Threat Alert: Cryptolocker

Cryptolocker Eats Your Files!

A new trojan, called Cryptolocker, has been spreading across the Internet by several routes: malicious email attachments, infected web pages, and infected file downloads. The damage can be extensive: the trojan encrypts your data files, both on your hard drive and on any drive your computer can reach, so that you can no longer open them unless you pay a “ransom” of $100-300 to an unknown party.


What Happens to Your Data:

Cryptolocker encrypts all the files it can find that match a list of extensions, covering file types such as Word, Excel, and many more. Additionally, Cryptolocker will encrypt these files on your hard drive and on all external drives to which you have access – whether plugged into your local computer, available on the network, or even a thumb drive in a USB port.

Once Cryptolocker has infected your machine, a banner like the one below may be displayed:



What This Means for Users:

If you see the popup window demanding payment, your files are already encrypted. The window says you can pay the “ransom” to get your files back, but users who have been desperate enough to pay report that they never received a key to recover their files. Immediately disconnect your computer from the network and the Internet or turn it off, and contact your ITS representative. Without the attacker’s private key there is no way to decrypt the data, and paying the ransom does not reliably get you that key; the only dependable way to get your files back is to restore them from a backup that the trojan could not reach.


How to Prevent This from Happening to You:


How It Works:

CryptoLocker uses public key (asymmetric) encryption to lock the files on your hard drive.


The image above, from Loyola University in Chicago, shows how public key encryption works: a public key is used to encrypt the data, and a separate private, secret key is needed to decrypt it. The trojan carries only the attacker’s public key, so it can encrypt your files, and only the attacker’s private key, which they want you to pay for, can decrypt them. The private key never has to be on your computer, which is why nothing on the infected machine can undo the encryption. The trojan then starts a countdown, usually 72 hours, in which to “buy” your data back before the private key is destroyed. By the time the countdown appears, however, the files are already encrypted, so it is too late to prevent the damage.
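As an added example (not part of the original alert and not CryptoLocker’s own code), the following Python shows the asymmetry described in the two paragraphs above using textbook RSA with two fixed toy primes: whoever holds the public key can encrypt, but only the holder of the private key can decrypt, and applying the public key a second time does not undo the encryption. The function names, the primes and the sample file name are constructed for illustration; the key size is far too small to be secure.

```python
# Added illustration of public key encryption (constructed example; not the
# alert's or CryptoLocker's code). Textbook RSA on a short message.
import math

# Two Mersenne primes, 2^61-1 and 2^89-1, small enough to read and large
# enough to hold a 16-byte message. Real RSA uses two random ~1024-bit
# primes; these toy values offer no security at all.
TOY_P = (1 << 61) - 1
TOY_Q = (1 << 89) - 1
PUBLIC_EXPONENT = 65537


def generate_keypair(p=TOY_P, q=TOY_Q, e=PUBLIC_EXPONENT):
    """Return ((n, e), (n, d)).

    In the ransomware scenario the attacker generates this pair, keeps
    (n, d) to themselves, and embeds only (n, e) in the trojan.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("public exponent is not invertible modulo phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, plaintext: bytes) -> int:
    """Victim-side step: anyone with the public key can do this."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int, length: int) -> bytes:
    """Attacker-side step: needs d, which never leaves the attacker."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes(length, "big")


def public_key_alone_recovers(public_key, ciphertext: int, plaintext: bytes) -> bool:
    """Everything the infected machine holds is (n, e) and the ciphertext.

    Re-applying the public exponent is not an inverse operation; it just
    scrambles the value further, so this returns False for real messages.
    """
    n, e = public_key
    return pow(ciphertext, e, n) == int.from_bytes(plaintext, "big")


def demo():
    """Walk through the scenario and return the intermediate values."""
    public_key, private_key = generate_keypair()
    # Constructed 16-byte stand-in for a file's contents.
    original = b"budget-2013.xlsx"
    ciphertext = encrypt(public_key, original)
    return {
        "original": original,
        "ciphertext": ciphertext,
        "with_private_key": decrypt(private_key, ciphertext, len(original)),
        "with_public_key_only": public_key_alone_recovers(public_key, ciphertext, original),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Real ransomware, like any real use of RSA, does not encrypt file contents directly with the public key; it encrypts each file with a fast symmetric cipher and uses the public key only to wrap that file’s symmetric key. The one-way property is the same either way: the wrapped key, and therefore the file, is unrecoverable without the private half that only the attacker holds. This toy encrypts the 16-byte message directly so the arithmetic stays visible.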