
Upsurge in CryptoLocker ransomware


The US Government's Computer Emergency Readiness Team (US-CERT) has warned of an upsurge in the CryptoLocker ransomware virus.

CryptoLocker, which was first spotted in September, is a Trojan that is spread mainly through fake emails that mimic the look of legitimate businesses or via phony FedEx and UPS tracking notices. According to US-CERT, some users have also become infected following a previous botnet attack.

The agency said CryptoLocker “is associated with an increasing number of ransomware infections”.

The virus infiltrates the user's computer, then encrypts files on it and on any mapped network drives. Once it has locked the user out, it demands a MoneyPak or Bitcoin payment within three days. Victims who pay the ransom receive a key that unlocks their encrypted files. According to the Bleepingcomputer.com IT support service, the ransom is currently two bitcoins or roughly £250.

However, on 1 November, the CryptoLocker developers twisted the knife by letting users recover beyond the three-day time limit - at a cost of 10 bitcoins or over £1,300.

US-CERT urges “users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident”, adding that anyone infected should immediately disconnect that system from the network and change all passwords once the malware is removed.

British security expert Mike Auty, senior security researcher at UK-based MWR InfoSecurity, confirmed that CryptoLocker is particularly virulent.

“It does have strong encryption,” Auty told SC Magazine UK. “The way that they have designed it makes it infeasible to recover from. They definitely took the time and effort to design it well. They haven't made any obvious mistakes.”

Auty said the security community had not yet tracked down the virus authors “because they are using an anonymising service to publish the website that you visit to be able to gain access to it”.

Asked about the choice of paying up or not, Auty said that it was, “…a very tough line. First off the decryption doesn't always work. And secondly it is extortion and if you allow yourself to be extorted there is nothing to stop them upping the price or doing it again to you.”

Auty suggested the best way to prevent infection was to have a good backup system. But he also said that, before it starts encrypting, the virus has to communicate with its command and control server using a domain it generates itself, whose name is derived from the time when the infection occurred. Knowing the time of the infection, an enterprise could work out the domain name and block traffic to it.

Otherwise, Auty said, because “so far the virus only stores itself in very specific, fixed, predictable locations”, domain administrators could apply software policy rules to stop unknown programs in that particular directory being run.
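As an added illustration of the time-based domain blocking Auty describes (this is not code from the article and not CryptoLocker's real generator, which the article does not reproduce): a responder who knows the infection day enumerates the candidate domains for a window around it, matches them against resolver logs to find affected hosts, and emits the names to block. The generator, log format, date and client addresses are all constructed stand-ins.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in parameters; the real generator is not reproduced here.
TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 3

def candidate_domains(day: date) -> set[str]:
    """Constructed date-seeded generator standing in for the real one: hash the
    date plus an index and map the first 12 hex digits to a letter label."""
    names = set()
    for i in range(DOMAINS_PER_DAY):
        digest = hashlib.sha256(f"{day.isoformat()}-{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        names.add(f"{label}.{TLDS[i % len(TLDS)]}")
    return names

def domains_for_window(start: date, end: date) -> set[str]:
    """Candidate domains for every day in the inclusive window, so the blocklist
    still covers an infection whose exact day is only roughly known."""
    names, day = set(), start
    while day <= end:
        names |= candidate_domains(day)
        day += timedelta(days=1)
    return names

def match_dns_log(lines, start: date, end: date):
    """Return (hits, blocklist). Each line is '<iso-time> <client> query <name>'
    (constructed format); hits are (client, name) pairs that are candidates."""
    blocklist = domains_for_window(start, end)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # skip malformed or non-query lines
        name = parts[3].rstrip(".").lower()
        if name in blocklist:
            hits.append((parts[1], name))
    return hits, sorted(blocklist)

INFECTED_DAY = date(2013, 11, 4)  # constructed example date
SAMPLE_LOG = [  # constructed resolver log: benign queries plus one candidate hit
    "2013-11-04T10:02:11 192.0.2.15 query www.example.com",
    f"2013-11-04T10:02:13 192.0.2.15 query {sorted(candidate_domains(INFECTED_DAY))[0]}",
    "2013-11-04T10:03:40 192.0.2.22 query updates.example.net",
    "2013-11-04T10:03:41 192.0.2.22 query garbage",
]

def scan_sample(days_either_side: int = 1):
    """Run the matcher over the constructed log with a window around INFECTED_DAY."""
    delta = timedelta(days=days_either_side)
    return match_dns_log(SAMPLE_LOG, INFECTED_DAY - delta, INFECTED_DAY + delta)
```

Running `scan_sample()` reports the client that queried a candidate name and the nine names (three per day over the three-day window) to push to the resolver or proxy blocklist.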

After infection, there is nothing you can do except pay the ransom or restore from backup, he said.

Auty said good technical write-ups on the ransomware are available from the Bleepingcomputer.com website and from Emsisoft, which was one of the first companies to analyse the ransomware when it first appeared in September.

In a 6 November blog post, security expert Brian Krebs called CryptoLocker “a diabolical new twist on an old scam. The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc — as well as any files on attached or networked storage media.”
