CryptoLocker, first seen in 2013, is a ransomware family that targets all Windows versions. Using asymmetric encryption, it encrypts selected files on the victim's PC and then displays a ransom message. The sum demanded for decrypting the files is between $100 and $300, and the message carries a countdown timer that threatens to destroy the private key needed for decryption if the money is not paid within 72 hours via Bitcoin or MoneyPak vouchers.
How Does CryptoLocker Infect the User’s PC?
CryptoLocker reaches the user's PC as an email attachment. The malicious message poses as an account charge alert, a missed package delivery notice, or some other customer support issue from a well-known company.
The email carries a .zip attachment; opening the executable inside it lets the ransomware in and infects the computer. That executable is disguised as an ordinary PDF file (it carries a PDF icon and a double extension such as invoice.pdf.exe, which Windows shows as invoice.pdf when extensions for known file types are hidden), so the user is easily misled.
How CryptoLocker Encrypts Files
CryptoLocker is usually delivered as an attachment that the user downloads and runs. It then copies itself to the root of the %AppData% or %LocalAppData% folder, where programs keep their settings and temporary files, and adds a value to the registry Run key so that it is launched automatically each time the user logs in.
CryptoLocker also hijacks the .EXE file association in the registry, so that the next time any executable is launched the ransomware runs first and attempts to delete the Volume Shadow Copies on the victim's PC (the previous-version snapshots Windows could otherwise use to restore the encrypted files). Once the shadow copies are deleted, the .EXE association is restored to the Windows default.
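The three host-side indicators just described (a Run-key value pointing into %AppData%, a hijacked .EXE association, and an attempt to delete shadow copies) can be turned into a simple detection. The script below is an added example, not code from the original article or from any vendor tool. It runs over constructed sample events in a simplified Sysmon-like shape: the field names, the user SID, the file names and the registry values are assumptions chosen for illustration, modelled on public write-ups rather than taken from a real capture. A benign run-key entry under AppData\Local is included on purpose to show the false positive a pure path-based rule produces.

```python
"""Flag CryptoLocker-style host behaviour in process and registry events.

Added example for this article; not the ransomware's code nor a vendor
signature. Event shape, SID, file names and values are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample events (assumption: fields type/image/cmdline for
# process creation, type/key/value for registry value writes).
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Users\alice\AppData\Roaming\Fbkedwle.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\Fbkedwle.exe"},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker",
     "value": r"C:\Users\alice\AppData\Roaming\Fbkedwle.exe"},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-1004\Software\Classes\.exe\shell\open\command\(Default)",
     "value": r'"C:\Users\alice\AppData\Roaming\Fbkedwle.exe" "%1" %*'},
    {"type": "process",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    # Benign noise: a legitimate updater that lives under AppData\Local.
    {"type": "registry",
     "key": r"HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # Benign: listing shadow copies is not deleting them.
    {"type": "process",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe List Shadows"},
]

# Paths under the per-user AppData folders (where CryptoLocker installs itself).
APPDATA_RE = re.compile(r"(?i)(^%(appdata|localappdata)%|\\appdata\\(roaming|local)\\)")
# Shadow-copy deletion via vssadmin, plus the equivalent wmic form.
SHADOW_DELETE_RE = re.compile(
    r"(?i)\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)")
# The .exe / exefile open command; Windows ships it as "%1" %*.
EXE_ASSOC_RE = re.compile(r"(?i)\\(\.exe|exefile)\\shell\\open\\command(\\\(default\))?$")
DEFAULT_EXE_COMMAND = '"%1" %*'
RUN_KEY_RE = re.compile(r"(?i)\\currentversion\\run(once)?\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def first_token(cmd):
    """Return the executable path from a command line, handling a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def in_appdata(path):
    return bool(APPDATA_RE.search(path))


def check_process(ev):
    out = []
    if SHADOW_DELETE_RE.search(ev.get("cmdline", "")):
        out.append(Finding("shadow_copy_deletion", ev["cmdline"]))
    if in_appdata(ev.get("image", "")):
        out.append(Finding("exec_from_appdata", ev["image"]))
    return out


def check_registry(ev):
    out = []
    key, value = ev.get("key", ""), ev.get("value", "")
    if RUN_KEY_RE.search(key) and in_appdata(first_token(value)):
        out.append(Finding("run_key_into_appdata", f"{key} = {value}"))
    if EXE_ASSOC_RE.search(key) and value.strip() != DEFAULT_EXE_COMMAND:
        out.append(Finding("exe_association_hijack", f"{key} = {value}"))
    return out


def scan(events):
    """Return findings in event order; an event may raise more than one rule."""
    findings = []
    for ev in events:
        if ev.get("type") == "process":
            findings.extend(check_process(ev))
        elif ev.get("type") == "registry":
            findings.extend(check_registry(ev))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.evidence}")
```

The OneDrive hit shows why a path-only rule for %AppData% needs an allow-list of known-good binaries (or a signer check) before it can page anyone; the shadow-copy and .EXE-association rules, by contrast, almost never fire on a healthy workstation and are the higher-confidence signals.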
CryptoLocker uses asymmetric encryption, which means a public and a private key are involved. It contacts a Command & Control (C&C) server to obtain the public key used to encrypt the files; the matching private key, which is needed for decryption, stays on the criminals' server. CryptoLocker encrypts files with the following extensions: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.
Once the files are encrypted, a ransom message appears on the screen. If the victim does not pay, the private key stored on the C&C server is destroyed between 24 and 72 hours after the message is shown.
The ransom note claims that a unique key pair is generated for each infected computer and that the only copy of the private key is held on the criminals' server, so once that key is deleted the data cannot be restored. Later versions of CryptoLocker added an option to upload an encrypted file to a website run by the criminals, which attempts to decrypt it. The result may be reported to the user within 24 hours of the upload, but the decryption price then rises to 10 BTC.
How to React If Your Computer Is Infected with CryptoLocker?
Users who discover that their PC is infected with CryptoLocker should immediately disconnect it from the network. Encryption of local files cannot be stopped this way once the public key has already been fetched, but disconnecting keeps the ransomware from encrypting files on mapped network shares and, if it has not yet reached its C&C server, from obtaining a key at all. Many users who paid the ransom report that a new message appears confirming that a payment verification process has started; it runs for up to 3-4 hours and, when it completes, automatic decryption of the files begins. In some cases a message reports that certain files could not be decrypted.
Preventing a CryptoLocker Infection
To prevent a CryptoLocker infection on their computers, users should:
- Password-protect file shares
- Remove services and programs that are not needed
- Block or strip email attachments used to deliver infections (executables, and archives containing executables)
- Use a firewall to restrict incoming connections
- Block executables from launching out of %AppData% and %LocalAppData%, where CryptoLocker installs itself (for example with Software Restriction Policies or AppLocker), rather than relying on users not to run them
The Return of CryptoLocker
At the beginning of June 2014, a large operation called “Operation Tovar”, led by the FBI, the US Department of Justice, Europol and the UK's NCA, cut the Gameover Zeus botnet off from its C&C servers. Using the combined Gameover Zeus and CryptoLocker infrastructure, the criminals had been targeting users all over the world and had infected around 500,000 computers before the operation succeeded.
Gameover Zeus was used to infect users' computers with CryptoLocker, which then displayed the ransom message to the victims. New versions of the ransomware with improved code appeared shortly afterwards, among them New CryptoLocker, CryptoDefense, CryptoWall and DirCrypt, and they are expected to build new networks of infected computers. In some of the new versions the victim finds payment instructions in text files dropped into the encrypted folders, while in others payment is requested through the Tor anonymity network, which hides and protects the criminals' identity.
Remove CryptoLocker Automatically with the SpyHunter Malware Removal Tool
You may want to clean your system with a reputable anti-malware solution. For the future, always back up important files so that the consequences of a ransomware infection are kept to a minimum; an external storage device or a cloud service can be used for this. Keep in mind that a backup which stays connected to the infected PC (a mapped drive or an always-attached USB disk) can be encrypted along with the originals, so keep backups offline or versioned.