Fact File: Cryptolocker
Discovered: September 2013
Systems vulnerable: Windows
What is Cryptolocker?
Cryptolocker is a virus which is classed as “Trojan Ransomware”. This means that the virus masquerades as a normal file, and is often transferred via email attachments to trick the recipient into downloading the file and infecting their computer.
Cryptolocker only affects Windows PCs. Once the virus has infected a computer it establishes contact with a central server before it is activated. On activation, the virus encrypts files stored on the infected computer and on any storage devices connected to it.
When the encryption is complete, a message appears on the victim’s screen demanding payment in order to receive the key to decrypt the files. The threatening message has a countdown timer indicating how long the victim has left to pay before the data is lost forever. As an additional scare tactic, the message also states “Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.”
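Because the virus works by overwriting documents with ciphertext, one cheap way for a defender to notice it early is to look for files whose contents suddenly look random. The script below is an added example and is not part of the original fact file: it computes the Shannon entropy of each file under a directory and flags those above a threshold. The threshold of 7.5 bits per byte and the sample directory it builds are assumptions; the sample contains two plain documents and two files of random bytes standing in for encrypted documents.

```python
"""Added example (not from the original fact file): flag files whose byte
distribution looks like ciphertext, a cheap heuristic for spotting mass
encryption of documents on a disk or an attached drive."""
import math
import os
import tempfile
from collections import Counter

# Assumption: ciphertext approaches 8.0 bits/byte, ordinary documents are far lower.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_directory(path: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return the sorted relative paths of files whose entropy exceeds `threshold`."""
    flagged = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                data = fh.read()
            if shannon_entropy(data) > threshold:
                flagged.append(os.path.relpath(full, path))
    return sorted(flagged)


def build_sample_tree() -> str:
    """Constructed sample data: two plain-text documents and two files of
    random bytes standing in for documents the ransomware has encrypted.
    Returns the temporary directory that was created."""
    root = tempfile.mkdtemp(prefix="cryptolocker_demo_")
    documents = {
        "report.txt": b"Quarterly figures: revenue up, costs flat. " * 40,
        "notes.txt": b"Meeting notes. Action items below.\n" * 50,
    }
    for name, body in documents.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    for name in ("report.txt.encrypted", "photo.jpg.encrypted"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(os.urandom(4096))  # stand-in for ciphertext
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel in scan_directory(sample):
        print("high-entropy file, investigate:", rel)
```

Already-compressed or genuinely encrypted files (archives, JPEGs, password-protected documents) also score close to 8 bits per byte, so a flagged file is a reason to investigate, not proof of infection; what matters in practice is a sudden jump in the number of such files, particularly under a user's documents folder.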
What’s being done about Cryptolocker?
In May 2014, Cryptolocker was isolated as the Gameover ZeuS botnet was taken down. Gameover ZeuS was used by cyber criminals to create a backdoor into target computers, allowing access for the Cryptolocker virus. With Gameover ZeuS taken down, the virus in the infected computers could not communicate with the server to activate, meaning victims’ data was temporarily safe from encryption.
Unknown to the criminals, parts of the network were under the control of police forces and security firms, which resulted in a database of victims and their decryption keys being captured.
There has since been an online portal set up which allows victims to obtain their decryption key for free (see below for more details).
What can I do if my computer has been infected?
Cryptolocker encrypts all your files with near unbreakable strength. This means there’s an extremely small chance that the data will be recovered if there is no back-up of it.
Back-ups of data should not be restored whilst Cryptolocker is still present on a computer, otherwise you may lose that too!
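A back-up on a drive that was attached to the infected computer may itself have been encrypted, so it is worth being able to check a back-up before trusting it. The script below is an added example and is not part of the original fact file: when the back-up is taken it records a SHA-256 hash of every file in a manifest, and before a restore it compares the back-up against that manifest and reports modified, missing and unexpected files. The file names and the scenario in `demo()` are constructed; the manifest is deliberately written to a separate location, on the assumption that it is kept somewhere the ransomware cannot reach.

```python
"""Added example (not part of the original fact file): hash every file in a
back-up into a manifest when the back-up is taken, and verify the back-up
against that manifest before restoring it, so a back-up that the ransomware
reached (for example on an attached drive) is detected rather than restored."""
import hashlib
import json
import os
import tempfile


def file_sha256(path: str) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(backup_dir: str) -> dict:
    """Map each file's path relative to `backup_dir` to its SHA-256 digest."""
    digests = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            digests[os.path.relpath(full, backup_dir)] = file_sha256(full)
    return digests


def write_manifest(backup_dir: str, manifest_path: str) -> dict:
    """Record the current state of the back-up. Keep the manifest off the
    back-up drive (assumption: somewhere the ransomware cannot write)."""
    manifest = hash_tree(backup_dir)
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_backup(backup_dir: str, manifest_path: str) -> dict:
    """Compare the back-up with its manifest. An empty result means it is
    safe to restore; anything listed means the back-up has changed since
    it was taken and must be investigated first."""
    with open(manifest_path) as fh:
        expected = json.load(fh)
    present = hash_tree(backup_dir)
    return {
        "modified": sorted(p for p in expected if p in present and present[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in present),
        "unexpected": sorted(p for p in present if p not in expected),
    }


def demo() -> tuple:
    """Constructed scenario: take a back-up, verify it clean, then simulate the
    ransomware reaching the back-up drive and verify again."""
    backup = tempfile.mkdtemp(prefix="backup_")
    manifest = os.path.join(tempfile.mkdtemp(prefix="manifest_"), "manifest.json")
    for name, body in {"accounts.doc": b"alpha", "budget.xls": b"beta"}.items():
        with open(os.path.join(backup, name), "wb") as fh:
            fh.write(body)
    write_manifest(backup, manifest)
    clean = verify_backup(backup, manifest)
    # Simulated damage: one file overwritten with junk bytes, the other
    # replaced by a renamed ciphertext file, as an encrypting virus would do.
    with open(os.path.join(backup, "accounts.doc"), "wb") as fh:
        fh.write(os.urandom(32))
    os.rename(os.path.join(backup, "budget.xls"),
              os.path.join(backup, "budget.xls.encrypted"))
    return clean, verify_backup(backup, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

The check only proves that the back-up is unchanged since the manifest was written; it says nothing about whether the machine being restored to is still infected, which is why the restore should wait until the computer has been cleaned.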
Some users reported their data being restored after paying the ransom; however, this is not recommended. There is no guarantee that the data will be returned, and paying may simply leave you £300 out of pocket. Not only does this fund cyber crime, the criminals may be unable to return your data because the National Crime Agency has taken down their control servers.
It’s not all bad news! The online portal, called Decrypt Cryptolocker, was set up by security experts to provide victims with their key for free.
The portal requires an email address and the upload of an encrypted file which does not contain any sensitive or personally identifiable information.
Remember: Make sure you regularly back up your data!