CryptoLocker: What it is and How to Defend Against It

Posted by Christopher Cao on

A particularly nasty threat has been floating around the internet: a piece of ransomware that goes by the name CryptoLocker. Many organizations have had the unfortunate experience of dealing with it. However, there are ways to mitigate the damage it does and to avoid it altogether. Before we discuss how users and organizations can avoid or defend against CryptoLocker, let’s take a moment to better understand what it is and what it does.


What is CryptoLocker?

CryptoLocker is believed to have made its first appearance on the internet just under two years ago, in September of 2013, targeting computers running Microsoft Windows. Once a computer was infected, the malware encrypted local files and files on mounted network drives. A private key, the encryption/decryption key, was generated and stored on the malware’s control servers. Once the files were encrypted, the malware threatened to delete the private key needed to decrypt them unless a payment was made by a stated deadline via pre-paid cash voucher or Bitcoin.

Although it isn’t hard to remove CryptoLocker from an infected computer, the files it encrypted are not so lucky. CryptoLocker’s encryption combines RSA public-key cryptography with the Advanced Encryption Standard (AES), making the files essentially impossible to recover without the key.

Here is a list of some of the file extensions targeted by CryptoLocker: .ai, .docm, .docx, .jpg, .odb, .ppt, .ptm, .pptx, .psd, .pst, .srf, .xls, .xlsb, .xlsm, .xlsx, and many more.

How CryptoLocker Infects Computers

CryptoLocker is generally spread through infected email attachments and existing botnets. A botnet is a network of computers controlled as a group, in this case tasked with spreading malware. The ransomware is sometimes distributed by posing as an update for another application or as a tracking notification from FedEx or UPS. In many cases these fake updates are offered through pop-up windows that appear when visiting unsafe websites, or come bundled with the installation of unwanted programs.

The malware itself is an executable file, but it masquerades as an Adobe Reader file, Flash Player or even a Java Runtime Environment. Because a Windows feature hides file extensions, the fact that it is an executable is concealed, and CryptoLocker is able to fool unwitting users into thinking it is harmless. Below is a ransom note left on a computer infected with CryptoWall 2.0, a derivative of the Crypto family of malware:

[Image: CryptoWall 3.0 ransom note]
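As an added example (not code from the post or from any vendor it mentions), here is a small Python check for attachment names that abuse the hidden-extension behaviour described above: the real, executable extension is stripped from view, so the user sees what looks like a document. The extension lists and the sample attachment names are assumptions constructed for this example.

```python
"""Added example (not from the original post): a check for the hidden-extension
trick the post describes, where an executable is named so that Windows' setting
that hides known file extensions shows it as a harmless document."""
import os

# Extensions Windows runs directly (assumed list for this example)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# What the victim expects to see: documents, images, archives, installers
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".zip", ".msi"}

def displayed_name(filename: str) -> str:
    """Name as Windows shows it with extensions hidden: the final extension
    is stripped and everything before it is kept."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename

def looks_masqueraded(filename: str) -> bool:
    """True when the real extension is executable but the name the user sees
    ends in a decoy extension, e.g. 'UPS_Tracking.pdf.exe' shows as
    'UPS_Tracking.pdf'.  Comparison is case-insensitive, as on Windows."""
    if os.path.splitext(filename)[1].lower() not in EXECUTABLE_EXTS:
        return False
    shown_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return shown_ext in DECOY_EXTS

def flag_attachments(names):
    """Return the attachment names that should be quarantined for review."""
    return [n for n in names if looks_masqueraded(n)]

# Constructed sample attachment names (not real samples)
SAMPLE_ATTACHMENTS = [
    "UPS_Tracking_1Z999.pdf.exe",   # double extension: shows as a PDF
    "Quarterly_Report.docx",        # real document, not flagged
    "flash_player_update.exe",      # plain executable: nothing hidden, not flagged here
    "Scan_0421.JPG.scr",            # screensaver executable shown as an image
    "holiday.jpg",
]

if __name__ == "__main__":
    print(flag_attachments(SAMPLE_ATTACHMENTS))
```

A name like flash_player_update.exe is not caught by this check because nothing is hidden; it relies on the user trusting the name, which is where the advice about unverified attachments applies.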

How CryptoLocker has Evolved

The CryptoLocker ransomware itself largely faded in May of 2014, when an international collaborative law-enforcement effort, Operation Tovar, took down the Gameover ZeuS botnet that was the malware’s primary distributor. That, however, has not stopped others from following in its footsteps. Many ransomware trojans have spawned in its wake, unrelated to CryptoLocker but adopting a similar name, and although they are not related to CryptoLocker, they work in essentially the same way.

An example is CryptoWall 3.0, a ransomware trojan that filled the space left by CryptoLocker’s takedown. Although CryptoWall is not as effective, it managed to compromise more computers. CryptoWall’s method of encryption isn’t as advanced as CryptoLocker’s, but it targeted files that were more important to users, such as video and audio files.

A few other ransomware trojans out there include CryptoBit, Crypto Defense, CryptoFortress, TorrentLocker, and many more.

How to Avoid & Mitigate Ransomware Infection

The first step a user or organization can take to mitigate damage from ransomware such as CryptoLocker is to run security software designed to catch such threats. If an attack of this kind is discovered in its early stages, damage to data can be limited dramatically, because encrypting files takes time. Unfortunately, the ransomware may not be detected at all if it is a newer version that the security software doesn’t recognize.
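As an added example (not from the original post), here is a Python sketch of the early-detection idea: because encryption takes time, a process that rewrites many files of the targeted types within a short window can be flagged before most of the data is lost. The event format, thresholds and sample activity are constructed for this example and are not from any product the post mentions.

```python
"""Added example (not from the original post): an early-warning check for
ransomware-like file activity, built on the point that encryption takes time."""
import os
from collections import defaultdict, deque
from dataclasses import dataclass

# Extensions the post lists as CryptoLocker targets (a subset of the full list)
TARGETED_EXTS = {".ai", ".docm", ".docx", ".jpg", ".odb", ".ppt", ".ptm",
                 ".pptx", ".psd", ".pst", ".srf", ".xls", ".xlsb", ".xlsm", ".xlsx"}

@dataclass
class FileEvent:
    ts: float     # seconds since start of capture (constructed format)
    pid: int      # process that performed the action
    action: str   # "write" or "rename"
    path: str

def ext_of(path: str) -> str:
    return os.path.splitext(path)[1].lower()

def find_suspicious(events, threshold=20, window=10.0):
    """Return {pid: ts} for each process that modified at least `threshold`
    distinct targeted files within any `window`-second span; ts is the moment
    the threshold was first crossed, i.e. the earliest point to alert."""
    recent = defaultdict(deque)   # pid -> (ts, path) of recent targeted writes
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in ("write", "rename") or ext_of(ev.path) not in TARGETED_EXTS:
            continue
        q = recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window:   # drop events outside the window
            q.popleft()
        if len({p for _, p in q}) >= threshold and ev.pid not in flagged:
            flagged[ev.pid] = ev.ts
    return flagged

def build_sample_events():
    """Constructed sample: a user process saving six reports over 30 s, and a
    second process rewriting 30 photos at two files per second."""
    events = [FileEvent(5.0 * i, 100, "write", f"C:/Users/alice/report{i}.docx")
              for i in range(6)]
    events += [FileEvent(30.0 + 0.5 * i, 999, "write", f"C:/Users/alice/photos/img{i}.jpg")
               for i in range(30)]
    return events

if __name__ == "__main__":
    print(find_suspicious(build_sample_events()))   # {999: 39.5}
```

The alert fires after the 20th file, while the remaining files are still untouched; on a real host the alert would trigger isolating the process, which is the "limit the damage" step the paragraph describes.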

Because malware threats constantly evolve, it is no longer enough to rely entirely on security and antivirus software. The most reliable way to prepare for ransomware is to keep the files on your computer or network backed up. Users then have peace of mind knowing that if their computer has been infected without their knowledge, they will always have a backup of their files that can easily be restored to replace the encrypted and corrupted ones.

[Image: StorageCraft ShadowProtect]

When it comes to backing up and preserving important files, SonicWALL Continuous Data Protection (CDP) and ShadowProtect Backup and Disaster Recovery Software come to mind. Both allow users to back up their data locally and offsite for more security options. Individual files can be restored manually, and entire systems and their data can be backed up on a schedule so that a fully compromised system can be recovered whole. Settings can be adjusted in much greater depth to suit the needs of the user or organization.

Aside from security software, users should avoid opening suspicious attachments from unverified sources or visiting insecure websites.

Closing Statement

Having your network or workstation infected by CryptoLocker or other ransomware is a terrible experience. Being tricked into installing unwanted executables that encrypt your files, and then being threatened with losing them unless a ransom is paid, is a despicable practice. To make things worse, many users who opted to pay the ransom were still unable to recover their files. The best way to avoid the headache of dealing with ransomware is to be aware that it exists and to be prepared in case an infection does happen. With that in mind, it is crucial for users to take preventative steps now, before any data has been irreversibly lost.


© Copyright 2014. MSI Technologies, LLC
