It’s not just hard disk crashes and human error that cause data loss. Some malicious programs do the job just as well. A January 2014 internet security report put the number of Windows computers infected by a virulent form of ransomware known as Cryptolocker at about a quarter of a million. Once on a system, Cryptolocker encrypts files on the hard drive with a very strong encryption key and then displays a message demanding a ransom payment in return for the decryption key. There is a time limit too – shown as a clock that counts down.
Ransomware has existed previously, but Cryptolocker is particularly problematic because of the way it makes files inaccessible. Instead of a home-grown cryptographic implementation of the kind many other malware families use (and which analysts can often break), Cryptolocker uses the standard, well-vetted cryptography offered by Microsoft’s CryptoAPI. With a sound implementation and sensible key management there is no implementation weakness to exploit, so the encryption cannot simply be circumvented.
Cryptolocker is a trojan that attacks Windows machines and was first seen in late 2013. It finds its way onto systems by several methods, most commonly via an innocent-looking email that persuades the reader to open a disguised attachment, which installs the trojan.
As Cryptolocker was a completely new threat when first launched, malware detection programs were not able to spot it: signature-based scanners only recognise threats that have already been discovered and catalogued. Although Cryptolocker is now detected by anti-malware and antivirus programs, its authors frequently update and repackage their code to evade detection, a tactic that has proved successful across a number of releases.
Cryptolocker encrypts with a 1024-bit key (the figure reported at the time). This is not a password that anyone chose and that could be guessed: it is an asymmetric key pair, where the public half is used to encrypt on the victim’s machine and the private half stays with the attackers. The idea of a brute force program (one that continually tries different permutations in order to crack a password) does not apply here, and the often-quoted rate of tens of thousands of attempts per day is beside the point: the key space is 2^1024, and the realistic attack on a key of that size, factoring it, is beyond any publicly known capability. In practical terms the encryption is unbreakable.
Alternatively the ransom can be paid in return for the decryption key, allowing the encrypted files to be decrypted. Cryptolocker ransoms are paid in Bitcoin – a then-new internet currency that is pseudonymous rather than untraceable; its public transaction ledger is precisely what allowed an attempt in December 2013 to discover how much Cryptolocker had earned its creators. It was estimated that between October 15th and December 18th 2013 (i.e. just over two months), almost 42,000 transactions had taken place with a total value of USD $27M.
If your system has been infected with Cryptolocker and you have important files that need decrypting, the options are: pay the ransom, although there is no guarantee you’ll receive the decryption key; restore the files from a backup that was offline or otherwise out of the malware’s reach; or accept that the data is gone. Cracking the key is not a realistic option. There’s little point contacting a data recovery company either, as they face the same problem you do and would need the decryption key to access your data. That key is never stored on the infected PC, which is the whole point of the design.
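The following is an added illustration, written for this page and not taken from Cryptolocker or from any analysis of it, of the public-key pattern the article describes: encryption on the victim’s machine needs only the attacker’s public key, a fresh symmetric key is generated per file and wrapped under that public key, and the private key that unwraps it never touches the infected PC. The choice of RSA-OAEP to wrap the file key, AES-GCM for the file contents, the 2048-bit key size, and the sample document are all this example’s own assumptions; the real malware’s exact primitives and parameters are not reproduced here. Everything runs in memory on a constructed sample; nothing is written to disk.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// WrappedFile is everything a hybrid scheme of this shape leaves on the
// victim's disk: the AES ciphertext plus the per-file AES key wrapped under
// the attacker's RSA public key. The RSA private key is never present.
type WrappedFile struct {
	WrappedKey []byte // RSA-OAEP(attackerPublicKey, fileKey)
	Nonce      []byte // AES-GCM nonce, unique per file
	Ciphertext []byte // AES-GCM(fileKey, plaintext)
}

// EncryptFile needs only the public half of the attacker's key pair, which is
// why encryption can run on the victim's machine without ever exposing the
// secret required to reverse it.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*WrappedFile, error) {
	fileKey := make([]byte, 32) // fresh AES-256 key for this file only
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Wrap the file key so that only the RSA private-key holder can recover it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &WrappedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptFile is the step only the private-key holder can perform: unwrap the
// file key with RSA, then open the AES-GCM ciphertext with it.
func DecryptFile(priv *rsa.PrivateKey, wf *WrappedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, wf.Nonce, wf.Ciphertext, nil)
}

// RunDemo generates a 2048-bit "attacker" key pair (the size is this example's
// choice), encrypts a constructed sample document with the public half, then
// checks two things: the private key recovers the plaintext, and an unrelated
// key pair of the same size (standing in for a guess) is rejected.
func RunDemo() (recovered bool, wrongKeyRejected bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	sample := []byte("Q4 accounts - constructed sample document, not real data")
	wf, err := EncryptFile(&attacker.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	pt, err := DecryptFile(attacker, wf)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(pt, sample)

	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return recovered, false, err
	}
	_, err = DecryptFile(other, wf) // wrong private key: OAEP unwrap fails
	wrongKeyRejected = err != nil
	return recovered, wrongKeyRejected, nil
}

func main() {
	recovered, rejected, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("private key recovers plaintext: %v; unrelated key rejected: %v\n", recovered, rejected)
}
```

The point of the layout is that the victim-side artifacts (the public key, the wrapped file key and the ciphertext) are useless on their own: a data recovery specialist holding all three is in exactly the same position as the victim. It is also why offline backups, not cryptanalysis, are the practical defence.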