Everything you need to know about CryptoLocker

CryptoLocker, first discovered in September 2013, is a ransomware trojan that targets computers running Microsoft Windows.

A CryptoLocker attack can come from various sources, usually disguised as a legitimate email attachment. When it is activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware’s control servers.

The malware then pops up a message offering to decrypt the data if a payment through either Bitcoin or a pre-paid voucher is made by a certain deadline. It also threatens to delete the private key if the deadline passes. If this deadline passes without payment, the malware offers to decrypt data via an online service provided by the malware’s operators, for a significantly higher price in Bitcoin.

The creation of CryptoLocker represents a very significant moment in the history of viruses. It is an example of viruses now being intelligent enough to identify critical database files and steal high-value data, not just data selected at random. The CryptoLocker "ransomware" virus then encrypts the data with unique encryption keys, and is smart enough to take an electronic payment and then send a company the correct decryption keys and software.

As an example, this month Paul Goodson, a lawyer in South Carolina, USA, was targeted. He lost access to thousands of stored legal documents when the CryptoLocker ransomware, delivered as an e-mail attachment, permanently encrypted them.

"It was actually an e-mail that looked like it was coming from our phone system because our system sends voice mail messages as an attachment," Goodson said.

Goodson attempted to pay the $300 ransom to decrypt the files, but only after the deadline had passed. It was too late. He added: "The virus also warned if you tried to tamper or decrypt anything, it was going to be permanently locked and you could never open it."

Although the virus can be fairly easily removed, files remain encrypted in a way that researchers have considered impossible to break. Some say that the ransom should not be paid, but do not offer any way to recover files. Others say that paying the ransom is the only way to recover files that had not been backed up. Payment often, but not always, has been followed by files being decrypted.
This article is from the CBROnline archive: some formatting and images may not be present.