


“CryptoLocker was a ransomware trojan which targeted computers running Microsoft Windows and was first observed by Dell SecureWorks in September 2013. CryptoLocker propagated via infected email attachments, and via an existing botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers. The malware then displays a message, which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatened to delete the private key if the deadline passes. If the deadline is not met, the malware offered to decrypt data via an online service provided by the malware’s operators, for a significantly higher price in Bitcoin” (Wikipedia)

Infection Process

The CryptoLocker infection process starts when the Microsoft Office Word document is opened. Microsoft allows users to embed macro scripting code inside documents and gives the option to execute it automatically when the document is opened.

“A macro is a series of commands and actions that help to automate some tasks – effectively a program but usually quite short and simple. However they are created, they need to be executed by some system which interprets the stored commands” (Wikipedia)

Analyzing the documents we received through a suspicious mail, we extracted the macro inside. The macro used by the attackers to infect the machine is a Visual Basic module that creates new files inside the TEMP folder and downloads the real malware from a C&C server through an HTTP GET request. To evade antivirus detection, the malware is served as a .PNG image that actually contains VB code.

Here is a sample taken from the original macro that shows how the malware communicates with its C&C server and how the code is obfuscated.


Many characters are masked (xx) on purpose. The macro we found inside is a VB macro with many functions that hook the malware and download the real .exe from another server.
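The "PNG that is really VB code" trick described above is easy to catch on the defender's side: a genuine PNG starts with a fixed 8-byte signature followed by an IHDR chunk, and a file of VB source does not. The following is an added example, not code from the original post; the file names, the two sample blobs and the VB keyword heuristic are constructed for the demonstration.

```python
import re

# Fixed 8-byte signature every valid PNG file begins with
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Lines that open with a VB keyword; case-insensitive, checked per line
VB_MARKERS = re.compile(
    rb"^\s*(Private Sub|Public Sub|Sub|Function|Dim|End Sub|End Function)\b",
    re.IGNORECASE | re.MULTILINE,
)


def is_real_png(data: bytes) -> bool:
    """True only if the PNG signature is followed by an IHDR chunk header."""
    return data[:8] == PNG_SIGNATURE and data[12:16] == b"IHDR"


def looks_like_vb(data: bytes) -> bool:
    """Heuristic: at least two VB keyword lines in the first 4 KB of the file."""
    return len(VB_MARKERS.findall(data[:4096])) >= 2


def classify_download(filename: str, data: bytes) -> str:
    """Label a downloaded file that claims (by name) to be a PNG image."""
    if not filename.lower().endswith(".png"):
        return "not-png-name"
    if is_real_png(data):
        return "png"
    if looks_like_vb(data):
        return "script-disguised-as-png"
    return "png-name-but-unknown-content"


# Constructed sample inputs for the demonstration (not real malware)
REAL_PNG = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
FAKE_PNG = b"Sub AutoOpen()\r\n    Dim tmp As String\r\nEnd Sub\r\n"

if __name__ == "__main__":
    for name, blob in (("real.png", REAL_PNG), ("payload.png", FAKE_PNG)):
        print(name, "->", classify_download(name, blob))
```

The same signature check can be applied at a web proxy to any response whose declared type or URL says image/png, which is where an Office process fetching a non-PNG ".png" stands out.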

After the dropper executes the malware, the system's personal files are encrypted with a public PGP key, and the private key is stored on the C&C server with a time bomb.




