The topics of Ransomware and CryptoXYZ have become extremely prevalent both here and in the IT wilderness of the web.
I have analyzed an array of samples of all of the different types of Crypto software I could find, using a small isolated Windows 7 Enterprise VM, even mapping some fake network drives to a bunch of zeroed-out data files, to attempt to catch the crypto-variant in the act. What I've found in doing this, along with several other research sources, is that the big-hitters in the crypto-game (CryptoWall and CryptoLocker), as well as the variant "Cryptographic Locker", are using _Microsoft Cryptographic APIs_ to do their dirty work. From the moment you examine a process, or an injected process of one of these three, you'll start seeing Reg Keys being written to and read from, in the context of things such as "Microsoft...