Variants: CTB-Locker, TorrentLocker, CryptoDefense, CryptoWall, ACCDFISA, GpCode, Reveton, BitCryptor
Variants of the malware family Win32/Trojan.Cryptolocker have been observed spreading widely. Cryptolocker is distributed through malicious
hyperlinks in spam e-mail and on social media, malicious e-mail attachments (typically fake FedEx and UPS tracking notices), drive-by downloads,
or as a file dropped by other malware already present on the system. Cryptolocker encrypts files on local drives, mapped network drives, USB drives,
external hard drives, network file shares and even some synchronised cloud storage folders using 2048-bit RSA public-key cryptography. Only the
public key is delivered to the infected machine; the matching private key exists solely on the attackers' command-and-control servers, so the files
cannot be recovered without it. (In practice each file is encrypted with its own symmetric AES key, which is in turn encrypted with the RSA public
key; the effect for the victim is the same.) The ransomware performs the following functions:
- Contacts one of several designated command-and-control servers.
- The server generates a 2048-bit RSA key pair and returns only the public key to the infected computer.
- Encrypts files on local drives, mapped network drives, USB drives, external hard drives, network file shares and some cloud storage folders,
targeting Microsoft Office, OpenDocument and other documents, pictures, AutoCAD drawings and similar user data.
- Interferes with normal use of the infected system and displays a message informing the user that the files have been encrypted.
- Demands payment for the decryption key: 300 USD or EUR via an anonymous pre-paid cash voucher (MoneyPak or Ukash), or 2 Bitcoin.
The payment deadline is 72 or 100 hours depending on the variant; once it expires the private key is said to be destroyed on the server. Paying the
ransom allows the victim to download a decryption program that is pre-loaded with the victim's private key.
The new CTB-Locker variants arrive in e-mails pretending to be from Google Chrome or Facebook. The Google Chrome e-mail poses as a notification to update the Chrome browser; the Facebook e-mail poses as an account suspension notice. Both instruct the recipient to follow an embedded link, which eventually downloads the ransomware disguised with a PDF or Chrome icon.

Aliases: Trojan-Ransom.Win32.Blocker.cggx (Kaspersky), Trojan:Win32/Crilock.A (Microsoft), Trojan.Gpcoder.G (Symantec),
TROJ_CRILOCK.AA (Trend Micro), Win32/Filecoder.BQ (ESET), Trojan.Ransomcrypt.F (Symantec), TROJ_CRILOCK.NS (Trend Micro)
Installation:
Once executed, it installs itself to the following location: %AppData%\{CLSID}.exe (a GUID-named executable placed directly in the user's
roaming application data folder).
After installation, Cryptolocker encrypts the targeted files and displays a ransom message to the user, then opens a payment page. (The
screenshots of the message and of the payment page are not reproduced in this copy of the advisory.)
Once installation is complete, the trojan deletes the original executable file.
Registry Changes:

Network Connections:
To obtain the encryption key, the trojan connects to one of many command-and-control domains produced by its domain-generation algorithm
under top-level domains including .biz, .co.uk, .com, .info, .net, .org and .ru.
Note: The number of Trojan Cryptolocker infections reported in India is very low.
Variants of the Cryptolocker malware named CTB-Locker (Curve-Tor-Bitcoin Locker), also known as Critroni, are also reported to be spreading.
In addition to Cryptolocker's functionality, Critroni preserves the operators' anonymity by reaching its command-and-control server over the Tor
network. The malware propagates via spam messages carrying the file encryptor as an attachment, via file-sharing applications and via bogus
Flash Player installers.
Once activated, it encrypts the user's files across the file system and displays a message demanding Bitcoin (an anonymous crypto-currency) be
transferred to the attackers' wallet, via a link to a ".onion" address that can be browsed only through the Tor service. The page shown after
encryption is given below (screenshot not reproduced in this copy of the advisory):

CTB-Locker File System changes:
The malware makes the following file system changes:
%Temp%\.exe
%MyDocuments%\AllFilesAreLocked .bmp
%MyDocuments%\DecryptAllFiles .txt
%MyDocuments%\.html
%WinDir%\Tasks\.job
To encrypt the victim's files, the malware uses Elliptic Curve Diffie-Hellman (ECDH) key agreement, the "Curve" in Curve-Tor-Bitcoin, rather than
the RSA scheme used by Cryptolocker. The attackers' public key is embedded in the malware; the shared secret derived from it protects the
per-victim key material, and only the attackers' private key can reproduce that secret. Because the key agreement happens locally, CTB-Locker can
finish encrypting before it ever contacts its command-and-control server, so blocking that traffic alone does not prevent the damage.
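As an added example, and not code from the original advisory, the PowerShell function below checks a host for the on-disk artifacts the advisory attributes to Cryptolocker (a GUID-named executable directly in %AppData%) and CTB-Locker (an executable in %Temp%, AllFilesAreLocked*.bmp and DecryptAllFiles*.txt in My Documents, and a .job file in %WinDir%\Tasks). It is read-only. The random parts of the file names omitted above are not assumed; only the fixed name fragments and locations are used. Executables in %Temp% and .job files also occur legitimately, so those findings are marked for manual review rather than as confirmed infections.

```powershell
# Added example, not code from the advisory. Read-only host triage for the
# Cryptolocker / CTB-Locker artifacts described above. Requires PowerShell 3.0+.
function Find-LockerArtifacts {
    param(
        [string]$AppData   = $env:APPDATA,
        [string]$Temp      = $env:TEMP,
        [string]$Documents = [Environment]::GetFolderPath('MyDocuments'),
        [string]$Tasks     = (Join-Path $env:WINDIR 'Tasks')
    )

    # A List is used so the nested helper can append without copying the array.
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($family, $indicator, $path, $confidence) {
        $findings.Add([pscustomobject]@{
            Family     = $family
            Indicator  = $indicator
            Path       = $path
            Confidence = $confidence
        })
    }

    # Cryptolocker: %AppData%\{CLSID}.exe, i.e. a GUID-named .exe directly in roaming AppData.
    $guidExe = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$'
    Get-ChildItem -LiteralPath $AppData -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $guidExe } |
        ForEach-Object { Add-Finding 'Cryptolocker' 'GUID-named executable in %AppData%' $_.FullName 'High' }

    # CTB-Locker: dropped executable in %Temp%. Legitimate installers unpack here too.
    Get-ChildItem -LiteralPath $Temp -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'CTB-Locker' 'Executable in %Temp%' $_.FullName 'Review' }

    # CTB-Locker: ransom notes written to My Documents (random suffix before the extension).
    foreach ($pattern in 'AllFilesAreLocked*.bmp', 'DecryptAllFiles*.txt') {
        Get-ChildItem -LiteralPath $Documents -Filter $pattern -File -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'CTB-Locker' 'Ransom note' $_.FullName 'High' }
    }

    # CTB-Locker persistence: a scheduled task .job file in %WinDir%\Tasks.
    # Older legitimate software also registers .job tasks, so review before acting.
    Get-ChildItem -LiteralPath $Tasks -Filter '*.job' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'CTB-Locker' 'Scheduled task .job file' $_.FullName 'Review' }

    return $findings
}

# Run against the current user's profile and print the results.
Find-LockerArtifacts | Format-Table -AutoSize
```

Run it as the affected user on the suspect machine (the parameters allow pointing it at a mounted image of another profile instead). A "High" finding for the ransom notes or a GUID-named executable in %AppData% warrants isolating the host from the network immediately, as the countermeasures below describe.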
Counter Measures:
- Scan the computer for infection with one of the removal tools listed below.
- Apply a Software Restriction Policy (Local Security Policy > Software Restriction Policies > Additional Rules, or the equivalent Group Policy
setting) that disallows executables in the user-writable folders this malware installs to. Path rules by operating system:
Windows XP Paths : %UserProfile%\Local Settings\*.exe and %UserProfile%\Application Data\*.exe
Windows Vista/7/8 Paths : %LocalAppData%\*.exe and %AppData%\*.exe
Security Level: Disallowed
Description: Do not allow executables to run from the user's application data folders.
Cryptolocker installs to the roaming profile (%AppData%\{CLSID}.exe) while CTB-Locker drops its executable in %Temp% (which lives under
%LocalAppData% on Vista and later and under Local Settings on XP), so both rules are needed. A *.exe path rule matches only the named folder, not
its subfolders, and it also blocks legitimate programs that run or update from these locations; add Unrestricted rules for known-good executables
as exceptions.
- Conduct routine backups of important files, keeping the backups stored offline.
- Disconnect the infected system from wireless or wired networks to prevent the malware from further encrypting files stored over network shares
- Exercise caution while visiting links within emails received from untrusted users or unexpectedly received from trusted users.
- Do not download and open attachments in emails received from untrusted users or unexpectedly received from trusted users
- Exercise caution while visiting links to web pages.
- Protect yourself against social engineering attacks.
- Do not visit untrusted websites.
- Enable firewall at desktop and gateway level and disable ports that are not required.
- Avoid downloading pirated software.
- Keep the operating system and application software up to date with patches and fixes.
- Keep up-to-date antivirus and antispyware signatures at desktop and gateway level.
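The following PowerShell script, added here as an example and not taken from the advisory, creates the software restriction path rules described in the counter measures above by writing them directly to the machine-wide SRP registry location, which also works on Windows editions that lack secpol.msc. It assumes Windows Vista or later (so that %LocalAppData% exists) and an elevated session; the rule descriptions, the GUID rule names and the example whitelist path are the script's own. Because a *.exe path rule matches only the named folder, a second rule per folder covers executables one subfolder down. SRP is deprecated on current Windows releases, where AppLocker or Windows Defender Application Control provide the equivalent control, so treat this as the legacy method the advisory describes.

```powershell
# Added example, not code from the advisory. Creates Software Restriction Policy
# path rules that disallow *.exe in %AppData%, %LocalAppData% (which contains %Temp%
# on Vista and later) and their immediate subfolders. Run from an elevated prompt.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Policy-wide settings: default level Unrestricted (0x40000), check all software
# files except DLLs (TransparentEnabled = 1), apply to all users (PolicyScope = 0),
# no Authenticode checking. These match what secpol.msc writes when SRP is enabled.
New-Item -Path $base -Force | Out-Null
New-ItemProperty -Path $base -Name DefaultLevel        -Value 0x40000 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $base -Name TransparentEnabled  -Value 1       -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $base -Name PolicyScope         -Value 0       -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $base -Name AuthenticodeEnabled -Value 0       -PropertyType DWord -Force | Out-Null
# Designated file types SRP treats as executable (the standard default list).
New-ItemProperty -Path $base -Name ExecutableTypes -PropertyType MultiString -Force -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
    'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
) | Out-Null

# Security level 0 = Disallowed. Each path rule is a GUID-named subkey under <level>\Paths
# whose ItemData value holds the pattern (REG_EXPAND_SZ so %variables% expand per user).
$disallowed = @(
    @{ Path = '%AppData%\*.exe';        Note = 'Cryptolocker installs to %AppData%\{CLSID}.exe' },
    @{ Path = '%AppData%\*\*.exe';      Note = 'Executables one level below %AppData%' },
    @{ Path = '%LocalAppData%\*.exe';   Note = 'Executables in %LocalAppData%' },
    @{ Path = '%LocalAppData%\*\*.exe'; Note = 'Covers %Temp% (%LocalAppData%\Temp), where CTB-Locker drops its executable' }
)

foreach ($rule in $disallowed) {
    $key = Join-Path $base ("0\Paths\{$([guid]::NewGuid())}")
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData    -Value $rule.Path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags  -Value 0          -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -Value $rule.Note -PropertyType String       -Force | Out-Null
}

# Exceptions: level 0x40000 (262144) = Unrestricted. Add the full path of any known-good
# program that must run from these folders (a self-updating application, for example).
$allowed = @()   # hypothetical entry: '%LocalAppData%\Vendor\Updater.exe'
foreach ($path in $allowed) {
    $key = Join-Path $base ("262144\Paths\{$([guid]::NewGuid())}")
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData   -Value $path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags -Value 0     -PropertyType DWord        -Force | Out-Null
}

# Reload policy so the rules take effect without a reboot.
gpupdate /force
```

After running it, confirm the rules in secpol.msc under Software Restriction Policies > Additional Rules, then test by copying a harmless executable into %AppData% and launching it: Windows should refuse with "This program is blocked by group policy". Path rules stop the dropped executable from starting but do nothing for malware already running, so the offline backups listed above remain the recovery control.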
Removal tools:
http://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx
http://security.symantec.com/nbrt/npe.asp?lcid=1033
http://windows.microsoft.com/en-US/windows/products/security-essentials
http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
http://blog.kaspersky.com/10new-kis2015/
http://www.kaspersky.com/free-trials/multi-device-security?redef=1&reseller=blog_en-global