CryptoLocker: 7 Months Later.


It’s been 7 months since the discovery of CryptoLocker, a type of ransomware that encrypts files with 2048-bit RSA keys. This gliph will not be a rehash of what I said before, but here is a brief summary in the form of a timeline.

On the 12th of September, I got an email from someone asking me for help removing a piece of ransomware calling itself “CryptoLocker”.

At the time I knew nothing about CryptoLocker, so I connected to the victim’s computer so I could get a closer look.

By looking at the files CryptoLocker encrypted and attempting decryption, I found that, with current technology, it would be impossible to decrypt the encrypted files without the private key. CryptoLocker was holding this key for ransom.

One day later, I published a removal guide for CryptoLocker after looking at it on one of my virtual machines. This helped with removal, but removal was, and still is, of little use on its own, as the files remain encrypted.

Later on in the day, I published a gliph containing more information such as how CryptoLocker infected computers and a possible way to restore the encrypted files from previous versions.

On September 15th, I published some gliphs rehashing some key facts.

There was nothing more to report until October 24th, when a utility was made that set up software restriction policies that blocked CryptoLocker. At the time, this was the only real method of stopping CryptoLocker before the infection and subsequent file encryption occurred.

On October 30th, I recapped CryptoLocker, jokingly questioning where the mainstream media had been, since news of CryptoLocker had only just hit the mainstream.

On November 3rd, I published a gliph talking about two changes to CryptoLocker. These changes included a late payment option for those forced to pay the ransom, and information that some newer variants seemed to delete Shadow Copies of files.

This showed that the author or authors of CryptoLocker were watching discussions regarding it and perhaps were even watching my blog.

On November 6th, I published about a new way to stop CryptoLocker before it encrypted your files. I also expressed my hope that the infections would end soon, with the mainstream media and the anti-malware community both on high alert.

On November 12th, I published news that zip files containing CryptoLocker in emails were now password protected in order to better deceive someone into believing that the email was real. This was further evidence that the author(s) of CryptoLocker were paying attention to people talking about it.

On November 19th, I published about the apparent shift in CryptoLocker’s main target, from the United States of America to the United Kingdom.

When the author(s) of CryptoLocker are found, I hope that some of the info I have helped bring to light will be remembered.

Until then, I am content to retrace my steps, and I am happy with the knowledge that I have helped people out there.