Be Aware of CryptoLocker

By Luke Orellana
Virtual Systems Administrator
Trivalent Group, Inc.

Ransomware has been on the rise for the last few years, and its most notorious variant is known as “CryptoLocker.” It first appeared in September 2013 and has since brought companies to their knees by encrypting their data and holding it for “ransom.” In June 2014, the U.S. Department of Justice announced that the botnet distributing CryptoLocker had been disrupted and its distribution halted. However, the success of the malware spawned numerous copycats, making it ever more important for employees and business owners to be aware of what CryptoLocker is and how it works.

How CryptoLocker Works

CryptoLocker typically arrives in a fake email that claims to come from a legitimate company, such as a fax service, postal service, hotel, or airline. The email carries a hyperlink or a ZIP attachment containing an executable with a PDF icon and a double extension such as invoice.pdf.exe; because Windows hides known file extensions by default, the file looks like a PDF. When the user opens it, the malware encrypts document files on the local hard drive and on every mapped network drive the user can write to.

The malware then displays a message informing the user that their files have been encrypted and that they must pay a certain amount of money, within a deadline, to obtain the decryption key. That key is held only by the attackers, which is why removing the malware does not unlock the files.

The best way to recover from the attack is to disconnect the infected computer from the network immediately (so it stops encrypting shares), reformat it, and restore all files from backup. If no backups are available, then the only way to retrieve the files is to either pay the ransom or try decrypting them using a website like

What Can Be Done to Minimize an Attack?

As a business owner or manager, it is critical to take proactive measures to reduce the chances of infection.  There are several steps that can be taken to either lower the risk of being infected or minimize the impact:

User training on CryptoLocker
Since email is the most common method of delivery, training is one of the cheapest controls and can go a long way. Teach users how to spot fake emails and attachments: an unexpected “fax” or “shipping notice,” a sender address that does not match the company it claims to be from, a hyperlink whose real destination (shown when hovering over it) differs from its text, and an attachment whose real extension is hidden. Even the best spam filter in the world is not going to block email scams 100% of the time, so users must be able to recognise the ones that get through.
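The “attachment disguised as a PDF” trick described above relies on Windows hiding the real extension. The following PowerShell script is an added example, not part of the original article: it turns off Explorer’s “hide extensions for known file types” for the current user and scans a folder for attachments that are executables dressed up as documents (double extensions, a right-to-left-override character hiding the real extension, or a file with a document extension whose content starts with the “MZ” header of a Windows executable). The Downloads folder is an assumed default; point it at wherever the mail client saves attachments.

```powershell
# Added example (not the article's code). Flags executables disguised as documents and
# makes real file extensions visible again for the current user.

$ExecutableExt = 'exe','scr','com','pif','bat','cmd','js','jse','vbs','vbe','wsf','hta','cpl'
$DocumentExt   = 'pdf','doc','docx','xls','xlsx','ppt','pptx','rtf','txt','jpg','jpeg','png'

function Test-SuspiciousAttachment {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    $reasons = @()
    $name    = $File.Name
    $docAlt  = $DocumentExt   -join '|'
    $exeAlt  = $ExecutableExt -join '|'

    # 1. Double extension: invoice.pdf.exe, scan.jpg.scr, ... (-match is case-insensitive)
    if ($name -match "\.($docAlt)\.($exeAlt)$") {
        $reasons += 'document extension followed by an executable extension'
    }

    # 2. Unicode RIGHT-TO-LEFT OVERRIDE (U+202E): "report" + RLO + "fdp.exe" is displayed
    #    as "reportexe.pdf" while the file is really report<RLO>fdp.exe
    if ($name.IndexOf([char]0x202E) -ge 0) {
        $reasons += 'right-to-left override character in file name'
    }

    # 3. Content check: a file that ends in a document extension but begins with the
    #    "MZ" header of a Windows executable is an executable, whatever it is called.
    $last = $File.Extension.TrimStart('.').ToLower()
    if (($DocumentExt -contains $last) -and $File.Length -ge 2) {
        $hdr = New-Object byte[] 2
        $fs  = $File.OpenRead()
        try { [void]$fs.Read($hdr, 0, 2) } finally { $fs.Close() }
        if ($hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A) {
            $reasons += 'MZ executable header inside a "document"'
        }
    }
    return $reasons
}

function Find-SuspiciousAttachments {
    # Folder is an assumption; use the directory your mail client saves attachments to.
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $why = Test-SuspiciousAttachment -File $_
        if ($why.Count -gt 0) {
            [pscustomobject]@{ Path = $_.FullName; Reasons = ($why -join '; ') }
        }
    }
}

# Show real extensions in Explorer for the current user (restart Explorer or log off to apply).
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                 -Name HideFileExt -Value 0 -Type DWord

Find-SuspiciousAttachments | Format-Table -AutoSize
```

Running it against a folder with a few constructed test files (an empty invoice.pdf.exe, and a copy of notepad.exe renamed to report.pdf) shows each one with the reason it was flagged; a genuine PDF, which starts with the bytes “%PDF”, is not reported. The HideFileExt change is per user, so push it by Group Policy if it should apply to everyone.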

Minimize administrative privileges
Make sure network share permissions give each user write access only to the shares they actually need, and don’t make users local administrators of their workstations unless it is absolutely necessary. CryptoLocker and its clones run with the permissions of whoever opened the attachment, so the damage is bounded by what that account can write to: every writable share is a share that will be encrypted. Local administrator rights raise the stakes further, because they let malware do things an ordinary user cannot, such as deleting the Volume Shadow Copies that might otherwise have allowed files to be recovered.
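Two quick audits for the least-privilege advice above, as an added PowerShell example (not from the article): who is in the local Administrators group, and which shares hand write access to broad groups. It assumes Windows 8/Server 2012 or later (SmbShare module), PowerShell 5.1 or later (Get-LocalGroupMember), and an elevated session; the list of “broad” principals is an assumption you can extend with your own everyone-style groups.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's code). Lists local administrators and shares where a
# broad group can write; ransomware running as a member of such a group can reach them.

$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')   # assumption

function Get-LocalAdminMembers {
    # Look the group up by its well-known SID so a renamed Administrators group is still found.
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-OverexposedShares {
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        # Share-level ACL: Change or Full granted to a broad principal.
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            $account = ($ace.AccountName -split '\\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.AccessRight -in @('Change', 'Full') -and
                $BroadPrincipals -contains $account) {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'Share'
                                   Account = $ace.AccountName; Right = $ace.AccessRight }
            }
        }
        # NTFS ACL on the shared folder. Effective access is the more restrictive of the two
        # layers, so a wide-open share only matters if NTFS is wide open too. Generic rights
        # inherited as raw numbers are not matched here and should be reviewed by hand.
        $acl = Get-Acl -Path $share.Path -ErrorAction SilentlyContinue
        foreach ($ntfs in $acl.Access) {
            $account = ($ntfs.IdentityReference.Value -split '\\')[-1]
            if ($ntfs.AccessControlType -eq 'Allow' -and
                $ntfs.FileSystemRights -match 'Write|Modify|FullControl' -and
                $BroadPrincipals -contains $account) {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                                   Account = $ntfs.IdentityReference.Value; Right = $ntfs.FileSystemRights }
            }
        }
    }
}

'--- Local administrators ---'
Get-LocalAdminMembers | Format-Table -AutoSize
'--- Shares writable by broad groups ---'
Get-OverexposedShares | Format-Table -AutoSize
```

Run it on each file server and on a sample of workstations. A share that shows up at both the Share and NTFS layer for the same broad group is one every infected user will encrypt; replace the broad entry with a group containing only the people who actually need to write there.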

Use Software Restriction policies
A Software Restriction Policy (set in Local Security Policy or pushed by Group Policy) can contain path rules that prevent executables from running out of the user’s AppData folders (%AppData% and %LocalAppData%, including the Temp directory into which archives opened from the mail client are extracted). This is one of the most common places CryptoLocker and its clones drop and run their payload from, so if a user opens a malicious attachment or hyperlink, the executable is simply refused. The con to this approach is that some third-party applications in your environment install and run per user from AppData; if that’s the case, add an Unrestricted path rule for the specific executable, because SRP gives the most specific matching rule precedence over a broader Disallowed rule. Turning on SRP’s advanced logging during a pilot is the easiest way to find those applications before enforcing the policy everywhere.
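The rules described above, as an added PowerShell example that is not part of the original article. It writes the same registry values a Software Restriction Policy GPO writes: a default Unrestricted level, Disallowed path rules for the AppData locations ransomware droppers run from, one Unrestricted exception for a hypothetical per-user application (the ExampleVendor\ExampleApp path is invented), and the advanced-logging value. It assumes a Windows edition that supports SRP, an elevated session, and that no domain GPO overwrites this key on the next policy refresh; on a domain member, put the same rules in a GPO instead.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's code). Creates SRP path rules under the registry key
# that Group Policy and secpol.msc use, blocking *.exe in user-writable AppData paths.

$Base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 262144   # 0x40000

function New-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Level,        # $Disallowed or $Unrestricted
        [string]$Description = ''
    )
    # Each rule is a GUID-named subkey under <level>\Paths, exactly as secpol.msc creates it.
    $key = Join-Path $Base ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord `
                     -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    return $key
}

# Policy-wide settings.
New-Item -Path $Base -Force | Out-Null
New-ItemProperty -Path $Base -Name DefaultLevel       -PropertyType DWord -Value $Unrestricted -Force | Out-Null  # allow unless a rule says otherwise
New-ItemProperty -Path $Base -Name TransparentEnabled -PropertyType DWord -Value 1 -Force | Out-Null   # 1 = all software files except DLLs
New-ItemProperty -Path $Base -Name PolicyScope        -PropertyType DWord -Value 0 -Force | Out-Null   # 0 = applies to local administrators too
New-ItemProperty -Path $Base -Name ExecutableTypes    -PropertyType MultiString -Force -Value @(
    'EXE','COM','SCR','PIF','BAT','CMD','HTA','JS','JSE','VBS','VBE','WSF','WSH','MSI','MSP','REG','LNK','CPL') | Out-Null

# Block rules. The Temp\Rar*, 7z*, wz* and *.zip patterns cover executables launched
# straight out of an archive that was opened from the mail client.
$Blocked = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\Rar*\*.exe',
    '%LocalAppData%\Temp\7z*\*.exe',
    '%LocalAppData%\Temp\wz*\*.exe',
    '%LocalAppData%\Temp\*.zip\*.exe'
)
foreach ($p in $Blocked) {
    New-SrpPathRule -Path $p -Level $Disallowed -Description 'Block executables in user-writable AppData' | Out-Null
}

# Exception for a third-party app that installs per user (hypothetical name). SRP gives the
# most specific matching path rule precedence, so this beats the broader Disallowed rules.
New-SrpPathRule -Path '%LocalAppData%\ExampleVendor\ExampleApp\ExampleApp.exe' `
                -Level $Unrestricted -Description 'Allowed per-user application' | Out-Null

# Advanced logging: every SRP decision is appended to this file, which is the easiest way
# to discover legitimate programs that still need an exception before a wide rollout.
New-ItemProperty -Path $Base -Name LogFileName -PropertyType String -Value 'C:\Windows\Temp\srp.log' -Force | Out-Null

Write-Host 'SRP rules written. Log off and back on (or reboot) for them to take effect.'
```

To verify, copy a harmless executable into %AppData% and launch it: Windows should refuse with “This program is blocked by group policy.” Keep in mind that path rules only block by location, so a dropper that lands somewhere outside these paths is not stopped; on editions that support it, AppLocker publisher rules are the stronger successor to SRP.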

Have a backup solution in place
This is the most critical step to take. As previously noted, the only ways to recover from a CryptoLocker attack are to restore all encrypted files from backup or to pay the ransom. There have been many reported “Tales from the CryptoLocker” where companies were infected, had no backup solution in place, and had to pay. Because CryptoLocker also encrypts mapped network drives, a backup that lives on a drive letter the infected user can write to is not a backup: keep at least one copy offline or on storage the workstations cannot write to, retain multiple versions so an encrypted file does not overwrite the good one, and regularly test a restore rather than only checking that the backup job ran. Don’t let your company be at the mercy of ransomware.

As technology evolves, the malware that is being developed changes with it, and it becomes increasingly important for companies to be aware of what is out there and how to defend themselves against malicious attacks.