Cryptolocker is a popular ransomware trojan that is spread via email and is considered one of the first ransomware virus. The .EXE file for Cryptolocker arrives in a .ZIP file attached to an email message contains an executable file with the filename and the icon disguised as a PDF, taking advantage of Windows' default behaviour of hiding the extension from file names to disguise the .EXE file extension for the program.
Cryptolocker's payload encrypts the victim's files using a method of encryption that is extremely hard to crack or decrypt (RSA-2048), and refuses to unlock the files until the ransom of 500 units of currency ($500, €500, £500, etc.) is paid. However, people who have paid the ransom have not had their files decrypted yet. It gives about 72 hours for the ransom to be paid, and if this is not done, then the program deletes the decryption code (preventing any recovery of data). The virus was last updated the 20th of November 2013 and isn't as notorious as previous versions. While easy enough to remove, the files still remain encrypted. It has one other copy: Teslacrypt.
Only one known case of file decryption is currently known. A man put Cryptolocker on his computer and paid the ransom. It had worked but only for him.
Once Cryptolocker has finished decrypting the files, it deletes itself just so the user can retrieve their files and use their computer again.
- Trojan.Ransomlock (Symantec)
- Ransom.C (AVG)
- Trojan-Ransom.Win32.PornoBlocker.cel (NictaTech Free Web Scanner)
- Ransom.Worm.Cryptlocker.a (Kaspersky)