not only block the infections from running, but also to block attachments from being executed when opened in an e-mail client.
You can see an event log entry and alert showing an executable being blocked:
If you need help configuring this, feel free to ask in the CryptoLocker help topic.
If you use Software Restriction Policies, or CryptoPrevent, to block CryptoLocker you may find that some legitimate applications no longer run. This is because some companies mistakenly install their applications under a user's profile rather than in the Program Files folder where they belong. Due to this, the Software Restriction Policies will prevent those applications from running.
Thankfully, when Microsoft designed Software Restriction Policies they made it so a Path Rule that specifies a program is allowed to run overrides any path rules that may block it. Therefore, if a Software Restriction Policy is blocking a legitimate program, you will need to use the manual steps given above to add a Path Rule that allows the program to run. To do this you will need to create a Path Rule for a particular program's executable and set the Security Level to Unrestricted instead of Disallowed as shown in the image below.
Once you add these Unrestricted Path Rules, the specified applications will be allowed to run again.
ESET wrote a blog post about a new infection called CryptoLocker 2.0. Though this infection appears to be a new version of the CryptoLocker there are key differences that hint that this is just a copycat trying to benefit from the fame of the original infection.
The main differences between the two are:
When installed, the dropper will install the main executable as:
It will then create the following registry keys to autostart the program in normal mode and safe mode.
The infection encrypts files with the following extensions;
Over all, the developer of this malware drastically changed the approach of the original CryptoLocker. Instead of focusing on encrypting files and getting paid for the decryption key, this infection tries to throw the kitchen sink at you in order to maximize revenue.