We Have Your Files. If You Ever Want To See Them Again... Pay Now.

Over the past few weeks, a lot of media hype surrounding a nasty new type of malware called CryptoLocker has left many PC owners frantic. 

CryptoLocker is the latest in ransomware, released in the fall of 2013. The malware is spread largely via email, where it’s disguised as a legitimate attachment (typically under the façade of a FedEx or UPS customer service notice). While the attachment may look like a .pdf, it’s actually an .exe: Windows hides known file extensions by default, so a name like “notice.pdf.exe” is displayed as “notice.pdf”. Once run on your PC, it encrypts your files (pictures, movies, music, documents – almost everything of value to an average user). The scheme is a hybrid of AES and RSA: each file is encrypted with AES, and the AES key is in turn encrypted with an RSA public key whose matching private key never leaves the criminals’ server. It then holds the files ransom, asking anywhere from $100 to $300 for the private key necessary for decryption. The ransom must be paid within 96 hours, or else the key will be destroyed and your files are, for all intents and purposes, gone forever.

What makes CryptoLocker unique – and also particularly awful – is that you can’t just undo the damage with traditional anti-virus software, like you could with other ransomware that “freezes” your computer until the money’s paid up. Technically, you can remove CryptoLocker: most anti-virus software will find and remove it without a hitch. But the affected files remain encrypted, because the private key needed to decrypt them was never on your machine in the first place.

CryptoLocker also differs from other ransom-demanding malware in its apparent virulence. The infection rate may be so high because of the timing of its release: while most computer-savvy users can typically spot and delete an average phishing email before it does any damage, the holiday shopping season means a lot more inboxes are seeing legitimate traffic from mass retail shipping services. “This lure is far more common for the holiday shopping season,” said Corey Nachreiner, director of security strategy at Watchguard Security.[1] “As people are doing more shopping online, they’ll be more likely not to suspect emails about packages. My guess is we’ll also see CryptoLocker mimicking emails from Amazon and other shopping sites, too.” Furthermore, after an initial infection, CryptoLocker doesn’t stop with local files: some versions of the malware are reportedly capable of encrypting files on removable media, external hard drives, network file shares and cloud storage services that automatically sync to local drives. US-CERT also warns that an infected machine will encrypt files on any mapped network drive it can write to, so one infection can wipe out files that other computers on the network depend on; affected machines should be disconnected from the network immediately.[2]

Catching the criminals behind CryptoLocker won’t be a piece of cake either: the perpetrators demand the money through Bitcoin or MoneyPak. Bitcoin is a decentralized digital currency with no central operator to subpoena, and MoneyPak is a prepaid voucher bought with cash at retail stores; neither is easy to trace to a recipient. And newer variants of CryptoLocker dynamically generate a new Bitcoin payment address for each infection, so there’s no one main Bitcoin “wallet” to watch. Still, the fact that they are using Bitcoin doesn’t necessarily mean these transactions are anonymous and can’t be traced: every Bitcoin payment is recorded in a public ledger, so the flow of funds between addresses can be followed even when the owner of an address isn’t yet known (see my previous post on Bitcoin at http://www.cspri.seas.gwu.edu/1/post/2013/08/whats-the-buzz-about-bitcoin.html).

Interestingly, new information reveals that the private key the criminals threaten to destroy if a victim fails to pay within the specified time limit may not actually be deleted permanently. According to security blogger Brian Krebs, the makers of CryptoLocker are now allowing users to pay even after the initial time window is up. The countdown clock remains, but the private key is still available: for up to ten times the original price.[3] This new provision brings in “business” from users who may have originally decided not to pay but have since changed their minds, and also from those whose anti-virus software automatically detected and deleted the CryptoLocker malware unbeknownst to the user, leaving the victim with a bunch of inaccessible files and no way to pay to retrieve them. Newer versions of CryptoLocker now include a desktop background with a URL where the user can re-download the malware and then pay the ransom. “The idea of purposefully re-infecting a machine by downloading and executing highly destructive malware may be antithetical and even heresy to some security pros. But victims who are facing the annihilation of their most precious files probably have a different view of the situation,” says Krebs.[4] Of course, the new “service” offered up by the CryptoLocker criminals belies their claim that the private key is destroyed after the time elapses.

Is CryptoLocker the worst virus ever? No, definitely not. But it’ll sure give you the biggest headache you’ve had this year should your machine become infected. In the meantime, the best way to protect yourself from CryptoLocker is by doing things you already should be doing. Keep regular, reliable backups of your computer. Most cloud backup services would work, but make sure the backup isn’t a folder that automatically syncs with a drive on your machine; otherwise the encrypted copies will sync up and replace your good ones. A better option is a service or product that keeps version history (differential or incremental backups), so you can restore the copy of a file from before the infection, and a backup drive that stays disconnected between backup runs can’t be touched at all. Restore a few files from your backup now and then to confirm it actually works. Use a real-time anti-virus product. And for added protection, download one of the new free tools on the market like CryptoPrevent: it uses Windows Software Restriction Policies to stop executables from launching out of the user-profile folders CryptoLocker installs itself into (such as %AppData%), and it specifically blocks double-extension files like the .pdf.exe that CryptoLocker’s email lures use.
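The double-extension check described above is simple enough to automate at the point where the lure arrives, the mail attachment, rather than waiting for the file to be double-clicked. The following Python script is an added example written for this post, not code from CryptoPrevent or any other tool mentioned here. It assumes the lure arrives as a .zip attachment (a common packaging for these notices, but an assumption on my part), lists the members, and flags two things: names whose last extension is executable but whose visible name looks like a document (the .pdf.exe trick), and members whose contents begin with the “MZ” bytes every Windows executable starts with, regardless of what the name says. The extension lists and the sample archive are constructed for the example.

```python
import io
import zipfile
from typing import List, Optional

# Extensions Windows will run on double-click. Illustrative set for this example, not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
# Extensions the shipping-notice lures imitate.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
# Every Windows PE executable begins with the DOS header magic "MZ".
PE_MAGIC = b"MZ"


def suspicious_name(name: str) -> Optional[str]:
    """Return why the file name looks like a disguised executable, or None if it doesn't."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1].strip()  # tolerate "invoice.pdf    .exe" style padding
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2].strip() in DOCUMENT_EXTS:
        return (f"double extension .{parts[-2].strip()}.{ext}: Explorer shows only "
                f".{parts[-2].strip()} when known extensions are hidden")
    return f"executable attachment (.{ext})"


def suspicious_content(name: str, head: bytes) -> Optional[str]:
    """Flag a member whose bytes are a PE executable even though its name says otherwise."""
    if head.startswith(PE_MAGIC):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in EXECUTABLE_EXTS:
            return f"PE header (MZ) inside a file named .{ext or '<none>'}"
    return None


def scan_zip_attachment(data: bytes) -> List[str]:
    """Scan an in-memory .zip attachment; return one 'member: reason' string per finding."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed for the content check
            for reason in (suspicious_name(info.filename),
                           suspicious_content(info.filename, head)):
                if reason:
                    findings.append(f"{info.filename}: {reason}")
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample archive imitating a shipping-notice lure; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("FedEx_Notice_837271.pdf.exe", PE_MAGIC + b"\x90\x00" * 40)  # classic lure name
        zf.writestr("Invoice.pdf", b"%PDF-1.4 harmless sample")                  # benign document
        zf.writestr("tracking.pdf", PE_MAGIC + b"\x00" * 60)                     # executable renamed to .pdf
        zf.writestr("readme.txt", b"Your package could not be delivered.")
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_zip_attachment(build_sample_attachment()):
        print(line)
```

Run on the constructed archive, the scan reports the .pdf.exe member and the renamed executable, and stays quiet about the real PDF and the text file. The content check matters because a name-only filter is defeated the moment the criminals drop the double extension and rely on an icon instead; a mail gateway that quarantines on either signal catches both variants of the lure.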


[1] Lauren Orsini, How To Fight CryptoLocker And Evade Its Ransomware Demands, November 8, 2013, available at http://readwrite.com/2013/11/08/cryptolocker-prevent-remove-eradicate#awesm=~on0yIA5rA4DSe5.

[2] Id.

[3] Brian Krebs, CryptoLocker Crew Ratchets Up the Ransom, KrebsonSecurity, November 6, 2013, available at http://krebsonsecurity.com/2013/11/cryptolocker-crew-ratchets-up-the-ransom/.

[4] Id.