SophosLabs has asked us to remind you about a destructive malware threat that calls itself CryptoLocker.

Sophos Anti-Virus detects it by the name Troj/Ransom-ACP, because that is exactly what it does: it holds your files to ransom.

Malware that encrypts your data and tries to sell it back to you, or else, is not new.

In fact, one of the earliest pieces of malware written specifically to make money, rather than simply to prove a point, was the AIDS Information Trojan of 1989.

That Trojan scrambled your hard disk after 90 days, and instructed you to send $378 to an accommodation address in Panama.

The perpetrator, one Dr Joseph Popp, was tracked down in the USA, extradited to the UK to stand trial, displayed increasingly shambolic behaviour, and was ultimately kicked out of Britain and never convicted.

Fortunately, his malware was similarly shambolic: it used simplistic encryption algorithms, and every computer was scrambled in the same way, so free tools for cleanup and recovery soon became available.

Sadly, the crooks behind the CryptoLocker malware haven't made the same coding mistakes.

The malware seems to do its cryptography by the book, so there is no way to recover your scrambled files once it has triggered.

(You could, I suppose, try paying the ransom, but I recommend that you do not.)

What CryptoLocker does

When the malware runs, it proceeds as follows:

1. CryptoLocker installs itself into your Documents and Settings folder, using a randomly-generated name, and adds itself to the list of programs in your registry that Windows loads automatically every time you log on.

2. It produces a lengthy list of random-looking server names in the domains.

3. It tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds.

4. Once it has found a server that it can reach, it uploads a small file that you can think of as your "CryptoLocker ID."

5. The server then generates a public-private key pair unique to your ID, and sends the public key part back to your computer.

→ Remember that public-key cryptography uses two different keys: a public key that locks files, and a private key that unlocks them. You can share your public key widely so that anyone can encrypt files for you, but only you (or someone to whom you have given a copy of your private key) can decrypt them. In CryptoLocker's case the private key is generated on, and never leaves, the crooks' server.

6. The malware on your computer uses this public key to encrypt all the files it can find that match a largish list of extensions, covering file types such as images, documents and spreadsheets.

→ Note that the malware searches for files to encrypt on all drives and in all folders it can access from your computer, including workgroup files shared by your colleagues, resources on your company servers, and possibly more. It runs with your privileges, so the more privileged your account, the worse the overall damage will be.

7. The malware then pops up a "pay page," giving you a limited time, typically 72 hours, to buy back the private key for your data, typically for $300. (The price point is surprisingly similar to what it was back in 1989.)

→ With the private key, you can recover your files.

We haven't tried buying anything back, not least because we know we'd be trading with crooks.

SophosLabs has received a large number of scrambled documents via the Sophos sample submission system.

These have come from people who are keenly hoping that there's a flaw in the CryptoLocker encryption, and that we can help them get their files back.

But as far as we can see, there's no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble.
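To make the "only the private key can unscramble" point concrete, here is an added worked model of steps 4 to 7 above in Go. It is illustrative code written for this article, not CryptoLocker's own code and not a Sophos tool, and it makes two assumptions the page does not state: that the server keeps one RSA key pair per victim ID, and that each file is encrypted with a fresh AES-256-GCM key that is then wrapped under the victim's RSA public key (a standard hybrid construction; the page only says the malware "uses this public key"). The extension list, the victim IDs and the sample "drive" are all constructed for the example, and the network steps 2 to 4 are replaced by a direct function call.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Constructed stand-in for the "largish list of extensions"; the real list is
// longer and is not reproduced on the page.
var targetExts = map[string]bool{".doc": true, ".xls": true, ".jpg": true}

// Server plays the crooks' C&C: one RSA key pair per victim ID. The private
// half never leaves this struct, which is the whole point of the scheme.
type Server struct{ keys map[string]*rsa.PrivateKey }

func NewServer() *Server { return &Server{keys: map[string]*rsa.PrivateKey{}} }

// Register models steps 4 and 5: the client sends its ID, the server mints a
// key pair for it and returns only the public key.
func (s *Server) Register(victimID string) (*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	s.keys[victimID] = priv
	return &priv.PublicKey, nil
}

// EncryptedFile is a hybrid ciphertext: a fresh AES-256-GCM key per file,
// wrapped with RSA-OAEP under the victim's public key (assumed construction).
type EncryptedFile struct{ WrappedKey, Nonce, Body []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile is step 6 for a single file: the public key alone is enough.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// DecryptFile is what the ransom buys: without the matching private key the
// OAEP unwrap fails, the file key is never recovered, and the body stays opaque.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Body, nil)
}

// extOf returns the lower-cased extension of a local, mapped or UNC path.
func extOf(p string) string {
	name := p[strings.LastIndexAny(p, `\/`)+1:]
	if j := strings.LastIndex(name, "."); j >= 0 {
		return strings.ToLower(name[j:])
	}
	return ""
}

// ScrambleTree models the search across everything the account can reach,
// here a constructed map of path -> content; only targeted extensions are hit.
func ScrambleTree(pub *rsa.PublicKey, files map[string][]byte) (map[string]*EncryptedFile, error) {
	out := make(map[string]*EncryptedFile)
	for p, content := range files {
		if !targetExts[extOf(p)] {
			continue
		}
		ef, err := EncryptFile(pub, content)
		if err != nil {
			return nil, err
		}
		out[p] = ef
	}
	return out, nil
}

func main() {
	srv := NewServer()
	pub, _ := srv.Register("victim-1") // constructed ID
	files := map[string][]byte{         // constructed sample "drive" and share
		`C:\Users\alice\Documents\budget.xls`: []byte("Q3 numbers"),
		`\\fileserver\shared\team\photo.JPG`:  []byte("jpeg bytes"),
		`C:\Windows\notepad.exe`:              []byte("MZ..."),
	}
	enc, _ := ScrambleTree(pub, files)
	doc := enc[`C:\Users\alice\Documents\budget.xls`]
	fmt.Println("files encrypted:", len(enc), "(the .exe is skipped)")
	pt, err := DecryptFile(srv.keys["victim-1"], doc)
	fmt.Printf("server's own private key: %q, err=%v\n", pt, err)
	other := NewServer()
	other.Register("victim-2")
	_, err = DecryptFile(other.keys["victim-2"], doc)
	fmt.Println("another victim's private key:", err)
}
```

Two things to take from running it: the share path under `\\fileserver\...` is encrypted just like the local document, because the walk is bounded only by what the account can read and write; and swapping in any other 2048-bit private key, even one the same server generated for a different ID, fails at the OAEP unwrap before a single byte of the file is touched.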