What Is CryptoLocker?

CryptoLocker is a form of ransomware that restricts access to infected computers by encrypting its contents. Once infected, victims are expected to pay a “ransom” to decrypt and recover their files.

The primary means of infection is phishing emails with malicious attachments. These emails are designed to mimic the look of legitimate businesses and phony FedEx and UPS tracking notices.^[1]

Attackers disguised CryptoLocker attachments to trick unsuspecting users into clicking on an email attachment that activated the attack. Victims then had to pay a ransom to decrypt their files. CryptoLocker spread between early September 2013 and late May 2014.^[2]

The CryptoLocker ransomware attack occurred between September 5, 2013, and late May 2014. It was identified as a Trojan virus (malicious code disguised as something harmless) that targeted computers running several versions of the Windows operating system. It gained access to a target computer via fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices.

Once a machine becomes infected, CryptoLocker removal becomes a difficult task as the virus finds and encrypts files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. By early November of 2013, CryptoLocker malware had infected about 34,000 machines, mostly in English-speaking countries.^[3]

A free encryption tool was released for this in 2014. But various reports suggest that upwards of $27 million was extorted by CryptoLocker.^[4]

US-CERT advises users to prevent CryptoLocker ransomware by conducting routine backups of important files and keeping the backups stored offline. Users should also maintain up-to-date antivirus software and keep their operating system and software up to date with the latest patches.

Users should also not follow unsolicited web links in emails and use caution when opening email attachments. And, as always, follow safe practices when browsing the web.^[5]

Once your users detect a ransomware demand or virus, they should immediately disconnect from the network. If possible, they should physically take the computer they’ve been using to their IT department. Only the IT security team should attempt a reboot.

Central to your response is whether to pay the ransom. That decision should be based on the type of attack, who in your network has been compromised, and what network permissions the holders of compromised accounts have.^[6]

Cryptolocker ransomware attacks are a crime, and organizations should call law enforcement if they fall victim. Forensic technicians can ensure systems aren’t compromised in other ways, gather information to better protect organizations going forward, and try to track down the attackers.

Sometimes, security researchers offer decryptors that can unlock files for free, but they aren’t always available and don’t work for every ransomware attack.

If organizations have followed best practices and maintained system backups, they can quickly restore their systems and resume normal working operations.^[4]

[1] U.S. Computer Emergency Readiness Team (US-CERT), “CryptoLocker Ransomware Infections”
[2] Dan Goodin (Ars Technica). “You’re infected—if you want to see your data again, pay us $300 in Bitcoins”
[3] Ryan Naraine (SecurityWeek). “CryptoLocker Infections on the Rise”
[4] Proofpoint. “Ransomware is Big Business”
[5] US-CERT. “CryptoLocker Ransomware Infections”
[6] Proofpoint. “The Ransomware Survival Guide”