Crypto malware intended for home users will target music, picture, and video files. This key is later used by the malware to present the list of encrypted files to the user and to speed up decryption.īased on the file types list, it is also clear that business users are specifically targeted. Last but not least the malware will log the encryption of the file within the HKEY_CURRENT_USERSoftwareCryptoLockerFiles registry key. Both the RSA encrypted AES key, as well as the AES encrypted file content together with some additional header information are then written back to the file. The AES key is then encrypted using the unique RSA public key obtained earlier. This key will then be used to encrypt the content of the file using the AES algorithm. *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem,įor each file matching one of these patterns, the malware will generate a new 256 bit AES key.
It does so by searching through all connected drives, including mapped network shares, for files matching one of the following patterns: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, The command and control server replies with the victim’s IP address, as well as a unique RSA public key, that will be used by the malware during the further encryption process.Īs soon as the infection specific RSA key has been obtained, the malware will look for files to encrypt. The malware has two possible ways to contact its master: First by contacting the hardcoded IP 184.164.136.134, which has since been taken down. Once the system is infected, CryptoLocker tries to establish a connection with its command and control server.