Category Archives: Internet crime

Cryptolocker malware is getting worse

A new variant of the nasty malware known as CryptoLocker is appearing on the Internet. CryptoLocker – once it infects your computer – encrypts your data files and then demands money to decrypt them. If you fail to pay within a specified time period, the decryption key is discarded and your files become permanently inaccessible.

The new version of CryptoLocker can apparently spread itself via portable media such as thumb drives. It is also being passed around on file sharing sites disguised as a software activation program (a ‘crack’ or key generator) for Photoshop and Microsoft Office. The original CryptoLocker typically arrived as an email attachment that looked like a PDF file but was actually an executable.

Disguising CryptoLocker as a software activation program is a particularly devious way to spread the malware. Every day, thousands of people who can’t afford the massively overpriced Office and Photoshop look for alternative ways to use that software, and now those people are risking more than the ire of Microsoft and Adobe. A ‘crack’ is a program you run deliberately, with your own account’s privileges, so the usual advice about not opening suspicious attachments offers no protection at all here.

Nightmare malware: CryptoLocker

CryptoLocker is a particularly nasty piece of malware that has been terrorizing computer users since early September 2013. It’s similar to other kinds of ransomware in that once it infects a computer, it offers to undo its effects if the perpetrator is paid.

Ransomware has been around for years, but CryptoLocker adds a twist that makes it far more damaging: it encrypts your data files – making them inaccessible – until you pay. So it’s not just annoying: it can effectively destroy your data. The encryption is strong and correctly implemented, and the key needed to decrypt the files never leaves the criminals’ servers, so without that key the encrypted files cannot be decrypted. After you pay the ransom, CryptoLocker retrieves the key and decrypts the encrypted files, making them usable again.

Other factors can exacerbate a CryptoLocker infection. IT workers who are able to remove the malware after data files have been encrypted may actually make things worse: the decryption routine is part of the malware itself, so with the malware removed, paying the ransom will have no effect – the files will stay encrypted. If files have already been encrypted, isolate the PC (disconnect it from the network and from any backup drives) rather than cleaning it, until you have decided whether to pay.

CryptoLocker typically installs itself when an unwitting user opens an attachment in an email that appears to be from a legitimate business, such as a courier company. The attachment looks like a PDF file and appears harmless, but it is actually an executable – often with a PDF icon and a double extension such as .pdf.exe, the last part of which Windows hides by default – and running it installs CryptoLocker. Once CryptoLocker is running, it tries to contact one of its control servers, from which it receives an encryption key; the matching decryption key stays on the server. CryptoLocker then starts encrypting your files: it looks for files with specific extensions (documents, spreadsheets, images and the like) on local drives and on mapped network drives, so a file share or a permanently connected backup drive is just as exposed as the local disk. It then displays its ‘ransom note’, which describes what has been done and how to pay the ransom, which is typically $300. You have four days to pay, after which the decryption key will be deleted and your files will be inaccessible forever.
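Two of the situations described above can be checked mechanically: an attachment whose name claims to be a PDF but whose bytes are a Windows executable (the lure), and a document that CryptoLocker has already encrypted, which keeps its original name and extension but loses its recognizable header and becomes near-random. The following triage helper is an added example written for this page, not code from the original post or from any CryptoLocker analysis; the sample files, their names, the list of extensions and the entropy threshold of 7.5 bits per byte are all assumptions chosen for the demonstration.

```python
"""Flag files whose contents do not match what their name claims.

Added example for this page (not from the original post). Two cases:
  MASQUERADE       - bytes are a Windows PE ("MZ") but the name says PDF,
                     or uses a double extension such as .pdf.exe
  LIKELY_ENCRYPTED - name says document, header is not one we know, and the
                     bytes are near-random (Shannon entropy above a threshold)
The sample files below are constructed in memory; nothing is read from disk.
"""
import hashlib
import math
from collections import Counter

# Header bytes that identify the real type of common lures and targets.
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe",                    # Windows PE executable
    b"PK\x03\x04": "zip/office",     # .docx/.xlsx/.zip
    b"\xd0\xcf\x11\xe0": "ole/legacy office",  # .doc/.xls
    b"\xff\xd8\xff": "jpeg",
}

# Extensions a user would reasonably trust (assumed list for the example).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "zip"}

# Heuristic threshold: compressed or encrypted data sits near 8 bits/byte.
ENTROPY_THRESHOLD = 7.5


def real_type(data: bytes) -> str:
    """Identify content by header, ignoring the file name entirely."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for a constant run, ~8.0 for random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def claimed_exts(name: str) -> list:
    """All extensions in the name, lower-cased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    return name.lower().split(".")[1:]


def triage(name: str, data: bytes) -> str:
    exts = claimed_exts(name)
    kind = real_type(data)
    if kind == "exe":
        # A real executable is fine only if it openly says so with one extension.
        if len(exts) > 1 or (exts and exts[-1] != "exe"):
            return "MASQUERADE"
        return "executable"
    if exts and exts[-1] in DOC_EXTS:
        if kind != "unknown":
            return "ok"
        if shannon_entropy(data) > ENTROPY_THRESHOLD:
            return "LIKELY_ENCRYPTED"
    return "unknown"


def _pseudo_random(seed: bytes, nbytes: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out, block = bytearray(), seed
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:nbytes])


# Constructed samples, not real malware or real documents.
FAKE_PDF = b"MZ\x90\x00" + b"\x00" * 60           # PE header with a PDF-ish name
REAL_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
ENCRYPTED_DOC = _pseudo_random(b"example-seed", 4096)  # stands in for an encrypted .xlsx

if __name__ == "__main__":
    for fname, blob in [("Invoice_4471.pdf.exe", FAKE_PDF),
                        ("receipt.pdf", REAL_PDF),
                        ("budget.xlsx", ENCRYPTED_DOC),
                        ("setup.exe", FAKE_PDF)]:
        print(f"{fname:24s} {triage(fname, blob):17s} "
              f"type={real_type(blob):18s} entropy={shannon_entropy(blob):.2f}")
```

The header check has to run before the entropy check: a genuine .docx or .jpg is also high-entropy because it is compressed, and only the presence of its normal header separates it from an encrypted one. The masquerade test cannot catch the fake ‘activator’ described in the earlier post, since that really is an executable and announces itself as one; it only catches files pretending to be documents.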

I recently encountered CryptoLocker on a client’s PC. Luckily, the client’s anti-malware software detected the infection and prevented it from doing much damage. Among other things, it prevented CryptoLocker from contacting its control servers, so it never received an encryption key and didn’t encrypt any files. I was able to locate and remove the malware.

If you are hit with this malware, your best protection is a good backup – one that is not permanently connected to the PC, since CryptoLocker encrypts mapped network drives as well, and one you have actually tested restoring from. Without a backup, your only option is to pay the ransom. But don’t feel bad: you’re not alone. Plenty of other people have paid the ransom already.

So this is a good time to repeat those familiar warnings to all computer users: back up your data (and keep at least one copy offline), install good anti-malware software and keep it up to date, and do not open email attachments or click email links unless you know the sender and were expecting that particular email and attachment.

Ars Technica has additional information, and Bleeping Computer has an excellent FAQ for CryptoLocker.