CryptoLocker

CryptoLocker
Classification	Trojan horse
Type	Ransomware
Subtype	Cryptovirus
Isolation	2 June 2014
Operating system(s) affected	Windows

The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running Microsoft Windows,^[1] and was believed to have first been posted to the Internet on 5 September 2013.^[2] It propagated via infected email attachments, and via an existing Gameover ZeuS botnet.^[3] When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment (through either bitcoin or a pre-paid cash voucher) was made by a stated deadline, and it threatened to delete the private key if the deadline passes. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.

Although CryptoLocker itself was easily removed, the affected files remained encrypted in a way which researchers considered unfeasible to break. Many said that the ransom should not be paid, but did not offer any way to recover files; others said that paying the ransom was the only way to recover files that had not been backed up. Some victims claimed that paying the ransom did not always lead to the files being decrypted.

CryptoLocker was isolated in late May 2014 via Operation Tovar, which took down the Gameover ZeuS botnet that had been used to distribute the malware.^[4] During the operation, a security firm involved in the process obtained the database of private keys used by CryptoLocker, which was in turn used to build an online tool for recovering the keys and files without paying the ransom. It is believed that the operators of CryptoLocker successfully extorted a total of around $3 million from victims of the trojan. Other instances of encryption-based ransomware that have followed have used the "CryptoLocker" name (or variations), but are otherwise unrelated.

^ Cite error: The named reference ars-cryptolocker was invoked but never defined (see the help page).
^ Kelion, Leo (24 December 2013). "Cryptolocker ransomware has 'infected about 250,000 PCs'". BBC. Archived from the original on 22 March 2019. Retrieved 24 December 2013.
^ "CryptoLocker". Archived from the original on 14 September 2017. Retrieved 14 September 2017.
^ "'Operation Tovar' Targets 'Gameover' ZeuS Botnet, CryptoLocker Scourge – Krebs on Security". 2 June 2014. Retrieved 5 September 2023.

[ars-cryptolocker-1] Cite error: The named reference ars-cryptolocker was invoked but never defined (see the help page).

[bbc241213-2] Kelion, Leo (24 December 2013). "Cryptolocker ransomware has 'infected about 250,000 PCs'". BBC. Archived from the original on 22 March 2019. Retrieved 24 December 2013.

[3] "CryptoLocker". Archived from the original on 14 September 2017. Retrieved 14 September 2017.

[4] "'Operation Tovar' Targets 'Gameover' ZeuS Botnet, CryptoLocker Scourge – Krebs on Security". 2 June 2014. Retrieved 5 September 2023.

[1]

[2]

[3]

[4]