Sophos, Malwarebytes Warn of CryptoLocker Ransomware

Sophos and Malwarebytes researchers are warning of a particularly nasty malware threat called CryptoLocker, which is currently being distributed via e-mail attachments and via botnets. Like all ransomware, CryptoLocker encrypts victims’ data, then demands a ransom to release it — but this one does so unusually well.

When the malware runs, CryptoLocker installs itself into the infected computer’s Documents and Settings folder using a randomly-generated name, and adds itself to the Windows registry. It then contacts a long list of domains, and uploads a file to the first one that responds — that file, according to Sophos, can be thought of as your CryptoLocker ID.

“The server then generates a public-private key pair unique to your ID, and sends the public key part back to your computer,” writes Sophos’ Paul Ducklin. “The malware on your computer uses this public key to encrypt all the files it can find that match a largish list of extensions, covering file types such as images, documents and spreadsheets.”

“The public key is used to encrypt and verify data, while the private key is used for decryption, each the inverse of the other. … The bad news is decryption is impossible unless a user has the private key stored on the cybercriminals’ server,” writes Malwarebytes’ Joshua Cannell.

CryptoLocker then displays a page warning the victim that their personal files have been encrypted and demands a payment, usually $300, to decrypt them.

The lesson, Sophos’ Ducklin writes, is simple: make sure your anti-virus software and your operating system are up to date, avoid opening attachments you weren’t expecting — and make regular backups, and store them somewhere safe.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
