
Upsurge in CryptoLocker ransomware


The US Government's Computer Emergency Readiness Team (US-CERT) has warned of an upsurge in infections by the CryptoLocker ransomware.

CryptoLocker, first spotted in September, is a Trojan spread mainly through fake emails that mimic legitimate businesses or pose as FedEx and UPS tracking notices. According to US-CERT, some users have also been infected through systems that were already compromised by an earlier botnet infection.

The agency said CryptoLocker “is associated with an increasing number of ransomware infections”.

Once installed, the malware encrypts files on the local computer and on any mapped network drives, then demands a MoneyPak or Bitcoin payment within three days. Victims who pay the ransom are sent a key that decrypts their files. According to the Bleepingcomputer.com IT support site, the ransom is currently two bitcoins, or roughly £250.

However, on 1 November the CryptoLocker operators twisted the knife further: victims can now buy the key after the three-day deadline has passed, at a cost of 10 bitcoins, or over £1,300.

US-CERT urges “users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident”, adding that anyone infected should immediately disconnect the affected system from the network and change all passwords once the malware has been removed.

British security expert Mike Auty, senior security researcher at UK-based MWR InfoSecurity, confirmed that CryptoLocker is particularly virulent.

“It does have strong encryption,” Auty told SC Magazine UK. “The way that they have designed it makes it infeasible to recover from. They definitely took the time and effort to design it well. They haven't made any obvious mistakes.”

Auty said the security community had not yet tracked down the virus authors “because they are using an anonymising service to publish the website that you visit to be able to gain access to it”.

Asked about the choice of paying up or not, Auty said that it was, “…a very tough line. First off the decryption doesn't always work. And secondly it is extortion and if you allow yourself to be extorted there is nothing to stop them upping the price or doing it again to you.”

Auty said the best defence against infection is a good backup regime. He also pointed out that, before it starts encrypting, the malware has to reach its command-and-control server through a domain name it generates itself, with the name derived from the date on which the infection occurred. An enterprise that knows when a machine was infected can therefore work out which domain names the malware will try and block traffic to them before any files are encrypted.
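To make that blocking approach concrete, here is an added example. It is not code from the article, from US-CERT or from MWR, and it is not CryptoLocker's real domain generation algorithm: a date-seeded generator stands in for the real one, a blocklist builder covers the infection day plus a day either side to absorb clock skew, and a matcher runs the list over constructed DNS query-log lines. The seed, hash construction, label lengths, TLD list and log format are all assumptions made for the example.

```python
import hashlib
import re
from datetime import date, timedelta

# Illustrative stand-in for a date-seeded domain generation algorithm (DGA).
# This is NOT CryptoLocker's real algorithm; the seed, hash construction,
# label lengths and TLD list are assumptions made for the example.
TLDS = ("com", "net", "biz", "ru", "org", "co.uk", "info")


def generate_domains(day, count=1000, seed=b"illustrative-seed"):
    """Return the `count` candidate C2 domains for one calendar day.

    The only inputs are the date and a fixed seed, so a defender who knows the
    infection date can reproduce the list the malware will try.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 12 + digest[0] % 5                      # 12..16 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def blocklist_for_infection(infection_day, skew_days=1, count=1000):
    """Domains to sinkhole: the infection day plus `skew_days` either side,
    because the malware uses its own idea of the date and clocks drift."""
    names = set()
    for offset in range(-skew_days, skew_days + 1):
        names.update(generate_domains(infection_day + timedelta(days=offset), count))
    return names


def as_hosts_entries(blocklist, sink="0.0.0.0"):
    """Render the blocklist as hosts-file / sinkhole lines, sorted for diffing."""
    return "\n".join(f"{sink} {name}" for name in sorted(blocklist))


# Minimal BIND-style query-log line: timestamp, client, queried name, type.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def find_dga_lookups(log_lines, blocklist):
    """Return (timestamp, client, domain) for every query that hits the blocklist."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()   # drop trailing dot, fold case
        if qname in blocklist:
            hits.append((m.group("ts"), m.group("client"), qname))
    return hits


# Constructed sample data: an infection first noticed on 5 Nov 2013 and a few
# query-log lines.  Two queries come from that day's generated list and one
# from the following day, to show why the skew window matters.
INFECTION_DAY = date(2013, 11, 5)
_same_day = generate_domains(INFECTION_DAY)
_next_day = generate_domains(INFECTION_DAY + timedelta(days=1))
SAMPLE_LOG = [
    "2013-11-05T09:14:02Z client 10.0.0.15#53211: query: www.example.com. IN A",
    f"2013-11-05T09:14:03Z client 10.0.0.15#53212: query: {_same_day[17]}. IN A",
    f"2013-11-05T09:14:03Z client 10.0.0.15#53213: query: {_same_day[18].upper()}. IN A",
    "2013-11-05T09:15:00Z client 10.0.0.9#51000: query: updates.vendor.example. IN A",
    f"2013-11-06T01:02:11Z client 10.0.0.22#40000: query: {_next_day[3]}. IN A",
]


if __name__ == "__main__":
    blocklist = blocklist_for_infection(INFECTION_DAY)
    for ts, client, name in find_dga_lookups(SAMPLE_LOG, blocklist):
        print(f"{ts} {client} -> {name}")
    print(as_hosts_entries(sorted(blocklist)[:3]))
```

The same precomputed list serves two purposes: pushed to the resolver or proxy as a sinkhole it stops the malware fetching what it needs before encryption starts, and run over historical DNS logs it identifies which client made the lookups, which is the machine to pull off the network first. Because a real DGA is tied to the operator's own seed and date handling, the list is only as good as the reverse-engineered algorithm, so a defender should confirm a few generated names against observed lookups before trusting the whole list.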

Otherwise, Auty said, because “so far the virus only stores itself in very specific, fixed, predictable locations”, domain administrators could use software restriction policies to stop unknown programs from running out of those directories.
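As an added illustration (example code, not from the article, MWR or Microsoft), here is a small evaluator that applies software restriction policy (SRP) style path rules of the kind this advice leads to against a handful of constructed process-launch paths. The environment values, the rule list, the exception rule and the sample paths are assumptions; it models only path matching, not SRP's full rule precedence, and is meant for reasoning about rule coverage before the real policy is deployed through Group Policy.

```python
import re

# Constructed profile environment for the example.  On a real host the values
# come from the user's session; these are assumptions.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "PROGRAMFILES": r"C:\Program Files",
}

# Deny rules in the shape of SRP path rules.  Each location gets a top-level
# pattern and a one-level-deeper pattern, because "%AppData%\*.exe" on its own
# does not reach files in subfolders.  Add "\*\*\*.exe" variants if deeper
# nesting must be covered; each "*" here matches exactly one path segment.
DENY_RULES = [
    r"%AppData%\*.exe",
    r"%AppData%\*\*.exe",
    r"%LocalAppData%\*.exe",
    r"%LocalAppData%\*\*.exe",
    r"%Temp%\*.exe",
    r"%Temp%\*\*.exe",
]

# Explicit exceptions for legitimate software that installs into the profile
# (hypothetical vendor directory).  In SRP the most specific matching rule
# wins; this evaluator approximates that by checking exceptions first.
ALLOW_RULES = [
    r"%LocalAppData%\Vendor\*.exe",
]


def expand_env(pattern, env=ENV):
    """Expand %VAR% tokens case-insensitively; unknown tokens are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), pattern)


def rule_to_regex(pattern, env=ENV):
    """Compile an SRP-style path pattern; '*' matches within one path segment only."""
    segments = expand_env(pattern, env).split("\\")
    escaped = [re.escape(seg).replace(r"\*", r"[^\\]*") for seg in segments]
    return re.compile("^" + r"\\".join(escaped) + "$", re.IGNORECASE)


def evaluate(exe_path, env=ENV):
    """Return ("allow", rule) or ("deny", rule) for a process image path.

    The default level in this model is Unrestricted, as in a stock SRP setup,
    so anything no rule matches is allowed.
    """
    for rule in ALLOW_RULES:
        if rule_to_regex(rule, env).match(exe_path):
            return "allow", rule
    for rule in DENY_RULES:
        if rule_to_regex(rule, env).match(exe_path):
            return "deny", rule
    return "allow", None


def audit(events, env=ENV):
    """Evaluate a batch of launch paths; returns (path, decision, rule) triples."""
    return [(path,) + evaluate(path, env) for path in events]


# Constructed process-creation events: the image path as it would be launched.
SAMPLE_EVENTS = [
    r"C:\Users\alice\AppData\Roaming\x7gh2.exe",                 # dropper in %AppData%
    r"C:\Users\alice\AppData\Local\Temp\wdfmgr\svchost.exe",     # look-alike name in %Temp% subfolder
    r"C:\USERS\ALICE\APPDATA\ROAMING\Updater\helper.EXE",        # case differs, still caught
    r"C:\Users\alice\AppData\Local\Vendor\updater.exe",          # legitimate per-user installer
    r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",   # normal program location
]


if __name__ == "__main__":
    for path, decision, rule in audit(SAMPLE_EVENTS):
        print(f"{decision:5} {path}  ({rule})")
```

Running the evaluator over the sample events shows the two things worth checking before rolling a policy out: that the per-user and temp locations are denied regardless of case and one level of nesting, and that any legitimate software living in the profile has an explicit exception, otherwise the policy will break it. It also shows the gap: a path nested two folders deep under %AppData% is not matched by these rules, so either add deeper patterns or verify on a test host how far a real SRP wildcard reaches.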

After infection, there is nothing you can do except pay the ransom or restore from backup, he said.

Auty said good technical write-ups on the ransomware are available from the Bleepingcomputer.com website and from Emsisoft, which was one of the first companies to analyse the ransomware when it appeared in September.

In a 6 November blog post, security expert Brian Krebs called CryptoLocker “a diabolical new twist on an old scam. The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc — as well as any files on attached or networked storage media.”
