Cryptolocker Ransomware: What You Need To Know

Below is a rehash of an article posted by Grinler from Bleeping Computer:

This post is designed to be a repository of all current knowledge regarding the CryptoLocker infection. A link to this post will be added to the first post of this topic so that new visitors do not have to read the entire topic to get all of the current information.

How did you become infected by CryptoLocker?

CryptoLocker currently has three infection vectors:
  • This infection was originally spread via emails sent to company email addresses that pretended to be customer-support-related issues from FedEx, UPS, DHS, etc. These emails contained an attachment that, when opened, would infect the computer.
  • Via exploit kits located on hacked web sites that exploit vulnerabilities on your computer to install the infection.
  • Through Trojans that pretend to be programs required to view online videos. These are typically encountered through porn sites.

What happens when you become infected with CryptoLocker?

Once the infection is active on your computer it will scan your drives (local and network) and encrypt the following types of files with a mix of RSA and AES encryption: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
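As an added example that is not part of the original article, the following Python script turns the pattern list above into a matcher and runs it over a constructed directory listing, so you can see which files on a machine or share would have been targeted and therefore which ones to verify in backups first. The pattern list is copied from the article; the sample paths are made up for the example.

```python
import fnmatch

# Target patterns exactly as listed in the article. '*' matches any run of
# characters and '?' exactly one, so '????????.jpg' only hits JPEGs with an
# eight-character base name (e.g. DSC_0001.jpg), not every .jpg file.
TARGET_PATTERNS = """
*.odt *.ods *.odp *.odm *.odc *.odb *.doc *.docx *.docm *.wps *.xls *.xlsx
*.xlsm *.xlsb *.xlk *.ppt *.pptx *.pptm *.mdb *.accdb *.pst *.dwg *.dxf *.dxg
*.wpd *.rtf *.wb2 *.mdf *.dbf *.psd *.pdd *.eps *.ai *.indd *.cdr
????????.jpg ????????.jpe img_*.jpg *.dng *.3fr *.arw *.srf *.sr2 *.bay
*.crw *.cr2 *.dcr *.kdc *.erf *.mef *.mrw *.nef *.nrw *.orf *.raf *.raw
*.rwl *.rw2 *.r3d *.ptx *.pef *.srw *.x3f *.der *.cer *.crt *.pem *.pfx
*.p12 *.p7b *.p7c
""".split()


def matching_patterns(filename):
    """Return every pattern that matches a bare file name (case-insensitive,
    as on NTFS). Call this on the base name only: fnmatch's '*' would happily
    match across path separators if handed a full path."""
    name = filename.lower()
    return [p for p in TARGET_PATTERNS if fnmatch.fnmatchcase(name, p.lower())]


def basename(path):
    """Last component of a Windows drive or UNC path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(paths):
    """Split full paths into (targeted, not_targeted) by their base name."""
    targeted, not_targeted = [], []
    for path in paths:
        (targeted if matching_patterns(basename(path)) else not_targeted).append(path)
    return targeted, not_targeted


# Constructed sample listing: a local profile plus a mapped share.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.XLSX",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\DSC_0001.jpg",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Pictures\img_0042.JPG",
    r"\\fileserver\shared\contracts\lease.pdf",
    r"\\fileserver\shared\certs\server.pfx",
]

if __name__ == "__main__":
    targeted, skipped = triage(SAMPLE_LISTING)
    for path in targeted:
        print("TARGETED", path, matching_patterns(basename(path)))
    for path in skipped:
        print("skipped ", path)
```

Note that holiday.jpg and lease.pdf fall outside the list: a seven-character JPEG name does not satisfy ????????.jpg, and PDF is not among the extensions the article gives. That is worth knowing before assuming every document on a share was hit.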

For each file that is encrypted, a resulting registry value will be created under this key: HKCU\Software\CryptoLocker\Files

After a while, typically as long as it takes to encrypt the detected data files, you will be shown a screen titled CryptoLocker that contains a ransom note on how to decrypt your files. Depending on the version of CryptoLocker that is installed, the ransom may be for $100 or $300 USD/EUR. This payment can be made via Bitcoin, MoneyPak, Ukash, or cashU. You will also be shown a countdown that states that you need to pay the ransom within 72 hours. Failure to do so will cause the decryption tool to be deleted from your computer.

More detailed information about what this infection does when run can be found in this post by Fabian Wosar of Emsisoft.

Are there any tools that can be used to decrypt your files?

Unfortunately, at this time there is no way to retrieve the key used to encrypt your files. Brute-forcing the encryption key is realistically not possible due to the length of time required to break the key. Any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup, or, if you have System Restore, through the Shadow Volume Copies that are created every time a system restore is performed. More information about how to restore your files via Shadow Volume Copies can be found in the next section.

If you do not have System Restore enabled on your computer or reliable backups, then you will need to pay the ransom in order to get your files back. Please note that there have been cases where people have paid the ransom and the decryption did not work for whatever reason. Furthermore, if you do not pay the ransom within the allotted time, the CryptoLocker decryption tool will be removed from your system, making it much more difficult, if not impossible, to restore your files.

How to generate a list of files that have been encrypted

If you wish to generate a list of files that have been encrypted, you can download this tool:

When you run this tool it will generate a log file that contains a list of all encrypted files. Once it has completed it will automatically open this log in Notepad.

How to restore your encrypted files from Shadow Volume Copies

If System Restore is enabled on your computer, then it is possible to restore previous versions of the encrypted files. Though these previous versions will not be encrypted, they may also not be the latest version of the file. Please note that Shadow Volume Copies, and thus Previous Versions, are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.

To restore individual files you can right-click on the file and select the Previous Versions tab. This tab will list all copies of this file that have been stored in a Shadow Volume Copy. You can then select an earlier version and restore it.

Due to the number of files encrypted by CryptoLocker, restoring them one by one can be a time-consuming and arduous task. Instead you can use a program called Shadow Explorer to restore entire folders at once. When downloading the program, you can use either the full install download or the portable version, as both provide the same functionality.

When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.


To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.

Information about other malware that is being installed with CryptoLocker

When CryptoLocker was first released, it was being distributed by itself. Newer malware attachments appear to be droppers that install other malware as well. The most common malware that is being distributed with CryptoLocker appears to be Zbot. You will know you are infected with Zbot as there will be a registry key of the form:

Under these keys you will see value names and their data, which at first appears to be garbage (it is encrypted information). The droppers will also be found in the %Temp% folder, and the main executable will be stored in a randomly named folder under %AppData%. Last but not least, a startup entry will be created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to launch it.
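The Python script below is an added example, not the tool the article links to and not Bleeping Computer's code. It parses a .reg export (regedit's File > Export) and produces two things this page talks about: the list of files recorded under HKCU\Software\CryptoLocker\Files, and any Run entries that launch from a roaming-profile or temp folder, which is where the article says the dropper and Zbot live. It assumes, because the page does not say, that the value names under \Files are the encrypted file paths with each backslash replaced by a question mark; the export text, user name and Run entry names are constructed for the example.

```python
import re

FILES_KEY = r"HKEY_CURRENT_USER\Software\CryptoLocker\Files"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Folders the article names as launch points: %AppData% (Vista+ and XP
# spellings) and %Temp% (Vista+ and XP spellings).
SUSPECT_DIRS = re.compile(
    r"\\appdata\\roaming\\|\\application data\\|"
    r"\\appdata\\local\\temp\\|\\local settings\\temp\\",
    re.IGNORECASE,
)

# "name"=data  (the name may contain escaped quotes or backslashes)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes \"."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a .reg export. String data
    is unescaped; other types (dword:, hex:) are kept as raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][_unescape(name)] = data
    return keys


def encrypted_files(keys):
    """Value names under \\Files mapped back to paths. ASSUMPTION: each
    backslash was stored as '?' (a character no NTFS file name can contain,
    so the reverse mapping is unambiguous)."""
    return sorted(name.replace("?", "\\") for name in keys.get(FILES_KEY, {}))


def _exe_from_command(cmd):
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def suspicious_run_entries(keys):
    """(value name, exe path) for Run entries launching from a suspect folder."""
    hits = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        exe = _exe_from_command(cmd)
        if SUSPECT_DIRS.search(exe):
            hits.append((name, exe))
    return hits


# Constructed export: three recorded files and two Run entries, one benign.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:?Users?alice?Documents?budget.xlsx"=dword:00000000
"C:?Users?alice?Pictures?DSC_0001.jpg"=dword:00000000
"??fileserver?shared?certs?server.pfx"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Sxfqwpvm"="\"C:\\Users\\alice\\AppData\\Roaming\\Ahdow\\ezvep.exe\""
'''

if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    print("Encrypted files recorded by CryptoLocker:")
    for path in encrypted_files(keys):
        print("  ", path)
    print("Run entries launching from %AppData%/%Temp%:")
    for name, exe in suspicious_run_entries(keys):
        print("  ", name, "->", exe)
```

To use it on a real machine, export the two keys with regedit and feed the file's text to parse_reg; the encrypted-file list doubles as the input for the Shadow Volume Copy restore described above.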

How to block this infection from running on other computers on your network

You can use Software Restriction Policies to block executables from running when they are located in the %AppData% folder, or any other folder that this thing launches from. See these articles from MS:

This can also be set up in Group Policy :)

File paths of the infection are:

C:\Users\User\AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe (Vista/7/8)
C:\Documents and Settings\User\Application Data\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe

So the path rule you want to set up is:

Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData.

With the bundling of Zbot with CryptoLocker, it is now also recommended that you create a rule to block executables running from a subfolder of %AppData%. This can be done with this path rule:

Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from immediate subfolders of AppData.
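As an added example, not from the article or from Microsoft, the Python script below evaluates the two path rules above against a handful of constructed executable paths, including the infection path quoted earlier. It assumes, as the article's need for a second rule implies, that '*' in an SRP path rule matches within a single path component and does not cross a backslash; the %AppData% expansion is also constructed.

```python
import re

# Constructed: what %AppData% expands to in a Vista/7/8 profile.
ENV = {"%AppData%": r"C:\Users\User\AppData\Roaming"}

# The two rules quoted in the article; both have Security Level: Disallowed.
RULES = [
    (r"%AppData%\*.exe", "Don't allow executables from AppData."),
    (r"%AppData%\*\*.exe", "Don't allow executables from immediate subfolders of AppData."),
]


def rule_to_regex(rule):
    """Expand environment variables and turn the SRP wildcards into a regex.
    ASSUMPTION (drawn from the page): '*' and '?' stay within one path
    component, i.e. they never match a backslash."""
    for var, value in ENV.items():
        rule = rule.replace(var, value)
    parts = []
    for ch in rule:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def blocking_rule(path):
    """Description of the first rule that disallows `path`, or None if no
    rule matches (the executable would be allowed to run)."""
    for rule, description in RULES:
        if rule_to_regex(rule).match(path):
            return description
    return None


# Constructed test paths; the first is the infection path from the article.
CASES = [
    r"C:\Users\User\AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe",
    r"C:\Users\User\AppData\Roaming\Ahdow\ezvep.exe",
    r"C:\Users\User\AppData\Roaming\a\b\c.exe",
    r"C:\Users\User\AppData\Local\Temp\dropper.exe",
    r"C:\Program Files\App\app.exe",
]

if __name__ == "__main__":
    for path in CASES:
        print(blocking_rule(path) or "ALLOWED", "<-", path)
```

The third and fourth cases are caught by neither rule: an executable two folders below %AppData%, and one under %Temp%, are outside both patterns. That is the gap the second rule narrows but does not close, so confirm coverage from the blocked-execution event log rather than assuming it.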

You can see an alert and event log showing an executable being blocked: