Cryptolocker is a ransomware family that targeted Windows systems and encrypted a victim’s files before demanding a ransom in exchange for restored access.

How Cryptolocker works

Generally speaking, Cryptolocker first arrived on a system in the form of a ZIP file that was typically attached to a legitimate-looking business email.

This ZIP file contained an executable that hid its .EXE extension and posed as an innocuous PDF file. When a victim attempted to open this imitation PDF, the executable ran, and the Cryptolocker payload installed itself within the user profile folder while adding a registry key that ensured it ran on startup.

It then established contact with designated remote servers used by the attackers. Once it established a connection, the attackers’ remote servers generated a 2048-bit RSA key pair and sent the public key back to the infected computer. From there, Cryptolocker began encrypting files across local storage drives, network drives, and even some cloud storage locations with the public key, logging each encrypted file to a registry key. This targeted process sought out specific file extensions, and may have included personal photos and documents, as well as Microsoft Office, OpenDocument, and AutoCAD files.

Finally, the ransomware displayed a pop-up notification demanding the user pay a ransom to regain access to the encrypted files.
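The delivery stage described above (a ZIP attachment carrying an executable dressed up as a PDF) can be screened for at a mail gateway. The following is an added example, not code from the original article: the extension lists, the double-extension heuristic, and the function names `scan_zip` and `build_sample_zip` are assumptions made for illustration, and the sample archive is constructed from harmless stub bytes.

```python
import io
import zipfile

# Illustrative lists (assumptions, not taken from the article).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg"}


def _extensions(name):
    """Return the last two lowercase extensions of a file name, e.g. ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    # Strip each part so space padding before the real extension does not hide it.
    return ["." + part.strip() for part in base.split(".")[1:]][-2:]


def scan_zip(data):
    """Return (entry name, reason) pairs for suspicious members of a ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"  # DOS/PE header magic bytes
            if len(exts) == 2 and exts[0] in DECOY_EXTS and exts[1] in EXECUTABLE_EXTS:
                findings.append((info.filename, "double extension"))
            elif is_pe and exts and exts[-1] in DECOY_EXTS:
                findings.append((info.filename, "PE content under document name"))
            elif is_pe or (exts and exts[-1] in EXECUTABLE_EXTS):
                findings.append((info.filename, "executable in attachment"))
    return findings


def build_sample_zip():
    """Constructed sample attachment: stub bytes only, no real executable code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2013.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Please see attached invoice.")
        zf.writestr("report.pdf", b"%PDF-1.4\n")
        zf.writestr("scan.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```

Password-protected archives cannot be inspected this way; `zf.open` raises `RuntimeError` for encrypted members, which a gateway would normally treat as its own reason to quarantine.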

History of Cryptolocker

The initial Cryptolocker ransomware attacks occurred between September 2013 and May 2014. Since the initial attacks, several distinct versions of Cryptolocker have been identified, in addition to a slew of copycats.

By early November 2013, reports indicated that Cryptolocker ransomware had successfully infected approximately 34,000 systems. Estimates suggest that the combined attacks resulted in upwards of $27 million in ransoms paid.

On June 2nd, 2014, the U.S. Department of Justice announced that it had been able to disrupt Cryptolocker after seizing its remote servers. Furthermore, it identified Evgeniy Bogachev as the man allegedly responsible for both the Cryptolocker ransomware and the Gameover Zeus botnet. Bogachev remains at large and is currently wanted by the FBI.
