
CryptoLocker ransomware

Discussion in 'Malware Removal Help' started by starbuck, Jan 4, 2014.

Thread Status:
Not open for further replies.
    starbuck (Administrator - Malware Removal Specialist)

    Sep 26, 2009
    Midlands, UK
    Operating System:
    Windows 10
    AMD Athlon II x2 250 Processor 3.00GHz
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper

    CryptoLocker is a ransomware program that was released around the beginning of September 2013 and targets all versions of Windows, including Windows XP, Windows Vista, Windows 7, and Windows 8.

    This ransomware will encrypt certain files using a mixture of RSA and AES encryption.

    CryptoLocker will encrypt files on your system with the following extensions: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.

    Once encryption is complete, the payload then displays a message informing the user that files have been encrypted, and demands a payment of 300 USD or Euro through an anonymous pre-paid cash voucher (i.e. MoneyPak or Ukash), or an equivalent amount in Bitcoin within 72 or 100 hours (while starting at 2 BTC, the ransom price has been adjusted all the way down to 0.3 by the operators to reflect the fluctuating value of Bitcoin).


    In November 2013, the operators of CryptoLocker launched an online service which claims to allow users to decrypt their files without the CryptoLocker program, and to purchase the decryption key after the deadline expires; the process involves uploading an encrypted file to the site as a sample, and waiting for the service to find a match, which the site claims would occur within 24 hours.
    Once a match is found, the user can pay for the key online; if the 72-hour deadline has passed, the cost increases to 10 Bitcoin.
    This was due in part to the Anti Virus/Anti Malware vendors removing the Cryptolocker program and leaving the user with no way of paying the ransom if so desired.

    The notorious Cryptolocker ransomware has taken a turn for the worse — it's evolved from a Trojan into a worm.

    The new variant lurks on file-sharing sites, pretending to be an "activator" that verifies pirated copies of Adobe Photoshop and Microsoft Office.
    Victims trying to get those paid software products for free will run the "activators," infecting themselves and copying the malware onto any USB drives that are subsequently plugged into their machines.

    When CryptoLocker was first released, it was being distributed by itself.
    The infection was typically spread through emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc.
    These emails would contain a zip attachment that when opened would infect the computer.

    Newer malware attachments appear to be Zbot infections that then install the CryptoLocker infection.

    Is it possible to decrypt files encrypted by CryptoLocker?
    Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom. Brute forcing the decryption key is not realistic due to the length of time required to break the key. Also any decryption tools that have been released by various companies will not work with this infection.
    The only method you have of restoring your files is from a backup or Shadow Volume Copies if you have System Restore enabled.
    Note: Shadow Volume Copies are only available with certain versions of Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.

    Newer variants of CryptoLocker will attempt to delete the Shadow Copies, but luckily enough it is not always successful.
    So it's still worth trying to restore your files using this method.
    Restoring your files using Shadow Copies is described in detail in the 'CryptoLocker Ransomware Information Guide and FAQ' link below.


    You can add a layer of protection to help safeguard your system.
    Use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths.
    You can run the tool CryptoPrevent to achieve this, or you can add the restriction policies manually.
    Both methods are described in detail in the 'CryptoLocker Ransomware Information Guide and FAQ' link below.

    Backing up procedures are a MUST
    The existence of malware such as Cryptolocker reinforces the need to back up your personal files regularly.

    The 3-2-1 rule is good practice here – three backup copies of your data, on two different media, and one of those copies in a separate location.
    However, a local backup may not be enough in some instances, as Cryptolocker may even go after backups located on a network drive connected to an infected PC.
    Cloud storage services can help here.
    Cloud storage does not protect you if it is mapped to a drive letter on a protected machine.
    CryptoLocker will happily encrypt any drive letter it finds regardless of its endpoint.

    These links will give you a lot more info on Cryptolocker.

    CryptoLocker Ransomware Information Guide and FAQ

    Cryptolocker thread at BC

    Cryptolocker ransomware, what you need to know

    Cryptolocker Ransomware Evolves to Spread on Its Own

    AES and RSA Encryption

    What you should know about Volume Shadow Copy/System Restore in Windows 7 & Vista (FAQ)
    Last edited: May 8, 2016
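The Software Restriction Policy approach mentioned in the post, shown as an added example (this is not code from the post, from the linked FAQ or from CryptoPrevent). It assumes SRP path rules live in the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, and the blocked paths are my own choice of common dropper locations, not a list taken from the post.

```powershell
# Added example (not from the original post or CryptoPrevent): create Software
# Restriction Policy "Disallowed" path rules so executables cannot launch from
# user-writable locations. Assumes the SRP registry layout under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer; run from an elevated PowerShell.
# Log off and on again (or run gpupdate /force on domain machines) before testing.
#Requires -RunAsAdministrator

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowedPaths = Join-Path $safer '0\Paths'   # security level 0 = Disallowed

# Example paths (my choice, not a list from the post): droppers that arrive in a
# zip attachment typically run from the user profile or from archive extraction
# folders under %Temp%.
$blockedPaths = @(
    '%AppData%\*.exe',
    '%LocalAppData%\*.exe',
    '%Temp%\Rar*\*.exe',
    '%Temp%\7z*\*.exe',
    '%Temp%\wz*\*.exe',
    '%Temp%\*.zip\*.exe'
)

# Base policy: everything is allowed by default (0x40000 = Unrestricted), the
# rules apply to all users (PolicyScope 0) and are enforced (TransparentEnabled 1).
New-Item -Path $safer -Force | Out-Null
Set-ItemProperty -Path $safer -Name DefaultLevel -Type DWord -Value 0x40000
Set-ItemProperty -Path $safer -Name TransparentEnabled -Type DWord -Value 1
Set-ItemProperty -Path $safer -Name PolicyScope -Type DWord -Value 0
New-Item -Path $disallowedPaths -Force | Out-Null

foreach ($p in $blockedPaths) {
    # Skip paths that already have a rule so the script can be re-run safely.
    $existing = Get-ChildItem $disallowedPaths | Where-Object {
        (Get-ItemProperty $_.PSPath).ItemData -eq $p
    }
    if ($existing) { Write-Host "Rule exists: $p"; continue }

    # Each rule is a GUID-named subkey; ItemData holds the (expandable) path.
    $rule = New-Item -Path (Join-Path $disallowedPaths ('{' + [guid]::NewGuid() + '}'))
    Set-ItemProperty -Path $rule.PSPath -Name ItemData -Type ExpandString -Value $p
    Set-ItemProperty -Path $rule.PSPath -Name SaferFlags -Type DWord -Value 0
    Set-ItemProperty -Path $rule.PSPath -Name Description -Type String -Value 'Block executables in user-writable paths'
    Set-ItemProperty -Path $rule.PSPath -Name LastModified -Type QWord -Value ([datetime]::UtcNow.ToFileTimeUtc())
    Write-Host "Added rule: $p"
}

# Review the resulting Disallowed path rules.
Get-ChildItem $disallowedPaths | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

Legitimate installers also run from %Temp% and %AppData%, so test the rules against the software your users actually install and add Unrestricted exceptions (subkey 262144) where needed rather than removing the block.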