CryptoLocker ransomware - see how it works, learn about prevention, cleanup and recovery

Filed Under: Featured, Malware, Ransomware

This article explains how the CryptoLocker ransomware works, including a short video showing it in action.

The article tells you about prevention, cleanup, and recovery.

It also explains how to improve your security against this sort of threat in future.

CRYPTOLOCKER - WHAT IS IT?

CryptoLocker, detected by Sophos as Troj/Ransom-ACP, is a malicious program known as ransomware.

Some ransomware just freezes your computer and asks you to pay a fee. (These threats can usually be unlocked without paying up, using a decent anti-virus program as a recovery tool.)

CryptoLocker is different: your computer and software keep on working, but your personal files, such as documents, spreadsheets and images, are encrypted.

The criminals retain the only copy of the decryption key on their server - it is not saved on your computer, so you cannot unlock your files without their assistance.

They then give you a short time (e.g. 72 hours, or three days) to pay them for the key.

The decryption key is unique to your computer, so you can't just take someone else's key to unscramble your files.

The fee is $300 or EUR300, paid by MoneyPak; or BTC2 (two Bitcoins, currently about $280).

To understand how CryptoLocker goes about its dirty work, please see our step-by-step description.

→ Our detailed article is suitable for non-technical readers. It covers: how the malware "calls home" to the crooks, how the encryption is done, which file types get scrambled, and what you see when the demand appears. You may want to keep the article open in another tab or window to refer to while you read this page.

WHAT DOES CRYPTOLOCKER LOOK LIKE?

CryptoLocker reveals itself only after it has scrambled your files, which it does only if it is online and has already identified you and your computer to the encryption server run by the criminals.

We therefore recommend that you don't try the malware out yourself, even if you have a sample and a computer you don't care about, because you can't easily test it without letting your computer converse with the crooks.

However, we know you would love to see what it does and how it works, so here is a video made by our friend and colleague Mark Rickus, of Sophos Support.

We recommend this video because Mark has pitched it perfectly: he doesn't rush; he doesn't talk down to you; he lets the facts speak for themselves; and he brings an air of calm authority with just a touch of wry humour to what is a rather serious subject:

→ Can't see the details in the video on this page? Watch directly from YouTube.

HOW DO I DETECT AND REMOVE IT?

You can use the free Sophos Virus Removal Tool (VRT).

This program isn't a replacement for your existing security software, because it doesn't provide active protection (also known as on-access or real-time scanning), but that means it can co-exist with any active software you already have installed.

The Virus Removal Tool will load, update itself, and scan memory, in case you have malware that is already active.

Once it has checked for running malware, and got rid of it, then it scans your hard disk.

If it finds any malicious files, you can click a button to clean them up.

If CryptoLocker is running and has already popped up its payment demand page, you can still remove it and clean up, but the Virus Removal Tool cannot decrypt your scrambled files. Without the private key, which only the crooks hold, the contents are unrecoverable, so the scrambled copies are useless to you: the way back is a backup, or a shadow copy made before the malware triggered, if you have one.

Even if you don't have CryptoLocker, it is well worth scanning your computer for malware.

The criminals are known to be using existing malware infections as "backdoors" to copy CryptoLocker onto victims' computers.

We assume their reasoning is that if you have existing, older malware that you haven't spotted yet, you probably won't spot CryptoLocker either, and you probably won't have backup - and that means they're more likely to be able to squeeze you for money later on.

CAN CRYPTOLOCKER SPREAD ON MY NETWORK?

Fortunately, CryptoLocker is not a virus (self-replicating malware), so it doesn't spread across your network by itself.

But it can affect your network, because it searches extensively for files to encrypt.

Remember that malware generally runs with the same permissions and powers as any program you choose to launch deliberately.

So, any file, on any drive letter or network share, that you can locate and access with a program such as Windows Explorer can be located and accessed by CryptoLocker.

That includes USB drives, network file shares, and even cloud storage folders that special software drivers make appear as drive letters. A backup drive that stays plugged in, or a backup share that stays mapped, is reachable in exactly the same way.

A Naked Security reader just commented that from a single infected computer, he was "faced with 14,786 encrypted files over local and mapped network drives."

So, if you haven't reviewed the security settings on your network shares lately, this would be a good time to do so.

If you don't need write access, make files and folders read only.

SHOULD I PAY UP?

We'll follow the police's advice here, and recommend that you do not pay up.

This sort of extortion - Demanding Money with Menaces, as a court would call it - is a serious crime.

Even though CryptoLocker uses payment methods (MoneyPak, Bitcoin) that keep you and the crooks at arm's length, you are dealing with outright criminals here.

Of course, since we don't have 14,786 encrypted files, like the reader we mentioned above, we acknowledge that it may be easier for us to say, "Don't pay" than it is for you to give up on your data.

Obviously, we can't advise you on how likely it is that you will get your data back if you do decide to pay.

IS IT THE WORST VIRUS EVER?

We don't think so, although that is cold comfort to those who have lost data this time round.

Losing files completely is a terrible blow, but you can lose data in lots of other ways: a dropped hard disk, a stolen laptop or just plain old electronic failure.

The silver lining with CryptoLocker is that the criminals don't actually take your data - they just leave it locked up where it was before, and offer to sell you the key.

In many ways, malware that isn't so obvious and aggressive, but which steals your files, or monitors your keyboard while you login to your bank, or takes snapshots of your screen while you're filling out your tax return, can be much worse.

In those cases, the crooks end up with their own duplicate copies of your data, passwords and digital identity.

If you have a recent backup, you can recover from CryptoLocker with almost no consequences except the time lost restoring your files.

Identity theft, however, can be a lot harder to recover from - not least because you have to realise that it's even happened before you can react.

Even if all you have on your computer is zombie malware of the sort that crooks use to send spam, doing nothing about it hurts everyone around you, and imposes a collective cost on all of us.

That's why we are urging you to DO THESE 3 security steps, and TRY THESE 4 free tools, even if you haven't been hit by CryptoLocker.

HOW DO I ENSURE THERE'S NO "NEXT TIME"?

Here are five "top tips" for keeping safe against malware in general, and cyberblackmailers in particular:

  • Keep regular backups of your important files. If you can, store your backups offline, for example in a safe-deposit box, where they can't be affected in the event of an attack on your active files. Your backups will be rendered useless if they are scrambled by CryptoLocker along with the primary copies of the files.
  • Use an anti-virus, and keep it up to date. As far as we can see, many of the current victims of CryptoLocker were already infected with malware that they could have removed some time ago, thus preventing not only the CryptoLocker attack, but also any of the damage done by that earlier malware.
  • Keep your operating system and software up to date with patches. This lessens the chance of malware sneaking onto your computer unnoticed through security holes. The CryptoLocker authors didn't need to use fancy intrusion techniques in their malware because they used other malware, that had already broken in, to open the door for them.
  • Review the access control settings on any network shares you have, whether at home or at work. Don't grant yourself or anyone else write access to files that you only need to read. Don't grant yourself any access at all to files that you don't need to see - that stops malware seeing and stealing them, too.
  • Don't give administrative privileges to your user accounts. Privileged accounts can "reach out" much further and more destructively both on your own hard disk and across the network. Malware that runs as administrator can do much more damage, and be much harder to get rid of, than malware running as a regular user.
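The two points above about reach (anything you can see and write to, the malware can see and write to) and about trimming write access on shares can be turned into a quick self-check. The script below is an added example written for this page, not a Sophos tool: run as the logged-in user, it walks whatever folders, USB drives or mapped shares you pass it, counts how many documents of the kinds CryptoLocker goes after are reachable and writable, and lists writable documents that nobody has changed in a year as candidates for read-only access. The extension set is an illustrative subset, the 365-day threshold and the sample folder tree are constructed for the example, and `os.access` only reflects the read-only attribute on Windows, so confirm share permissions with icacls or Get-Acl before acting on the report.

```python
"""How far could a CryptoLocker-style infection reach from the account you are logged in as?"""
import os
import tempfile
import time
from pathlib import Path

# Illustrative subset of the file types the page says get scrambled (Office, Adobe, PDF, images).
# The real list differs from variant to variant; see the linked step-by-step article.
TARGETED = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
            ".pdf", ".jpg", ".psd", ".ai", ".indd"}

STALE_DAYS = 365  # assumed threshold: unchanged for a year -> candidate for read-only access


def audit(roots, targeted=TARGETED, stale_days=STALE_DAYS, now=None):
    """Walk each root (local folder, USB drive, mapped share) as the current user.

    The malware runs with your permissions, so whatever this finds, it could find too.
    Returns {root: {"targeted": n, "writable": m, "stale_writable": [relative paths]}}.
    Caveat: os.access() honours POSIX permissions, but on Windows it only reflects the
    read-only attribute, not the share or NTFS ACL; confirm with icacls or Get-Acl.
    """
    now = time.time() if now is None else now
    report = {}
    for root in map(Path, roots):
        counts = {"targeted": 0, "writable": 0, "stale_writable": []}
        for dirpath, dirnames, filenames in os.walk(root):
            # Don't follow junctions/symlinks; they could loop or wander off the share.
            dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
            for name in filenames:
                path = Path(dirpath) / name
                if path.is_symlink() or path.suffix.lower() not in targeted:
                    continue
                counts["targeted"] += 1
                if not os.access(path, os.W_OK):
                    continue
                counts["writable"] += 1
                if now - path.stat().st_mtime > stale_days * 86400:
                    counts["stale_writable"].append(path.relative_to(root).as_posix())
        counts["stale_writable"].sort()
        report[str(root)] = counts
    return report


def build_sample_tree():
    """Constructed sample data: a Documents folder and a mapped finance/marketing share."""
    base = Path(tempfile.mkdtemp(prefix="cl-exposure-"))
    files = {  # relative path -> "fresh" (edited recently) or "stale" (untouched for over a year)
        "Documents/budget.xlsx": "fresh",
        "Documents/letter.docx": "fresh",
        "Documents/notes.txt": "fresh",             # not a targeted type
        "Share/Finance/2012-accounts.xlsx": "stale",
        "Share/Finance/audit.pdf": "fresh",
        "Share/Marketing/logo.psd": "stale",
        "Share/Tools/setup.exe": "fresh",           # program files are left alone
    }
    long_ago = time.time() - 400 * 86400
    for rel, age in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample content")
        if age == "stale":
            os.utime(p, (long_ago, long_ago))
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    for root, counts in audit([base / "Documents", base / "Share"]).items():
        print(f"{root}: {counts['targeted']} targeted, {counts['writable']} writable, "
              f"read-only candidates: {counts['stale_writable']}")
```

On a real network, pass the UNC paths or drive letters of every share the account can reach; the "writable" total is the number of documents one infected PC running as that account could scramble, which is the 14,786 figure the reader above was faced with.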


80 Responses to CryptoLocker ransomware - see how it works, learn about prevention, cleanup and recovery

  1. Compursinc · 370 days ago

    We experienced an infection last month from Cryptolocker. There was no way to reverse the encryption at that time. Has anyone come up with a way to reverse it now? I still have a client who has a NAS drive which has the data on it; however, nobody has been able to unencrypt it so the data is useless.

    • Paul Ducklin · 370 days ago

      A unique RSA keypair is generated for your computer on the crooks' server.

      The crooks send the public key to your computer for the malware to use when locking your files; the private key needed to reverse the process is kept on their server.

      I don't think anyone has found any sort of implementation error, hole, backdoor, shortcut, or whatever in the cryptography used by the crooks. If you use standard crypto procedures and don't try to invent your own, it's not that hard to get it right.

      The functional detail of the malware is covered in a bit more detail (seven steps to disaster :-) in this article:

      http://nakedsecurity.sophos.com/2013/10/12/destru...

      As far as we can tell so far, the data is useless - I'd cut my losses, reformat the drive and hatch a backup policy for the future...

    • Tmac · 360 days ago

      If you created any restore points, Restore to an earlier point of C:. That solved our problem. Save the restored files, then reload the machine to make sure the malware goes away.

    • traffikator · 357 days ago

      if this is important to the customer as I assume, it may be your only way to pay the ransom, clean up and take the system off line. Sorry.

  2. Wayne · 370 days ago

    My understanding is that CryptoLocker encrypts certain types of files. Does this list of file types include backup files? If so, it may impact sites that do disk to disk backups.

    • Paul Ducklin · 370 days ago

      You can find the entire list here:

      http://nakedsecurity.sophos.com/2013/10/12/destru...

      • Jeremy · 370 days ago

        According to Reddit the list has expanded now. It also covers all PDF files and more. Best practice is to backup on an external drive that's not connected to the comp. It seems like they are still honoring decryptions.

        • Paul Ducklin · 370 days ago

          Good point - the list in our earlier article is precise *for that exact variant of the malware*, but new variants with altered operational details are easily made.

          So the list is more of an advisory or a reminder (notably that this thing attacks a lot of important stuff!) than a specification.

          Having said that, the list I linked to already included pretty much any MS Office file type, and IIRC all the various Adobe Creative Suite file types, so for most users it's going to end in tears anyway, with or without *.pdf on the list :-(

      • Wayne · 370 days ago

        I don't see .bkf or .vhd there. Interesting...

    • David Armstrong · 365 days ago

      If your backup files are saved as encrypted then Cryptolocker cannot encrypt them, I am told by our IT dept.

      • xorinzor · 354 days ago

        I'm about 99.9% sure that's not true, you can encrypt anything, even an already encrypted file, that doesn't necessarily make it more secure though, in some cases you can apply some very advanced math to decrypt a file without using all the algorithm-layers used to initially encrypt the file.

        Long story short: back up to an ext. drive disconnected from your computer, or even better, use a proper anti-virus and keep it up to date; also use an adblocker and just don't visit weird websites if you don't know what you're doing.

  3. R. McClain · 370 days ago

    I am an amateur,and long time subscriber and user. I did watch the video, but am a Mac user; never had a PC. What are the dangers with a Mac? I assume the same, but would be nice to see a video using a Mac as well.

    Thank you.

    • Paul Ducklin · 370 days ago

      This malware strain is Windows only, so the danger of a Mac getting *infected* by this variant of CryptoLocker itself is nil, assuming you don't dual-boot or run Windows in a virtual machine, of course.

      Nevertheless, if you've got file sharing turned on, your OS X Mac might get *affected* if a Windows user to whom you have granted access gets infected. His CryptoLocker program might trash some of the files on your disk. That's why we're advising you to check your file sharing permissions - a good thing to do from time to time anyway.

      (We've got some videos showing Mac malware round and about on our site...if you search for "Mac malware" or "Mac malware video" you'll come across some items that might be of interest...but fortunately nothing quite on this scale, at least so far.)

  4. Ibus R · 370 days ago

    Is there any way to find the servers which they are using?
    The names of the servers seem to be random; are they encrypted or really registered as that name?
    I think this is one of the destructive malwares of modern days.

    Thanks
    Ibus R

    • Paul Ducklin · 370 days ago

      The way it works is explained here:

      http://nakedsecurity.sophos.com/2013/10/12/destru...

      The names are random (well, pseudorandom) and look like garbage. The idea is that the crooks only have to have one of them working each day, and your CryptoLocker "client" will eventually get through, call home, and that's that.

      If you see a load of wacky DNS requests, as detailed in the article above, coming from your PC, I suggest that you disconnect from the network, get hold of the Virus Removal Tool on another PC, copy it to a USB key and use it to scan the offline computer...as long as it doesn't successfully call home, it won't trigger, since it needs the public key to encrypt the files.

      In practice, however, since it tries one name per second and (IIRC) there are 1000 names in the list for each day, it's as good as guaranteed to get through in under 20 minutes (1000" = 16'40"), even if the crooks only register one domain and it's the last one in the list.

    • Jeremy · 370 days ago

      I have visited many of their websites. IT seems they are all in Russia and the Ukraine. Also according to virustotal 38/48 virus scanners can pick up the latest variant. So if you have an up to date virus scan such as Avira, Sophos, Symantec, McAfee, Kaspersky, MBAM Pro or MSE it will nearly always pick it up.
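Paul's reply above describes the symptom a network defender can watch for: a burst of lookups for garbage names, one a second, most of which fail because the crooks only registered one or two of the day's thousand. The following is an added example, not from the article or from Sophos, that turns that symptom into a detector: it parses resolver log lines, counts NXDOMAIN answers per client in a sliding window, and checks that the failing names look random (high character entropy in the second-level label), so that a host that keeps failing to resolve one decommissioned server name is not mistaken for a call-home. The log format, hosts, timestamps and garbage names are all constructed for this example, and the window, count and entropy thresholds are assumptions to tune against your own resolver's traffic.

```python
"""Spot a CryptoLocker-style call-home burst in DNS resolver logs."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed log line layout for this example: "<time> client=<ip> name=<qname> rcode=<rcode>"
LINE = re.compile(r"^(\S+) client=(\S+) name=(\S+) rcode=(\S+)$")

# Constructed sample: 10.0.0.5 browses normally and mistypes one name; 10.0.0.9 keeps failing
# to resolve one retired server (same low-entropy name); 10.0.0.23 walks through garbage
# names once a second, the pattern described in the comment above.
SAMPLE_LOG = """\
2013-10-15T09:11:58Z client=10.0.0.5 name=www.sophos.com rcode=NOERROR
2013-10-15T09:12:00Z client=10.0.0.5 name=gogle.com rcode=NXDOMAIN
2013-10-15T09:12:00Z client=10.0.0.9 name=fileserver.local rcode=NXDOMAIN
2013-10-15T09:12:01Z client=10.0.0.23 name=qwertyuiopasdfgh.com rcode=NXDOMAIN
2013-10-15T09:12:02Z client=10.0.0.23 name=zxcvbnmlkjhgfdsa.net rcode=NXDOMAIN
2013-10-15T09:12:03Z client=10.0.0.23 name=plokmijnuhbygvtf.biz rcode=NXDOMAIN
2013-10-15T09:12:03Z client=10.0.0.5 name=www.google.com rcode=NOERROR
2013-10-15T09:12:04Z client=10.0.0.23 name=abcdefghijkl.ru rcode=NXDOMAIN
2013-10-15T09:12:05Z client=10.0.0.23 name=mnopqrstuvwx.org rcode=NXDOMAIN
2013-10-15T09:12:05Z client=10.0.0.9 name=fileserver.local rcode=NXDOMAIN
2013-10-15T09:12:06Z client=10.0.0.23 name=yzabcdefghijklmn.info rcode=NXDOMAIN
2013-10-15T09:12:07Z client=10.0.0.23 name=opqrstuvwxyzabc.com rcode=NXDOMAIN
2013-10-15T09:12:08Z client=10.0.0.23 name=defghijklmnopqr.net rcode=NXDOMAIN
2013-10-15T09:12:09Z client=10.0.0.23 name=stuvwxyzabcdefg.biz rcode=NXDOMAIN
2013-10-15T09:12:10Z client=10.0.0.23 name=hijklmnopqrstuv.ru rcode=NXDOMAIN
2013-10-15T09:12:10Z client=10.0.0.9 name=fileserver.local rcode=NXDOMAIN
2013-10-15T09:12:11Z client=10.0.0.23 name=wxyzabcdefghijk.org rcode=NXDOMAIN
2013-10-15T09:12:12Z client=10.0.0.23 name=lmnopqrstuvwxyz.info rcode=NXDOMAIN
2013-10-15T09:12:15Z client=10.0.0.9 name=fileserver.local rcode=NXDOMAIN
2013-10-15T09:12:20Z client=10.0.0.9 name=fileserver.local rcode=NXDOMAIN
2013-10-15T09:12:25Z client=10.0.0.9 name=fileserver.local rcode=NXDOMAIN
2013-10-15T09:12:30Z client=10.0.0.9 name=fileserver.local rcode=NXDOMAIN
2013-10-15T09:12:30Z client=10.0.0.5 name=mail.example.com rcode=NOERROR
2013-10-15T09:12:35Z client=10.0.0.9 name=fileserver.local rcode=NXDOMAIN
2013-10-15T09:12:40Z client=10.0.0.9 name=fileserver.local rcode=NXDOMAIN
2013-10-15T09:12:45Z client=10.0.0.9 name=fileserver.local rcode=NXDOMAIN
"""


def entropy(label):
    """Shannon entropy of the characters in a label, in bits per character."""
    counts = Counter(label)
    total = len(label)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def sld(name):
    """Second-level label, e.g. 'sophos' for www.sophos.com (ignores multi-part TLDs such as .co.uk)."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def busiest_window(times, window):
    """Largest number of (sorted) timestamps that fall within `window` of each other."""
    best, j = (0, None, None), 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start <= window:
            j += 1
        if j - i > best[0]:
            best = (j - i, start, times[j - 1])
    return best


def detect(log_text, window_seconds=60, threshold=8, min_entropy=3.0):
    """Return {client: details} for clients whose NXDOMAIN pattern looks like a DGA call-home."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, client, name, rcode = m.groups()
        if rcode == "NXDOMAIN":
            events[client].append((datetime.strptime(ts, FMT), name))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        count, start, end = busiest_window([t for t, _ in evs], timedelta(seconds=window_seconds))
        names = [n for _, n in evs]
        mean_h = sum(entropy(sld(n)) for n in names) / len(names)   # over all of this client's failures
        if count >= threshold and mean_h >= min_entropy:
            flagged[client] = {"count": count, "distinct": len(set(names)),
                               "mean_entropy": round(mean_h, 3),
                               "start": start.strftime(FMT), "end": end.strftime(FMT),
                               "sample": names[:3]}
    return flagged


if __name__ == "__main__":
    for client, info in detect(SAMPLE_LOG).items():
        print(f"{client}: {info['count']} NXDOMAIN in {info['start']}..{info['end']}, "
              f"mean label entropy {info['mean_entropy']}, e.g. {info['sample']}")
```

When this fires, Paul's advice applies: pull the host off the network before it gets an answer, because the files are only scrambled once the public key has come back from the crooks' server.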

  5. Anonymous · 370 days ago

    You didn't state whether using 'System Restore' could possibly mitigate this infection/encryption. Any ideas?

    • KathPoole · 163 days ago

      System Restore doesn't affect documents or pictures, according to the system restore blurb. Rats.

  6. Andrew · 370 days ago

    I have a question if anyone can answer it , what would happen if your files are already encrypted with your own key and they are in your own vault within your computer ?

    Would this malware still be able to encrypt your personal files?

    • Paul Ducklin · 370 days ago

      The answer to that is, "It depends."

      The malware will scramble any file that:

      1. Is on a drive and in a folder it can locate.

      2. It has write access to.

      3. Is on the list of files to attack. (The malware carefully ignores OS and software files so your computer still works - they need that so you can get online and send them the money.)

      So if you have an encrypted "vault" file that is mounted, the malware probably won't be able to write to it, because the file will be locked for the exclusive use of the encryption program.

      However, if the "vault" is mounted, the malware will be able to look inside it, and may be able to trash individual files inside it.

      Very loosely speaking (if not 100% accurately), any file that you can list by name in an Explorer window, and that you could remove by hitting [Del], can be found and attacked by the malware.

      • Andy · 359 days ago

        Thanks for the information. Bearing this in mind, I now have a program that encrypts and hides all files and puts them into a safety vault and removes it from Explorer so as not to be visible. However, there are some drawbacks: you need to remember what the vault is called, otherwise you can lose all your files. If at any time you forget the password and/or enter it incorrectly, all files are deleted from the drive, including the vault. Scary stuff, so it's always a good idea to have a stand-alone drive with backups of all your files.

    • chris · 351 days ago

      Theoretically, the malware would take your already encrypted files and encrypt them again with the new key. This would be true only if the file extension of the encrypted file was one it was looking for.

  7. Dave B. · 370 days ago

    What are the chances that Windows 7 users could just delete the encrypted files and recover them using shadow copy (previous versions)?

    • I think it depends which version of cryptolocker you had, some users have been able to recover using shadow copy but there are many who still weren't able to. Worth a shot.

    • Paul Ducklin · 370 days ago

      I'm not a VSS aficionado, but from how I think it works and what it does, then if you have a shadow copy that was made before the malware triggered, you basically have a backup containing unencrypted copies of all the files that got trashed, right? Which is surely just what you need?

      As far as I am aware, trashing a DOC file with CryptoLocker is pretty much the same, programmatically, as opening it in Word, overwriting it with garbage, and saving it.

      A shadow copy, *if you have one from a suitable time in the past*, can recover files trashed by human blunder, so why not by CryptoLocker malevolence?

      But clean up the malware on your network first - see @Paul's comment below for why :-)

      • anon · 364 days ago

        Assuming vss is enabled and the recovery snapshots are not corrupted (they do get corruption from time to time, unrelated to the malware), then once the malware is removed from the system you could recover your files. But vss is not a substitute for backups. Encryption is not the same as opening a file and overwriting it with garbage and saving it, but the net effect to you the user is the same.

  8. sud0x · 370 days ago

    Do you know if this type of ransomware only targets known file extensions? or does it encrypt every single file on one's computer?

    • Paul Ducklin · 370 days ago

      See above (the thread started by @Wayne).

      The list of files in *this* variant can be found here:

      http://nakedsecurity.sophos.com/2013/10/12/destru...

      Other variants may have a different list, so damage may vary somewhat. But it doesn't smash every file - notably, the operating system and your software files are mostly left alone, so that your computer keeps working.

      The crooks don't want to kill your computer completely - since you need to be online to pay them the money, zapping *all* your files would kill the goose that was about to lay the golden Bitcoins :-)

  9. Paul · 370 days ago

    I have spent the whole week dealing with this.
    Encrypted files are safe !!
    We didn't know a computer had a virus and every time we restored a Backup within a couple of hours it was knackered again.
    We found the virus by chance by looking at open shares on the server and 1 PC had about 100 files open, but the user wasn't there and I had rebooted the server since they had left.
    Once we pulled this off of the network we could use previous backups and restore points, BUT only from before that PC had been infected.
    The backups and restore points were still working with the encrypted files. Therefore we were restoring encrypted data.

    • dean · 349 days ago

      I believed it's not your computer, it comes from web sites; for instance, my 3 encounters were from Clicksor sponsored and ad marketed sites.

  10. banin · 369 days ago

    at our organization one of the users had that malware!
    I'm sorry if it mentioned up , but is it possible to recover the user's files after removing the malware ??

  11. Paul Ducklin · 368 days ago

    Long answer, "It might just be possible, but you'd have to negotiate with the crooks, and trust that they were lying when they said that they would delete your decryption key permanently after 72 hours."

    Short answer, "No."

    See the section "CryptoLocker - what is it?", and also look at the explanation here:

    http://nakedsecurity.sophos.com/2013/10/12/destru...

  12. Does the software prompt with the demands the instant it retrieves a key pair, after a certain time spent encrypting, or after it cannot find any more files to encrypt?

    It's worth knowing, as users should be aware if immediately powering down a system once spotting this prompt will at least minimise the damage. From the video it appeared as though it was still using a fair amount of CPU time, making me think encryption was ongoing after the prompt.

    • Paul Ducklin · 365 days ago

      AFAIK, it displays the pay page as soon as it can, whether it's finished encrypting or not.

      So if you see the pay page, I don't think it would do any harm to shut down immediately, boot from a recovery CD (Sophos Bootable Anti-Virus would do the trick) and try to extract your important files to an external drive - if you don't have a backup you might be able to save some of your work even at this late stage.

      Assume the worst, though. Don't rely on this approach to leave anything behind...the encryption itself doesn't require a huge amount of work, at least on the local drive, so it happens pretty quickly.

  13. Henry · 366 days ago

    This points up the value of performing frequent backups. I prefer an external hard-drive that can then be disconnected from the computer.

    If you have a backed up version of a file, can a comparison of it and the same file after encryption, allow you do decipher the decryption key?

    • xanadian · 365 days ago

      I had the same issue with someone else. I figured a known-plaintext would work, or something similar (since I already had a backup of a file that had been affected by the virus), but not against the RSA algorithm, apparently. Or so I've read.

    • Paul Ducklin · 365 days ago

      No.

      What you're thinking of is a known plaintext attack, but those don't work if you implement the encryption "by the book" (whether you use public key encryption, traditional secret key encryption, or both).
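Paul's two replies above (in comment 1, on the per-computer RSA keypair whose private half never leaves the crooks' server, and here, on why a known plaintext doesn't help) can be shown in code. What follows is an added example written for this page, not the malware's code and not from the article: it models the scheme the page describes, in which the "server" generates an RSA keypair and hands the victim only the public key, each file is scrambled under its own fresh random key, and that key is wrapped with the public key. Two simplifications are assumptions for the sake of a self-contained, stdlib-only script and don't change the point: an HMAC-SHA256 keystream stands in for AES, and a textbook RSA wrap with a 512-bit modulus stands in for RSA-OAEP with a 2048-bit one. The demo returns three facts: the private-key holder can decrypt, another victim's private key cannot, and knowing the plaintext of one file (from a backup) gives you that file's keystream and nothing usable for any other file.

```python
"""Model of the hybrid public-key scheme the article describes, in pure Python."""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a trial-division prefilter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def server_keygen(bits=512):
    """Runs on the crooks' server. Only (n, e) is ever sent to the victim; d stays put."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def keystream_xor(key, nonce, data):
    """Stand-in stream cipher: HMAC-SHA256(key, nonce || counter) as keystream. Not AES."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_file(pub, plaintext):
    """Victim side: fresh random key per file, wrapped under the public key only."""
    n, e = pub
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    return {"wrapped_key": pow(int.from_bytes(key, "big"), e, n),   # textbook RSA, not OAEP
            "nonce": nonce, "ciphertext": keystream_xor(key, nonce, plaintext)}


def decrypt_file(priv, blob):
    """Server side: unwrap with d. A wrong private key yields junk that is not a 256-bit key."""
    n, d = priv
    k = pow(blob["wrapped_key"], d, n)
    if k >= 1 << 256:
        return None
    return keystream_xor(k.to_bytes(32, "big"), blob["nonce"], blob["ciphertext"])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def demo():
    pub, priv = server_keygen()               # this victim's keypair
    _, other_priv = server_keygen()           # some other victim's keypair
    doc_a = b"Q3 budget: revenue 1,200,000; costs 950,000; headcount 41; notes follow..."
    doc_b = b"Dear Ms Smith, your mortgage application reference 4471 has been approved."
    blob_a, blob_b = encrypt_file(pub, doc_a), encrypt_file(pub, doc_b)
    # Known plaintext: a backup of doc_a plus scrambled doc_a recovers doc_a's keystream...
    keystream_a = xor(doc_a, blob_a["ciphertext"])
    # ...but doc_b was scrambled under a different key and nonce, so that buys nothing.
    guess_b = xor(keystream_a, blob_b["ciphertext"])
    return {
        "server_decrypts": decrypt_file(priv, blob_a) == doc_a and decrypt_file(priv, blob_b) == doc_b,
        "other_victims_key_works": decrypt_file(other_priv, blob_a) == doc_a,
        "known_plaintext_helps": guess_b == doc_b[:len(guess_b)],
    }


if __name__ == "__main__":
    for fact, value in demo().items():
        print(f"{fact}: {value}")
```

Everything left on the victim's disk after `encrypt_file` runs is the public key, the ciphertexts and the wrapped keys; `d` exists only in `priv`, which is the "server" side of the model. That is the whole reason an anti-virus can remove the malware but not undo its work.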

  14. Altaf Patel · 366 days ago

    Can anybody lodge Cyber Crime against malware creator? Or is it defeat of IT against malwares ? Our manager got that virus and now all our business is badly affected.

  15. DD-London · 365 days ago

    Can anyone (that's not a criminal) confirm they have actually recovered files by paying the ransom?
    We spoke to Action Fraud a UK government helpline (0300 123 2040) the chap I spoke to had about 10 callers with the virus, 3 had paid but did not get data restored. He didn't know of anyone that had.

    • Bob Johnson · 364 days ago

      Many accounts say yes, it usually takes up to 48 hours for them to confirm that they received payment. In addition to unencrypting your files, it installs a process on your computer preventing re-infection

      • Jorge Reyes · 203 days ago

        If that last part is correct, is it not possible to discover how to replicate their process for preventing re-infection? If a group of devoted security researchers paid the ransom, studied the process that prevents re-infection and compared results, they could eventually create an algorithm for creating these re-infection processes and sell it to an anti-virus company for a lot of money.

  16. Oscar D. · 365 days ago

    We have just been hit with this malware Monday night and I will have to say that it is a nightmare! It encrypted about 80GB of data (pictures, Word, Excel, PPT). We have a Kaspersky antivirus server and I am extremely upset it didn't detect it. The computer infected had multiple drives in a file server and it encrypted all the files that the user had access to. At this point I am debating if I should pay the $300. If I come to a solution I will post it.

    • Paul Ducklin · 365 days ago

      Sorry to hear that Kaspersky missed it. (I'll not be gloating. You win some, you lose some.) Sounds as though the user might have had more write access than strictly necessary - could be a good time, when this is done and dusted, to review how broadly you allow write access to files.

      If you give user X write access to 100,000 files of which they'll only change 2 or 3 a month, it's probably worth giving them write access to 0 files and editing their access when it's really needed.

      Yes, that adds some extra administrative effort...but it can prevent large-scale disasters, whether deliberately or accidentally caused.

      It's like not giving everyone a key to the stationery cupboard for the rare occasions they need a new pencil when no-one's around :-)

    • Dave · 358 days ago

      Paying the money will not get your files unlocked. They tell you it will to get you to pay.

      • Larry · 356 days ago

        I can say that at least at some point in the past, paying did get your files unencrypted. Someone I know ended up paying and got access back to all files. We backed them up and then wiped the hard drive before allowing just the files to be restored.

      • ipjd2000 · 349 days ago

        This is not true. Payment does get the files unlocked and is the only reasonable step if you have a large number of files affected. We had 300GB of client files affected by cryptolocker. It took approx. 10 hours to decrypt all of them, but it did work.

  17. Rajesh · 365 days ago

    What is the best option for offline backup?

    • Paul Ducklin · 365 days ago

      External hard disks? USB flash drives?

      They're easy to use and store. With USB3 I can transfer up to 3GB/minute from my Mac to the external disk, so even backing up things like 20GB virtual machine files and rendered videos is a quick process.

      They're easy to store off-site, too. And if you use a regular filing system (e.g. NTFS, Mac HFS+) you can easily encrypt the whole disk so you know that it can't easily be viewed by unauthorised users.

  18. anon · 364 days ago

    System restore does not backup data, only system related files and configuration information. You should make an image backup of your entire system as a matter of best practice and then do a file backup and retain them at least a couple of weeks. Don't leave the backup drive connected to the computer when not actually backing up.

  19. mal · 363 days ago

    Thanks for the video. Does anyone know what image file the malware drops onto the desktop?
    If you watch the video closely at 4:31, right after it changes the deskop background, it drops a randomly named image.
    Is it a list of files it encrypted for the user to "verify"?

    • Paul Ducklin · 363 days ago

      It's just a warning/threat text that you see if the malware process is shut down so the foreground window (as shown above) is no longer covering it.

      It says something along the lines of, "Now look what you've done! Your anti-virus cleaned up the malware and so now you can't buy the key back, hahahaha." (I made that up, but you get the idea.)

      IIRC it even advises deliberately reinfecting yourself if you want a second chance at contacting the crooks to buy back the key.

  20. Oscar D · 363 days ago

    In reference to the post I made two days ago in here. It is confirmed in my case that paying the $300 to Cryptolocker through MoneyPak worked; it took about a day to process the payment and another day to decrypt all the files back to their original state... I then disconnected the infected computer, keeping it away from the network, and made a backup on an external HD to scan and verify the integrity of the documents (PDF, Word, Excel etc.) before putting it back up on the file server. The only reason I paid them is because I did not have a recent backup of the encrypted files. =/ So people, I learned my lesson: check that your backups are OK so you can

    • Marty · 351 days ago

      so do you have the key? will it work for every one infected if you gave it to us?

      Marty

      • Paul Ducklin · 351 days ago

        From the article above:

        "The decryption key is unique to your computer, so you can't just take someone else's key to unscramble your files."

        So, no, it wouldn't work.

  21. Compursinc · 357 days ago

    We have now seen this three times with different clients.
    While there is no way to reverse the encryption we have come up with some good ideas.

    First the clients email were affected so we have been able to capture all of their emails with attachments for them.

    Next we did save other types of files such that were not encrypted.

    None of the clients were willing to pay the ransom. We reviewed all of the options with them.

    Finally the applications still work so the backups which were available and any flash drives were able to be used to restore what ever data was important.

    This is the worst thing I have ever seen in my 30+ years in the IT field.

    If someone comes up with a fix this is worth almost any price.

    • Larry · 356 days ago

      Sadly it appears to most that the bad guys in this case wrote a real RSA public/private key encryption program. No Private key, no decryption. So there won't be any magic remedy, although I can picture someone CLAIMING that ability for even more $.

  22. My father works with an IT group, and started there recently. The company did not have a Backup, or anything else to prevent this program from destroying several clients' data, which spells death for a company whose main source of income is data storage. Paying up was literally their only option, and the decryption program they use will stop running completely if it encounters a file it can't decrypt,requiring you to restart the decryption process. It was a nightmare to deal with and a train wreck to observe.

  23. Debbie L. · 351 days ago

    I work for a small mortgage company that has been around for over 25 years. We have about 10 years of files on a server, and unfortunately, NO BACK UP! We have paid the ransom today in the hopes of having our files returned decrypted as we cannot even fathom or chance losing all of our files. We also in the last couple of years went paperless, so you can see our desperation. I will keep you posted regardless! Starting over from scratch is just not an option...

    I hope the FBI can catch these guys...And would love any suggestions on how to deal with the aftermath.

    • dean · 349 days ago

      If your company allows access to web sites then I assume it was downloaded from one, because all my 3 encounters were from Clicksor sponsored and ad marketed sites. Did the ransom image state that you had been doing illegal activities, pretending they were from the federal government? The only way to get the system back is to buy a MoneyPak then input the code?

  24. NBG · 351 days ago

    Is it really so difficult to trace where these payments are going? Arms length is one thing, felony extortion is another. I would say it is possible to trace the payment if law enforcement knows about it from the start. Someone has to be the steady recipient of this money.

    • Paul Ducklin · 351 days ago

      Generally speaking, you can see Bitcoin transactions reaching a destination...but making sense of that destination (e.g. tying it to a person) can be very tricky, if not almost as good as impossible.

    • Jermaine · 350 days ago

      I agree. I know that Bitcoin is, in theory, untraceable but we're talking national intelligence agencies. I don't buy for one minute they're that incompetent. If they wanted to catch the extortionists, they could.

  25. If the malware continues to encrypt after you notice it, then use a sacrificial file and then you have a before and after. In theory, how many files are needed to reconstruct a key after some number-crunching [which could take a VERY long time, but still less than infinite time to never recover dead files].

    • Paul Ducklin · 351 days ago

      In theory, it's just not possible to recover scrambled files without the key. The crooks seem to have programmed the cryptographic parts correctly.

  26. f**youchelios · 351 days ago

    Talk about "damned if you do, damned if you don't", there's no guarantee that the files recovered are actually infection or corruption free.
    You might pay up and find a month down the road that files have subtle errors.

  27. Bill J · 350 days ago

    I run Mac OS X Mavericks, but I also have Parallels running. How do I protect my Mac file system since Parallels shares it across the VM boundary?

  28. Mark · 337 days ago

    The pop-up is not coming up. I need to get my files and since I did not have backups I will need to pay. Any suggestions on how?

  29. I have read around that Windows System Restore will be able to restore the files that were encrypted to their original state. If that is the case, then software that performs instant restore, such as RollBack Rx, should be able to restore the system and its files to the state before the infection, yes? Or am I missing some crucial cryptography component that will even lock down such restore options?

  30. Alan Edwards · 298 days ago

    I have also got this problem; several file servers have hundreds of files on them that I cannot access due to encryption.
    The PC on the network that had the warning notice no longer has it, so I am unable to pay if I wanted to.

    Can anyone please advise how, if I wanted to pay for the un-encryption, I could pay.

    Thanks in anticipation.

    Regards

    Alan

  31. DONT FUKKEN SPAM ME!!! · 263 days ago

    Most of these answers suggest paying up and sound like they're very much supportive of this type of filthy rotten crook, and make this rubbish sound so sophisticated.

    My suggestion is before you pay a cent contact:

    http://www.fbi.gov/contact-us/

    http://www.actionfraud.police.uk/report_fraud

    ...or the authority in your country and ask them what they suggest. If the money can be digitally transferred then surely it can be digitally traced? Someone has to receive it, and the authorities have the technology and the authority to demand to know who does.

  32. Dave Leippe · 246 days ago

    If I encrypt a document with a file type on the CryptoLocker list, will that file be visible to CryptoLocker and be encrypted again?
    I suspect that a file that I encrypt is still listed in the MFT and would be found by CryptoLocker.

    • Paul Ducklin · 246 days ago

      If CryptoLocker can open, read and write the file using the Windows API, then it can encrypt it for its own purposes, regardless of whether it was encrypted before. As far as I am aware, it decides whether to try rewriting a file based only on its extension.

  33. Anonymous · 238 days ago

    "Fortunately, CryptoLocker is not a virus (self-replicating malware), so it doesn't spread across your network by itself." Did you mean a 'worm' by self-replicating malware?

    • Paul Ducklin · 238 days ago

      CryptoLocker is not a virus (it is not self-replicating), which means it's not a worm either.

      (All worms are viruses, but not all viruses are worms. Worms are a special subset of viruses that are self-contained, i.e. do not need a host file to infect.)

  34. Max Headroom · 224 days ago

    Wow - 146 days and no one's tracked these guys down yet?
    Server names mean DNS lookups - DNS lookups mean TLD entries, registration info and traceable IPs.
    At the very least, I'm surprised no one has (D)DoS'ed these a-holes yet (pardon my French...)

    • Paul Ducklin · 224 days ago

      Well, the servers and domain names move around all the time...and how do you trace someone's IP number if they registered via a proxy on some home user's zombified PC?

      Not saying it can't be done, just (sadly) that, as so often happens, all the rules that squeeze legitimate users to give up loads of PII in return for getting online services (it's not as though collecting all that stuff puts us at any risk if there's a breach, and it's not as though breaches happen very often, ha!) don't put a whole lot of strain on the crooks :-(

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog