CryptoLocker
CryptoLocker is a Windows-based ransomware family first seen in September 2013 that encrypts victim files using strong public-key cryptography and demands payment for decryption, typically within a 72- to 96-hour deadline. The malware is described as using RSA-2048 together with AES, retrieving a public key from command-and-control infrastructure and keeping the private decryption key off the victim system. It targets valuable user and business data including Microsoft Office documents, photos, MP3 files, databases, certificates, archives, and other common file types on local drives and mapped network drives; some reporting also notes that mounted backups can be encrypted.

CryptoLocker commonly arrives via phishing and spam campaigns, including ZIP attachments containing executables disguised as PDF files, and was also distributed through watering-hole attacks and by Gameover Zeus botnet/Zbot infections. It persists from randomly named executables in %AppData% or %LocalAppData% using Run/RunOnce registry entries, records encrypted files in the registry, and attempts to delete Shadow Volume Copies via vssadmin. Payment methods mentioned in the content include Bitcoin, MoneyPak, prepaid cards, Ukash, and cashU, with ransom amounts commonly cited around $100 to $300, though some victims reportedly paid more.

The malware was heavily associated with Gameover Zeus and the criminal enterprise tied by U.S. authorities to Evgeniy Mikhailovich Bogachev; DOJ and related reporting state GOZ was a primary vehicle for seeding CryptoLocker infections. Reported impact figures in the content include more than 234,000 infected computers, including over 117,000 in the United States, and more than $27 million in ransom payments in its first two months online. Targeting was global, with the United States specifically noted as heavily affected and business users frequently impacted; examples include an insurance company in Pittsburgh and a Massachusetts police department.
Law-enforcement and private-sector disruption during Operation Tovar/Gameover in June 2014 seized or neutralized infrastructure associated with CryptoLocker, after which the original CryptoLocker distribution network was disabled. Notable indicators and artifacts directly mentioned in the content include registry paths such as HKEY_CURRENT_USER\Software\CryptoLocker\Files and HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files, autostart entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, execution from %AppData% or %LocalAppData%, use of DGA-generated domains, and the command to delete shadow copies: vssadmin Delete Shadows /All /Quiet.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
The malicious software... can sneak into your machine via an email attachment or a 'drive-by download', which you would not even be aware is taking place.
Execution (2 techniques)
Persistence (2 techniques)
The infection will also hijack your .EXE extensions... The .EXE hijack in the Registry will look similar to the following...
[HKEY_CLASSES_ROOT\.exe]
@="Myjiaabodehhltdr"
...
[HKEY_CLASSES_ROOT\Myjiaabodehhltdr\shell\open\command]
@="\"C:\\Users\\User\\AppData\\Local\\Rlatviomorjzlefba.exe\" - \"%1\" %*"
It will then create one of the following autostart entries in the registry to start CryptoLocker when you login:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
...
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
Privilege Escalation (1 technique)
It will then create one of the following autostart entries in the registry to start CryptoLocker when you login:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker"
...
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
Stealth (3 techniques)
These zip files contain executables that are disguised as PDF files as they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Microsoft does not show extensions by default, they look like normal PDF files and people open them.
Defense Impairment (1 technique)
The infection will also hijack your .EXE extensions... The .EXE hijack in the Registry will look similar to the following...
[HKEY_CLASSES_ROOT\.exe]
@="Myjiaabodehhltdr"
...
[HKEY_CLASSES_ROOT\Myjiaabodehhltdr\shell\open\command]
@="\"C:\\Users\\User\\AppData\\Local\\Rlatviomorjzlefba.exe\" - \"%1\" %*"
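The Persistence, Stealth and Defense Impairment excerpts above, together with the vssadmin command in the overview, describe host artifacts a defender can test for directly: a Run/RunOnce value that launches an executable out of %AppData% or %LocalAppData%, the HKEY_CLASSES_ROOT\.exe default value rewritten away from the normal "exefile" handler, a shell\open\command that redirects "%1" to a file under AppData, keys under HKCU\Software\CryptoLocker, a vssadmin "Delete Shadows" invocation, and the FORM_101513.pdf.exe double-extension lure. The following is an added example of that detection logic, not code from the page or from any vendor it cites. It runs over constructed Sysmon-style events embedded inline; the event field names (type, key, value, data, image, cmdline) are assumptions, and the list of document extensions used for the double-extension check generalizes beyond the PDF case the page mentions.

```python
"""Flag CryptoLocker-style host artifacts in a batch of registry and process events.

Added example: the events below are constructed to mirror the artifacts quoted on
the page; they are not real telemetry, and the field layout is an assumption.
"""
import re

# Executable launched from the user's roaming or local AppData directory
APPDATA_EXE = re.compile(r'\\AppData\\(Local|Roaming)\\[^\\"]+\.exe', re.IGNORECASE)
# HKCU/HKLM ...\CurrentVersion\Run or RunOnce
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
# HKCU\Software\CryptoLocker and the CryptoLocker_0388 variant cited on the page
CRYPTOLOCKER_KEY = re.compile(r"\\Software\\CryptoLocker(_\d+)?(\\|$)", re.IGNORECASE)
# vssadmin Delete Shadows ... (argument order after "Shadows" is not relied on)
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
# "document.<docext>.exe" lure names; extension list is an assumption beyond the page's PDF case
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|zip)\.(exe|scr|com|bat|cmd|pif)$", re.IGNORECASE)

# Constructed sample events (not real telemetry). Index 4 is a benign Run entry for contrast.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "CryptoLocker", "data": r"C:\Users\User\AppData\Local\Rlatviomorjzlefba.exe"},
    {"type": "registry_set", "key": r"HKCR\.exe", "value": "", "data": "Myjiaabodehhltdr"},
    {"type": "registry_set", "key": r"HKCR\Myjiaabodehhltdr\shell\open\command", "value": "",
     "data": r'"C:\Users\User\AppData\Local\Rlatviomorjzlefba.exe" - "%1" %*'},
    {"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin Delete Shadows /All /Quiet"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"type": "registry_set", "key": r"HKCU\Software\CryptoLocker\Files",
     "value": r"C:?Users?User?Documents?budget.xlsx", "data": "1"},
]


def check_event(event):
    """Return the names of every rule a single event trips (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set":
        key = event.get("key", "")
        data = event.get("data", "")
        if AUTOSTART_KEY.search(key) and APPDATA_EXE.search(data):
            hits.append("autostart_from_appdata")
        # Default value of HKCR\.exe should be "exefile"; anything else is a handler hijack
        if key.lower().endswith(r"\.exe") and data.lower() != "exefile":
            hits.append("exe_handler_hijack")
        if key.lower().endswith(r"\shell\open\command") and "%1" in data and APPDATA_EXE.search(data):
            hits.append("open_command_redirected_to_appdata")
        if CRYPTOLOCKER_KEY.search(key):
            hits.append("cryptolocker_registry_key")
    elif kind == "process_create":
        image = event.get("image", "").lower()
        if image.endswith("vssadmin.exe") and SHADOW_DELETE.search(event.get("cmdline", "")):
            hits.append("shadow_copy_deletion")
    return hits


def scan(events):
    """Run every rule over a list of events; return (event index, rule name) findings."""
    return [{"index": i, "rule": r} for i, ev in enumerate(events) for r in check_event(ev)]


def is_disguised_executable(filename):
    """True for attachment names like FORM_101513.pdf.exe that hide an executable extension."""
    return DOUBLE_EXT.search(filename) is not None


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"event {finding['index']}: {finding['rule']}")
    for name in ("FORM_101513.pdf.exe", "FORM_101513.exe", "report.pdf"):
        print(name, "->", "disguised" if is_disguised_executable(name) else "plain")
```

The benign OneDrive entry at index 4 is deliberately not matched, but note that legitimate updaters also run from AppData, so "autostart_from_appdata" is a triage signal to pair with the HKCR\.exe and vssadmin rules rather than an alert on its own. A bare FORM_101513.exe carries no double extension and relies on its icon alone, which the filename check cannot see; that case is covered by blocking executable attachments at the mail gateway.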
Discovery (2 techniques)
Command and Control (6 techniques)
This service is available by connecting directly to a Command & Control server's IP address or hostname or through Tor via the f2d2v7soksbskekh.onion/ address.
GOZ includes code that permits the defendants to install additional malicious software onto computers infected with GOZ. The defendants and their co-conspirators have used this capability to install Cryptolocker onto numerous computers within the GOZ botnet.
This decryption service can also be accessed via TOR at the address f2d2v7soksbskekh.onion/.
Impact (2 techniques)
Infected machines typically display a warning that the victim’s files have been locked and can only be decrypted by sending a certain fraction or number of Bitcoins to a decryption service run by the perpetrators. Victims are given 72 hours to pay the ransom.
CryptoLocker is a prolific and very damaging strain of malware that uses strong encryption to lock files that are likely to be the most valued by victim users, including Microsoft Office documents, photos, and MP3 files.
IOCs tracked for this family
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
48 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a ransomware family that used TOR-based victim communication, contrasted with Petya and NotPetya's email-based approach.
Referenced as a previous ransomware example for comparison with WannaCry's TOR-based C2 design.
Ransomware that encrypts files on local and mounted network drives using a hybrid cryptosystem: AES for file encryption and RSA public-key cryptography for encrypting AES keys, with the private key stored on attackers’ control servers. It propagates via email attachments, uses a Domain Generation Algorithm (DGA) to reach C2 infrastructure, maintains persistence via parent/child processes, and replaces original files with encrypted temporary files.
Early ransomware cited as an example of earlier-stage defense evasion using basic command-line scripts before the evolution to more advanced techniques.