Today I have tried to get the source and become a script kiddie to test in my virtual environment, REMEMBER just test within your own environment, don't try it on your host machine and other computers... in case the program crashed and you have lost the key :o)....
1.) As a victim, Windows 7 64x,... he browses a fake Google website, and find free PDF, haha (actually people get ransomware elsewhere, hacked websites or some other ;)...)
2.) The victim downloaded the so called PDF file (actually it's an exe with PDF icon, for testing purpose, all antivirus and warning are turned off)
5.) Wait, there's a file called "Read_IT.txt"... and the evil was asking for "ransom"...
and Yeah baby, the files were back to normal!
=========================================================
For the source code, you could get it from github, the sample is simply a .Net program, changed the parameters and compiled it again. From Readme, change the location of evil server, so that the encryption key could be sent to it. The blackmail message could be configured as well. For testing, HTTP is used, not HTTPS.
The password is created randomly and encrypt the files.
The decrypter just gets the input and decrypt the files.
For evil server, I was using the Kali Linux (any web servers will do), it's writing the key to a text file. The machine name, user name and key were saved. The key was randomly created.
For traffic, we can take a look on the pcap, it's sending the key back to the evil server, of course in real case, it may be HTTPS that we will have less information for analysis.
After some analysis, how about anti-virus detection? Normally when downloading an executable, it would warn you whether you want to keep or discard, and executing it, system may ask you whether you really want to run it, of course it's another story if the file was downloaded due to other means like browser exploitation.
Also, in the VM, the file was actually detected by the scanner. The hidden-tear.exe is also submitted to VirusTotal, it's detected as CryptoLocker. (https://www.virustotal.com/en/file/ad2cfd31e5220eaf3ca8bcab5b963505f203b96fa31a8002312ecc45708a3c41/analysis/1440052245/)
That's all for today, the demo is completed. Good luck and not suffering CryptoLocker anymore my friends :)