[148211] in cryptography@c2.net mail archive
Re: [Cryptography] Cryptolocker
daemon@ATHENA.MIT.EDU (Chris)
Thu Nov 21 22:48:20 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <490EB11F-71B5-437A-927D-0BFC1B5FDBC2@lrw.com>
From: Chris <chris.trott@plett.com.au>
Date: Fri, 22 Nov 2013 14:45:26 +1100
To: Jerry Leichter <leichter@lrw.com>
Cc: Greg Broiles <gbroiles@gmail.com>,
"cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
--===============8809595419001620115==
Content-Type: multipart/alternative;
boundary=Apple-Mail-C9E89E6A-904C-4558-B0AF-A8714589ED57
Content-Transfer-Encoding: 7bit
--Apple-Mail-C9E89E6A-904C-4558-B0AF-A8714589ED57
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: quoted-printable
> On 22 Nov 2013, at 2:16 pm, Jerry Leichter <leichter@lrw.com> wrote:
>=20
>> On Nov 21, 2013, at 9:08 PM, Greg Broiles wrote:
>> According to Steve Gibson at https://www.grc.com/sn/sn-427.txt, when Cryp=
toLocker contacts the central server(s), the servers generate a unique (per v=
ictim) 2048-bit RSA keypair; the public key is sent from the server to the i=
nfected machine. The infected machine generates a random 256 bit AES key, wh=
ich is then encrypted with the public key and sent to the server, and used l=
ocally to encrypt the ransomed files. The key stored in the infected machine=
's registry is the public half of the RSA key.
> This does mean that if you manage to catch the program while it's running,=
you can (in principle; the practice may be quite difficult) extract the AES=
key, which is all you need - the RSA keypair is purely secondary. =20
>=20
>=20
Perhaps a large enough crib file could be placed on the drive prior to encry=
ption? This way you may be able to recover the key?
Cheers,
Chris=
--Apple-Mail-C9E89E6A-904C-4558-B0AF-A8714589ED57
Content-Type: text/html;
charset=utf-8
Content-Transfer-Encoding: 7bit
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><br></div><div><br>On 22 Nov 2013, at 2:16 pm, Jerry Leichter <<a href="mailto:leichter@lrw.com">leichter@lrw.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div>On Nov 21, 2013, at 9:08 PM, Greg Broiles wrote:</div><blockquote type="cite"><div dir="ltr">According to Steve Gibson at <a href="https://www.grc.com/sn/sn-427.txt">https://www.grc.com/sn/sn-427.txt</a>, when CryptoLocker contacts the central server(s), the servers generate a unique (per victim) 2048-bit RSA keypair; the public key is sent from the server to the infected machine. The infected machine generates a random 256 bit AES key, which is then encrypted with the public key and sent to the server, and used locally to encrypt the ransomed files. The key stored in the infected machine's registry is the public half of the RSA key. <br>
</div></blockquote></div>This does mean that if you manage to catch the program while it's running, you can (in principle; the practice may be quite difficult) extract the AES key, which is all you need - the RSA keypair is purely secondary. <div><br></div><div><br></div></blockquote><div><br></div><div>Perhaps a large enough crib file could be placed on the drive prior to encryption? This way you may be able to recover the key?</div><div><br></div><div>Cheers,</div><div><br></div><div>Chris</div></body></html>
--Apple-Mail-C9E89E6A-904C-4558-B0AF-A8714589ED57--
--===============8809595419001620115==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
--===============8809595419001620115==--
