4. CryptoLocker

CryptoLocker made its first appearance on 5 September 2013 and was seen until the end of May 2014. It is crypto ransomware, that is, file-encrypting ransomware. In 2014 CryptoLocker was known to target primarily Europe and Australia. CryptoLocker was sometimes called TorrentLocker.

CryptoLocker was distributed mainly through spam email attachments, usually as an executable inside a zip file attached to the email. The executable's icon usually looked like a PDF or document icon. This deceives the user, because Windows by default does not display file extensions, so the victim may end up double-clicking the executable. Gameover Zeus was another source of CryptoLocker. Gameover Zeus is known to communicate with its C&C server using peer-to-peer (P2P) techniques and then download CryptoLocker and other banking malware. Gameover Zeus was also known to be distributed through phishing emails and the Cutwail botnet.

After executing on the victim's machine, CryptoLocker created a run entry so that it starts itself on the next boot. After that, it communicated with its command and control server. CryptoLocker generates around 1,000 domains every day with its domain generation algorithm (DGA, explained in Chapter 1, Malware from Fun to Profit). The following are the steps CryptoLocker uses in its encryption process after it has successfully contacted the C&C:

  1. After successful communication with the C&C, the C&C generates a private and public key pair using the RSA-2048 algorithm (we name these RSA private key 1 and RSA public key 1). Note that in all cases the private key does not leave the C&C.
  2. The public key (RSA public key 1) is sent to CryptoLocker on the victim machine; it uses this key for further encrypted communication. So if the C&C is taken down or is offline, CryptoLocker proceeds further.
  3. The ransomware can use RSA public key 1 to encrypt data and send it to the C&C, which decrypts it using RSA private key 1, so anybody intercepting the communication cannot decrypt it. Now that the communication between the ransomware and the C&C happens in a secure manner, the ransomware sends information about the victim machine to the C&C and requests a key that it can use to encrypt the files on the victim machine.
  4. The C&C replies with an RSA public key (we name this RSA public key 2).
  5. CryptoLocker then looks for the file extensions it is supposed to encrypt. Here is a list of file extensions CryptoLocker looks for:

File extensions encrypted by CryptoLocker

  6. After finding files with these extensions, the ransomware generates an AES-256 key and encrypts the file. This AES key is then encrypted with RSA public key 2.
  7. The encrypted AES key and the encrypted file contents are written back to the original file.
  8. To decrypt the encrypted files, one needs the RSA private key corresponding to RSA public key 2, which is held at the C&C.
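The key hierarchy in these steps is a textbook hybrid-encryption scheme, and the reason the private key's location matters is clearest in code. The following Go program is an added example written for this section; it is not CryptoLocker's code or anything taken from a sample. It keeps everything in memory on constructed sample bytes, and it assumes RSA-OAEP with SHA-256 for wrapping the AES key and AES-256-GCM for the data (the text names only RSA-2048 and AES-256, so the padding and the mode are assumptions). The struct, function and field names are the example's own. It shows that the same encrypted record is recoverable with RSA private key 2 but not with any other RSA private key, and that GCM additionally rejects a tampered ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// CommandAndControl models the C&C side: both RSA-2048 private keys are generated here and never leave it (step 1).
type CommandAndControl struct {
	transportKey *rsa.PrivateKey // "RSA private key 1": for the encrypted channel of steps 2-3
	wrapKey      *rsa.PrivateKey // "RSA private key 2": unwraps the per-file AES keys (step 8)
}

func NewCommandAndControl() (*CommandAndControl, error) {
	var keys [2]*rsa.PrivateKey
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	return &CommandAndControl{transportKey: keys[0], wrapKey: keys[1]}, nil
}

// WrapPublicKey is "RSA public key 2", the reply to the client's key request (step 4).
func (c *CommandAndControl) WrapPublicKey() *rsa.PublicKey { return &c.wrapKey.PublicKey }

// EncryptedBlob is the per-file record of steps 6-7: the wrapped AES key travels with the ciphertext.
type EncryptedBlob struct {
	WrappedKey []byte // AES-256 key encrypted with RSA public key 2 (RSA-OAEP/SHA-256 is an assumption)
	Nonce      []byte // AES-GCM nonce (the mode is an assumption; the text says only AES-256)
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptWithFreshKey is client step 6: a fresh random AES-256 key per input, wrapped so only private key 2 can unwrap it.
func EncryptWithFreshKey(wrapPub *rsa.PublicKey, plaintext []byte) (*EncryptedBlob, error) {
	key := make([]byte, 32) // 256-bit key
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, wrapPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedBlob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Recover is step 8: unwrap with RSA private key 2, then decrypt. Any other private key
// fails at the unwrap, which is why an offline or seized C&C leaves the ciphertext unrecoverable.
func Recover(priv *rsa.PrivateKey, b *EncryptedBlob) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, b.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed, not the matching RSA private key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil) // GCM also rejects tampered ciphertext
}

// RecoverFile is the C&C-side decryption with private key 2.
func (c *CommandAndControl) RecoverFile(b *EncryptedBlob) ([]byte, error) { return Recover(c.wrapKey, b) }

func main() {
	cnc, err := NewCommandAndControl()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptWithFreshKey(cnc.WrapPublicKey(), []byte("constructed sample document contents"))
	if err != nil {
		panic(err)
	}
	plain, err := cnc.RecoverFile(blob)
	fmt.Printf("private key 2 recovers %q (err=%v)\n", plain, err)
	_, err = Recover(cnc.transportKey, blob) // private key 1 is not private key 2
	fmt.Println("a different private key fails:", err != nil)
}
```

The defensive point is in the last two calls of main: because only the C&C ever holds private key 2, capturing the malware binary, the wrapped key, or even public key 2 from network traffic gives an incident responder nothing to decrypt with; recovery has to come from backups or from the private key material itself.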

After encryption, the CryptoLocker screen pops up. It displays a message that gives the victim a deadline to pay the ransom. The ransom notes and warning messages claimed that the files had been encrypted with 2048-bit RSA, but a researcher (fakebit.com) revealed that it was not using such a complex algorithm. It was later found to be using the Rijndael algorithm, a symmetric-key encryption algorithm in which the same key is used for encryption and decryption.

CryptoLocker screen

A later version came with other encryption methods, such as AES-256.

CryptoLocker would charge the victim $300 to $400 and would ask them to pay within 72 hours. Its payment methods were not limited to Bitcoin; they also included different online currencies and cash coupons.

There was other ransomware that was very similar to CryptoLocker; TorrentLocker, CryptoDefense, and PClock are a few examples. PClock gave the victim 72 hours to pay the ransom. CryptoLocker also had other versions, CryptoLocker 2 and CryptoLocker 3.

We saw that CryptoWall, in order to encrypt files on the victim machine, was dependent on the C&C. CryptoDefense overcame this by generating the public-private key pair on the victim machine itself.

Microsoft researchers found one of its variants capable of sending emails.

CryptoLocker was put to an end by security agencies in Operation Tovar. The operation was meant to take down Gameover Zeus and its command and control servers. The FBI announced a reward for Evgeniy Mikhailovich Bogachev, known by the aliases lucky12345 and Monstr (https://www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachev).

CryptoLocker was also offered as Ransomware as a Service (RaaS). In November 2015 it was known to be sold as a service by a group called the Fakben Team for $50. The buyer was responsible for distributing it and was supposed to share 10% of the ransom with the group. A CryptoLocker wave came back in 2016 and faded away within a few months.
