Ransomware – public enemy number one in today’s digital landscape. Malicious software designed to block access to a computer system until a sum of money is paid has become the most common form of cybercrime.
This week a client of ours was attacked by Crypt0l0cker, a known ransomware strain that is making a comeback in European countries. Luckily we were able to quickly locate all affected users and prevent the malware from spreading. Of course, after the fact I was curious to find out how the attack was carried out.
At first glance, it looks complex and cumbersome. But in reality, after tracing it with a debugger, it becomes rather simple and straightforward. The only relevant parts that need to be reversed are the following:
ActiveXObject. Additionally, we can already see that the run method will be called on this object. All that is left to do is to decode the actual command that will be executed.
By checking the values returned by each of the functions we get the following output:
The ActiveXObject created earlier appears to execute a PowerShell command, and to understand it we need to take this reversing exercise one step further. The easiest way, again, is to pop a PowerShell CLI and check the resulting value inside the Invoke-Expression call, which leads us to the answer:
To conclude, the 500+ lines of obfuscated code amount to these 4 simple expressions that download the cryptolocker from a hacked Vietnamese gift shop and execute it, unleashing the encryption beast on the unsuspecting hard drive. As of today, there are no known decryptors for this locker. The ransom is $500, which goes up to $1000 if it’s not paid by the first deadline. For the victim this means complete data loss and a system reinstall from scratch. Having a backup of all your important data is definitely the easiest, cheapest and most secure thing you can do to remediate the damage suffered from a Crypt0l0cker infection.
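The string-reassembly step described above, as an added example that is not part of the original post: a small Python triage helper that statically folds String.fromCharCode calls and quoted-string concatenations (two obfuscation tricks assumed here as typical of such JScript droppers) and then lists which indicators only become visible once the strings are put back together. The sample script, the indicator table and the function names are constructed for this example; nothing from the sample is executed, so it is safe to run on an analysis box.

```python
import re

# Constructed sample in the style the post describes (not the real Crypt0l0cker
# dropper): the COM ProgID is assembled from character codes and fragments, and
# the Run method receives a PowerShell command built from fragments as well.
SAMPLE_JS = '''
var o = new ActiveXObject(String.fromCharCode(87, 83, 99, 114, 105, 112, 116) + "." + "Sh" + "ell");
o.Run("power" + "shell -c " + "Invoke-" + "Expression $payload", 0, false);
'''

# Indicators a defender looks for in script-host droppers (constructed list).
INDICATORS = {
    "ActiveXObject": "script instantiates a COM object",
    "WScript.Shell": "shell automation object that exposes Run",
    ".Run(": "executes an external program",
    "powershell": "launches PowerShell from a script host",
    "Invoke-Expression": "evaluates a string as code",
    "DownloadString": "fetches remote content into memory",
    "DownloadFile": "writes remote content to disk",
}

_FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
# Two adjacent double-quoted literals (without escape sequences) joined by '+'.
_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')


def decode_fromcharcode(src: str) -> str:
    """Replace String.fromCharCode(n, n, ...) with the literal it produces."""
    def repl(match: re.Match) -> str:
        text = "".join(chr(int(n)) for n in match.group(1).split(",") if n.strip())
        # Escape characters that would break the literal we emit.
        return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return _FROMCHARCODE.sub(repl, src)


def fold_concats(src: str) -> str:
    """Repeatedly merge "a" + "b" into "ab" until nothing changes."""
    prev = None
    while prev != src:
        prev = src
        src = _CONCAT.sub(lambda m: f'"{m.group(1)}{m.group(2)}"', src)
    return src


def find_indicators(src: str) -> list:
    """Return the indicator names present in src (case-insensitive, table order)."""
    lowered = src.lower()
    return [name for name in INDICATORS if name.lower() in lowered]


def triage(src: str) -> dict:
    """Decode the script statically and report what the obfuscation was hiding."""
    decoded = fold_concats(decode_fromcharcode(src))
    visible_after = find_indicators(decoded)
    visible_before = find_indicators(src)
    return {
        "decoded": decoded,
        "indicators": visible_after,
        "hidden_by_obfuscation": sorted(set(visible_after) - set(visible_before)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_JS)
    print(result["decoded"])
    for name in result["indicators"]:
        print(f"{name:18} {INDICATORS[name]}")
    print("hidden until decoded:", result["hidden_by_obfuscation"])
```

Running it prints the reassembled script and a short indicator list; the "hidden_by_obfuscation" entry is the part worth a second look, because those are exactly the strings a naive keyword scan of the raw file would have missed.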