February 14, 2014

Everything you need to know about Cryptolocker

A virus smart enough to identify critical database files and steal high value data.

By Duncan Macrae

CryptoLocker, first discovered in September 2013, is a ransomware trojan that targets computers running Microsoft Windows.

A CryptoLocker attack can come from various sources, usually disguised as a legitimate email attachment. When it is activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers.
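Because the article describes the malware rewriting document and database files on local and mounted network drives as ciphertext, a cheap triage check on a share is to look for files whose contents no longer resemble their format. The following script is an added example, not code from the article or from any vendor; it computes Shannon entropy over the head of each file, treats intact compressed containers (which are high-entropy by design) as legitimate when their magic bytes are present, and flags the rest. The suffix list, the 7.5 bits/byte threshold and the sample tree it builds are assumptions constructed for the example.

```python
"""Flag files whose contents look encrypted, as a post-incident triage step for a
share hit by file-encrypting ransomware. Added example; not the article's code."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Document and database suffixes to inspect (hypothetical list chosen for this example).
WATCHED_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".mdb", ".sql", ".txt"}
# Compressed container formats are high-entropy by nature; their magic bytes
# identify an intact file, so they are only flagged when the header is gone.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits near the 8.0 maximum


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """True when the file head is high-entropy and lacks the magic bytes its suffix implies."""
    with path.open("rb") as f:
        head = f.read(sample_size)
    expected = MAGIC.get(path.suffix.lower())
    if expected and head.startswith(expected):
        return False            # intact compressed container, not ciphertext
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_tree(root: Path) -> list[Path]:
    """Return watched files under root whose contents look encrypted, sorted by path."""
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES and looks_encrypted(p)
    )


def build_sample_tree() -> Path:
    """Constructed sample share: two intact documents and two 'encrypted' stand-ins
    (random bytes from os.urandom, not the output of any real malware)."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "notes.txt").write_bytes(b"Meeting notes: review the backup schedule.\n" * 100)
    (root / "report.docx").write_bytes(MAGIC[".docx"] + os.urandom(4000))  # intact zip container
    (root / "ledger.mdb").write_bytes(os.urandom(4096))                   # ciphertext stand-in
    (root / "memo.txt").write_bytes(os.urandom(4096))                     # ciphertext stand-in
    (root / "photo.jpg").write_bytes(os.urandom(4096))                    # suffix not watched
    return root


def demo() -> list[str]:
    """Scan the constructed tree and return the names of files flagged as encrypted."""
    root = build_sample_tree()
    return [p.name for p in scan_tree(root)]


if __name__ == "__main__":
    for name in demo():
        print("possibly encrypted:", name)
```

Entropy alone is a coarse signal: a plaintext memo overwritten with ciphertext stands out clearly, while a `.docx` or `.pdf` only stands out once its header has been destroyed, which is why the magic-byte check comes first. The scan tells you which files on a share are already unrecoverable without the key, which is the information needed to decide what must be restored from backup.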

The malware then pops up a message offering to decrypt the data if a payment through either Bitcoin or a pre-paid voucher is made by a certain deadline. It also threatens to delete the private key if the deadline passes. If this deadline passes without payment the malware offers to decrypt data via an online service provided by the malware’s operators, for a significantly higher price in Bitcoin.

The creation of CryptoLocker represents a very significant moment in the history of viruses. It is an example of viruses now being intelligent enough to identify critical database files and steal high value data, not just data selected at random. The CryptoLocker "ransomware" virus then locks the data with unique encryption keys, and is smart enough to take an electronic payment and then send a company the correct decryption keys and software.

As an example, this month Paul Goodson, a lawyer in South Carolina, USA, was targeted. He lost access to thousands of stored legal documents when the CryptoLocker ransomware, delivered as an e-mail attachment, permanently encrypted them.

He said: "It was actually an e-mail that looked like it was coming from our phone system because our system sends voice mail messages as an attachment."


Goodson attempted to pay the $300 ransom to decrypt the files, but only after the deadline had passed. It was too late. He added: "The virus also warned if you tried to tamper or decrypt anything, it was going to be permanently locked and you could never open it."

Although the virus can be fairly easily removed, files remain encrypted in a way that researchers have considered impossible to break. Some say that the ransom should not be paid, but do not offer any way to recover files. Others say that paying the ransom is the only way to recover files that had not been backed up. Payment often, but not always, has been followed by files being decrypted.
