Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
9 distinct techniques documented for this family, organized by ATT&CK tactic.
It will then create one of the following autostart entries in the registry to start CryptoLocker when you log in: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CryptoLocker" ... HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "*CryptoLocker"
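As an added example (not code from this page or from the product it describes), a small Python check that flags Sysmon-style registry value writes matching the HKCU Run/RunOnce autostart entries described above; the event dictionaries, image paths and SID are constructed assumptions, and the Sysmon Event ID 13 field names are assumed.

```python
import re

# Autostart locations named in the excerpt (HKCU Run and RunOnce). Sysmon
# records user hives as HKU\<SID>\..., so accept either spelling.
AUTOSTART_RE = re.compile(
    r"^(HKCU|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

def classify_autostart(target_object):
    """Describe a Run/RunOnce value write; None if the path is not an autostart key."""
    m = AUTOSTART_RE.match(target_object)
    if not m:
        return None
    key, value = m.group(2), m.group("value")
    reasons = []
    if value.lstrip("*").lower() == "cryptolocker":
        reasons.append("value name matches the CryptoLocker autostart entry")
    if key.lower() == "runonce" and value.startswith("*"):
        # A leading "*" on a RunOnce value makes Windows run it even in Safe Mode.
        reasons.append("RunOnce value with '*' prefix (runs even in Safe Mode)")
    return {"key": key, "value": value, "reasons": reasons}

def scan_registry_events(events):
    """Return (writing image, finding) for each suspicious EventID 13 (value set) write."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        finding = classify_autostart(ev["TargetObject"])
        if finding and finding["reasons"]:
            findings.append((ev["Image"], finding))
    return findings

# Constructed sample events (assumed shape; not captured from a real host).
SID = r"HKU\S-1-5-21-1"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\Kjhfdsa.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\Kjhfdsa.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\*CryptoLocker"},
    {"EventID": 13, "Image": r"C:\Program Files\OneDrive\OneDrive.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "TargetObject": ""},
]

if __name__ == "__main__":
    for image, finding in scan_registry_events(SAMPLE_EVENTS):
        print(image, "->", finding["key"], finding["value"], finding["reasons"])
```

The benign OneDrive Run entry is matched as an autostart write but produces no reasons, so it is not reported; only the two CryptoLocker-style writes are.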
The application includes windows that mimic “activators” or cracks for proprietary software, including Microsoft Windows, Microsoft Office, Team Viewer, Adobe Photoshop or even ESET Smart Security. The application chooses which window to display depending on the binary’s file name.
After infection, they scan the victim’s folder structure for files matching a set of file extensions, encrypt them and display a message window that demands a ransom in order to decrypt the files.
This malware contains a cryptocurrency miner called BFGMiner that could allow it to mine Bitcoin and other cryptocurrencies using the CPU or graphics card of your computer.
1 source tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.