Security Threat Advisory

Ransomware Threat: CryptoLocker


What is CryptoLocker

CryptoLocker is a ransomware program that was released around the beginning of September 2013 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.


[Image: CryptoLocker payment screen]


What should you do when you discover your computer is infected with CryptoLocker

When you discover that a computer is infected with CryptoLocker, the first thing you should do is disconnect it from your wireless or wired network. This will prevent it from further encrypting any files. Some people have reported that once the network connection is disconnected, it will display the CryptoLocker screen.


Is it possible to decrypt files encrypted by CryptoLocker?

Unfortunately, at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom. Brute forcing the decryption key is not realistic due to the length of time required to break the key. Also, any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup or from Shadow Volume Copies if you have System Restore enabled. Newer variants of CryptoLocker attempt to delete the Shadow Copies, but it is not always successful. If you do not have System Restore enabled on your computer or reliable backups, then you will need to pay the ransom in order to get your files back.
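Before the question of paying even comes up, a responder should know whether any Shadow Volume Copies survived on the infected machine. The following PowerShell inventory is an added example, not part of the advisory; it assumes an elevated PowerShell session on the isolated host and relies on Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID sharing the same \\?\Volume{GUID}\ naming so each snapshot can be labelled with a drive letter.

```powershell
# Added example (not from the advisory): list surviving shadow copies per drive,
# oldest first, so the responder can see whether a pre-encryption snapshot exists.
# Run in an elevated PowerShell on the (already network-isolated) infected host.

function Get-ShadowCopyInventory {
    # Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName use the same
    # \\?\Volume{GUID}\ form, which lets us map each snapshot to a drive letter.
    $volumes = @{}
    foreach ($v in Get-CimInstance -ClassName Win32_Volume) {
        if ($v.DriveLetter) { $volumes[$v.DeviceID] = $v.DriveLetter }
    }
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [PSCustomObject]@{
            Drive    = $volumes[$_.VolumeName]
            Created  = $_.InstallDate
            AgeHours = [math]::Round(((Get-Date) - $_.InstallDate).TotalHours, 1)
            ShadowId = $_.ID
            Device   = $_.DeviceObject   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Drive, Created
}

$inventory = Get-ShadowCopyInventory
if (-not $inventory) {
    Write-Warning 'No shadow copies present: a newer variant may have removed them, or System Restore was off. Restore from backup instead.'
} else {
    $inventory | Format-Table -AutoSize
    # The oldest snapshot on each drive is the one most likely to predate the encryption.
    $inventory | Group-Object Drive | ForEach-Object {
        $oldest = $_.Group | Sort-Object Created | Select-Object -First 1
        "Drive $($_.Name): oldest snapshot created $($oldest.Created); files changed after that time can be recovered from it"
    }
}
```

Once a snapshot older than the infection is identified, individual files can be pulled back with the Previous Versions tab in Explorer on the affected folder; a machine with no entries in this list has only the backup route left.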


Will paying the ransom actually decrypt your files?

Paying the ransom is no guarantee you will have your files restored, but this is a decision you will need to make if you have no backups of vital files infected by this virus. Paying the ransom will start the decryption process of the CryptoLocker infection. When you pay the ransom you will be shown a screen stating that your payment is being verified. Reports from people who have paid this ransom state that this verification process can take 3-4 hours to complete. Once the payment has been verified, the infection will start decrypting your files. Once again, it has been reported that the decryption process can take quite a bit of time.

Be warned that there have been some reports that the decryption process may give an error stating that it can't decrypt a particular file. At this point we have no information as to how to resolve this. Visitors have reported that the infection will continue to decrypt the rest of the files even if it has a problem with certain files.


How do you become infected with CryptoLocker

This infection is typically spread through emails sent to company email addresses that pretend to be customer support related issues from Fedex, UPS, DHS, etc. These emails contain a zip attachment that, when opened, infects the computer. These zip files contain executables that are disguised as PDF files: they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Windows does not show file extensions by default, they look like normal PDF files and people open them.
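The hidden-extension trick is something an administrator can both switch off and scan for. The PowerShell below is an added example, not part of the advisory: it turns on extension display for the current user via the real HideFileExt registry value, then walks a folder (the Downloads folder is assumed as the place a mail client saves attachments) and reports executables, including those packed inside .zip attachments, flagging names like FORM_101513.pdf.exe that carry a decoy document extension. The extension lists are the author's choice, not something the advisory specifies.

```powershell
# Added example (not from the advisory): surface the "document icon, hidden .exe"
# trick that the CryptoLocker attachments rely on.

# Explorer hides known extensions while HideFileExt is 1. Set it to 0 so a file
# named FORM_101513.pdf.exe is displayed with its real extension (current user;
# Explorer picks the change up after a restart of explorer.exe or a re-logon).
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions Windows runs on double-click, and the document/image extensions
# attackers put in front of them as a decoy (lists are this example's assumption).
$script:ExecutableExt = @('.exe', '.scr', '.com', '.pif', '.cpl', '.bat', '.cmd', '.js', '.vbs')
$script:DecoyExt      = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.jpg', '.png', '.txt')

function Test-DisguisedName {
    # Classifies one file name; returns $null when the name is not executable.
    param([Parameter(Mandatory)] [string] $Name)
    $outer = [System.IO.Path]::GetExtension($Name).ToLower()
    if ($script:ExecutableExt -notcontains $outer) { return $null }
    # "FORM_101513.pdf.exe" -> inner extension ".pdf"; "FORM_101513.exe" -> ""
    $stem  = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    $inner = [System.IO.Path]::GetExtension($stem).ToLower()
    [PSCustomObject]@{
        Name            = $Name
        RealType        = $outer
        DoubleExtension = ($script:DecoyExt -contains $inner)
    }
}

function Find-DisguisedExecutable {
    # Walks a folder and reports executables on disk as well as executables
    # packed inside .zip files, without extracting anything.
    param([Parameter(Mandatory)] [string] $Path)
    foreach ($file in Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue) {
        if ($file.Extension -ieq '.zip') {
            try {
                $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
                foreach ($entry in $zip.Entries) {
                    $hit = Test-DisguisedName -Name $entry.Name
                    if ($hit) { $hit | Add-Member -NotePropertyName Container -NotePropertyValue $file.FullName -PassThru }
                }
                $zip.Dispose()
            } catch {
                Write-Warning "Could not read archive $($file.FullName): $_"
            }
        } else {
            $hit = Test-DisguisedName -Name $file.Name
            if ($hit) { $hit | Add-Member -NotePropertyName Container -NotePropertyValue $file.DirectoryName -PassThru }
        }
    }
}

# Review the current user's Downloads folder (assumed attachment location).
# DoubleExtension = True is the strongest signal, but any executable that
# arrived by email deserves a look.
Find-DisguisedExecutable -Path "$env:USERPROFILE\Downloads" |
    Sort-Object DoubleExtension -Descending |
    Format-Table Name, RealType, DoubleExtension, Container -AutoSize
```

Inspecting the zip's entry names rather than extracting it keeps the attachment unopened; an e-mail gateway that blocks executables inside archives removes the need to rely on users noticing the extension at all.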


The current list of known CryptoLocker email subjects include:

USPS - Your package is available for pickup ( Parcel 173145820507 )
USPS - Missed package delivery ("USPS Express Services" <[email protected]>)
USPS - Missed package delivery
FW: Invoice <random number>
ADP payroll: Account Charge Alert
ACH Notification ("ADP Payroll" <*>)
ADP Reference #09903824430
Payroll Received by Intuit
Important - attached form
FW: Last Month Remit
McAfee Always On Protection Reactivation
Scanned Image from a Xerox WorkCentre
Scan from a Xerox WorkCentre
scanned from Xerox
Annual Form - Authorization to Use Privately Owned Vehicle on State Business
Fwd:
My resume
New Voicemail Message
Voice Message from Unknown (675-685-3476)
Voice Message from Unknown Caller (344-846-4458)
Important - New Outlook Settings
Scan Data
FW: Payment Advice - Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13]
Payment Advice - Advice Ref:[GB2198767]
New contract agreement.
Important Notice - Incoming Money Transfer
Notice of underreported income
Notice of unreported income - Last months reports
Payment Overdue - Please respond
FW: Check copy
Payroll Invoice
USBANK
Corporate eFax message from "random phone #" - 8 pages (random phone # & number of pages)
past due invoices
FW: Case FH74D23GST58NQS
Symantec Endpoint Protection: Important System Update - requires immediate action



CryptoLocker and Network Shares

CryptoLocker only encrypts data stored on network shares if the shared folders are mapped as a drive letter on the infected computer. Despite what some articles state, CryptoLocker does not encrypt data on a network through UNC shares. An example of a UNC share is \\computername\openshare.

It is strongly suggested that you secure all open shares by only allowing writable access to the necessary user groups or authenticated users. This is an important security principle that should be followed at all times, regardless of infections like CryptoLocker.
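Two checks follow from the two paragraphs above: which shares let broad groups write, and which remote folders a workstation has exposed through a drive letter. The PowerShell below is an added example, not part of the advisory. It uses the SmbShare cmdlets (Windows 8 / Server 2012 and later) on the file server and Win32_MappedLogicalDisk on the workstation; the list of "broad" principals and the share and group names in the remediation comment are placeholders chosen for this example.

```powershell
# Added example (not from the advisory): find shares where broad groups can write
# (what a mapped-drive infection would be able to encrypt) and list the drive
# letters a workstation has mapped. Requires administrative rights.

function Get-BroadWritableShare {
    # Principals that are "everyone in practice"; writable access for them should
    # be replaced with the specific groups that need it (list is an assumption).
    param([string[]] $BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'ANONYMOUS LOGON'))
    $writeRights = @('Full', 'Change')
    # Skip administrative shares such as C$, ADMIN$ and IPC$.
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            $principal = ($ace.AccountName -split '\\')[-1]   # strip BUILTIN\ or DOMAIN\
            if ("$($ace.AccessControlType)" -eq 'Allow' -and
                $writeRights -contains "$($ace.AccessRight)" -and
                $BroadPrincipals -contains $principal) {
                [PSCustomObject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $ace.AccountName
                    Right     = "$($ace.AccessRight)"
                }
            }
        }
    }
}

function Get-MappedDriveExposure {
    # On a workstation: remote folders reachable through a drive letter, and
    # therefore in scope for an infection that walks drive letters.
    Get-CimInstance -ClassName Win32_MappedLogicalDisk |
        Select-Object @{ Name = 'Drive'; Expression = { $_.DeviceID } },
                      @{ Name = 'UncPath'; Expression = { $_.ProviderName } }
}

# Server side: report, then tighten each hit to the group that really needs
# write access, for example (placeholder share and group names):
#   Revoke-SmbShareAccess -Name 'openshare' -AccountName 'Everyone' -Force
#   Grant-SmbShareAccess  -Name 'openshare' -AccountName 'DOMAIN\Finance-Writers' -AccessRight Change -Force
# NTFS permissions on the folder still apply underneath the share permissions.
Get-BroadWritableShare | Format-Table -AutoSize

# Workstation side: every line here is a folder the advisory says is at risk.
Get-MappedDriveExposure | Format-Table -AutoSize
```

Running the share audit on each file server and the mapped-drive listing on a sample of workstations gives a quick picture of how far an infection on one desktop could reach through drive letters.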



Most virus and spyware issues come through web browsers and email software. Having a secure web browser like Firefox will help lower infection rates. Services like Gmail offer better junk mail protection and lower the possibility of opening a bogus email containing a virus.

A two-tier backup system will save your computer and files if you happen to be affected by this virus. Backup software like Acronis True Image takes a snapshot of your whole system, including files and programs, which allows you to restore your whole computer to the state it was in before the virus caused any issues. Carbonite, another backup program, safely backs up your files in the cloud; should your PC become compromised, you can download your backed-up files directly to your PC after removing the virus.


Here are a Few Tips to Follow

Use Firefox or Google Chrome as your web browser

Make sure you are using antivirus software that is up to date, like AVG, Avast, or Norton

Make sure you are using backup software as mentioned, like Acronis and Carbonite

The main point: please be careful what you click on