
Your Files Are at Risk – About Cryptolocker


The following is a guest post from BFS reader, Nancy Jones.  She made a mid-life career change into computer technology and system security since she loves all the stuff about it that most people hate.  She also created Grown Up Tech to help everyone learn how to get the most out of their computers and the internet without needing a degree in computer science.

There’s a nasty piece of malware out there called Cryptolocker. You won’t know you’re infected with it until you get the notice that your files are encrypted and if you don’t pay 2 Bitcoin (the value of this can change—read on to find out why) by a certain date, the decryption key will be destroyed, causing you to lose all your files forever.

At this time only Windows operating systems are vulnerable, with this exception: If you are running a Windows installation in Parallels on a Mac, with a shared home folder, you may be vulnerable to losing access to the home folder, which is basically where you live on a Mac. So here’s what you need to know to get a handle on what this is and why it’s so nasty.  Most importantly, how not to get it.  And if you do, how to survive it.

A Very Basic Understanding of Encryption:

Encryption is the process that makes text unreadable to someone who’s not in on the secret. It scrambles the text to such an extent that without the descrambler you’ll never be able to read it. It’s what the “lock” icon means when you go to your bank’s website or when you are shopping online and you go to check out.

Most encryption on the web is done with two “keys”.  One is a public key and the other is a private key, and they work together. No other combination of keys will work with either of those two. When you go to your bank’s website, you see the place where you log in with a username and password. When you hit the “login” button, you use the bank’s public key, which is stored on their server, to encrypt your login information so that if someone intercepts the traffic, all they’ll see is gobbledygook.  It won’t make any sense.  AND it can’t be used to log in, because if someone input what they intercepted, THAT would also get encrypted and end up being even more gobbledygooked. Without that private key at the other end, it IS just gobbledygook. So at the other end, the bank uses their private key, which is stored securely on their server, to decrypt your login credentials.

If you are at a website and see a lock, you’ll also see that the “http” is now “https” which means that a Secure Sockets Layer session has been started, which is another level of encryption added to the session. The original encryption session that was started with the public key/private key transmission (which is called “asymmetric”) now initiates a symmetric session that uses the same key between parties. Nothing that passes between the parties can be read by anyone other than those two parties. What you need to really understand is this: it works because both parties have the key. (Trust me, when I was learning all this, it made my head spin.)

What Cryptolocker Does:

Cryptolocker uses the originator’s (the bad guys’) public key to encrypt your personal files. It grabs not only the files on your active hard drive, but if you work with an external hard drive attached to your computer as a standard practice, it will grab those too, as well as any mapped network drives. That can make this a devastating infection for small businesses.

Don’t even think about cracking the encryption, either. The keys used in this are the best you can get, the strongest available. The payment demanded is any one of three untraceable methods: Bitcoin, MoneyPak card, or Ukash card. That lessens the chances of these guys getting caught, unless one of them gets very sloppy, and then rats the others out.

If you don’t pay the ransom, the decryption key is destroyed. Remember the part above, where I told you that the public key and the private key work together? Well, they ONLY work together. If the private key is destroyed, you will have zero chance of decrypting your files.

Here’s something else you need to know: if you are using a backup site in the cloud, as soon as you think you might be infected, unplug from the internet and call the human customer service rep at the backup service and let them know right away that you’ve been infected with Cryptolocker.  One cloud backup service has officially stated that this information will put a high priority on your call, and it’s reasonable that others are treating it the same way. By this time, they will already have a plan formulated for dealing with Cryptolocker, but if you let a backup take place after encryption has started, you will not be able to use your backup service to restore your computer.
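The point above, that a backup taken after encryption has started overwrites your last good copy, can be enforced with a simple pre-backup tripwire. The following Python is an added example (not from Nancy’s post or any backup product) that compares the current files against the fingerprint of the last good backup and refuses to run if a plain-text file has changed into random-looking bytes; the sample files, extension list and 7.5-bit threshold are constructed assumptions for illustration.

```python
import hashlib
import math
from collections import Counter

# Extensions whose contents are normally low-entropy text. An encrypted copy of
# such a file looks like random bytes, which is the tripwire used below.
TEXT_EXTS = {".txt", ".csv", ".html", ".log"}

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, close to 8.0 for random or encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def fingerprint(files):
    """files is {name: bytes}. Store the returned {name: sha256} with the last good backup."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def suspicious_changes(baseline, files, threshold=7.5):
    """Text files that changed since the baseline AND now look like ciphertext."""
    flagged = []
    for name, data in files.items():
        ext = name[name.rfind("."):].lower() if "." in name else ""
        changed = baseline.get(name) != hashlib.sha256(data).hexdigest()
        if changed and ext in TEXT_EXTS and shannon_entropy(data) > threshold:
            flagged.append(name)
    return sorted(flagged)

def backup_should_run(baseline, files):
    """Policy: never overwrite the last good backup once a text file has turned to noise."""
    return not suspicious_changes(baseline, files)

def make_sample():
    """Constructed sample data: a healthy snapshot, then the same tree after one
    text file has been replaced by random-looking bytes (a stand-in for ciphertext)."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 bytes
    good = {
        "notes.txt": b"Dear customer, your order has shipped.\n" * 100,
        "orders.csv": b"id,item,qty\n1,printer,1\n2,paper,5\n",
        "photo.jpg": noise,  # binary formats are high-entropy by nature; not a text extension
    }
    baseline = fingerprint(good)
    hit = dict(good)
    hit["notes.txt"] = noise                                # encrypted-looking replacement
    hit["orders.csv"] = good["orders.csv"] + b"3,ink,2\n"   # a normal edit, still plain text
    return baseline, good, hit
```

Compressed and image formats (.jpg, .zip, .docx) are high-entropy even when healthy, which is why the check is limited to plain-text extensions; it is a tripwire that stops a bad backup, not a complete detector.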

Prevention is the Best Defense:

All indications at this point are that the infections are started with a phishing email. Phishing is just like fishing—someone’s putting some bait out there hoping someone will bite. These guys are not amateurs.  The emails will look like the real thing. Some documented cases so far include emails that look like Amazon, BestBuy, WalMart, and other shopping sites.  Don’t even think that all links in all other email messages from all other sources must be safe just because I didn’t name any others.  You should treat all emails containing links with a strong degree of suspicion.

It is getting to the point where it just is not safe to click on a link in an email anymore.

Other possible infection sources include attachments in emails (if you weren’t expecting it, don’t click on it!).  If your machine has been previously compromised, the attackers could just remotely run a program that automatically loads and runs the encryption software.

Documentation on the attachment version includes emails that look like they came from well-known companies like UPS, FedEx, DHL, etc.  And with shopping online being so popular, we can expect that this will pick up, and with Christmas gift returns and all, don’t expect it to go away quickly. The attachments included in the email will have names that look like they end with .pdf, .doc, .xls, BUT are actually executables, meaning that when you click on them, a program will run. For some reason, Windows, by default, does not display the file extensions, and you generally know what kind of file something is by the icon it displays.

It’s better not to take that chance. You can follow this link for instructions on how to display all file extensions, so that you can actually see if something is not a .pdf, .doc, or .xls but is actually a .pdf.exe, .doc.exe, or .xls.exe. Those are bad guys.  Do not open them. (By the way, this is a ploy used by a lot of other trojans as well, disguising an executable file as a non-executable file; taking the step of displaying file extensions can keep you from clicking on them even in the absence of the Cryptolocker threat.)
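To make the double-extension trick concrete, here is an added Python example (not from Nancy’s post) that reproduces what Explorer shows when extensions are hidden, flags a name whose real extension is executable but whose displayed name looks like a document, and applies the same check to the members of a ZIP attachment. The extension lists and the sample ZIP are constructed for illustration.

```python
import io
import os
import zipfile

# Extensions Windows runs as a program on double-click (a conservative, partial list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions the lure pretends to be.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

def displayed_name(filename):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last extension is dropped, so 'Invoice.pdf.exe' appears as 'Invoice.pdf'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename

def is_disguised_executable(filename):
    """True when the file really runs as a program but its displayed name looks like a document."""
    _, real_ext = os.path.splitext(filename)
    _, shown_ext = os.path.splitext(displayed_name(filename))
    return real_ext.lower() in EXECUTABLE_EXTS and shown_ext.lower() in DOCUMENT_EXTS

def suspicious_members(zip_bytes):
    """Names inside a ZIP attachment that are disguised executables."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_disguised_executable(os.path.basename(n))]

def build_sample_zip():
    """Constructed sample attachment: a harmless text file plus a 'PDF' that is really an .exe.
    The member contents are placeholder text, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample, not a real attachment")
        zf.writestr("Shipping_Label.pdf.exe", "placeholder bytes, not a real program")
    return buf.getvalue()
```

A plain `setup.exe` is not flagged, because its displayed name `setup` does not imitate a document; the check targets the disguise, not every executable.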

And above all, BACKUP, BACKUP, BACKUP!!!!! You should NEVER have only one copy of your critical data. Ever. Ever! Got that? Because if you have a current backup, you’re prepared for….

Surviving the Infection You Couldn’t Stop in Time:

Go ahead and decide, right now, if you are willing to pay the ransom. If so, set aside $300 at a minimum, and be prepared for that to go up. But remember that we are talking about people who already don’t care that they don’t have a right to do stuff to your computer. Counting on them to keep their word may not be wise.

If you don’t intend to reward criminals for bad behavior (yes, I am being clear which path I recommend), stop all your other computer activity TODAY and make a set of recovery disks. That is a disk or a set of disks that contains your computer’s operating system and installed programs as it looks at the moment the disks are made, and all the files. This is a good practice anyway, especially if your machine didn’t come with operating system installation media. Most don’t nowadays.

You may (or may not—it just depends on factors we haven’t figured out yet) have to activate Windows again after installation, and that may require a phone call. I’ve had to do this numerous times, and it’s not a difficult process. The phone instructions are very easy to follow, and when you are asked how many machines the software is installed on, the correct answer is “zero.” Remember that.  Once the operating system is restored, move the most recent backups of your files back into place and you’re ready to go.

Forewarned is forearmed. Now you know there’s bad stuff out there. More importantly, you know how not to get tricked, and you know how to recover if you do get tricked. Don’t be embarrassed if you get fooled, these guys are highly skilled at what they do. They count on you being trusting, and they count on you being too busy to take proper preventive measures. The time you spend in prevention and precaution will save you a lot of recovery time.

There is just a bit of good news post-infection. A security researcher whom I trust completely has confirmed that upon payment of the ransom, the decryption key was provided as agreed, and following decryption the computer was back to normal. This nasty software encrypts only FILES, not the whole disk, not that that’s any comfort, except that the decryption process is far less time consuming for this than for a whole-disk decryption process.

Lastly, more about the payment price—the demand is in Bitcoin, and the value of Bitcoin is extremely volatile right now. When I first started outlining this post, two Bitcoin was about $300.  A year ago it was $13/coin. As of 1/16/14 it’s about $800 each. So “your mileage may vary.” Best to do the backups and not play their game.

Have you heard of Cryptolocker?  Have you ever had to go through this?


4 thoughts on “Your Files Are at Risk – About Cryptolocker”

  1. I can thankfully say that I’ve never suffered a problem like this. However I have had websites infected many years ago and I’ve had viruses on my computers in the past.

    Luckily, I suppose rather like spending more than you earn, eventually I reached the “tipping point”. I bought anti-virus, educated myself about risky actions and *finally* started backing up my computer.

    So while I’ve had a few heart-stopping moments in the past, my backups have always pulled me through.

    Fun fact for an article I was researching today: did you know 29% of people *never* back up their computer? Don’t be one of those people 🙂

  2. Found more information here:
    “CryptoLocker typically propagates as an attachment to a seemingly innocuous e-mail message, which appears to have been sent by legitimate company; or, it is uploaded to a computer already recruited to a botnet by a previous trojan infection. A ZIP file attached to an email message contains an executable file with the filename and the icon disguised as a PDF file, taking advantage of Windows’ default behaviour of hiding the extension from file names to disguise the real .EXE extension. Some instances may actually contain the Zeus trojan instead, which in turn installs CryptoLocker. When first run, the payload installs itself in the Documents and Settings folder with a random name, and adds a key to the registry that causes it to run on startup. It then attempts to contact one of several designated command and control servers; once connected, the server then generates a 2048-bit RSA key pair, and sends the public key back to the infected computer.” had even more information and remedies; but since it is not an encrypted page and their links are hard to verify, I suggest just reading their page.

    People have tracked the bitcoin accounts and know the bad guys have already made well over $27,000,000 USD as of December 2013. First cases were reported in September, 2013. There is a copycat (Cryptolocker2) around that may not actually give you the encryption key. You may be able to identify if it is the copycat if you look at the hidden extensions, save yourself some money.
    Before a full backup, run a scan for any trojan infections. There are a couple of other trojans used by Cryptolocker, that need to be removed before you backup anything or you can be re-infected.

    There are ways to block and isolate Cryptolocker. Looks like virus prevention software cannot detect the download, but can detect the associated trojans. So I guess we will keep our virus software running on all machines.
    After infection, best bet is to dump infected files if you have a backup copy.
    Sigh, this Cryptolocker can lock Open Office files as well as files with .jpg, .tif, and other photo extensions.
    Makes our annual hard drive backup in case of hurricane disaster look like it should be a quarterly practice. I like our photos. Not sure if it’s worth $300, much less over a $1000 others have paid, but I guess we will initiate yet another backup protocol, sigh. We already backup once a month, to an external drive. The external drive is backed up annually and the annual backup is placed in our safety deposit box at the bank. All personal documents are stored on personal flash drives so we can use each other’s computers, so our documents are backed up on 2 drives as we use them. Our hard drives are partitioned and data goes on a separate partition than the OS. Not sure if that would stop this thing as it registers through the OS to cross over all storage devices. Maybe we can surf on a separate Drive (with no document or photo extensions) entirely with a separate OS, take time to set up, but should actually run faster. I could fix it up with Adobe reader and such, so that it would download and read files, but they would not get backed up unless we made a huge effort. Nah, I think I will come up with something better, easier, for the family. I need to go look over all of our devices. As long as there is a buck to be made, we will have to be ever vigilant, sigh.

  3. @Richard, I back up my comp every couple of months because of stuff like this…

    @me again, yeah, it’s frustrating to have to waste our time backing things up every 2-3 months because of a$$holes.


Comments are closed.