Cryptolocker, what is it?
Cryptolocker was a ransomware: it encrypted the data on a computer, making it unreadable without the decryption key. This prevented users from accessing their software or viewing their files.
The attack occurred through a phishing email with malicious attachments. To obtain the decryption key, a ransom had to be paid in euros, dollars, or bitcoin.
Cryptolocker was active between 2013 and 2014. It affected many victims and managed to extort several million dollars.
The story of Cryptolocker
The malware was first identified between September 5, 2013, and May 2014. Within the first few days, Cryptolocker infected more than 34,000 machines and held them ransom. The software informed victims that the private key to decrypt their files would be destroyed after the 72-hour payment deadline.
Initially, the ransom was 400 dollars or the equivalent in bitcoin. The bitcoin amount was adjusted according to the bitcoin exchange rate at the time. However, the cybercriminals set up an online service that allowed the encrypted files to be unlocked after the deadline for a much higher price of 10 bitcoins.
Unlike computer viruses and worms, Cryptolocker did not have the ability to replicate itself. However, the hackers used a botnet called "GameoverZeus" to infect new victims.
GameOverZeus was a network of infected computers controlled remotely without the owners' knowledge. Using this botnet, the hackers sent fraudulent emails to spread CryptoLocker on the internet.
In 2014, a collaborative operation led by various national law enforcement agencies called Operation Tovar neutralized GameOverZeus, providing access to certain unchanged Cryptolocker decryption keys.
Security companies Fox-IT and FireEye participated in the operation. They collected decryption keys to create an online tool called Decrypt Cryptolocker. These keys allowed the recovery of encrypted files without paying a ransom.
The operation isolated the ransomware on June 2, 2014, by discreetly redirecting registration attempts to a government server, resulting in the destruction of Cryptolocker.
In total, Cryptolocker extorted over 27 million dollars. Several other ransomware attacks have used the name "Cryptolocker" since then, even though they have no direct connection to the original.
How does Cryptolocker work?
Cryptolocker initially infected computers through phishing campaigns, using fraudulent emails with attachments or download links for the malware.
Once executed, Cryptolocker acted like a typical ransomware. It encrypted your data and sent you a message demanding a ransom. The software used asymmetric encryption, where one key was used for encryption and another for decryption. These files could only be decrypted if you possessed the private decryption key, usually obtained by paying the ransom.
After execution, the ransomware identified and encrypted files on USB drives, external hard drives, network file shares, accessible cloud storage, and shared network drives with the infected computer. The search for new files or folders to encrypt could take several hours, during which Cryptolocker remained discreet. The incubation period included the installation and encryption of the data.
The ransomware then revealed its presence to contact you and demand payment. The payment had to be made within 72 hours, or the amount would increase significantly.
How to recognize it?
The ransom demand screen is characteristic of Cryptolocker and allows you to recognize the ransomware.
Some decryption tools have been made available for free, developed using the encryption keys seized during Operation Tovar. These tools can decrypt your files and restore your access. However, they are not always effective because Fox-IT and FireEye were unable to recover all the keys.
Like many ransomware, having a good backup strategy enables file restoration while minimizing productivity loss.
The main infection vector for Cryptolocker is phishing, a social engineering technique that is not foolproof.
Humans are the key to protecting themselves from phishing and many other threats.
It is essential to educate individuals to detect and report suspicious emails. Well-trained personnel can protect against these practices.