| ID | X0030 |
| Aliases | None |
| Platforms | Windows |
| Year | 2013 |
| Associated ATT&CK Software | None |
CryptoLocker is a family of ransomware. [1]
| Name | Use |
|---|---|
| Initial Access::Spearphishing Attachment (T1566.001) | The malware is sent to victims as an attachment [1] |
| Command and Control::Encrypted Channel::Asymmetric Cryptography (T1573.002) | The malware encrypts messages with a public RSA key [1] |
| Command and Control::Application Layer Protocol::Web Protocols (T1071.001) | The malware uses http to communicate with C2 [1] |
| Name | Use |
|---|---|
| Impact::Data Encrypted for Impact::Ransom Note (E1486.001) | The malware launches Internet Explorer to show ransom notes [1] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | The malware creates an "autorun" registry key [1] |
| Execution::User Execution (E1204) | The malware relies on victims to execute [1] |
| Discovery::File and Directory Discovery (E1083) | The malware searches for user files before encrypting them [1] |
| Name | Use |
|---|---|
| Command and Control::C2 Communication::Send Data (B0030.001) | The malware sends a hash value generated from system information [1] |
| Command and Control::C2 Communication::Receive Data (B0030.002) | The malware receives a public key from the C2 [1] |
| Command and Control::Domain Name Generation (B0031) | The malware uses an internal domain generation algorithm [1] |
| Command and Control::C2 Communication::Authenticate (B0030.001) | The malware sends a phone-home message with encryption to start [1] |
SHA256 Hashes
- a2bc3059283d7cc7bc574ce32cb6b8bfd27e02ac3810a21bd3a9b84c17f18a72
- 0be1f445537f124b5175e1f2d1da87e2e57aa4ba09ea5fe72b7bafaf0b8f9ad2
[1] https://www.secureworks.com/research/cryptolocker-ransomware