Destructive malware "CryptoLocker" on the loose - here's what to do

Filed Under: Cryptography, Data loss, Featured, Malware, Ransomware

SophosLabs has asked us to remind you about a destructive malware threat that calls itself CryptoLocker.

Sophos Anti-Virus detects it by the name Troj/Ransom-ACP, because that's exactly what it does: holds your files to ransom.

Demanding money with menaces

Malware that encrypts your data and tries to sell it back to you, or else, is not new.

In fact, one of the earliest pieces of malware that was written specifically to make money, rather than simply to prove a point, was the AIDS Information Trojan of 1989.

That Trojan scrambled your hard disk after 90 days, and instructed you to send $378 to an accommodation address in Panama.

The perpetrator, one Dr Joseph Popp, was tracked down in the USA, extradited to the UK to stand trial, displayed increasingly shambolic behaviour, and was ultimately kicked out of Britain and never convicted.

Fortunately, his malware was similarly shambolic: it used simplistic encryption algorithms, and every computer was scrambled in the same way, so free tools for cleanup and recovery soon became available.

Sadly, the crooks behind the CryptoLocker malware haven't made the same coding mistakes.

The malware seems to do its cryptography by the book, so there is no way to recover your scrambled files once it has triggered. (You could, I suppose, try paying the ransom, but I recommend that you do not.)

What CryptoLocker does

When the malware runs, it proceeds as follows:

1. CryptoLocker installs itself into your Documents and Settings folder, using a randomly-generated name, and adds itself to the list of programs in your registry that Windows loads automatically every time you logon.

2. It produces a lengthy list of random-looking server names in the domains .biz,, .com, .info, .net, .org and .ru.

3. It tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds.

4. Once it has found a server that it can reach, it uploads a small file that you can think of as your "CryptoLocker ID."

5. The server then generates a public-private key pair unique to your ID, and sends the public key part back to your computer.

→ Remember that public-key cryptography uses two different keys: a public key that locks files, and a private key that unlocks them. You can share your public key widely so that anyone can encrypt files for you, but only you (or someone to whom you have given a copy of your private key) can decrypt them.

6. The malware on your computer uses this public key to encrypt all the files it can find that match a largish list of extensions, covering file types such as images, documents and spreadhseets.

→ Note that the malware searches for files to encrypt on all drives and in all folders it can access from your computer, including workgroup files shared by your colleagues, resources on your company servers, and possibly more. The more privileged your account, the worse the overall damage will be.

7. The malware then pops up a "pay page," giving you a limited time, typically 72 hours, to buy back the private key for your data, typically for $300. (The price point is suprisingly similar to what it was back in 1989.)

→ With the private key, you can recover your files. Allegedly. We haven't tried buying anything back, not least because we know we'd be trading with crooks.

What we have seen

SophosLabs has received a large number of scrambled documents via the Sophos sample submission system.

These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption, and that we can help them get their files back.

But as far as we can see, there's no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble.

In the clumsy but categorical words of the criminals themselves:

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files.

And that's why SophosLabs wanted us to write this article, since they're faced with the sad job of telling the victims that their files are as good as deleted.

How the threat gets in

SophosLabs reports two main infection vectors: via email attachments and via botnets.

Email attacks are fairly easy to avoid: take care with attachments you weren't expecting, or from people you don't know well.

Infection via a botnet is a little different, since the crooks are using the fact that you are already infected with malware as a way to infect you with yet more malware.

That's because most bots, or zombies, once active on your computer, include a general purpose "upgrade" command that allows the crooks to update, replace, or add to the malware already on your PC.

So take our advice: make it your task today to search out and destroy any malware already on your computer, lest it dig you in deeper still.

What you can do

Take this story as a warning, and don't forget that there are many other ways you could lose your files forever.

For example, you could drop your laptop in the harbour (it happens!); a thief could run off with your computer (it happens!); or you could entrust your files to a cloud service that suddenly shuts down (it happens!).

The endgame is the same in all cases: if you have a reliable and recent backup, you'll have a good chance of recovering without too much trouble.

Prevention, in this case, is significantly better than cure:

  • Stay patched. Keep your operating system and software up to date.
  • Make sure your anti-virus is active and up to date.
  • Avoid opening attachments you weren't expecting, or from people you don't know well.
  • Make regular backups, and store them somewhere safe, preferably offline.

Don't forget that services that automatically synchronise your data changes with other servers, for example in the cloud, don't count as backup.

They may be extremely useful, but they tend to propagate errors rather than to defend against them.

To the synchroniser, a document on your local drive that has just been scrambled by CryptoLocker is the most recent version, and that's that.

Further information

For advice on how to improve your security against this sort of threat in future, we've prepared a guide to prevention, cleanup and recovery. (The guide also features a fascinating video of the malware in action.)

For information on how to access our support knowledgebase, our sample submission system, and how to find us on the IT social business network Spiceworks, please see this article on the Sophos corporate blog.

, , , , ,

You might like

126 Responses to Destructive malware "CryptoLocker" on the loose - here's what to do

  1. Jeremy · 726 days ago

    I assume paying would decrypt the files but not remove the malware so they may screw you around again. If it can't contact any domains you're screwed once it's encrypted. Scary stuff.

    • Paul Ducklin · 726 days ago

      Assume you were infected with a variant of this stuff that you'd heard on the grapevine did neatly clean up after you paid the crooks (just to get some "good reviews" out there amongst previousvictims)...

      ...are you going to trust these guys that it'll turn out that way on your computer :-)

      • mika_brzezinski · 682 days ago

        "Assume you were infected with [...] this stuff that you'd heard [...] did neatly clean up after you paid the crooks [...] are you going to trust these guys that it'll turn out that way on your computer :-) "

        i don't have $300 but if i did, i would. it's not a matter of trust--what choice is there? i mean, i assume we're talking about irretrievable, sensitive or otherwise-important, data. unless you'd rather wait for a mathematical/cryptological breakthrough, it's a no-brainer. also, assuming they'd sent the private keys to previous victims already, why would they arbitrarily stop? they're making money and increasing faith (even further) in victims that, while they may not like what's happened to them, the only solution offered is--at least--legit.

        the simplest way for the average user to protect themselves imo is to buy a 1tb external drive (or as large as their budget allows) and get comfortable with *data* backups. sometimes, these articles only cater to technical people who are already practicing some level of information assurance.

        i think hyping people to stay up-to-date on everything is what makes non-technical users susceptible to legitimate-looking popups scaring them into "updating" some software package or operating system because they don't know what they're doing. i don't even have an anti-virus program and have never fallen victim to a virus. i could get attacked, yes, but given that i know several techies that have fallen prey to malware (quite a few times) in their lifetimes, how you use your system, and how paranoid you are, is more important than the latest virus definitions since good malware writers are not using a 3-year-old well-known signature.

        one question then i'm gone (sorry for the long post): which is safer? an up-to-date windows 7/8 or an ancient windows xp sp1? malware writers, whether for fun or gain, target systems that have big footprints that will give them a big impact so users need to think practically instead of having simplistic assumptions about having the latest software. i don't even update my software anymore if the changes are not material to me.

        • I was with you for the first half and then...

          I am interested in your assertion that you have never fallen victim to a virus - even if you have anti-virus software that's hard claim to back up.

          Modern malware is for the most part trying to avoid detection and be as stealthy as possible - the criminals want it sat on your computer for as long as possible so they can log your keystrokes, mine bitcoins or relay spam. Cryptolocker is very much the noisy exception.

          Also it doesn't just arrive in dodgy emails - an awful lot of malware gets distributed via legitimate but compromised websites. You cannot simply avoid 'likely' websites. And the websites that get compromised... you guessed it, they're often the ones that don't keep their software up to date. Once a vulnerability is found in a common content management system or plugin criminals can scan the *entire* web looking for vulnerable machines.

          And good malware writers may not be using 3 year old signatures but the 3 year old malware hasn't gone away. So long as it can find a foothold it spreads and it often continues to be successful (Conficker is a good example of this) precisely because people don't patch their systems.

          I'll let Paul answer your final question "...XP is more than five times as permeable to malware than Windows 8". Please see for the full explanation.

        • mika_brzezinski · 671 days ago

          i'm responding to mark stockley but i don't see a reply button on his comment so this might not nest properly.

          "I am interested in your assertion that you have never fallen victim to a virus..."

          to be unambiguous, i meant that i've never had malware that deleted my files/did a low-level format/encrypted my files/made my system unstable or any of the things that really make people mad about malware. i have had adware or minor things like that, but even then, it's because back then, i used to use 'free' software knowing that they bundled it with some other products and i often did not have a choice or was too lazy.

          it's possible that i have a keylogger (especially in the current state of affairs) or software using my spare cpu cycles to mine bitcoins, i guess, but whether that's not the case is not worth going into here.

          "Also it doesn't just arrive in dodgy emails[...] You cannot simply avoid 'likely' websites"

          yes, you can. *you* (and some others) might not be able to, but i do not use the internet like other people. for one, i do not really browse. when i hit the net, there are very few sites that i go to and they're ones which place high value on reputation (security, content etc.) even more than anything else. also, i turn *everything* on my browser off (javascript, images, cookies, plugins etc.) and only turn cookies on for a few minutes while i check my basic html mail.

          should everyone do this? no, but i'm telling you that that's how i use my system but i can (and do) go even further and use sandboxed or VMed browsers but i won't get into all the ways that i try to protect my system. i just want to impress upon you that richard stallman is not the only paranoid person in the world and there are people who do employ a high-level of checks and balances without losing productivity. i even manage to have a life, strangely.

          "[T]he websites that get compromised... you guessed it, they're often the ones that don't keep their software up to date"

          i never said "never update". i said i do not update if the changes do not matter in my case. that's what the information on the updates is for: does it apply to me? and to quote what i said:

          "i don't even update my software anymore *if the changes are not material to me* "

          obviously, security and stability matter (to pick two examples) and i pay attention to those. also, server admins are not non-technical users so they would know what they're doing. notice that i was referring to the susceptibility of non-techies:

          "non-technical users [are] susceptible to legitimate-looking popups scaring them into 'updating' [software]"

          clearly, administrators are not making decisions in the same way and they have other considerations that may not allow them to apply patches immediately e.g. see the rails security that happened in the beginning of the year. patches can be buggy, and some people are not able to just apply them (even if they're not buggy) because the patches can render certain features that third party developers had used to build necessary applications (that are no longer actively developed) useless, and the current applications therefore, useless.

          some people shoot themselves in the foot updating without making such considerations.

          "I'll let Paul answer your final question...Please see [link] "

          i'm not sure how much i should respond to paul here since he admits:

          "[...] I have still to finish reading the report in full...I just haven't got through it yet"

          lemme start with the statistics which i don't like but i must play the game.

          "[...] XP is more than five times as permeable to malware than Windows 8"

          xp (31.22%) is also used 5 times as much as windows 8 (6.66%) although that probably means nothing in that context. if windows 8.1 is (statistically) secure now (i.e. the *rate* of infections is lower), it still might not mean what we think it means in terms of security because the high-severity vulnerabilities/malware are the ones that matter. according to that report, medium vulnerabilities account for the majority (52.9%) so xp is probably taking more than its fair share of those, not because it's more insecure, but the kiddies are intimately familiar with it.

          paul and i appear to agree on something (which was actually the point that i was clumsily trying to get across on the last paragraph of my previous comment):

          paul: "The most common platform, you can argue, is more likely to be singled out by malware writers..."

          me: " malware writers, whether for fun or gain, target systems that have big footprints..."

          to conclude, there's no question -- i concede -- that software gets more secure relative to older software that it replaces (on average, anyway) but so does the software to undo that security. the gap between secure and insecure is best increased, in my opinion, by changing behaviour and usage.

    • JES · 718 days ago

      Our company got this bad last week. We paid the ransom, and the program fixed all the affected files. It then deleted itself. We ran a cleaner afterward, and it didn't find anything to remove.

      • I found this article while trying to a copy of the source to this malware to try to reverse engineer a key to decrypt. This guy PAID the ransom and the "key server" belonging to the crooks is no longer online. He is out the $300 AND all the data.

        Do NOT pay ransom. You are just funding the creation of even worse ransomware in the future.

    • The malware itself is pretty easy to delete. Any decent AV will remove if after a scan.
      But once removed, there is NO way of ever recovering the files, as the encryption-key will be removed and any other data the crooks use to retrieve the decryption key after you've paid.

      No matter what, if you've paid to decrypt your files or you're giving up, clean your whole pc and start over with a fresh install of you OS.
      Be sure to format everything that could contain even a part of the virus: MBR, register, RAM (remove all power sources), ...

      • NvR4GeT · 710 days ago

        That wouldn't be necessary. This is a simple application that encrypts files? It's not a RootKit. This is an application that runs, usually placed in your App Data folder on Windows 7. You would just need to delete this file to prevent the software from running again. Then cleanup the folders and search the registry for the name of the application. After that check your LMHOST file for any unique entries. Then your done. As far as files go, there's a way around anything. I'll be looking into this further and deving something up and attempting to get that pc infected and see what I can dig up. Monitoring your TCP/IP Connections during the infection would be key. The last thing anyone has probably attempted was to hack into the guys server and see if they can get the Private keys out of there. I'm sure this person is great at software development, but having a secure server? I doubt it.

        • Sure · 707 days ago

          There's no way to know what private key matches what public key. If you don't have the private key there is no way to decrypt the encrypted files.

    • jazz · 687 days ago

      cant we just wireshark the IPs being used and YANK the inet plug?

  2. maarten · 726 days ago

    Does cryptolocker target macs? (cross platform user here)

    • Paul Ducklin · 726 days ago

      I'm not aware of Mac ransomware of the "encrypt files and sell you the key" sort.

      • Rick Smoot · 652 days ago

        I own a Mac and received two pop-up "Crypto" demands. In the first case, about a month ago, it appeared to do nothing. I was able to reboot with no problem and have had no issues with my machine. Then just yesterday, another that locked Safari. I shut the machine off manually and when it rebooted there were again no apparent effects. It appears completely normal. Is it possible the machine is "infected" in some way without my knowledge? All of my files are backed up so should I re-format my harddrive with the Apple disc? I am not a techi so be nice! I am using my work computer for this forum.

        • Ralph · 636 days ago

          I run a mac with Parallels running Windows XP. I got hit today. Any files on the mac desktop became locked, including, unfortunately my 500Gb external that was plugged in via USB. I think that is due to any desktop files also are shown on the Windows desktop. Any files on the mac 'Macintosh HD' (if you see what I mean), were un-affected.

          I uninstalled Parallels and dumped the files. Annoying but for me, not the end of the world as it was just my home mac, now if it had been the office, whoa, big problem!

          It also affected all .psd photoshop files, but I actually think that is where it snuck in, in a .psd sent by a client.

          • Paul Ducklin · 636 days ago

            Be careful with file sharing, whether it's over a network, a USB cable or via a virtualisation solution!

            When I mix the OS X and Windows ecosystems (I use VirtualBox to run Windows on OS X) I only ever share my OS X home directory into the Windows VM "read only." If I want to export stuff from Windows, I mount a single directory in ~/Temp to use as a dumping ground. Just in case.

        • The only "crypto" I've seen on the Mac is a Javascript version running in browser. It generates 150 consecutive popup menu windows to create the impression you really are locked. You can get around it.

          Unless you ok installation of software whose author you don't know (perhaps mistaking malware for a legitimate product like Adobe Flash...always check the full domain of a site before downloading), you are very unlikely to get a real virus on the Mac.

          To be safe, only get applications from the App Store (which is a curated application environment closely monitored by Apple.

          • Paul Ducklin · 628 days ago

            One problem to bear in mind about the App Store: software accepted for inclusion isn't allowed to have components that integrate with the operating system itself, such as kernel drivers.

            That means no features like file filtering, which is pretty much a necessity for a proper anti-virus program. Just *finding* viruses is not enough - you need to be able to block access to infected files, if you want effective protection.

            In short: any anti-virus in the App Store almost certainly has no "on access" (also known as "real time") component, can't do virus prevention, and should therefore be avoided.

            (In case you're wondering why our free Mac Anti-Virus is available from the Sophos website but not from the App Store...)

    • Machin Shin · 725 days ago

      Does it really matter? Even if you can feel all warm and fussy knowing your safe from this right now, do you really think that means no one will ever write it for a mac? Your much better off protecting against it now than you are waiting. You never know, you might be the "lucky" one who is the first to see the mac variant, and by then it is too late.

      • badgerdog · 725 days ago

        +1 for 'warm and fussy'

      • Pete · 723 days ago

        Given that CryptoLocker traverses network drives, no data is safe near it - mac, linux or windows. Easiest scenario is that someone with an infected windows box is on a network where a mac writable file share is present.


        • This raises a good point about Mac OS X (or iOS or any OS) security. If you give someone write permission to the drive that contains the OS you open yourself to the possibility that a malware author *could* have written in code to detect this scenario and use the vulnerability to insert malware into an otherwise secure Mac OS X drive.

      • Machin ShinShinShin · 701 days ago

        Yes it does matter, it matters because I know that those extra 1000 I paid for my computer provides that warm and fussy feeling.

      • RedBud · 690 days ago

        Not to brag... But if you would be using a Mac, local files would be easily retrievable using Time Machine, Mac's backup service. So, even if the virus did exist for Macs (which it does not seem to), destruction would be much less and system restore would be a snap.

        • There are many good reasons to buy a Mac but please, please don't buy one because you think it or Time Machine offers some magical level of protection against a theoretical future Mac version of Cryptolocker.

          • I am a dyed-in-the-wool Mac enthusiast and advocate Mac OS X and iOS for better data security, but Mark is spot on. There was a report from a researcher in Australia that their client was using a similar incremental backup system (Windows based, but a similar approach to Time Machine). Because the encryption caused so many bit-level changes to the drive the software made fresh backups of everything and deleted old backups to make room for the new corrupted files. You would get the same effect with Time Machine where oldest backups are deleted once drive becomes full (unless you had a drive big enough to hold both the old uncorrupted copy of all files AND the new locked ones). I just glanced at the Time Machine control panel and thought that option could be turned off but didn't see the check box.

            The best defense is to make multiple backups, and to have backups not connected to the machine whose contents you are trying to protect. You could do this with Time Machine on the Mac (which I recommend since it allows you to restore your machine from backup to the point where the windows will even open up as you had them at the time you performed the backup). To do so you would periodically attach an additional backup drive (have separate drives for daily, weekly, monthly backups, and unmount them and disconnect them safely after the backups are complete), configure Time Machine to perform a complete backup to that drive.

            The best defense on ANY system is redundancy (multiple copies of mission critical data), and storing the backups in multiple locations NOT connected in any way to the network. If you building burns down, you don't want all your backups in that building. If your network is compromised you don't want all your data to be likewise vulnerable. Connecting computers creates convenience but it also creates risk.

    • haha · 722 days ago

      Since you bought a mac in the first place. You probably deserve it

    • Don · 702 days ago

      there have been reports of Mac's being infected.

    • The Official Geek · 682 days ago

      Not at this time but don't think if this keeps going that it wont make it there...Most of the home computer and alot of business run on windows thats why its always targeted.

  3. Be careful out there. BACK UP your files!

    • Jordan · 711 days ago

      just turn off auto back up and sync for online storage (ie google drive). Once the file is encrypted, its considered "changed" so it starts to sync and then that copy is now encrypted as well.

  4. Clive · 725 days ago

    Will an up to date Sophos protected PC stop the encryption if a user clicks on that attachment?

    • Paul Ducklin · 723 days ago

      It should prevent the malware program from running at all, so it will never even try to "call home" for its encryption key, let alone get to the point where the scrambling starts.

  5. LindaB · 725 days ago

    MACs are known to be vulnerable to this sort of malware, so the fact that an unexpected dialog appears should be a warning. So take the sensible steps suggested no matter what OS you use. Personally I do not and would not use any cloud service either as they can be vulnerable. (Personally I see no benefits to me in using the cloud!)

  6. Jones Acton III · 725 days ago

    There's quite a voluminous thread building over at Bleeping Computer Forums - up to 46 pages @ last check - indicating that quite a few folks are actually paying the ransom (due to an unfortunately-too-typical disdain for proper backup procedures, no doubt); CriLock has also dominated the Patch Management List conversations over the last six weeks, with many of the professionals amongst the membership recommending the blocking of any and all .zip file actions, apparently. IMHO, Software Restriction Policies preventing executables from running in AppData/Roaming appear to be the best palliative at this point, despite the impact that can have on legitimate programs whose developers have chosen that location from which to run.

    [Commented edited for length]

  7. natasha · 725 days ago

    This has just come on my computer and giving me 71 hours to pay them what do will I lose everything on my computer?

    • Anonymous · 725 days ago

      I understand you might want the confirmation from someone saying "yes", but did you even read the article above?

    • natalie · 721 days ago

      Its just happened to my mams laptop, she has lost everything from pictures, documents and videos. It came up you have 72 hours to pay, it went away then came back the next day : Don't have a clue how to sort it out.

  8. mark · 725 days ago

    if you pay them, then they now have your credit card details which can then be either used and abused or sold off to others.

    Don't Pay

    • Stace · 724 days ago

      Unless you get a disposable card. Not that I'm recommending paying them, just saying there's a way to without giving your own details :)

    • Steve · 721 days ago

      They only accept Green Dot Moneypak cards or Bitcoins.

  9. pipedream · 724 days ago

    Just get the files from your backups and reinstall a clean system.

  10. ajlane · 724 days ago

    just got this last nite, cannot believe people can be so mean. How depressing.

  11. anon · 724 days ago

    > But as far as we can see, there's no backdoor or shortcut:
    >what the public key has scrambled, only the private key
    >can unscramble.

    Kasperksy can clean this ?

    • Paul Ducklin · 724 days ago

      You're referring to Kaspersky's "deblocker" page...a couple of people have pointed at that.

      But I don't think that page deals with *this* malware, just some other sorts of ransomware.

      I *really* hope hope I'm wrong, and that there *is* a backdoor or shortcut...

      ...but I have a sinking feeling that I'm right, and once CryptoLocker strikes, it's a Game Over situation for your documents.

      If anyone knows sure to let us know!

    • Randy · 717 days ago

      No. Kasperksy looks for viruses, it doesn't decrypt encrypted data.
      Consider this a life lesson on doing proper backups on your system data.
      Wipe your hard drive, reload the OS, reinstall your programs and retrieve your program's data from your backup.
      If you didn't backup then you are screwed. Much better now to take the ransom money that you would have paid to the hacker and buy a good USB 3.0 backup drive with it. Then USE it.
      If something is worth storing on your computer then it's worth backing up.

      • EdC · 712 days ago

        BUT--do not leave the backup drive attached. do a full virus scan, attach the external drive, perform the backup and detach the drive.

        • Frustrated and sad · 597 days ago

          Ok so if your back up was attached :( is it affected as well or does it not go to it? Hoping I'm able to reload it after clean up?

  12. James · 723 days ago

    I dont know why people are saying they get your card details.

    Think this through....

    Firstly they dont charge your card directly they ask you to pay via a third party (similar to paypal), so at no time do they actually get you card details.

    Secondly, if you pay it, get your private key then phone up your card company (providing you use a credit card) and advise you didn't receive the goods you paid for, the amount will be refunded and you walk away with an unlocked machine costing you nothing but a phone call!

    So please everyone stop making a fuss over nothing, secondly, if this was a real issue with the power of cloud computing which can break SSL and WPA2, it wouldnt take more than a day or two's computing time to crack the private key anyway, so why doesnt someone do this and charge people $50 a time, and make the money rather than the hackers....

    • Paul Ducklin · 723 days ago

      James is both right and wrong here - as a previous commenter noted, the ransomware example above expects you to pay with Bitcoins (a sort of digital cash) or via a MoneyPak (effectively a disposable credit card).

      So they don't get *your* card details. They just get some of your money.

      But it isn't "a day or two's computing time" to crack each private key, as far I can see. All the power of the cloud *can't* break SSL or WPA2, at least not in any routine and general way.

      (That's why no-one's doing it :-)

      • Jim H · 723 days ago

        He is also wrong due to the fact the credit card company will not honor the fraud claim since a victim *WOULD* receive the MoneyPak that was purchased. What the victim does with the MoneyPak is not the credit card companies problem.

    • Anonymous · 687 days ago

      love this guy

  13. Damien M · 723 days ago

    Encryption used By this malware is RSA 2048. Good Luck paying a guy $50 to generate the private key. Let me know how you get on :). I believe at the current processing rates and cracking trends RSA 2048 bit encryption will be trusted up to about at least 2030.

  14. Richard · 723 days ago

    Dropbox (at least) allows you to go back to old (hence unscrambled) versions of files.

    • booma · 689 days ago

      It does not I am afraid, I got hit and so did my dropbox files, and those shared folders too, so impacted the businesses that shared them with me... however, they have clean originals, fortunately

      • Anonymous · 654 days ago

        Dropbox stores a full version history of the files you upload .. You should be able to recover from those (use the web interface)

  15. Aftab A · 722 days ago

    Does this affect even systems connected to network shares or simply the local data on the machine

    • Paul Ducklin · 722 days ago

      The malware runs with the same permissions and powers as any program you launch willingly.

      So if there's a file you could locate and access with, say, Windows Explorer (whether on your own hard disk, USB key, network share, cloud storage vault magically turned into a drive letter by special software driver)...

      ...then the malware could locate it too.

      If you have write access to it, so does the malware.

      PS. It isn't a virus, so it doesn't copy itself over the network and *infect* other computers. But it can *affect* them.

  16. TechGURU · 722 days ago

    If a computer has network drives, like share drives and any other drives are also getting encrypted. If it's infected, remove if from network and take files that were not encrypted and wipe it.

  17. john collyer · 721 days ago

    been hacked by cryptolocker how do i get rid of this

    • Paul Ducklin · 721 days ago

      You could try the Sophos Virus Removal Tool.

      It won't decrypt the files, since only the crooks can do that. But it will sort out the malware, and indeed any other malware you might have (some people are getting CryptoLocker as a side-effect of *already having some other malware* on their computer).

  18. Jones · 721 days ago

    Faced with 14,786 encrypted files over local and mapped network drives, even restoring from backups vs paying the $300. The paying $300 seems more cost effective.

  19. Rentz · 721 days ago

    For anyone interested, I had a machine get this and paid via bitcoin and everything was successfully decrypted.

  20. CEPACS · 721 days ago

    In the article it says "Sophos Anti-Virus detects it by the name Troj/Ransom-ACP", does that mean that it will detect it BEFORE it actually does its damage then?

    • Paul Ducklin · 721 days ago

      Yes, if you have the on-access (real time) scanner enabled (it's on by default).

      That's the part that checks files before they run, thus preventing malware, not merely detecting it. If it doesn't run, it can't do any damage :-)

      If you want to see what happens, head over to the link below, where we have a short video.

      You'll see the malware getting blocked, and then run again without Sophos active to show you how long it takes before the pay page pops up, and what happens to your files when it does:

  21. Brokensyntax · 718 days ago

    Cryptolocker targets all accessible shares, so while a Mac may not be directly targeted if an infected system has access to a file share, or the Mac accesses file shares on the infected system, those files are subject to destructive encryption.

    Several people in large infrastructures have attested that paying the piper does result in decryption of files, however, this is a bad president to set.

    I have been in discussion with a few AV/Security research vendors for what I believe to be a critical flaw in the virus' design.

    I have obtained copies of the virus to work from, and will be running testing on my personal VLab in the near future, but lack the sophistication and horsepower of security firms.

    • Brokensyntax · 718 days ago

      Did I really allow auto-correct to do that to me?
      Bad precedent! That's better.

    • Jason N · 493 days ago

      +1 for "bad president" :)

  22. DD-London · 717 days ago

    I need to get some data back.
    I know its a very bad move but we need to.
    Paul, do you know if this works?
    Do you know anyone it has actually worked for?

    And has anyone actually used Bitcoins? im techy but it look more dodgy than the virus...

    • Paul Ducklin · 714 days ago

      As I wrote in the article, " With the private key, you can recover your files. Allegedly. We haven't tried buying anything back, not least because we know we'd be trading with crooks."

  23. Uk-reader · 715 days ago

    Just thinking. Why not a save a copy of your private key beforehand someplace safe, and then use it in the emergencies like this? Does it make sense?

    • Paul Ducklin · 715 days ago

      This isn't *your* private key. The crooks generate a public/private key pair on demand, send you the public key and keep the private key on their own server. You never have a copy of the private key to kkep.

      Therefore, after you have unknowingly locked your own data, only they can unlock it.

  24. dmolavi · 715 days ago

    Would blocking the listed domains at your firewall prevent the encryption from occuring, since the public/private key pair would not be able to be generated? If so, is anyone tracking what domains are used (ie, is the list above all inclusive and the people responsible aren't adding new domains to the list dynamically)?

    • Paul Ducklin · 714 days ago

      As far as I am aware, the encryption only starts if a public key has been acquired from the crooks, which mean the malware has to be online and have "called home." There is no offline mode.

      Of course, blocking the domains should always be a last ditch protection, as it means the malware is already running and perilously close to trouble...stopping the malicious EXE from launching in the first place is your best solution.

      We track the list and try to block it - it's not static, by the way, so it has a new list of 1000 domains each day. You can calculate each day's list, so it's not entirely *random*, but it isn't exactly *static* either :-(

      • dmolavi · 714 days ago

        How is each day's list calculated? I already have other protections in place that should prevent this, along with a good dose of common sense and instructions for those at home, but just in case...

      • yss · 703 days ago

        Does yanking the network cable out of the PC work?

  25. Switch · 715 days ago

    Just in short.
    Is there a way to determine on which Date/Time the Virus scrambled the Files?

    I have Backup Solution, but I wont testing every Backup-State just to find out its allready scrambled...!

    The Virus was recieved on Monday per Mail and the PopUp came on Wednesday.

    So it has 3 Days and access to the ServerFolder.

    I just want to know if theres a possibility to find out on wich date/time i have to Point the recovery without the need to recover last Sunnday.

    Ohter Question: How long goes the encrypting Process at all? Debending on amount of Files? Days Hours Minutes?

    Thanks a Lot

    • Paul Ducklin · 713 days ago

      The malware reads the timestamp on a file before it encrypts it, and sets it back afterwards. So you can't look only for files that were modified recently.

      Why don't you find a file you know is encrypted now, and load a copy of that file, and that file only, from your last N backups? If you find the file is encrypted in your backup, you know you need to go back further...

      The encryption depends on the number of files. How long does your backup take? The malware is going to take about that long or less...

  26. Rob Kelham · 714 days ago

    They hacked me! I have backups. If I delete my "current" files and restore with by backups, have I beaten system? e.g. will the software still be on my machine to come back and byte me?

    • Paul Ducklin · 714 days ago

      Remove the malware first, or it won't "come back and bite you," it'll never have left :-)

      The scrambled files aren't malicious, so you can remove and replace them at your leisure.

      Just don't plug your backup drive in until you've zapped the malware - it encrypts any file it can see/reach, not just files on the C: drive.

  27. moses · 714 days ago

    was hit three weeks ago and it encrypted 500gb of my company data. luckily i do backup data regularly.

  28. randy · 714 days ago

    We are using Sophos UTM. Does a pretty good job of blocking access to malicious/suspicious sites. Even trying to grab a tool that can be used to write policy to prevent execution of exe in the appdata areas is blocked with normal settings.

    So, that raises the question of getting an infection and the result of and or "if" sophos blocks access to suspicious sites. will that mitigate infection results?

  29. Laz · 714 days ago

    Let them accidently target a US Federal computer, and they can wait patiently for the Hellfire missile Drones to drop through their chimney.

  30. TomasHo · 711 days ago

    People write they've been "hit", but actually, unless there really is a malware backdoor, this is a "virus" which relies on someone being dumb enough to open an attachment in an email without checking the extension. Reminds me of the old joke about the lazy virus programmer who just sent out an email saying "This is a virus, but I am not a very good programmer. Please format your hard-drive.".

    Part of the problem is the stupid "feature" in windows of hiding extensions - ever since it was introduced I set all computers within my power to display extensions, as well as hidden and system files.

    That said, I'll backup my files this week. Prevention helps.

    • hidden · 701 days ago

      Hidden File Extensions, YES a very stupid idea. It is a default setting and a very bad one. All it takes is one dbl-click on filename.txt.exe (you never see .exe) and whammo!

    • Victim · 687 days ago

      --this is a "virus" which relies on someone being dumb enough to open an attachment in an email without checking the extension.--

      Not true. Got attacked and have not opened any email from unknown senders and have not opened or even received attachments in a very long time.

    • Stacey E. · 354 days ago

      I was not "dumb enough" to open an infected email. This happened to me via a website.

  31. John H · 708 days ago

    it says it installs itself in Documents and Settings folder does that mean it only affects XP machines? That folder was replaced with Users in Vista til now.

  32. Guest123456789 · 705 days ago

    Why cannot the goverment seek the owners of these damn servers and SHUT THEM DOWN!!! The virus cannot live if it dont have servers to feed it!!

  33. Yarryd · 702 days ago

    The biggest victims of this new threat happen to be medium to large sized enterprises. I am a systems analyst for a company out here in Columbia, MD and we have been having alot of our users coming to me with cryptolocker infections. We are getting 1 new cryptolocker ticket per week and this is the most sophisticated virus of its kind. I'm looking at a laptop right now that is infected. Your files and data are held hostage. I mean, a ransomware that uses PKI pretty much renders the infected party at the mercy of the attacker because only they have the private key. Once that key is destroyed you are pretty much outta luck. These guys are crooks so they already have no credibility. Who is to say that after you pay the ransom that they'll honor their end of the bargain and give you the right decryption code.

    Has anyone here paid the money and gotten their files back?? I'd like to hear from you if so. y.lowery[at]gmail[dot]com

  34. Mondo · 701 days ago

    Is there a way of preventing this malware from encrypting your files? Because I have an idea of how to prevent it.

    What if you had all of your files encrypted already?
    Would that be doable?
    Would it be too much of a hassle?
    And if so, will that prevent cryptolocker from encrypting them again?

    Please give advice.

    By the way, I have not been infected, just ran into this article, and grabbed my interest.

    • Steve L · 685 days ago

      Someone else had this idea on another forum and the answer,sadly, was that files can be encrypted numerous times. So that would not prevent.
      Good thought though.

  35. debbie · 701 days ago

    I'm a pc user and not as tech savvy as those posting here. I bet there are a lot of people like me who need some xtra help.

    Ques: I have a popular anti-virus/malware security and firewall, am I likely to be protected?

    If a friend/someone sends me an email with a link, IF I use it will I get infected or does their and my security check it?

    I do not have an external Hard drive, would backups be done with USB Flash drives, etc. ?

    OK, Hope yall don't mind my simple questions, but I intend to beat this Malware ! ha.
    Thank YOu, I did learn a lot from the article AND the subsequent posts. That is how I'm learning, but these ques still come up. Appreciate any replies and hope you're not infected. damn malware and the people who create it !

    • Steve L · 685 days ago

      I would contact your software provider and ask them.
      Flash drives would work but external drives are relatively cheap and you would only need one

  36. This sounds like a rather fun virus I must say. Nasty little creature.

    Now here's a question: Why are the domain names that the virus tries to access and are listed still actually going to the proper servers? The owners of the domains are engaged in illegal activities which virtually every domain registrar has stipulations concerning in their user agreements (that you check the box on) when you buy the domain. Couldn't the domains simply be forwarded somewhere else or disabled? A takedown request for those domains shouldn't be too difficult.

  37. Computer Dummy · 701 days ago

    I got infected with this malware about a month ago. I had two people using my computer, and since it's a little nothing machine with games and other entertainment only. Nothing I couldn't easily replace. I went to my son's account and it was OK. So I used his account to do system erasure and took the machine back to factory condition. That's an easy solution for those who have no irreplaceable vital data.encrypted. But, holy smokes folks, just back up everything. That's the real answer.

  38. Barry · 700 days ago

    after getting rid of the virus how do you get it back so you can pay to clean up your files

    • Steve L · 685 days ago

      If you really trust these slime balls ,you have to pay before you remove the "virus" or you can't decript your files

  39. E. Hvinden · 700 days ago

    We received this on a client machine - Windows server with Shared Files (106 Gb) - This will require hours to restore, and we are not sure which machine infected it. This sucks big time...hope they trace this to the dudes and hit them hard!!!! Navy Seals and Delta are standing by!!!

    There goes my weekend!!!

    Well, this will probably lose our client for us...even though the stupid users most likely clicked on the link!!!!

  40. Greg · 699 days ago

    They have gone too far and they dont even know it yet.

    Its inevitable that the wrong people will get this virus. Once that happens, if it hasnt already. The writers and organizers of this virus will have limited time themselves.

  41. Les · 695 days ago

    Can we turn back the clock on the computer to get back to the 72 hours - instead of paying the $2100-- And I can't find a link to pay them - now that the virus has been removed.

  42. LandSailor · 693 days ago

    If I have a shortcut on my desktop to a NAS on my home network, would the virus open the short cut and have access to encrypt my files? There is no drive maping to the NAS. Thanks.

  43. rm · 690 days ago

    If it is using known registry entry to store the public key for encryption, what about preinstalling the registry entry then restrict access to it. Then it is not able to store its encryption key and can not encrypt the users files.

    If it uses this key, HKCU\Software\CryptoLocker\Public Key , then create this key before infection and lock it so it can not be used. Would that not thwart it?

    • We don't advise doing this. It might work for a bit but a) we can't be sure of the unintended consequences and b) if it does work it will work until it doesn't - malware does not stand still and you can expect that, if it were successful, a simple countermeasure would be dealt with in subsequent versions.

      As Chester Wisniewski put it: "Registry manipulation is not a reliable technique for dealing with Cryptolocker. A broken clock is right twice a day, but you would be a fool to rely on it."

      Your best chance of stopping it from infecting your systems is up to date anti-virus and your only chance of recovery is to take regular backups.

  44. Anonymous · 687 days ago

    Im no programmer, but could we not as a community setup an alternative option... Just thinking of distributed computing efforts of & SETI... RSA2048 is a B**ch to crack with one pc... but what about 1000, 10000, 100,000? Just wondering what kind of power you would need to do this?

    • Paul Ducklin · 687 days ago

      Intractable, I'd say. And even with all the computers in the universe running at full whack for as long as it takes...that only cracks on e key, and gets one chap his data back.

      So you'd have a second, even harder problem - how would you choose whose key to crack first?

      (A hardware random number generator, like they use for national lotteries, would be the way to do it. Try to get consensus on that, though :-)

      • Joel · 549 days ago

        Actually, instead of cracking one key, use the distributed computing power to generate rainbow tables. Not sure how long it would take to gen those tables for RSA2048, but every cycle devoted to cracking would at least be towards the common good of everyone involved.

        There are 300 million people in america. How long would it take a million desktop PC's to make those tables? (if they don't already exist)

        And if we got some corps with high powered servers to donate spare cycles, then how long?

        Not saying it's the answer, but certainly an interesting question

        • Paul Ducklin · 548 days ago

          You can't use rainbow tables to crack RSA, I'm afraid.

  45. DC8capt2 · 685 days ago

    Does this malware only affect XP machines, or does it do all OSs?

    • Paul Ducklin · 685 days ago

      It *infects* Windows, but since it scrambles any files it can access from an infected Windows computer, even over the network, it can *affect* users of other OSes indirectly.

  46. WSQT admin · 656 days ago

    The solution to this is obvious: Run data recovery (foremost/photorec, etc) and get back all "deleted" files. Forget decrypting the copies, find the "deleted" originals!

    It takes time to copy and encrypt many files. Therefore, this malware probably can't start deleting files until it is done encrypting them, for fear of discovery. That would prevent any files from being overwritten unless the extra time to "shred" them is taken.

    If the malware "deletes" each file immediately after encryption, at least some files still would not be overwritten and could be recovered. I have not seen the offending software, but I would not want to write attack code against an enemy that risked showing itself with the first file it tampered with, presumably neither would these gangsters.

    Lastly, don't ever pay or you are part of the problem. Since I have multiple offline backups that are never auto-synced, I would simply wipe the disk, reinstall from my last known good OS image, and copy back all my files from backup. That is, if anyone ever ported this crap to Linux in the first place...

    If you don't have backups, you WILL lose your files, just the cause of loss will probably be a hard drive failure or severe filesystem corruption. Shit happens, for everyone who had unbacked up files held hostage, hundreds lost them to simple failures. Back your files up today, and shut those wallets!

    • Kathrine · 555 days ago

      I keep seeing this crap on UNIX. You need to get educated. UNIX, AIX, HP-AIX and LINUX systems are no loner exempt from attacks. Windows is more susceptible but you'd better be taking precautions with your UNIX systems as well.

  47. I was hit with the Cryptolocker. We are financial firm. Unfortunately, I didn't have the proper IT procedures in place to prevent this. Users are dumb. That's the simple fact and one of mine just clicked on the link. She left for vacation with her computer on and after 3 days the system had encrypted her files. The worse part is that the Networkfile share got corrupted and our replication server corrupted those as well.

    We paid the ransom and we did receive back our files but it was a scare event.Feel free to contact me if you would like.

  48. twart · 612 days ago

    How long it takes to encrypt data on drive C:/?

  49. Anonymous · 608 days ago

    ¿Virus? What is it?
    (Linux user)

  50. omendata · 493 days ago

    Just make sure your run keys are protected so that nothing can be installed. Its the first place malware tries to inveigle itself into.

    When i first started as a security analyst ten years a go this was the very first thing i ever did and I have never had a virus infection - I also dont run an AV the only thing I use now is Spyware Terminator and its not bad at all - Sophos as an AV would be one of my choices for a client. The guys that work for Sophos are the dogs bollox.

    Use autoruns to find all the vectors for malware install - it doesnt show all but its pretty comprehensive then use registry editor or group policy to lock it all downj - its not actually brain surgery.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog