The devastating Windows CryptoLocker “ransomware” malware employs state-of-the-art encryption technologies to reversibly encrypt all user-created files falling within view of the user's login account. It also employs equally state-of-the-art Internet operations tactics to thwart ready interception and control by law enforcement authorities. Consequently, CryptoLocker has generated an unprecedented level of concern and interest within the professional malware remediation community as well as within corporate information technology professionals, and tech savvy computer literati. Professionals and informed semi-professionals have asked whether this or that approach would work for containing the malware's efforts and effects.
To facilitate individual CAREFUL & RESPONSIBLE exploration, this page makes LIVE MALWARE available for private forensic evaluation and experimentation.
Please observe the following guidelines and recommendations:
- If you do not feel completely comfortable handling actively live malicious software, please do not proceed any further. It is SO EASY TO MAKE A MISTAKE that you MUST ESTABLISH a mistake-proofing containment system.
- You should NEVER ATTEMPT to experiment with malicious software on any system containing, or having access to, irreplaceable files.
- CryptoLocker must have Internet access to function. It must be able to contact “the mother ship” for a pre-encryption key interchange. So isolating it from all Internet contact will not work.
- Each piece of malware is enclosed within a benign, password-protected ZIP archive file. It should be safe to download the ZIP file, since the executable within is not just obfuscated, it is truly encrypted with the password and cannot be executed. You may wish, in any event, to download the ZIP file to a removable media drive.
- To obtain the ZIP file from GRC's servers, mark and copy the entire highlighted link, then paste it into your web browser's address bar and manually remove the spaces which surround both forward slash (/) characters. That will make the link “live.”
- These standard ZIP file archives are protected under the password: infected
- PLEASE PLEASE PLEASE be extremely careful! It is our sincere wish that you will only benefit from access to this malicious software and that you will not hurt yourself or anyone else. Please treat this malware with the utmost respect and care.
- REMEMBER TO DESTROY the un-zipped executable file after you have finished with it. NEVER leave it lying around. In the event that the executable code is sensitive to its own name, we HAVE NOT RENAMED THE FILE to make its dangerous nature obvious, so its malicious nature WILL NOT BE OBVIOUS if anyone should encounter it. BE SURE TO DELETE IT (and empty the trash) to prevent its inadvertent unwitting execution.
A small selection of VERY MALICIOUS malware:
- CryptoLocker Ransomware - Newest Version, February 10th, 2014
  - Link: https://www.grc.com / malware / CryptoLocker_02-10-2014.zip
  - Rather well detected: 35/50 (see current “Virus Total” for this file)
  - Zip Contains: 44217C15F30538A1FBDF614C9785C9B7.exe
  - Uncompressed size: 395,776 bytes
  - SHA-256: 62f199dedfffef4eb71c33bdf22f4a9b3276f8a831999788059163fae43db48e
- CryptoLocker Ransomware - Two Versions, January 22nd, 2014
  - Link: https://www.grc.com / malware / CryptoLocker_01-22-2014.zip
  - VERY Poorly Detected: 6/48 (see current “Virus Total” for this file)
  - Zip Contains: 1002.exe
  - Uncompressed size: 257,024 bytes
  - SHA-256: 5291232b297dfcb56f88b020ec7b896728f139b98cef7ab33d4f84c85a06d553
  - Poorly Detected: 19/50 (see current “Virus Total” for this file)
  - Zip Contains: 1003.exe
  - Uncompressed size: 261,120 bytes
  - SHA-256: 8cf50ae247445de2e570f19705236ed4b1e19f75ca15345e5f00857243bc0e9b
- CryptoLocker Ransomware - Newer Version, December 21st, 2013
  - Link: https://www.grc.com / malware / CryptoLocker_12-21-2013.zip
  - VERY Poorly Detected: 5/46 (see current “Virus Total” for this file)
  - Zip Contains: 082671641341d89fe49d0da717846035ba6af02edb59840148eddc3586d21557.exe
  - Uncompressed size: 972,288 bytes
  - SHA-256: 3d9af2cb75bf685209ca0cfcc84e7ece27a2007044c2dc4b0ddcbc7fb141ad3e
- CryptoLocker Ransomware - Older Version, November 20th, 2013
  - Link: https://www.grc.com / malware / CryptoLocker_11-20-2013.zip
  - Poorly Detected: 17/47 (see current “Virus Total” for this file)
  - Zip Contains: Vcffipzmnipbxzdl.exe
  - Uncompressed size: 846,848 bytes
  - SHA-256: c7dc529d8aae76b4e797e4e9e3ea7cd69669e6c3bb3f94d80f1974d1b9f69378
- CryptoLocker Ransomware - Near Original Version, September 10th, 2013
  - Link: https://www.grc.com / malware / CryptoLocker_9-10-2013.zip
  - Well Detected: 42/47 (see current “Virus Total” for this file)
  - Zip Contains: {71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
  - Uncompressed size: 346,112 bytes
  - SHA-256: d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
Not CryptoLocker, but well known and quite pernicious banking credential-stealing malware:
- Zeus / ZBot / Rootkit Banking Trojan - Recent on November 26th, 2013
  - Link: https://www.grc.com / malware / Zeus_Zbot_Rootkit_Banking_Trojan.zip
  - Poorly Detected: 24/44 (see current “Virus Total” for this file)
  - Zip Contains: invoice_2318362983713_823931342io.pdf.exe
  - Uncompressed size: 252,928 bytes
  - SHA-256: 69e966e730557fde8fd84317cdef1ece00a8bb3470c0b58f3231e170168af169