Everything you need to know about Cryptolocker


by Duncan MacRae | 14 February 2014

A virus smart enough to identify critical database files and steal high value data.

CryptoLocker, first discovered in September 2013, is a ransomware trojan that targets computers running Microsoft Windows.

A CryptoLocker attack can come from various sources, usually disguised as a legitimate email attachment. When it is activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers.

The malware then pops up a message offering to decrypt the data if a payment through either Bitcoin or a pre-paid voucher is made by a certain deadline. It also threatens to delete the private key if the deadline passes. If this deadline passes without payment the malware offers to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin.

The creation of CryptoLocker is a very significant moment in the history of viruses. It is an example of viruses now being intelligent enough to identify critical database files and steal high value data, rather than data selected at random. The CryptoLocker "ransomware" virus then locks the data with unique encryption keys, and is sophisticated enough to take an electronic payment and then send a company the correct decryption keys and software.

As an example, this month Paul Goodson, a lawyer in South Carolina, USA, was targeted. He lost access to thousands of stored legal documents when the CryptoLocker ransomware, delivered as an e-mail attachment, permanently encrypted them.

He said: "It was actually an e-mail that looked like it was coming from our phone system because our system sends voice mail messages as an attachment."

Goodson attempted to pay the $300 ransom to decrypt the files, but only after the deadline had passed. It was too late. He added: "The virus also warned if you tried to tamper or decrypt anything, it was going to be permanently locked and you could never open it."

Although the virus can be fairly easily removed, files remain encrypted in a way that researchers have considered impossible to break. Some say that the ransom should not be paid, but do not offer any way to recover files. Others say that paying the ransom is the only way to recover files that have not been backed up. Payment often, but not always, has been followed by files being decrypted.
