Can 2017 be the year of a CryptoLocker revival?
The CryptoLocker virus is a malicious cyber threat that was first spotted in 2013 [1]. A year later, a group of security researchers managed to curb the virus by shutting down its main distributor, the Gameover Zeus botnet [2]. Since then the original project was thought to be dead, but various CryptoLocker versions kept emerging, aiming to wreck victims' computers. Although most of them were designed by amateur hackers, two suspicious variants have surfaced on the web quite recently and really got the experts thinking whether CryptoLocker is rising from the dead. Sadly, analysis of the new CryptoLockerEU and CryptON viruses has revealed that these two are indeed based on CryptoLocker's original code. So could it be that the web community's worst nightmare is becoming reality and this 2014 threat is returning to reclaim its place among the most dangerous ransomware? There are many reasons that could trigger such a situation. Perhaps the CryptoLocker creators, who inspired hundreds of criminals to start their own crime-related projects, have missed the spotlight themselves, or they have simply run out of the 3 million dollars the original CryptoLocker brought them a few years ago. Either way, regardless of whether you got infected with a fake or a real version of the virus, do not hesitate to remove CryptoLocker and end its stay on your computer before the ransomware causes even more damage. Since there is a chance that this virus is back on the market, it is worth refreshing our memory of how it operates and how to avoid it.
The main way it spreads is through seemingly harmless email messages. These messages typically contain malicious attachments that carry the ransomware payload. When the victim opens the attachment, the virus attacks the target PC, encrypts the victim's files and displays the ransom note shown below. Although it belongs to the same category as the FBI virus, Police Central e-crime Unit virus or Department of Justice virus, this virus tries to convince its victims that they have to pay a ransom by encrypting their personal files. CryptoLocker [3] is file-encrypting ransomware: it uses RSA public-key cryptography to lock the following file types on the victim's PC:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx.
As you can see, this list is full of widely used file types, such as doc, xls and similar. To restore them, the virus asks the victim to pay a ransom via MoneyPak, Ukash, cashU or Bitcoin. Typically, this threat asks for $100 to $500, but the price can be higher as well. According to the warning message this threat typically displays, victims have only a limited amount of time to pay the ransom and regain access to their files. The virus leaves a so-called ransom note, which contains the following text:
"Your personal files are encrypted!
Your important files encryption produced on this computer: photos, videos, documents, etc. Here is a complete list of encrypted files, and you can personally verify this.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files...
To obtain the private key for this computer, which will automatically decrypt files, you need to pay [specified amount of money in EUR or USD] similar amount in another currency.
Click To select the method of payment and the currency.
Any attempt to remove or damage this software will lead to the immediate destruction of the private key by server."
Fortunately, CryptoLocker cannot harm those who have been backing up their data and keeping extra copies of their files. If you have copies of your photos, business documents and other files, you don't need to pay a ransom. You just need to remove this ransomware from your computer and prevent additional damage. For CryptoLocker removal, we highly recommend using Reimage, which has been showing great results when eliminating files of this virus. For restoring your files, we kindly ask you to read the data recovery options provided below the article.
However, it seems that the fraudsters have decided to ease the rules for victims who choose to pay the ransom but simply cannot gather the fixed amount of money within the specified time. Typically, once anti-virus software deletes the ransomware, the victim can no longer pay the ransom. Therefore, the latest versions of CryptoLocker have a new feature: when the anti-virus detects the threat, they change the desktop wallpaper and display a message on the screen telling the victim where to download the ransomware again in case he or she still wants to buy the decryption software. Although we strongly recommend not paying the ransom, we understand that some companies might not be able to survive without specific data stored on the compromised computers, so in such cases paying the ransom might be the only chance to keep the business going. Again, we remind you that we do not recommend paying up. Keep in mind that you can never be sure whether the criminals will provide working decryption tools!
Methods used to distribute CryptoLocker virus
CryptoLocker is considered one of the most efficiently distributed crypto-ransomware viruses, and its authors combine several different techniques to spread it. [4] They have been seen using both old and new distribution techniques, failing to comply with any moral norms. According to experts, the CryptoLocker virus is spread using official-looking emails, fake pop-ups and similar techniques. Earlier, CryptoLocker ransomware was distributed via deceptive emails containing malicious attachments, via malware-laden ads advertising programs or updates that actually contain the virus executable, and via exploit kits, which allow crooks to infect victims' PCs by exploiting vulnerabilities in their computers. Beware that this threat can infiltrate your computer through a fake pop-up claiming that you need to update Java, Flash Player or a similar program, so make sure you install these programs from their developers' verified sites, not from suspicious third-party sites.
In September 2016, several new ransomware distribution techniques were spotted. The first one is based on malicious emails posing as letters from the electricity supplier VERBUND. This company is not related to these scammers in any way; they just use a reputable company's name to convince users to click on malicious links or open infectious email attachments containing CryptoLocker. The message subject is Detailaufstellung zu Rechnung Nr. [numbers]. If you have received such a letter, delete it immediately without clicking on the links included in the message or opening the attachments it contains!
The second ransomware distribution method that has been discovered is a filthy and hideous way to trick users and force them to open the malicious file containing the virus. Scammers pose as employees of health care companies and send deceptive emails that can cause a heart attack for the victim. They deliver a bogus blood test report, stating that the victim might be suffering from cancer due to a lack of white blood cells. The message asks the recipient to print out the blood test results in the attached document and bring them to the family doctor ASAP. Such news can make anyone panic and open the attached document without even thinking that it is just bait. When the miserable victim opens the attachment, the ransomware takes control of the system and encrypts all of the victim's files without any remorse. As you can see, cyber criminals can go very low because all they care about is money.
Tips on how to protect your data from being encrypted by ransomware:
If you want to stay safe, you should never trust misleading ads that pretend to be helpful, because all they do is spread viruses and useless programs. Also, make sure you delete spam and double-check every email sent to you by unknown senders. Besides, don't forget to turn off the hiding of known file extensions (if you are using Windows) [5], and, to avoid losing your files, you should think about their protection. The first thing you should do is download a reputable anti-spyware program to your computer. We recommend using Reimage. In addition, make sure you perform backups as frequently as possible, because this could help you recover your encrypted files. Finally, you should use solutions such as Google Drive, Dropbox, Flickr, etc. when trying to protect your extremely important files. However, keep in mind that this powerful virus might be able to reach these online storage places through your Internet connection and encrypt those files, too. Therefore, it is recommended to store data backups on removable storage devices such as external hard drives or USB sticks. Unfortunately, if you are infected with this ransomware right now, you should know that there is no official CryptoLocker decryption tool yet. Nevertheless, you can check the guide given on the second page of this post and recover your files with some special tools. Don't forget to remove the ransomware before recovering your files, because it may disable them again!
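The tip about hidden file extensions is worth seeing in code. Windows picks the program that opens an attachment by its last extension, so a name like "Detailaufstellung_Rechnung.pdf.exe" is displayed as "Detailaufstellung_Rechnung.pdf" when known extensions are hidden. As an added example that is not code from the original article, the Python below applies the check a mail gateway or a cautious user could run on attachment names before opening them; the extension lists and the sample attachment names are constructed for the example and modelled on the lures described above.

```python
from dataclasses import dataclass

# Extensions Windows runs as programs or scripts when double-clicked (constructed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe", "wsf", "hta", "cpl"}
# Macro-enabled Office formats: not executable by themselves, but worth a second look.
MACRO_EXTS = {"docm", "xlsm", "pptm"}
# Harmless-looking extensions a sender would put in front of the real one.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt", "zip"}

# Constructed attachment names modelled on the lures described above (invoice, blood test results).
SAMPLE_ATTACHMENTS = [
    "Detailaufstellung_Rechnung.pdf.exe",
    "blood_test_results.doc",
    "invoice_Q3.xlsm",
    "photo.jpg        .scr",
    "README",
]


@dataclass
class Verdict:
    filename: str
    severity: str  # "block", "review" or "allow"
    reason: str


def inspect_attachment(filename: str) -> Verdict:
    """Judge an attachment by its real (last) extension, not by the one a user sees."""
    # Whitespace padding before the last dot is a trick to push the real extension out of view,
    # so every name component is stripped before comparison.
    parts = [p.strip() for p in filename.lower().split(".")]
    if len(parts) < 2:
        return Verdict(filename, "allow", "no extension")
    real_ext = parts[-1]
    decoy_ext = parts[-2] if len(parts) >= 3 else None
    if real_ext in EXECUTABLE_EXTS:
        if decoy_ext in DECOY_EXTS:
            return Verdict(filename, "block", f"double extension: shown as .{decoy_ext}, runs as .{real_ext}")
        return Verdict(filename, "block", f"executable attachment .{real_ext}")
    if real_ext in MACRO_EXTS:
        return Verdict(filename, "review", f"macro-enabled document .{real_ext}")
    return Verdict(filename, "allow", "ordinary document")


def triage(filenames):
    """Map each attachment name to its verdict."""
    return {name: inspect_attachment(name) for name in filenames}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict.severity:6}  {name!r}: {verdict.reason}")
```

On the desktop, the equivalent prevention is turning off Explorer's "Hide extensions for known file types" option, which is what the tip above refers to; the script is the same decision made before the file ever reaches the user.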
Malware that is related to this virus or pretends to be related to it:
Crypt0L0cker virus is file-encrypting ransomware capable of infiltrating computers through fake Java updates or infected email attachments. After encrypting the victim's files, this virus adds the .encrypted or .enc file extension to each of them and starts showing a warning message asking the victim to pay the ransom. This virus was first spotted in 2015. However, several years later it is still actively infecting computer users. The Crypt0l0cker 2017 version demands 2.2 Bitcoin in exchange for a chance to decrypt the encrypted files. Please do NOT pay the ransom; use the guide below to fix your computer. You can always recover your files from a backup for free.
CryptoLocker-v3. When infected with this ransomware (you can download it by clicking on the fake pop-up that says you need to update Java or Flash Player), you can expect it to block most of your files. To encrypt the files, this threat uses RSA-2048 (a unique public key) and asks for a 1 BTC ransom, which was equal to $350 USD in 2015. Making this payment is the same as supporting the scammers and their future crimes, so you should never do that. This malware adds the .crypted file extension to every file it encrypts.
Cryptographic Locker is very similar to the CryptoLocker ransomware. It lets its victim know which files it encrypted by adding the .clf file extension to every file it encrypts. All these files are listed in %Temp%\CryptoLockerFileList.txt. Right after appearing on the Internet, this ransomware was asking for a 0.2 BTC ransom in exchange for the decryption key needed to recover the files. During its active distribution, the ransom amount was equal to $100. However, as we all know, the price of bitcoin keeps changing. If you happen to get infected with this malware, please do NOT pay the ransom, because there is no guarantee that this will help you regain access to your files. Instead, you should use the guide below.
PCLock ransomware is another ransomware that tries to scare its victims by encrypting their files. It encrypts them with a simple XOR cipher. Fortunately, it is not as aggressive as the original CryptoLocker version, so you should be able to eliminate it by removing its main file WinCL.exe and other files with the help of security software. Please do NOT pay the 1 bitcoin ransom demanded in the ransom note called last_chance.txt for unblocking the encrypted files. After you remove PCLock from your computer, you can use the decryption tool created by security experts to unblock the encrypted files.
CryptoTorLocker2015 is capable of infecting Windows and Android. Once it does, it uses XOR encryption to block the victim's files. If your system is full of precious photos or business documents, you can lose them. Infected files are typically marked with the .CryptoTorLocker2015 file extension. You should also find the ransom note called HOW TO DECRYPT FILES.txt on your desktop. Fortunately, Android users only need to uninstall the affected application that was used to download the CryptoTorLocker virus to remove it from their devices. Windows users are advised to use reputable anti-virus or anti-spyware software for CryptoTorLocker2015 removal.
Crypt0 ransomware. Discovered in September 2016, this ransomware variant also uses part of CryptoLocker's name to seem scarier than it is. This version appends the ._crypt0 suffix directly after the original file name, whereas other viruses add their extension after the original file extension. It leaves the HELP_DECRYPT.TXT ransom note, which informs the victim about the attack and asks them to use contactfndimaf@gmail.com for data decryption instructions. The virus is a foolish copy of CryptoLocker, and its files can be decrypted using the free Crypt0 decryption tool.
Il tuo computer e stato infettato da Cryptolocker! ransomware. This virus is yet another version of CryptoLocker, aimed at Italian-speaking computer users. This version asks for a smaller ransom than other CryptoLocker-related viruses: it demands "only" 130 EUR from its victims. However, that does not mean that victims should pay the ransom. Just like its predecessor, this ransomware changes file extensions (it uses the .locked file extension) and gives its victim a limited amount of time to pay up. Currently, malware researchers remain silent, as there is no free Il tuo computer e stato infettato da Cryptolocker decryption tool available; however, such a tool might show up in the future.
CryptoLocker 5.1 ransomware virus. This ransomware was released in 2016. Since its first appearance, it has been infecting Italian users. It is also known as the Il tuo computer e stato infettato da Cryptolocker! threat. Though it attempts to disguise itself under the name of the notorious cyber menace, IT experts still suspect that it is not as powerful as the original version. This virus appends the .locked file extension and demands 250€ in exchange for the decryption key. The transaction is expected to be made within 48 hours. Brush aside any thoughts of transferring the money and concentrate on its elimination.
Cryptolocker3 ransomware virus is an imposter-type malware that can also be called lock-screen ransomware (such viruses do not actually encrypt the computer's files, but prevent their victims from accessing them and using the regular computer functions). However, after several months of activity, Cryptolocker3 moved into another sub-category, in which the malware acts like real crypto-ransomware. This parasite uses the XOR encryption algorithm and appends the .cryptolocker file extension. There is currently no safe decryption tool for the locked files, but we can assure you that experts are actively working on it and you can expect your files to be decryptable in the future. In the meantime, you need to remove this parasite from your computer without delay.
MNS Cryptolocker is yet another ransomware virus that uses CryptoLocker's name. While there is no evidence that it is related to the notorious cyber infection, that does not mean this malware is less harmful. Once it encrypts the victim's personal files, the ransomware drops its ransom note asking the victim to send 0.2 BTC ($180 USD) via Tor or other anonymous networks. The virus does not append new extensions to the target files, so you become aware of the infection only when you try to open one of them. Unfortunately, this malware can eliminate shadow volume copies of the target files with the command vssadmin DELETE SHADOWS /all /quiet. Because of this feature, victims find ShadowExplorer useless. The most interesting fact is that MNS Cryptolocker can delete itself from the system.
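The shadow-copy deletion command just mentioned is one of the most reliable ransomware signals a defender can log, because legitimate software almost never wipes every shadow copy silently. As an added example that is not part of the original article, the Python below parses constructed process-creation records (a Sysmon-style key=value text form chosen for the example, not Sysmon's real event format) and raises an alert when vssadmin is used to delete shadow copies, generalizing slightly beyond this article to the WMIC shadowcopy delete equivalent. The alert is rated higher when the parent process runs from a user-writable folder such as %Temp% or Downloads, which is where a mailed attachment typically lands. All paths and file names in the sample events are constructed.

```python
import re

# Constructed process-creation events in a Sysmon-like key=value text form (not real Sysmon output).
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin DELETE SHADOWS /all /quiet" ParentImage=C:\Users\alice\AppData\Local\Temp\invoice.exe',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /for=C: /oldest" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\Users\alice\Downloads\results.scr',
    r'EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd /c dir" ParentImage=C:\Windows\explorer.exe',
]

# key=value pairs; values are either a double-quoted string or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Command lines that remove shadow copies: the vssadmin form from the article and the WMIC equivalent.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
]

# Parent processes living under a user profile's temp/download folders are far more suspicious
# than an administrator's cmd.exe under C:\Windows.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.IGNORECASE)


def parse_event(line):
    """Turn one key=value record into a dict; quoted values keep their inner spaces."""
    fields = {}
    for match in KV_RE.finditer(line):
        key, raw, quoted = match.group(1), match.group(2), match.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def detect_shadow_deletion(lines):
    """Return one alert dict per event whose command line deletes shadow copies."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        command = event.get("CommandLine", "")
        if not any(p.search(command) for p in SHADOW_DELETE_PATTERNS):
            continue
        parent = event.get("ParentImage", "")
        severity = "high" if USER_WRITABLE_RE.search(parent) else "medium"
        alerts.append({"command": command, "parent": parent, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_deletion(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['command']!r} spawned by {alert['parent']}")
```

The medium-severity case (an administrator deleting the oldest shadow copy from cmd.exe) shows why the parent path matters: the command itself is legitimate maintenance, and the context is what separates housekeeping from a ransomware payload preparing to encrypt.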
CryptoLockerEU ransomware virus was detected in January 2017. It appears to be a modified copy of the initial CryptoLocker virus. The virus calls itself CryptoLockerEU 2016 rusia, which suggests that it was developed in 2016 by Russian hackers. During the encryption procedure, the virus encodes files using an RSA-2048 algorithm and gives each file the new extension .send 0.3 BTC crypt. The ransom note's name is supposed to be РАСШИФРОВАТЬ ФАЙЛЫ.txt. However, due to an error in the virus' source code, it appears as ĐŔŃŘČÔĐÎ ŔŇÜ ÔŔÉËŰ.txt. Currently, the files cannot be decrypted. Victims should use backups or wait for free decryption programs that malware researchers might release soon.
Cryptolocker Portuguese ransomware, or CryptON CryptoLocker, is the latest variant of CryptoLocker-related ransomware. Some believe it may have been released by the same group of hackers, because it uses similar source code and behaves like CryptoLocker on the infected computer. The most interesting fact is that this virus is aimed at Portuguese-speaking users, since the ransom note and the ransom payment interface are presented in that language. In particular, the ransom note used by this malware is called COMO_ABRIR_ARQUIVOS.txt, which essentially means "how to open your files" in English. Likewise, the encrypted files are renamed in the following manner: [file_name].id-[victim's ID]_steaveiwalker@india.com_. To regain access to the files, the victims are told to pay 1 BTC. By no means should you pay the hackers! Instead, remove CryptON CryptoLocker and try to recover your files using our recommended data recovery options.
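The variants above each leave a recognisable fingerprint: an appended extension, a rename pattern or a ransom-note file name, and knowing which one you are facing decides which decryption tool or guide applies. As an added example (my code, not the article's or any vendor's tool), the Python below turns those fingerprints into a triage script that scans a list of file names from an infected host and reports which variant the evidence points to before anyone touches the files. The indicator strings are taken from the descriptions above; the sample file listing and the victim ID 7F3A21 are constructed. MNS Cryptolocker appends no extension and its note name is not given above, so it cannot be fingerprinted this way and is deliberately absent.

```python
import re

# Fingerprints from the variant descriptions above. "extensions" are compared as suffixes,
# "notes" as exact ransom-note file names and "pattern" as a regex over the file name.
VARIANT_SIGNATURES = [
    {"name": "Crypt0L0cker", "extensions": [".encrypted", ".enc"]},
    {"name": "CryptoLocker-v3", "extensions": [".crypted"]},
    {"name": "Cryptographic Locker", "extensions": [".clf"], "notes": ["CryptoLockerFileList.txt"]},
    {"name": "PCLock", "notes": ["last_chance.txt"]},
    {"name": "CryptoTorLocker2015", "extensions": [".CryptoTorLocker2015"], "notes": ["HOW TO DECRYPT FILES.txt"]},
    # Crypt0 inserts its marker after the base name, so the original extension may follow it.
    {"name": "Crypt0", "pattern": r"\._crypt0(\.|$)", "notes": ["HELP_DECRYPT.TXT"]},
    {"name": "CryptoLocker 5.1 (Il tuo computer e stato infettato da Cryptolocker!)", "extensions": [".locked"]},
    {"name": "Cryptolocker3", "extensions": [".cryptolocker"]},
    {"name": "CryptoLockerEU", "extensions": [".send 0.3 BTC crypt"],
     "notes": ["РАСШИФРОВАТЬ ФАЙЛЫ.txt", "ĐŔŃŘČÔĐÎ ŔŇÜ ÔŔÉËŰ.txt"]},
    {"name": "CryptON CryptoLocker", "pattern": r"\.id-[^_]+_steaveiwalker@india\.com_$",
     "notes": ["COMO_ABRIR_ARQUIVOS.txt"]},
]

# Constructed file listing from a hypothetical infected host; the victim ID 7F3A21 is made up.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.encrypted",
    r"C:\Users\alice\Documents\COMO_ABRIR_ARQUIVOS.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.id-7F3A21_steaveiwalker@india.com_",
    r"C:\Users\alice\Desktop\notes.txt",
]


def _basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def match_signature(sig, name):
    """Describe why `name` matches `sig`, or return None."""
    lower = name.lower()
    if lower in (n.lower() for n in sig.get("notes", [])):
        return f"ransom note {name}"
    if any(lower.endswith(ext.lower()) for ext in sig.get("extensions", [])):
        return f"extension on {name}"
    if "pattern" in sig and re.search(sig["pattern"], name, re.IGNORECASE):
        return f"rename pattern on {name}"
    return None


def identify_variant(paths):
    """Collect supporting artefacts per variant from a list of file paths."""
    evidence = {}
    for path in paths:
        name = _basename(path)
        for sig in VARIANT_SIGNATURES:
            hit = match_signature(sig, name)
            if hit:
                evidence.setdefault(sig["name"], []).append(hit)
    return evidence


def most_likely(evidence):
    """Variant with the most artefacts behind it; None when nothing matched."""
    if not evidence:
        return None
    return max(evidence, key=lambda variant: len(evidence[variant]))


if __name__ == "__main__":
    found = identify_variant(SAMPLE_LISTING)
    for variant, hits in found.items():
        print(f"{variant}: {', '.join(hits)}")
    print("most likely:", most_likely(found))
```

Extension matching is deliberately loose (.enc will also flag any genuinely .enc file), so the script ranks variants by how many independent artefacts agree rather than trusting a single hit; a ransom note plus a matching rename pattern outweighs one suspicious suffix.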