Detecting and Mitigating a CryptoLocker Attack with EnCase

Alfred Chung

The most recent Verizon Data Breach Investigations Report (DBIR) revealed that crimeware is a serious problem for the construction, information, and utilities industries, representing over 30 percent of incidents. Among the most devilish in the ransomware trojan category is CryptoLocker.

How CryptoLocker Works

CryptoLocker arrives as a ZIP file attached to a seemingly innocent email. Once unzipped, the malware installs its payload in the user profile folder, adds a registry key so that it runs at startup, then starts phoning home to a command-and-control server. After the connection is made, the server generates a 2048-bit RSA key pair and sends the public key back to the computer; the malware then encrypts files across local hard drives and mapped network drives with that public key and logs each encrypted file to a registry key. At that point, the user gets a message that his or her files have been encrypted and a Bitcoin ransom is demanded.
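The two registry footprints described above (an autostart entry pointing into the user profile, and a key listing every encrypted file) are what an analyst would pull out of a registry export during triage. The following Python script is an added example, not code from the article or from EnCase: it parses a Windows .reg export, flags Run-key entries whose executable lives in a user profile, and groups the logged encrypted files by drive letter so the scope across local and mapped drives is visible. The HKCU Run key path is the real autostart location; the "Software\CryptoLocker\Files" key name, the user names, file paths and the dword values are assumptions constructed for the example.

```python
"""Triage helper for a CryptoLocker-style infection (added example).

Parses a .reg export and reports (1) autostart entries launched from a user
profile and (2) the files the malware recorded as encrypted, grouped by drive.
"""
import re
from collections import defaultdict

# Constructed sample export, not from a real system.  The Run key is the real
# HKCU autostart location; the CryptoLocker\Files key name and all paths are
# assumptions made for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\{3F2A9C1E}.exe\""

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:\\Users\\alice\\Documents\\budget.xlsx"=dword:00000001
"C:\\Users\\alice\\Pictures\\kids.jpg"=dword:00000001
"Z:\\Projects\\contract.docx"=dword:00000001
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FILES_KEY = r"HKEY_CURRENT_USER\Software\CryptoLocker\Files"  # assumed name

# A program started at logon from inside a user profile (rather than Program
# Files or the Windows directory) matches the persistence pattern described.
USER_PROFILE_MARKERS = ("\\users\\", "\\appdata\\", "%appdata%", "%userprofile%")

# .reg files escape backslashes as \\ and quotes as \" inside quoted strings.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(text):
    """Undo .reg string escaping: \\x -> x for any character x."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for every key in the export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue  # header line or text before the first key
        match = _VALUE_LINE.match(line)
        if not match:
            continue
        name, data = _unescape(match.group(1)), match.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])  # REG_SZ; other types stay raw
        keys[current][name] = data
    return keys


def image_path(command):
    """Executable path from an autostart command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_autostarts(keys):
    """Run-key entries whose executable sits inside a user profile."""
    hits = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        exe = image_path(cmd)
        if any(marker in exe.lower() for marker in USER_PROFILE_MARKERS):
            hits.append((name, exe))
    return hits


def encrypted_files_by_drive(keys):
    """Group the paths logged under the Files key by drive letter.

    Drive letters other than the system drive often correspond to mapped
    network shares, which tells the responder which servers also need
    restoration from backup.
    """
    by_drive = defaultdict(list)
    for path in keys.get(FILES_KEY, {}):
        by_drive[path[:2].upper()].append(path)
    return dict(by_drive)


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for name, exe in suspicious_autostarts(parsed):
        print(f"[persistence] Run value {name!r} launches {exe}")
    for drive, paths in sorted(encrypted_files_by_drive(parsed).items()):
        print(f"[encrypted] {drive} {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

On a real case the export would come from the suspect user's NTUSER.DAT hive (EnCase or `reg export` on a live host); the Run-key check is a triage hint rather than a verdict, since some legitimate software also autostarts from AppData, so each hit still needs the binary itself examined.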