Cryptolocker: Menace of 2013

Summary: The scale of the Cryptolocker threat is disputable. It's the psychology that is truly frightening.

Security software company Symantec this month named Cryptolocker the “Menace of the Year”.

Bitdefender logged over 12,000 victims in a week last month. That's not huge on a global scale but it should be a big enough number to make businesses pay attention.

While relatively few have been affected so far, many of those that have succumbed experienced a world of pain, as the victim stories below will attest.

[Image: CryptoLocker. Caption: Backup is the key to recovering from a Cryptolocker lockout.]

For anyone who hasn’t been paying attention, Cryptolocker is a variant of ransomware that, unlike its predecessors, does not work by locking a computer. Instead, it encrypts all of the user's data and demands a ransom in Bitcoins for the user to regain access.

It is usually distributed via a spam campaign as an executable attachment disguised as a zipped document and presented as an invoice, a report or similar.

All of that would be frightening enough for individual users, but Cryptolocker, more than most trojans, is a threat to businesses too. That's because it attacks not only data on the PC on which the executable was opened, but also data on devices and drives connected to that PC.

So, what’s it like being on the receiving end?

One business in Australia was shut down for five days, with staff sent home on leave. Every network share’s business data was encrypted, over 64,000 files, after a staff member clicked on an attachment despite telltale suspicious signs.

The firewall failed to detect and stop the infection as did antivirus software.

After the download, the executable fetched multiple files from a website, which in turn downloaded more malicious code and registered it, via the registry, to run at startup.

Backup is key. It allows companies to enter their own personal Tardis and, like Dr Who, wind the clock back.

In this case it failed: the backup server had made room for the latest revised data by deleting all the old backups.

“The receptionist could not wait for the backup to complete on the last known backup date, and pulled out the USB drive early.”

This forced the IT fixers to restore from an older backup, losing many proposals and quotes. The system was recovered “but at great expense and emotional cost”.

Contrast that with a New Zealand law firm where, through good management and a bit of luck, backup was effective.

“Only 45 minutes of work was lost and as this all happened at around midday a lot of staff were at lunch so there was not much activity in regards to the data.”

The most famous victim to date is the police department of Swansea, Massachusetts. Infected in November, the department decided to pay the ransom demand of two bitcoins, around US$750 at the time, and recovered its data.

In the process it not only revealed its vulnerability, but also drew heat for rewarding the criminals.

Cryptolocker is not entirely new. It emerged in September, but similar malware families date back as far as 2005.

Symantec says that, due to the publicity around ransomware, there are fewer uninformed potential victims, and that this has lowered both the effectiveness of the tactic and its profitability.

Cryptolocker is their response.

“Due to this increased public awareness, in the last quarter of 2014 [sic] we have seen cybercriminals reorganize around a new type of extortion: Cryptolocker. This threat is pervasive and preys on a victim's biggest fear: losing their valuable data…

“If files are encrypted by Cryptolocker and you do not have a backup of the file, it is likely that the file is lost.”

There is no way to retrieve locked files without the attacker's private key. There can also be a time limit, usually 72 hours, in which to pay the ransom.

Almost comically, the criminals were making so much coin from a surging bitcoin value, they later reduced the ransom.

Users are being advised to take the following precautions:

  • Back up all files regularly and keep the backups off the network
  • Lock down directories
  • Make sure you have a business-grade unified threat management (UTM) firewall with current subscriptions
  • Keep all virus protection software up to date
  • Make sure all employees are aware of this danger, trained in response and know not to open attachments without first talking to the IT department.
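The two backup stories above (old generations deleted to make room for the newest data, and a USB drive unplugged before the copy finished) come down to how retention and completion are handled. The script below is an added example, not from the article or from any vendor, of a pull-style snapshot backup that keeps several generations, prunes only after a snapshot completes, and refuses to run when a decoy "canary" document on the share has changed since the last good copy. It assumes the backup host mounts the client share read-only and that clients have no write access to the backup directory; the `canary.txt` name and the `snap-NNNN` layout are constructed for the example.

```shell
#!/bin/sh
# Pull-style snapshot backup with a canary check, a completion marker and
# prune-after-success retention. Assumptions (constructed for this example):
# this runs on the backup host, which mounts the client share read-only at
# $SRC, and client machines have no write access to $DEST.
set -eu

CANARY="canary.txt"   # decoy document nobody edits; a change means mass tampering

hash_file() {         # sha256 where available, falling back to POSIX cksum
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else cksum "$1" | cut -d' ' -f1; fi
}

latest_complete() {   # newest snapshot under $1 that carries its .complete marker
  for d in $(ls -d "$1"/snap-* 2>/dev/null | sort -r); do
    if [ -f "$d/.complete" ]; then echo "$d"; return 0; fi
  done
  return 1
}

snapshot_backup() {   # snapshot_backup SRC DEST KEEP -> 0 ok, 2 canary tripped
  src=$1; dest=$2; keep=$3
  mkdir -p "$dest"
  # 1. Canary check: if the decoy differs from the last good copy, the share is
  #    probably being encrypted, so refuse rather than overwrite good generations.
  if prev=$(latest_complete "$dest") && [ -f "$prev/$CANARY" ]; then
    [ "$(hash_file "$src/$CANARY")" = "$(hash_file "$prev/$CANARY")" ] || return 2
  fi
  # 2. Copy into a staging dir; .complete is written last, so an interrupted
  #    run (the unplugged USB drive) is never mistaken for a usable backup.
  seq=$(( $(cat "$dest/.seq" 2>/dev/null || echo 0) + 1 ))
  stage="$dest/.staging"; rm -rf "$stage"; mkdir "$stage"
  cp -R "$src"/. "$stage"/
  touch "$stage/.complete"
  mv "$stage" "$(printf '%s/snap-%04d' "$dest" "$seq")"
  echo "$seq" > "$dest/.seq"
  # 3. Prune only now, and only down to KEEP generations: making room for the
  #    newest data never deletes every older copy.
  count=$(ls -d "$dest"/snap-* | wc -l); excess=$((count - keep))
  if [ "$excess" -gt 0 ]; then
    ls -d "$dest"/snap-* | sort | head -n "$excess" | while read -r old; do rm -rf "$old"; done
  fi
  return 0
}
```

Run it from cron on the backup host as `snapshot_backup /mnt/share /srv/backups 14`; a return code of 2 is the signal to investigate the share before any further backups run.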

Talkback

30 comments
  • Number 4

    don't give in. I wipe and reinstall first.
    Scatcatpdx
    • And hope your backup didn't back up the encrypted data...

      deleting the valid data in the process.
      jessepollard
    • Well,

      With the variant we are seeing at work, simply reformatting the drive doesn't clean it. You have to DBAN the drive first. What happens with the latest versions of Cryptolocker and its variants is that files are downloaded from the website which creates a new partition on your hard drive and then sets that new partition up as a hypervisor partition. In other words, your C: drive is your guest OS and the host is Cryptolocker's partition. Wiping and reinstalling on the guest OS will not affect the host.
      benched42
  • Still

    People still clicking on stuff they should not click on.
    MoeFugger
  • Ransom in Bitcoins?

    Well, that certainly makes sense. Bitcoins, the Vapor Currency of con men and criminals across the world.
    Sir Name
  • How about preventing the execution of arbitrary executables

    acquired via the Internet or email attachments? This will protect against CryptoLocker.

    Business users of Windows can choose between Software Restriction Policy (via gpedit.msc) and AppLocker, if using Windows 7 and above.

    Home users of Windows Vista and above can choose between whitelisting applications using Windows built-in Parental Controls or simply running the 3rd party tool 'CryptoPrevent':

    http://www.foolishit.com/vb6-projects/cryptoprevent/

    P.S. Frequent backups are always a good idea. For most users, hardware failure (e.g., disk drive) will be the culprit rather than malware such as CryptoLocker.
    Rabid Howler Monkey
    • and OS X users

      by default, won’t be able to run the executable until they've entered an Admin’s username and password.

      Oh. No they won’t. Cryptolocker doesn’t target OS X.
      StandardPerson
  • In the last quarter of 2014?

    What? News from the future, holy crap, what happens!?!?!

    Also, wow, letting software execute at administrative level by default sure sounds like a great idea... oh wait, what's the exact opposite of a great idea again?
    Max™
    • Well, in fairness

      I don't think the software needs to be run as an admin in order to make a mess. After all, what's the functional difference between running your "My Documents" folder through 7zip with a password, and what cryptolocker does? If it's not attempting to encrypt files to which you don't have access, thus traversing folder permissions or similar, it can do all its dirty work in user space without requiring elevation.

      Joey
      voyager529
      • Well...

        It's a little harder to do it on Linux unless you do something dumb like set yourself as the root on all accounts and turn off all permission checks.
        Max™
        • The target is the users data, not the system

          On Linux you have to be a bit more proactive to launch it: download, then double-click if it was saved with the executable attribute; if not, you have to actively dig your grave by manually setting it, then launching. Anyway, still more complicated than just double-clicking on the archive, then double-clicking on the enclosed file.
          But once launched it would make the same kind of mess as it would on Windows, since it goes after your documents, not trying to elevate its privileges and pwn your whole system.
          Remember, Windows versions newer than XP don't let you walk through others' folders by default either. But the single confirmation click needed, which offers next to no info on who wants to do what, is still a liability.
          gradinaruvasile
          • not a Linux liability.

            The program is a windows exe. Won't run on Linux except maybe under wine.
            anothercanuck
          • Yet.

            .
            JCitizen
          • Won't run anyway.

            The user has to set the execute bit after downloading it.

            Then has to run it.

            Typical trojan...
            jessepollard
  • Does this...

    “but at great expense and emotional cost”.

    ... Mean that someone was REALLY effing mad? I bet they were.
    pishaw
  • Law enforcement??

    These are criminals, right? If our Gallant Law enforcement officers can crack a paedophile ring on 4 continents by following the transaction chain then why can they not round up this lot??

    Or should I start selling my Illegal Porn for Bitcoins?
    P0l0nium
  • no admin privileges

    Here is my plan. Run an automated backup from an administrator account on my computer, and only give standard privileges to all users. That way if someone downloads the virus it won't be able to encrypt my backups. Do you think that would keep me safe?
    random2001
    • No -

      This virus/trojan (whatever) can take over ANY share! This includes NAS servers on your network! Killing sharing, and/or doing what Rabid Howler Monkey described previously is the way to go!
      JCitizen
      • I don't get that

        To change a file, even on a network, surely the program needs the correct permissions. I presume it would run under whatever user permissions the person who opened it has. If that person doesn't have permission to alter a file, then neither would this virus right? That is, unless it somehow obtains admin rights, but that would surely be through a bug in Windows which could be fixed.
        random2001
    • server side backups

      The proper way is to do server based incremental backup which cannot be accessed by client machines. Keep nothing important on client machines, everything on server.
      This way, no form of cryptolocker can mess up the backup.
      warboat