CryptoLocker's crimewave: A trail of millions in laundered Bitcoin

CryptoLocker has infected an estimated 250,000 victims, demands an average $300 payout, and is trailing millions in laundered Bitcoin. Dell SecureWorks' new paper sheds light on the unstoppable ransomware.
Written by Violet Blue, Contributor

Dell SecureWorks estimates that CryptoLocker has infected 250,000 victims. The average payout is $300 each, and millions in laundered Bitcoin have been tracked and traced to the ransomware's money runners.

Spreading like wildfire from offices to homes, it arrives in email attachments (or over infected networks) to aggressively encrypt all files on a system (including mapped drives, Dropbox files, and all locally connected, network-attached, or cloud-based storage) - while an ominous onscreen timer demands payment within 72 hours.


Mess with the files or decline to pay and forget about ever opening your files again.

To date, no one has successfully defeated CryptoLocker. The Windows-only ransomware has held the rapt attention of malware fetishists since its formal appearance in September.

The Swansea, Massachusetts police department was hit in November.

The officers paid CryptoLocker's ransom. Police Lt. Gregory Ryan told press that his department shelled out around $750 for two Bitcoin on November 10 - even then admitting his department had no idea what Bitcoin is, or how the malware functioned.

One Bitcoin address, one million dollars in a day

Dell's CryptoLocker report cites a Computer Science thesis from an Italian grad student who looked at a few known CryptoLocker Bitcoin payment addresses while examining BitIodine.

The thesis reported a stunning take for one CryptoLocker address on one day:

In total, we identified 771 ransoms, for 1226 BTC (approximately USD 1,100,000 on December 15, 2013).

After tracing another Bitcoin address belonging to CryptoLocker and watching it move over six million dollars, they concluded, "This suggests that our estimate of their racket is very conservative."

Dell SecureWorks released its detailed report on CryptoLocker Ransomware Wednesday, cementing what several researchers already knew about CryptoLocker's cruelly smart extortion system.

Dell's unwillingness in its paper to estimate precise ransom payment statistics has confused press reports thus far: many articles incorrectly report $30 million (beginning with this updated URL, now citing an obviously incorrect $300K).

On our examination of Bitcoin addresses shared by victims online, the real number is likely in the hundreds of millions.

SecureWorks admits the true payout number is "very likely many times that" suggested in its own paper.

Bitcoin is "most cheap option"

CryptoLocker is criminally simple - and strangely eloquent, if you're a supervillain. 

Dell's researchers estimate that between 200,000 and 250,000 systems were infected globally in the first 100 days after CryptoLocker's release.

Carbonite, a cloud backup service, was reported in November to have been dealing with "several thousands" of phone calls from CryptoLocker-infected victims, and now has a dedicated team dealing with CryptoLocker recoveries.

In research for this article ZDNet traced four Bitcoin addresses posted (and re-posted) in forums by multiple CryptoLocker victims, showing movement of 41,928 BTC between October 15 and December 18.

Based on the current Bitcoin value of $661, the malware ninjas have moved $27,780,000 through those four addresses alone - if CryptoLocker cashes out today.

If CryptoLocker's supervillains cash out when Bitcoin soars back up to $1000, like it did on November 27... Well, $41.9 million isn't bad for three months of work.

Many victims believe that CryptoLocker briefly moved its ransom sums through Bitcoin addresses to launder the bounty; just-dice.com was repeatedly cited as a digital "mixer" point.

The malware doesn't appear to the victim until all files are successfully encrypted (and in case you thought it was safe to proceed, you're not: CryptoLocker periodically scans for new files). 

CryptoLocker hides its presence from victims until it has successfully contacted a command and control (C2) server and encrypted the files located on connected drives.

Prior to these actions, the malware ensures that it remains running on infected systems and that it persists across reboots.

When first executed, the malware creates a copy of itself in either %AppData% or %LocalAppData%. CryptoLocker then deletes the original executable file.

Then, your files are swiftly and silently owned.

The encryption process begins after CryptoLocker has established its presence on the system and successfully located, connected to, and communicated with an attacker-controlled C2 server. This communication provides the malware with the threat actors' RSA public key, which is used throughout the encryption process.

(...) Instead of using a custom cryptographic implementation like many other malware families, CryptoLocker uses strong third-party certified cryptography offered by Microsoft's CryptoAPI.

By using a sound implementation and following best practices, the malware authors have created a robust program that is difficult to circumvent.
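The drop location described above is something a defender can hunt for. The following Python script is an added example, not code from the article or from Dell SecureWorks; it applies one assumed heuristic (an executable sitting directly in a user's AppData\Roaming or AppData\Local root, rather than in a vendor subfolder, is unusual and worth review) to a constructed list of file paths of the kind one might export from endpoint telemetry.

```python
"""Flag executables that sit directly in a user's %AppData% or %LocalAppData% root.

Added example (not from the article or the Dell SecureWorks paper). Heuristic
assumed here: installed software normally lives in a vendor subfolder, so a
bare executable directly under AppData\\Roaming or AppData\\Local deserves a look.
"""
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Assumption: the extensions we treat as directly executable.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}


def appdata_root_kind(path: str) -> Optional[str]:
    """Return "AppData" or "LocalAppData" when the file's parent directory is
    exactly <drive>\\Users\\<user>\\AppData\\Roaming or ...\\AppData\\Local;
    return None for files anywhere else (including subfolders of those roots)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    # Expected shape: drive, "users", <user>, "appdata", "roaming"|"local", <file>
    if len(parts) != 6 or parts[1] != "users" or parts[3] != "appdata":
        return None
    return {"roaming": "AppData", "local": "LocalAppData"}.get(parts[4])


def is_suspicious_drop(path: str) -> Optional[str]:
    """Return the matching root name if path is an executable dropped directly
    into an AppData root, else None."""
    if PureWindowsPath(path).suffix.lower() not in EXECUTABLE_SUFFIXES:
        return None
    return appdata_root_kind(path)


def find_suspicious(paths: List[str]) -> List[Tuple[str, str]]:
    """Apply the heuristic to every path and return (path, root) hits in order."""
    hits = []
    for path in paths:
        kind = is_suspicious_drop(path)
        if kind is not None:
            hits.append((path, kind))
    return hits


# Constructed sample telemetry, not real data.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Teams.exe",   # vendor subfolder: fine
    r"C:\Users\alice\AppData\Roaming\Kcfmnqoe.exe",                # bare drop in %AppData%
    r"C:\Users\bob\AppData\Local\qwxbtyr.exe",                     # bare drop in %LocalAppData%
    r"C:\Users\bob\AppData\Local\Temp\setup.exe",                  # Temp subfolder: not matched
    r"C:\Program Files\Vendor\app.exe",                            # not under AppData
    r"C:\Users\carol\AppData\Roaming\notes.txt",                   # not an executable
]

if __name__ == "__main__":
    for path, root in find_suspicious(SAMPLE_PATHS):
        print(f"review: {path}  (bare executable in %{root}%)")
```

The check is deliberately narrow (direct children of the two roots only) so that it stays quiet on the many legitimate programs that install under a vendor subfolder; tune the extension set to your environment.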

Dell's paper suggests CryptoLocker's puppetmasters are in Russia and Eastern Europe, with primary targets in the United States, as well as other English-speaking countries.

A "bastard and fiendish" idea

When all files have been encrypted, each victim is then presented with an ugly splash screen with an ominous countdown timer, demanding payment.

CryptoLocker honors ransom payments.

Upon submitting payment, victims' computers no longer show the threatening countdown screen and instead see a new payment activation window.

In Dell's words, "During this payment validation phase, the malware connects to the C2 server every fifteen minutes to determine if the payment has been accepted. According to reports from victims, payments may be accepted within minutes or may take several weeks to process."

If you didn't pay, you gave up your files - and any new ones you made on your system after infection. To date, no one has successfully recovered files after CryptoLocker infection - unless they paid the ransom.

CryptoLocker's ransom amount has varied since its debut in September, but currently sits at $300 (USD) and 300 Euro - the ransom price is typically listed in cash currency, and Bitcoin.

Bitcoin instability over the past few months has prompted CryptoLocker's masterminds to reduce the ransom to 1 BTC, 0.5 BTC, and then to where it is currently: 0.3 BTC.

At first, CryptoLocker included [two known] static bitcoin addresses for everyone who was infected. The current versions of CryptoLocker dynamically generate new bitcoin payment addresses for each infection instance.

CryptoLocker cares

In early November, CryptoLocker's clever writers added a new feature called the CryptoLocker Decryption Service.

SecureWorks explained, "This service gives victims who failed to pay the ransom before the timer expired a way to retrieve the encrypted files from their infected system."

Not surprisingly, CryptoLocker's "Decryption Service" is much more expensive than the original ransom - a hefty 10 BTC.

And what if a victim's anti-virus software deletes the CryptoLocker executable before the ransom is paid?

According to BleepingComputer's thorough guide, CryptoLocker thought of this, too.

Rather than leave you high and dry with encrypted files, a key, and no way to unlock them, CryptoLocker detects the deletion of its executable files and shows victims a message that contains a link to a decryption tool that victims can download in case this happens.

BleepingComputer explains, "There are numerous reports that this download will not double-encrypt your files and will allow you to decrypt encrypted files."

CryptoLocker has left such a wide swath of confused and angry victims that they have been gathering in numerous online forums since September to share information about their experiences, offering details in hopes of helping others.

Active IT threads on sites such as Reddit (r/sysadmin, r/techsupport, and others) and BleepingComputer have ended up doubling as pseudo-support networks for those under CryptoLocker's timed gun.

After taking everything in, one Redditor was moved to remark that CryptoLocker is a "bastard and fiendish idea."

We're sure they got the message.

It's widely accepted that CryptoLocker's masterminds lurk on blogs and forums about CryptoLocker (especially this thread), and have responded to infected users' issues, as well as "give other messages on the home page of their Command and Control servers."

Another Redditor writes,

The malware author has responded to people in forums, helping them pay and such, and has stated that the keys are not sent out on an automated process, but selected manually by him for deletion and sending for decryption.

He keeps the keys longer than the 4 days, and will troubleshoot MoneyPak codes not working, and will send the decrypt key as fast as he can after he gets the money. He knows each computer that has it, and each computer gets a unique key.

Still, no one has been able to draw a bead on who might be pocketing CryptoLocker's spoils.

Dell's new paper looks for clues in the malware authors' behavior patterns:

Analysis of the IP addresses used by the threat actors reveals several patterns of behavior.

The first is that the threat actors use virtual private servers (VPS) located at different ISPs throughout the Russian Federation and in former Eastern bloc countries.

The extended use of some of these hosts, such as,, and, suggests that they are located at providers that are indifferent to criminal activity on their networks or are complicit in its execution (such as so-called "bulletproof" hosting providers). The remaining servers appear to be used for several days before disappearing.

The researchers say they don't know if the servers are disappearing because ISPs are terminating CryptoLocker's service, or if it's because CryptoLocker's crimewave gang prefers to stay a moving target.

Tell mom and dad not to open every damn email attachment

SecureWorks reports that the first wave of infection came through targeted emails with attachments, and this appears to remain a common vector.

The attachment, most of the time, is a .zip with a .PDF inside, which is actually an executable (.exe).

The flawless malware spread out of office networks, and currently targets home computer users as well.

Dell's researchers noted that peer-to-peer (P2P) CryptoLocker infections began to appear in early October.

On October 7, 2013, CTU researchers observed CryptoLocker being distributed by the peer-to-peer (P2P) Gameover Zeus malware in a typical pay-per-installation arrangement. In this case, Gameover Zeus was distributed by the Cutwail spam botnet using lures consistent with previous malware distribution campaigns.

(...) Attached to the message is a ZIP archive containing a small (approximately 20KB) executable using a document extension in the filename and displaying an Adobe Reader icon. This Upatre malware downloads and executes Gameover Zeus, which in turn downloads and installs other malware families including CryptoLocker.

(...) As of this publication, Gameover Zeus remains the primary method of distributing CryptoLocker.
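The lure described on this page (a ZIP whose entry carries a document extension but is really a small Windows executable) is something a mail gateway or an analyst can check for mechanically. The script below is an added example, not code from the article, Dell SecureWorks or BleepingComputer; it builds a constructed, inert archive in memory that mimics that shape and triages each entry by name (a document extension followed by an executable one) and by content (the `MZ` two-byte signature every Windows executable starts with). The document and executable extension sets are assumptions.

```python
"""Triage ZIP attachments for document-named entries that are really executables.

Added example (not from the article, Dell SecureWorks or BleepingComputer).
Two independent checks per entry:
  1. name-based: final extension is executable, and the one before it is a
     document extension (e.g. "report.pdf.exe");
  2. content-based: the entry's first two bytes are "MZ", the signature every
     Windows executable starts with, regardless of what the name claims.
The extension sets are assumptions, not from the page.
"""
import io
import zipfile
from pathlib import PurePosixPath
from typing import List, Tuple

DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".cpl"}

Finding = Tuple[str, int, List[str]]  # (entry name, uncompressed size, reasons)


def triage_zip(data: bytes) -> List[Finding]:
    """Return one finding per suspicious entry, in archive order."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # ZIP entry names use "/" separators; suffixes gives e.g. [".pdf", ".exe"]
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            reasons: List[str] = []

            last = suffixes[-1] if suffixes else ""
            if last in EXECUTABLE_SUFFIXES:
                reasons.append("executable extension")
                if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_SUFFIXES:
                    reasons.append("document extension hidden before executable extension")

            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":
                reasons.append("MZ signature: content is a Windows executable")
                if last in DOCUMENT_SUFFIXES:
                    reasons.append("name claims a document but content is executable")

            if reasons:
                findings.append((info.filename, info.file_size, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure-shaped archive. The 'executables' are inert stand-ins:
    an MZ signature followed by ~20 KB of zero bytes, matching the size the
    page mentions, but not runnable code."""
    inert_pe = b"MZ" + bytes(20_000)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payroll Report.pdf.exe", inert_pe)       # double extension
        zf.writestr("readme.txt", b"ordinary text content")   # benign
        zf.writestr("complaint.pdf", inert_pe)                 # name lies, content tells
    return buf.getvalue()


if __name__ == "__main__":
    for name, size, reasons in triage_zip(build_sample_zip()):
        print(f"{name} ({size} bytes): " + "; ".join(reasons))
```

The content check matters more than the name check: Windows hides known extensions by default, so a user sees "Payroll Report.pdf" either way, and a sender who simply names the file "complaint.pdf" defeats any extension list but not the signature test.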

Dell's report explains that the first email wave, targeted at businesses, lured clicks by addressing professionals to notify them of a formal complaint. But outside of Dell's paper, victims report CryptoLocker emails coming from spoofed Xerox email addresses, emails about resumes, and a commonly cited subject line is "Payroll Report."

Mine came from a business source we deal with that had an attachment labeled "stores parts.zip" and a title of "Sent by email: stores parts.zip" -wisdom_and_frivolity

The SecureWorks paper brought together much of what has already been written about CryptoLocker, tied together a number of threads, and provides a solid marker moving forward.

Now, if only Dell products were coded with the maddening target-objective mindset and frightening efficiency of CryptoLocker...
