Removal seems to be easy
Step 1: Boot up the infected computer, press F8 at the very beginning, choose “Safe Mode with Networking” and press Enter to get in safe mode with networking.
Step 2: Press Ctrl+Alt+Del keys together and stop CryptoLocker processes in the Windows Task Manager.
Step 3: Open Control Panel from Start menu and search for Folder Options. When Folder Options window opens, click on its View tab, tick Show hidden files and folders and non-tick Hide protected operating system files (Recommended) and then press OK.
Step 4: Search for all infected files and registry entries and remove them from your computer as follows:
%Temp%\[RANDOM CHARACTERS].exe
C:\Documents and Settings\<Current User>
C:\Users\<Current User>\AppData\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\random
Other sources
%AppData%\random.exe
%LocalAppData%\random.dat
%LocalAppData%\random.exe
on the other hand fixing the damage seems near impossible
Connection with the C&C server is established through either a hardcoded IP (184.164.136.134, which is down now) or if that fails through a domain generation algorithm located at 0x40FDD0 and seeded by GetSystemTime. At this time I found that xeogrhxquuubt.com and qaaepodedahnslq.org are both active and point to 173.246.105.23.
• The communication channel uses POST to the /home/ directory of the C&C server. The data is encrypted using RSA. The public key can be found at offset 0x00010da0 inside the malware file.
• On first contact the malware will send in an information string containing the malware version, the system language, as well as an id and a group id. In return it receives a RSA public key. In my case this has been:
• -----BEGIN PUBLIC KEY-----
• MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkQBZgSk3NNo54cxwl3nS
• zZHMhFI4oU0ygX81IFsktcaCAIUrMSnUVQEcFvhcidh/5JuE+piQY5Z3iuDcKqiF
• 0yWZ7rck+xC1i/xaY5nNxJnh/clEqO8qRNg9DTe6qDlVO8PAHgr882dUHTzZgdAN
OWR8+5rWxck9LxtB8+DSE8cWy
• The key is saved inside the HKCU\Software\CryptoLocker. If you want to capture the key on your system, the easiest way to do so is to break on CryptStringtoBinaryA.
• The malware targets files using the following search masks:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7cThe
encryption used to encrypt files matching these masks is a mix of RSA and AES. Essentially the malware will generate a new AES 256 key for each file it is going to encrypt. The key is then used to encrypt the content of the file. The AES key itself is then encrypted using the public RSA key obtained from the server. The RSA encrypted blob is then stored together with the encrypted file content inside the encrypted file. As a result encrypted files are slightly larger than their originals. Last but not least the malware records the file it encrypted inside the HKCU\Software\CryptoLocker\Files key. Value names are the file paths where "\" has been replaced with "?". I haven't looked into the meaning of the DWORD value yet.
All systems I have looked at were infected through social engineering. Victims got emails with alleged customer complaints containing attachments that were infected with a malware downloader. The downloader then downloaded and installed the actual CryptoLocker malware. Based on the targeted file types list, it is also clear that the malware is specifically targeting business users. Crypto malware targeted towards home users, will target music, picture, and video files. This malware though primarily targets file formats used by companies, completely ignoring common home user file types.
To recover the AES keys used to encrypt the files, you will require the private half of the RSA key that was generated by the server. Without access to the server, decryption is impossible.
