
'CryptoLocker' ransomware on the rampage

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 14 Oct 2013
There is no way to recover scrambled files once CryptoLocker has been triggered.

A nasty piece of malware is infecting PCs at an alarming rate, encrypting users' data, and then extorting them for $300 in order to decrypt it.

CryptoLocker, a ransomware Trojan, is spreading via e-mails and botnets. Once it has encrypted a victim's files, it pops up a message: "Your personal files are encrypted! Encryption was produced using a unique public key RSA-2048 generated for the computer. To decrypt files you need to obtain the private key.

"The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files [sic]."

It then demands $300, EUR300, or a "similar amount in another currency" for the private key, and warns that "any attempt to remove or damage this software will lead to the immediate destruction of the private key by the server".

Sophos, in its Naked Security blog, says it detects the malware by the name Troj/Ransom-ACP.

Security researcher Paul Ducklin says the notion of malware that encrypts data and then sells it back to the victim under threat of dire consequences is not new, and dates back to the late 1980s, when the AIDS Information Trojan became one of the first pieces of malware of this nature to be discovered.

Luckily, he says, that malware used basic encryption algorithms and scrambled every PC in the same way, so tools for clean-up and recovery were soon developed and made freely available.

Unfortunately, he says, the authors of CryptoLocker have made no such errors. "The malware seems to do its cryptography by the book, so there is no way to recover your scrambled files once it has triggered."

He says paying the ransom is a possibility, but he cautions against this.

Ounce of prevention

To prevent infection via e-mail attachments, Sophos offers the usual caveat: "Take care with attachments you weren't expecting, or from people you don't know."

Botnet infection is a little trickier, says Sophos, because cyber criminals exploit an existing malware infection to infect your system further: most bots, once active on a victim's computer, include a general 'upgrade' command that lets their controllers update, replace or add malware on the victim's system whenever they choose.

"So take our advice: make it your task today to search out and destroy any malware already on your computer, lest it dig you in deeper still," Ducklin says.
