The cyber-extortionists behind the Cryptolocker “ransomware”, which encrypts users’ files and refuses to decrypt them without payment, have extended their deadline for affected PC users.
Cryptolocker uses 256-bit Advanced Encryption Standard (AES) encryption to scramble important files, such as Microsoft Word documents and AutoCAD files.
After having done so, it alerts users and demands payment in return for the decryption key which, the malware promises, is held on a secure server.
The Cryptolocker ransomware first started affecting users – predominantly in the UK and US – in mid-September. It targets Windows-based PCs, and is propagated as an innocuous-looking email attachment with an apparent .pdf file extension, but which is, in fact, an executable.
This file then downloads and runs the ransomware, which makes changes to the PC’s registry to ensure that it is run automatically at boot-up. Next, it tries to connect to its “command and control” server, sending out information about the system when it does so and receiving in return the encryption key used to encrypt the documents.
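A check for the disguise described above (an attachment that looks like a .pdf but is really an executable), as an added example that is not from the article or from any vendor. The file names and bytes are constructed samples, and the set of extensions and magic values is an assumption of this example, not a detail reported in the article.

```python
"""Flag attachments whose visible name says "document" but whose content or
full name says "Windows executable".  Constructed samples, not real artefacts."""
import os

# Leading bytes of common document formats (assumed set for this example).
DOCUMENT_MAGIC = {
    ".pdf": b"%PDF-",
    ".doc": b"\xd0\xcf\x11\xe0",   # OLE2 compound file (legacy Office)
    ".docx": b"PK\x03\x04",         # OOXML documents are ZIP containers
}
PE_MAGIC = b"MZ"                    # DOS/PE header of a Windows executable
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons this attachment looks like a disguised executable.
    An empty list means nothing suspicious was found."""
    reasons = []
    stem, ext = os.path.splitext(filename.lower())
    _, inner_ext = os.path.splitext(stem)

    # 1. Double extension such as "invoice.pdf.exe": Windows hides the last
    #    extension by default, so the user only sees "invoice.pdf".
    if ext in EXECUTABLE_EXTENSIONS and inner_ext in DOCUMENT_MAGIC:
        reasons.append(f"double extension {inner_ext}{ext}")

    # 2. Name claims a document type but the bytes do not match it.
    if ext in DOCUMENT_MAGIC:
        if data.startswith(PE_MAGIC):
            reasons.append(f"{ext} name but PE (MZ) header")
        elif not data.startswith(DOCUMENT_MAGIC[ext]):
            reasons.append(f"{ext} name but unrecognised content")

    # 3. A PE file hiding under some other non-executable name (or no name).
    if (data.startswith(PE_MAGIC) and ext not in DOCUMENT_MAGIC
            and ext not in EXECUTABLE_EXTENSIONS):
        reasons.append("PE (MZ) header under non-executable name")
    return reasons

# Constructed samples: one genuine PDF and two disguised executables.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%constructed sample\n",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "scan.pdf": b"MZ\x90\x00" + b"\x00" * 60,
}

def scan_samples() -> dict[str, list[str]]:
    return {name: inspect_attachment(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(f"{name}: {'OK' if not reasons else '; '.join(reasons)}")
```

A mail gateway or endpoint agent would run the same content-versus-name comparison before the user ever double-clicks the attachment.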
Hapless users are then presented with the ransom note, which includes the following message:
“The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window.
After that, nobody and never will be able to restore files.”
The malware typically gives users 72 hours to pay up or kiss their files goodbye.
“Sophos Labs has received a large number of scrambled documents via the Sophos sample submission system.
These have come from people who are keenly hoping that there’s a flaw in the CryptoLocker encryption, and that we can help them get their files back. But as far as we can see, there’s no backdoor or shortcut: what the public key has scrambled, only the private key can unscramble,” warns the Sophos-run security website Naked Security.
Recently, though, the scammers have given non-payers a second chance – if they pay up 10 Bitcoins, which are currently worth around £1,380.
Cryptolocker is not the first malware of its type.
The first known example was the “AIDS Trojan” written by Joseph Popp in 1989, which claimed that the licence to a particular item of software had expired and demanded $189 to unlock the PC.
The particularly malicious nature of the Cryptolocker cyber-extortion racket highlights the need for regular backups – as well as the need to run up-to-date anti-virus software and use common sense before opening emailed files.