Cryptolocker examples and variants
The messages generally consist of language similar to this:
“Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server”
Here is an example of an actual ransomware message:
“Private key will be destroyed on: specified date”
“Your important files were encrypted on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.”
“Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.”
“The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the internet; the server will destroy the key after a time specified in this window. After that nobody and never will be able to restore files…”
“To obtain the private key for this computer, which will automatically decrypt files, you need to pay 300 USD / 300 EUR / similar amount in another currency.”
The Original form
Cryptolocker (a trojan) has been around for roughly three years now, entering the user’s system via an infected email attachment. It quickly scans the computer and any mapped network drives, encrypting important business data and files.
The malware then displays a message stating that, to regain access to all your data, you must pay the ransom, generally $300 to $400, usually through an online currency such as bitcoin.
There are claims that paying the ransom is the only way to get your files back if you did not have an offline or offsite data backup in place. However, there are also claims from victims that paying the ransom did not successfully decrypt all of their business data and files.
The good news is that the international community joined forces to create a team of law enforcement agencies, tech firms, and cybersecurity experts, and caught the bad guys in 2014 in what is known as Operation Tovar.
Luckily, security firms also intercepted a copy of the database used in the attacks. This helped them gain a better understanding of the true magnitude of the attacks and also allowed them to create keys to help users decrypt their files, offered through a site called Decrypt Cryptolocker. However, it was possible that not all Cryptolocked files could be decrypted, including files encrypted by other ransomware variants. The site providing the keys is no longer active because that version of Cryptolocker ransomware does not exist anymore. New, improved versions of ransomware, however, are being discovered on a consistent basis.
The current form of Ransomware as described by the US-CERT and Homeland Security
Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.
Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access to an organization’s network. [reference]
Other types of messages displayed by Ransomware
- “Your computer has been infected with a virus. Click here to resolve the issue.”
- “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
- “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”