Identifying Computers infected with the CryptoLocker ransomware virus (Crilock.A).

CryptoLocker Ransomware Virus

CryptoLocker, also known as Trojan:Win32/Crilock.A, is ransomware that encrypts files on your local disk and on any mapped shared folder attached to your computer. It then displays a ransom message instructing you to pay in order to decrypt your files. Once a system is infected, you will see a countdown screen like this.


Screenshot: CryptoLocker ransom screen ("Your personal files are encrypted").


CryptoLocker Detection with Scope Actions

CryptoLocker creates very specific registry keys and values that can be detected with a Goverlan Scope Action.

Here are the registry keys to search for:

HKEY_CURRENT_USER\Software\CryptoLocker

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Value: CryptoLocker

Value: CryptoLocker_<random_number>


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Value: *CryptoLocker

Value: *CryptoLocker_<random_number>

Note: the “*” asterisk means that CryptoLocker can also be started in Safe Mode.

CryptoLocker stores a list of files that were encrypted in the following registry key:

HKEY_CURRENT_USER\Software\CryptoLocker\Files


Action Module for detection of CryptoLocker registry keys

Create a new scope action that queries for all of the registry keys and values listed.

Here are two really good examples of how to create Scope Actions.

http://blog.goverlan.com/2013/03/scope-actions-helping-you-wear-the-many-hats-of-it-systems-support/


Here is what the action module should look like.

Screenshot: the Scope Action module configured with the CryptoLocker registry keys and values.


Run the Scope Action to start the detection process.

When the Scope Action has finished, choose the Data Sheet Model report to see a list of systems that have the registry keys.

Screenshot: Goverlan Data Sheet Model report listing the systems that have the CryptoLocker registry keys and values.


Click on a system to see the registry values.

Screenshot: per-system report of the CryptoLocker registry keys and values found.


With this information you can identify the infected hosts and begin your remediation steps.
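If you do not have Goverlan at hand, the same indicators can be checked on a single host with the PowerShell script below. This is an added example and not part of the original post or of Goverlan's Scope Action; it reads every loaded user hive under HKEY_USERS (only profiles that are currently loaded appear there, and the function name Find-CryptoLockerIndicators is our own) and reports the key, the Run/RunOnce values and the number of entries under the Files key, which this post says holds the encrypted-file list (one value per file is assumed).

```powershell
# Added example: check the CryptoLocker registry indicators from this post for
# every loaded user hive. Run from an elevated PowerShell session.

# Expose HKEY_USERS as a drive so per-user hives are reachable whoever runs this.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Value names from the post: CryptoLocker and CryptoLocker_<random_number>,
# optionally prefixed with "*" (Safe Mode start) under RunOnce.
$valuePattern = '^\*?CryptoLocker(_\d+)?$'

function Find-CryptoLockerIndicators {
    $hits = @()
    # Only real user hives (S-1-5-21-...); skips _Classes and service SIDs.
    $hives = Get-ChildItem HKU:\ |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($hive in $hives) {
        $sid  = $hive.PSChildName
        $base = "HKU:\$sid\Software"

        # 1. HKCU\Software\CryptoLocker and its Files subkey
        if (Test-Path "$base\CryptoLocker") {
            $hits += [pscustomobject]@{ SID = $sid; Indicator = 'Key';
                                        Path = "$base\CryptoLocker"; Value = $null }
            $files = Get-Item "$base\CryptoLocker\Files" -ErrorAction SilentlyContinue
            if ($files) {
                # Assumption: one value per encrypted file, so ValueCount = file count
                $hits += [pscustomobject]@{ SID = $sid; Indicator = 'EncryptedFileCount';
                                            Path = "$base\CryptoLocker\Files"; Value = $files.ValueCount }
            }
        }

        # 2. Persistence values under Run and RunOnce
        foreach ($key in 'Run', 'RunOnce') {
            $path = "$base\Microsoft\Windows\CurrentVersion\$key"
            $item = Get-Item $path -ErrorAction SilentlyContinue
            if (-not $item) { continue }
            foreach ($name in $item.GetValueNames()) {
                if ($name -match $valuePattern) {
                    $hits += [pscustomobject]@{ SID = $sid; Indicator = "$key value"; Path = $path;
                                                Value = "$name = $($item.GetValue($name))" }
                }
            }
        }
    }
    return $hits
}

$result = Find-CryptoLockerIndicators
if ($result) { $result | Format-Table -AutoSize } else { 'No CryptoLocker registry indicators found.' }
```

Users who are not logged on have no hive loaded, so run it per host at logon or load the ntuser.dat hives explicitly if you need full coverage.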

Conclusion

For further information on the CryptoLocker ransomware, go to these sites:

http://en.wikipedia.org/wiki/CryptoLocker

http://www.bleepingcomputer.com/virus-removal/CryptoLocker-ransomware-information

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FCrilock.A&ThreatID=-2147284168

http://community.spiceworks.com/topic/381787-crypto-locker-making-the-rounds-beware
