Gruppo TIM

The CryptoLocker ransomware

CryptoLocker is ransomware: malicious software that infects Windows operating systems and blocks the documents on your computer by encrypting them, making it impossible to open the files.

It was first identified at the end of 2013 and, according to estimates, its rise was record-breaking: it managed to extort as much as 27 million dollars in just two months.

The malware was further refined in 2017, when it hit many small and medium-sized businesses by locking up their employees’ computers.


What is CryptoLocker

CryptoLocker is a type of ransomware that infects computers as a Trojan. It is programmed to attack Microsoft Windows systems and block access to files until a ransom is paid to the malware authors.

Once installed, CryptoLocker encrypts certain files detected on the infected computer and displays a ransom note on the screen, asking for hundreds of dollars in bitcoins to receive the decryption key.


How CryptoLocker works

The Trojan spreads as an e-mail attachment and through a P2P file-sharing botnet. It is executed when the victim opens the attached ZIP file (entering the password included in the message) and tries to open the PDF it appears to contain.

CryptoLocker takes advantage of the default Windows behavior of hiding known file extensions to mask the true .EXE extension of the malicious file: a file named like a PDF is shown without its final .EXE part and is executed when double-clicked.
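The double-extension trick described above can be checked for before an attachment is ever opened. The following Python script is an added example, not code from the original article or from TIM: it builds a constructed sample ZIP in memory (a benign text file, a real-looking PDF stub and a fake `invoice.pdf.exe` whose content starts with the PE magic bytes `MZ`, not real malware) and flags members whose name ends in an executable extension that Windows would hide, or whose content is a Windows executable. The lists of "document" and "executable" extensions are assumptions for illustration and are not exhaustive. `zipfile` can read ZipCrypto-protected archives via the `pwd` argument but cannot write them, so the sample archive is unencrypted.

```python
import io
import zipfile

# Assumed, non-exhaustive lists for illustration: extensions Windows will run,
# and extensions a user expects to see on a harmless document.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}


def explorer_display_name(filename):
    """Approximate what Explorer shows with 'Hide extensions for known file
    types' enabled (the Windows default): the final known extension is dropped,
    so 'invoice.pdf.exe' is displayed as 'invoice.pdf'."""
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return base
    return filename


def suspicious_members(zip_bytes, password=None):
    """Return [(member name, reason)] for archive members that look like
    disguised executables. Two independent checks: the file name (a document
    extension followed by an executable one, or any executable extension) and
    the content (the 'MZ' header every Windows PE file starts with)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Work on the base name only, so 'docs/invoice.pdf.exe' is handled too.
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            reasons = []
            if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS:
                reasons.append("double extension .%s hides .%s" % (".".join(parts[-2:]), parts[-1]))
            elif len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension ." + parts[-1])
            # Only the first two bytes are needed to recognise a PE file.
            with zf.open(info, pwd=password) as member:
                if member.read(2) == b"MZ":
                    reasons.append("PE header (MZ) inside archive")
            if reasons:
                findings.append((info.filename, "; ".join(reasons)))
    return findings


def build_sample_zip():
    """Constructed sample attachment (not real malware): a benign text file,
    a PDF stub, and a fake executable disguised as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("notes.pdf", b"%PDF-1.4 constructed stub")
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 16)  # fake PE header only
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_zip()):
        print("%-20s shown as %-14s -> %s" % (name, explorer_display_name(name), reason))
```

Run on the constructed archive, only `invoice.pdf.exe` is reported, with both reasons, and the script shows that Explorer would have displayed it as `invoice.pdf`. The content check matters because the name check alone is defeated by an archive member with no extension at all; the name check matters because scripts (`.js`, `.vbs`) do not carry an `MZ` header.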

Once active, the malware encrypts certain types of files stored on local drives or on mounted network drives using RSA public-key encryption, keeping the private key only on the malware’s control servers.

CryptoLocker encrypts files to a level that makes them unrecoverable, leaving victims with only two options to regain access to their files: pay the ransom (with no real guarantee that payment will actually release the files) or restore them from backup copies.

However, the joint efforts of police forces from multiple countries made it possible to access the database of private keys used by CryptoLocker.

This database was in turn used to create an online tool for recovering keys and files without having to pay the ransom.


Who are the targets?

CryptoLocker only works on PCs with Windows XP, Vista, Windows 7 or Windows 8, as it is designed to take advantage of the features included in those operating systems.

It has no effect on Apple devices, smartphones or tablets.

According to the FBI and other law enforcement agencies, CryptoLocker operators have successfully extorted millions of dollars in ransom payments.

By the end of 2013, a few months after its release, the malware had already infected more than 235,000 computers.


How to avoid CryptoLocker

Defending yourself against CryptoLocker is quite simple.

First of all, it is advisable to keep the operating system updated and to install a good, up-to-date antivirus: even if it cannot always detect the latest versions of this constantly evolving ransomware, it still remains a valid shield.

Another precaution is, obviously, to avoid the careless click: this malware spreads via e-mail using social engineering techniques, so you must pay attention to the file extension of the attachment and to the origin of the e-mail.

Sometimes you may also be lured by a link shared through social networks, so it pays to always stay alert.

A backup of your data, that is a copy of your files (or an update of an existing backup), is essential.

Backups should be made frequently to an external drive, such as a USB stick, that is then disconnected. In this way, if the malware were to infect the PC, a copy of the data would remain protected, giving you the opportunity to restore everything if necessary.

Here are some tips to protect yourself from CryptoLocker:

  • Be wary of e-mail messages from unknown senders, especially those that contain attached files.
  • Disable hidden file extensions in Windows. This will help recognize any malicious file used in the attack.
  • Establish a backup system for critical files. This will help mitigate the damage caused not only by malware infections, but also by hardware problems or other incidents.
  • Use a professional security solution that can neutralize these attacks.
  • If your computer gets infected and you don’t have a backup copy of your files, it would be better not to pay the ransom. Paying only serves to turn malware into a profitable business model and contribute to the success of this type of attack.
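A backup only helps if the copy it holds is a good one: if the backup job runs after the malware has already encrypted the files, the encrypted versions overwrite the healthy ones. The following Python script is an added example, not code from the original article or from TIM: it records a manifest (SHA-256 and byte entropy) of the files to be backed up and, on the next run, compares it with the previous manifest, refusing to proceed when a large share of files has changed to high-entropy content, the pattern an encrypting ransomware leaves behind. The thresholds (entropy of 7.0 bits per byte, half of the files changed) and the `demo()` scenario, which uses `bytes(range(256))` repeated as a constructed stand-in for ciphertext, are assumptions for illustration.

```python
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: plain text is typically 3-5, encrypted or
    compressed data is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map each file (path relative to root) to its SHA-256 and entropy."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            manifest[os.path.relpath(path, root)] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "entropy": round(shannon_entropy(data), 3),
            }
    return manifest


def assess_changes(old, new, entropy_threshold=7.0, ratio_threshold=0.5):
    """Compare two manifests. A file counts as suspicious when its hash changed
    AND its new content is high-entropy; the run is flagged when at least
    ratio_threshold of the previously backed-up files look that way."""
    changed = [p for p in new if p in old and new[p]["sha256"] != old[p]["sha256"]]
    high_entropy = [p for p in changed if new[p]["entropy"] >= entropy_threshold]
    suspicious = len(high_entropy) / max(len(old), 1) >= ratio_threshold
    return {"changed": changed, "high_entropy": high_entropy, "suspicious": suspicious}


def demo():
    """Constructed scenario: three text documents are backed up, then two of
    them are replaced by high-entropy content, as an encrypting ransomware
    would do. Returns the assessment of the second backup run."""
    root = tempfile.mkdtemp()
    try:
        for i in range(3):
            with open(os.path.join(root, "doc%d.txt" % i), "w") as f:
                f.write("quarterly report " * 50)
        before = build_manifest(root)  # manifest of the healthy files
        for i in range(2):
            with open(os.path.join(root, "doc%d.txt" % i), "wb") as f:
                f.write(bytes(range(256)) * 16)  # constructed stand-in for ciphertext
        after = build_manifest(root)
        return assess_changes(before, after)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = demo()
    print("changed:", result["changed"])
    print("high-entropy rewrites:", result["high_entropy"])
    print("STOP backup, possible ransomware" if result["suspicious"] else "backup can proceed")
```

In practice the previous manifest would be stored with the backup and the check run by the backup job before it copies anything; a flagged run should keep the old backup generation untouched and alert the user, which is exactly the "copy of the data that remains protected" the text relies on. Normal edits to a few documents do not trip the check, because they neither touch most files at once nor turn them into near-random bytes.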


Paying the Ransom: Yes or No?

When you find your computer locked and your work lost, the question is legitimate: pay the ransom or not?

Sometimes the amount is not very high, around 800 dollars: this is a deliberate strategy of the cybercriminals, who ask for an affordable sum so that paying seems worth it.

Furthermore, this malware spreads through phishing campaigns, which aim to reach as many users as possible.

In reality, even once the sum has been paid, you do not always get your data back.

Furthermore, paying fuels both a criminal organization and a criminal business model. For this reason, even the Postal Police recommend never paying the ransom.