The next time that an IT horror story breaks through into mainstream consciousness, it could well be caused by CryptoLocker

What is CryptoLocker?

It’s a horrible piece of malware that encrypts the most common types of data files on your computer (especially Microsoft data files such as Word documents and Excel spreadsheets). Once attacked, you can not get access to those files unless you pay the perpetrators to decrypt them. Strangely, it appears that paying the ransom does actually get you the “key” to unlock your files again. Maybe the “perps” are very clever and have realised that if they get a reputation for “honouring their promise” (huh?), then sufferers will be more likely to take a risk and pay.

At this point, Mac users are permitted a smirk – CryptoLocker only attackes Windows computers.

How do you get it?

It’s usually downloaded as an email attachment when the user is duped into accepting something that looks like a pdf file, but isn’t. I received a similar thing just a few days ago (although it displayed as a zip file in this instance). Take a look at Figure 1. It appears to be from Amazon and it would be very easy indeed to apply 20% of my attention to it and just open the attachment. I don’t know if this one contains CryptoLocker, but I do know that this message is fake. Look at the “sent” address. Since when did Amazon send emails out in the name of “crescenzireider@yahoo”?

Fake email message, purportedly from Amazon
Figure 1. Fake email message that may contain CryptoLocker or other malware

Also, this just isn’t how Amazon send despatch notices etc. and, anyway, I have a system (of sorts!) for tracking Amazon orders and know I’ve got nothing outstanding. So, I haven’t opened the attachment and this has kept me safe from any “payload” it may have (and don’t worry – you can’t catch anything from Figure 1: it’s just a harmless image file by the time you see it).

Other common ways of getting you to open an infected file include faking the attachment as a FedEx or UPS delivery note, or faking a document from your bank.

Once you’ve been infected, you will be presented with a demand for money (typically $100 or $300) and a short time (4 days) to pay up. If you don’t pay in that time then your files go to data heaven. The bad guys “forget” the key that will unlock them and that’s that. Moreover, if your regular backups are made on other hard drives on your own computer then those backups are also at risk. Apparently, the malware isn’t yet configured to look in networked drives, but that’s got to be just a matter of time.

CryptoLocker Window
Figure 2. If you see this window, you’ve got problems

How do you stop it?

If you are working in a large or medium organisation (with IT staff) then Windows can be configured to stop you opening all kinds of attachments that are “executables”. This is probably neither possible nor practical for the average home user. To begin with, you need to have Windows 7 Professional, Ultimate, or Enterprise (ie not Windows 7 Home). If you have Windows 8, it needs to be either the Pro or Enterprise version. If you are using Vista you are unlucky, and if you are still using Windows XP then here’s yet another reason to move on – Microsoft support for Windows XP is ending. There is, anyway, a danger of throwing the baby out with the bathwater. Putting restrictions in place to stop you opening a fake file would probably also stop you opening genuine ones – very annoying.

Another thing you can do is to change the view of your files in Windows Explorer so that file extensions are always displayed. This may alert you to the fact that a file that appears to be called “readme.pdf” is actually “readme.pdf.exe”

Why doesn’t antivirus software stop it?

I don’t know. I’ve been to a number of websites to help me prepare this blog and none of them are specific on this point. They just say things like “(antivirus programs) have a particularly difficult time stopping this infection” and “Security software might not detect CryptoLocker, or detect it only after encryption is underway or complete“.


I understand that removal of the software is just a case of uninstalling it in the usual Windows way – ie go to “Programs and Features” in the Control Panel. That doesn’t decrypt your data, of course.

So, where does that leave us?

  1. We have to be even more vigilant than ever in opening email attachments. Don’t open any email attachment until you’ve looked at the email and made a definite decision that you trust the sender. For goodness sake, don’t think, “I’ll open it and just delete it if it’s crap” (which is how, I suspect, a lot of people filter their email). If it’s got CryptoLocker in it then it will be too late by the time you realise what’s happening.
  2. We have to review our data backup situation. Are you one of the millions who “haven’t got round to” creating backups? If so, do you really want to find out the hard way why they are so important? And if you do take backups, but these are just file copies on your hard drive or permanently attached drives, then my advice is to take an “offline” backup asap (eg to a USB drive or DVDs).

Cartoon robber stealing away from laptopSorry for delivering yet another warning of the dangers of the internet. I really don’t want to put anyone off using it, but we need to pay close attention to what we are doing. Think in terms of being “streetwise” about the internet (“cyberwise”?) You wouldn’t park your bicycle, unlocked, on Oxford Street and expect it to be there when you got back, would you? If you apply the same common sense online then I think the chances of being caught out will be greatly reduced.