1. CrytoLocker

• A ransomware trojan
• Targeted computers running Microsoft Windows.
• First observed by Dell SecureWorks in September 2013 (CryptoLocker).
• Principle
• It breaks into the system,
• Infects specific files, and
• Demands ransom for recovery from the infection.

2. Configuration: Processes in CryptoLocker

• System consists of two parts:

• S and its internal components:

• S contains E, to search files in the system.

• Other various processes.

• The other to give permission for an external process to enter S.

• Other processes except E have the same priority of m. 

3. δ-Calculus

• System∷=S_((0) ) [E_((0) )∥P1_((m) )∥P2_((m) )∥ P3_((m) )∥…∥Pn_((m) ) ]〈SYS,NET〉∥(F in)^∞
• F∷=P1∥P2∥P3∥…∥CL∥CP∥…
• CL∷=in_t1  S.new I.new D.nil
• D∷=kill CL.exit     
• I∷=(in) ̅_t2^p  E.W
• W∷=nil△_∞ (nil,nil,SYS(trigger).NET((download) ̅ ).W)
• CP∷=NET(download).in_t3  S.new K.(get) ̅_t4^p  K.(get_tj^p  Pi.new Pi^′.kill Pi)^n.(SYS.((ReqM) ̅ ).SYS(sendM))△_t5 (OP,kill K.exit,nil)
• OP∷=(get_tk^p  Pi^′.new Pi.kill Pi^′ )^n.exit

4. Operational  Requirements

3. ITL View

4. ITS View

5. Execution Model

6. Simulation/GTS

1) Normal Case

2) Abnormal Case: Deadlock

7. GTS Logic

1) Requirements

• The (new I) and (new D) actions of CL should be executed after the (in S) movement action of CL.
• δ_(CL,S)<CL:(new I)∧CL:(new D)
• CL:(in S)<CL:(new I)∧CL:(new D)
• The (kill CL) action of D should be executed after the movement of I, that is, the (put I) movement action of CL.
• δ_(CL,I)<D:(kill CL)
• CL:(put I)<D:(kill CL)
•  K should be in CP all the time.
• K⊂CP

2) Normal Case

3) Abnormal Case