Forensics Method Quickly Identifies CryptoLocker Encrypted Files

A researcher may have found the quickest route to learning which files are encrypted in CryptoLocker ransomware infections.

If CryptoLocker is teaching enterprise IT and security people anything, it’s that backup is king.

The ransomware is unforgiving; it will find and encrypt documents on local and shared drives and it will not give them back. Experts don’t advise victims to pay the ransom, which means infected computers must be wiped, and lost files must be recovered from backup.

However, one Boston-area forensics specialist and malware analyst working for a large enterprise may have found a clue as to identifying the files CryptoLocker encrypts, which could mean the difference between restoring terabytes of backup data versus a few gigabytes.

The infection at this particular enterprise happened in October. A user fell victim to a phishing email and followed a link to a site where CryptoLocker awaited. The malware was detected within a couple of hours by the firm’s antivirus, but not before it had encrypted thousands of files on the local drive and drives mapped to the user’s laptop, and presented the user with the now-familiar bitmap image explaining the attacker’s demand for ransom.

The laptop was pulled from the network, wiped and analyzed. That’s when the analyst, who goes by the Twitter handle @Bug_Bear and asked not to be otherwise identified, noticed that the NTFS Master File Table creation and file modified dates on the encrypted files were unchanged. He then compared those results to the Master File Table from the Windows file server as well, using a pair of tools, analyzeMFT and MFTParser, to go through close to 10GB of Master File Table data.

“Identifying some known encrypted files by the $FN file name, I noted the only date in the MFT record that coincided with the infection was the MFT Entry Date or date the MFT record itself was modified,” he wrote on his Security Braindump blog. “Using this, I filtered out all records that had $SI or $FN time stamps that preceded this.”

Through this method, he was able to identify more than 4,000 files that had been encrypted by CryptoLocker and recover those files from backup.

He told Threatpost that he believes the malware uses a technique called File System Tunneling to avoid detection, and that’s what led him to find the encrypted files.

“In NTFS, if you delete a file and then recreate it with the same name in the same folder within 15 seconds, it takes on the attributes of the original files; all the file dates would match up,” he said. “I think that’s what we’re seeing. The only date that won’t change is the NTFS Master File Table date which is the date it was created in the database for NTFS itself. That will change and that’s what I’m seeing and that’s what I used to find these files.”
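The filter the analyst describes, as an added example that is not the article's or @Bug_Bear's own code: it runs over constructed, simplified MFT records (the record fields and sample paths are assumptions, not analyzeMFT's output columns) and keeps only files whose MFT entry-modified time falls inside the infection window while every $SI and $FN timestamp precedes it, which is the signature file system tunneling leaves on a recreated file.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class MftRecord:
    """Simplified MFT record; field names are assumptions, not analyzeMFT's."""
    path: str
    si_created: datetime          # $STANDARD_INFORMATION creation time
    si_modified: datetime         # $STANDARD_INFORMATION content-modified time
    si_entry_modified: datetime   # $STANDARD_INFORMATION MFT-entry-modified time
    fn_created: datetime          # $FILE_NAME creation time
    fn_modified: datetime         # $FILE_NAME content-modified time


def suspect_records(records, infection_start, infection_end):
    """Return paths whose MFT entry-modified time lies in the infection window
    while all other $SI/$FN timestamps predate the window (tunneling pattern)."""
    hits = []
    for r in records:
        in_window = infection_start <= r.si_entry_modified <= infection_end
        others = (r.si_created, r.si_modified, r.fn_created, r.fn_modified)
        untouched = all(t < infection_start for t in others)
        if in_window and untouched:
            hits.append(r.path)
    return hits


# Constructed sample data, not from a real case.
T0 = datetime(2013, 10, 15, 9, 0)
INFECTION = (datetime(2013, 10, 15, 14, 0), datetime(2013, 10, 15, 16, 0))
SAMPLE = [
    # Encrypted file: tunneling preserved $SI/$FN dates, only the entry date moved.
    MftRecord(r"E:\docs\budget.xlsx", T0, T0,
              INFECTION[0] + timedelta(minutes=10), T0, T0),
    # File the user edited during the window: content-modified time moved as well.
    MftRecord(r"E:\docs\notes.txt", T0, INFECTION[0] + timedelta(minutes=20),
              INFECTION[0] + timedelta(minutes=20), T0, T0),
    # Untouched file: no timestamp inside the window.
    MftRecord(r"E:\docs\old.pdf", T0, T0, T0, T0, T0),
]

if __name__ == "__main__":
    for path in suspect_records(SAMPLE, *INFECTION):
        print(path)
```

On real data the window bounds come from the earliest and latest entry-modified times on files already known to be encrypted, as the analyst did using their $FN names.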

CryptoLocker, unlike other ransomware, encrypts files and then demands a ransom for the decryption key. It is spreading primarily through phishing campaigns heralding phony Federal Express or UPS tracking notifications. Victims are told they must make payments via MoneyPak or Bitcoin before a 72-hour payment deadline expires and the files are lost forever.

Bug_Bear called the attack straightforward, efficient and effective. He also said backup is a company’s best defense, along with a solid incident response plan.

“The only way I know of to find these files is what I used,” he said. “I’m thankful for other people out there writing these tools because if I didn’t have these tools, [parsing] 10GB of hexadecimal would be quite the chore.”

  • David on

    "followed a link to a site where Cryptolocker awaited" So I take it Cryptolocker can be contracted from opening/landing on a bad web page, doesn't have to come from opening a .exe attachment or file?
  • Bugbear on

    David In this attack a malicious Java applet was used. I verified this via timestamps in appdata\local\temp and the related idx file in java cache under appdata\locallow. Not atypical these days. 99% of compromises I see in my enterprise happen this way. No local admin rights needed and with the onslaught of java vulnerabilities as of late, often there is no interaction required. If there is a security warning many users will just click through it.
  • Lock This on

    That was a nice bit of detective work. I'd like to cryptolock the malware author's lung-cage.
  • Bugbear on

    David Most attacks I am seeing, including this one, are links to malicious Java Applets. You can often verify this with timestamps that line up with a Java tmp file in %userprofile%\appdata\local\temp and an idx file in the java cache located in %userprofile%\appdata\locallow (which will contain the url). With the many vulns in Java these days, a user may or may not be presented with a security warning (Newer versions of Java are better at this). Tim aka bugbear
  • Wayne Collier on

    The laptops we analyzed which were infected with Cryptolocker had a registry key under HKCU\Software\Cryptolocker with all the files it had encrypted. This listing also included the network shares that were encrypted, as well as the local files.
  • David on

    This 11 year old Gateway doesn't have Java installed at present.
  • Bob on

    Here is another person's experience at finding what was encrypted. "I just went into the log file for Cryptolocker (I think it was in programs etc) and there was a list of everything it had encrypted with file paths etc. No rocket science involved. So I was able to cheerfully tell the customer that YES it did affect "these" files on your network."
  • daniel on

    Everyone can put all data, before encrypting (72 hours) on a dvd or cd. After that can't be encrypted. That can't be possible even so the data have been virused. The time it is up.
