Written by: Ryan Angelo Certeza

GOZ and CryptoLocker are two of the most notorious malware families that we have seen as of late. CryptoLocker is ransomware that not only locks the system it affects, but also encrypts certain files found on the system's hard drive. This may be a tactic to ensure that the victim pays the ransom, as there is no other way to decrypt the files but with a key that only the cybercriminals responsible can provide.

Trend Micro Tools for GOZ and CryptoLocker Malware

Platform | Download link
32-bit | Threat Cleaner for 32-bit systems
64-bit | Threat Cleaner for 64-bit systems

GOZ, also known as P2PZeus/GameOver, is a ZBOT variant that uses its peer-to-peer (P2P) network to download its configuration file. If its peers no longer exist, it uses its domain generation algorithm (DGA) to connect to a randomly generated C&C server, from which it gets its configuration file.

History and Risk To Users

Since the discovery of CryptoLocker, the number of its victims has grown exponentially. In our October 2013 report, we observed over a 30-day period that 64% of detected global infections were seen in the US. The UK and Canada had their share of infections at 11% and 6%, respectively.

As with any ransomware, once the system is infected, the user is coerced to pay a ransom through online payment methods to regain use of the computer. However, paying doesn't guarantee access to the infected system. Moreover, CryptoLocker infections put infected computers at an elevated risk of being rendered unusable. This is because once files are encrypted, almost all anti-malware tools are only able to remove the CryptoLocker variant from the system, leaving the encrypted files unusable. Therefore, it is important to stop the CryptoLocker infection chain before it executes.

Meanwhile, GOZ variants cropped up in 2013. GOZ, being an offshoot of ZBOT malware, steals credentials used in banking and finance-related sites. It uses a configuration file downloaded from a specified URL. What separates GOZ from regular ZBOT malware is its P2P capability. When the specified URL where it intends to download its configuration file is inaccessible, GOZ begins to use its domain generation algorithm to generate new domains. The domains usually last for as long as one week.

Infection Routines

The infection starts as a spammed message with a malicious attachment. Should users open the attachment, which is usually detected as a UPATRE variant, it then downloads and executes a malicious .exe file. The said file is also typically a ZBOT or GOZ variant.

Along with its malicious routines that include stealing online banking credentials, the detected ZBOT/GOZ variant then downloads a CryptoLocker variant onto the infected system. This variant, which serves as the final payload, is detected as a member of the TROJ_CRILOCK malware family.

Malicious Routines

Once inside the system it's infecting, CryptoLocker connects to randomly generated domains to download the public key to be used in encryption. The extensions of the domains include:

  • biz/home
  • co.uk/home
  • com/home
  • info/home
  • net/home
  • org/home
  • ru/home
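The domain endings and the /home path above can be turned into a proxy-log check. The following is an added example, not code from the original page: the log format, the sample lines and the "random-looking name" heuristic are assumptions, and the heuristic is not the malware's generation algorithm. A client is flagged only after it requests /home on several distinct generated-looking domains.

```python
import math
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Domain endings from the list on this page; each is requested with the path /home.
SUFFIXES = ("biz", "co.uk", "com", "info", "net", "org", "ru")

# Constructed sample proxy log, one "<client-ip> <url>" pair per line.
SAMPLE_LOG = """\
10.0.0.5 http://www.example.com/home
10.0.0.7 http://xkqjwpvhtrbnd.biz/home
10.0.0.7 http://qzvbnmwrtkpls.co.uk/home
10.0.0.7 http://wfhgjkqxzpvbn.info/home
10.0.0.9 http://intranet.example.org/home
10.0.0.9 http://plmkjnhbgvfcd.ru/index.php
"""

def entropy(label):
    counts = Counter(label)  # Shannon entropy in bits per character
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def looks_generated(label):
    # Assumed heuristic, not the malware's algorithm: one long letters-only label, high entropy.
    return bool(re.fullmatch(r"[a-z]{10,}", label)) and entropy(label) >= 3.0

def suspicious_host(url):
    """Return the host if the URL fits the page's pattern, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path.rstrip("/") != "/home":
        return None
    for suffix in SUFFIXES:
        if host.endswith("." + suffix) and looks_generated(host[: -len(suffix) - 1]):
            return host
    return None

def flag_clients(log_text, min_domains=3):
    """Map each client to its matching hosts once it has contacted min_domains of them."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        client, _, url = line.partition(" ")
        host = suspicious_host(url.strip())
        if host:
            hits[client].add(host)
    return {c: sorted(h) for c, h in hits.items() if len(h) >= min_domains}

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

Requiring several distinct domains per client keeps a single legitimate site with a long name and a /home page from raising an alert on its own.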

CryptoLocker then searches for files with certain file extensions to encrypt. The files it encrypts include important productivity documents and files such as .doc, .docx, .xls, and .pdf, among others. This encryption is discussed in the Encryption mechanics section below.

CryptoLocker replaces the system's wallpaper with a notice that informs users that their important files are encrypted.

To decrypt these files and make them accessible again, users are persuaded to purchase the private key for either US $300 or 300 Euro. In some cases, the payment demanded can go as high as US $500 or 500 Euro.

Encryption mechanics

CryptoLocker encrypts the user's files using AES-256 and RSA encryption. Based on our analysis, the method itself should look like the following:

Data encrypted with the RSA public key can only be decrypted with its corresponding private key. Since the AES key is hidden using RSA encryption and the RSA private key is not available, decrypting the files is not feasible as of this writing.

User Impact

Users affected by this threat may find their documents inaccessible due to CryptoLocker's encryption. This may result in data loss and may severely hamper the user's productivity if their system contains work-critical documents.

The fact that the CryptoLocker variant here is a payload delivered by a ZBOT variant means that the routines of that malware also affect the user. The said ZBOT variant may lead to financial loss, as the stolen online banking credentials may be used to initiate unauthorized transactions.

Best Practices and Solutions

Scrutinize email messages carefully. Be wary of every email you receive, especially those from unverified sources. Users can do this by doing their research or communicating directly with the purported sender to confirm if they sent the messages.

Refrain from clicking links embedded in email. It is best to avoid clicking links in email. However, if you need to, make sure that your browser uses web reputation to check the link. As an added precaution, you can use free services like Trend Micro Site Safety Center to verify the reputation of the site.

Back up documents. Users would also do well to back up their documents. The 3-2-1 rule applies here – three backup copies of your data, on two different media, and one of those copies in a separate location. Cloud storage services (like SafeSync) can help here.

Regularly update software. Though no known GOZ, CryptoLocker, or other ransomware variants were found to exploit any software vulnerabilities, it is best to update your software with the latest security patches. This provides an added layer of protection against online threats in general.

Install a security solution. A reliable antimalware solution can detect such threats even before they begin. Security solutions like Trend Micro can even block malware-carrying spam before it can reach your inbox.

For organizations, it is important to review policies related to email attachments and impose strict attachment-blocking policies. It is recommended to discourage employees from sending executables via email messages.
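An attachment-blocking policy is only as good as its file-type check, since an executable can be renamed or placed inside an archive. The following is an added example of content-based checking, not code from the original page and not Trend Micro's implementation: the function names and the sample message are constructed, and the sample "executable" is placeholder bytes, not a program.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def is_pe(head):
    """Windows executables begin with the bytes 'MZ', whatever the file is named."""
    return head[:2] == b"MZ"

def executable_parts(raw_message):
    """List (name, reason) for every part that a no-executables policy should block."""
    findings = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "(unnamed part)"
        data = part.get_payload(decode=True) or b""
        if is_pe(data):
            findings.append((name, "executable content"))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    try:
                        with archive.open(info) as member:
                            reason = "executable content" if is_pe(member.read(2)) else None
                    except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                        reason = "uninspectable"  # encrypted or unreadable member
                    if reason:
                        findings.append((f"{name}!{info.filename}", reason))
    return findings

def build_sample():
    """Constructed message: placeholder bytes starting with 'MZ', not a real program."""
    fake_exe = b"MZ" + bytes(62)
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as z:
        z.writestr("readme.txt", "hello")
        z.writestr("report.pdf.exe", fake_exe)
    msg = EmailMessage()
    msg.set_content("Please see the attached files.")
    msg.add_attachment(fake_exe, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(executable_parts(build_sample()))
```

Only the first two bytes of each archive member are read, so a large or highly compressed member costs little to inspect; members that cannot be opened are reported rather than silently passed.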

Another security measure that organizations can impose is to configure certain machines with limited privileges, in particular those that have specific functions, to decrease the chances of users executing malicious applications.

Because the needed private key to unlock the encrypted file is only available through the cybercriminal, users may be tempted to purchase it and pay the exorbitant fee. However, doing so may encourage these bad guys to continue and even expand their operations.

Trend Micro Protection

Trend Micro Smart Protection Network detects and deletes the known related malware if found in the system. Web reputation service (WRS) detects the known malicious domains in this attack and blocks access to them. If CryptoLocker fails to access these sites, it cannot download the public key which is needed in encrypting files. Email reputation service (ERS) blocks the known related spammed messages that deliver ZBOT/GOZ and CryptoLocker. In particular, the True File Type Filtering feature of ERS can alert users if the attachment is malicious.

In addition, Trend Micro products' behavior-based detection monitors the system for CryptoLocker and GOZ infection. For more information on how to properly configure this feature, please coordinate with your Trend Micro contact person or customer service.