
Upsurge in CryptoLocker ransomware


The US Government's Computer Emergency Readiness Team (US-CERT) has warned of an upsurge in the CryptoLocker ransomware virus.

CryptoLocker, which was first spotted in September, is a Trojan that is spread mainly through fake emails that mimic the look of legitimate businesses or via phony FedEx and UPS tracking notices. According to US-CERT, some users have also become infected following a previous botnet attack.

The agency said CryptoLocker “is associated with an increasing number of ransomware infections”.

The virus infiltrates the user's computer and then encrypts files on it and on any mapped network drives. Once it has locked the user out, it demands a MoneyPak or Bitcoin payment within three days. Victims who pay the ransom receive a key that unlocks their encrypted files. According to the Bleepingcomputer.com IT support service, the ransom is currently two bitcoins or roughly £250.

However, on 1 November, the CryptoLocker developers twisted the knife by letting users recover beyond the three-day time limit - at a cost of 10 bitcoins or over £1,300.

US-CERT urges “users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident”, adding that anyone infected should immediately disconnect that system from the network and change all passwords once the malware is removed.

British security expert Mike Auty, senior security researcher at UK-based MWR InfoSecurity, confirmed that CryptoLocker is particularly virulent.

“It does have strong encryption,” Auty told SC Magazine UK. “The way that they have designed it makes it infeasible to recover from. They definitely took the time and effort to design it well. They haven't made any obvious mistakes.”

Auty said the security community had not yet tracked down the virus authors “because they are using an anonymising service to publish the website that you visit to be able to gain access to it”.

Asked about the choice of paying up or not, Auty said that it was, “…a very tough line. First off the decryption doesn't always work. And secondly it is extortion and if you allow yourself to be extorted there is nothing to stop them upping the price or doing it again to you.”

Auty suggested the best way to prevent infection was to have a good backup system. But he also said that, before it starts encrypting, the virus has to communicate with its command and control server using a domain it invents, but whose name relates to the time when the infection occurred. Knowing the time of the infection, an enterprise could identify the domain name and block traffic to it.
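The blocking approach Auty describes, as an added illustration that is not part of the original article: a stand-in generator (not CryptoLocker's real algorithm, which the article does not give) produces domains from the calendar date, so a defender who knows the infection window can enumerate those domains, build a blocklist and flag matching DNS queries in constructed resolver log lines.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in: reproduces only the property the article describes
# (domain depends on the infection date), not CryptoLocker's actual generator.
TLDS = ("com", "net", "org")


def candidate_domains(day: date, per_day: int = 3) -> list[str]:
    """Domains the stand-in generator would contact on one calendar day."""
    names = []
    for i in range(per_day):
        seed = f"{day.isoformat()}:{i}".encode()
        label = hashlib.sha256(seed).hexdigest()[:12]
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def blocklist(first_day: date, last_day: date) -> set[str]:
    """All candidate domains for an inclusive infection window."""
    names: set[str] = set()
    day = first_day
    while day <= last_day:
        names.update(candidate_domains(day))
        day += timedelta(days=1)
    return names


def flag_dns_queries(log_lines, first_day: date, last_day: date):
    """Return (client, domain) pairs whose queried name falls in the window."""
    bad = blocklist(first_day, last_day)
    hits = []
    for line in log_lines:
        parts = line.split()          # constructed format: ts query client qname.
        if len(parts) < 4 or parts[1] != "query":
            continue
        client, qname = parts[2], parts[3].rstrip(".").lower()
        if qname in bad:
            hits.append((client, qname))
    return hits


# Constructed resolver log: one host queries a window domain, two do not.
SAMPLE_LOG = [
    "2013-11-08T10:02:11 query 10.0.0.17 " + candidate_domains(date(2013, 11, 8))[0] + ".",
    "2013-11-08T10:02:15 query 10.0.0.23 example.com.",
    "2013-11-08T10:03:01 query 10.0.0.31 " + candidate_domains(date(2013, 11, 1))[1] + ".",
]
```

Blocking the `blocklist()` output at the egress resolver is the enterprise-side control Auty refers to; the flagged clients are the hosts to isolate.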

Otherwise, Auty said, because “so far the virus only stores itself in very specific, fixed, predictable locations”, domain administrators could apply software policy rules to stop unknown programs in that particular directory being run.

After infection, there is nothing you can do except pay the ransom or restore from backup, he said.

Auty said good technical write-ups on the ransomware are available from the Bleepingcomputer.com website and from Emsisoft, who were one of the first companies to analyse the ransomware when it first appeared in September.

In a 6 November blog post, security expert Brian Krebs called CryptoLocker “a diabolical new twist on an old scam. The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc — as well as any files on attached or networked storage media.”
