[148203] in cryptography@c2.net mail archive


[Cryptography] Cryptolocker

daemon@ATHENA.MIT.EDU (Jerry Leichter)
Thu Nov 21 20:31:50 2013

X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
Date: Thu, 21 Nov 2013 20:12:22 -0500
To: Cryptography Mailing List <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

There's some malware making the rounds that applies a technique that's been talked about for years:  It (allegedly) generates a public/private key pair, sends the private key off to the mother ship, then starts encrypting all accessible files.  When it's done enough, it starts demanding money for the key to decrypt everything.  One article about it:

http://krebsonsecurity.com/2013/11/cryptolocker-crew-ratchets-up-the-ransom/

Nasty piece of work, apparently - it locates and encrypts accessible network-mounted disks, so it often encrypts people's backups.

Anyway ... I'll leave the virus analysis and hunting to others.  But there's also a crypto question here.  Has anyone seen an analysis of what this thing *really* does internally?  Obviously, it will *say* it's using all kinds of strong algorithms, but that doesn't mean it actually *is*.  (In particular, I'm curious about how they are doing the encryption.  Doing bulk encryption in RSA or even using elliptic curves is slow, though it might be fast enough for this purpose.  The obvious technique would be to generate a random AES key per file, encrypt *it* with the public key and store that away, then use AES for bulk encryption.  But I haven't seen any hints of a store of such keys anywhere; in fact, there are reports that the magic key is stored in one registry entry.)

Anyone following this story from the crypto side?
                                                        -- Jerry

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
