Ransomware isn’t a new phenomenon. The emergence of these malicious programs coincides almost exactly with the decline of rogue antiviruses, once the most aggressive cluster of digital threats, which tried to intimidate victims into buying a purported security tool that in fact only mimicked the removal of malware. It’s still not clear whether fake AVs faded away because of law enforcement efforts or because users grew security-aware enough to tell the wheat from the chaff on their computers, but this niche in the digital threat landscape couldn’t stay vacant for long. Ransomware applications like CryptoLocker appear to have filled the vacuum and are now reaching their peak.
Here is a brief outline of the workflow followed by all ransom viruses out there: they find and encrypt the victim’s personal files stored on the infected machine and then offer a decryption tool in exchange for a certain amount of money. The specific sample mentioned above tends to contaminate Windows-based PCs via social engineering tricks. People receive an email titled something like “Payroll reports”, a phrase that can potentially be of interest to many. When the Excel or PDF attachment to this or a similar message is opened, it executes a payload that installs the CryptoLocker virus in the background, so the user has no idea something bad is happening.
The infection configures the operating system to add its executable to the list of startup entries and scans the hard drive for more than a hundred different file extensions. Strong AES encryption is then applied to every detected item, which makes the files inaccessible in the regular way. Each file gets the “.encrypted” extension appended to its name, which is how the compromised files can be identified. CryptoLocker then displays a warning screen insisting that the victim submit a ransom payment in Bitcoins before the decryption software is made available. What’s interesting is how the warning message is worded in the latest version of the ransomware: it says “We have encrypted your files,” whereas the previous variant stated “Your personal files are encrypted.” This difference in wording, with pronouns like “we” and “us” in place of the passive voice, might seem insignificant at first sight, but it is believed to hint at a boost to the criminals’ self-esteem.
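A defender-side triage script for the behaviour described above, added here as an example and not part of the original article: it walks a directory, flags files carrying the “.encrypted” suffix the ransomware appends, and uses byte entropy to tell whether the content is consistent with AES ciphertext (the 7.5 bits/byte threshold and the 4 KiB sample size are assumptions of this example, not values from the article).

```python
"""Triage helper: find files renamed with the ".encrypted" suffix and check
whether their leading bytes look like ciphertext (high entropy)."""
import math
import os
from collections import Counter
from typing import Dict, Iterable, List, Tuple

SUFFIX = ".encrypted"      # extension the article says CryptoLocker appends
ENTROPY_THRESHOLD = 7.5    # bits/byte (assumed); AES ciphertext sits near 8.0
SAMPLE_BYTES = 4096        # leading bytes read per file (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(files: Iterable[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Classify (path, leading bytes) pairs.

    renamed - carries the .encrypted suffix (name-level indicator)
    opaque  - suffix plus high entropy: content consistent with ciphertext
    unusual - suffix but low entropy: renamed yet still readable, worth a look
    """
    report: Dict[str, List[str]] = {"renamed": [], "opaque": [], "unusual": []}
    for path, head in files:
        if not path.lower().endswith(SUFFIX):
            continue
        report["renamed"].append(path)
        bucket = "opaque" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "unusual"
        report[bucket].append(path)
    return report


def walk(root: str) -> Iterable[Tuple[str, bytes]]:
    """Yield (path, first SAMPLE_BYTES bytes) for every readable file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    yield path, fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable or vanished file: skip, don't abort the scan


if __name__ == "__main__":
    import json, sys
    print(json.dumps(triage(walk(sys.argv[1] if len(sys.argv) > 1 else ".")), indent=2))
```

Run it against a backup mount or a copied user profile rather than the live disk; the “unusual” bucket catches files that were renamed but whose content is still plaintext, which can happen when the encryption run was interrupted.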
Unless the ransom of approximately 500 USD is paid within three days, the amount goes up. Unfortunately, no security software vendor can currently guarantee complete file recovery without paying the scammers. Following the proverb “prevention is better than cure”, it’s strongly advised to avoid opening suspicious email attachments, to keep critical software such as PDF readers and Java patched on time, and to perform regular data backups. In the meantime, users who are already infected should try a number of workarounds based on shadow copies of files and the use of reliable data recovery apps.