Cryptolocker is ransomware that first appeared on 5 September 2013 and remained active until late May 2014. It gained notoriety for silently infecting Windows systems and encrypting their files.
Security analysts report that the Cryptolocker attack used a Trojan targeting computers running Microsoft Windows, first seen on the internet on 5 September 2013. It spread through malicious e-mail attachments and through the existing Gameover ZeuS botnet. On execution, Cryptolocker encrypted certain file types stored on local and mounted network drives using public-key cryptography; the private key needed for decryption was held only on the malware's command-and-control servers.
After encrypting the files, the Trojan displayed a message offering to decrypt the data if the victim paid a stated amount (in bitcoin or a pre-paid cash voucher) before a deadline, and threatening to delete the private key permanently once the deadline passed.
Later, the operators also offered to decrypt files through an online service for a considerably higher amount in bitcoin if the deadline had been missed. The message gave no assurance that the encrypted content would actually be released after payment.
Although the Cryptolocker Trojan itself was easy to remove, the encrypted files remained encrypted, and researchers had no practical way to decrypt them.
In late May 2014, an international law-enforcement operation, Operation Tovar, dismantled the Gameover ZeuS botnet that the criminals had used to distribute the malware. In the process, a security firm involved in the operation obtained the database of private keys used by Cryptolocker and built an online tool that let victims recover their keys and decrypt their files without paying the ransom.
Although Operation Tovar ended the Cryptolocker campaign, the malware set the pattern for a new generation of more sophisticated and dangerous threats.
Cryptolocker, which infected Microsoft Windows systems, ranks among the first ransomware Trojans. It infected over 500,000 PCs between September 2013 and May 2014. Although its distribution botnet was taken down in late May 2014, Cryptolocker spawned several clones, including CryptoWall, Crypt0L0cker and TorrentLocker.
Cryptolocker arrives on the target system as a ZIP file attached to an e-mail; the executable inside is disguised as a PDF. The lure exploits Windows' default behaviour of hiding known file extensions, so a file named, for example, Invoice.pdf.exe is displayed to the user as Invoice.pdf.
Upon execution it creates the following file on the compromised computer:
%UserProfile%\Application Data\[RANDOM CHARACTERS].exe
It then creates the following registry value so that the executable is launched every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\"addon_v57" = "%UserProfile%\Application Data\[RANDOM CHARACTERS].exe"
Once the system is infected, Cryptolocker searches the local and mapped network drives for files to encrypt. It uses RSA-2048 public-key cryptography; a 2048-bit RSA key cannot be brute-forced in practice, so without the private key held by the attackers the files cannot be recovered.
File types targeted by the ransomware include .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsb, .ppt, .pptx, .mef, .nef, .raw, .rwl, .ptx, .pem and .pfx, among others.
Each encrypted file has the extension .mp3 appended to its name (so report.docx becomes report.docx.mp3).
Once the files are encrypted, the Trojan locks the desktop and displays a ransom note. The note demands payment within a deadline in exchange for decrypting the files and threatens permanent deletion of the private key if the deadline passes.
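The infection chain described above leaves three indicators a responder can check offline: an attachment whose name hides an executable behind a document extension, an autorun value under the Policies\Explorer\Run key pointing at a randomly named .exe in %UserProfile%\Application Data, and targeted documents that have gained an appended extension. The Python below is an added example written for this page, not code from the original article or from any Cryptolocker sample. The file paths, the registry export text, the benign "Updater" value and the executable name kqwjfhx.exe are constructed sample data; the appended extension is a parameter set to .mp3 to match the page's description and can be changed for other families.

```python
import re
from pathlib import PureWindowsPath

# Document types the page lists as Cryptolocker targets.
TARGETED_EXTS = {".doc", ".docx", ".docm", ".wps", ".xls", ".xlsx", ".xlsb",
                 ".ppt", ".pptx", ".mef", ".nef", ".raw", ".rwl", ".ptx",
                 ".pem", ".pfx"}
# Extensions Windows will execute when the user double-clicks.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
# Extensions a lure is likely to imitate (.pdf is the case the page describes).
DOCUMENT_LOOKING = TARGETED_EXTS | {".pdf", ".txt", ".jpg"}

# The persistence key named on the page and the data pattern of its value:
# a randomly named .exe under %UserProfile%\Application Data.
RUN_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Policies\Explorer\Run")
APPDATA_EXE = re.compile(r'^"?%userprofile%\\application data\\[^\\"]+\.exe"?$',
                         re.IGNORECASE)


def is_disguised_attachment(name: str) -> bool:
    """True for names such as 'Invoice.pdf.exe', which Explorer shows as
    'Invoice.pdf' when 'Hide extensions for known file types' is on."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DOCUMENT_LOOKING)


def find_encrypted_files(paths, appended: str = ".mp3"):
    """Return paths whose name is a targeted document type with the
    ransomware's extension appended, e.g. 'budget.xlsx.mp3'.  A plain
    'song.mp3' is not reported because nothing targeted precedes '.mp3'."""
    hits = []
    for p in paths:
        if not p.lower().endswith(appended.lower()):
            continue
        inner = PureWindowsPath(p[:-len(appended)]).suffix.lower()
        if inner in TARGETED_EXTS:
            hits.append(p)
    return hits


def suspicious_run_entries(reg_export: str):
    """Parse text in 'reg export' (.reg) format and return (value_name, data)
    for values under the Policies\\Explorer\\Run key whose data is a .exe in
    %UserProfile%\\Application Data.  .reg files double the backslashes in
    string data, so they are unescaped before matching."""
    hits, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if APPDATA_EXE.match(data):
                hits.append((name, data))
    return hits


# Constructed sample data (not taken from a real infection).
SAMPLE_FILES = [
    r"C:\Users\bob\Documents\budget.xlsx.mp3",
    r"C:\Users\bob\Music\song.mp3",
    r"C:\Users\bob\Documents\notes.txt",
    r"\\fileserver\shared\plan.docx.mp3",
]
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"addon_v57"="%UserProfile%\\Application Data\\kqwjfhx.exe"
"""

if __name__ == "__main__":
    for n in ["Invoice_2013-09.pdf.exe", "report.docx", "setup.exe"]:
        print(f"{n:28} disguised={is_disguised_attachment(n)}")
    print("encrypted:", find_encrypted_files(SAMPLE_FILES))
    print("persistence:", suspicious_run_entries(SAMPLE_REG_EXPORT))
```

On a live Windows host the file list would come from walking the user profile and mapped drives, and the registry text from running reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run; the matching logic is the same. The encrypted-file check deliberately requires a targeted document extension before the appended one, so ordinary media files are not flagged.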
At the initial outbreak of the Trojan, infected users without backups were offered several ways to pay the ransom.
Payment methods accepted by the Trojan, as noted above, were bitcoin and pre-paid cash vouchers.
Victim reports were mixed: some said that paying the ransom was the only way to recover files that had not been backed up, while others reported that paying did not always result in their files being decrypted.
According to security analysts, the criminals behind Cryptolocker extorted around $3 million from victims of the Trojan.
The criminals used the distribution methods described above: malicious e-mail attachments carrying the disguised executable, and the Gameover ZeuS botnet.
Targeted Operating System: Windows
Symptoms: the user's files are encrypted and the locked files carry an appended .mp3 extension, so they can no longer be opened; a ransom note demanding roughly $300 in bitcoin is displayed on screen.
Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.
Tips to prevent your computer system from getting infected –
- Keep regular backups of your files on media that is not permanently connected to the computer. Cryptolocker encrypted mounted network drives as well as local ones, and users with backups were not forced to consider paying.
- Turn off Windows' default hiding of known file extensions, so that an attachment named like a PDF but ending in .exe is visible for what it is.
- Do not open unexpected ZIP attachments in e-mail; this is how Cryptolocker arrived on victims' systems.