Cryptolocker typically relies on social engineering to infiltrate your environment. Spoofed emails are its best-known attack vector, although some variants and copycats have been known to spread via drive-by download advertising or peer-to-peer file sharing. The emails are sent from a spoofed address purporting to belong to a well-known company and carry an enticing subject line – “ADP Payroll Alert” or “USPS Missed Package Delivery” are two known examples.
The emails also include .zip attachments with similarly plausible names, like “ADP_Invoice_6556263.zip” and “Case_8377754.zip”. Inside the archive is a file disguised with a common document extension such as .docx or .xls; in reality it is an .exe which, once run, installs itself on the target computer and configures itself to run at startup. The malware then establishes communication with a command and control server. Cryptolocker relies on a domain generation algorithm and hops between new servers routinely to avoid detection. Once the server connection is established, the malware generates a pair of encryption keys – one public, one private – using 2048-bit RSA, combined with 256-bit AES encryption.
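The disguise described above (a document-looking name on what is really a Windows executable) is something a mail gateway or a triage script can check for before the attachment ever reaches a user. The following is an added example, not code from the original article or from any product: it inspects a .zip in memory and flags members whose filename carries an executable extension, whose name uses a document-then-executable double extension, or whose content starts with the PE "MZ" header despite a non-executable extension. The extension lists are assumptions to tune for your environment, and the sample archive is constructed here for illustration.

```python
import io
import zipfile

# Extensions that Windows will execute; an attachment "document" should never
# end in one of these. Assumed list for this example; extend to taste.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Document extensions the lure imitates (assumed list).
DOCUMENT_EXTENSIONS = {".docx", ".doc", ".xls", ".xlsx", ".pdf", ".ppt"}

# First two bytes of a Windows PE executable (the "MZ" DOS header).
PE_MAGIC = b"MZ"


def suspicious_members(zip_bytes: bytes) -> list:
    """Return one finding per archive member that looks like a disguised executable.

    Each finding is {"name": <member name>, "reasons": [<why it was flagged>, ...]}.
    Members that raise no reason are not reported.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Look at the basename only, split on dots to get outer and inner extensions.
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            inner_ext = "." + parts[-2] if len(parts) > 2 else ""

            reasons = []
            # 1. The real (outer) extension is executable.
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            # 2. Double extension such as Invoice.docx.exe, the classic disguise.
            if inner_ext in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"document extension {inner_ext} hidden before {ext}")
            # 3. Content is a PE file even though the name claims otherwise.
            with archive.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            if head == PE_MAGIC and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header (MZ) but non-executable extension")

            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the lure; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        # Double-extension executable: the case the article describes.
        archive.writestr("ADP_Invoice_6556263.docx.exe", PE_MAGIC + b"\x90\x00" * 8)
        # Name says PDF, content says PE.
        archive.writestr("Case_8377754.pdf", PE_MAGIC + b"\x00" * 16)
        # Benign member that must not be flagged.
        archive.writestr("readme.txt", b"legitimate text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_members(build_sample_zip()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

Checking the content header as well as the name matters because the filename is entirely under the sender's control; a member named `Case_8377754.pdf` whose bytes begin with `MZ` is flagged even though neither extension rule fires. In a gateway you would feed the raw attachment bytes to `suspicious_members` and quarantine on any non-empty result.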
The public key is sent back to the target computer and is used to encrypt the victim’s files; the malware scans for popular business file extensions like .docx, .ppt, .xls, .accdb, and many more. The private key remains on the Cryptolocker server and is the only means of decrypting those files.