CryptoLocker, ransomware and holding the internet hostage

Submitted by Charlton Stanley, Guest Blogger

“I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually ‘Nothing; you’re screwed’.”
   – Bruce Schneier

cryptolockerThe quote by Professor Bruce Schneier at the top of this article is the unvarnished truth by one of the leading internet and cryptography experts in the world. Which brings us to the subject of this story. The latest threat to everyone’s computer is a form of malware called “Ransomware.” This is not new, having first appeared years ago. Those first attempts were clumsy, the software codes easily broken, and the perpetrators caught. However, in the past few weeks the threat is back, more sophisticated and more dangerous than almost any malware threat to date. Although often referred to as a virus, it is not a true computer virus, because it does not self-propagate. It is a Trojan. Ransomware does not try to steal your files, passwords or photographs. Rather, it holds them hostage until you pay a ransom. There are several ransomware viruses going around, but CryptoLocker is the one getting the most media attention. How it works is this; you click on a file that may have arrived by email. Sometimes it will arrive by clicking on a web page link. Possibly a PDF of some business letter or report. Shortly after clicking an infected link, the image at the left appears. You will have no warning until it is too late. When the warning box appears, your files are already encrypted.  Follow me over the flip to see the message:

Your personal files are encrypted!

Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this. (it inserts a link to the encrypted files)

Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files…

To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency.

Click <<Next>> to select the method of payment and the currency.

Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server.

RSA is a type of encryption developed by three cryptographers in 1977; Ron Rivest, Adi Shamir and Leonard Adleman. The number following is based on the product of two large prime numbers with an added integer. So far so good, because that is the public key. However, a private key is needed to unlock the encryption, and that can be virtually unbreakable. Adding to the problem of any attempted decryption is the “dead man switch,” which causes the decryption key to destroy itself if any attempt is made to decrypt or lock out the ransomware. Additionally, ransomware usually has a time limit of about 72 hours, and there is a timer counting down showing you how much time you have left to pay the ransom. The countdown clock is on the left side of the warning image. The screengrab above shows fifty-six hours, sixteen minutes and twelve seconds left. When that timer reaches 00:00:00, the decryption key will self-destruct.

The files CryptoLocker infects have the following extensions:

????????.jpe, ????????.jpg, *.3fr, *.accdb, *.ai, *.arw, *.bay, *.cdr, *.cer, *.cr2, *.crt, *.crw, *.dbf, *.dcr, *.der, *.dng, *.doc, *.docm, *.docx, *.dwg, *.dxf, *.dxg, *.eps, *.erf, *.indd, *.kdc, *.mdb, *.mdf, *.mef, *.mrw, *.nef, *.nrw, *.odb, *.odc, *.odm, *.odp, *.ods, *.odt, *.orf, *.p7b, *.p7c, *.p12, *.pdd, *.pef, *.pem, *.pfx, *.ppt, *.pptm, *.pptx, *.psd, *.pst, *.ptx, *.r3d, *.raf, *.raw, *.rtf, *.rw2, *.rwl, *.sr2, *.srf, *.srw, *.wb2, *.wpd, *.wps, *.x3f, *.xlk, *.xls, *.xlsb, *.xlsm, *.xlsx, img_*.jpg

The criminals even anticipated your anti-virus software removing CryptoLocker. You will get a screen instructing you to recover CryptoLocker from your anti-virus software quarantine, or go to an infected site and re-install CryptoLocker. Otherwise, you cannot even pay the ransom and get the private key. Your files are gone permanently. There is now a new twist to the scam, in that if the original decryption subroutine times out and is itself encrypted, for a punitive added fee, they will sell the victim a decryption key that allows access to the now-encoded decryption key. Currently, the going rate is five times the original ransom price.

There is an excellent description of this malware, and some of the ways to deal with it at There is also useful information at the Malwarebytes web site. First of all, look at the information at and Malwarebytes. Other antivirus companies have similar information and research them as well. Install the software you think will work best for you.

The University of Oxford Medical Sciences Division’s IT department has this advice:

“Make the “file extension” (.docx, .xlsx, .pptx) on users’ documents clearly visible on all Windows machines connected to our network. Recent Windows versions hide this by default – the CryptoLocker infected attachment uses this feature to masquerade as a PDF file, when in fact with the file extension visible, we can see that it actually has a double file extension in the format “.pdf.exe” and is therefore an executable program, which runs when you try to open the file.

Users are advised to be even more vigilant than usual when opening emails – and attachments, particularly if they appear to come from a well-known courier company, even one you or your group/department regularly use.”

It is a good idea to reset your computer so you can see the file extensions for the reasons given in this message from the University of Oxford. Instructions at this link.

CryptoLocker can install itself when a computer is in Safe Mode. That is a new twist as well.

Bitcoin_logo.svgWhen the virus first appeared a few weeks ago, the ransom was in Bitcoins, usually about two Bitcoins. At that time a Bitcoin was worth around a thousand dollars, so the hapless victim had to come up with a couple of grand in less than three days to pay the ransom. The price of Bitcoins has fluctuated recently, so the crew holding your computer hostage has come up with other ways for the victim to pay in more stable currency, although they have not abandoned Bitcoins.

The primary targets seem to be small to medium sized businesses and individuals. A few days ago, the Swansea, Massachusetts Police Department computers were hit, and they had to pay the ransom to preserve their database. That raises an interesting legal question. Any evidence stored in the computer system has now been compromised by a third party having access to it. Can it still be used in court?

All major law enforcement agencies recommend strongly against paying the ransom. Paying a ransom just further enables the thieves, enriching them and making them stronger. That can mean only one thing. In order to keep from having to pay to decrypt your files, you must have copies backed up in a separate location where the ransomware virus cannot get to it to infect it.

This is highly sophisticated software, and the people running these operations are not amateurs. Once the virus is on your computer, it spreads to other computers on your network, and even to your backup files. If it can access remote servers or your cloud storage, it will encrypt those files as well.

There are anti-virus programs being developed that help prevent the virus from spreading or getting on your computer in the first place, but there is no software which will decrypt the files. CryptoLocker is based on high level encryption, so it is unlikely any decryption software will ever be written that can undo the damage. Even if the ransomware Trojan is removed completely from the computer, the files are still encrypted, and are impossible to decrypt—they are gone.

After spending the past week researching this threat to all of us, I have one or two suggestions. My suggestions are based on the fact I have experienced both the “blue screen of death” and actual mechanical hard drive failure. When your hard drive suddenly begins to sound like a fifteen-year-old trying to drive a stick shift for the first time, you know nothing good will come of it. As is often said, “It is not a matter of if, but a matter of when.” If one looks at CryptoLocker as just another form of complete hard drive failure, then the alternative to paying ransom is more obvious. Back in the olden days of DOS, our office computer had a tape backup. It took close to an hour to back up the files, so the tape backup always started an hour before everyone left for the day. At my suggestion, we had two tapes, marked “1” and “2”. The odd number tape was used on odd numbered days, and the even numbered tape on even numbered days. That way, if we had a drive failure, we had the tape from the day before. Or as happened one time, the drive failed and the tape broke the same day. We still only lost two day’s work.

Many people back up constantly, or in some cases, several times a day. One of the things Professor Schneier does to isolate files and computers is keep what he calls an “air gap” between machines. I have not yet upgraded our system, because this new threat is so new. However, this weekend, I plan to buy at least one and possibly two large external hard drives for the main office computer. I have an external hard drive for the home computer, but it is over capacity and I need a new one anyway. They will not be plugged into the computer until it is time do do a backup. I will back up once a day. That way, if the computer becomes infected with CryptoLocker or any other virus–or a hard drive failure–I still have a backup. Experts on ransomware seem to be of a mixed mind with regard to cloud storage. Most cloud storage services claim to have strong virus protection, including protection against ransomware. However, as I said above, these crooks are pros, and Murphy’s Law is still operant.

Frankly, if any of my hard drives becomes infected with ransomware, I will never use it again. I am quite aware of the claims of ransomware being easy to remove, but I am also aware virus writers are busy making removal either difficult or impossible.  I will take the hard drive out and destroy it, along with all other installed memory storage. All the top computer security experts are saying that since the current version of CryptoLocker and other ransomware is so profitable, there is no doubt newer, more powerful and more sophisticated versions are being created. The criminals know that every security agency in the world is working on ways to shut them down or destroy the Trojan before it reaches its target. Like every other internet threat, this virus will continue to evolve as long as there is money to be made.

FBI ransomwareCryptoLocker is not the only ransomware floating around. There is an FBI virus. That one pops up with an official-looking warning to the effect the FBI has been monitoring your browsing and have determined you are surfing child pornography sites or violating copyright laws. You are further informed your files are encrypted and you can only decrypt them by paying a “fine” of several hundred dollars within a specified time. Some of these warnings include the threat you will be arrested and jailed if you don’t pay they fine they demand. Different scenario, same kind of ransom extortion.

These threats are still evolving, and as fast as anti-virus software is written to protect the user, the criminals are keeping up. The only safe backup is one you manage yourself, offline. That is why I am getting my own external hard drive backup instead of relying on someone else’s servers in the so-called cloud.

I cannot and will not presume to tell anyone the best way to protect yourself. I have thrown out a few resources, and explained what I plan to do with my own system. If one is not an expert, the best plan is to consult with an expert. Additionally, I am not going to try to tell anyone there is a solution if your files are already encrypted by CryptoLocker or other ransomware. I wrote about encryption recently, mentioning TrueCrypt, a powerful asymmetrical encryption program similar to that used by these criminals. Once your files are encrypted, recovering them seems to be a lost cause other than paying a bribe. Personally, it seems more logical to spend the same amount, or less, on good backup hardware. I have provided several links below which should be a good start on making up your own mind on what will work best for you and your situation. These are current and working links at the time I am posting them.

PC Advisor: What you need to know about CryptoLocker and how to protect yourself from this ransomware

Matthew Hughes: CryptoLocker Is The Nastiest Malware Ever & Here’s What You Can Do

Naked Security: Destructive malware “CryptoLocker” on the loose – here’s what to do

CRN’s Robert Westervelt: Cryptolocker Attacks, Ransomware Target Small Businesses: Cisco

54 thoughts on “CryptoLocker, ransomware and holding the internet hostage

  1. does this mean, even if you back up your files, these crooks will still have all your files and all your personal info, pictures, etc??

  2. Larry,
    No, they don’t have your files. They are encrypted so you cannot access them. Kind of like coming home and finding all the door locks changed. Your stuff is still there; you just can’t get in without buying new keys from the crooks.

  3. As for backing up your files, if you have a full backup on a separate memory module, they didn’t go anywhere. However, the newest versions of ransomware look for shadow drives, so if you are running your backup constantly, it is likely to be infected too. That is why you should not plug the backup drive in until you are actually ready to back up. Lots of good information about that at the links I provided.

  4. OT
    Stallman warns about Bitcoin peril
    It needs to be anonymous
    by Nick Farrell in Rome |
    Richard Stallman, president of the Free Software Foundation warned that there needs to be a new form of electronic currency which is protected from NSA spy agency data mining.
    According to RT Stallman told a London gathering of Bit coin fans that while Bitcoin has its benefits, it is not up to the standard of a safe digital currency that would shield a payer from being tracked by companies and, ultimately, by intelligence agencies.
    He said that an anonymous payment system is also required for us to start “taking control of our digital lives”…

  5. lotta – no question that NK is one of the worst regimes. Maybe The Worst. But your “solution” is no different than the Cheney-Bush solution to Saddam. Wait -, make that a worse solution since you want to nuke ’em. Cheney was willing to let them live so they could greet us with fleurs. And to think that you’ve got a list of such candidates. The mind boggles.

  6. RE:encryption
    safe AND secure?
    Today I found out that during the height of the Cold War,
    the US military put such an emphasis on a rapid response to an attack
    on American soil, that to minimize any foreseeable delay
    in launching a nuclear missile,
    for nearly two decades they intentionally set the launch codes
    at every silo in the US to 8 zeroes…
    Oh, and in case you actually did forget the code,
    it was handily written down on a checklist handed out to the soldiers.
    As Dr. Bruce G. Blair,
    who was once a Minuteman launch officer,
    Our launch checklist in fact instructed us, the firing crew,
    to double-check the locking panel in our underground launch bunker
    to ensure that no digits other than zero
    had been inadvertently dialed into the panel…
    — Karl Smallwood,
    For Nearly Two Decades the Nuclear Launch Code at all Minuteman Silos in the United States Was 00000000

  7. What is the appropriate penalty under the law for these acts, or under any new law that might cover these specific circumstances?

    And should it be applied per victim, or some other means?

  8. @LottaKatz – I too share your “glass” feelings for DPRK but I was just being facisius. I would never want to be part of the wanton murder of indigent collaterals of lil’ Kim. However, lil’ Kim, like his father, has possession of several submarines sold to him by Putin. And they were NOT demilitarized. They are non-nuclear but can be outfitted for vertical tubes. A certain US Republican North Korean-born reverend and news paper owner helped broker the deal with Kim’s dad and Russia. They are 12 FRG class boats. Now what do you suppose they want to do with them. When viewing that “glass” doesn’t look too bad… :rollseyes:

    Now about your Belarus hackers… yes 4 of them got busted (by Belarus feds – division “K”) and they had the “chops” for CryptoLocker as they had done something similar before. It appears that InterPol is looking for 5 more Belarusians. But all totaled they are looking for 40 hackers world wide who have the “chops” for this type of crypto-monster.

    I wouldn’t be surprised if Putin’s fingerprints all all over the Belarus and Bulgarian groups. Microsoft has used the Bulgarians a lot to “Tiger-Team” their software security. The SVR (former KGB) could glean a ton of actionable intelligence on foreign nations (i.e. USA) CryptoLocker. The ransom could just be a red-herring to obfuscate the operation. Even though the data is encrypted doesn’t mean the hacker can’t FTP upload it to an SVR-funded server for later decryption.

    To the guy who wants to know why US can’t catch them and round them up? Because they use cyber-zombies. That means that your PC could be invisibly acting as a server and THEY can access it invisibly whenever they want. The only indication would be that your PC performance would suck badly and your router’s I/O data LED would be flashing constantly. Your PC could also be invisibly sending out Trojan Horse viruses or even acting as an infected web site.

    So they FBI might be knocking on your door think your the hacker responsible for CryptoLocker. Turn your PC off when not using it. That may help a little because you’ll notice performance issues when your using it and get a sniffer software to see what’s going on on your network.


  9. @dobbie606 – For verification of your allegation of “00000000” all we need to do is ask Otteray Scribe as that’s what he used to do back in the day. I personally thought they used an EAM system just like subs in where they get an Emergency Action Message from the POTUS and they have to open authenticator codes from a safe. Also Blouise could speak to this too. As there was a reason they went to the authenticator system due to too many prior FUBAR’s with our nukes.

  10. Just so you’ll know… DPRK (North Korea) has been playing “serious” mind games with US, Japan, and SK. They are playing submarine lost & find games with potential nuke boats with Davy Crockett torpedoes (nukes). We lost track of 5 of their subs recently. They claim their sites are on CONUS west coast and Hawaii (et al). They are underground testing nukes capable of setting off 5.1 seismic readings. PRC (China) is not doing too much to help as they have some serious bones-to-pick with US too. But PRC (President Xi Jinping) is pretty much NOT in control of Kim Jun Un. He’s out of control… as well as his mind (just like daddy was too).

    I guarantee you the USN has orders from POTUS to sink any unidentified submarines loitering in our waters off west coast and Hawaii. Albeit, we got suckered by a PRC/PLA nuke Jin-class sub not too long ago (c. 2010). But they were just playing self-authorized war-games with US (right in the middle of a USN war-game) and just fired an SLBM back to China to just show off that they could do it and get away with it. Obama did respond with the 7th Fleet to their waters to show-off back. Pesky little buztards… :rolls eyes:

  11. CryptoLocker blocked screen is a malware program designed by hackers to block access to personal or important files including videos, photos and documents. As soon as the Trojan finds its way into the computer it changes existing registry entries in the startup folder and in its place adds its own malicious registry entries. Not stopping there it further takes steps to ensure that computer automatically installs and executes malware program each time it is restarts. I request you to find solution at

Comments are closed.