Data Replay Services


Beware of Cryptolocker


Cryptolocker is a trojan that attacks Windows machines and was first seen in late 2013. It reaches systems by several routes, most commonly an innocent-looking email that persuades the reader to open a disguised attachment; opening that attachment installs the trojan.

Once on a system, Cryptolocker encrypts documents and other user files on the hard drive (and on any mapped network drives it can reach) with a strong encryption key, then displays a message demanding a ransom payment in return for the key needed to decrypt them.

Because Cryptolocker was a completely new threat when it first appeared, signature-based anti-malware programs could not spot it: such programs only detect threats that have already been catalogued. Cryptolocker is now detected by anti-malware and anti-virus products, but its authors frequently repackage their code to evade detection, and this tactic has worked for them on a number of releases.

Cryptolocker does not rely on a password at all. It generates a random key to encrypt the files and then protects that key with a 2048-bit RSA public key, whose private half is held only on the attackers' server. A random key of this length cannot be guessed: a brute-force program (one that tries every possible key in turn) would have to search a key space so large that even at billions of attempts per second it would not finish within the lifetime of the universe, let alone at the tens of thousands of attempts per day a desktop PC manages against ordinary passwords.

Alternatively the ransom can be paid in return for the decryption key, allowing the encrypted files to be decrypted. Cryptolocker ransoms are paid in Bitcoin, a digital currency that is hard to trace to a person even though every transaction is recorded in a public ledger, and in December 2013 an attempt was made to estimate how much Cryptolocker had earned its creators. It was estimated that between October 15th and December 18th 2013 (just over two months), almost 42,000 transactions had taken place with a total value of around USD $27M.

If your system has been infected with Cryptolocker and you have important files that need decrypting, the options are: pay the ransom, although there is no guarantee you will receive the decryption key; try to crack the key with a brute-force program, which will not finish in your lifetime; restore the files from a backup the malware could not reach (offline media, or a service that keeps earlier versions of files); or accept that the data is gone. There is little point contacting a data recovery company, as they can only do the same exercise as you and would need the decryption key to access your data. The decryption key is not stored on the infected PC: only the public half of the key pair ever reaches the machine, and the private half stays with the attackers.
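To make the key-management point in the paragraphs above concrete, here is an added example, written for this edit and not code from the original post or from Cryptolocker itself, of the hybrid scheme the post describes: each file is encrypted with a fresh random AES-256 key, that key is wrapped with the attackers' RSA-2048 public key, and the private key exists only on their server, so a recovery firm holding the disk has nothing to work with. The functions `lockFile`, `unlockFile`, `newKeyPair` and `yearsToSearch`, the `Locked` structure and the sample document are all assumptions of this illustration; the real malware's file format and cipher details are not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Locked is all that remains on the victim's disk for one file: the AES-GCM
// ciphertext, its nonce, and the per-file key wrapped under the attacker's
// RSA public key. The plaintext file key is never written anywhere.
type Locked struct {
	WrappedKey []byte // RSA-OAEP(attackerPub, fileKey)
	Nonce      []byte
	Ciphertext []byte
}

// newKeyPair stands in for the key pair the attackers generate on their own
// server (assumed helper); only the public half ever reaches the victim.
func newKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lockFile models the malware's encryption step: a fresh random 256-bit key
// encrypts the file, and the attacker's public key wraps that key.
func lockFile(attackerPub *rsa.PublicKey, plaintext []byte) (*Locked, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // scrub the only plaintext copy of the file key
		fileKey[i] = 0
	}
	return &Locked{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// unlockFile is what the attackers' "decryption service" does: the RSA private
// key unwraps the file key, which then decrypts the file. Any other private
// key fails at the unwrap step, before AES is even reached.
func unlockFile(priv *rsa.PrivateKey, l *Locked) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: wrong private key")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// yearsToSearch estimates an exhaustive search of a bits-bit key space at
// ratePerSec guesses per second; big.Float keeps 2^2048 from overflowing.
func yearsToSearch(bits int, ratePerSec float64) *big.Float {
	space := new(big.Float).SetInt(new(big.Int).Lsh(big.NewInt(1), uint(bits)))
	secs := new(big.Float).Quo(space, big.NewFloat(ratePerSec))
	return secs.Quo(secs, big.NewFloat(365.25*24*3600))
}

func main() {
	attacker := newKeyPair() // private half stays on the attackers' server
	doc := []byte("constructed sample: Q4 accounts spreadsheet")
	locked, _ := lockFile(&attacker.PublicKey, doc)
	// A data-recovery firm holds locked plus the public key and nothing else.
	_, err := unlockFile(newKeyPair(), locked)
	fmt.Println("without the attacker's private key:", err)
	out, _ := unlockFile(attacker, locked)
	fmt.Println("with the attacker's private key, file recovered:", bytes.Equal(out, doc))
	fmt.Printf("years to brute-force one 256-bit file key at 1e12 guesses/s: %.3g\n", yearsToSearch(256, 1e12))
}
```

Run it with `go run`: the unwrap with a different private key fails, the unwrap with the attackers' key recovers the document, and the brute-force estimate for even the 256-bit file key (never mind the 2048-bit RSA key guarding it) comes out in the order of 10^57 years, which is why the post's "decades" is, if anything, an understatement.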

Written by Betty

January 15th, 2014 at 3:09 pm