CryptoLocker is a popular ransomware trojan on Microsoft Windows that can spread via email and is considered one of the first ransomware malware. The .EXE file for CryptoLocker arrives in a .ZIP file attached to an email message contains an executable file with the filename and the icon disguised as a PDF, taking advantage of Windows' default behaviour of hiding the extension from file names to disguise the .EXE file extension for the program.
CryptoLocker's payload encrypts the victim's files using a method of encryption that is quite difficult to crack or decrypt (RSA-2048), and refuses to unlock the files until the ransom of 500 units of currency ($500, €500, £500, etc.) is paid. However, people who paid the ransom never had their files decrypted. It gives about 72 hours for the user to pay the ransom, and if this is not done, then the program deletes the decryption code (preventing any recovery of data). The virus was last updated the 20th of November 2013 and is not as notorious as previous versions. While easy enough to remove, the files still remain encrypted. It has one other copy: TeslaCrypt.
Once CryptoLocker has finished decrypting the files, it deletes itself just so the user can retrieve their files and use their computer again. It is one of the only ransomware that actually gives the user their files back after paying for them.
This virus is the subject of a template on this wiki, which is shown below.
In early 2014, security firms FireEye and Fox-IT developed an online decryption tool for CryptoLocker victims. The website went offline in August of 2014, but can still be accessed via the WayBack Machine.
Tool link: decryptcryptolocker.com
- Trojan.Ransomlock (Symantec)
- Ransom.C (AVG)
- Trojan-Ransom.Win32.PornoBlocker.cel (NictaTech Free Web Scanner)
- Ransom.Worm.Cryptlocker.a (Kaspersky)