Cryptolocker is a relatively new ransomware family that was first seen in the wild in September 2013. Ransomware, for those who do not know the term, is malicious software that encrypts the files on the PC it runs on so that they cannot be used anymore until they are decrypted, and the attacker then sells the decryption.
Cryptolocker displays a ransom notification that demands payment, usually between $100 and $300, to unlock the files again. The notification shows a 96-hour countdown and claims that when it runs out the option to pay expires and the files are lost for good. Treat the claim as credible: the key needed to undo the encryption is never stored on the infected PC.
The malware lands on PCs the same way other malware does. In the case of Cryptolocker, it is usually through email attachments that carry the malicious payload, for instance fake customer support or parcel tracking emails from companies such as Fedex, UPS or DHL. The payload is an executable disguised as a PDF document: it uses the same icon that PDF files use.
If you look at the full file name, you will notice that it is in fact an executable ending in .pdf.exe that should never be run. Windows hides known file extensions by default, so an attachment called invoice.pdf.exe is displayed as invoice.pdf in Explorer; turning on the display of extensions in Folder Options makes the trick visible.
If your computer gets infected because you have run the executable file and your antivirus solution did not pick up on it, the following happens in the background:
- The malicious program copies itself into the user profile and adds itself to the autostart of the system, a Run key in the registry, so that it survives a reboot.
- It then connects to a control server on the Internet and retrieves a public encryption key. The matching private key, the only thing that can undo the encryption, stays on the attackers' server.
- Once the key is downloaded, the software scans all local drives and mapped network drives for files with specific extensions such as xls, docx, psd, jpg or pptx.
- The list is large, and every matching file it finds is encrypted so that it cannot be opened anymore on the PC.
- Once the encryption has finished, the ransom message is displayed on the screen.
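The two things a user can check for on a suspect machine follow directly from the description above: the double-extension attachment that Explorer hides, and the autostart entry the program creates for itself. The script below is an added example, not code from the original article; it is a read-only triage in PowerShell, and the folder list, the extension lists and the wording of the warnings are assumptions for illustration.

```powershell
# Added example, not from the original article: read-only triage of the
# indicators described above, run in a PowerShell prompt on the suspect PC.
# Folder list, extension lists and output wording are assumptions.

# 1. Is Explorer hiding known extensions? That is why invoice.pdf.exe shows as invoice.pdf.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt  = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hideExt -ne 0) {
    Write-Warning 'Explorer hides known extensions; a .pdf.exe attachment is shown as .pdf.'
    Write-Warning "Fix: Set-ItemProperty -Path '$advanced' -Name HideFileExt -Value 0, then restart Explorer."
}

# 2. Double-extension executables where attachments typically land.
$docExt  = '(pdf|doc|docx|xls|xlsx|ppt|pptx|jpg|txt|zip)'
$exeExt  = '(exe|scr|com|pif|bat|cmd|vbs|js)'
$pattern = '\.' + $docExt + '\.' + $exeExt + '$'
$folders = @("$env:USERPROFILE\Downloads", $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)
Get-ChildItem -Path $folders -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -imatch $pattern } |
    ForEach-Object { Write-Warning "Disguised executable: $($_.FullName)" }

# 3. Autostart entries that launch something from the user profile or a temp folder,
#    which is where a dropped executable lives; installed software normally runs from Program Files.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $entries) { continue }
    foreach ($p in $entries.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # registry provider metadata, not a Run value
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($cmd -imatch '\\(AppData|Local Settings|Temp)\\') {
            Write-Warning "Autostart '$($p.Name)' in $key runs from a user-writable folder: $cmd"
        }
    }
}
```

The script only reports; it changes nothing, so it is safe to run before deciding what to do with the machine. A hit in step 3 is not proof of infection on its own, since some legitimate updaters also start from AppData, but a random-looking executable name there together with a hit in step 2 is exactly the pattern described above.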
If you notice that your computer has been hit by the malware, disconnect it from the network right away: unplug the network cable or turn off Wi-Fi on the PC, or disconnect the router from the Internet. If the program has not yet fetched its key, this stops it before any file is touched, and taking the PC off the local network also keeps it away from network shares. Be aware that once the key has been downloaded, encryption of the local drives continues without a connection.
There is no way to decrypt the files without the private key, which only the attackers hold. Brute-forcing a 2048-bit RSA key is far beyond the reach of anyone, not just home users, so do not wait for a cracking tool to appear.
There is however one option that you have: previous file versions. You can right-click a file in Windows Explorer, select Properties and then Previous Versions to display earlier copies of that file that Windows has kept in Volume Shadow Copies. This only works if System Protection is enabled for the drive, and there is no guarantee that you will find a copy, but it is the best option you have to restore important files from the system itself. Later Cryptolocker variants have been reported to delete shadow copies when they run, so check this before anything else.
There is also the chance that you have backup copies of files. Most file synchronization services enable you to download previous versions of a file as well, which matters because the service will have synced the encrypted versions over the originals. An offline backup that the infected PC cannot reach is the one kind the malware cannot touch.
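The Previous Versions tab is a front end for Volume Shadow Copies, and recovering from them can be scripted, which helps when many files are affected. The following is an added example, not code from the original article: it locates the snapshots of the drive holding a file, keeps only those taken before the infection, and copies the file out of the newest one. The target path, the mount point, the infection time and the .restored suffix are assumptions for illustration.

```powershell
# Added example, not from the original article: recover one file from the
# newest Volume Shadow Copy taken before the infection, the same store that
# Explorer's "Previous Versions" tab reads. Run from an elevated prompt.
# $Target, $Mount, $Before and the .restored suffix are assumptions.

$Target = 'C:\Users\Alice\Documents\report.docx'    # encrypted file to recover (assumed path)
$Mount  = 'C:\shadow_mount'                          # temporary link to the snapshot (assumed)
$Before = Get-Date '2013-10-20 09:00'                # when the ransom note appeared (assumed)

# Map the drive letter to the \\?\Volume{GUID}\ name that shadow copies refer to.
$volumeRoot = [System.IO.Path]::GetPathRoot($Target)                    # e.g. C:\
$deviceId   = (Get-WmiObject Win32_Volume | Where-Object { $_.Name -eq $volumeRoot }).DeviceID
$relative   = $Target.Substring($volumeRoot.Length)                     # Users\Alice\Documents\report.docx

# Snapshots of that volume, tagged with a real DateTime, only those older than the
# infection (a newer snapshot would already contain the encrypted file), newest first.
$snapshots = Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $deviceId } |
    ForEach-Object {
        $taken = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
        $_ | Add-Member -MemberType NoteProperty -Name Taken -Value $taken -PassThru
    } |
    Where-Object { $_.Taken -lt $Before } |
    Sort-Object Taken -Descending
if (-not $snapshots) { throw "No shadow copy of $volumeRoot predates $Before; Previous Versions has nothing to offer." }

foreach ($snap in $snapshots) {
    # Expose the snapshot as a folder; Copy-Item cannot open \\?\GLOBALROOT paths directly.
    cmd /c mklink /d $Mount "$($snap.DeviceObject)\" | Out-Null
    try {
        $candidate = Join-Path $Mount $relative
        if (Test-Path $candidate) {
            $restored = "$Target.restored"
            Copy-Item -Path $candidate -Destination $restored
            Write-Host "Restored copy from snapshot taken $($snap.Taken) -> $restored"
            break
        }
    } finally {
        cmd /c rmdir $Mount | Out-Null    # removes the link only, never the snapshot contents
    }
}
```

The restored file is written next to the encrypted one under a new name rather than over it, so nothing is lost if the copy turns out to be wrong. To recover a whole folder, replace the single Copy-Item with a recursive copy of the matching directory under $Mount; the snapshot selection stays the same.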
The best prevention is to know what you are doing on the PC you are working on. A basic understanding of how things work goes a long way in staying safe on the system. In fact, I believe that this is the best protection against many kinds of malware attacks you are exposed to on the Internet.
Good antivirus software should detect Cryptolocker by now; Malwarebytes and Symantec do, for example. Keep in mind that signatures lag behind new variants by hours or days, so do not rely on detection alone.
If you are particularly worried about your PC getting infected, you can run the tool CryptoPrevent on it. It uses Windows' Software Restriction Policies to block executables from running in the directories that Cryptolocker is known to use, such as %AppData% and the temporary folders that archives are extracted to.
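The mechanism behind CryptoPrevent can also be set up by hand, which shows what the tool actually changes and lets you adjust the rule set. The script below is an added example, not code from the original article and not CryptoPrevent's own code: it writes Software Restriction Policy path rules that disallow executables in the user-writable folders named above. The registry layout is the one secpol.msc writes for SRP; the rule list, descriptions and the executable-type list (the Windows default) are assumptions for illustration.

```powershell
# Added example, not from the original article and not CryptoPrevent's code:
# hand-built Software Restriction Policy (SRP) path rules that disallow
# executables in the folders Cryptolocker drops into. Registry layout is the
# one secpol.msc writes; the rule list and descriptions are assumptions.
# Run elevated; log off and on again so new processes pick up the policy.

$safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = "$safer\0\Paths"          # security level 0 = Disallowed

# Base policy: everything allowed by default (0x40000 = Unrestricted), applied to all
# users, covering program files but not DLLs (TransparentEnabled 2 would add DLLs).
New-Item -Path $safer -Force | Out-Null
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 262144 -Type DWord
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1      -Type DWord
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0      -Type DWord
Set-ItemProperty -Path $safer -Name ExecutableTypes    -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
    'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
    'SCR','SHS','URL','VB','WSC')

# Folders a mail attachment or an archive opened from mail ends up in. SRP expands the
# environment variables per user when a program is started, so one rule covers everyone.
$rules = @(
    '%AppData%\*.exe',       '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',  '%LocalAppData%\*\*.exe',
    '%Temp%\Rar*\*.exe',     '%Temp%\7z*\*.exe',       # WinRAR / 7-Zip extraction folders
    '%Temp%\wz*\*.exe',      '%Temp%\*.zip\*.exe'      # WinZip / Explorer zip folders
)

foreach ($rule in $rules) {
    # Each path rule is a GUID-named subkey under the Disallowed level.
    $key = Join-Path $disallowed ([guid]::NewGuid().ToString('B').ToUpper())
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Value $rule -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags   -Value 0     -Type DWord
    Set-ItemProperty -Path $key -Name Description  -Value "Block executables in $rule" -Type String
    Set-ItemProperty -Path $key -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

Write-Host "Wrote $($rules.Count) Disallowed path rules under $disallowed"
```

Two caveats before deploying this. First, some legitimate programs install into %AppData% or %LocalAppData% and will stop starting; for those, add an Unrestricted rule for their exact path under the key `262144\Paths` in the same layout, since a more specific rule wins over a wildcard one. Second, the rules only stop a program from being launched from those folders; a payload that is copied elsewhere first is not affected, so this is a layer on top of the extension check and a current antivirus, not a replacement for them.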
This guide has been designed to provide you with a quick overview, and is not as detailed as the guides posted below. If you want to find out more about Cryptolocker, consult the following guides and pages:
- Cryptolocker ransomware information on Bleepingcomputer
- Malwarebytes blog post about Cryptolocker
- Sophos analyzing the malware
- Wikipedia on Cryptolocker