CryptoLocker

CryptoLocker is a ransomware specimen designed to infect Microsoft Windows computers through a Trojan.

CryptoLocker: definition

CryptoLocker is a ransomware specimen designed to infect computers through a Trojan. It is programmed to affect Microsoft Windows systems and block access to files until a ransom is paid to the malware authors.

Once installed, CryptoLocker encrypts certain files it finds on the infected computer and displays a ransom note on the screen, demanding hundreds of dollars in bitcoin for the decryption key.


Operation

The Trojan spreads as an email attachment and through a botnet used for peer-to-peer file sharing. It runs when the victim opens the attached password-protected ZIP file (the password is included in the message) and tries to open what appears to be a PDF inside it. CryptoLocker takes advantage of Windows’ default behavior of hiding known file extensions to disguise the real .EXE extension of the malicious file.

Once active, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key held only on the malware's control servers. The encryption is strong enough that the files cannot be recovered without that key, leaving victims with only two options to regain access: pay the ransom (with no real guarantee that paying will actually release the files) or restore the files from backup copies.

However, the combined efforts of police forces from multiple countries have allowed the database of private keys used by CryptoLocker to be accessed. This database has in turn been used to build an online tool for recovering the keys and files without paying the ransom.


Targets

CryptoLocker only works on PCs running Windows XP, Vista, Windows 7 or Windows 8, as it is designed to exploit features included in those operating systems. It doesn't affect Apple devices, smartphones or tablets.

According to the FBI and other law enforcement agencies, the operators of CryptoLocker have successfully extorted millions of dollars in ransom payments. By the end of 2013, just a few months after being released, the malware had already infected more than 235,000 computers.


How to avoid CryptoLocker

This malware spreads via email by using social engineering techniques. Follow these tips to protect yourself from CryptoLocker:

  • Be particularly wary of emails from senders you don’t know, especially those with attached files.
  • Turn off the Windows option that hides file extensions for known file types. This will help you recognize the malicious file used in the attack.
  • Have a backup system in place for your critical files. This will help mitigate the damage caused not only by malware infections, but hardware problems or any other incidents as well.
  • Use a professional security solution, such as Panda Dome, capable of neutralizing these attacks.
  • If you become infected and don’t have a backup copy of your files, our recommendation is not to pay the ransom. Paying only turns the malware into a profitable business model and contributes to the spread of this type of attack.
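The disguised-attachment trick described under "Operation" and the advice above to reveal hidden extensions can be backed by an automated check at the mail gateway or on a shared drive. The following Python script is an added example, not code from the original page or from Panda Security: it inspects a ZIP attachment for members that pair a document extension with a hidden executable extension, or that carry a Windows PE header behind a non-executable name. The sample archive is constructed inline.

```python
import io
import zipfile

# Extensions Explorer hides by default; CryptoLocker lures append one to an
# innocent-looking document name, e.g. "invoice.pdf.exe" shows as "invoice.pdf".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".jpg"}
MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def classify_member(name, head):
    """Return the reasons a ZIP member looks like a disguised executable."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    last = "." + parts[-1]
    if len(parts) >= 3 and last in EXECUTABLE_EXTENSIONS \
            and "." + parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append("double extension ." + parts[-2] + last)
    if head.startswith(MZ_MAGIC):
        if last in EXECUTABLE_EXTENSIONS:
            reasons.append("Windows executable inside attachment")
        else:
            reasons.append("PE header (MZ) behind a non-executable extension")
    return reasons


def suspicious_members(zip_bytes, password=None):
    """Map each dangerous member of a ZIP attachment (optionally protected by
    the password quoted in the lure email) to the reasons it was flagged.
    Only two bytes per member are read, so large archives stay cheap."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info, pwd=password) as fh:
                head = fh.read(2)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample lure: a fake PDF carrying a PE stub, plus a harmless note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2013.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", b"Please see the attached invoice.")
    return buf.getvalue()
```

Running `suspicious_members(build_sample_zip())` flags only the fake PDF; a real gateway would pass the quoted password from the message body and quarantine any message with findings.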