CryptoLocker ransomware is typically installed by another threat, like a Trojan downloader or possibly a worm. After installation, CryptoLocker searches for files on the victim’s computer, then encrypts them, essentially taking the infected computer hostage. The hackers behind CryptoLocker then demand a ransom to decrypt infected files.
In the past, ransom Trojans were limited to locking the victim’s screen or web browser’s homepage. Their ransom messages generally showed a fake notice purportedly from the victim’s local law enforcement agency, claiming the victim had committed an illegal activity and must pay a fine using prepaid cards like Ukash or Paysafecard. This type of cyber scam dominated the digital extortion niche until 2013 when a game-changer threat called CryptoLocker emerged. Its appearance changed everything and laid the foundation for ransomware development. According to SecureWorks® CTU™ security intelligence research team, CryptoLocker infected over 250,000 systems globally within the first four months it was released in September 2013.
CryptoLocker changed the ransomware game in several ways. First, it’s the first to use 2048-bit RSA encryption to make its files inaccessible. The public-private key pair is stored on the cybercriminal’s Command and Control (C2) server, and the victim can only get it by paying a ransom. Although CryptoLocker used prepaid cards such as Ukash, MoneyPak, Paysafecard or CashU, it became the first ransomware to demand payment in Bitcoin.
CryptoLocker will cause an alarming message to be displayed when the infected computer starts up. The message may demand payment of $100, €100, £100, two Bitcoins or other figures for various currencies. The payments have increased over time. If the initial ransom is not paid before the deadline, CryptoLocker will offer its victims a second chance to pay a higher amount than the initial demand (for example, 10 Bitcoins). CryptoLocker’s message also claims that attempting to remove CryptoLocker code may result in the encrypted files being locked forever. The ransom message reads as follows:
‘Your personal files are encrypted!
Your important files encryption produced on this computer: photos, videos, document, etc. Here is a complete list of encrypted files, and you can personally verify this…
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD / 100EUR / similar amount in another currency.’
In an effort to scare inexperienced computer users, the ransom message continues with:
‘Any attempt to remove or damage this software will lead to immediate destruction of the private key server.’
Should I Pay the CryptoLocker Ransom?
There are a multitude of reasons why you shouldn’t pay the CryptoLocker ransom. First off, no guarantee that paying it will ultimately lead to the decryption of your files. Secondly, paying this ‘fee’ only supports malware developers, allowing them to continue their illicit activities. Thirdly, removing CryptoLocker with a legitimate security program does not actually endanger your files or prevent you from decrypting them.
A lesson that could be taken from being victimized by an infection such as CryptoLocker is to always remember to have keep backups of your files at hand, apply the latest updates to your operating systems and apps, do not click on suspicious links, download apps from trusted sites and use a comprehensive anti-malware program.
If you are still having trouble, consider contacting remote technical support options.
