Crypto-Wall and Crypto-Locker Hard to Defeat part 1 of 2

The different variants of crypto-ransomware have become an area of significant concern for information technology professionals.  There has been a decline in their confidence in endpoint protection solutions such as typical Internet security software products.  This decline, from 96% to 59%, shows how serious the crypto-ransomware threat has become for most network administrators.

The variants of this exploit are known as CryptoLocker, CryptoWall, CryptoDefense, Cryptorbit, HowDecrypt, and similar names.  They all work the same way.  Usually the exploit starts with a phishing email containing a ZIP file attachment.  Often these emails masquerade as FedEx, UPS, or other shipping advice emails.  Opening the ZIP file installs an executable Trojan horse program.  These emails might also contain a link that sends the unwary to a fake look-alike web site, and once at the web site the Trojan horse program is surreptitiously downloaded and installed.

Once installed, many things start to happen to the infected system.  The malware starts to encrypt certain file types using RSA 2048-bit public-key encryption software.  The encryption software creates a “public key” which is stored on the victim computer in the Registry.  The computer will contact the attacker’s command and control server (CNC), where the “private key” is generated and stored.  The encryption software, which can take as long as several hours to complete its task, is busily encrypting most of the files in your Documents, Music, Pictures, Favorites, Desktop, and Videos folders, as well as any files on attached external drives, USB flash drives, or network storage devices and mapped drives that may be located on a server.

This can also affect cloud-based drives such as DropBox, Google Docs, and OneDrive (SkyDrive) files.  According to communication I had with online backup provider Carbonite, once the encryption begins, Carbonite’s software will begin to replace the unencrypted original files with encrypted replacements, rendering your carefully kept backup files unusable as well.

Once encryption is complete, new icons appear on your desktop named DECRYPT_INSTRUCTION.txt, DECRYPT_INSTRUCTION.url, DECRYPT_INSTRUCTION.html, and a shortcut to DECRYPT_INSTRUCTION.html.  These are instructions on how to receive the private key from the CNC server.  This usually involves paying a “service fee” of anywhere from $200 to $1000.  Payment is to be made in Bitcoin.  The infected system owner has 72 hours in which to comply.  Failure to respond on time increases the fee that needs to be paid.
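As an added triage example (not part of the original post, and not the author's code), the following Python script walks a folder tree such as Documents or a mapped drive, looks for the DECRYPT_INSTRUCTION ransom-note filenames named above, and counts how many other files were modified within a recent window, which helps an administrator scope how far the hours-long encryption run reached.  The six-hour window and the 50-file burst threshold are assumptions chosen for illustration, and the sample folder it builds is constructed data, not a real infection.

```python
import os
import tempfile
import time
from typing import Dict, List, Optional

# Ransom-note names the post describes appearing once encryption finishes.
RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTION.txt", "DECRYPT_INSTRUCTION.url",
                     "DECRYPT_INSTRUCTION.html"}


def triage_tree(root: str, window_hours: float = 6.0,
                now: Optional[float] = None) -> Dict[str, object]:
    """Walk one folder tree (Documents, a mapped drive, ...) and report
    notes: ransom-note paths found by exact filename, and
    recent: how many other files changed within the last window_hours."""
    cutoff = (time.time() if now is None else now) - window_hours * 3600
    notes: List[str] = []
    recent = 0
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name in RANSOM_NOTE_NAMES:
                notes.append(full)
                continue
            try:
                if os.path.getmtime(full) >= cutoff:
                    recent += 1
            except OSError:
                pass  # unreadable or vanished file: skip, do not abort triage
    return {"notes": sorted(notes), "recent": recent}


def is_suspicious(report: Dict[str, object], burst_threshold: int = 50) -> bool:
    """A note is definitive; a burst of recent modifications is a weaker signal."""
    return bool(report["notes"]) or int(report["recent"]) >= burst_threshold


def build_sample_tree(infected: bool = True) -> str:
    """Constructed sample (not real data): a throwaway Documents folder with three
    fresh files, one two-day-old file and, if infected, two ransom notes."""
    docs = os.path.join(tempfile.mkdtemp(), "Documents")
    os.makedirs(docs)
    names = ["report.docx", "budget.xlsx", "holiday.jpg", "archive.txt"]
    if infected:
        names += ["DECRYPT_INSTRUCTION.txt", "DECRYPT_INSTRUCTION.html"]
    for name in names:
        open(os.path.join(docs, name), "w").close()
    os.utime(os.path.join(docs, "archive.txt"), (time.time() - 48 * 3600,) * 2)
    return os.path.dirname(docs)
```

Run `triage_tree()` against each of the folders the post lists and against every mapped drive; a hit on the note name identifies the share or folder the infected machine could write to.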

The good news is that paying the ransom has generally resulted in the delivery of the private key and subsequent successful restoration of the encrypted files.

In my next post, we will discuss what to do to protect yourself from this exploit.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
