Cryptolocker is a popular ransomware trojan that can spread via email and is considered one of the first ransomware malware. The .EXE file for Cryptolocker arrives in a .ZIP file attached to an email message contains an executable file with the filename and the icon disguised as a PDF, taking advantage of Windows' default behaviour of hiding the extension from file names to disguise the .EXE file extension for the program.
Cryptolocker's payload encrypts the victim's files using a method of encryption that is quite difficult to crack or decrypt (RSA-2048), and refuses to unlock the files until the ransom of 500 units of currency ($500, €500, £500, etc.) is paid. However, people who have paid the ransom have not had their files decrypted yet. It gives about 72 hours for the user to pay the ransom, and if this is not done, then the program deletes the decryption code (preventing any recovery of data). The virus was last updated the 20th of November 2013 and is not as notorious as previous versions. While easy enough to remove, the files still remain encrypted. It has one other copy:Teslacrypt.
Only one known case of file decryption is currently known. A man put Cryptolocker on his computer and paid the ransom. It had worked but only for him.
Once Cryptolocker has finished decrypting the files, it deletes itself just so the user can retrieve their files and use their computer again.
This virus is based on a more popular ransom, WannaCry.
In early 2014, security firms FireEye and Fox-IT developed an online decryption tool for Cryptolocker victims. The website went offline in August of 2014, but can still be accessed via the WayBack Machine.
Tool link: decryptcryptolocker.com
- Trojan.Ransomlock (Symantec)
- Ransom.C (AVG)
- Trojan-Ransom.Win32.PornoBlocker.cel (NictaTech Free Web Scanner)
- Ransom.Worm.Cryptlocker.a (Kaspersky)