CryptoLocker urgent alert - here's how YOU can help!

Filed Under: Featured, Malware, Ransomware

We've seen a resurgence in interest in the CryptoLocker ransomware, not least because the UK's National Cybercrime Unit (NCU) put out a warning about it yesterday.

The NCU burst onto the cybercrime fighting scene as part of the UK's newly formed National Crime Agency (NCA), which became operational just a month ago, on 07 October 2013.

The NCA is part of the UK's effort to tackle organised crime, including crimes launched by electronic means.

And CryptoLocker has been a strange baptism of fire for the agency dubbed by some "the British FBI."

What CryptoLocker does

If you've been following the story, you'll know that CryptoLocker is malware that deliberately scrambles your precious data files, such as documents and spreadsheets, and offers to sell you a decryption key to get them back.

The price the crooks are charging is currently hundreds of pounds.

Of course, if you have a decent anti-virus, you're unlikely to get infected in the first place, and if you have a decent backup you should be able to recover your data even if the worst happens.

But if you don't, then you're stuck.

As far as we can tell so far, the crooks who are operating the CryptoLocker crimeware haven't left any holes or backdoors by which you can recover your data without paying up:

  • The decryption key is different for each victim, so you can't share your key with the next guy.
  • The encryption used is strong enough that it can be considered impossible to crack.
  • The crooks don't let your key out of their sight until payment is received.
  • No-one, to the best of our knowledge, has been able to get into the crooks' own network to recover the keys.

Why the risk is high

Even though CryptoLocker is already well known, having made headlines for several weeks, and and tips on how to avoid it have been widely publicised, things may yet get worse.

The NCA's recent alert warns that emails containing infectious attachments "may be sent out to tens of millions of UK customers, but appear to be targeting small and medium businesses in particular."


The attachments are often disguised, warns the NCA, as files that sound important enough to open, but not of a sort usually associated with viruses and malware, "for example, a voicemail, fax, details of a suspicious transaction or invoices for payment."

Of course, crooks have known for years that attachments can be made to look like images, or audio files, or documents, by giving them names like VOICEMAIL.MP3.EXE or INVOICE_SCAN.JPG.EXE.

You see VOICEMAIL.MP3, which seems innocent enough, but Windows sees VOICEMAIL.MP3.EXE - in other words, an executable file, better known as a program.

So instead of firing up your media player, opening the attachment runs the malware.

How you can help

Even if we can't find the crooks to stop the ransom process and get back all the keys created so far, we don't have to be victims.

If you are the go-to IT expert for your friends and family, you can help:

  • Warn your friends about the dangers of unsolicited email attachments.
  • Check that they have a proper anti-virus and are keeping it up-to-date.
  • Show them how to make backup copies of their precious files and to store the backups safely.
  • Make sure they keep up-to-date with patches for their operating system and software.
  • Get them to read up about CryptoLocker so they are in no doubt about the risk.
  • Use CryptoLocker as evidence why prevention is better than cure.


If you are looking for useful material to use in advising your friends and family, Naked Security has the following excellent resources at hand:

• How CryptoLocker works.

• CryptoLocker prevention, cleanup and recovery.

• A video showing CryptoLocker in action.

• Five tips for protecting against ransomware

Remember: an ounce of prevention is worth a pound - in this case, hundreds of pounds - of cure.

, , , , ,

You might like

18 Responses to CryptoLocker urgent alert - here's how YOU can help!

  1. MTB · 692 days ago

    Are spam filters able to scan inside of a zip for an exe?

    • Paul Ducklin · 692 days ago

      A decent one will be able to (Sophos's certainly can). In addition, you probably also want to block so-called double extensions, thus automatically treating files that end ".doc.exe," or something similar, as suspicious.

      • Ben · 692 days ago

        Are there any innocent uses of double extensions? Would it not be more sensible to treat *.*.exe as suspicious? (where * is a wildcard)

  2. Feminism Now · 692 days ago

    We should teach people not to make malware rather than blame victims imo :\

    • Stace · 690 days ago

      I think they know, Fem; they just don't care. For them it's about the money and probably a bit of power-trippin when they make some. Teaching victims and potential victims is about the most we can do to diminish the bad guys' returns.

  3. Anonymous · 691 days ago

    Surely the software is transmitting the details to a server? Why ha sthis not been tracked down? Or at least. why has the proxies not been tracked down, torn apart and then traced the next server?

    • Paul Ducklin · 691 days ago

      If you look at the "how it works" article you'll see that the server chosen by each victim is rather a moving target. the malware tries a whole list of server names each day until it gets through, and if ever it can connect, the damage is done. (There's only a small exchange needed to generate the locking key - that's why the crooks don't upload your data, which could take a long time and be error prone, just scramble in it situ.)

  4. Jan Doggen · 691 days ago

    And one additional measure: disable the default "Hide extensions for known file types" check box in Explorer. I still consider this one of the stupidest moves MS ever made in Windows.

    • Paul Ducklin · 691 days ago

      I'll see your "Hide Extensions" and raise you "AutoRun" :-)

      (Many OSes have some sort of file and name hiding by default. In Unix, for instance, the ls command that lists directories suppresses by default any filenames starting with a dot. So this kind of "file system dishonesty" has a long history. And doesn't that make the crooks laugh?)

    • Michael James · 690 days ago

      And in Windows 7, hiding/showing file extensions is done via Control Panel>Folders>Options>view.

  5. Derek · 691 days ago

    How are ransom payments made?
    Why are they not traceable?

    • Paul Ducklin · 690 days ago

      Moneypak or Bitcoins. That's why the payments aren't (easily) traceable. Or, more importantly for the victims, reversible.

  6. Bart · 690 days ago

    Does Sophos A-V detect and avoid this malware?

  7. Joe · 690 days ago

    Apologies for being ignorant, but I would have thought that any attachment that carries a .exe file extension should be detected by the ISP and ought not to be transmitted or the recipient warned not to open same.

  8. njorl · 690 days ago

    As several comments seem to engender a "showing file extensions will deliver us from evil" mindset, I'd like to throw in a reminder about the encrypted, executing, ZIP file. (Extension will be ".zip", or "", "", etc.)

    With these, the e. mail text tells you the password for the ZIP file, but the mail scanners haven't been made so complex as to sniff it out to be able to recognise the malware within the attachment.

    Using your AV for a manual scan of the ZIP file is also unlikely to raise the red flag.

    The ZIP files are mailed out with very many random passwords used for their encryption, meaning there's no signature common to them (or even a practical subset of them).

    Once you've typed in the password, I think AV on-access scanning has the opportunity to detect the malevolence of the temporary, unencrypted, file that drops from the ZIP file, and thwart the attack. But you shouldn't have let things go that far, of course!

  9. Steve · 689 days ago

    Does anyone know anything about the email attachment? What is the naming convention used? What are the typical subjects for the emails?

    I'd like to know so I can see whether our email filtering system is picking up any of these emails, and hence the problem is "knocking on our door" so to speak.

    I know Sophos should block the attachment, and our application control should also block execution of the program, but I'd like to know whether my company is under threat from this malware.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog