Nightmare malware: CryptoLocker

CryptoLocker is a particularly nasty piece of malware that has been terrorizing computer users since early September 2013. It’s similar to other kinds of ‘ransomware’ in that once it infects a computer, it offers to undo its effects if the perpetrator is paid.

Ransomware has been around for years, but CryptoLocker adds a new twist: it encrypts your data files – making them inaccessible – until you pay. So it’s not just annoying: it can effectively destroy your data. Without the proper key, the encrypted files cannot be decrypted. After you pay the ransom, CryptoLocker decrypts the encrypted files, making them usable again.

Other factors can exacerbate a CryptoLocker infection. IT workers who are able to remove the malware after data files have been encrypted may actually make things worse: without the malware in place, paying the ransom will have no effect – the files will stay encrypted.

CryptoLocker typically installs itself when an unwitting user opens an attachment in an email that appears to be from a legitimate business, such as a courier company. The attachment is usually disguised as a PDF file and looks harmless, but it is actually an executable, and running it installs CryptoLocker. Once CryptoLocker is running, it tries to contact one of its control servers, from which it receives an encryption key. CryptoLocker then starts encrypting your files: it looks for files with specific extensions on local and mapped network drives. It then displays its ‘ransom note’, which describes what has been done and how to pay the ransom, which is typically $300. You have four days to pay, after which the encryption key will be deleted and your files will be inaccessible forever.
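The delivery trick above relies on an executable being dressed up as a document. The following is an added example, not code from the original post, of a simple mail-gateway check for that pattern: it flags a double extension (Windows Explorer hides known extensions, so `Notice.pdf.exe` is shown as `Notice.pdf`) and a mismatch between the claimed extension and the file’s leading bytes. The extension lists and the sample attachments are constructed assumptions for the demonstration.

```python
# Added example: flag email attachments that claim to be documents
# but are really Windows executables. Extension lists are assumptions.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}

# Leading bytes that identify the real file type, independent of its name.
MAGIC = {
    b"MZ": "windows-executable",   # PE / DOS header
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",          # also the docx/xlsx container format
}


def sniff_type(data: bytes) -> str:
    """Classify an attachment by its magic bytes, not its filename."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(name: str, data: bytes) -> list:
    """Return the reasons an attachment looks suspicious (empty list = clean)."""
    reasons = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # "invoice.pdf.exe" displays as "invoice.pdf" when extensions are hidden.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append(f"double extension hides executable: .{parts[-2]}.{ext}")
    elif ext in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment: .{ext}")
    # The name says document, the content says executable.
    if ext in DOCUMENT_EXTS and sniff_type(data) == "windows-executable":
        reasons.append(f"content is a Windows executable but name claims .{ext}")
    return reasons


# Constructed samples: a genuine PDF header, a double-extension executable,
# and a PE file that simply carries a .pdf name.
SAMPLES = {
    "Delivery_Receipt.pdf": b"%PDF-1.4 ...",
    "Shipment_Notice.pdf.exe": b"MZ\x90\x00...",
    "Tracking_Info.pdf": b"MZ\x90\x00...",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, "->", check_attachment(fname, blob) or "ok")
```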

I recently encountered CryptoLocker on a client’s PC. Luckily, the client’s anti-malware software detected the infection and prevented it from doing much damage. Among other things, it prevented CryptoLocker from contacting its control servers, so it never received an encryption key and didn’t encrypt any files. I was able to locate and remove the malware.

If you are hit with this malware, your best protection is a good backup. Without a backup, your only option is to pay the ransom. But don’t feel bad: you’re not alone. Plenty of other people have paid the ransom already.

So this is a good time to issue those familiar warnings to all computer users: back up your data, install good anti-malware software, and do not open email attachments or click email links unless you know the sender and what the email is expected to contain.

Ars Technica has additional information, and Bleeping Computer has an excellent FAQ for CryptoLocker.

About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.
