CryptoLocker FAQ

There is a lot of confusion about the latest piece of ransomware now making the rounds on the Internet, known as "CryptoLocker". This FAQ intends to clear up this confusion and help you understand your data recovery options.

Q: How Did I Get CryptoLocker?

A: The CryptoLocker malware is delivered via a specially crafted spam message containing a ZIP file attachment. The subject lines that we have seen reference bank accounts, voice mail messages, and package delivery attempt notifications. Some subject lines that we have seen include:

  • Account Statement
  • Voice Message from Unknown (*random phone number*)

These e-mail messages include a ZIP file attachment (reports are that some of the attachments are password protected, with the password provided in the email). The ZIP file contains an executable. The executable disguises itself as a PDF or audio file icon depending on the content of the message, encouraging users to click on it.
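A mail-gateway style check for the lure described above, written as an added example (not a Kyrus tool): it opens a ZIP attachment and flags members that carry an executable extension behind a document-style name, members whose contents start with the Windows "MZ" executable header under a harmless-looking name, and password-protected members whose contents cannot be inspected at all. The sample ZIP is constructed inline and is not a real attachment.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows runs as programs; a "statement" or "voice message" inside
# an attachment should never carry one (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".wav", ".mp3", ".txt"}


def suspicious_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) pairs for members that look like the
    executable-disguised-as-document lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + part for part in base.split(".")[1:]]
            if exts and exts[-1] in EXECUTABLE_EXTS:
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                    findings.append((info.filename, "executable with document-style double extension"))
                else:
                    findings.append((info.filename, "executable inside attachment"))
                continue
            if info.flag_bits & 0x1:
                # Bit 0 of the general-purpose flags marks an encrypted member;
                # the password-in-the-email trick keeps scanners from reading it.
                findings.append((info.filename, "password-protected member; contents not inspectable"))
                continue
            # Windows executables start with "MZ" whatever extension they were given.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    findings.append((info.filename, "PE header under a non-executable name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample resembling the lure; the 'executables' are just an MZ
    header followed by zero bytes, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Account_Statement.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("VoiceMessage.wav", b"MZ" + b"\x00" * 64)  # renamed executable
        zf.writestr("readme.txt", b"This is a harmless text file.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_zip()):
        print(f"{name}: {reason}")
```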

Q: What Does CryptoLocker Do?

A: Once the user double-clicks on the ZIP file, several malware applications are downloaded from the Internet and installed on the victim machine. The two most common malware applications are the Zeus botnet and CryptoLocker. CryptoLocker immediately starts listing all document files on all drives attached to your computer (including your hard drive, any attached external drives, thumb drives, and network shares).

CryptoLocker contacts the attacker's computer to generate what is known as a *public/private key pair*. CryptoLocker uses *public key cryptography* -- the same technology that keeps your online shopping secure -- to encrypt your files. Public key cryptography uses a key pair to encrypt data; data encrypted with the *public* key can only be decrypted with the *private* key; and vice versa.

The attacker generates a public/private key pair, and sends the public key back to your computer. CryptoLocker then encrypts all files on your computer using the public key; the only way to decrypt the files is then to recover the private key, which never leaves the attacker's possession.
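A toy illustration of the key-pair property the two paragraphs above rely on, added here as a teaching example and not taken from CryptoLocker or from Kyrus's tools. It uses the textbook small-prime RSA numbers (p=61, q=53, e=17) on single integers; real keys are thousands of bits long, and the last function shows why that matters: turning a public key into its private key means factoring the modulus, which is instant for a toy modulus and infeasible at real key sizes.

```python
# Toy RSA with tiny primes; constructed for illustration, not usable as real crypto.

def toy_keypair(p: int, q: int, e: int):
    """Derive a (public, private) pair from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)       # Euler's totient of n
    d = pow(e, -1, phi)           # private exponent: e*d == 1 (mod phi)
    return (e, n), (d, n)


def apply_key(m: int, key) -> int:
    """Modular exponentiation; the same operation encrypts or decrypts
    depending on which half of the pair is supplied."""
    exp, n = key
    return pow(m, exp, n)


# Textbook small-number pair: p=61, q=53, e=17 gives d=2753.
PUBLIC, PRIVATE = toy_keypair(61, 53, 17)


def roundtrip(m: int) -> int:
    """Encrypt with the public key (the half sent to the victim machine), then
    decrypt with the private key (the half that stays with the attacker)."""
    c = apply_key(m, PUBLIC)      # for m=65 the ciphertext is 2790
    return apply_key(c, PRIVATE)  # and the private key restores 65


def reverse_roundtrip(m: int) -> int:
    """The 'vice versa' direction: private key first, then public key.
    This is the basis of digital signatures rather than of encryption."""
    return apply_key(apply_key(m, PRIVATE), PUBLIC)


def recover_private_from_public(e: int, n: int):
    """Recovering d from (e, n) requires factoring n. Trial division works for a
    12-bit toy modulus; at real key sizes it is computationally infeasible, so
    the private key can only come from whoever generated the pair."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1)), n
    raise ValueError("modulus is prime or factoring failed")


if __name__ == "__main__":
    print(roundtrip(65), reverse_roundtrip(65), recover_private_from_public(*PUBLIC))
```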

Only after all of the files have been encrypted does CryptoLocker display a ransom message on the computer. By the time you see the ransom message, it is too late to recover the data.

Q: How Do I Get My Files Back?

A: The best way to get your files back is to have a recent backup of your data. If you use a cloud-based backup service such as BackBlaze, CrashPlan, or Mozy, or if you use a cloud-based file storage service such as Dropbox, immediately log into your account from another, non-infected computer and see if your files can be recovered.

Another place where backups may be stored is in the *shadow copies* that Windows generates automatically. To check whether your files can be recovered through the Windows shadow copy service, use a tool such as [ShadowExplorer].

If there are no backups available, then your only option is to pay the ransom. The ransom increases in price over time, so the sooner you get help, the less expensive the recovery will be.

Q: How Much is the Ransom?

A: The only payment option that reliably works with the attacker is a special currency called [BitCoin]. The exchange rate between BitCoin (or BTC) and the US Dollar (USD) is highly variable; as of this writing, one BTC is worth about $1,100 USD.

If the ransom is paid within five days, the ransom price is currently 0.3 BTC (about $300); if the ransom is not paid within five days, the ransom increases to 2.2 BTC (about $2,500). Note that the attackers have changed the ransom amount over time, so this can only be used as an estimate.

Q: Can You Decrypt My Files Without Paying the Ransom?

A: No. You cannot decrypt the files without paying the ransom. Unfortunately, since the private key is only available to the attackers, the only way to retrieve the private key is to pay the ransom.

Q: What Happens if I Decide to Pay the Ransom?

A: Kyrus can help you navigate the process of paying the ransom and recovering your files. We follow a five-step process and will assist you at every step of the way.

  1. Send us an encrypted file from your computer.
  2. We will find out from the attacker the ransom amount (the ransom amount is dependent on how long ago the infection occurred; after 5 days, the ransom increases dramatically).
  3. Once we receive payment for the ransom, we will pay the attackers. The attackers will deliver the private key within 30 minutes to an hour after our payment.
  4. We will deliver the private key to you and tools to decrypt your files.

If you need additional assistance, we will be happy to help.

Q: How Can I Learn More?

A: Good question. A great, up-to-date resource is the BleepingComputer forums' coverage of the CryptoLocker virus. We strongly recommend that you file a complaint with the IC3 Internet Crime Complaint Center. While filing a complaint will not get your files back, it will increase the monetary damages in any criminal complaint brought against the attackers once they are identified.

For more technical information on CryptoLocker, visit the Emsisoft blog. Kyrus has posted an analysis of the CryptoLocker encrypted file format and a decryption tool on our GitHub page.