CryptoLocker Definition

CryptoLocker is a form of ransomware that denies victims access to their data by encrypting the files on infected computers. Once infected, victims are expected to pay a “ransom” in exchange for the key needed to decrypt and recover their files.

The primary means of infection is phishing email with a malicious attachment. These emails are designed to look like messages from legitimate businesses, typically phoney FedEx and UPS package tracking notices.[1]

The attachments were disguised so that an unsuspecting user would open them, which launched the malware and began the encryption; victims then had to pay a ransom to decrypt their files. CryptoLocker spread between early September 2013 and late May 2014.[2]

CryptoLocker Virus Example

History of The CryptoLocker Virus

The CryptoLocker ransomware campaign ran between September 5, 2013, and late May 2014. The malware was classified as a Trojan (malicious code disguised as something harmless) and targeted computers running several versions of the Windows operating system. It reached a target computer via spoofed emails designed to look like messages from legitimate businesses, including phoney FedEx and UPS tracking notices.

Once a machine is infected, CryptoLocker finds and encrypts files on that machine and on any storage it can reach from it: USB drives, external hard drives, network file shares and even some cloud storage folders synced to the machine. By early November 2013, CryptoLocker had infected about 34,000 machines, mostly in English-speaking countries.[3]
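Because CryptoLocker encrypts every file it can reach, including network shares, one practical way to notice an infection early is to plant decoy “canary” files on a share and watch for them being rewritten with ciphertext. The script below is an added example, not code from the original page or from any vendor; it assumes a hypothetical share directory (a temporary folder is constructed inline so it runs offline), hypothetical canary file names, and an entropy threshold of 7.0 bits per byte as the constructed definition of “looks encrypted”. It simulates the encryption of one canary with random bytes rather than running any real malware.

```python
"""Canary-file check for ransomware activity on a file share (added example).

Assumptions (not from the page): a few decoy files are planted among real
documents on a share; a monitor re-reads them periodically and flags any that
are missing, changed, or whose contents now have high byte entropy, which is
what an encrypted rewrite looks like. Sample files are constructed inline.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Constructed threshold: plain text is usually well under 5 bits/byte,
# ciphertext and random data approach 8.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or constant data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_canaries(share: Path, names) -> dict:
    """Write low-entropy decoy files and return a {path: sha256} baseline."""
    baseline = {}
    for name in names:
        p = share / name
        # Repetitive "document" text keeps the baseline entropy low.
        p.write_bytes(f"Quarterly figures for {name}\n".encode() * 40)
        baseline[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline


def check_canaries(baseline: dict) -> list:
    """Return [(path, reason)] for canaries that are missing, modified, or
    rewritten with encrypted-looking content."""
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append((path, "missing"))
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            ent = shannon_entropy(data)
            reason = "encrypted-looking rewrite" if ent > HIGH_ENTROPY else "modified"
            alerts.append((path, reason))
    return alerts


def demo() -> list:
    """Plant two canaries, simulate encryption of one, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)  # constructed stand-in for a mapped network share
        baseline = plant_canaries(share, ["~budget_2013.xlsx", "zz_archive.docx"])
        victim = share / "~budget_2013.xlsx"
        # Random bytes stand in for ciphertext; no real encryption is performed.
        victim.write_bytes(os.urandom(4096))
        return check_canaries(baseline)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"ALERT {reason}: {path}")
```

In production the baseline would be stored off the share (a ransomware that encrypts the share would otherwise encrypt the baseline too), and an alert would trigger the isolation steps described under removal below: disconnect the host that last wrote to the canary, rather than the share, from the network.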

A free decryption tool was released in 2014. Even so, various threat reports estimate that CryptoLocker extorted upwards of $27 million from its victims.[4]

CryptoLocker Prevention

US-CERT advises users to guard against CryptoLocker by conducting routine backups of important files and keeping the backups stored offline, where malware that encrypts every reachable drive cannot touch them. Users should also maintain up-to-date antivirus software and keep their operating system and applications current with the latest patches.

Users should also not follow unsolicited web links in emails and use caution when opening email attachments. And, as always, follow safe practices when browsing the web.[5]

CryptoLocker Virus Removal

Once users notice a ransom demand, a virus warning, or other sign of a network threat, they should immediately disconnect the machine from the network (unplug the cable, turn off Wi-Fi) so the malware cannot continue encrypting network shares. If possible, they should physically take the computer they have been using to the IT department rather than shutting it down or rebooting it themselves. Only the IT security team should attempt a reboot.

Central to your response is whether to pay the ransom. That decision should be based on the type of attack, which accounts in your network have been compromised, and what network permissions those accounts hold.[6]

Ransomware attacks are a crime, and organisations should contact law enforcement if they fall victim. Forensic technicians can confirm that systems have not been compromised in other ways, gather information to better protect the organisation going forward, and try to track down the attackers.

Sometimes security researchers release free decryptors that can unlock files, but they are not always available and do not work for every ransomware family.

If an organisation has followed cybersecurity best practices and maintained offline backups, it can restore its systems from those backups and resume normal operations quickly.[7]

[1] U.S. Computer Emergency Readiness Team (US-CERT), “CryptoLocker Ransomware Infections.” November 2013.

[2] Dan Goodin (Ars Technica). “You’re infected—if you want to see your data again, pay us $300 in Bitcoins.” October 2013.

[3] Ryan Naraine (SecurityWeek). “CryptoLocker Infections on the Rise.” November 2013.

[4] Proofpoint. “Ransomware is Big Business.” May 2019.

[5] US-CERT. “CryptoLocker Ransomware Infections.” November 2013.

[6] Proofpoint. “The Ransomware Survival Guide.” 2017.

[7] Proofpoint. “Ransomware is Big Business.” May 2019.